SecPlusP2 Flashcards
What is a challenge for multinational companies and cloud services regarding data sovereignty laws?
Complying with the requirement of data storage and processing within national borders
What access restrictions might cloud services impose due to data sovereignty laws?
Restricting access from multiple geographic locations
Why do data sovereignty and geographical considerations pose complex challenges?
They conflict with the global nature of multinational companies and cloud services
What is geofencing?
Virtual boundaries to restrict data access based on location
Why is geofencing important for data security?
Compliance with data sovereignty laws, prevent unauthorized access from high-risk locations
What does encryption protect?
Data at rest and in transit
What is needed to recover encrypted data?
Decryption key
What is masking?
Replace some or all data with placeholders
What is tokenization?
Replace sensitive data with non-sensitive tokens
What is obfuscation?
Make data unclear or unintelligible
What is hashing commonly used for?
Password storage
What is the purpose of hashing?
Irreversible one-way function
What is the purpose of masking?
Partially retains metadata for analysis
What is the purpose of tokenization?
Credit card protection
What is the purpose of obfuscation?
Irreversible de-identification method
What are some techniques used to hinder unauthorized understanding?
Encryption, masking, pseudonyms
How does segmentation help in network security?
Divides network into separate segments with unique security controls
What is the goal of Data Loss Prevention (DLP) systems?
To detect and prevent data theft
What are the three types of DLP systems?
Endpoint DLP, Network DLP, Storage DLP
What does a DLP system inspect?
Data at rest
What type of data does a DLP system inspect?
Encrypted or watermarked data
What does a DLP system monitor?
Data access patterns
What happens if a policy violation is detected?
It is flagged
What type of solution is a cloud-based DLP system?
Software-as-a-service
What does a cloud-based DLP system protect?
Data stored in cloud services
What are the three data states?
Data at rest, data in transit, data in use
What does an algorithm do in cryptography?
Performs encryption or decryption
What is the advantage of key rotation?
Best practice for security longevity
What type of encryption uses the same key for encryption and decryption?
Symmetric encryption
What type of encryption uses a pair of keys for encryption and decryption?
Asymmetric encryption
Name two symmetric algorithms.
DES, AES
Name two asymmetric algorithms.
Diffie-Hellman, RSA
What does hashing do?
Converts data into fixed-size string (digest) using hash functions
What are some examples of encryption algorithms?
MD5, SHA Family, RIPEMD, HMAC
What is Public Key Infrastructure (PKI)?
Framework managing digital keys and certificates for secure data transfer
What are digital certificates?
Electronic credentials verifying entity identity for secure communications
What is blockchain?
Decentralized, immutable ledger ensuring data integrity and transparency
What are some examples of encryption tools?
TPM, HSM, Key Management Systems, Secure Enclave
What are some types of cryptographic attacks?
Downgrade Attacks, Collision Attacks, Quantum Computing Threats
What is symmetric encryption?
Uses a single key for both encryption and decryption
What is asymmetric encryption?
Uses two separate keys: public key for encryption and private key for decryption
What is the hybrid approach to encryption?
Combines both symmetric and asymmetric encryption for optimal benefits
What is a stream cipher?
Encrypts data bit-by-bit or byte-by-byte in a continuous stream
What are the challenges with key distribution in symmetric encryption?
Requires both sender and receiver to share the same secret key
What are the commonly used algorithms for asymmetric encryption?
Diffie-Hellman, RSA, and Elliptic Curve Cryptography (ECC)
What are the advantages of using a block cipher?
Ease of implementation and security
What is the key size used in DES?
64-bit (56 effective bits due to parity)
What types of data streams are suitable for block ciphers?
Real-time communication data streams like audio and video
What is the encryption algorithm that encrypts data in 64-bit blocks through 16 rounds of transposition and substitution?
DES
What is the encryption algorithm that utilizes three 56-bit keys and provides 112-bit key strength?
Triple DES (3DES)
What is the encryption algorithm that uses a 128-bit key and is faster and more secure than DES?
IDEA (International Data Encryption Algorithm)
What is the block size of IDEA?
64-bit
What is AES?
US government encryption standard
What are the key sizes supported by AES?
128-bit, 192-bit, or 256-bit
What is Blowfish?
DES replacement with limited adoption
What are the key sizes supported by Twofish?
128, 192, or 256 bits
What is the RC Cipher Suite?
Cipher suite created by Ron Rivest
What are the key sizes supported by RC4?
40 to 2048 bits
What is the classification of the mentioned algorithms?
Symmetric block ciphers except for RC4 which is a stream cipher
What is public key cryptography?
No shared secret key required
What is the purpose of a key pair in encryption?
Public key for encryption and private key for decryption
What does the public key in encryption provide?
Confidentiality
What does the private key in encryption provide?
Non-repudiation
What are the roles of the private key and public key in encryption?
Private key encrypts, public key decrypts
What is the purpose of a digital signature?
Integrity and authentication
What is a hash digest?
Encrypted message with sender’s private key
How is the message encrypted in asymmetric cryptography?
With the receiver’s public key
What does asymmetric cryptography ensure?
Message integrity, non-repudiation, and confidentiality
What is the Diffie-Hellman algorithm used for?
Key exchange and secure key distribution
What are the vulnerabilities of Diffie-Hellman?
Man-in-the-middle attacks, requires authentication
What is RSA used for?
Key exchange, encryption, and digital signatures
What is the reliance of RSA encryption?
Factoring large prime numbers
What are the key sizes supported by RSA encryption?
1024 to 4096 bits
What is the cryptographic algorithm widely used in organizations and multi-factor authentication?
RSA
What algebraic structure does ECC use?
Elliptical curves
Where is ECC commonly used?
Mobile devices and low-power computing
How does ECC compare to RSA in terms of efficiency for equivalent security?
Six times more efficient
What are the variants of ECC?
ECDH, ECDHE
What is ECDSA?
Elliptic Curve Digital Signature Algorithm
What are common hashing algorithms?
MD5 (Message Digest Algorithm 5)
What is SHA-1?
Produces a 160-bit hash digest, less prone to collisions than MD5
What does SHA-2 offer?
Longer hash digests (SHA-224, SHA-256, SHA-384, SHA-512)
What is SHA-3?
Uses 224-bit to 512-bit hash digests, more secure, 120 rounds of computations
What is RIPEMD?
Competitor to SHA, available in 160-bit, 256-bit, and 320-bit versions
What is HMAC?
Hash-based Message Authentication Code
What are common digital signature algorithms?
DSA
How does a digital signature ensure non-repudiation?
Encrypts the hash with the sender’s private key
What is the purpose of a 160-bit message digest?
Verify data integrity
What is a common hashing attack known as?
Pass the Hash Attack
How can pass the hash attacks be prevented?
Trusted OS, proper Windows domain trusts, patching, multi-factor authentication, least privilege
What is a hub/control system?
Central component connecting IoT devices
What are smart devices?
Everyday objects with computing and internet capabilities
What are wearables?
Smart devices worn on the body
What do sensors do in IoT?
Detect changes and convert them into data
What are the risks associated with IoT?
Weak Default Settings, Poorly Configured Network Services
Why are weak default settings a common security risk in IoT?
Default usernames/passwords are easy targets for hackers
What can be done to mitigate the risk of weak default settings in IoT?
Changing defaults upon installation is essential
What are the risks of poorly configured network services in IoT?
Open ports and unencrypted communications can expose vulnerabilities
How can the attack surface of IoT devices be minimized?
Keeping IoT devices on a separate network is recommended
What is DLL?
Library
What is the name of the software that collects code and data that can be used simultaneously to allow for reuse and modularization?
software 62
What happens when two different messages result in the same hash digest?
Birthday Attack
What does longer hash output do to reduce collisions and mitigate the attack?
SHA-256)
How many replay attacks does DionTraining.com have?
92
What areStudy Notes?
CompTIA Security+ (SY0-701)
Where are PKI Components used?
HTTPS connections
What is a random shared secret key generated for?
symmetric encryption
What type of encryption does the shared secret use to create a secure tunnel?
AES
What is the purpose of establishing a website via HTTPS?
Secure Connection
What is the private key used to verify the web server’s identity?
93
What is the name of a shared secret?
Authentication
What standard does CompTIA Security+ use?
X.509 Standard
Where is the X.509 Standard used for digital certificates?
PKI
What does the X.509 Standard contain?
Contains owner’s/user’s information and certificate authority details
What is the name of the digital certificate that is signed by the same entity whose identity it it certifies?
Third-Party Certificates 95
What does CompTIA Security+ refer to?
Preferred for public-facing websites
What is the name of the study Notes Digital certificate issued and signed by trusted certificate authorities?
CompTIA Security+ (SY0-701)
What are Verisign, Google, etc?
Trusted third-party providers
What does CompTIA Security+ offer transparency, efficiency, and trust in the digital era?
Encryption Tools
What does CompTIA Security+ offer in the digital era?
Transparency, efficiency, and trust
What is the name of a hardware-level security tool?
Dedicated microcontroller
What is an Encryption Tools for Data Security?
TPM
How many devices are protected from unauthorized access?
100
What technique is used to prevent the suspicion that there’s any hidden data at all?
encryption
What is Data Obfuscation?
Data Masking
In what environments is data authenticated and usable?
testing environments
What does Assess and prioritize risks based on likelihood and impact?
Qualitative Risk Analysis
What does Numerically estimate probability and potential impact?
Quantitative Risk Analysis
What does Quantitative Risk Analysis mean?
Numerically estimate probability and potential impact
What are the Crucial Steps Continuous tracking and regular reporting Long-Term Impact Significant for the effectiveness of the risk management process
Risk Monitoring and Reporting
What is significant for the effectiveness of the risk management process?
Long-Term Impact
What is the term for Risk Assessment Frequency?
Regularity
What is regularity with which risk assessments are conducted within an organization?
Risk Assessment Frequency
What are the four main types of risk assessment frequencies?
Ad-Hoc Risk Assessments
What is a crucial first step in risk management?
Risk Identification
Risks can vary from financial and operational to what?
strategic and reputational
What is the ARO?
Annualized Rate of Occurrence
What is EF?
Exposure Factor
What are four primary risk management strategies?
Common methods
What is one of the four primary risk management strategies?
Risk Transference
What does one party agree to cover the other’s harm, liability, or loss resulting from the contract?
Doesn’t remove the risk
What is the responsibility for handling the risk’s financial consequences?
risk Acceptance
What are routers and switches composed of?
components from various suppliers
What does CompTIA Security+ (SY0-701) ensure secure manufacturing?
Trusted foundry programs
Devices may contain what?
malware or vulnerabilities
What is 118 https://www.DionTraining.com/?
Assess cybersecurity protocols
What is Study Notes?
CompTIA Security+ (SY0-701)
Collaborating with organizations and industry groups for what?
Joint defense
What is the purpose of incorporating contractual safeguards in contracts with suppliers or service providers?
Vendor Assessment
What is the process to evaluate the security, reliability, and performance of external entities?
Vendor Assessments
Why is it crucial to have a significant impact on multiple businesses?
interconnectivity
What is the name of the entity in the Vendor Assessment?
Entities in Vendor Assessment
What does MSPs do on behalf of organizations?
Manage IT services
What does the validation of supplier’s cyber?
security practices
What does Penetration Testing Validate?
cybersecurity practices
What does the right-to-audit clause allow organizations to evaluate vendor’s internal processes?
Compliance
What is a neutral perspective of external audits?
adherence to security or performance standards
What is the purpose of ensuring integrity of the vendor’s entire supply chain?
Vendor Selection and Monitoring
What does Supply Chain Analysis Assessment of an entire vendor supply chain for?
security and reliability
What does the evaluation of a team member include?
Financial stability
What do on-the-ground practices ensure?
cultural alignment
What could bias the selection process?
conflicts of interest
What do Vendor Questionnaires do?
Ensure productive and compliant interactions
What is the mechanism used to ensure that the chosen vendor still aligns with organizational needs and standards?
Vendor Monitoring
What is the name of the agreement that provides in-depth project-related information?
Non-Disclosure Agreement
What does DionTraining define ownership of?
Intellectual Property and revenue distribution
What is the name of the organization that identifies, assess, and manages potential risks?
Strategic Alignment
What is a mechanism for measuring and monitoring the performance of IT processes?
Performance Measurement
What is Adherence to laws, regulations, standards, and policies?
Compliance
What does non-compliance lead to penalties?
Trust and Reputation
What leads to penalties?
Non-compliance
What does compliance enhance reputation and foster trust?
Data Protection
What type of disasters are there?
disasters or disruptions
What are the key elements of organizational structure?
External entities influencing governance
What is the SDLC?
Software Development Lifecycle
What is the name of the information security policies that cover a range of areas?
Physical Security
What is the purpose of ensuring confidentiality, integrity, and availability of data?
Business Continuity Policy
What are strategies for?
power outages, hardware failures, and disasters
How many websites do Disaster Recovery Policy Addresses detection, reporting, assessment, response, and learning from?
129
What does CompTIA Security+ do during incidents?
Minimizes damage and downtime
What is the SDLC policy?
Software Development Lifecycle
What is the name of the standard for password hashing and salting for security?
Access Control Standards
How many Role Based Access Control models are there?
130
What type of access control model does DAC include?
Discretionary Access Control
What is RBAC?
Role Based Access Control
What do physical security standards address?
Environmental controls and secure areas for sensitive information
What does the systematic sequences of actions or steps taken to achieve a specific outcome in an organization do?
Ensures consistency, efficiency, and compliance with standards
What is the post-change review?
131
What are some of the tasks Offboarding manages when an employee leaves?
property retrieval, access disabling, and exit interviews
What is the name of a playbook that provides step-by-step instructions for consistent and efficient execution?
Detailed guides
What are organizations required to comply with different regulations?
Regulatory Considerations
How many Employment laws address minimum wage, overtime, safety, discrimination?
132
What can non-adoption lead to?
Competitive disadvantages and stakeholder criticism
What is a major challenge for navigating conflict of laws between jurisdictions?
Compliance
What is included in 133 https://www.DionTraining.com?
compliance reporting and compliance monitoring
What is included in compliance monitoring 133 https://www.DionTraining.com?
compliance reporting
What is the name of the two Types of Compliance Reporting?
Internal Compliance Reporting
What is the purpose of Compliance Reporting?
Systematic process of collecting and presenting data
What does an internal audit team conduct?
External Compliance Reporting
Ensures adherence to what?
internal policies and procedures
Who is responsible for ensuring compliance to internal policies and procedures?
internal audit team or compliance department
What type of monitoring does Compliance Monitoring include?
internal and external monitoring
What does Compliance Monitoring include?
due diligence and due care
What risks are identified through thorough review Due Care Mitigating identified risks Attestation and Acknowledgement At
Compliance
What is essential to avoid severe consequences?
Compliance in IT
What is the purpose of ensuring purchase alignment with company goals Validates budget allocation Assesses security and compatibility with existing infrastructure
Internal Approval Process
What is the name of the asset that is integrated into the existing workflow?
Mobile Asset Deployments
What is the post-Approval Procurement?
Product compatibility assessment
How many Main Mobile Device Deployment Models are there?
three
What is the name of the company that provides devices for employees?
CYOD
What do employees select devices from?
Employees select devices from a company-approved list
How many people are in your organization?
140
What are the specific needs of your organization?
Budget constraints
What provides a balance between flexibility and control?
CYOD
What is a systematic approach to governing and maximizing the value of items an entity is responsible for throughout the asset’s life cycle?
Tangible Assets
What approach to maximizing the value of items an entity is responsible for throughout the asset’s life cycle?
Systematic approach
What does the process of the allocation or assignment of ownership avoid?
ambiguity
What criteria should Classification and Categorization be based on?
Function and value
High value assets may require what?
stringent maintenance schedules
What can low value assets be considered for?
recycling or disposal
What is SY0-701?
CompTIA Security+
What is the name of an inventory that maintains an inventory with specifications, location, and assigned users?
Asset Tracking
What approach does Enumeration help maintain an accurate inventory?
Proactive approach
What is MDM?
Mobile Device Management
What is the purpose of removing outdated assets?
Asset Disposal and Decommissioning
What is the name of the need to manage the disposal of outdated assets?
Necessity to manage the disposal of outdated assets
What is the NIST Special Publication 800-88?
Guidelines for Media Sanitization
When is the NIST Special Publication?
800-88
What method is used to make data inaccessible and irretrievable from storage medium?
Overwriting
How often is it used to reduce the chance of the original data being recovered?
Repeated several times
What is a machine called to produce a strong magnetic field that can disrupt magnetic domains on storage devices?
a degausser
What is a permanent erasure of data but makes the device unusable?
unreadable and irretrievable
What is the purpose of a new tool?
Verifying the Change
What do Stakeholder interviews Address discrepancies or issues to refine and optimize the process Documenting the Change Maintain historical
Reflect on past initiatives and improve change management practices
How many websites does DionTraining.com have?
148
What does CompTIA Security+ have?
Technical Implications of Changes
How many times can restart critical services cause data loss?
149
What is an example of a backlog?
CompTIA Security+ (SY0-701)
What is the name of the document that prevents cascading effects, outages, or disruptions in various parts of your network?
Documenting Changes
What create dependencies?
Interconnected systems
What provides a clear history of what, when, and why for accountability and future reference?
Documenting changes
How many documents should all accompanying documentation be updated when implementing a change?
150
What helps improve change management practices?
Learn from past mistakes
What is a clear timeline of change actions?
Importance of Records
What help create a clear timeline of change actions?
Change requests and trouble tickets
What is the objective of Audits and Assessments?
Objective 5.5
What are audits?
Systematic evaluations
What is the name of the organization’s team?
External Audits
What is one example of a security measure?
Internal Audit Example
Who is responsible for identifying vulnerabilities?
third-party entities
What policy does the review of?
Data protection policies
What is CompTIA Security+?
Significance of Audits
What types of policies, procedures, and controls are there?
Security policies, procedures, and controls
What are Vulnerability Assessments?
Threat Assessments
What are the Categories before implementing new systems or significant changes?
Risk Assessments
Review processes, controls, and compliance Importance Ensure operational effectiveness and compliance to internal policies?
Internal Audits and Assessments
What do internal audits and assessments have?
Importance
What are independent evaluations by external parties?
External Audits and Assessments
What are Verification Areas?
Financial statements
What is Simulated cyber attacks to identify vulnerabilities?
Penetration Testing
What is another name for CompTIA Security+?
Pen Testing
How many Incident response procedures are there?
154
What is the name of the internal audit focus areas?
Concepts in Internal Audits
What are internal audit focus areas?
Password policies
What does ensuring adherence to?
established standards, regulations, and laws
What is essential for protecting sensitive data?
Compliance
What is the name of the internal audit that may be required for compliance with specific laws or regulations?
Audit Committee
What types of activities does a group oversee?
Audit and compliance
How many auditors are there?
155
Vulnerability assessments, what type of modeling exercises, and risk assessments are part of internal assessments?
Threat
What is the term for Assisted Internal Assessments?
Internal Assessment Process
What is the name of the Modeling Exercise?
Vulnerability Assessment
What does automated scanning tools and manual testing techniques help identify known vulnerabilities and code weaknesses?
Risk Assessment
What is used to identify known vulnerabilities and code weaknesses?
automated scanning tools
What type of professionals are involved in the Collaborative Approach To maximize the checklist’s effectiveness, involve a diverse group of participants from across
Cybersecurity professionals
What is the general format and purpose of self-assessments consistent across most organizations?
External Audits and Assessments
What is 158 https://www.DionTraining.com/?
Access controls
What can external assessments take various forms?
Threat assessments
What is the name of the CompTIA?
Security+
What is the name of the website that covers various areas of security?
Network security 159
What is the name of the infrastructure that Focuses on known assets Evaluates vulnerabilities and weaknesses Aims to understand exploitability
CompTIA Security+ (SY0-701)
How many audits are required to ensure the reliability and integrity of the following?
164
What is a CompTIA?
Security+
What may be provided to prove the occurrence of penetration testing?
A letter of attestation
Who may provide a letter of attestation to prove the occurrence of penetration testing?
third parties interested in network security
What does System Attestation Validate?
Security posture
What standard does System Attestation Validate the security posture of a system?
security standards 165
In what audits do third parties provide attestation on financial statements, regulatory compliance, and operational efficiency?
external audits
Explain the importance of what in security architecture?
resilience and recovery
What is the name of Cyber Resilience Ability to deliver outcomes despite adverse cyber events?
Redundancy
What is used for improved performance but offers no data redundancy?
CompTIA Security+ (SY0-701)
What is a Safeguard against catastrophic events by maintaining data in independent zones?
Disaster-tolerant
What are essential for ensuring data redundancy, availability, and performance in enterprise networks?
RAIDs
What is a critical strategic planning effort for organizations?
Ensures an organization is prepared to meet future demands in a cost-effective manner
What are specific requirements for RAID type?
performance and fault tolerance
What are the four main Aspects of Capacity Planning?
Ensure the right number of people with the right skills for strategic objectives
How many technology resources does DionTraining.com have?
173
What are some factors that should be considered for future technology demands?
scalability and potential investments in new technology
What is the definition of protecting data during transmission?
Importance
What does Importance Importance Importance Importance Importance Importance
Protecting data
What captures a consistent state 177 https://www.DionTraining.com?
Point-in-time copies
How many Point-in-time copies capture a consistent state?
177
What type of access can backup data be protected from?
unauthorized access and breaches
How do records change since the previous snapshot?
reducing storage requirements
What is the key step in data recovery?
Selection of the right backup
What are the key steps in the data recovery process?
Several key steps
What is essential in the recovery process?
a well-defined and tested recovery plan
What is the COOP?
Continuity of Operations Plan
What is used to maintain operations during disasters?
Cloud services
Who is responsible for developing the BC Plan Goals for BC and DR efforts?
senior management
How many senior managers are responsible for developing the BC Plan Goals for BC and DR efforts?
179
What is the name of the study note?
CompTIA Security+ (SY0-701)
Who is responsible for the Business Continuity Committee?
Comprises representatives from various departments
What is determined for different events Identifies and prioritizes systems critical for business continuity?
recovery priorities
What factors determine the scope of the plan?
risk appetite and tolerance
How many times does the Redundant Site have a slight delay?
180
What can be hot, warm, or cold?
Mobile Sites
How long is the Cold Sites ready?
1-2 months
What is the name of a virtual site that is fully replicated and instantly accessible in the cloud?
Virtual Hot Site
How many resources does DionTraining Enhance?
Disaster recovery capabilities
What is the purpose of assessing system’s ability to withstand and adapt to disruptive events?
Ensures the system can recover from unforeseen incidents
What is the purpose of recovery testing?
Ensures that planned recovery procedures work effectively in a real-world scenario
What does Scenario-based discussion among key stakeholders do?
Assess and improve an organization’s preparedness and response
Tabletop Exercises What type of discussion among key stakeholders?
Scenario-based discussion
What promotes team-building among stakeholders 182 https://www.DionTraining.com?
Identifies gaps and seams in response plans
What does CompTIA Security+ mean?
Low-cost and engaging
What is the name of Parallel Processing?
Resilience Testing
What is the name of the test that tests the ability of the system to handle multiple failure scenarios?
Recovery Testing
How does the system recover from multiple points of failure?
Tests the efficiency of the system to recover from multiple points of failure
What is the Security Architecture Objectives?
4.1
What is the name of an organization’s information security environment?
Security Architecture
What is a limitation of user permissions?
Monitor user activities for suspicious behavior
What are dynamic and require up-to-date security measures?
Cloud environments
What can weak Authentication and Encryption Practices do?
Strong encryption algorithms
What can weak authentication and encryption expose cloud systems and data?
Secure key management practices
What is the purpose of a secure deletion process?
Verify data removal after deletion
How many people are responsible for cloud security?
190
What is the name of the hardware that runs directly on hardware?
Type 2
What other hardware does ESXi run directly on?
Hyper-V, XenServer, ESXi
What is a standard OS?
VirtualBox, VMware
What is SDN?
Software-defined Network
What is complete isolation Logical Separation More flexible, easier to implement Less secure if not properly configured?
High security