Security+

Question 1

A server that acts as a central repository of all the user accounts and their associated passwords for the network

Answer 1

Domain Controller

Question 2

Occurs when an attacker modifies the host file to have the client bypass the DNS server and redirects them to an incorrect or malicious website

Answer 2

Altered Hosts File

Question 3

Certain operations that should only be performed once or not at all, such as initializing a memory location

Answer 3

Atomic Execution

Question 4

A multi-platform log management tool that helps to easily identify security risks, policy breaches or analyze operational problems in server logs, operation system logs and application logs

Answer 4

nxlog - nxlog is a cross-platform, open-source tool that is similar to rsyslog or syslog-ng

Question 5

Process where each user’s rights and permissions are revalidated to ensure they are correct

Answer 5

User Access Recertification

Question 6

Conducted between two business partners that establishes the
conditions of their relationship

Answer 6

Business Partnership Agreement (BPA)

Question 7

Fire suppression system that relies upon gas (HALON, FM-200, or CO2) instead of water to extinguish a fire

Answer 7

Clean Agent System - If you hear a loud alarm in the server room… GET OUT!

Question 8

A one-way cryptographic function which takes an input and produces a unique message digest

Answer 8

Hash - Instantly match integrity and hashing on the exam

Question 9

A tool to transfer data from or to a server, using one of the supported protocols (HTTP, HTTPS, FTP, FTPS, SCP, SFTP, TFTP, DICT, TELNET, LDAP, FILE)

Answer 9

[curl]

Question 10

The access control policy is determined by the owner

Answer 10

Discretionary Access Control (DAC)
1. Every object in a system must have an owner
2. Each owner determines access rights and permissions for each
object

Question 11

Malware is placed on a website that you know your potential victims will access

Answer 11

Watering Holes

Question 12

A senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity and availability of the information asset

Answer 12

Data Owner - The data owner is responsible for labeling the asset and ensuring that it is protected with appropriate controls

Question 13

Cloud Threats - Insecure Application Programming Interface (API)

Answer 13

An API must only be used over an encrypted channel (HTTPS). Data received by an API must pass service-side validation routines. Implement throttling/rate-limiting mechanisms to protect from a DoS

Question 14

Occurs when an attacker is able to execute or run commands
on a remote computer

Answer 14

Remote Code Execution (RCE)

Question 15

A communications network designed to implement an industrial control system rather than data networking

Answer 15

Operational Technology (OT)

Question 16

A security component in Windows that keeps every user in standard user mode instead of acting like an administrative user

Answer 16

User Account Control (UAC)
1. Eliminates unnecessary admin-level requests for Windows resources
2. Reduces risk of malware using admin-level privileges to cause system
issues

Question 17

Provides redundancy by striping data and parity data across the disk drives

Answer 17

RAID 5

Question 18

Storage device that performs whole disk encryption by using embedded hardware

Answer 18

Self-Encrypting Drive (SED)

Question 19

Program in Linux that is used to change the permissions or rights of a file or folder using a shorthand number system

Answer 19

chmod
R (Read) = 4
W (Write) = 2
X (Execute) = 1
# chmod 760 filename
7 = Owner can RWX
6 = Group can RW
0 = All Users (no access)

Question 20

Contents of a virtual machine that exist as deleted files on a cloud-based server after deprovisioning of a virtual machine

Answer 20

Data Remnants

Question 21

Resources and costs are shared among several different organizations who have common service needs

Answer 21

Community Cloud

Question 22

Encryption algorithm where different keys are used to encrypt and decrypt the data

Answer 22

Asymmetric Encryption (Public Key) - Diffie-Hellman, RSA, and ECC

Question 23

A solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications

Answer 23

Security Information and Event Management (SIEM)

Question 24

A technique that is used to mitigate a weaker key by increasing the time needed to crack it

Answer 24

Key Stretching - WPA, WPA2, PGP, bcrypt, and other algorithms utilize key stretching

Question 25

Enterprise management software designed to mediate access to cloud services by users across all types of devices

Answer 25

Cloud Access Security Broker (CASB)

Question 26

An appliance positioned at the cloud network edge and
directs traffic to cloud services if the contents of that
traffic comply with policy

Answer 26

Reverse Proxy

Question 27

Insecure Components, Insufficient Logging and Monitoring, Weak or Default Configurations

Answer 27

Design Vulnerabilities - Utilize scripted installations and baseline configuration templates to secure applications during installation

Question 28

Cloud Threats - Unprotected Storage

Answer 28

Access control to storage is administered through container
policies, IAM authorizations, and object ACLs. Incorrect permissions may occur due to default read/write permissions
leftover from creation. Incorrect origin settings may occur when using content delivery networks.

Question 29

A digital serial data communications network used within vehicles

Answer 29

Controller Area Network (CAN) - The primary external interface is the Onboard Diagnostics (OBD-II) module

Question 30

A checklist of actions to perform to detect and respond to a specific type of incident

Answer 30

Playbook

Question 31

A refinement of machine learning that enables a machine to develop strategies for solving a task given a labeled dataset and without further explicit instructions

Answer 31

Deep Learning

Question 32

Collection of free and open-source SIEM tools that provides storage, search, and analysis functions

Answer 32

ELK/Elastic Stack

Question 33

A computer security tool that offers information about software vulnerabilities, IDS signature development, and improves penetration testing

Answer 33

Metasploit (MSF) - Exploitation

Question 34

Complete platform designed to replace an entire physical computer and includes a full desktop/server operating system

Answer 34

System Virtual Machine

Question 35

Cross-platform version of the Remote Desktop Protocol for remote user GUI access

Answer 35

Virtual Network Computing (VNC)- VNC requires a client, server, and protocol be configured

Question 36

Utility for viewing and modifying the local Address Resolution Protocol (ARP) cache on a given host or server

Answer 36

arp - Networking Security Tools

Question 37

A restricted version of the BER that only allows the use of only one encoding type

Answer 37

Canonical Encoding Rules (CER)

Question 38

Safeguards and countermeasures used to avoid, detect,
counteract, or minimize security risks to our systems and
information

Answer 38

Technical Controls

Question 39

Symmetric stream cipher using a variable key size from 40-bits to 2048-bits that is used in SSL and WEP

Answer 39

Rivest Cipher (RC4)

Question 40

Process to check the user’s or system’s attributed or characteristics prior to allowing it to connect

Answer 40

Context-aware Authentication - Restrict authentication based on the time of day or location

Question 41

Encryption algorithm in which both the sender and the receiver must know the same secret using a privately-held key

Answer 41

Symmetric Algorithm (Private Key) - Confidentiality can be assured with symmetric encryption, but key distribution can be challenging. Symmetric is 100-1000x faster than asymmetric.

DES, 3DES, IDEA, AES, Blowfish, Twofish, RC4, RC5, RC6

Question 42

A TCP/IP protocol that aids in monitoring network-attached devices and computers

Answer 42

Simple Network Management Protocol (SNMP) - SNMP is incorporated into a network management and monitoring
system

Question 43

A technique used to gain information about servers and inventory the systems or services

Answer 43

Banner Grabbing

Question 44

A library of programming utilities used to enable software developers to access functions of another application

Answer 44

Application Programming Interface (API) - APIs allow for the automated administration, management, and monitoring of a cloud service

Question 45

A database used to centralize information about clients and objects on the network

Answer 45

Lightweight Directory Access Protocol (LDAP) - Active Directory is Microsoft’s version

Question 46

A single identity is created for a user and shared with all of the organizations in a federation

Answer 46

Federated Identity Management (FIdM)

Question 47

A password is computed from a shared secret and is synchronized between the client and the server

Answer 47

HMAC-based One Time Password (HOTP)

Question 48

Provides data striping across multiple disks to increase performance

Answer 48

RAID 0

Question 49

Software that is loaded on a managed device to redirect information to the network management system

Answer 49

Agents

Question 50

The process of ensuring that hardware is procured tamper-free from trustworthy suppliers

Answer 50

Hardware Source Authenticity

Question 51

Focused on providing controlled access to publicly available servers that are hosted within your organizational network

Answer 51

De-Militarized Zone (DMZ)

Question 52

Input and output controls on a PLC to allow a user to configure and monitor the system

Answer 52

Human-Machine Interface (HMI)

Question 53

A software vulnerability that occurs when the code attempts to remove the relationship between a pointer and the thing it points to

Answer 53

Dereferencing

Question 54

Class K Fire Suppresion

Answer 54

Black K Hexagon - fire in cooking appliances including vegetable and animal fat

Question 55

A specialized network scan that sets the FIN, PSH, and URG flags set and can cause a device to crash or reboot

Answer 55

XMAS Attack

Question 56

A microprocessor manufacturing utility that is part of a validated supply chain (one where hardware and software does not deviate from its documented function).

Answer 56

Trusted Foundry - Trusted Foundry Program is operated by the Department of Defense (DoD)

Question 57

A class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment

Answer 57

Security Orchestration, Automation, and Response (SOAR)

Question 58

An attack that embeds a request for a local resource

Answer 58

XML External Entity (XXE) - To prevent XML vulnerabilities from being exploited, use proper input validation

Question 59

Expected cost of a realized threat over a given year

Answer 59

Annualized Loss Expectancy (ALE)

Question 60

Only conducts a backup of the contents of a drive that has changed since the last full backup

Answer 60

Differential Backup - Differential backups take more time to create but less time to restore

Question 61

An access model that is controlled by the system (like MAC) but
utilizes a set of permissions instead of a single data label to define the permission level

Answer 61

Role-Based Access Control (RBAC) - Power Users is a role-based permission

Question 62

Adding random data into a one-way cryptographic hash to help protect against password cracking techniques

Answer 62

Salting - A “nonce” is used to prevent password reuse

Question 63

An attack that sends an oversized and malformed packet to another computer or server

Answer 63

Ping of Death

Question 64

Software running on one or more servers to control the monitoring of network-attached devices and computers

Answer 64

Network Management System (NMS) - Management should be conducted on an out-of-band network to increase
security

Question 65

A Linux command line utility used for querying and displaying logs from journald, the systemd logging service on Linux

Answer 65

journalctl

Question 66

A computer system that is designed to perform a specific, dedicated function

Answer 66

Embedded Systems - Embedded systems are considered static environments where frequent changes are not made or allowed. Embedded systems have very little support for identifying and correcting security issues

Question 67

Utility that displays all the network configurations of the currently
connected network devices and can modify the DHCP and DNS settings

Answer 67

ipconfig/ifconfig - Networking Security Tools

Question 68

Automated encryption setup for wireless networks at a push of a button, but is severely flawed and vulnerable

Answer 68

WiFi Protected Setup (WPS) - Always disable WPS

Question 69

An open source password security auditing and password recovery tool available for many operating systems

Answer 69

Jack the Ripper - Exploitation

Question 70

Each tape is used once per day for two weeks and then the entire set is reused

Answer 70

10 Tape Rotation

Question 71

Ensure the scene is safe, secure the scene to prevent evidence
contamination, and identify the scope of evidence to be collected

Answer 71

Identification - Forensic Procedures

Question 72

Specialized type of DMZ that is created for your partner organizations to access over a wide area network

Answer 72

Extranet

Question 73

Protects against the loss of the array’s data if a single disk fails (RAID 1 or RAID 5)

Answer 73

Fault-resistant RAID

Question 74

Secured system of cable management to ensure that the wired network remains free from eavesdropping, tapping, data emanations, and other threats

Answer 74

Protected Distribution System (PDS)

Question 75

Signal that are sent between two parties or two device that are sent via a path or method different from that of the primary communication between the two parties or devices

Answer 75

Out-of-band communication

Question 76

Digital serial data communications used in operational technology networks to link PLCs

Answer 76

Fieldbus

Question 77

Router keeps track of requests from internal hosts by assigning them random high number ports for each request

Answer 77

Port Address Translation (PAT)

Question 78

Original 802.11 wireless security standard that claims to be as secure as a wired network

Answer 78

Wired Equivalent Privacy - WEP’s weakness is its 24-bit IV (Initialization Vector)

Question 79

Network-based attack where a valid data transmission is fraudulently or malicious rebroadcast, repeated, or delayed

Answer 79

Replay Attack - Multi-factor authentication can help prevent successful replay attacks

Question 80

A proprietary vulnerability scanner that can remotely scan a computer or network for vulnerabilities

Answer 80

Nessus - Networking Security Tools

Question 81

Occurs when permissions are passed to a subfolder from the parent through inheritance

Answer 81

Propagation - Use Groups for roles and do not assign users directly to a folder’s permissions

If you copy a folder, then permissions are inherited from the parent folder it is
copied into

If you move a folder, then permissions are retained from its
original permissions

Question 82

A knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and common knowledge or procedures (attack.mitre.org)

Answer 82

MITRE ATT&CK Framework

Question 83

Provides flexible authentication via secure tunneling (FAST) by using a protected access credential instead of a certificate for mutual authentication

Answer 83

EAP-FAST

Question 84

Software development is performed in time-boxed or small increments to allow more adaptivity to change

Answer 84

Agile Software Development

Question 85

Attempt to overwhelm the limited switch memory set aside to store the MAC addresses for each port

Answer 85

MAC Flooding - Switches can fail-open when flooded and begin to act like a hub

Question 86

A universal standard of export for Internet Protocol flow information from routers, probes and other devices that are used by mediation systems, accounting/billing systems and network management systems to facilitate services such as measurement, accounting and billing by defining how IP flow information is to be formatted and transferred from an exporter to a collector

Answer 86

Internet Protocol Flow Information Export (IPfix)

Question 87

A communications protocol used in operational technology networks

Answer 87

Modbus - Modbus gives control servers and SCADA hosts the ability to query and
change the configuration of each PLC

Question 88

Class A Fire Suppresion

Answer 88

Green A Triangle - ordinary combustibles: wood, paper, rubber, fabrics

Question 89

A feature of key agreement protocols (like SAE) that provides assurance that session keys will not be compromised even if long-term secrets used in the session key exchange are compromised

Answer 89

Perfect Forward Secrecy or Forward Secrecy
- The AP and the client use a public key system to generate a pair of
long-term keys
- The AP and the client exchange a one-time use session key using a
secure algorithm like Diffie-Hellman
- The AP sends the client messages and encrypts them using the
session key created in Step 2
- Client decrypts the messages received using the same one-time
use session key

Question 90

A component of AI that enables a machine to develop strategies for solving a task given a labeled dataset where features have been manually identified but without further explicit instructions

Answer 90

Machine Learning (ML) - Machine learning is only as good as the datasets used to train it

Question 91

Virus that is able to rewrite itself entirely before it attempts to infect a file (advanced version of polymorphic virus)

Answer 91

Metamorphic

Question 92

The process of identifying the person responsible for the confidentiality, integrity availability and privacy of information assets

Answer 92

Data Ownership

Question 93

Allows the certificate holder to get the OCSP record from the server at regular intervals and include it as part of the SSL or TLS handshake

Answer 93

OCSP Stapling

Question 94

Symmetric key encryption that supports 128-bit and 256-bit keys

Answer 94

Advanced Encryption Standard (AES)

Question 95

Provides control over what the application should do when faced with a runtime or syntax error

Answer 95

Structured Exception Handling (SEH)

Question 96

A software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats

Answer 96

Endpoint Detection and Response (EDR)

Question 97

Utilizes complex mathematics to create sets of objects and subjects to define how they interact

Answer 97

Lattice-based Access Control - Only in high security systems due to its complex configuration

Question 98

XML encodes entities that expand to exponential sizes, consuming memory on the host and potentially crashing it

Answer 98

XML Bomb (Billion Laughs Attack) - To prevent XML vulnerabilities from being exploited, use proper
input validation

Question 99

The length of time in addition to the RTO of individual systems to perform reintegration and testing of a restored or upgraded system following an event

Answer 99

Work Recovery Time (WRT)

Question 100

A connection between two or more computers or device that are not on the same private network

Answer 100

Layer 2 Tunneling Protocol (L2TP) - L2TP is usually paired with IPSec to provide security

Question 101

A suite of reports produced during an audit which is used by service organizations to issue validated reports of internal controls over those information systems to the users of those services

Answer 101

System and Organization Controls (SOC)

Question 102

An international standard that provides best practice recommendations on information security controls for use by those responsible for initiating, implementing, or maintaining information security management systems (ISMS)

Answer 102

ISO 27002

Question 103

An open-source network scanner that is used to discover hosts and services on a computer network by sending packets and analyzing their responses

Answer 103

nmap - Networking Security Tools

Question 104

A type of IDS or IPS that monitors a computer system for unexpected behavior or drastic changes to the system’s state on an endpoint

Answer 104

Host-based IDS/IPS (HIDS/HIPS)

Question 105

Software or hardware-based solution that is installed on the perimeter of the network to detect data in transit

Answer 105

Network DLP System

Question 106

Organizations are able to place their trust in a single third-party
(also called the bridge model)

Answer 106

Trusted Third-Party - Trusted third-party model is more efficient than a cross
certification or web of trust model

Question 107

A password is computed from a shared secret and current time

Answer 107

Time-based One Time Password (TOTP)

Question 108

An open standard and decentralized protocol that is used to
authenticate users in a federated identity management system

Answer 108

OpenID - User logs into an Identity Provider (IP) and uses their account at
Relying Parties (RP).

Question 109

Components and protocols that facilitate the centralized configuration and monitoring of security mechanisms within offices and data centers

Answer 109

Physical Access Control System (PACS) - PACS can either be implemented as part of a building automation system or a separate system.

Question 110

Virus that combines boot and program viruses to first attach itself to the boot sector and system files before attacking other files on the computer

Answer 110

Multipartite

Question 111

Logs the events for the operating system and third-party applications

Answer 111

Application Logs

Question 112

Standard used PKI for digital certificates and contains the owner/user’s information and the certificate authority’s information

Answer 112

X.509

Question 113

A test that uses active tools and security utilities to evaluate security by simulating an attack on a system to verify that a threat exists, actively test it, bypass security controls, and then finally exploit vulnerabilities on a given system

Answer 113

Penetration Test

Question 114

The attacker couples payload code that will enable access with exploit code that will use a vulnerability to execute on the target system

Answer 114

Weaponization

Question 115

List of precomputed valued used to more quickly break a password since values don’t have to be calculated for each password being guessed

Answer 115

Rainbow Table

Question 116

A stream cipher that encrypts plaintext information with a secret random key that is the same length as the plaintext input

Answer 116

One-Time Pad - not commonly used

Question 117

Measures the average time between failures of a device

Answer 117

Mean Time Between Failures (MTBF)

Question 118

Data is encrypted by an application prior to being placed on the data bus

Answer 118

Bus Encryption - Ensures that the device at the end of the bus is trusted to decrypt the data

Question 119

Attempts to have a non-persistent effect activated by a victim clicking a link on the site

Answer 119

Reflected XSS

Question 120

Method used by an attacker to gain access to a victim’s machine in order to infect it with malware

Answer 120

Attack Vector

Question 121

A specification for hardware-based storage of digital certificates, keys, hashed passwords, and other user and platform identification information

Answer 121

Trusted Platform Module (TPM) - A TPM can be managed in Windows via the tpm.msc console or through group policy

Question 122

Short for “sampled flow”, it provides a means for exporting truncated packets, together with interface counters for the purpose of network monitoring

Answer 122

sflow

Question 123

Attempt to exploit the victim’s web browser

Answer 123

DOM-based XSS

Question 124

A processor that integrates the platform functionality of multiple logical controllers onto a single chip

Answer 124

System-on-Chip (SoC) - System-on-Chip are power efficient and used with embedded systems

Question 125

Activity is evaluated based on the previous behavior of applications, executables, and the operating system in comparison to the current activity of the system

Answer 125

Behavior-based Monitoring

Question 126

Translates the information into a format that the sender and receiver both understand

Answer 126

Presentation Layer - Layer 6

Question 127

A network protocol system created by Cisco that collects active IP network traffic as it flows in or out of an interface, including its point of origin, destination, volume and paths on the network

Answer 127

netflow

Question 128

Four key controls for mitigating vulnerabilities in Operational Technology/Industrial Control Systems

Answer 128

1. Establish administrative control over Operational technology networks by recruiting staff with relevant expertise
2. Implement the minimum network links by disabling unnecessary links, services
3. Develop and test a patch management program for Operational
   Technology Network
4. Perform regular audits of logical and physical access to systems to detect possible vulnerabilities and intrusion

Question 129

Act of configuring an operating system securely by updating it, creating rules and policies to govern it, and removing unnecessary applications and services

Answer 129

Hardening

Question 130

Insertion of additional information or code through data input from a client to an application

Answer 130

Injection Attack

Question 131

A remote worker’s machine diverts internal traffic over the VPN but external traffic over their own internet connection

Answer 131

Split Tunneling

Question 132

Number of times per year that a threat is realized

Answer 132

Annualized Rate of Occurrence (ARO)

Question 133

Deidentification method where generic or placeholder labels are
substituted for real data while preserving the structure or format of the original data

Answer 133

Data Masking

Question 134

Replacement for WEP which uses TKIP, Message Integrity Check (MIC), and RC4 encryption

Answer 134

WiFi Protected Access (WPA) - WPA was flawed, so it was replaced by WPA2

Question 135

A suite of free open source utilities for editing and replaying previously captured network traffic

Answer 135

tcpreplay - Packet Capture

Question 136

A deidentification method where a unique token is substituted for real data

Answer 136

Tokenization

Question 137

Attack that creates a large number of processes to use up the available processing power of a computer

Answer 137

Fork Bomb

Question 138

Occurs when a computer is placed between the sender and receiver and is able to capture or modify the traffic between them

Answer 138

Active Interception

Question 139

Only conducts a backup of the contents of a drive that have changed since the last full or incremental backup

Answer 139

Incremental Backup

Question 140

A system that can provide automated identification of suspicious activity by user accounts and computer hosts

Answer 140

User and Entity Behavior Analytics (UEBA). UEBA solutions are heavily dependent on advanced computing techniques like artificial intelligence (AI) and machine learning

Question 141

Ensure authorization to collect evidence is obtained, and then document and prove the integrity of evidence as it is collected

Answer 141

Collection - Forensic Procedures

Question 142

Symmetric block cipher that uses 128-bit, 192-bit, or 256-bit blocks and a matching encryption key size to encrypt plaintext into ciphertext

Answer 142

Advanced Encryption Standard (AES)

Question 143

Represents the actual network cables and radio waves used to carry data over a network

Answer 143

Physical Layer - Layer 1 - Bits

Question 144

Security technique in which devices are scanned to determine its current state prior to being allowed access onto a given network

Answer 144

Network Access Control (NAC) - If a device fails the inspection, it is placed into digital quarantine. IEEE 802.1x standard is used in port-based NAC

Question 145

Technique used by an attacker to find two different messages that have the same identical hash digest

Answer 145

Birthday Attack

Question 146

Designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider

Answer 146

Cloud Security Alliance’s Cloud Control Matrix

Question 147

An ordered set of rules that a router uses to decide whether to permit or deny traffic based upon given characteristics

Answer 147

Access Control List

Question 148

Utility that is used to create an exploitation website that can perform Open port scans in a more stealth-like manner

Answer 148

scanless - Networking Security Tools

Question 149

Attacker adds an additional VLAN tag to create an outer and inner tag

Answer 149

Double Tagging - Prevent double tagging by moving all ports out of the default VLAN group

Question 150

Creates network segment for each client when it connects to prevent them from communicating with other clients on the network

Answer 150

AP Isolation

Question 151

A security framework that divides IT into four domains: Plan and
Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate

Answer 151

Control Objectives for Information and Related Technology (COBIT)

Question 152

A task automation and configuration management framework from Microsoft, consisting of a command-line shell and the associated scripting language

Answer 152

PowerShell - Shell and Scripts

Question 153

An open-source SIEM with an enterprise version focused on compliance and supporting IT operations and DevOps

Answer 153

Graylog

Question 154

Process of configuring workstation or server to only provide essential applications and services

Answer 154

Least Functionality

Question 155

A type of OS that prioritizes deterministic execution of operations to ensure consistent response for time-critical tasks

Answer 155

Real-Time Operating System (RTOS) - Embedded systems typically cannot tolerate reboots or crashes and must have response times that are predictable to within microsecond
tolerances

Question 156

Provides your organization with the hardware and software needed for a specific service to operate

Answer 156

Platform as a Service (PaaS)

Question 157

A tool that can hook one or more browsers and can use them as a beachhead of launching various direct commands and further attacks against the system from within the browser context

Answer 157

Browser Exploitation Framework (BeEF) - Exploitation

Question 158

Variant on a Denial of Service (DOS) attack where attacker initiates multiple TCP sessions but never completes the 3-way handshake

Answer 158

SYN Flood - Flood guards, time outs, and an IPS can prevent SYN Floods

Question 159

Removal of data with a certain amount of assurance that it cannot be reconstructed

Answer 159

Clearing

Question 160

An attack that relies on compromising the kernel-mode device drivers that operate at a privileged or system level. A shim is placed between two components to intercept calls and redirect
them

Answer 160

Driver Manipulation

Question 161

Utility that is used to view and manipulate the IP routing table on a host or server

Answer 161

route - Networking Security Tools

Question 162

A password recovery tool that can be used through sniffing the network, cracking encrypted passwords using dictionary, brute-force, and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, and analyzing routing protocols

Answer 162

Cain and Abel - Exploitation

Question 163

Provides two independent zones with full access to the data (RAID 10)

Answer 163

Disaster-tolerant RAID

Question 164

Occurs when an attacker masks their own MAC address to pretend they have the MAC address of another device

Answer 164

MAC Spoofing - MAC Spoofing is often combined with an ARP spoofing attack. Limit static MAC addresses accepted. Limit duration of time for ARP entry on hosts.

Question 165

Securing the BIOS

Answer 165

1. Flash the BIOS
2. Use a BIOS password
3. Configure the BIOS boot order
4. Disable the external ports and devices
5. Enable the secure boot option

Question 166

Used during the event to find out whether something bad might be happening

Answer 166

Detective Controls

Question 167

Provides redundancy by mirroring the data identically on two hard disks

Answer 167

RAID 1

Question 168

A specific string of bytes triggers an alert

Answer 168

Signature-based Detection (IDS)

Question 169

A command line utility used to dump system memory to the standard output stream by skipping over holes in memory maps

Answer 169

Memdump - Forensics

Question 170

Setting when the network adapter is able to capture all of the packets on the network, regardless of the destination MAC address of the frames carrying them

Answer 170

Promiscuous Mode - Protocol Analyzers

Question 171

A piece of software that is installed on the device requesting access to the network

Answer 171

Persistent Agents

Question 172

For data collection procedures, analysts should always follow the order of volatility

Answer 172

• CPU registers and cache memory
• Contents of system memory (RAM), routing tables,
  ARP cache, process table, temporary swap files
• Data on persistent mass storage
  (HDD/SDD/flash drive)
• Remote logging and monitoring data
• Physical configuration and network topology
• Archival media

Question 173

A digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools

Answer 173

Autopsy - Forensics

Question 174

Attacker configures their device to pretend it is a switch and uses it to negotiate a trunk link to break out of a VLAN

Answer 174

Switch Spoofing

Question 175

Ports 1024 to 49,151 are considered registered and are usually assigned to proprietary protocols

Answer 175

Registered Ports

Question 176

Built to address a specific security issue, such as email privacy, employee termination procedures, or other specific issues

Answer 176

Issue-Specific Policies

Question 177

The science of creating machines with the ability to develop problem solving and analysis strategies without significant human direction or intervention

Answer 177

Artificial Intelligence (AI)

Question 178

Technology like a DVD-R that allows data to be written only once but read unlimited times

Answer 178

Write Once Read Many (WORM)

Question 179

A standardized format used for computer message logging that allows for the separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them

Answer 179

SYSLOG - Used to consolidate all the logs into a single repository. Syslog can refer to the protocol, the server, or the log entries themselves. Newer implementations can use MD-5 or SHA-1 for authentication and integrity

Question 180

Software that isn’t benign nor malicious and tends to behave improperly without serious consequences

Answer 180

Grayware

Question 181

Describes how a connection is established, maintained, and transferred over the physical layer and uses physical addressing (MAC addresses)

Answer 181

Data Link Layer - Layer 2 - Frames

Question 182

Security controls that are installed before an event happens and
are designed to prevent something from occurring

Answer 182

Preventative Controls

Question 183

Provides centralized administration of dial-up, VPN, and wireless authentication services for 802.1x and the Extensible Authentication Protocol (EAP)

Answer 183

Remote Authentication Dial-In User Service (RADIUS) - operates at the application layer

Question 184

A model developed by Lockheed Martin that describes the stages by which a threat actor progresses a network intrusion

Answer 184

Kill Chain

Question 185

An encryption program used for signing, encrypting, and decrypting emails

Answer 185

Pretty Good Privacy (PGP) - The IDEA algorithm is used by PGP. Symmetric functions use 128-bit or higher keys and the asymmetric functions use 512-bit to 2048-bit key sizes

Question 186

An estimation of the amount of damage that a negative risk might achieve

Answer 186

Magnitude of Impact

Question 187

A hardened server that provides access to other hosts within the DMZ

Answer 187

Jumpbox - An administrator connects to the jumpbox and the jumpbox connects to hosts in the DMZ. The jumpbox and management workstation should only have the minimum required software to perform their job and be well hardened

Question 188

Occurs when you are able to exploit a design flaw or bug in a system to gain access to resources that a normal user isn’t able to access

Answer 188

Privilege Escalation

Question 189

An access model that is dynamic and context-aware using IF-THEN statements

Answer 189

Attribute-Based Access Control (ABAC)

Question 190

A cryptographic module embedded within a computer system that can endorse trusted execution and attest to boot settings and metrics

Answer 190

Hardware Root of Trust (ROT) - A hardware root of trust is used to scan the boot metrics and OS files to verify their signatures, which we can then use to sign a digital report

Question 191

Restricted version of the BER which allows one encoding type and has more restrictive rules for length, character strings, and how elements of a digital certificate are stored in X.509

Answer 191

Distinguished Encoding Rules (DER)

Question 192

Allow all of the subdomains to use the same public key certificate and have it displayed as valid

Answer 192

Wildcard Certificates

Question 193

Virus embedded into a document and is executed when
the document is opened by the user

Answer 193

Macro Virus

Question 194

Security controls that are focused on decision-making and the
management of risk

Answer 194

NIST - Management Controls

Question 195

The attacker typically uses the access he has achieved to covertly collect information from target systems and transfer it to a remote system (data exfiltration) or achieve other goals and
motives

Answer 195

Actions on Objectives

Question 196

Symmetric block cipher which uses 64-bit blocks to encrypt plaintext into ciphertext

Answer 196

International Data Encryption Algorithm (IDEA)

Question 197

Allows a certificate owner to specify additional domains and IP addresses to be supported

Answer 197

Subject Alternative Name (SAN)

Question 198

Used to provide authentication but is not considered secure since it transmits the login credentials unencrypted (in the clear)

Answer 198

Password Authentication Protocol (PAP)

Question 199

Provides redundancy by striping and double parity data across the disk drives

Answer 199

RAID 6

Question 200

Used to provide authentication by using the user’s password to encrypt a challenge string of random numbers

Answer 200

Challenge Handshake Authentication Protocol (CHAP)

Question 201

Ports 49,152 to 65,535 can be used by any application without being registered with IANA

Answer 201

Dynamic or Private Ports

Question 202

Attacker sends a ping to subnet broadcast address and devices reply to spoofed IP (victim server), using up bandwidth and processing

Answer 202

Smurf Attack

Question 203

The CPU’s security extensions invoke a TPM and secure boot attestation to ensure that a trusted operating system is running

Answer 203

Trusted Execution

Question 204

An automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities across a network

Answer 204

sn1per - Networking Security Tools

Question 205

Process of changing an IP address while it transits across a router

Answer 205

Network Address Translation (NAT) - Using NAT can help us hide our network IPs

Question 206

Act of creating subnetworks logically through the manipulation of IP addresses

Answer 206

Subnetting

Question 207

Allows the combination of multiple physical hard disks into a single logical hard disk drive that is recognized by the operating system

Answer 207

Redundant Array of Independent Disks (RAID)

Question 208

Supports mutual authentication by using server certificates and Microsoft’s Active Directory to authenticate a client’s password

Answer 208

Protected EAP (PEAP) - LEAP is proprietary to Cisco-based networks

Question 209

Attack which exploits a security flaw to permanently break a networking device by reflashing its firmware

Answer 209

Permanent Denial of Service

Question 210

Create a copy of evidence for analysis and use repeatable methods and tools during analysis

Answer 210

Analysis - Forensic Procedures

Question 211

Attack that breaks apart packets into IP fragments, modifies them with overlapping and oversized payloads, and sends them to a victim machine

Answer 211

Teardrop Attack

Question 212

A software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end

Answer 212

OpenSSL - Shell and Scripts

Question 213

A set of industry standards and best practices created by NIST to help organizations manage cybersecurity risks

Answer 213

Cybersecurity Framework (CSF)

Question 214

Phishing attempt to trick a user to access a different or fake website (usually by modifying hosts file)

Answer 214

Pharming

Question 215

Requires each agency to develop, document, and implement an agencywide information systems security program to protect their data

Answer 215

Federal Information Security Management (FISMA) Act of 2002

Question 216

An attacker attempts to flood the server by sending too many ICMP echo request packets (which are known as pings)

Answer 216

Ping Flood

Question 217

An architecture of input, hidden, and output layers that can perform algorithmic analysis of a dataset to achieve outcome objectives

Answer 217

Artificial Neural Network (ANN) - A machine learning system adjusts its neural network to reduce errors and optimize objectives

Question 218

An attack that combines a deidentification dataset with other data source to discover how secure the deidentification method used is

Answer 218

Reidentification

Question 219

Provides regulations that govern the security, confidentiality, and
integrity of the personal information collected, stored, or processed during the election and voting process

Answer 219

Help America Vote Act (HAVA) of 2002

Question 220

A baseline is established and any network traffic that is outside of the baseline is evaluated

Answer 220

Anomaly-based Monitoring

Question 221

Create a report of the methods and tools used in the investigation and present detailed findings and conclusions based on the analysis

Answer 221

Reporting - Forensic Procedures

Question 222

Occurs when an attacker takes over a TCP session between two computers without the need of a cookie or other host access

Answer 222

TCP/IP Hijacking

Question 223

A default user profile for each user is created and linked with all of the resources needed

Answer 223

Single Sign-On (SSO)

Question 224

Attack consisting of the insertion or injection of an SQL query via input data from the client to a web application

Answer 224

SQL Injection - If you see ` OR 1=1; on the exam, it’s an SQL injection

Question 225

The hostile or attacking team in a penetration test or incident response exercise

Answer 225

Red Team

Question 226

The automation of multiple steps in a deployment process

Answer 226

Orchestration

Question 227

The attacker determines what methods to use to complete the phases of the attack

Answer 227

Reconnaissance

Question 228

Three sets of backup tapes (like the grandfather-father-son) that are rotated in a more complex system

Answer 228

Towers of Hanoi

Question 229

An open source software for automating analysis of suspicious files

Answer 229

Cuckoo - File Manipulation

Question 230

Occurs when a secure copy of a user’s private key is held in case
the user accidently loses their key

Answer 230

Key Escrow

Question 231

Allows two phones to utilize the same service and allows an attacker to gain access to the phone’s data

Answer 231

SIM Cloning

Question 232

The extensions allow a trusted process to create an encrypted container for sensitive data

Answer 232

Secure Enclave

Question 233

Also known as Flash cookies, they are stored in your Windows user profile under the Flash folder inside of your AppData folder

Answer 233

Locally Shared Object (LSO)

Question 234

Address the security needs of a specific technology, application, network, or computer system

Answer 234

System-Specific Policies

Question 235

A piece of code that connects to the Internet to retrieve additional tools after the initial infection by a dropper

Answer 235

Downloader

Question 236

A mechanism for ensuring the confidentiality, integrity, and availability of software code and data as it is executed in volatile memory

Answer 236

Secure Processing

Question 237

Encryption algorithm which breaks the input into 64-bit blocks and uses transposition and substitution to create ciphertext using an effective key strength of only 56-bits

Answer 237

Data Encryption Standard (DES) - DES used to be the standard for encryption

Question 238

Staff administering, evaluating, and supervising a penetration test
or incident response exercise

Answer 238

White Team

Question 239

Breaks the input into fixed-length blocks of data and performs the encryption on each block

Answer 239

Block Cipher

Question 240

Ports 0 to 1023 are considered well-known and are assigned by the Internet Assigned Numbers Authority (IANA)

Answer 240

Well-Known Ports

Question 241

A hash digest of a message encrypted with the sender’s private key to let the recipient know the document was created and sent by the person claiming to have sent it

Answer 241

Digital Signature

Question 242

Attacker sends a UDP echo packet to port 7 (ECHO) and port 19 (CHARGEN) to flood a server with UDP packets

Answer 242

Fraggle Attack

Question 243

Advanced version of an encrypted virus that changes itself
every time it is executed by altering the decryption
module to avoid detection

Answer 243

Polymorphic

Question 244

The process of finding and investigating other computers on the
network by analyzing the network traffic or capturing the packets
being sent

Answer 244

Network Sniffing

Question 245

An encryption method that allows calculations to be performed on data without decrypting it first

Answer 245

Homomorphic Encryption - Homomorphic encryption can be used for privacy-preserving outsourced storage and computation

Question 246

A command line utility that allows you to capture and analyze network traffic going through your system

Answer 246

tcpdump - Packet Capture

Question 247

An international standard that details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS)

Answer 247

ISO 27001

Question 248

A command line tool to transfer data to or from a server, using any of the supported protocols (HTTP, FTP, IMAP, POP3, SCP, SFTP, SMTP, TFTP, TELNET, LDAP or FILE)

Answer 248

curl - Networking Security Tools

Question 249

Occurs when an attacker embeds malicious scripting commands on a trusted website

Answer 249

Cross-Site Scripting (XSS) - Prevent XSS with output encoding and proper input validation

Question 250

Label-based access control that defines whether access should be granted or denied to objects by comparing the object label and the subject label

Answer 250

Rule-based Access Control

Question 251

A process that integrates security and risk management activities into the system development life cycle through an approach to security control selection and specification that considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations

Answer 251

Risk Management Framework (RMF)

Question 252

Software that aggregates and catalogs data from multiple sources within an industrial control system

Answer 252

Data Historian

Question 253

Was introduced in 2018 to strengthen WPA2. Has an equivalent cryptographic strength of 192-bits.

Answer 253

WPA3 - Largest improvement in WPA3 is the removal of the Pre-Shared Key (PSK) exchange

Question 254

A specialized type of file server that is used to host files for distribution across the web

Answer 254

FTP Server - FTP servers should be configured to require TLS connections

Question 255

A command line utility used to copy disk images using a bit by bit copying process

Answer 255

dd - Forensics

Question 256

Occurs when the name resolution information is modified in the DNS server’s cache

Answer 256

DNS Poisoning

Question 257

Methods and technologies that remove identifying information from data before it is distributed

Answer 257

Deidentification

Question 258

Utility that is used for DNS enumeration to locate all DNS servers and DNS entries for a given organization

Answer 258

dnsenum - Networking Security Tools

Question 259

Penetration Testing Process

Answer 259

o Get permission and document info
o Conduct reconnaissance
o Enumerate the targets
o Exploit the targets
o Document the results

Question 260

A cryptographic key that is generated for each execution of a key
establishment process

Answer 260

Ephemeral - Ephemeral keys are short-lived and used in the key exchange for WPA3 to create perfect forward secrecy

Question 261

A technical method used in social engineering to trick users into entering their username and passwords by adding an invisible string before the weblink they click

Answer 261

Prepending

Question 262

A network diagnostic command for displaying possible routes and measuring transit delays of packets across an Internet Protocol network

Answer 262

tracert/traceroute - Networking Security Tools

Question 263

The weaponized code establishes an outbound channel to a remote server that can then be used to control the remote access tool and possibly download additional tools to progress the attack

Answer 263

Command & Control (C2)

Question 264

Designed to only run a single process or application like a
virtualized web browser or a simple web server

Answer 264

Processor Virtual Machine

Question 265

Provides all the hardware, operating system, and backend software needed in order to develop your own software or service

Answer 265

Infrastructure as a Service (IaaS)

Question 266

Exploit techniques that use standard system tools and packages to perform intrusions. Detection of an adversary is more difficult when they are executing malware code within standard tools and processes

Answer 266

Living Off the Land

Question 267

A software development method where application and platform
updates are committed to production rapidly.

Answer 267

Continuous Deployment - Continuous deployment focuses on automated testing and release of code in order to get it into the production environment more quickly

Question 268

Occurs when an attacker redirects one website’s traffic to another website that is bogus or malicious

Answer 268

Pharming

Question 269

Malicious code is inserted into a running process on a Windows machine by taking advantage of Dynamic Link Libraries that are loaded at runtime

Answer 269

DLL Injection

Question 270

A standard designed to regulate the transfer of secure public information across networks and the Internet utilizing any security tools and services available

Answer 270

Open Vulnerability and Assessment Language (OVAL)

Question 271

Digitally-signed electronic documents that bind a public key with a user’s identity

Answer 271

Certificates

Question 272

Cloud Threats - Insufficient Logging and Monitoring

Answer 272

Software as a service may not supply access to log files or monitoring tools. Logs must be copied to non-elastic storage for long-term retention.

Question 273

Software tool that allows for the capture, reassembly, and analysis of packets from the network

Answer 273

Protocol Analyzer

Question 274

Layer from which the message is created, formed, and originated

Answer 274

Application Layer - Layer 7 - Consists of high-level protocols like HTTP, SMTP, and FTP

Question 275

A popular network analysis tool to capture network packets and display them at a granular level for real-time or offline analysis

Answer 275

Wireshark - Packet Capture

Question 276

Class B Fire Suppresion

Answer 276

Red B Square - flammable liquids and gases: gasoline, oils, paint

Question 277

A logical communication opening created on a client in order to call out to a server that is listening for a connection

Answer 277

Outbound Port

Question 278

Chip residing on the motherboard that contains an encryption key

Answer 278

Trusted Platform Module (TPM)

Question 279

Occurs when virtual machines are created, used, and deployed without proper management or oversight by the system admins

Answer 279

Virtualization Sprawl

Question 280

A newer and updated version of the PGP encryption suite that uses AES for its symmetric encryption functions

Answer 280

GNU Privacy Guard (GPG)

Question 281

Uses logical address to route or switch information between hosts, the network, and the internetworks

Answer 281

Network Layer - Layer 3 - Packets, Routers

Question 282

An interpreted, high-level and general-purpose programming language

Answer 282

Python - Shell and Scripts

Question 283

A market-leading big data information gathering and analysis tool that can import machine-generated data via a connector or visibility add-on

Answer 283

Splunk

Question 284

Uses digital signatures to provide an assurance that the software code has not been modified after it was submitted by the developer

Answer 284

Code Signing

Question 285

An open-source packet generator and analyzer for the TCP/IP protocol that is used for security auditing and testing of firewalls and networks

Answer 285

hping - Networking Security Tools

Question 286

Used whenever you can’t meet the requirement for a normal control

Answer 286

Compensating Control

Question 287

Utility for reading from and writing to network connections using TCP or UDP which is a dependable back-end that can be used directly or easily driven by other programs and scripts

Answer 287

netcat - Networking Security Tools

Question 288

Used after an event occurs

Answer 288

Corrective Controls

Question 289

Analysis and testing of a program occurs while it is being executed or run

Answer 289

Dynamic Analysis

Question 290

A property of IaC that an automation or orchestration action always produces the same result, regardless of the component’s previous state

Answer 290

Idempotence

Question 291

A python script that is used to gather emails, subdomains, hosts,
employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN database

Answer 291

the harvester - Networking Security Tools

Question 292

A single operating system kernel is shared across multiple virtual machines but each virtual machine receives its own user space for programs and data

Answer 292

Application Containerization - Containerization allows for rapid and efficient deployment of distributed applications

Question 293

The potential vulnerability that occurs when there is a change between when an app checked a resource and when the app used the resource

Answer 293

Time of Check to Time of Use (TOCTTOU) - Develop applications to not process things sequentially if possible. Implement a locking mechanism to provide app with exclusive
access

Question 294

Cisco’s proprietary version of RADIUS

Answer 294

TACACS+

Question 295

A specialized type of software that allows the restoration of a lost or corrupted key to be performed

Answer 295

Key Recovery Agent

Question 296

Provides integrity, confidentiality, and authenticity of packets by
encapsulating and encrypting them

Answer 296

Encapsulating Security Payload (ESP)

Question 297

A security appliance or host positioned at the client
network edge that forwards user traffic to the cloud
network if the contents of that traffic comply with policy

Answer 297

Forward Proxy

Question 298

Any lightweight code designed to run an exploit on the target, which may include any type of code format from scripting languages to binary code

Answer 298

Shellcode

Question 299

Occurs when an attacker observes the operation of a cipher being used with several different keys and finds a mathematical relationship between those keys to determine the clear text data

Answer 299

IV Attack

Question 300

A logical communication opening on a server that is listening for a connection from a client

Answer 300

Inbound Port

Question 301

Network adapter can only capture the packets directly addressed to itself

Answer 301

Non-promiscuous Mode - Protocol Analyzers

Question 302

Attestation model built upon XML used to share federated identity management information between systems

Answer 302

Security Assertion Markup Language (SAML)

Question 303

A means for software or firmware to permanently alter the state of a transistor on a computer chip

Answer 303

eFUSE

Question 304

Attack that exploits the IP address to MAC resolution in a network to steal, modify, or redirect frames within the local area network

Answer 304

ARP Poisoning - Allows an attacker to essentially take over any sessions within the LAN. ARP Poisoning is prevented by VLAN segmentation and DHCP snooping.

Question 305

Cryptographic protocols that provide secure Internet communications for web browsing, instant messaging, email, VoIP, and many other services

Answer 305

Secure Socket Layer (SSL) and Transport Layer Security (TLS)

Question 306

Attempts to remove, detain, or redirect malicious traffic

Answer 306

Network Intrusion Prevention Systems - NIPS should be installed in-line of the network traffic flow. NIPS can also perform functions as a protocol analyzer.

Question 307

Malicious code that has been inserted inside a program and will execute only when certain conditions have been met

Answer 307

Logic Bomb

Question 308

Methods that make it difficult for an attacker to alter the authorized execution of software

Answer 308

Anti-Tamper - Anti-tamper mechanisms include a field programmable gate array (FPGA) and a physically unclonable function (PUF)

Question 309

A claim that the data presented in the report is valid by digitally
signing it using the TPM’s private key

Answer 309

Attestation

Question 310

A simulated random number stream generated by a computer that is used in cryptography, video games, and more

Answer 310

Pseudo-Random Number Generator (PRNG) - There are no such thing as truly random numbers in computers

Question 311

Method used by programmers to randomly arrange the different address spaces used by a program or process to prevent buffer overflow exploits

Answer 311

Address Space Layout Randomization

Question 312

Exploitation of a computer session in an attempt to gain unauthorized access to data, services, or other resources on a computer or server

Answer 312

Hijacking

Question 313

The attacker identifies a vector by which to transmit the
weaponized code to the target environment

Answer 313

Delivery

Question 314

Utility that supports encrypted data transfer between two computers for secure logins, file transfers, or general purpose connections

Answer 314

SSH - Shell and Scripts

Question 315

Utility used to determine the IP address associated with a domain name, obtain the mail server settings for a domain, and other DNS information

Answer 315

nslookup/dig - Networking Security Tools

Question 316

Cloud Threats - Improper Key Management

Answer 316

APIs should use secure authentication and authorization such as SAML or OAuth/OIDC before accessing data. Do not hardcode or embed a key into the source code. Do not create one key with full control to access an application’s functions. Delete unnecessary keys and regenerate keys when moving
into a production environment.

Question 317

A SIEM log management and analytics software that can be used for compliance reporting for legislation and regulations like HIPPA, SOX, and PCI DSS

Answer 317

ArcSight

Question 318

An operating system that meets the requirements set forth by
government and has multilevel security

Answer 318

Trusted Operating System (TOS)

Question 319

An international standard that acts as a privacy extension to the ISO 27001 to enhance the existing Information Security Management System (ISMS) with additional requirements in order to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS)

Answer 319

ISO 27701

Question 320

An attack that allows an attacker to break out of a normally isolated VM by interacting directly with the hypervisor

Answer 320

VM Escape

Question 321

Occurs when an attacker forces a user to execute actions on a web server for which they are already authenticated

Answer 321

Cross-Site Request Forgery (XSRF/CSRF) - Prevent XSRF with tokens, encryption, XML file scanning, and cookie verification

Question 322

Focused on changing the behavior of people instead of removing the actual risk involved

Answer 322

Administrative Controls

Question 323

Exposes the hard drive to a powerful magnetic field which in turn causes previously-written data to be wiped from the drive

Answer 323

Degaussing

Question 324

A physical device that allows you to intercept the traffic between
two points on the network

Answer 324

Network Tap

Question 325

Mitigation actions that an organization takes to defend against the risks that have been uncovered during due diligence

Answer 325

Due Care

Question 326

Focused on the things done by people

Answer 326

NIST - Operational Controls

Question 327

Hosts or servers in the DMZ which are not configured with any services that run on the local network

Answer 327

Bastion Hosts

Question 328

A data preview and imaging tool that lets you quickly assess electronic evidence to determine if further analysis with a forensic tool is needed

Answer 328

FTK Imager - Forensics

Question 329

Uses a piece of software that scans the device remotely or is installed and subsequently removed after the scan

Answer 329

Non-Persistent Agents

Question 330

Comparing a precomputed encrypted password to a value in a lookup table

Answer 330

Cryptanalysis Attack

Question 331

Components and protocols that facilitate the centralized configuration and monitoring of mechanical and electrical systems within offices and data centers

Answer 331

Building Automation System (BAS)

Question 332

Source code of an application is reviewed manually or with automatic tools without running the code

Answer 332

Static Analysis

Question 333

Malware designed to install or run other types of malware embedded in a payload on an infected host

Answer 333

Dropper - Droppers are likely to implement anti-forensics techniques to prevent detection and analysis

Question 334

Utility used to determine if a host is reachable on an Internet Protocol network

Answer 334

ping/pathping - Networking Security Tools

Question 335

A protocol that encapsulates PPP packets and ultimately sends data as encrypted traffic

Answer 335

Point-to-Point Tunneling Protocol (PPTP) - PPTP can use CHAP-based authentication, making it vulnerable to attacks

Question 336

Act of removing data in such a way that it cannot be reconstructed using any known forensic techniques

Answer 336

Purging (Sanitizing)

Question 337

A type of industrial control system that manages large-scale, multiple-site devices and equipment spread over geographic region

Answer 337

Supervisory Control and Data Acquisition (SCADA) - SCADA typically run as software on ordinary computers to gather data from and manage plant devices and equipment with embedded PLCs

Question 338

Used to verify information about a user prior to requesting that a certificate authority issue the certificate

Answer 338

Registration Authority

Question 339

Microsoft’s proprietary protocol that allows administrators and users to remotely connect to another computer via a GUI

Answer 339

Remote Desktop Protocol (RDP) - RDP doesn’t provide authentication natively

Question 340

U.S. Government standards for the level of shielding required in a building to ensure emissions and interference cannot enter or exit the facility

Answer 340

TEMPEST

Question 341

This mechanism enables the weaponized code to run a remote access tool and achieve persistence on the target system

Answer 341

Installation

Question 342

Analyzes the current traffic against an established baseline and
triggers an alert if outside the statistical average

Answer 342

Anomaly-based Detection (IDS)

Question 343

A container for an emulated computer that runs an entire operating system

Answer 343

Virtual Machine

Question 344

The default file system format for Windows and is more secure because it supports logging, encryption, larger partition sizes, and larger file sizes than FAT32

Answer 344

New Technology File System (NTFS)

Question 345

The original ruleset governing the encoding of data structures for
certificates where several different encoding types can be utilized

Answer 345

Basic Encoding Rules (BER)

Question 346

Sending of unsolicited messages to Bluetooth-enabled devices

Answer 346

Bluejacking

Question 347

A decentralized trust model that addresses issues associated with the public authentication of public keys within a CA-based PKI system

Answer 347

Web of Trust

Question 348

Method used by an attacker to access a victim’s machine

Answer 348

Threat Vector

Question 349

The longest period of time a business can be inoperable without causing irrevocable business failure

Answer 349

Maximum Tolerable Downtime (MTD)

Question 350

A role responsible for handling the management of the system on which the data assets are stored

Answer 350

Data Custodian

Question 351

An access control policy where the computer system determines the access control for an object

Answer 351

Mandatory Access Control (MAC) - MAC relies on security labels being assigned to every user (called a subject) and every file/folder/device or network connection (called an object). Data labels create trust levels for all subjects and objects

Question 352

Attack that targets an individual client connected to a network, forces it offline by deauthenticating it, and then captures the handshake when it reconnects. Used as part of an attack on WPA/WPA2

Answer 352

WiFi Disassociation Attack

Question 353

A specialized type of DoS which attempts to send more packets to a single server or host than they can handle

Answer 353

Flood Attack

Question 354

Any system that is different in its configuration compared to a standard template within an infrastructure as code architecture

Answer 354

Snowflake Systems - Lack of consistency leads to security issues and inefficiencies in support

Question 355

A deidentification technique where data is generalized to protect the individuals involved

Answer 355

Aggregation/Banding

Question 356

Method used by IPSec to create a secure tunnel by encrypting the connection between authenticated peers

Answer 356

Internet Key Exchange (IKE)

Question 357

Utilizes a web of trust between organizations where each one certifies others in the federation

Answer 357

Cross-Certification

Question 358

Logs the events such as successful and unsuccessful user logins to the system

Answer 358

Security Logs

Question 359

Attempts to get data provided by the attacker to be saved on the
web server by the victim

Answer 359

Stored/Persistent XSS

Question 360

Algorithm that creates a fixed-length 128-bit hash value unique to the input file

Answer 360

Message Digest 5 (MD5) - SHA has higher encryption

Question 361

A TCP/IP protocol that authenticates and encrypts IP packets and effectively securing communications between computers and devices using this protocol

Answer 361

IPSec

Question 362

A role focused on the quality of the data and associated metadata

Answer 362

Data Steward

Question 363

Attack that causes data to flow through the attacker’s computer where they can intercept or manipulate the data

Answer 363

Man-in-the-Middle (MITM)

Question 364

Unauthorized access of information from a wireless device over a Bluetooth connection

Answer 364

Bluesnarfing

Question 365

A type of computer designed for deployment in an industrial or outdoor setting that can automate and monitor mechanical systems

Answer 365

Programmable Logic Controller (PLC)

Question 366

Utility that provides an easy way to add messages to the /var/log/syslog file from the command line or from other files

Answer 366

logger - File Manipulation

Question 367

A software architecture that runs functions within virtualized runtime containers in a cloud rather than on dedicated server instances

Answer 367

Serverless - Serverless depends on orchestration

Question 368

Firmware that provides the computer instructions for how to accept input and send output

Answer 368

Basic Input Output System (BIOS) OR Unified Extensible Firmware Interface (UEFI)

Question 369

Class D Fire Suppresion

Answer 369

Yellow D Star - combustible metals and metal alloys

Question 370

A logical communication endpoint that exists on a computer or server

Answer 370

Port

Question 371

The collection of tactical information about an adversary as well as the dissemination of propaganda in pursuit of a competitive advantage over an opponent

Answer 371

Influence Operations or Influence Campaign

Question 372

Seeks to identify any issues in a network, application, database, or other systems prior to it being used that might compromise the system

Answer 372

Vulnerability Assessment

Question 373

Injection of randomized data into a software program in an attempt to find system failures, memory leaks, error handling issues, and improper input validation

Answer 373

Fuzzing

Question 374

Wireless B, G, and N

Answer 374

Use a 2.4 GHz signal

Question 375

An automated version of a playbook that leaves clearly defined interaction points for human analysis

Answer 375

Runbook

Question 376

Measures the average time it takes to repair a network device when it breaks

Answer 376

Mean Time To Repair (MTTR)

Question 377

A UEFI feature that gathers secure metrics to validate the boot
process in an attestation report

Answer 377

Measured Boot

Question 378

Low-level CPU changes and instructions that enable secure processing

Answer 378

Processor Security Extensions

Question 379

Cost associated with the realization of each individualized threat
that occurs

Answer 379

Single Loss Expectancy (SLE)

Question 380

Any security measures that are designed to deter or prevent unauthorized access to sensitive information or the systems that contain it

Answer 380

Physical Controls

Question 381

A technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LM hash instead of requiring the associated plaintext password

Answer 381

Pass the Hash - difficult to defend against

Question 382

Utility that displays network connections for Transmission Control Protocol, routing tables, and a number of network interface and network protocol statistics

Answer 382

netstat - Networking Security Tools

Question 383

A group of policies that can be loaded through one procedure

Answer 383

Security Template

Question 384

Attack which relies on the large amount of DNS information that is sent in response to a spoofed query on behalf of the victimized server

Answer 384

DNS Amplification

Question 385

An authentication protocol used by Windows to provide for two-way (mutual) authentication using a system of tickets

Answer 385

Kerberos - A domain controller can be a single point of failure for Kerberos

Question 386

Attack that exploits a process in the registration process for a domain name that keeps the domain name in limbo and cannot be registered by an authenticated buyer

Answer 386

Domain Name Kiting

Question 387

Consensus-developed secure configuration guidelines for hardening (benchmarks) and prescriptive, prioritized, and simplified sets of cybersecurity best practices (configuration guides)

Answer 387

Center for Internet Security (CIS)

Question 388

Protocol used in IPSec that provides integrity and authentication

Answer 388

Authentication Header (AH)

Question 389

Combination of network security devices and technologies to provide more defense in depth within a single device

Answer 389

Unified Threat Management - UTM may include a firewall, NIDS/NIPS, content filter, anti-malware, DLP, and VPN. Also known as NGFW.

Question 390

Provide general direction and goals, a framework to meet the business goals, and define the roles, responsibilities, and terms

Answer 390

Organizational Policies

Question 391

Occurs when an attacker blindly injects data into the communication stream without being able to see if it is successful or not

Answer 391

Blind Hijacking

Question 392

A single computer (or file, group of files, or IP range) that might be attractive to an attacker

Answer 392

Honeypot

Question 393

A software development method where code updates are tested and committed to a development or build server/code repository rapidly.

Answer 393

Continuous Integration - Continuous integration can test and commit updates multiple times per day. Continuous integration detects and resolves development conflicts early and often.

Question 394

Occurs when an attacker is able to execute or run commands on a victim computer

Answer 394

Arbitrary Code Execution

Question 395

Allows two devices to transmit information when they are within close range through automated pairing and transmission

Answer 395

Near Field Communication (NFC)

Question 396

One or more switch ports are configured to forward all of their packets to another port on the switch

Answer 396

Port Mirroring

Question 397

Manages the distribution of the physical resources of a host machine (server) to the virtual machines being run (guests)

Answer 397

Hypervisor

Question 398

An agreement for the owners and operators of the IT systems to
document what technical requirements each organization must meet

Answer 398

Interconnection Security Agreement (ISA)

Question 399

A standard that provides cryptographic security for electronic messaging

Answer 399

Secure/Multipurpose Internet Mail Extensions (S/MIME)

Question 400

Operates at the session layer and only inspects the traffic during the establishment of the initial session over TCP or UDP

Answer 400

Circuit-Level Gateway

Question 401

An entire system of hardware, software, policies, procedures, and people that is based on asymmetric encryption

Answer 401

Public Key Infrastructure (PKI) - PKI and public key encryption are related but they are not the same thing

Question 402

A UEFI feature that prevents unwanted processes from executing during the boot operation

Answer 402

Secure Boot

Question 403

Provides all the hardware, operating system, software, and applications needed for a complete service to be delivered

Answer 403

Software as a Service (SaaS)

Question 404

Type of backup primarily used to capture the entire operating system image including all applications and data

Answer 404

Snapshot Backup

Question 405

Process of measuring changes in the network, hardware,
and software environment

Answer 405

Baselining

Question 406

Physical devices that act as a secure cryptoprocessor during the
encryption process

Answer 406

Hardware Security Module (HSM)

Question 407

The longest period of time that an organization can tolerate lost data being unrecoverable

Answer 407

Recovery Point Objective (RPO) - Recovery Point Objective (RPO) is focused on how long can you be without your data. MTD and RPO help to determine which business functions are critical and to specify appropriate risk countermeasures

Question 408

Logical controls that are put into a system to help secure it

Answer 408

NIST - Logical Controls

Question 409

Occurs when a Trojan infects a vulnerable web browser and modifies the web pages or transactions being done within the browser

Answer 409

Man-in-the-Browser (MITB)

Question 410

Methods used to secure data and information by verifying a user has permissions to read, write, delete, or otherwise modify it

Answer 410

Access Control

Question 411

Network traffic is analyzed for predetermined attack patterns

Answer 411

Signature-based Monitoring

Question 412

An XML schema used to define and describe the information being created by OVAL to be shared among the various programs and tools

Answer 412

OVAL Language

Question 413

Utilizes a keystream generator to encrypt data bit by bit using a mathematical XOR function to create the ciphertext

Answer 413

Stream Cipher

Question 414

A framework of protocols that allows for numerous methods of authentication including passwords, digital certificates, and public key infrastructure

Answer 414

Extensible Authentication Protocol (EAP)

Question 415

A commercial disk editor and universal hexadecimal editor used for data recovery and digital forensics

Answer 415

WinHex - Forensics

Question 416

An international standard for enterprise risk management that provides a universally recognized paradigm for practitioners and companies employing risk management processes to replace the myriad of existing standards, methodologies, and paradigms that differed between industries, subject matters, and regions

Answer 416

ISO 31000

Question 417

A provisioning architecture in which deployment of resources is
performed by scripted automation and orchestration

Answer 417

Infrastructure as Code (IaC) - IaC allows for the use of scripted approaches to provisioning infrastructure in the cloud

Question 418

Uniquely identifies the network and is the name of the WAP used by the clients

Answer 418

Service Set Identifier (SSID) - Disable the SSID broadcast in the exam

Question 419

Logs the events such as a system shutdown and driver failures

Answer 419

System Logs

Question 420

A protocol that allows you to determine the revocation status of a digital certificate using its serial number

Answer 420

Online Certificate Status Protocol (OCSP)

Question 421

A SIEM log management, analytics, and compliance reporting
platform created by IBM

Answer 421

QRadar

Question 422

A cloud service model that supports serverless software architecture by provisioning runtime containers in which code is executed in a particular programming language

Answer 422

Function as a Service (FAAS)

Question 423

A protocol that can create a secure channel between two computers or network devices to enable one device to control the other device

Answer 423

Secure Shell (SSH)

Question 424

Computers and other network-attached devices monitored through the use of agents by a network management system

Answer 424

Managed Devices

Question 425

A firmware update that is digitally signed by the vendor and
trusted by the system before installation

Answer 425

Trusted Firmware Updates

Question 426

Manages the establishment, termination, and synchronization of a session over the network

Answer 426

Session Layer - Layer 5

Question 427

Attempts to detect, log, and alert on malicious network activities

Answer 427

Network Intrusion Detection Systems - NIDS use promiscuous mode to see all network traffic on a segment

Question 428

An online list of digital certificates that the certificate authority has
revoked

Answer 428

Certificate Revocation List (CRL)

Question 429

A software agent and monitoring system that performs multiple security tasks such as anti-virus, HIDS/HIPS, firewall, DLP, and file encryption

Answer 429

Endpoint Protection Platform (EPP)

Question 430

A type of system firmware providing support for 64-bit CPU
operation at boot, full GUI and mouse operation at boot, and
better boot security

Answer 430

Unified Extensible Firmware Interface (UEFI)

Question 431

Firewall installed to protect your server by inspecting traffic being sent to a web application

Answer 431

Web Application Firewall - A WAF can prevent a XSS or SQL injection

Question 432

A processor that can be programmed to perform a specific function by a customer rather than at the time of manufacture

Answer 432

Field Programmable Gate Array (FPGA) - End customer can configure the programming logic to run a specific application instead of using an ASIC (application-specific integrated circuit)

Question 433

IEEE standard that defines Port-based Network Access Control (PNAC) and is a data link layer authentication technology used to connected devices to a wired or wireless LAN

Answer 433

802.1x

Question 434

Attacker guesses the session ID for a web session, enabling them to take over the already authorized session of the client

Answer 434

Session Theft

Question 435

Shielding installed around an entire room that prevents electromagnetic energy and radio frequencies from entering or leaving the room

Answer 435

Faraday Cage

Question 436

Manages and ensures transmission of the packets occurs from a host to a destination using either TCP or UDP

Answer 436

Transport Layer - Layer 4 - Segments (TCP) or Datagrams (UDP)

Question 437

Cloud Threats - Cross Origin Resource Sharing (CORS) Policy

Answer 437

A content delivery network policy that instructs the browser to treat requests from nominated domains as safe. Weak CORS policies expose the site to vulnerabilities like XSS.

Question 438

A software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer

Answer 438

Race Conditions - A race condition vulnerability is found where multiple threads are attempting to write a variable or object at the same memory location

Question 439

Wireless A, N, and AC

Answer 439

Use a 5.0 GHz signal

Question 440

Allows an HTTPS website to resist impersonation attacks by presenting a set of trusted public keys to the user’s web browser as part of the HTTP header

Answer 440

Public Key Pinning

Question 441

A secure password-based authentication and password-authenticated key agreement method

Answer 441

Simultaneous Authentication of Equals (SAE) - (SAE) provides forward secrecy

Question 442

Creates a striped RAID of two mirrored RAIDs (combines RAID 1 & RAID 0)

Answer 442

RAID 10

Question 443

Three sets of backup tapes are defined as the son (daily), the father (weekly), and the grandfather (monthly)

Answer 443

Grandfather-Father-Son Tape Rotations

Question 444

Protects against the loss of the array’s data if a single component fails (RAID 1, RAID 5, RAID 6)

Answer 444

Fault-tolerant RAID

Question 445

802.11i standard to provide better wireless security featuring AES with a 128-bit key, CCMP, and integrity checking

Answer 445

WiFi Protected Access version 2 (WPA2) - WPA2 is considered the best wireless encryption available

Question 446

The method and tools used to create a forensically sound copy of data from a source device, such as system memory or a hard disk

Answer 446

Data Acquisition

Question 447

Occurs when an attacker requests replication of the DNS information to their systems for use in planning future attacks

Answer 447

Unauthorized Zone Transfer

Question 448

Occurs when a process stores data outside the memory range allocated by the developer

Answer 448

Buffer Overflow - Over 85% of data breaches were caused by a buffer overflow

Question 449

A framework for analyzing cybersecurity incidents and intrusions by exploring the relationships between four core features: adversary, capability, infrastructure, and victim

Answer 449

Diamond Model of Intrusion Analysis

Question 450

A network that manages embedded devices

Answer 450

Industrial Control Systems (ICS) - ICS is used for electrical power stations, water suppliers, health services, telecommunications, manufacturing, and defense needs. ICS manages the process automation by linking together PLCs using a fieldbus to make changes in the physical world (values, motors, etc)

Question 451

A methodology and a set of tools that enable security architects,
enterprise architects, and risk management professionals to leverage a common set of solutions that fulfill their common needs to be able to assess where their internal IT and their cloud providers are in terms of security capabilities and to plan a roadmap to meet the security needs of their business

Answer 451

Cloud Security Alliance’s Reference Architecture

Question 452

The length of time it takes after an event to resume normal business operations and activities

Answer 452

Recovery Time Objective (RTO)

Question 453

Class C Fire Suppresion

Answer 453

Blue C Circle - live electrical equipment

Question 454

An appliance for generating and storing cryptographic keys that is less susceptible to tampering and insider threats than software-based storage

Answer 454

Hardware Security Module (HSM)

Question 455

Encryption algorithm which uses three separate symmetric keys to encrypt, decrypt, then encrypt the plaintext into ciphertext in order to increase the strength of DES

Answer 455

Triple DES (3DES)

Question 456

Attack that uses multiple transparent layers to trick a user into clicking on a button or link on a page when they were intending to click on the actual page

Answer 456

Clickjacking

Question 457

A software development method where application and platform
requirements are frequently tested and validated for immediate
availability

Answer 457

Continuous Delivery- Continuous delivery focuses on automated testing of code in order to get it ready for release

Question 458

Occurs when an attacker fills up the buffer with NOP so that the return address may hit a NOP and continue on until it finds the attacker’s code to run

Answer 458

Smash the Stack

Question 459

Specialized hardware device that allows for hundreds of simultaneous VPN connections for remote workers

Answer 459

VPN Concentrator

Question 460

The weaponized code is executed on the target system by this
mechanism

Answer 460

Exploitation