Sec Two Flashcards

Question

What is SAML?

Answer 1

an XML based standard used to exchange authentication and authorization info between parties

Answer 2

links a user's credentials from different networks or OSs, but treats it as one identity

Answer 3

open source federated identity solution

Answer 4

commonly used authentication solutions allowing users to log on to many web sites with another account

Answer 5

- Least privilege - No account sharing - Admin should have 2 accounts (one non-admin account) - Account disablement policy for users that leave - routinely delete accounts that are no longer needed

Answer 6

role-BAC (RBAC) - grants access based on user roles such as jobs, functions, or assigned tasks - rule-BAC (RBAC) - grants access based on approved instructions such as rules triggered in response to detected attack - discretionary (DAC) - every object has an owner, that owner can determine everyone else's access - major flaw is susceptibility to trojan horses - Mandatory access control (MAC) - uses sensitivity labels to identify objects and users, users with matching labels can access - attribute-based (ABAC) evaluates attributes and grants access based on the value of the attributes. often used in software-defined networks

Answer 7

Real time transport protocol (RTP) and secure real time transport protocol (SRTP) - SRTP provides encryption, message authentication, and integrity

Answer 8

File transfer protocol (FTP)

Answer 9

File Transfer Protocol Secure (FTPS - uses TLS) Secure File Transfer Protocol (SFTP - uses SSH) Secure Shell (SSH) Secure Socket Layer (SSL - Deprecated) Transport Layer Security (TLS)

Answer 10

995 (legacy) or with STARTTLS on port 110

Answer 11

port 993 (Legacy) or with STARTTLS on port 143

Answer 12

SSH or RDP

Answer 13

provides time synchronization services

Answer 14

IPv4 addresses

Answer 15

IPv6 addresses

Answer 16

zone transfers and secure zone transfers

Answer 17

TCP 53 for zone transfers and UDP 53 for DNS Client queries

Answer 18

provides validatin for DNS responses and helps prevent DNS poisoning attacks

Answer 19

nslookup (windows) and dig (Linux)

Answer 20

download all zone data from DNS server, unless it is blocked

Answer 21

map MAC addresses to physical ports

Answer 22

limiting number of MAC addresses per port, and disabling unused ports

Answer 23

connects multiple switches together in a network

Answer 24

connect networks and direct traffic based on the destination IP address use rules within access control lists (ACLs) to allow or block traffic

Answer 25

indicates that unless something is explicitly allowed, it is denied. it is the last rule in an ACL

Answer 26

filter traffic in and out of a network | placed on border of network

Answer 27

controls traffic between networks using rules within an ACL

Answer 28

filters traffic based on the state of a packet within a session

Answer 29

protects a web server against web application attacks. Typically placed in the DMZ and alerts admins of suspicious activity

Answer 30

provides a layer of protection for servers that are accessible from the internet typically sits between two different firewalls

Answer 31

an internal network used to communicate and share content with each other

Answer 32

part of a network that can be accessed by authorized entities from outside the network

Answer 33

translates public IP addresses to private IP addresses and vice versa

Answer 34

a metaphor for physical isolation, indicating a system or network is completely isolated from another system or network

Answer 35

forward requests for services from a client can cache and record users' internet activity

Answer 36

transparent accepts and forwards requests without modifying them nontransparent can modify or filter requests, such as filtering based on the URL

Answer 37

proxy server which accepts traffic from the internet and forwards it to one or more internal servers, then returns the result to the requester

Answer 38

unified threat management. a security appliance which includes multiple layers of protection, such as URL filters, content inspection, malware inspection, and DDoS mitigator

Answer 39

gateway placed between an email server and the internet. examines and analyzes all traffic and can block unsolicited email. may include data loss prevention (DLP) and encryption capabilities

Answer 40

protects against switching loop problems, such as when a user connects two switch ports together with a cable.

Answer 41

Spanning Tree Protocol (STP)

Answer 42

prevent MAC flood attacks on switches

Answer 43

logically separated computers or logically grouped computers regardless of their physical location. can be created with layer 3 switches

Answer 44

router using rules within ACLs

Answer 45

used to monitor and configure network devices and uses notification messages known as traps. Uses strong authentication mechanisms and uses UDP ports 161 and 162

Answer 46

intrusion detection systems and intrusion prevention systems | inspect traffic using the same functionality as a protocol analyzer

Answer 47

HIDS can detect attacks on local systems and protect local resources on the host. Can also detect some malware not detected by traditional antivirus NIDS detects attacks on the network

Answer 48

uses a signatures to detect known attacks or vulnerabilities

Answer 49

require a baseline and detect attacks based on anomalies or when traffic is outside of expected boundaries compared to the baseline

Answer 50

IPS is placed inline with traffic while an active IDS is out of band

Answer 51

dedicated hardware device that handles TLS traffic, allowing other devices to offload TLS traffic

Answer 52

allows an organization to inspect traffic, even when traffic is using SSL or TLS

Answer 53

(SDN) uses virtualization tech to route traffic instead of using hardware routers or switches. separates the data and control planes

Answer 54

servers that appear to have valuable data in an attempt to divert attackers from live networks. honeynet is a group of honeypots that looks like a full network can also be used to observe current attack methodologies

Answer 55

provides strong port security using port-based authentication. prevents rogue devices from connecting to a network by ensuring only authorized clients can connect

Answer 56

fat AP has everything needed to connect wireless clients to wireless network. thin AP is controller-based. multiple thin APs are typically configured and managed by one controller

Answer 57

attackers can easily discover authorized MACs and spoof an authorized MAC address

Answer 58

they have narrower beams and longer ranges

Answer 59

network set up between two or more devices connected together without an AP

Answer 60

TKIP (temporal key integrity protocol)

Answer 61

counter mode cipher block chaining message authentication code protocol (CCMP) which is based on AES

Answer 62

one of the extensible authentication protocol (EAP) versions such as Protected EAP (PEAP), EAP Tunneled TLS (EAP-TTLS), EAP-TLS, or EAP-Flexible Authentication via Secure Tunneling (EAP-FAST)

Answer 63

EAP-TLS - requires a certificate on the server and each of the wireless clients PEAP and EAP-TTLS only require certificate on the server PEAP is often implemented with MS-CHAPv2 LEAP is proprietary to Cisco and does not require a certificate. EAP-FAST replaces LEAP

Answer 64

forces wireless clients to complete a process such as acknowledging a policy or paying for access before being granted access to the network

Answer 65

effectively removes a wireless client from a wireless network, forcing it to reauthenticate

Answer 66

allows users to set up a WAP to allow access by pressing a button or entering a short PIN. WPS PINs can be discovered within hours and are not secure. The PIN can then be used to discover the passphrase

Answer 67

an AP placed within a network without official authorization.

Answer 68

a rogue AP with the same SSID as a legitimate access point

Answer 69

floods a wireless frequency with noise, blocking wireless traffic

Answer 70

initialization vector attack. Attempts to discover the IV and uses it to discover the passphrase. WPA2 isn't susceptible to an IV attack

Answer 71

near field communication attack. uses an NFC reader to read data from mobile devices

Answer 72

the practice of sending unsolicited messages to a phone

Answer 73

the unauthorized access to, or theft of information from, a bluetooth device

Answer 74

an attacker captures data sent between two entities, modifies it, and then impersonates one of the parties by replaying the data. WPA2 using CCMP and AES prevents wireless replay attacks

Answer 75

radio frequency identification attack. includes eavesdropping, replay, and DoS

Answer 76

provides secure access to private networks via a public network, such as the internet.

Answer 77

dedicated devices that provide secure remote access to remote users

Answer 78

a common tunneling protocol used with VPNs. Secures traffic within a tunnel. provides authentication with an Authentication Header (AH). Encapsulating security payload (ESP) encrypts traffic and provides CIA

Answer 79

tunnel mode encrypts the entire IP packet used in the internal network. Transport mode only encrypts the payload and is commonly used in private networks, but not with VPNs

Answer 80

full tunnel encrypts all traffic after a user has connected to a VPN. Split tunnel encrypts only traffic destined for the VPNs private network

Answer 81

provide secure access between two networks. Can be on-demand or always-on VPNs

Answer 82

network access control. inspects clients for specific health conditions such as up to date antivirus, and can redirect unhealthy clients to a remediation or quarantine network

Answer 83

permanent is installed on client and stays on clinet dissolvable is downloaded and run, then deleted when the session ends. commonly used for BYOD devices

Answer 84

when a user accesses a private network from a remote location, such as with a VPN

Answer 85

password authentication protocol. uses password or PIN for authentication. weakest authentication protocol because it sends passwords as cleartext

Answer 86

challenge handshake authentication protocol. mroe secure than PAP and uses a handshake process when authenticating clients

Answer 87

microsoft versions of CHAP. CHAPv2 provides mutual authentication

Answer 88

provides central authentication for multiple remote access services. relies on the use of shared secrets and only encrypts the PW during authentication procses. uses UDP

Answer 89

used by some Cisco systems as an alternative to RADSIUS. uses TCP, encrypts the entire authentication process, and supports multiple challenges and responses

Answer 90

an improvement over RADIUS. uses TCP, encrypts the entire authentication process, and supports many additional capabilities

Answer 91

protocols when provide authentication, authorization, and accounting. examples include RADIUS, TACACS+, and Diameter

Answer 92

core system design principle stating that systems should only be deployed with the applications, services, and protocols needed to function

Answer 93

one which meets a set of predetermined requirements such as those defined in the Common Criteria

Answer 94

a secure starting point for systems, created with a template or other baseline

Answer 95

procedures which ensure OS's and applications are kept up to date with current patches to ensure protection against known vulnerabilities

Answer 96

creating virtual machines or using chroot(on linux) to test security controls and patches in an isolated environment

Answer 97

electromagentic interference. comes from sources such as motors, power lines, and flourescent lights, and can be prevented with shielding

Answer 98

electromagnetic pulse. a short burst of electromagnetic energy

Answer 99

full disk encryption. encrypts an entire disk

Answer 100

self-encrypting drive. includes hardware and software necessary to automatically encrypt a drive

Answer 101

Trusted Platform Module. A chip included in many laptops and mobile devices that provides full disk encryption, a secure boot process, and supports remote attestation. Have an encryption key burned into them that provides hardware root of trust

Answer 102

hardware security module. kind of like a removable TPM. generates and stores RSA encryption keys and can be integrated with servers to provide hardware based encryption

Answer 103

cloud access security broker. A software tool or service deployed between an organization's network and cloud provider. Monitors all network traffic and can enforce security policies acting as Security as a Service

Answer 104

corporate-owned, personally enabled. Refers to mobile devices owned by the organization but used by an employee for personal use

Answer 105

choose your own device. employer provides a list of acceptable devices and allows employees with one of those devices to connect to the network

Answer 106

virtual desktop infrastructure. provides a virtual desktop that users can access from their mobile devices

Answer 107

mobile device management. Tools which help ensure that devices meet minimum security requirements. Can monitor devices, enforce security policies, and block network access if req's/policies are not met. Can restrict apps on devices, segment nad encrypt data, enforce strong authentication methods, and implement securtiy methods such as screen lock and remote wipe

Answer 108

supervisory control and data acquisition system. controls an industrial control system (ICS) typically used in large facilities like power plants or water treatment facilities. Should be in isolated networks without access to the internet, and sometimes are protected by NIPS

Answer 109

real-time operating system. OS which reacts to input within a specific time

Answer 110

individual columns, entire database, individual files, entire disks, and removable media

Answer 111

encryption and strong access controls

Answer 112

unauthorized transfer of data outside an organization

Answer 113

data loss prevention. techniques and technologies which help prevent data loss. Can block transfer of data to USB devices and analyze outgoing data via email to detect unauthorized transfers

Answer 114

virus: malicious code that attaches itself to a host application. Host app must be executed for the virus to run. Virus tries to replicate by finding other host applications to infect with the code. payload is typically damaging, deleting files, causing random reboots, join computer to botnet, or enable backdoors. Worm: self-replicating malware that travels without the assistance of a host application. Resides in memory and uses different transport protocols to travel the network. consume network bandwidth and can replicate hundreds of times to spread all over network trojan: looks like something beneficial but is actually malicious. often delivered via drive-by downloads

Answer 115

string of code embedded into an app or script that will execute in response to an event.

Answer 116

remote access trojan. allows attackers to take control of systems from remote locations. often delivered via drive-by downloads

Answer 117

malware with system-level or kernel access and can modify system files and system access. hide their running processes to avoid detection with hooking techniques. tools that can inspect RAM can discover these hooked processes

Answer 118

intercepting system-level function calls, events, or messages in order to control the system's behaviour

Answer 119

attempts to discover which web sites a group of people are likely to visit and then infects those websites with malware

Answer 120

phishing using the phone system to trick users into giving up personal and financial information

Answer 121

DoS is an attack from a single source DDoS attacks include multiple computers attacking a single target and are typically sustained abnormally high network traffic

Answer 122

MAC address and IP address

Answer 123

attacker sends a flood of SYN packets but never returns a SYN/ACK packet in response to the ACK packet, leaving the full TCP session unistablished and the server with multiple half-open connections

Answer 124

Kerberos using mutual authentication

Answer 125

attacker sends ARP reply with a bogus MAC address for the default gateway. without the correct default gateway address, traffic can never leave the network

Answer 126

manipulates the DNS process. tries to corrupt the DNS server or the DNS client. redirects users to a different site.

Answer 127

a type of DDoS attack. typically uses a method that significantly increases the amount of traffic sent to or requested from a victim.

Answer 128

spoofs the source address of a directed broadcast ping packet to flood a victim with ping replies

Answer 129

timestamps and sequence numbers

Answer 130

attackers hijack session ID from cookies and impersonate the user

Answer 131

attacker changes the registration of a domain name without permission from the owner

Answer 132

a proxy trojan horse that infects vulnerable web browsers. can capture browser session data, including keyloggers to captures keystrokes, and all data sent to and from web browser

Answer 133

attackers can create shims or rewrite internal code to fool the OS into using a manipulated driver instead of the real driver

Answer 134

bug in a computer app that causes app to consume more and more memory the longer it runs. can eventually cause system crash.

Answer 135

attack attempts to use or create a numeric value that is too big for an application to handle resulting in inaccurate results

Answer 136

an attack that injects a DLL into a system's memory and causes it to run

Answer 137

cross-site request forger. An attack where an attacker tricks a user into performing an action on a web site

Answer 138

a structure used to provide a foundation. in cybersecurity, they typically use a structure of basic concepts and provide guidance to professionals on how to implement security in various systems

Answer 139

frameworks based on relevant laws and regulations such as HIPAA

Answer 140

frameworks not required by law, but typically identify common standards and best practices that orgs can follow such as COBIT (control objectives for information related technologies)

Answer 141

when two different passwords produce the same hash. occurs with weak hashing algorithms

Answer 142

when an attacker tries to produce a password that produces the same hash as the real password

Answer 143

adding additional characters to passwords before hashing them to prevent many types of attacks, including dictionary, brute force, and rainbow table attacks

Answer 144

additional code that can be run instead of the original driver

Answer 145

using a digital signature within a certificate to authenticate and validate software code

Answer 146

server side. Client side can be used as well, but can be bypassed, so server side is better

Answer 147

measures the risk using a specific monetary amount, making it easier to prioritize risks

Answer 148

single loss expectancy. the cost of any single loss

Answer 149

annual rate of occurrence. indicates how many times the loss will occur in a year

Answer 150

annual loss expectancy. the value of SLE * ARO

Answer 151

uses judgment to categorize risks based on likelihood of occurrence

Answer 152

a record of information about identified risks, or a repository for all risks identified and includes additional information abotu each risk

Answer 153

evaluating the raw materials supply sources and all the processes required to create, sell, and distribute a product

Answer 154

discovering devices on the network and how they are connected to each other often done as part of a network scan, but a full network scan also includes identifying open ports, running services, and OS details

Answer 155

a technique used to gain information about remote systems and is used by many network scanners often used to identify the OS along w/ information about some applications

Answer 156

``` open ports weak passwords default accounts and passwords sensitive data security and configuration errors ```

Answer 157

collecting information about a targeted system, network, or organization using open-source intelligence such as social media, news, or an org's website or from passively collecting info from a network such as SSIDs

Answer 158

includes using tools to send data to systems and analyzing the responses

Answer 159

command-line packet analyzing (protocol analyzer) allowing you to capture packets like with Wireshark, but for Linux

Answer 160

a network scanner. its graphical counterpart is zenmap. can identify all active hosts and IP addresses in a network, the protocols and services running on each, and the OS Has switches Tx (x = 0 through 5, with 0 being slowest and 5 being fastest); -A (indicates the scan should include OS detection, version detection, script scanning, and traceroute); and -v, indicating the verbosity level. can get more data with -vv or -vvv

Answer 161

can be used for remotely accessing Linux systems. doesn't include native encryption but can be used with SSH. can be used for banner grabbing; transferring files; port scanning

Answer 162

- var/log/messages (contains general system messags) - var/log/boot.log (log entries created when the system boots) - var/log/auth.log (authentication log of logins) - var/log/kern.log (information logged by system kernel) - var/log/faillog (information on failed login attempts - var/log/httpd/ (if system is an apache server, this shows error logs) - utmp (info on current status of system, such as who is logged in) - wtmp (archive of utmp file) - btmp (reords failed login attempts)

Answer 163

security information and event management system. provides a centralized solution for collecting, analyzing, and managing data from multiple sources can be used to aggregate and correlate logs

Answer 164

credentialed scan, because it allowed the scan to see more information

Answer 165

high humidity can cause condensation on the equipment, causing water damage. low humidity allows a higher incidence of ESD

Answer 166

RAID-0 (striping only. requires at least 2 disks. increased R/W speed) RAID-1 (Mirroring ony. uses at least 2 disks. provides redundency) RAID-5 and 6 (5 requires 3 or more disks. provides striping similar to 0, but also includes parity for fault tolerance. one drive can fail and the data is not lost. 6 is an extension of 5 with an extra parity block. can recover even if 2 drives fail, but requires min of 4 disks) RAID-10 (Mirroring and Striping. min of 4 drives.

Answer 167

two or more servers in a cluster configuration. at least one is active and at least one is inactive. if one fails, the inactive can take over without interruption

Answer 168

optimizes and distributes data loads across multiple computers or networks. can be hardware or software

Answer 169

full backup (backs up all the selected data) differential backup (all data that has changed or is different since last full backup) incremental backup (backs up all data that has changed since the last full OR incremental backup) snapshots (captures the data at a point in time)

Answer 170

recovery time objective. The max amount of time it should take to restore a system after an outage

Answer 171

recovery point objective. refers to the amount of data you can afford to lose

Answer 172

mean time between failures. the average time between failures

Answer 173

mean time to recover. average time it takes to restore a failed system.

Answer 174

disaster recovery plan. includes a hierarchical list of critical systems and often prioritizes services to restore after an outage

Answer 175

load spreading technique in which users are directed to servers based on their IP

Answer 176

MD5 an SHA

Answer 177

128 bits - MD5 is considered cracked and is now only used for verifying file integrity

Answer 178

SHA-1: 160 bit | SHA-2 & 3: 224, 256, 384, and 512 bit

Answer 179

hash-based message authentication code. a fixed-length string of bits similar to those from hashing algorithms. however, it also uses a shared secret key to add some randomness to the result and only the sender and receiver know the secret key provides integrity through hashing, and authenticity by using the secret key often used by IPsec and TLS HMAC-MD5 creates 128 bit hashes HMAC-SHA1 creates 160 bit hashes

Answer 180

RACE integrity primitives evaluation message digest. Another hash function used for integrity, but not widely used. can create 128, 160, 256, and 320 bit hashes

Answer 181

a technique used to increase the strength of stored passwords and can help thwart brute force and rainbow table attacks salts passwords with additional random bits to make them more complex two common techniques are bcrypt and Password-Based Key Derivation Function 2 (PBKDF2)

Answer 182

a key stretching technique based on the Blowfish block cipher. used on Unix and Linux distributions to protect passwords.

Answer 183

a key stretching technique that uses salt of at least 64 bits and uses a pseudo-random function such as HMAC. used by WPA2, iOS, and Cisco OSs, among others. Hash size can be 128, 256, or 512, most commonly

Answer 184

IV starting value for cryptographic algorithm. fixed size random or pseudorandom number that helps create random encryption keys

Answer 185

logical operation used in some encryption schemes. compares two inputs. outputs false if they are they same, true if they are the different

Answer 186

confusion: ciphertext is significantly different than plaintext diffusion: ensures that small changes in plaintext result in large changes in ciphertext

Answer 187

the security of an encryption key even if an attacker discovers part of the key

Answer 188

stream encrypt bit by bit and are more efficient when encrypting data in a continuous stream such as video or audio. block encrypt data in specific sized block and are more efficient when the size of data is known

Answer 189

ECB: electronic codebook (simplest cipher mode. divide plaintext into blocks and encrypt each block using the same key) CBC: Cipher Block Chaining (uses an IV for randomization when encrypting the first block. then combines each subsequent block with previous block using an XOR operation. sometimes less efficient due to pipeline delays) CTM: counter mode (converts a block cipher into a stream cipher. combines an IV with a counter and uses the result to encrypt each plaintext block. runs faster on multiprocessor or multicore systems. widely used and respected as a secure mode) GCM: Galois/Counter mode (combines counter mode with Galois mode. doesn't authenticate users or systems, but provides integrity and confidentiality. includes hashing techniques for integrity)

Answer 190

uses same key to encrypt and decrypt data

Answer 191

advanced encryption standard. strong symmetric block cipher that uses 128 bit blocks can use 128, 192, or 256 bit keys

Answer 192

data encryption standard. symmetric block cipher that was widely used dating back to the 70s. encrypts data in 64 bit blocks. uses 56 bit key. not used today

Answer 193

triple DES. a symmetric block cipher designed as an improvement over DES. encrypts data using DES in 3 separate passes and uses multiple keys. still uses 64 bit blocks. can use keys of 56, 112, or 168 bits

Answer 194

Rivest Cipher. symmetric stream cipher using between 40 and 2,048 bits. it is speculated that agencies such as NSA can break RC4, so it is recommended to disable RC4 and use AES instead.

Answer 195

blowfish: strong symmetric block cipher encrypting 64-bit blocks and supporting keys between 32 and 448 bits. still widely used today and actually faster than AES in some instances. twofish: related to blowfish, but encrypts in 128 bit blocks and supports 128, 192, or 256 bit keys

Answer 196

uses two different keys, a public and a private key, to encrypt and decrypt data

Answer 197

a digital document that typically includes the public key and information on the owner of the certificate

Answer 198

Rivest, Shamir, Adleman. asymmetric encryption method widely used due to its strong security. recommended key sizes of 2,048 bits through 2030, 3,072 bits for beyond 2030

Answer 199

static: semitransparent and stays the same over long periods of time ephemeral: has a very short lifetime and is re-created for each session

Answer 200

elliptic curve cryptography. doesn't take as much processing power as other cryptographic methods. often used with small wireless devices. formulates an elliptical curve, then graphs points on the curve to create keys

Answer 201

diffie-hellman. key exchange algorithm used to privately share a symmetric key between two parties. supports both static and ephemeral keys. RSA is based on DH using static keys DHE uses ephemeral keys with a new key each session. ECDHE uses ephemeral keys generated using ECC

Answer 202

senders private key encrypts, sender's public key decrypts

Answer 203

recipients public key encrypts, recipients private key decrypts

Answer 204

web site's public key encrypts, web site's private key decrypts, the symmetric key encrypts data in the web site session

Answer 205

encrypted hash of a message. sender's private key encrypts the hash of the message and the recipient decrypts the hash with the sender's public key. if successful, it provides authentication, non-repudiation, and integrity

Answer 206

secure/multipurpose internet mail extensions. standard used to digitally sign/encrypt email. uses RSA for asymmetric encryption and AES for symmetric.

Answer 207

pretty good privacy. method used to secure email communication. can encrypt, decrypt, and digitally sign email. GPG is GNU Privacy Guard, based on OpenPGP standard uses RSA algorithm and public/private keys for encrytion/decryption

Answer 208

a set of hardware, software, and/or firmware that implements cryptographic functions including encryption, hashing, key gen, and authentication techniques

Answer 209

a software library of cryptographic standards and algorithms. typically distributed within crypto modules

Answer 210

an attack which forces a system to downgrade its security. the attacker then exploits the lesser security control. to prevent this, admins should disable weak cipher suites and weak protocols on servers

Answer 211

the first certificate created by the CA that identifies it. if the root certificate is placed in the root CA store, all certificates issued by the CA are trusted

Answer 212

certificate signing request. a request sent to CA including the purpose of the certificate, info on the web site, public key, and the requester. CA validates the request and creates the certificate. first step in CSR is to create the RSA-based private key, which is used to create the public key included in the request

Answer 213

certificate revocation list. ncludes a list of revoked certificates and is publicly available.

Answer 214

the Online Certificate Status Protocol (OCSP) which returns answers such as good, revoked, or unknown. OCSP stapling appends a digitally signed OCSP response to a certificate.

Answer 215

a security mechanism designed to prevent attackers from impersonating a web site using fraudulent certificates. web server sends a list of public key hashes that clients can use to validate certificates sent to clients in subsequent sessions

Answer 216

the process of placing a copy of a private key in a safe environment. useful for recovery. if original is lost, organization retrieves a copy of the key to access data in some cases, a copy of the key is provided to a 3rd party

Answer 217

a designated individual who can recover or restore cryptographic keys

Answer 218

starts with an asterisk and can be sued for multiple domains, but each domain must have the same root domain. for example, *.google.com may be used for all google domains

Answer 219

subject alternative name. used for multiple domains that have different names but are owned by the same org.

Answer 220

CER: .cer extension, ASCII format, used for ASCII certificates DER: .der extension, binary format, used for binary certificates PEM: .pem, .cer, .crt, .key; used for binary or ASCII formats, can be used for almost any certificate purpose, can contain server certificates, certificate chains, keys, CRL P7B: .p7b, .p7c; used to share public key in ASCII format. never holds private key P12/PFX: .p12, .pfx; commonly used to store private keys in binary format

Answer 221

written documents that lay out a security plan within a company

Answer 222

defines proper system usage or the rules of behaviour for employees when using IT systems

Answer 223

help detect when employees are involved in malicious activity such as fraud or embezzlement

Answer 224

a principle that prevents any single person or entity from being able to complete all the functions of a critical or sensitive process

Answer 225

require employees to change roles on a regular basis to help ensure that employees cannot continue with fraudulent activity indefinitely

Answer 226

directs users to keep their areas organized and free of papers in order to reduce threats of security incidents by ensuring the protection of sensitive data

Answer 227

interconnection security agreement. specifies technical and security requirements for planning, establishing, maintaining, and disconnecting a secure connection between two or more entities

Answer 228

service level agreement. agreement between a company and a vendor that stipulates performance expectations

Answer 229

memorandum of agreement/understanding. expresses an understanding between two or more parties indicating their intention to work together toward a common goal. often supports an ISA

Answer 230

business partners agreement. a written agreement that details the relationship between business partners including their obligation towards the partnership

Answer 231

general sanitization term indicating that all sensitive data has been removed from a device

Answer 232

mandates that organizations protect PHI

Answer 233

Gramm-Leach Bliley Act. also known as Financial Services Modernization Act and includes a Financial Privacy Rule. requires financial institutions to provide consumers with a privacy notice explaining what information they collect and how it is used

Answer 234

Sarbanes-Oxley Act. requires that executives within an organization take individual responsibility for the accuracy of financial reports

Answer 235

General Data Protection Regulation. EU directive mandating the protection of privacy data for individuals within the EU

Answer 236

- Preparation: occurs before an incident, provides guidance to personnel on how to respond - Identification: verify that a reported incident is an actual security incident - Containment: attempt to isolate or contain the incident through quarantine or removing the device from the network - Eradication: remove components of the attack such as installed malware, or deleting/disabling compromised accounts - Recover: return all affected systems to normal ops and verify they are operating normally. may include rebuilding systems from images, restoring data from backups, etc. - Lessons learned: review the incident for possible lessons learned for future incidents

Answer 237

the order in which you should collect evidence. the order from most volatile to least is: - data in cache memory including processor and HDD - data in RAM including system and network processes - A paging file on the system disk - data stored on local disk drives - logs stored on remote systems - archive media

Answer 238

web app firewall (WAF)

Answer 239

mail gateway