Sec Two Flashcards

Question 1

Q

What is a use case?

Answer

A

A goal that an organization wants to achieve

Question 2

Q

What is confidentiality?

Answer

A

ensuring data is only viewable by authorized users

Question 3

Q

What is steganography

Answer

A

hiding data inside other data, such as hiding messages inside a picture

Question 4

Q

What is integrity?

Answer

A

ensuring that data has not been modified, tampered with, or corrupted through unauthorized or unintended changes

Question 5

Q

What is non-repudiation?

Answer

A

prevents entities from denying they took an action

Question 6

Q

What is availability?

Answer

A

Ensuring data and services are available when needed

Question 7

Q

What is risk?

Answer

A

the possibility of a threat exploiting a vulnerability and resulting in loss

Question 8

Q

What is a threat?

Answer

A

any circumstance or event that has the potential to compromise CIA

Question 9

Q

What is a vulnerability?

Answer

A

a weakness in hardware, software, configuration, or users operating the system

Question 10

Q

What is risk mitigation?

Answer

A

Reduces risk by reducing the chances that a threat will exploit a vulnerability or reducing impact of the risk

Question 11

Q

What are security controls

Answer

A

things that reduce risk, such as antivirus software

Question 12

Q

What are the 3 primary security control types

Answer

A

technical (implemented w/ tech)
administrative (implemented w/ admin or management methods)
physical (controls you can physically touch)

Question 13

Q

What are preventive controls

Answer

A

controls that attempt to prevent security incidents

Question 14

Q

What are detective controls?

Answer

A

controls that attempt to detect when a vulnerability has been exploited

Question 15

Q

What are corrective controls

Answer

A

controls that attempt to reverse the impact of an incident after it has occurred

Question 16

Q

What are deterrent controls

Answer

A

controls that attempt to prevent incidents by discouraging threats

Question 17

Q

what are compensating controls

Answer

A

alternative controls used when it isn’t feasible to use a primary control

Question 18

Q

what is authentication

Answer

A

allows entities to prove their identity by using credentials known to another entity

Question 19

Q

what is identification

Answer

A

occurs when a user claims or professes an identity with username, email, PIV, biometrics, etc

Question 20

Q

What are the five factors of authentication?

Answer

A

something you know (username/password)
something you have (smart card, token)
something you are (fingerprint, retina scan)
somewhere you are (geolocation, MAC address)
something you do (gestures)

Question 21

Q

What are the open source standards used for one-time passwords?

Answer

A

HOTP - creates OTP that doesn’t expire

TOTP - creates OTP that expires after 30 seconds

Question 22

Q

What are FAR, FRR, and CER in regards to biometrics?

Answer

A

FAR - false acceptance rate (false positive match)
FRR - false rejection rate (false negative match)
CER - crossover error rate (the point on a sensitivity vs. rate graph where FAR and FRR cross - indicates quality of biometric system)

Question 23

Q

What is kerberos?

Answer

A

network authentication protocol using tickets issued by KDC or TGT server

Question 24

Q

What is LDAP?

Answer

A

specifies formats and methods to query directories such as Active Directory. LDAPS encrypts transmissions with SSL or TLS

Question 25

Q

What is SAML?

Answer

A

an XML based standard used to exchange authentication and authorization info between parties

Question 26

Q

what is a federated identity?

Answer

A

links a user’s credentials from different networks or OSs, but treats it as one identity

Question 27

Q

what is shibboleth?

Answer

A

open source federated identity solution

Question 28

Q

what is OAuth and OpenID Connect?

Answer

A

commonly used authentication solutions allowing users to log on to many web sites with another account

Question 29

Q

What are the general account management best practices?

Answer

A

Least privilege
No account sharing
Admin should have 2 accounts (one non-admin account)
Account disablement policy for users that leave
routinely delete accounts that are no longer needed

Question 30

Q

What are common access control models?

Answer

A

role-BAC (RBAC) - grants access based on user roles such as jobs, functions, or assigned tasks

rule-BAC (RBAC) - grants access based on approved instructions such as rules triggered in response to detected attack
discretionary (DAC) - every object has an owner, that owner can determine everyone else’s access - major flaw is susceptibility to trojan horses
Mandatory access control (MAC) - uses sensitivity labels to identify objects and users, users with matching labels can access
attribute-based (ABAC) evaluates attributes and grants access based on the value of the attributes. often used in software-defined networks

Question 31

Q

Which protocols are used for voice and video?

Answer

A

Real time transport protocol (RTP) and secure real time transport protocol (SRTP) - SRTP provides encryption, message authentication, and integrity

Question 32

Q

What protocol is commonly used to transfer files over networks?

Answer

A

File transfer protocol (FTP)

Question 33

Q

What are the encryption protocols used to encrypt data-in-transit?

Answer

A

File Transfer Protocol Secure (FTPS - uses TLS)
Secure File Transfer Protocol (SFTP - uses SSH)
Secure Shell (SSH)
Secure Socket Layer (SSL - Deprecated)
Transport Layer Security (TLS)

Question 34

Q

What port does SMTP use to send mail?

Question 35

Q

What port does POP3 use to receive mail?

Question 36

Q

What port does IMAP4 use?

Question 37

Q

What port does Secure POP use?

Answer

A

995 (legacy) or with STARTTLS on port 110

Question 38

Q

What port does IMAP use TLS?

Answer

A

port 993 (Legacy) or with STARTTLS on port 143

Question 39

Q

What port does HTTP use?

Question 40

Q

what port does HTTPS use?

Question 41

Q

What port does LDAP use?

Question 42

Q

What port does LDAP secure use?

Question 43

Q

What port does RDP use?

Question 44

Q

What do admins typically use to remote into systems?

Answer

A

SSH or RDP

Question 45

Q

What does network time protocol (NTP) do?

Answer

A

provides time synchronization services

Question 46

Q

What does DNS zone A records contain?

Answer

A

IPv4 addresses

Question 47

Q

What do DNS zone AAAA records contain?

Answer

A

IPv6 addresses

Question 48

Q

How is DNS Zone data updated?

Answer

A

zone transfers and secure zone transfers

Question 49

Q

What port does DNS use?

Answer

A

TCP 53 for zone transfers and UDP 53 for DNS Client queries

Question 50

Q

What is the purpose of DNSSEC?

Answer

A

provides validatin for DNS responses and helps prevent DNS poisoning attacks

Question 51

Q

What are the command line commands for querying DNS?

Answer

A

nslookup (windows) and dig (Linux)

Question 52

Q

what does the axfr switch do?

Answer

A

download all zone data from DNS server, unless it is blocked

Question 53

Q

What do switches do?

Answer

A

map MAC addresses to physical ports

Question 54

Q

What are two examples of port security?

Answer

A

limiting number of MAC addresses per port, and disabling unused ports

Question 55

Q

what is an aggregation switch?

Answer

A

connects multiple switches together in a network

Question 56

Q

What do routers do?

Answer

A

connect networks and direct traffic based on the destination IP address

use rules within access control lists (ACLs) to allow or block traffic

Question 57

Q

What is implicit deny?

Answer

A

indicates that unless something is explicitly allowed, it is denied. it is the last rule in an ACL

Question 58

Q

What do network-based firewalls do?

Answer

A

filter traffic in and out of a network

placed on border of network

Question 59

Q

What is a stateless firewall?

Answer

A

controls traffic between networks using rules within an ACL

Question 60

Q

What is a stateful firewall?

Answer

A

filters traffic based on the state of a packet within a session

Question 61

Q

What is a web application firewall?

Answer

A

protects a web server against web application attacks. Typically placed in the DMZ and alerts admins of suspicious activity

Question 62

Q

What is a demilitarized zone (DMZ)?

Answer

A

provides a layer of protection for servers that are accessible from the internet
typically sits between two different firewalls

Question 63

Q

What is an intranet?

Answer

A

an internal network used to communicate and share content with each other

Question 64

Q

what is an extranet?

Answer

A

part of a network that can be accessed by authorized entities from outside the network

Answer 57

A

translates public IP addresses to private IP addresses and vice versa

Answer 58

A

a metaphor for physical isolation, indicating a system or network is completely isolated from another system or network

Answer 59

A

forward requests for services from a client

can cache and record users’ internet activity

Answer 60

A

transparent accepts and forwards requests without modifying them
nontransparent can modify or filter requests, such as filtering based on the URL

Answer 61

A

proxy server which accepts traffic from the internet and forwards it to one or more internal servers, then returns the result to the requester

Answer 62

A

unified threat management. a security appliance which includes multiple layers of protection, such as URL filters, content inspection, malware inspection, and DDoS mitigator

Answer 63

A

gateway placed between an email server and the internet. examines and analyzes all traffic and can block unsolicited email. may include data loss prevention (DLP) and encryption capabilities

Answer 64

A

protects against switching loop problems, such as when a user connects two switch ports together with a cable.

Answer 65

A

Spanning Tree Protocol (STP)

Answer 66

A

prevent MAC flood attacks on switches

Answer 67

A

logically separated computers or logically grouped computers regardless of their physical location. can be created with layer 3 switches

Answer 68

A

router using rules within ACLs

Answer 69

A

used to monitor and configure network devices and uses notification messages known as traps. Uses strong authentication mechanisms and uses UDP ports 161 and 162

Answer 70

A

intrusion detection systems and intrusion prevention systems

inspect traffic using the same functionality as a protocol analyzer

Answer 71

A

HIDS can detect attacks on local systems and protect local resources on the host. Can also detect some malware not detected by traditional antivirus

NIDS detects attacks on the network

Answer 72

A

uses a signatures to detect known attacks or vulnerabilities

Answer 73

A

require a baseline and detect attacks based on anomalies or when traffic is outside of expected boundaries compared to the baseline

Answer 74

A

IPS is placed inline with traffic while an active IDS is out of band

Answer 75

A

dedicated hardware device that handles TLS traffic, allowing other devices to offload TLS traffic

Answer 76

A

allows an organization to inspect traffic, even when traffic is using SSL or TLS

Answer 77

A

(SDN) uses virtualization tech to route traffic instead of using hardware routers or switches. separates the data and control planes

Answer 78

A

servers that appear to have valuable data in an attempt to divert attackers from live networks. honeynet is a group of honeypots that looks like a full network

can also be used to observe current attack methodologies

Answer 79

A

provides strong port security using port-based authentication. prevents rogue devices from connecting to a network by ensuring only authorized clients can connect

Answer 80

A

fat AP has everything needed to connect wireless clients to wireless network.

thin AP is controller-based. multiple thin APs are typically configured and managed by one controller

Answer 81

A

attackers can easily discover authorized MACs and spoof an authorized MAC address

Answer 82

A

they have narrower beams and longer ranges

Answer 83

A

network set up between two or more devices connected together without an AP

Answer 84

A

TKIP (temporal key integrity protocol)

Answer 85

A

counter mode cipher block chaining message authentication code protocol (CCMP) which is based on AES

Answer 86

A

one of the extensible authentication protocol (EAP) versions such as Protected EAP (PEAP), EAP Tunneled TLS (EAP-TTLS), EAP-TLS, or EAP-Flexible Authentication via Secure Tunneling (EAP-FAST)

Answer 87

A

EAP-TLS - requires a certificate on the server and each of the wireless clients

PEAP and EAP-TTLS only require certificate on the server
PEAP is often implemented with MS-CHAPv2
LEAP is proprietary to Cisco and does not require a certificate. EAP-FAST replaces LEAP

Answer 88

A

forces wireless clients to complete a process such as acknowledging a policy or paying for access before being granted access to the network

Answer 89

A

effectively removes a wireless client from a wireless network, forcing it to reauthenticate

Answer 90

A

allows users to set up a WAP to allow access by pressing a button or entering a short PIN. WPS PINs can be discovered within hours and are not secure. The PIN can then be used to discover the passphrase

Answer 91

A

an AP placed within a network without official authorization.

Answer 92

A

a rogue AP with the same SSID as a legitimate access point

Answer 93

A

floods a wireless frequency with noise, blocking wireless traffic

Answer 94

A

initialization vector attack. Attempts to discover the IV and uses it to discover the passphrase. WPA2 isn’t susceptible to an IV attack

Answer 95

A

near field communication attack. uses an NFC reader to read data from mobile devices

Answer 96

A

the practice of sending unsolicited messages to a phone

Answer 97

A

the unauthorized access to, or theft of information from, a bluetooth device

Answer 98

A

an attacker captures data sent between two entities, modifies it, and then impersonates one of the parties by replaying the data. WPA2 using CCMP and AES prevents wireless replay attacks

Answer 99

A

radio frequency identification attack. includes eavesdropping, replay, and DoS

Answer 100

A

provides secure access to private networks via a public network, such as the internet.

Answer 101

A

dedicated devices that provide secure remote access to remote users

Answer 102

A

a common tunneling protocol used with VPNs. Secures traffic within a tunnel. provides authentication with an Authentication Header (AH). Encapsulating security payload (ESP) encrypts traffic and provides CIA

Answer 103

A

tunnel mode encrypts the entire IP packet used in the internal network.

Transport mode only encrypts the payload and is commonly used in private networks, but not with VPNs

Answer 104

A

full tunnel encrypts all traffic after a user has connected to a VPN.

Split tunnel encrypts only traffic destined for the VPNs private network

Answer 105

A

provide secure access between two networks. Can be on-demand or always-on VPNs

Answer 106

A

network access control. inspects clients for specific health conditions such as up to date antivirus, and can redirect unhealthy clients to a remediation or quarantine network

Answer 107

A

permanent is installed on client and stays on clinet

dissolvable is downloaded and run, then deleted when the session ends. commonly used for BYOD devices

Answer 108

A

when a user accesses a private network from a remote location, such as with a VPN

Answer 109

A

password authentication protocol. uses password or PIN for authentication. weakest authentication protocol because it sends passwords as cleartext

Answer 110

A

challenge handshake authentication protocol. mroe secure than PAP and uses a handshake process when authenticating clients

Answer 111

A

microsoft versions of CHAP. CHAPv2 provides mutual authentication

Answer 112

A

provides central authentication for multiple remote access services. relies on the use of shared secrets and only encrypts the PW during authentication procses. uses UDP

Answer 113

A

used by some Cisco systems as an alternative to RADSIUS. uses TCP, encrypts the entire authentication process, and supports multiple challenges and responses

Answer 114

A

an improvement over RADIUS. uses TCP, encrypts the entire authentication process, and supports many additional capabilities

Answer 115

A

protocols when provide authentication, authorization, and accounting. examples include RADIUS, TACACS+, and Diameter

Answer 116

A

core system design principle stating that systems should only be deployed with the applications, services, and protocols needed to function

Answer 117

A

one which meets a set of predetermined requirements such as those defined in the Common Criteria

Answer 118

A

a secure starting point for systems, created with a template or other baseline

Answer 119

A

procedures which ensure OS’s and applications are kept up to date with current patches to ensure protection against known vulnerabilities

Answer 120

A

creating virtual machines or using chroot(on linux) to test security controls and patches in an isolated environment

Answer 121

A

electromagentic interference. comes from sources such as motors, power lines, and flourescent lights, and can be prevented with shielding

Answer 122

A

electromagnetic pulse. a short burst of electromagnetic energy

Answer 123

A

full disk encryption. encrypts an entire disk

Answer 124

A

self-encrypting drive. includes hardware and software necessary to automatically encrypt a drive

Answer 125

A

Trusted Platform Module. A chip included in many laptops and mobile devices that provides full disk encryption, a secure boot process, and supports remote attestation. Have an encryption key burned into them that provides hardware root of trust

Answer 126

A

hardware security module. kind of like a removable TPM. generates and stores RSA encryption keys and can be integrated with servers to provide hardware based encryption

Answer 127

A

cloud access security broker. A software tool or service deployed between an organization’s network and cloud provider. Monitors all network traffic and can enforce security policies acting as Security as a Service

Answer 128

A

corporate-owned, personally enabled. Refers to mobile devices owned by the organization but used by an employee for personal use

Answer 129

A

choose your own device. employer provides a list of acceptable devices and allows employees with one of those devices to connect to the network

Answer 130

A

virtual desktop infrastructure. provides a virtual desktop that users can access from their mobile devices

Answer 131

A

mobile device management. Tools which help ensure that devices meet minimum security requirements. Can monitor devices, enforce security policies, and block network access if req’s/policies are not met. Can restrict apps on devices, segment nad encrypt data, enforce strong authentication methods, and implement securtiy methods such as screen lock and remote wipe

Answer 132

A

supervisory control and data acquisition system. controls an industrial control system (ICS) typically used in large facilities like power plants or water treatment facilities. Should be in isolated networks without access to the internet, and sometimes are protected by NIPS

Answer 133

A

real-time operating system. OS which reacts to input within a specific time

Answer 134

A

individual columns, entire database, individual files, entire disks, and removable media

Answer 135

A

encryption and strong access controls

Answer 136

A

unauthorized transfer of data outside an organization

Answer 137

A

data loss prevention. techniques and technologies which help prevent data loss. Can block transfer of data to USB devices and analyze outgoing data via email to detect unauthorized transfers

Answer 138

A

virus: malicious code that attaches itself to a host application. Host app must be executed for the virus to run. Virus tries to replicate by finding other host applications to infect with the code. payload is typically damaging, deleting files, causing random reboots, join computer to botnet, or enable backdoors.

Worm: self-replicating malware that travels without the assistance of a host application. Resides in memory and uses different transport protocols to travel the network. consume network bandwidth and can replicate hundreds of times to spread all over network

trojan: looks like something beneficial but is actually malicious. often delivered via drive-by downloads

Answer 139

A

string of code embedded into an app or script that will execute in response to an event.

Answer 140

A

remote access trojan. allows attackers to take control of systems from remote locations. often delivered via drive-by downloads

Answer 141

A

malware with system-level or kernel access and can modify system files and system access. hide their running processes to avoid detection with hooking techniques. tools that can inspect RAM can discover these hooked processes

Answer 142

A

intercepting system-level function calls, events, or messages in order to control the system’s behaviour

Answer 143

A

attempts to discover which web sites a group of people are likely to visit and then infects those websites with malware

Answer 144

A

phishing using the phone system to trick users into giving up personal and financial information

Answer 145

A

DoS is an attack from a single source

DDoS attacks include multiple computers attacking a single target and are typically sustained abnormally high network traffic

Answer 146

A

MAC address and IP address

Answer 147

A

attacker sends a flood of SYN packets but never returns a SYN/ACK packet in response to the ACK packet, leaving the full TCP session unistablished and the server with multiple half-open connections

Answer 148

A

Kerberos using mutual authentication

Answer 149

A

attacker sends ARP reply with a bogus MAC address for the default gateway. without the correct default gateway address, traffic can never leave the network

Answer 150

A

manipulates the DNS process. tries to corrupt the DNS server or the DNS client. redirects users to a different site.

Answer 151

A

a type of DDoS attack. typically uses a method that significantly increases the amount of traffic sent to or requested from a victim.

Answer 152

A

spoofs the source address of a directed broadcast ping packet to flood a victim with ping replies

Answer 153

A

timestamps and sequence numbers

Answer 154

A

attackers hijack session ID from cookies and impersonate the user

Answer 155

A

attacker changes the registration of a domain name without permission from the owner

Answer 156

A

a proxy trojan horse that infects vulnerable web browsers. can capture browser session data, including keyloggers to captures keystrokes, and all data sent to and from web browser

Answer 157

A

attackers can create shims or rewrite internal code to fool the OS into using a manipulated driver instead of the real driver

Answer 158

A

bug in a computer app that causes app to consume more and more memory the longer it runs. can eventually cause system crash.

Answer 159

A

attack attempts to use or create a numeric value that is too big for an application to handle resulting in inaccurate results

Answer 160

A

an attack that injects a DLL into a system’s memory and causes it to run

Answer 161

A

cross-site request forger. An attack where an attacker tricks a user into performing an action on a web site

Answer 162

A

a structure used to provide a foundation. in cybersecurity, they typically use a structure of basic concepts and provide guidance to professionals on how to implement security in various systems

Answer 163

A

frameworks based on relevant laws and regulations such as HIPAA

Answer 164

A

frameworks not required by law, but typically identify common standards and best practices that orgs can follow such as COBIT (control objectives for information related technologies)

Answer 165

A

when two different passwords produce the same hash. occurs with weak hashing algorithms

Answer 166

A

when an attacker tries to produce a password that produces the same hash as the real password

Answer 167

A

adding additional characters to passwords before hashing them to prevent many types of attacks, including dictionary, brute force, and rainbow table attacks

Answer 168

A

additional code that can be run instead of the original driver

Answer 169

A

using a digital signature within a certificate to authenticate and validate software code

Answer 170

A

server side.

Client side can be used as well, but can be bypassed, so server side is better

Answer 171

A

measures the risk using a specific monetary amount, making it easier to prioritize risks

Answer 172

A

single loss expectancy. the cost of any single loss

Answer 173

A

annual rate of occurrence. indicates how many times the loss will occur in a year

Answer 174

A

annual loss expectancy. the value of SLE * ARO

Answer 175

A

uses judgment to categorize risks based on likelihood of occurrence

Answer 176

A

a record of information about identified risks, or a repository for all risks identified and includes additional information abotu each risk

Answer 177

A

evaluating the raw materials supply sources and all the processes required to create, sell, and distribute a product

Answer 178

A

discovering devices on the network and how they are connected to each other

often done as part of a network scan, but a full network scan also includes identifying open ports, running services, and OS details

Answer 179

A

a technique used to gain information about remote systems and is used by many network scanners

often used to identify the OS along w/ information about some applications

Answer 180

A

open ports
weak passwords
default accounts and passwords
sensitive data
security and configuration errors

Answer 181

A

collecting information about a targeted system, network, or organization using open-source intelligence such as social media, news, or an org’s website or from passively collecting info from a network such as SSIDs

Answer 182

A

includes using tools to send data to systems and analyzing the responses

Answer 183

A

command-line packet analyzing (protocol analyzer) allowing you to capture packets like with Wireshark, but for Linux

Answer 184

A

a network scanner. its graphical counterpart is zenmap. can identify all active hosts and IP addresses in a network, the protocols and services running on each, and the OS

Has switches Tx (x = 0 through 5, with 0 being slowest and 5 being fastest); -A (indicates the scan should include OS detection, version detection, script scanning, and traceroute); and -v, indicating the verbosity level. can get more data with -vv or -vvv

Answer 185

A

can be used for remotely accessing Linux systems. doesn’t include native encryption but can be used with SSH. can be used for banner grabbing; transferring files; port scanning

Answer 186

A

var/log/messages (contains general system messags)
var/log/boot.log (log entries created when the system boots)
var/log/auth.log (authentication log of logins)
var/log/kern.log (information logged by system kernel)
var/log/faillog (information on failed login attempts
var/log/httpd/ (if system is an apache server, this shows error logs)
utmp (info on current status of system, such as who is logged in)
wtmp (archive of utmp file)
btmp (reords failed login attempts)

Answer 187

A

security information and event management system.

provides a centralized solution for collecting, analyzing, and managing data from multiple sources

can be used to aggregate and correlate logs

Answer 188

A

credentialed scan, because it allowed the scan to see more information

Answer 189

A

high humidity can cause condensation on the equipment, causing water damage. low humidity allows a higher incidence of ESD

Answer 190

A

RAID-0 (striping only. requires at least 2 disks. increased R/W speed)

RAID-1 (Mirroring ony. uses at least 2 disks. provides redundency)

RAID-5 and 6 (5 requires 3 or more disks. provides striping similar to 0, but also includes parity for fault tolerance. one drive can fail and the data is not lost. 6 is an extension of 5 with an extra parity block. can recover even if 2 drives fail, but requires min of 4 disks)

RAID-10 (Mirroring and Striping. min of 4 drives.

Answer 191

A

two or more servers in a cluster configuration. at least one is active and at least one is inactive. if one fails, the inactive can take over without interruption

Answer 192

A

optimizes and distributes data loads across multiple computers or networks. can be hardware or software

Answer 193

A

full backup (backs up all the selected data)

differential backup (all data that has changed or is different since last full backup)

incremental backup (backs up all data that has changed since the last full OR incremental backup)

snapshots (captures the data at a point in time)

Answer 194

A

recovery time objective. The max amount of time it should take to restore a system after an outage

Answer 195

A

recovery point objective. refers to the amount of data you can afford to lose

Answer 196

A

mean time between failures. the average time between failures

Answer 197

A

mean time to recover. average time it takes to restore a failed system.

Answer 198

A

disaster recovery plan. includes a hierarchical list of critical systems and often prioritizes services to restore after an outage

Answer 199

A

load spreading technique in which users are directed to servers based on their IP

Answer 200

A

MD5 an SHA

Answer 201

A

128 bits - MD5 is considered cracked and is now only used for verifying file integrity

Answer 202

A

SHA-1: 160 bit

SHA-2 & 3: 224, 256, 384, and 512 bit

Answer 203

A

hash-based message authentication code.

a fixed-length string of bits similar to those from hashing algorithms. however, it also uses a shared secret key to add some randomness to the result and only the sender and receiver know the secret key

provides integrity through hashing, and authenticity by using the secret key

often used by IPsec and TLS

HMAC-MD5 creates 128 bit hashes
HMAC-SHA1 creates 160 bit hashes

Answer 204

A

RACE integrity primitives evaluation message digest.

Another hash function used for integrity, but not widely used. can create 128, 160, 256, and 320 bit hashes

Answer 205

A

a technique used to increase the strength of stored passwords and can help thwart brute force and rainbow table attacks

salts passwords with additional random bits to make them more complex

two common techniques are bcrypt and Password-Based Key Derivation Function 2 (PBKDF2)

Answer 206

A

a key stretching technique based on the Blowfish block cipher. used on Unix and Linux distributions to protect passwords.

Answer 207

A

a key stretching technique that uses salt of at least 64 bits and uses a pseudo-random function such as HMAC.

used by WPA2, iOS, and Cisco OSs, among others. Hash size can be 128, 256, or 512, most commonly

Answer 208

A

IV

starting value for cryptographic algorithm. fixed size random or pseudorandom number that helps create random encryption keys

Answer 209

A

logical operation used in some encryption schemes. compares two inputs. outputs false if they are they same, true if they are the different

Answer 210

A

confusion: ciphertext is significantly different than plaintext
diffusion: ensures that small changes in plaintext result in large changes in ciphertext

Answer 211

A

the security of an encryption key even if an attacker discovers part of the key

Answer 212

A

stream encrypt bit by bit and are more efficient when encrypting data in a continuous stream such as video or audio.
block encrypt data in specific sized block and are more efficient when the size of data is known

Answer 213

A

ECB: electronic codebook (simplest cipher mode. divide plaintext into blocks and encrypt each block using the same key)
CBC: Cipher Block Chaining (uses an IV for randomization when encrypting the first block. then combines each subsequent block with previous block using an XOR operation. sometimes less efficient due to pipeline delays)
CTM: counter mode (converts a block cipher into a stream cipher. combines an IV with a counter and uses the result to encrypt each plaintext block. runs faster on multiprocessor or multicore systems. widely used and respected as a secure mode)
GCM: Galois/Counter mode (combines counter mode with Galois mode. doesn’t authenticate users or systems, but provides integrity and confidentiality. includes hashing techniques for integrity)

Answer 214

A

uses same key to encrypt and decrypt data

Answer 215

A

advanced encryption standard. strong symmetric block cipher that uses 128 bit blocks

can use 128, 192, or 256 bit keys

Answer 216

A

data encryption standard. symmetric block cipher that was widely used dating back to the 70s. encrypts data in 64 bit blocks. uses 56 bit key. not used today

Answer 217

A

triple DES. a symmetric block cipher designed as an improvement over DES. encrypts data using DES in 3 separate passes and uses multiple keys. still uses 64 bit blocks. can use keys of 56, 112, or 168 bits

Answer 218

A

Rivest Cipher. symmetric stream cipher using between 40 and 2,048 bits.

it is speculated that agencies such as NSA can break RC4, so it is recommended to disable RC4 and use AES instead.

Answer 219

A

blowfish: strong symmetric block cipher encrypting 64-bit blocks and supporting keys between 32 and 448 bits. still widely used today and actually faster than AES in some instances.
twofish: related to blowfish, but encrypts in 128 bit blocks and supports 128, 192, or 256 bit keys

Answer 220

A

uses two different keys, a public and a private key, to encrypt and decrypt data

Answer 221

A

a digital document that typically includes the public key and information on the owner of the certificate

Answer 222

A

Rivest, Shamir, Adleman. asymmetric encryption method widely used due to its strong security. recommended key sizes of 2,048 bits through 2030, 3,072 bits for beyond 2030

Answer 223

A

static: semitransparent and stays the same over long periods of time
ephemeral: has a very short lifetime and is re-created for each session

Answer 224

A

elliptic curve cryptography. doesn’t take as much processing power as other cryptographic methods. often used with small wireless devices. formulates an elliptical curve, then graphs points on the curve to create keys

Answer 225

A

diffie-hellman. key exchange algorithm used to privately share a symmetric key between two parties. supports both static and ephemeral keys.

RSA is based on DH using static keys

DHE uses ephemeral keys with a new key each session.

ECDHE uses ephemeral keys generated using ECC

Answer 226

A

senders private key encrypts, sender’s public key decrypts

Answer 227

A

recipients public key encrypts, recipients private key decrypts

Answer 228

A

web site’s public key encrypts, web site’s private key decrypts, the symmetric key encrypts data in the web site session

Answer 229

A

encrypted hash of a message. sender’s private key encrypts the hash of the message and the recipient decrypts the hash with the sender’s public key. if successful, it provides authentication, non-repudiation, and integrity

Answer 230

A

secure/multipurpose internet mail extensions. standard used to digitally sign/encrypt email. uses RSA for asymmetric encryption and AES for symmetric.

Answer 231

A

pretty good privacy. method used to secure email communication. can encrypt, decrypt, and digitally sign email.
GPG is GNU Privacy Guard, based on OpenPGP standard
uses RSA algorithm and public/private keys for encrytion/decryption

Answer 232

A

a set of hardware, software, and/or firmware that implements cryptographic functions including encryption, hashing, key gen, and authentication techniques

Answer 233

A

a software library of cryptographic standards and algorithms. typically distributed within crypto modules

Answer 234

A

an attack which forces a system to downgrade its security. the attacker then exploits the lesser security control. to prevent this, admins should disable weak cipher suites and weak protocols on servers

Answer 235

A

the first certificate created by the CA that identifies it. if the root certificate is placed in the root CA store, all certificates issued by the CA are trusted

Answer 236

A

certificate signing request. a request sent to CA including the purpose of the certificate, info on the web site, public key, and the requester. CA validates the request and creates the certificate. first step in CSR is to create the RSA-based private key, which is used to create the public key included in the request

Answer 237

A

certificate revocation list. ncludes a list of revoked certificates and is publicly available.

Answer 238

A

the Online Certificate Status Protocol (OCSP) which returns answers such as good, revoked, or unknown. OCSP stapling appends a digitally signed OCSP response to a certificate.

Answer 239

A

a security mechanism designed to prevent attackers from impersonating a web site using fraudulent certificates.

web server sends a list of public key hashes that clients can use to validate certificates sent to clients in subsequent sessions

Answer 240

A

the process of placing a copy of a private key in a safe environment.

useful for recovery. if original is lost, organization retrieves a copy of the key to access data

in some cases, a copy of the key is provided to a 3rd party

Answer 241

A

a designated individual who can recover or restore cryptographic keys

Answer 242

A

starts with an asterisk and can be sued for multiple domains, but each domain must have the same root domain. for example, *.google.com may be used for all google domains

Answer 243

A

subject alternative name. used for multiple domains that have different names but are owned by the same org.

Answer 244

A

CER: .cer extension, ASCII format, used for ASCII certificates
DER: .der extension, binary format, used for binary certificates
PEM: .pem, .cer, .crt, .key; used for binary or ASCII formats, can be used for almost any certificate purpose, can contain server certificates, certificate chains, keys, CRL
P7B: .p7b, .p7c; used to share public key in ASCII format. never holds private key
P12/PFX: .p12, .pfx; commonly used to store private keys in binary format

Answer 245

A

written documents that lay out a security plan within a company

Answer 246

A

defines proper system usage or the rules of behaviour for employees when using IT systems

Answer 247

A

help detect when employees are involved in malicious activity such as fraud or embezzlement

Answer 248

A

a principle that prevents any single person or entity from being able to complete all the functions of a critical or sensitive process

Answer 249

A

require employees to change roles on a regular basis to help ensure that employees cannot continue with fraudulent activity indefinitely

Answer 250

A

directs users to keep their areas organized and free of papers in order to reduce threats of security incidents by ensuring the protection of sensitive data

Answer 251

A

interconnection security agreement. specifies technical and security requirements for planning, establishing, maintaining, and disconnecting a secure connection between two or more entities

Answer 252

A

service level agreement. agreement between a company and a vendor that stipulates performance expectations

Answer 253

A

memorandum of agreement/understanding. expresses an understanding between two or more parties indicating their intention to work together toward a common goal. often supports an ISA

Answer 254

A

business partners agreement. a written agreement that details the relationship between business partners including their obligation towards the partnership

Answer 255

A

general sanitization term indicating that all sensitive data has been removed from a device

Answer 256

A

mandates that organizations protect PHI

Answer 257

A

Gramm-Leach Bliley Act. also known as Financial Services Modernization Act and includes a Financial Privacy Rule. requires financial institutions to provide consumers with a privacy notice explaining what information they collect and how it is used

Answer 258

A

Sarbanes-Oxley Act. requires that executives within an organization take individual responsibility for the accuracy of financial reports

Answer 259

A

General Data Protection Regulation. EU directive mandating the protection of privacy data for individuals within the EU

Answer 260

A

Preparation: occurs before an incident, provides guidance to personnel on how to respond
Identification: verify that a reported incident is an actual security incident
Containment: attempt to isolate or contain the incident through quarantine or removing the device from the network
Eradication: remove components of the attack such as installed malware, or deleting/disabling compromised accounts
Recover: return all affected systems to normal ops and verify they are operating normally. may include rebuilding systems from images, restoring data from backups, etc.
Lessons learned: review the incident for possible lessons learned for future incidents

Answer 261

A

the order in which you should collect evidence. the order from most volatile to least is:

data in cache memory including processor and HDD
data in RAM including system and network processes
A paging file on the system disk
data stored on local disk drives
logs stored on remote systems
archive media

Answer 262

A

web app firewall (WAF)

Answer 263

A

mail gateway

Brainscape's Knowledge GenomeTM

Sec Two Flashcards

Brainscape's Knowledge Genome^TM