Security + Flashcards

Question 1

Q

what are the three parts to any form of authentication ?

Answer

A

Identification - usually a username
Password - or something you know
Authorization - what you can do

Question 2

Q

what is MFA ?

Answer

A

more than one factor to authenticate

Question 3

Q

what are the different factors that can be used when authenticating someone with MFA

Answer

A

something you know, password
Something you have, keyfob
Something you are - biometrics

Question 4

Q

what are some of the different authentication attributes ?

Answer

A

Something you do
Your signature

Something you exhibit
Typing speed

Someone you know
Certificates from a server

Somewhere you are
Physical location

Question 5

Q

what is identification ?

Answer

A

claiming an identity

Question 6

Q

what is authentication?

Answer

A

proving an identity

Question 7

Q

what is authorization?

Answer

A

permitting specific actions once a user has been authenticated

Question 8

Q

what does it mean when we hear the word accounting in security ?

Answer

A

essentially auditing, we want to be able to account for or audit the activity that the user executed when they were signed in

Question 9

Q

when can authorization occur ?

Answer

A

authorization can only occur after the authentication

Question 10

Q

what do we need to do proper accounting and auditing ?

Answer

A

To do these we need to have separate user accounts or else it will look like the same user id doing everything

Question 11

Q

what are some different type of auditing ?

Answer

A

Resource access, such as signings into a system
Failed login attempts
Changes to files or database records, has it been tampered with ?

Question 12

Q

why is username and password security risky ?

Answer

A

Security risk because they are both something you know and can be guessed
Mitigation for this is to use different passwords for different resources

Question 13

Q

what is a password vault ?

Answer

A

A way of storing passwords something like last pass is an example of this

Question 14

Q

what are the characteristics of one time passwords ?

Answer

A

Unique password generated for single use, static code sent via email or SMS text
- TOTP stands for time-based one-time password,
  ○ this means the password is only valid for a certain amount of time
- HOTP stands for HMAC one-time password
  HMAC encrypts a hash to ensure authenticity

Question 15

Q

what are the characteristics of certification based authentication ?

Answer

A

PKI certificates are issued by a trusted authority to an individual entity

Question 16

Q

what are the characteristics of SSH public key encryption

Answer

A

This means you would sign in with a username and password as well as a private key

The public key is stored on the server

The private key is stored with you on your station

Question 17

Q

what are some of the characteristics of bio metrics ?

Answer

A

This is something that is unique to you as an individual
- Fingerprints
- Retina scan
- Iris scans
- Facial recognition
- Voice recognition
- Vein analysis
Gait analysis how you move or walk

Question 18

Q

what are some mistakes that can happen with biometrics ?

Answer

A

False acceptance - makes a mistake
False rejection rate
Cross over error rate

Question 19

Q

what are some of the characteristics of credential policies ?

Answer

A

defines who gets access to what, like what employees get access to what in an ORG
- We might have a credential policy that is related to contractors
- Device policies, example need to use a VPN tunnel
- Credential policies for service accounts
We can have credential policies for administrator or root accounts, this is sometimes called PAM or privileged access management

Question 20

Q

what is attribute based access control ?

Answer

A

Looks at the attributes of a user or device to determine what permissions they have to a resource Example Date of birth, or maybe we will look at the device type

Question 21

Q

what is role based access control ?

Answer

A

A role is a collection of related permissions
Example we could create a roll to have someone access files in the cloud

Question 22

Q

What is rule based access control ?

Answer

A

Uses conditional access policies
For example have to be signed in using MFA have to be using an iPhone have to be signing in from Canada

Question 23

Q

what is Mandatory access control ?

Answer

A

We assign labels or identifiers to resources
○ Devices, files, databases, network ports etc
- Permission assignments are based on resource labels and security clearance

Question 24

Q

what is discretionary access control ?

Answer

A

Data custodian sets permissions at their discretion

Question 25

Q

what are some things we can use for Physical access control

Answer

A

Limited facility access
- Vestibules
- Door locks
- Proximity cards
- Key fobs

Question 26

Q

What are some best practices for account management ?

Answer

A

We should assign permissions to groups
- Principle of least privilege should be assigned to user accounts
- Audit user accounts
  Make sure to disable user accounts when they are terminated or leave

Question 27

Q

what are some different types of account policies ?

Answer

A

employee onboarding policies
- Password policies
  ○ Here we can define password complexity policies
  ○ Password history
- Account lockout policies to protect against bruteforce attacks
- Geolocation
  ○ Where a user is located
- Geofencing
  ○ Users geolocation determines resource access
- Geotagging
  ○ Adding location metadata to files and social media posts
- Impossible travel time
  Moving locations so fast it’s impossible

Question 28

Q

where are public keys stored on a linux machine ?

Answer

A

User home directory on the Linux server. SSH public keys must be stored on the server in the user home directory in a file called “authorized_keys”

Question 29

Q

what is geotagging ?

Answer

A

Geotagging uses GPS coordinates or IP address block information to add detailed location information to social media posts and pictures.

Question 30

Q

what are some of the different network authentication protocols ?

Answer

A

Pap or password authentication protocol

MS-Chap Microsoft challenge handshake authentication protocol

NTLM Microsoft new technology Lan Manager NTLM

Kerberos

EAP

IEEE 802.1x

Radius

Question 31

Q

what are some of the characteristics of PAP ?

Answer

A

Outdated
Sends passwords in the clear over the network

Question 32

Q

what are some of the characteristics of MS-Chap ?

Answer

A

Client requests authentication from a server
Then the server sends a challenge to the client
Client responds to challenge by hashing the response with a users password
Server compares response to its own computed hash and authenticates if they match

Question 33

Q

what are some of the characteristics of NTLM ?

Answer

A

NTLM is used on workgroup computers
A workgroup computer is one that is not joined to an active directory domain
Password hashes with NTLM are not salted
NTLM v2 passwords are salted

Question 34

Q

what are some of the characteristics of Kerberos ?

Answer

A

Microsoft active directory authentication
Kerberos uses a key distribution center or KDC
Authentication service AS
Ticket granting service TGS
Ticket Granting Ticket TGT
Once you are authenticated you are granted a ticket from the ticket granting service , that ticket is what you present when you try to access resources in the AD domain and if you should have access to that resource you get let in without having to sign in again

Question 35

Q

what are some of the characteristics of EAP ?

Answer

A

Network authentication framework
Lets us authenticate using more methods
PKI certificate authentication
Smart card authentication
Often EAP uses TLS as a transport mechanism
Applies to wired and wireless networks

Question 36

Q

what are some of the characteristics of IEEE 802.1x ?

Answer

A

port based network access control

This protocol hands off authentication to a centralized RADIUS server for authentication

This applies to wired and wireless network edge devices

The devices that can authenticate users to the network include
Ethernet switches
Routers
VPN appliances

Question 37

Q

what are some of the characteristics of RADIUS ?

Answer

A

centralized authentication server
This could be a domain controller
○ Radius clients are network edge devices
§ Network switches
§ VPN appliances
§ Wireless routers
We call actual users trying to connect to the network the radius supplicant

Question 38

Q

what are the characteristics of single sign on ?

Answer

A

User credentials are not requested after initial authentication
- Protocols used with single sign on
  ○ OpenID
  ○ Oauth

Question 39

Q

What are the characteristics of identity federation

Answer

A

Identity federation is when multiple resources trust a single authentication source
○ With this we have a centralized trusted identity provider IDP
- Protocols we can use with identity federation
  ○ Security assertion markup language SAML
  A Saml token is a digital security token that proves your identity

Question 40

Q

explain a virus

Answer

A

Program that can replicate through user interaction

Activates once a user clicks or downloads

Question 41

Q

what is a file-less Malware or Virus

Answer

A

No file lives only in memory

Difficult for anti malware to detect

Question 42

Q

explain Ransomeware

Answer

A

Also known as crypto malware and crypto ransomware

Uses encryption to lock a user out of a system

Attacker hides your data until you pay your Ransome

Question 43

Q

explain a worm

Answer

A

A virus that once it gets started will use networking or the internet to self-replicate

More like a pathway for replication

Question 44

Q

explain a trojan horse

Answer

A

A program that looks like one thing but does another usually nefarious

No replication

Remote access trojans or RAT’s

Maliciously takes control of a system remotely

Question 45

Q

explain a backdoor

Answer

A

Created by developers as an easy maintenance entry point

Can be exploited by attackers if left open by developers

Can be created in a program by hackers to gain access

Question 46

Q

explain a PUP or potentially unwanted program

Answer

A

Software that may have negative or undesirable effects

Crapware adware spyware bloatware

Question 47

Q

what are the characteristics of Bots/Botnets

Answer

A

Distributed attack using remotely-controlled malware controlling several computers

Often running some kind of RAT

Hosts are called bots or zombies

One kind of Botnet is a distributed denial of service attack or DDOS attack

Trying to overload traffic from a number of sources that makes resources unavailable for legitimate users

Usually have a C2 or command or control

Question 48

Q

what is a key logger

Answer

A

Can be hardware

Device that plugs in between keyboard and computer to log keystrokes

Can be software

Programs that logs keystrokes

Question 49

Q

what is a rootkit

Answer

A

Can often be somewhat invisible

Goal to get root access to the system

Usually installed on the boot of the systems they are attacking

Question 50

Q

what is a logic bomb ?

Answer

A

Often a script is set to execute

Created with a timer to go off at a specific time or during a specific event on a system

Question 51

Q

what are some bad security configurations relating to open permissions ?

Answer

A

Open wireless networks

guest user accounts, we need to disable these

No intruder lockout settings, nothing to block failed logon attempts

Too many file or app permissions assigned by default

Question 52

Q

what are some security best practices for linux instances

Answer

A

Don’t sign in with a root account

Use sudo to run privileged commands

Disallow remote access as root

Use su to temporarily switch to root

Question 53

Q

what are some insecure cryptographic solutions

Answer

A

WEP is weak

DES digital encryption standard

Use AES instead

Secure Sockets Layer

Use TLS

SSL uses a PKI certificate for encryption

TLS

Not secure 1.0 and 1.1

Secure versions 1.2 and 1.3

Question 54

Q

what are some security settings to be aware of with default settings ?

Answer

A

Change IP address

Don’t have ports open that don’t need to be listening

Don’t install everything in the default space with a webserver

Don’t use usernames and password that come default

Question 55

Q

what are some characteristics of zero day attacks ?

Answer

A

An exploit unknown by the vendor and the public

ZDI zero day initiative

This encourages the private reporting of vulnerabilities to vendors

Question 56

Q

what are some common attacks ?

Answer

A

DNS sinkholing

Privilege escalation

Replay attacks

Pointer / object dereference

Error handling

Dynamic link Library DLL injection

Resource Exhaustion

Race condition

Question 57

Q

Explain DNS sinkholing ?

Answer

A

This attack returns false DNS query results

Question 58

Q

explain privilege escalation

Answer

A

Attacker acquires a higher level of access

Example - compromising an admin account that has a weak password

Question 59

Q

Explain replay attacks

Answer

A

Capturing something that happens on the network and replaying it

Common in MITM attacks

Question 60

Q

what is Pointer / object dereference

Answer

A

Attacker manipulates memory pointers to point to unexpected memory locations

Normally causes software to crash

Question 61

Q

what is error handling

Answer

A

Improper handling can crash a system

These errors might disclose to much information

Question 62

Q

explain Dynamic Link library

Answer

A

Attacker places malicious DLL’s in the file system

Legitimate running processes call malicious code within the DLL

Question 63

Q

what is resource exhaustion

Answer

A

Dos or DDOS

Can result in memory leaks

Question 64

Q

explain a race condition

Answer

A

Actions might occur before security control in in effect

These are based on timing

Answer 65

A

driver shimming

driver refactoring

Answer 66

A

Normally used to allow legacy software to run

This can be installed by a malicious user

If an attacker has access to a device they can install malicious drivers

This can happen in the supply chain injected in the software development stage

Intercept API calls to run the malicious code

Answer 67

A

Restructures internal code while maintaining external behavior

Can evade signature based AV

Answer 68

A

integer overflow

Buffer overflows

Answer 69

A

Less memory than expected is allocated

This can lead to

Sensitive information disclosure

Remote exploit privilege escalation

Application crash

Answer 70

A

Less memory than expected is allocated

This can lead to

Sensitive information disclosure

Remote exploit privilege escalation

Application crash

Answer 71

A

Online vs offline attacks

Answer 72

A

John the ripper

Cain and Abel

Hydra

Answer 73

A

Uses common username and password files

Tries thousands or millions of likely possibilities to login to a user account

Answer 74

A

Try every possible combination of characters

Multiple attempts should trigger an account lockout

Answer 75

A

Blast many accounts with a best guess common password before trying a new password

Slower than traditional attacks

Less likely to trigger account lockout settings

Answer 76

A

Bot - single infected device under attacker control

Botnet - collection of infected machine under control

Answer 77

A

Periodically talks to a command and control C2 attack server

We can mitigate this with IDS

Attackers might have directions stored in a DNS TXT record

Answer 78

A

Group disks together to work as one

We would do this for better performance

Provides high availability

Hardware Raid controller

Software Raid

This is slower and less reliable than software RAID

Answer 79

A

Storage out on a network

Answer 80

A

The benefit of raid 0 is better performance

Answer 81

A

Data in its entirety is written to two sperate disks

We get better performance with this

We also get higher availability because if one disk fails the other one is up to date

Answer 82

A

Better performance

Parity is stored on separate disks

If one disk fails we can use the parity info on the other disks to rebuild the disk

Answer 83

A

Requires at least 4 disks

Stores 2 parity stripes on each disk

This means raid 6 can tolerate two disk failures

Answer 84

A

This is a combination of Raid level 1 and 0

Disk mirroring then disk stripping

Requires at least 4 disks

Answer 85

A

Limit physical access to the servers or hardware

Alarms, sensors, locks

Card cloning / skimming

Use vendor diversity

Limit USB storage device use

Apply firmware updates

Use USB data blocker

Allows recharging but not data transfer

Answer 86

A

Used as basis for hardware root of trust

This check for boot integrity of the machine

UEFI secure boot

Has the boot order changed ?

Check the hash of each file to make sure it matches that of the vendor

Can encrypt and decrypt disk volumes and store keys in the TPM

Microsoft Bitlocker is an example of this

Answer 87

A

Causes

Corrupt OS file

Malware

Failing disks

Misconfiguration

Remediation

Boot from alternative media

Live boot media

Revert to known state or last known good configuration

Answer 88

A

RAID

NIC teaming

UPS

PDU

Answer 89

A

Multiple network connections to the cloud

Load balancing

Cross region storage replication

Answer 90

A

EDR

Host based firewall

NGFW

Allow lists

Answer 91

A

Alarms for detected anomalies or malware infections

Answer 92

A

Looks for suspicious activity

Analyze log files

Detect and alert on anomalies

Answer 93

A

Packet filtering firewall

Up to OSI layer 4

Deep packet inspection firewall

Up to OSI layer 7

IDS/IPS built in

Answer 94

A

What cabling do we use
- What frequency do we use with wireless
  Getting 1s and 0s from one layer to another

Answer 95

A

Preamble in an Ethernet frame warns the network card that there is an incoming frame

Answer 96

A

Allow individual systems to address ethernet frames and send them to the right spot based on MAC address
The data link layer checks out the source destination parts of the ethernet frame

Answer 97

A

MAC address’s are great for moving data on individual systems on a LAN

But when you need data to leave the LAN you use logical addressing like IP addresses

This layer inspects the destination and source IP address

Answer 98

A

The transports layer job is to assemble and disassemble packets as they come in

Answer 99

A

this is where the connections are established

Answer 100

A

used for converting data and encoding it

Answer 101

A

used to map IP addresses in a network

ARP traffic is really only local to the LAN

Answer 102

A

type of man in the middle attack
- a malicious actor has to have access to the network
- Victim traffic is sent through the attacker station
Attacker can view the victim traffic

Answer 103

A

Attacker has gained access to the network
1. Attacker sends a request saying please update your ARP cache for the IP change the mac address to my attacker machine
Victim devices update their arp cache

Answer 104

A

Use static ARP cache entries
a. This means hosts will not accept ARP cache updates
1. Limit access to the network
  a. Use MFA
  b. Use NAC network access control
  c. Limit based on device type

Answer 105

A

attacker sends traffic with forged source MAC address’s to a switch port.
Switch memory is filled, new incoming traffic is sent out to all switch ports

Answer 106

A

Excessive amounts of broadcast traffic on a network
- Caused by Failing equipment

Answer 107

A

Mac address filtering for network access
Static MAC address assignments
Disable unused switch ports

Answer 108

A

internal network should be untrusted
- Make sure employees can recognize scams
Use a network IDS/IPS for internal network

Answer 109

A

Network and data flow diagrams
○ Need to know what we have so we can deal with security incidents
- Standard naming conventions
  IP address ranges need to be mapped and consistent

Answer 110

A

Some people call this a DMZ
- Public services are in the DMZ
- Firewall rules must be configured for this to work.
  ○ Only allow HTTPS from the internet to the DMZ web server
Rules blocking traffic from the internet from getting farther into our internal network

Answer 111

A

Increases service availability
- Improves service performance
- Load balancing is multiple backend servers providing the same service
- Load balancing can also use horizontal scaling which is adding more VM’s as the load increases
- Session persistence
  ○ Clients remain connected to the same backend server
- Active / Active
  ○ All servers are up and running at the same time
  ○ Round / Robin
  ▪ Each request goes to the next backend server
  ○ Least connections
  ▪ Each request is sent to the least busy backend server
- Active/Passive
  ○ Backend server status
  ▪ Some are active some are in a standby state
  A standby server is activated when an active server fails

Answer 112

A

Limit endpoint access to a network
○ We can limit by OS type
○ We can see the device location and where the connection is coming from
○ Make sure there is a host based firewall
○ Make sure that the AV is up to date
Nac can be agent based or agentless

Answer 113

A

Port based network access control
802.1x is configured to send authentication request to a radius server

Answer 114

A

DHCP snooping can block rogue DHCP servers
○ Untrusted DHCP server responses are blocked
- DHCP snooping is enabled on network switches
  - This means we specify trusted DHCP ports

Answer 115

A

Also called jump box or bastion host
- Has a public interface for us to connect to and a private interface for connecting to internal hosts
  - Jump servers sit between server admins and target servers

Answer 116

A

A decoy system or server made to look vulnerable so we can track attacks against it
- Only deploy a honeypot on an isolated network
Implement logging so we can track the attacks

Answer 117

A

Fake files made to look attractive to hackers
Implement logging to see what actions are taken on the file

Answer 118

A

a honeynet is a network of honey pots

Answer 119

A

Hardware appliance
- VM that acts as a firewall
- Host based firewall
- Firewalls essentially allow or deny incoming / outgoing traffic
  - Firewalls use access control lists

Answer 120

A

This applies to OSI layer 4 or the transport layer
- Stateful firewall track entire sessions instead of only individual packets
- Packet filtering firewalls can be based on
  ○ Source / destination port numbers
  ○ Source / Destination IP addresses
  - MAC addresses

Answer 121

A

Runs on OSI layer 7
- Rules can be based on
  ○ The direction of the traffic incoming vs outgoing
  ○ Packet filtering firewall conditions
  ○ These firewalls can look at specific protocols

Answer 122

A

OSI layer 7
Protects against common web application attacks

Answer 123

A

OSI layer 4

Answer 124

A

OSI layer 7

Answer 125

A

common web app attacks

Answer 126

A

fetches internal content for internal users
Hides IP address of internal machines, the machines make the request to the proxy server and the server makes the request for them
user device uses the proxy as the default gateway
another benefit of a proxy is fetched content can be cached this speeds up subsequent requests

Answer 127

A

A reverse proxy is a type of proxy server. Unlike a traditional proxy server, which is used to protect clients, a reverse proxy is used to protect servers. A reverse proxy is a server that accepts a request from a client, forwards the request to another one of many other servers, and returns the results from the server that actually processed the request to the client as if the proxy server had processed the request itself. The client only communicates directly with the reverse proxy server and it does not know that some other server actually processed its request.

Answer 128

A

forward proxy fetches internal user requesting content from the internet and interal client IPs are hidden

forward proxy enables computers isolated on a private network to connect to the public internet,

Answer 129

A

Reverse proxy provides external user access to internal services and internal server IPs are hidden

Answer 130

A

This can be a hardware or software solution
○ This is normally enabled on a router
○ It can also be called PAT or NAT gateway
- Multiple internal IP’s share a single public IP
  Requests are tracked by internal IP and unique port number

Answer 131

A

pat router maintains a table in its memory

Answer 132

A

OSI layer 4

Answer 133

A

OSI layer 7

Answer 134

A

pat enables multiple internal clients to gain internet access using a single public IP

Answer 135

A

NAT maps public IP’s to private IPS to allow external clients access to servers

Answer 136

A

suite of network security protocols
IPSEC has to do with network traffic encryption and authentication
IPSEC can be configured to secure some network traffic or all network traffic

Answer 137

A

Normally used for site to site VPN’s
- With IPSEC tunnel mode the entire original packet is encrypted and placed inside a new IP packet
  A new IP header is added when the packet is encapsulated

Answer 138

A

Normally used for host to host encryption on a LAN or WAN
- In transport mode the original packet header doesn’t get changed like it does in tunnel mode, there is also no packet encapsulation
  With transport mode we protect traffic by encrypting it

Answer 139

A

This provides us with integrity and origin authentication
- This is done with hashing algorithms
  The entire IP packet is authenticated with this mode

Answer 140

A

With this mode we get integrity and origin authentication
- We also gain confidentiality through encryption with this mode
  Only the packet payload or data within the packet is encrypted

Answer 141

A

Layer 2 tunneling protocol L2TP
○ Normally uses IPsec to provide encryption
- TLS
  ○ Firewall friendly vpn solution because it uses 443
  -With this you access resources through a web browser

Answer 142

A

Individual client devices that makes a secure connection to a remote network
○ Working from home
○ Traveling
- Client device requires a VPN software to establish the connection

Answer 143

A

Always on VPN
○ VPN tunnel is established if device is internet connected
○ This helps with deploying updates
- Split tunnel
  ○ Requests for remote network resources go through the VPN
  - Other requests use client internet connection

Answer 144

A

Securely link sites together over the internet
- For this to work each site needs a VPN device
  - VPN tunnel is established between the two VPN devices

Answer 145

A

Watches for suspicious activity
- Detect
  ○ Writes anomalous activity to a log
  ○ Sends an alert
- Prevent
  ○ Block suspicious activity
- Must detect anomalies in the context of the individual network
  ○ What is strange on my network might not be strange on your network
  ○ We will need to tweak this tool to our specific environment
  ○ We do this to try to reduce the amount of false positives
- IDS is often enable directly on routers
- The network placement is crucial with these devices ‘
- It can be hard for these devices to detect anomalies with encryption
- Signature based
  - Looking for known patterns of attacker traffic

Answer 146

A

Also called a secure web gateway
- Includes things like
  ○ Firewalls
  ○ Proxy servers
  ○ IDS/IPS
  ○ WAF
  ○ Virus scanning
  ○ Spam filtering
  Data loss prevention

Answer 147

A

Botnets are used
- Usually flooding networks or apps
- Mitigation
  ○ Throttling
  ○ Blackhole routing - Routing the traffic to nowhere

Answer 148

A

This attack can stem from user typos that result in redirection to similar URL
○ Also called typo squatting
- Tainted search results redirect to a malicious site
  - DNS poisoning

Answer 149

A

attackers can take over the sessions
1. attackers can do this with stealing cookies
2. form a url and trick the user to click it

Mitigation
1. Set HTTPOnly flag
2. disallow javascript cookie access

Answer 150

A

take advantage of knowing user password hashes and passing them around the network
attacker compromises systems with user login session
attackers use the hash to gain access to other resources on the network

Answer 151

A

app components are managed as a single unit

virtual machines contain an entire operating system, application containers do not all they contain is the files to run the app

Answer 152

A

facilitates network management from a gui or the command line
this simplifies and hides the underlying network configuration complexities
- Vnets
  - Subnets
- VPN’s

Answer 153

A

operating system that manages virtual machine guests
on premise hypervisor - we have full control over this
Cloud hypervisors can also be deployed

Answer 154

A

a type one hypervisor is also called a bare metal hypervisor
in this instance the hypervisor is the OS, ESXI is an example of this

Answer 155

A

this hypervisor runs as an app within the OS
vmware workstation is an example of a type 2 hypervisor

Answer 156

A

you harden virtual machines the same way you would harden a host

you still have to install patches

disable un-used accounts / services

Answer 157

A

un-used forgotten VM’s

Answer 158

A

all this really means is we are running IT services on somebody else’s equipment over a network

Answer 159

A

this is when an on-premise server caches files stored in the cloud, the benefit here is local users have access to that content, this is going to be quicker than accessing it over the internet where it is stored in the cloud.

Answer 160

A

accessing the cloud over a network from any type of device

Answer 161

A

spinning up resources yourself

Answer 162

A

grow our cloud resources quickly

Answer 163

A

usage of cloud resources is tracked

Answer 164

A

AWS, Azure are examples of this

Anybody can sign up for an account

cloud tenant isolation - isolated environments in the cloud

Answer 165

A

cloud is owned and used by a single org

requires an upfront capital investment

organization assumes full hardware / software responsibility

Answer 166

A

combines public and private cloud
public clouds can be used for redundancy and disaster recovery

Answer 167

A

cloud computing for organizations / agencies with similar cloud computing needs

Example is the government cloud in AZURE

Answer 168

A

Infrastructure as a service IAAS
- Platform as a service PaaS
  - Software as a service SaaS

Answer 169

A

this can be a variety of services such as storage, network devices

Do not expose to the internet when possible

in this model the cloud service provider is responsible for the underlying infrastructure

the cloud tenant is responsible for
- deploying VM’s
- deploying storage
- hardening the system

Answer 170

A

these are usually databases, software developer tools.

in this model the underlying VM’s are managed by the provider

Answer 171

A

this is usually productivity software

the cloud service provider is responsible for the hardware, VMs and the software installation and patching

Answer 172

A

everything related to the hardware in there data centers
- power
- HVAC
- hardware configuration
- firmware updates

Responsible for the security of software in the Paas and Saas models

Answer 173

A

CASB cloud security broker
Next generation secure web gateway
firewall solutions
Policies

Answer 174

A

this enforces security policies when accessing cloud security resources
this is normally done via proxying

Answer 175

A

CASB functionality plus additional security features such as:
- web content filtering
- Data loss prevention

Answer 176

A

Adding your own information into a data stream
- This is often enabled because of bad programming within an application
  ○ The application should properly handle input and output
- There are many different types of injection attacks including:
  HTML, SQL, XML, LDAP, etc

Answer 177

A

SQL stands for structured query language
- SQL injection allows modifying SQL requests
  Your application really shouldn’t allow this

Answer 178

A

XML stands for extensible markup language
○ XML is a set of rules for data transfer and storage
XML injection attacks you modify the XML requests – a good application will validate these requests

Answer 179

A

LDAP was created by the telephone companies and now used by almost everyone
LDAP is used to store information about authentication

Answer 180

A

Dynamic link library
○ A windows library containing code and data
○ Many applications can use this library
Inject a DLL and have an application run a program

Answer 181

A

a buffer overflow attack occurs when one section of memory is able to overwrite a different section of memory

Answer 182

A

Developers need to perform bounds checking to make sure no one is able to overwrite certain sections of memory

Answer 183

A

Useful information is transmitted over the network, a crafty attacker will take advantage of this
- An attacker will need raw access to the raw network data
  ○ They can achieve this with a network tap, ARP poisoning, or malware on the victim computer
- The gathered information may be replayed across the network to appear as someone else
  Session ID’s or credentials are what attackers are usually after with replay attacks

Answer 184

A

This is a common replay attack
- Attacker captures the hash and replay’s it through the network and this can allow them to gain access to resources
- Mitigation
  ○ Avoid this type of replay attack with salt or encryption

Answer 185

A

Cookies can provide useful information for attackers trying to do replay attacks
- Cookies are used for tracking, personalization, and session management
  ○ These can be a security risk if someone gains access to them
  Session ID’s are often stored in cookies

Answer 186

A

Attacker gains access to the session ID
- First the attacker needs to get the information
  ○ They can do this with a tool like wireshark
  Then they need to modify the headers

Answer 187

A

Encrypt end to end
- They cant capture your session ID if they cant see it
  Use HTTPS

Answer 188

A

DNS
○ TCP/UDP port 53
- DNS can be susceptible to domain hijacking
- DNS can fall victim to URL redirection attacks
  Cache poisoning is when an attacker poisons a DNS cache

Answer 189

A

is the secure version of DNS because all zones use forests

Answer 190

A

UDP port 161/162
- SNMP version 1 was all unencrypted
- Version 2 and 3 is encrypted
  Version 3 is the most secure

Answer 191

A

this runs through an SSL tunnel on TCP port 990

Answer 192

A

SFTP is SSH FTP – runs through SSH on TCP port 22

Answer 193

A

secure real time transport protocol – for encrypting VOIP calls UDP port 5004

Answer 194

A

Hide true Web Server IP address
○ Load balancer can achieve this because they are connecting to the load balancer IP
○ Reverse proxies can also do this
○ NAT will hide the IP address as well
- Run HTTPS
  ○ This is enabled on the web server
  ○ Requires a server PKI certificate
  ○ HTTPS is port 443
  ○ TLS – network security protocol
  ○ TLS works together with PKI
  Need to use TLS version 1.2 or higher

Answer 195

A

○ Directory service access protocol
○ Supported by Microsoft active directory
○ Requires a server PKI certificate
LDAPS uses TCP port 636

Answer 196

A

SMTP is used to send mail

Answer 197

A

This attack targets users and unchanging session tokens

This attack is designed to hijack authenticated sessions between a client and a server

Answer 198

A

This happens on the server side as opposed to the CSRF which happens on the client side

This attack targets web servers, hoping to compromise the webserver

Designed to have server make HTTP requests to other services

Answer 199

A

User authenticates to legitimate banking website

While logged into banking web site, user is tricked into visiting a fake site

User unknowingly sends malicious requests/instructions to the legitimate banking web site using existing authenticated session

Answer 200

A

Harden client devices

Use web application firewall or WAF

Answer 201

A

Request forgeries involve hijacking existing sessions to run malicious user commands

Answer 202

A

Cross site request forgeries CSRFs attack victims that already have authenticated sessions

Answer 203

A

Server side request forgeries SSRFs attack server sessions to other hosts such as backend databases

Answer 204

A

Cross site scripting attacks start with a web app that doesn’t properly validate or sanitize input

All user input must be untrusted

Attacker injects malicious code into a vulnerable web site

Javascript is commonly used in xss attacks

Web site visitors unknowingly execute malicious code

Answer 205

A

In an XSS attack, attackers inject malicious code into a web app, then victims visit the web app and malicious code executed on their device in the web browser

Answer 206

A

Malicious user input is accepted by the web app

Types

SQL injection

LDAP injection

XML injection

Mitigation - Sanitize user input

Answer 207

A

Developers need to adhere to software development security best practices

Input validation

Secure web browsing cookies

HTTP headers

Code signing

Answer 208

A

Planning

Defining

Designing

Building

Testing

Deployment

Answer 209

A

Automate developer code changes

Test for quality assurance

Send update notifications to users for code version control

Security issues

Attackers could make changes and inject them into the update

Answer 210

A

VM templates

Able to deploy a vm from a baseline

Cloud templates

Deploy rapidly from the cloud

These methods allow for rapid and consistent provisioning/deprovisioning

Answer 211

A

Static testing

Often called code review

Manually scanning code

Dynamic testing

Observe runtime behavior

One way to do this is with fuzzing

Fuzzing is throwing unexpected data at an application

Answer 212

A

Secure multipurpose internet mail extensions S/MIME

Answer 213

A

a vulnerability without a patch
never seen this vulnerability before, its brand new.

Answer 214

A

Very easy to leave a door open
This is becoming more common with cloud storage

Answer 215

A

Can be misconfigured, or the password is weak
- You can disable the admin or root account as a security best proactive
  - Its best to protect root or admin accounts

Answer 216

A

Error messages can provide useful information to an attacker

Answer 217

A

Use strong encryption protocols such as AES or 3DES
- Make sure the hashes don’t have any vulnerabilities
  - Some cipher suites are easier to break than other

Answer 218

A

Some protocols aren’t encrypted these are
○ Telnet
○ FTP
○ SMTP
- IMAP

Answer 219

A

every application and network devices has a default login, they need to be changed

Answer 220

A

Services will open ports its important to manage access
- Often managed with a firewall
  ○ Manage traffic flows
  - Allow or deny based on port number or application

Answer 221

A

Often centrally managed
○ The update server determines when you patch
○ Test all your apps then deploy
○ Efficiently manage bandwidth
- Many different types of patches
  ○ Firmware associated with the BIOS of the device
  ○ Operating system patches
  Application provided by the manufacturer

Answer 222

A

Data loss
identity theft
reputation impacts
availability loss

Answer 223

A

Threat hunting is a constant game of cat and mouse the goal is to find the attacker before they find you.

Answer 224

A

The data comes from logs and sensors, network information, internet events and intrusion detection
- Then we can add data from external sources
  Threat feeds, government alerts, advisories, bulletins, and social media

Answer 225

A

Port scans
○ Poke around and see what’s open
- Identify all the devices on the network
  It’s important to test from the outside and the inside

Answer 226

A

Non-intrusive scans or passive scans
○ Gather information, don’t try to exploit a vulnerability
- Intrusive scans
  ○ You will try out the vulnerability and see if it works
- Non credentialed scan
  ○ The scanner cant login to the remote devices
- Credentialed scan
  - You are a normal user, this emulates an inside attack

Answer 227

A

False positives – a vulnerability is identified that doesn’t really exist

Answer 228

A

Indicating you don’t have a vulnerability when you really do

Answer 229

A

Collects logs of security alerts
- Usually includes advanced reporting features
- Data correlation
  - Link diverse data types

Answer 230

A

With good documentation of our systems its easier to rebuild those systems if a disaster occurs

Answer 231

A

Network diagrams
○ Documents the physical wire and device
- Physical data center layout
  Can include physical rack locations

Answer 232

A

The security of an application environment should be well defined
- All application instances must follow this baseline
- The baseline configuration should include firewall settings, patch levels, os file versions
  These will probably require constant updates

Answer 233

A

An ip address plan or model
○ Consistent addressing for network devices
○ Helps avoid duplicate IP addressing
Might assign different IP ranges to different locations

Answer 234

A

Use encryption
- Security policies
- Data permissions
  - Who has access to what

Answer 235

A

Data that resides in a country is subject to the laws of that country
- GDPR general data protection regulation
  Data collected on EU citizens must be stored in the EU

Answer 236

A

This means hiding some of the original data
- Protects PII
  Many different techniques for masking, encrypting, shuffling substitution

Answer 237

A

The original information is called plaintext the encrypted form of that data is called cypher text

Answer 238

A

If you change one character in the plaintext then the resulting cipher text is going to be dramatically different

Answer 239

A

Encrypt the data
- Whole disk encryption
- Database encryption
- Apply access control lists
  Only authorized users can access the data

Answer 240

A

Data transmitted over the network
- Also called data in motion
- Usually we protect this data with a firewall or IPS
- We can also provide transport layer security
  ○ Using TLS
  - Using Ipsec

Answer 241

A

Data is actively processing in memory
○ System RAM, CPU registers and cache
- This data is almost always decrypted, otherwise you couldn’t do anything with it
This data is useful for attackers because they can pick the decrypted information out of RAM

Answer 242

A

Replace sensitive data with a non sensitive placeholder
- This practice is common with credit card processing

Answer 243

A

Control how data is used
- This is common in Microsoft documents especially email messages and PDF’s
- Restrict data access to unauthorized persons
  ○ Prevent copy and paste
  ○ Control screenshots
  ○ Manage printing
  - Restrict editing

Answer 244

A

Prevent loss of data from company systems

- Endpoint DLP resides on the endpoint 
- DLP technologies on the network that are inspecting packets 
   -  DLP systems on the servers

Answer 245

A

DLP systems can block USB drives

Answer 246

A

These are located between the users and the internet
- Block custom defined data strings
- Manage access to URL’s
  - Prevent file transfers to cloud storage

Answer 247

A

Smart to have DLP on your email so data is not sent out
- Inbound
  ○ Block keywords, identify imposters, quarantine email messages
- Outbound
  - Fake wire transfers, W-2 Transmissions, employee information

Answer 248

A

when recovery systems are hosted in a different location outside the scope of the disaster

Answer 249

A

the incident response plan should already be established in the event of a disaster

	○ Documentation is critical with IR
	○ The goal is to identify the attack and then contain the attack  After we have identified an attack we want to limit data exfiltration and limit access to sensitive data

Answer 250

A

Commonly used to examine outgoing SSL/TLS traffic
- This can make a defenders job harder because information on the network is encrypted so its harder to see what is going out and what is going in
- With SSL inspection we are able to put ourselves in the middle of the conversation and inspect the traffic while maintaining trust on the client side and the server side
- To inspect this traffic we usually use a firewall to decrypt the data

Answer 251

A

Your browser contains a list of trusted CA’s
- Your browser doesn’t trust a website unless a CA has signed the web servers encryption certificate
Before giving a CA to a site it makes sure the site is legitimate

Answer 252

A

Represents the data as a short string of text
- One way trip impossible to recover the original message from the digest
- Hashing is used to store password and achieve confidentiality
  - You can use hashing to verify a downloaded document is the same as the original

Answer 253

A

API’s are used to control software or hardware programmatically
- On path attacks can target API’s and replay API commands
- API injection
  Inject data into an API message

Answer 254

A

Authentication is an important part of API security
○ We want to limit API access to legitimate users
○ Only use API’s over secure protocols
- Authorization is another important part of API security
  ○ API should not allow extended access
  ○ Each user should have a limited role in what they can do
  A read only user should not be able to make changes

Answer 255

A

Traffic light controllers
- Digital watches
  - Medical imaging systems

Answer 256

A

Often embedded systems are running on a Soc or system on a chip

Answer 257

A

Difficult to upgrade hardware
- Limited off the shelf security option

Answer 258

A

This is an integrated circuit that can be configured after manufacturing
- With these devices a problem doesn’t require a hardware replacement
- These devices are common in infrastructure devices
  ○ Firewalls
  ○ Switches
  - routers

Answer 259

A

With SCADA systems the PC manages equipment
○ Power Generation, refining, manufacturing equipment
○ Common to find this in different facilities
▪ Industrial
▪ Energy
- Logistics

Answer 260

A

Sensors are IOT devices
○ Heating and cooling, lighting
- Smart devices
  ○ Home automation, video doorbells
- Wearable technology
  ○ Temperature, air quality, lighting
  - IOT devices usually have weak defaults

Answer 261

A

Medical devices
- Vehicles commonly have embedded systems in them
  - Embedded systems are also common on aircraft

Answer 262

A

Voip is also an embedded system
- Each VOIP device is a standalone computer

Answer 263

A

Significant performance improvements
- Operates at higher frequencies
- 5G has a dramatic impact on IOT devices
  ○ We can do larger data transfers
  ○ Faster monitoring and notifications
  - Additional cloud processing

Answer 264

A

To connect to cellular networks you need a SIM card
- IOT devices will need a sim card to use cellular technology
- The sim card contains a lot of details
  ○ Authentication information
  - Contact information

Answer 265

A

If an ITO device is not using cellular technologies its probably using narrow band
- Narrowband allows many IOT devices to communicate over longer distances
- You might find narrowband in
  ○ SCADA equipment
  - Sensors in oil fields

Answer 266

A

May not have access to a main power source
- Batteries may need to be replaced and maintained
- Low power CPU’s and are limited in speed
- May not have the option for a wired link
- Wireless is a limiting factor
- Limited cryptography features
- Inability to patch or very hard to patch
  - No authentication or very limited

Answer 267

A

SRTP secure real time transport protocol
- SRTP adds security features to RTP and keeps conversations private
- The encryption used for SRTP is AES
- Additional security features od SRTP
  ○ Authentication
  ○ Integrity
  ○ replay protection
  ○ These additional features ^ are accomplished using HMAC-SHA1 which is hashed based message and authentication code

Answer 268

A

Classic NTP has no security features
- NTPsec
  ○ Secure network time protocol
  - Cleaned up the code base

Answer 269

A

S/MIME
○ Secure multipurpose internet mail extensions
○ Features public key encryption and digital signing of mail content
○ Requires a PKI or similar organization of keys
- Secure POP and secure IMAP
  ○ Uses a starttls extension to encrypt POP3 with ssl or use imap with SSL
  SSL/TLS

Answer 270

A

SSL/TLS secure sockets layer / transport layer security
- SSL is older TLS is newer if someone says SSL they are actually referring to TLS
- HTTPS over TLS
  ○ HTTPS uses public key encryption
  ○ Private key on the server
  - Symmetric session key is transferred using asymmetric encryption

Answer 271

A

This is security for OSI layer 3
- IPSEC provides authentication and encryption for every packet
- IPSEC includes packet signing for integrity and anti-replay features
- One of the benefits of IPSEC is it is very standardized its common to use multi vendor implementations
- The two core Ipsec protocols
  ○ Authentication header AH
  Encapsulation security payload ESP

Answer 272

A

FTPS - file transfer protocol secure / FTP over SSL FTP-SSL
○ This is not to be confused with SFTP
- SFTP is the SSH file transfer protocol
  ○ Provides file system functionality
  FTP uses SSL to provide the encryption SFTP uses SSH to provide the encryption

Answer 273

A

Protocol for reading and writing directories over an IP network
○ An organized set of records, like a phone directory
- Commonly used in Microsoft AD

Answer 274

A

a nonstandard implementation of LDAP over SSL

Answer 275

A

a nonstandard implementation of LDAP over SSL

Answer 276

A

SSH
○ Encrypted terminal communication
○ Replaces telnet
- Provides secure terminal communication and file transfer features

Answer 277

A

Originally created without security in mind
-Very easy to perform DNS poisoning attacks on the original DNS

Answer 278

A

○ Domain name system security extensions
○ DNSSEC lets us validate the information we are getting from a DNS server using:
▪ Origin authentication
▪ Data integrity
○ DNSSEC also uses public key cryptography
▪ DNS records are signed with a trusted third party
Signed DNS records are published in DNS

Answer 279

A

If you are querying your routers and switches then you will use the SNMP protocol
- SNMP v3 is the most secure and offers the following features
  ○ Confidentiality – encrypted data
  ○ Integrity – no tampering of the data
  - Authentication – verifies the source

Answer 280

A

Dhcp does not include any built in security
- Within active directory you can avoid rogue DHCP servers because DHCP servers must be authorized
  CISCO uses something called DHCP snooping which blocks DHCP requests not coming from trusted interfaces

Answer 281

A

Some of the security concerns with cell networks
○ Traffic monitoring
- Location tracking

Answer 282

A

encrypt your data so it cant be captured
we need to be concerned about on path attacks with WIFI

Answer 283

A

Access badges
- Inventory / assembly line tracking
- Pet / animal identification
  - Anything that needs to be tracked

Answer 284

A

Two way wireless communication
- Builds on RFID
- Payment systems use this
  ○ Google Wallet
  ○ Apple Pay
NFC helps with Bluetooth pairing

Answer 285

A

Remote capture
- Frequency jamming
  - Relay / replay attacks

Answer 286

A

Mobile device management

* Manage company owned and user owned mobile devices 
* MDM gives us centralized management of the mobile devices 
    - Set policies on apps, data, camera, etc

Answer 287

A

Managing mobile apps are a challenge
- Not all applications are secure
  ○ Some are malicious
  ○ Android malware is a rapidly growing security concern
- A good way to manage application use is through allow lists
  ○ Only approved applications can be installed

Answer 288

A

Secure access to data
- Protect data from outsiders

Answer 289

A

Remove all the data from your mobile device
- Often managed from MDM

Answer 290

A

Combines different characteristics to create a profile on who might be trying to authenticate
- Combine multiple contexts
  ○ Where your normally login - IP address
Where you normally frequent - GPS information

Answer 291

A

HSM stands for hardware security module
- Provides security services
  ○ Encryption
  ○ Key generation
  ○ Digital signatures
  ○ Authentication
- We can also store information securely in HSM’s
  ○ Protect private keys
  ○ Crypto storage

Answer 292

A

UEM is used to manage mobile and non-mobile devices
- UEM is an evolution of the mobile device manager

Answer 293

A

Provision, update, and remove apps
- Keeps everyone running at the correct version
- We can use this to create an enterprise app catalog
  - Users can choose and install the apps they need

Answer 294

A

Isolated locations within a cloud region
- AZ’s commonly span across multiple regions
  - Each AZ has independent power, HVAC and Networking

Answer 295

A

Build an application to be active in one AZ and be on standby in another AZ
- The application will then be able to recognize an outage and move to another AZ
  - Use load balancers to provide seamless High Availability

Answer 296

A

Identity and Access Management
○ Who gets access
○ What do they get access to
- IAM allows us to create different groups and map job functions to those roles
  ○ We can combine users into groups
- We can also use IAM to provide access to cloud resources
  ○ Set granular policies
  Group, IP address, date and time

Answer 297

A

Cloud computing includes many secrets
○ API Keys, Passwords, Certificates
- The amount of secret keys can easily become overwhelming
  ○ Its difficult to manage and protect all these
- Provide an audit trail
  Know exactly who accesses secrets and when

Answer 298

A

A significant cloud storage concern
- One permission mistake can cause a breach
- Many different options for managing cloud storage access
  ○ Identity and access management
  ○ Bucket policies
  ○ Globally blocking public access
  Don’t put data into the cloud unless it really needs to be there

Answer 299

A

Cloud data is more accessible than non-cloud data
- Server side encryption
  ○ Encrypt the data in the cloud
  ○ Data is encrypted when stored on disk
- Client side encryption
  ○ Data is already encrypted when its sent to the cloud
  ○ This is performed by the application
  Encrypting the data locally then sending it to the cloud

Answer 300

A

Copy data from one place to another
○ Real time data duplication in multiple locations
- Replication is common for disaster recovery and high availability
  ○ Plan for problems
  ○ Maintain uptime if an outage occurs
  ○ Hot site for disaster recovery
  Having a backup is a good reason to use replication

Answer 301

A

Users communicate to the cloud in two primary ways
○ From the public internet
Over a VPN tunnel

Answer 302

A

Virtual switches, virtual routers
○ Build the network from the cloud console
You can use the same configurations as a physical device

Answer 303

A

○ All internal IP addresses
○ Connect to the private cloud over a VPN
No access from the internet

Answer 304

A

○ External IP addresses
Connect to the cloud from anywhere

Answer 305

A

○ Combine internal cloud resources with external
○ May combine both public and private subnets

Answer 306

A

Some cloud may have segmentation separate VPC’s, containers, and microservices
○ Application segmentation is almost guaranteed
- Virtualized security technologies
  ○ Web application firewall WAF
  Next generation firewall NGFW

Answer 307

A

Provision resources when they are needed
○ Based on demand
- Scale up and down
  ○ Allocate compute resources where and when they are needed
  ○ This is called rapid elasticity
  Pay for only what’s used

Answer 308

A

VPC gateway endpoints
○ Allow private cloud subnets to communicate to other cloud services
- VPC endpoints allow us to keep private resources private
  Internet connectivity is not required

Answer 309

A

A CASB will help us enforce the security policies in the cloud
This can be implemented as client software, or a local security appliance, or cloud based security solutions

Answer 310

A

○ Visibility
▪ Determine what apps are in use?
▪ Determine what users are authorized to use those applications
○ Compliance
▪ Are users complying with HIPPA ? PCI ?
○ Threat prevention
▪ Allow access by authorized users prevent access from everyone else
○ Data Security
▪ Ensure that all data transfers are encrypted
Protect the transfer of PII with DLP

Answer 311

A

Secure cloud based applications
○ Complexity increases in the cloud
- Application misconfigurations
  ○ One of the most common security issues
  ○ Especially cloud storage
- API security
  Attackers will try to exploit interfaces and API’s

Answer 312

A

Used to protect users and devices
○ Regardless of location and activity
- SWG’s go beyond URLS and GET requests
  ○ Examine the applications and API
- Also able to examine JSON strings and API requests
  Allows or disallows certain activities

Answer 313

A

a service that can vouch for who a person happens to be
- Think of this as authentication as a services
  -Commonly used by SSO applications or any authentication process

Answer 314

A

To be able to understand an identity we have to gather attributes
- Personal attributes
  ○ Name, email address, phone number, employee ID
- Other attributes
  Department name, job title

Answer 315

A

Digital certificate
○ Assigned to a person or device
- Binds the identity of the certificate owner to a public and private key
  - Encrypt data create digital signatures

Answer 316

A

With SSH you can use a key instead of a username and password
○ Public/Private keys
○ Critical for automation
- Key management is critical
- The command for creating a public private key pair on Linux is
  - Ssh-keygen

Answer 317

A

Shared account
○ Used by more than one person
○ Guest logins or anonymous logins
- With these accounts it is very difficult to create an audit trail
  ○ No way to know exactly who was working
  ○ Difficult to determine the proper privileges
- Password management becomes difficult
  ○ Password change requires notifying everyone
  -Difficult to remember so many password changes

Answer 318

A

Access to a computer for guests
○ No access to change settings, modify applications, view other users files and more
○ Usually no password on a guest account
- Guest accounts bring significant security challenges
  ○ Access to the user space is one step closer to an exploit
Must be controlled

Answer 319

A

Used exclusively by services running on a computer
○ No interactive / user access
- Access can be defined for a specific service
  ○ Web server rights and permissions will be different than a database server
- Service accounts commonly use usernames and passwords
  You will need to determine the best policy for password updates

Answer 320

A

Elevated access to one or more systems
○ Administrator, Root
- Privileged accounts have full access to the OS
- This account should not be used for normal administration
  ○ User accounts should be used
- Needs to be highly secured
  - Strong passwords

Answer 321

A

Control access to an account
- The authentication process
  ○ Password policies
  ○ Authentication factor policies
  Permissions after the login

Answer 322

A

Permission auditing
○ Does everyone have the correct permissions ?
- Usage auditing
  ○ How are resources used ?
  Are your systems and applications secure

Answer 323

A

Make your password strong
- Increase password entropy
  ○ Entropy is a way to measure just how unpredictable a password might be
  ○ No single words, no obvious passwords
  ○ Mix uppercase and lowercase with special characters
  Stronger passwords are at least 8 characters

Answer 324

A

Hardware based authentication
○ This is under the category of something you have
Helps prevent un-authorized logins and account takeovers even if they have your account password because they don’t have your hardware key

Answer 325

A

Password managers
○ All passwords in one location
○ A database of credentials
- Secure storage
  ○ All credentials are encrypted
  ○ Cloud based synchronization options
- Create unique passwords
  Passwords are not the same across sites

Answer 326

A

Hardware to help us with encryption
- TPM provides us with a cryptographic processor
  ○ Which is random number generators and key generators
  You can also securely store keys on a TPM module

Answer 327

A

Hardware security module – if you are managing a large number of servers that are using encryption then you need some way to centralize the management of all these different keys, one way to that is with a HSM
- HSM is usually a server that has specialized hardware inside that allows it to perform cryptographic functions quickly.
  HSM can be used for centralized storage of all our encryption and decryption keys

Answer 328

A

Using personal knowledge as an authentication factor
○ Something you know
- Static KBA
  ○ Pre configured shared secrets
  ○ This is often used with account recovery
  ○ Example: what was the make and model of your first car ?
- Dynamic KBA
  Questions are based on an identity verification service or pulled from public records

Answer 329

A

A basic authentication method
○ Used in legacy operating systems
○ Rare to see singularly used
- PAP is in the clear
  ○ Weak authentication scheme
  ○ Non – encrypted password exchange
  It would fall on the application to provide the encryption

Answer 330

A

Encrypted challenge sent over the network
- CHAP uses a three way handshake
  ○ After a link is established, the server sends a challenge message
  ○ Client responds with a password hash calculated from the challenge and the password
  ○ Server compares received hash with stored
- Challenge response
  ○ Not just at the beginning occurs periodically during the connection
  User never knows it happens

Answer 331

A

Microsoft’s implementation of CHAP
○ Used commonly on Microsoft’s PPTP or point-to-point tunneling protocol
○ MS-CHAP vs is the most recent version
Relatively easy to brute force because it uses DES, Don’t use MS-CHAP

Answer 332

A

Radius – remote authentication dial in user service
* One of the more common AAA protocols
* Supported on a wide variety of platforms and devices

Centralized authentication for users
* Routers, switches, firewalls
* Server authentication
* Remote VPN access
802.1x network access

Answer 333

A

terminal access controller access control system
Remote authentication protocol

Answer 334

A

TACACS+ the latest version of TACACS, not backwards compatible
More authentication requests and response codes

Answer 335

A

Kerberos is able to use single sign on
- We can authenticate one time and at that point are trusted by the system
- We can access different network resources all day without having to enter in our username or password
  Kerberos provides mutual authentication so the server is also authenticating to you

Answer 336

A

When you authenticate to a ticket granting service which would be your centralized authentication server. That ticket granting service gives you a service ticket. And then instead of having to put in a username and password every time you access a different resource you simply have to show the service ticket that device recognizes that you were properly authenticated by the ticket granting service.

Answer 337

A

Port based Network access control NAC
- You don’t get access to the network until you authenticate
- EAP integrates with 802.1x
  ○ EAP is the extensible authentication protocol
  802.1x prevents access to the network until the authentication succeeds

Answer 338

A

Allows us to use credentials that someone uses for a completely different services
- Third parties can establish a federated network
  ○ Authenticate and authorize between the two organizations
  ○ Aka login with your Facebook credentials
  ○ Login with your google credentials

Answer 339

A

Open standard for authentication and authorization
- You can authenticate through a third party to gain access
- Not originally designed for mobile apps
  This has been SAML’s largest roadblock

Answer 340

A

User accesses application URL
1. Sends signed / encrypted SAML request, redirects user to authorization server
2. User logs in
3. Authentication successful SAML token generated
  User presents SAML token

Answer 341

A

Authorization framework
○ Determines what resources a user will be able to access
OAuth is a framework that allows us to control what types of resources a third party application may be able to access

Answer 342

A

OAuth is usually used in conjunction with OpenID connect, so Open ID connect is providing all the authentication functionality, and then OAuth is determining what types of data is accessible by that third party app once the authentication is complete

Answer 343

A

Authorization
○ The process of ensuring only authorized rights are exercised
○ Usually we enforce access control with policy enforcement
Users receive rights based on access control models

Answer 344

A

The operating system limits the operation of an object
- Every object gets a label
  Confidential, secret, top secret

Answer 345

A

Used in most operating systems
- You create a spreadsheet, as the owner you control who has access, you can modify access at any time
- Very flexible access control
  However this is pretty weak security

Answer 346

A

You have a role in your organization
Manager, director, team lead, project manager

Answer 347

A

Determine the route a packet takes to a destination
- Tracert for windows
- Traceroute for Linux
  - Takes advantage of ICMP time to live exceeded error message

Answer 348

A

Lookup information from DNS servers
○ Canonical names, IP addresses, cache timers
- Dig domain information groper
  - More advanced domain information

Answer 349

A

Most of your troubleshooting starts with your IP address
○ Ping your local router or gateway
- Determine TCP/IP and network adapter information
- Ipconfig – windows
  Ifconfig – linux

Answer 350

A

Test reachability
- Determine round trip time
  Uses ICMP

Answer 351

A

Combines ping and traceroute
- First phase runs a traceroute
- Second phase
  Measures round trip time and packet loss at each hop

Answer 352

A

Network statistics
○ Used on many different OS’s
- Show all active connections
  ○ Netstat –a
- Show binaries (windows)
  ○ Netstat –b
- Do not resolve names
  - Netstat -n

Answer 353

A

Determine a MAC address based on an IP address
○ You need the hardware address to communicate
- To view your local ARP table
  Use the arp -a command

Answer 354

A

The route command is used to view the devices routing table
○ Find out which way the packets will go
- Windows
  ○ Route print
- Linux and Mac OS
  - Netstat -r

Answer 355

A

Client URL
○ Retrieve data using a URL
Used for enumerating and viewing the source code of webpages

Answer 356

A

Search a network for IP address
- Locate active devices
- IP scanners use many different techniques
  ○ ARP (if on the local subnet)
  ○ ICMP requests (ping)
  ○ TCP ACK
  ICMP timestamp requests

Answer 357

A

TCP/IP packet assembler and analyzer
- Ping command to the next level
  Hping allows you to modify almost everything about the packet

Answer 358

A

Incident response team
- The IR team might include
  ○ IT security management
  ○ Compliance officers
  - Technical staff

Answer 359

A

This is a document made to help you handle security incidents
- This document outlines the entire lifestyle of a security incident
  ○ Preparation
  ○ Detection and analysis
  ○ Containment, Eradication, and recovery
  Post incident activity

Answer 360

A

Communication methods
○ Phones and contact information
- Incident handling, hardware and software
  ○ Laptops, removable media, forensic software, digital cameras etc
- Incident analysis resources
  ○ Documentation, network diagrams, baselines, critical hash values
- Incident migration software
  ○ Clean OS and application images
- Policies needed for incident handling
  Everyone knows what to do

Answer 361

A

These let us know if an attack is underway
- Alerts coming from anti-malware and anti-virus software
- Host based monitors detects a configuration change
  Constantly monitors system files

Answer 362

A

Generally a bad idea to let malicious threats run their course
○ An incident can spread quickly
- Sandboxes
  ○ An isolated operating system
  ○ Run Malware and analyze the results
  - Clean out the sandbox when done

Answer 363

A

Eradicate the bug
○ Remove malware
○ Disable breached user accounts
○ Fix vulnerabilities
- Recover the system
  ○ Restore from backups
  ○ Rebuild from scratch
  ○ Replace compromised files
  - Tighten down the perimeter

Answer 364

A

Learn and improve
○ No system is perfect
- Post incident meeting
  - Invite everyone affected by the incident

Answer 365

A

Performing a full scale disaster drill can be costly and time consuming
Instead of actually going through the drill you just talk about what would be done

Answer 366

A

This is a step beyond a tabletop exercise
- With a walkthrough we are going to test processes and procedures before an event
  ○ Walk through each step
  ○ Involve all groups
  - Reference actual response materials

Answer 367

A

Test with a simulated attack
○ Phishing attack
○ Password requests
○ Data breaches
- Phishing simulations are common

Answer 368

A

If a disaster happens IT should be ready
○ Part of business continuity planning
○ Keep the organization up and running
- There are many different types of disasters that could happen
  ○ Natural disasters
  ○ Technology or system failures
  ○ Human created disasters
- Comprehensive plan
  ○ Recovery location
  ○ Data recovery method
  - Application restoration

Answer 369

A

Something we would put together well before a disaster occurring, so that we know what to do if we don’t have our normal systems in place.
- There needs to be some type of alternative to our technology In case it goes down
  ○ Manual transactions
  ○ Paper receipts
  - Phone calls for transaction approvals

Answer 370

A

Made by the MITRE corporation
- We can use this framework to determine the actions of an attacker
  ○ Identify point of intrusion
  ○ Understand the methods used to move around
  - Identify potential security techniques to block future accounts

Answer 371

A

Designed by the intelligence community
- This framework guides analysts to help understand intrusions
- Integrates well with other frameworks
- Applies scientific principles to intrusion analysis
  - Measurement, testability and repeatability

Answer 372

A

Adversary
○ Who the attacker is
- Capability
  ○ An exploit of some kind
- Infrastructure
  ○ What was used by the attacker to gain access
  ○ IP’s, Domain names,
- Victim
  ○ A person
  - Asset on the network

Answer 373

A

method used by an attacker to access a victims machine

Answer 374

A

unpatched software, phishing email, usb thumb drive

Answer 375

A

Malware infections usually start within software, messaging, and media

Answer 376

A

registering a malicious URL that is close to the target domain

Answer 377

A

Strange noises
Unusual error message
Display looks strange
Jumbled printouts
New icons appear on the desktop
Double file extensions are being displayed, such as textfile.txt.exe

Answer 378

A

Identify symptoms of a malware infection
1. Quarantine the infected systems
2. Disable systems restore (if using a windows machine)
3. Remediate the infected system
4. Schedule automatic updates and scans
5. Enable system restore and create a new restore point
Provide end user security awareness training

Answer 379

A

Verify your email servers aren’t configured as open mail relays or SMTP open relays
- Remove email address from website
- Use whitelists and blacklists
Train and educate end users

Answer 380

A

Dropper or downloader
a. Small piece of code that goes out and downloads more code
1. Maintain access
2. Strengthen access
  a. Identifying and infecting other machines
3. Actions on objectives
  a. Copying or stealing files
  Concealment

Answer 381

A

Malware designed to install or run other types of malware embedded in a payload on an infected host
Likely to implement anti-forensics techniques to prevent detection and analysis

Answer 382

A

A piece of code that connects to the internet to retrieve additional tools after the initial infection by a dropper

Answer 383

A

Any lightweight code designed to run an exploit on the target, which may include any type of code format from scripting languages to binary code

Answer 384

A

Shellcode originally referred to malware code that would give the attacker a shell or command prompt on the target system, but for the exam use the more generic definition provided previously

Answer 385

A

Hids or host based IDS
NIDS or network based IDS

Answer 386

A

Signature based
- Policy based
  - Anomaly based

Answer 387

A

a specific string of bytes triggers an alert

Answer 388

A

relies on specific declaration of the security policy Example: no telnet authorized

Answer 389

A

analyzes the current traffic against an established baseline and triggers an alert if outside the statistical average

Answer 390

A

malicious activity is identified as an attack

Answer 391

A

an event when no attack has occurred and no detection is made. no attack occurred and your rule didn’t fire

Answer 392

A

legitimate activity is identified as an attack

Answer 393

A

malicious activity is identified as legitimate traffic

When no alarm is raised when an attack has taken place

Answer 394

A

Endpoint DLP system - software based client that monitors the data in use on a computer and can stop a file transfer or alert an admin of the occurrence

Network DLP system - software or hardware based solution that is installed on the perimeter of the network to detect data in transit

Storage DLP system - software installed on servers in the datacenter to inspect the data at rest

Cloud DLP system - cloud software as a service that protects data being stored in cloud services

Answer 395

A

firmware that provides the computer instructions for how to accept input and send output

Answer 396

A

Flash the BIOS
a. Ensuring that the software is up to date
1. Use a BIOS password
2. Configure the BIOS boot order
3. Disable the external ports and devices
4. Enable secure boot
  Involves the TPM

Answer 397

A

technical limitations placed on a system in regards to the utilization of usb storage devices and other removable media

Answer 398

A

Use data encryption
1. Use proper authentication
2. Log NAS access

Answer 399

A

Encryption scrambles data into unreadable information

Answer 400

A

Self-encrypting drive SED - storage device that performs whole disk encryption by using embedded hardware

Answer 401

A

Trusted platform module TPM - chip residing on the motherboard that contains an encryption key

Answer 402

A

AES is a symmetric key encryption that supports 128 bit and 256 bit keys

Answer 403

A

Hardware security module HSM - physical devices that act as a secure crypto processor during the encryption process

Answer 404

A

Host based IDS/IPS HIDS/HIPS- a type of IDS or IPS that monitors a computer system for unexpected behavior or drastic changes to the systems state on an endpoint

Answer 405

A

Endpoint protection platform EPP - a software agent and monitoring system that performs multiple security tasks such as anti virus, HIDS/HIPS, firewall, DLP and file encryption

Answer 406

A

a software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats

Answer 407

A

Ensure we have AV on the phone
Ensure the device is patched
only install apps from the official store
Dont jailbreak the device

Answer 408

A

integrated circuit that securely stores the international mobile subscriber identity IMSI number and its related key / this is what tells the cellphone towers which device is assigned to which number

Answer 409

A

SIM cloning allows two phone to utilize the same service and allows an attacker to gain access to the phones data

SIM v1 cards were easy to clone but newer SIM v2 cards are much harder

Answer 410

A

sending of unsolicited messages to Bluetooth enabled devices / blue jacking send information to a device

Answer 411

A

unauthorized access of information from a wireless device over a Bluetooth connection / taking information from a device

Answer 412

A

centralized software solution that allows system administrators to create and enforce policies across its mobile devices

Answer 413

A

Update your device to the latest version of the software

Install AV

Train users on proper security and use of the device

Only install apps from the official mobile stores

Don’t root or jailbreak the device

Only use v2 sim cards with your devices

Turn off all unnecessary features

Turn on encryption for voice and data

Use strong passwords or biometrics

Don’t allow BYOD

Answer 414

A

process of configuring workstation or server to only provide essential application and services

Answer 415

A

only applications that are on the list are allowed to be run by the operating system while all other applications are blocked

Answer 416

A

any application placed on the list will be prevented from running while all others will be permitted to run

Answer 417

A

any operating system that meets the requirements set forth by government and has multilevel security

Answer 418

A

a single problem fixing a piece of software for an OS or application

Answer 419

A

software code that is issued for a product specific security related vulnerability

Answer 420

A

software code for a specific problem addressing a critical non security bug in software

Answer 421

A

a tested cumulative grouping of patches, hotfixes, security updates, critical updates, and possibly some feature or design changes

Answer 422

A

Planning

Testing

Implementing

Auditing

Answer 423

A

Password complexity

Account lockout policy

Software restrictions

Application restrictions

Answer 424

A

NTFS

FAT32

Ext4

HFS+

Answer 425

A

Windows systems can utilize NTFS or FAT32

Answer 426

A

new technology file system is the default file system format for windows and is more secure because it supports logging, encryption, larger partition sizes and larger file sizes than FAT32

Answer 427

A

a legal principle identifying a subject has used best practices or reasonable care when setting up, configuring, and maintaining a system

Answer 428

A

Properly resourced cybersecurity program

Security assurance and risk management processes

Product support lifecycle

Security controls for confidential data

Incident response and forensics assistance

General and historical company information

Answer 429

A

a microprocessor manufacturing utility that is part of a validated supply chain (one where hardware and software does not deviate from its documented function) created by the DOD / the trusted foundry is a way to make microprocessors secure

Answer 430

A

the process of ensuring that hardware is procured tamper-free from trustworthy suppliers / Don’t buy second hand go straight to the source

Answer 431

A

a cryptographic module embedded within a computer system that can endorse trusted execution and attest to boot settings and metrics / the TPM is an example of a root of trust

A hardware root of trust is used to scan the boot metrics and OS files to verify the signatures, which we can then use to sign a digital report

Answer 432

A

a specification for hardware based storage of digital certificates, keys, hashed passwords, and other user and platform identification information

TPM makes sure when you boot up it does it securely

Answer 433

A

an appliance for generating and storing cryptographic keys that is less susceptible to tampering and insider threats than software based storage

Answer 434

A

A firmware exploit is going to give the attacker an opportunity to run any code at the highest level of CPU privilege

Answer 435

A

a type of system firmware providing support for 64-bit CPU operation at boot, full GUI and mouse operation at boot, and better boot security

Answer 436

A

a UEFI feature that prevents unwanted processes from executing during the boot operation

Answer 437

A

a UEFI feature that gathers secure metrics to validate the boot process in an attestation report / as you boot up it take measurements then creates a report

Answer 438

A

a claim that the data presented in the report is valid by digitally signing it using the TPM’s private key

Answer 439

A

a means for software or firmware to permanently alter the state of a transistor
on a computer chip

Answer 440

A

a firmware update that is digitally signed by the vendor and trusted by the system before installation

Answer 441

A

a disk drive where the controller can automatically encrypt the data that is written to it.

Answer 442

A

a mechanism for ensuring the confidentiality, integrity, and availability for software code and data as it is executed in volatile memory

Answer 443

A

the CPU’S security extensions invoke a TPM and secure boot attestation to ensure that a trusted operating system is running

Answer 444

A

the extensions allow a trusted process to create an encrypted container for sensitive data / also able to store encryption key

Answer 445

A

certain operations that should only be performed once or not at all such as initializing a memory location

Answer 446

A

data is encrypted by an application prior to being placed on the data bus

Answer 447

A

a complete platform designed to replace an entire physical computer and includes a full desktop/server operating system

Answer 448

A

designed to only run a single process or application like a virtualized web browser or a simple web browser

Answer 449

A

Hypervisor – manages the distribution of the physical resources of a host machine (server) to the virtual machines being run guests

Answer 450

A

Type 1 or bare metal hypervisors - runs directly on the host hardware and runs as the operating system

Answer 451

A

Type 2 runs within a typical OS

Answer 452

A

Type 1 are more efficient then type 2 hypervisors

Answer 453

A

Application containerization – a single operating system kernel is shared across multiple virtual machines but each virtual machine receives its own user space for programs and data

Answer 454

A

an attack that allows an attacker to break out of a normally isolated VM by interacting directly with the hypervisor

Answer 455

A

Create and implement web browsing policies as an administrative control or technical control
1. Train your users, user training will prevent many issues inside your organization
2. Use proxies and content filters
  a. Proxies cache the website to reduce requests and bandwidth usage
  b. Content filters can be used to blacklist specific websites or entire categories of sites
3. Prevent malicious code
  Configure your browser to prevent ActiveX controls, Java applets, JavaScript, Flash and other active content

Answer 456

A

Cookies – text files placed on a clients computer to store information about the user’s browsing habits, credentials, and other data

Answer 457

A

also known as flash cookies they are stored in your windows user profile under the flash folder inside of your AppData Folder

Answer 458

A

disable macros
use digital certificates
UAC

Answer 459

A

is an organized process of developing a secure application throughout the life of the project /waterfall model

Answer 460

A

Planning and Analysis
1. Software / Systems design
2. Implementation
3. Testing
4. Intergration
5. Deployment
6. Maintenance

Answer 461

A

software development is performed in time-boxed or small increments to allow more adaptivity to change

Answer 462

A

software developments and information technology operations

Answer 463

A

helps to prioritize vulnerability identification and patching

Answer 464

A

any input that is received from a user should undergo input validation prior to allowing it to be utilized by an application

because it can be malicious

Answer 465

A

default installations should include secure configurations instead of requiring an administrator or user to add in additional security

Answer 466

A

applications should be deployed using code signing to ensure the program is not changed inadvertently or maliciously prior to delivery to an end user

Answer 467

A

applications should be coded to properly conduct error handling for exceptions in order to fail securely instead of crashing

Answer 468

A

occurs when a tester is not provided with any information about the system or the program prior to conducting the test

Answer 469

A

occurs when a tester is provided full details on a system including the source code, diagrams, and user credentials in order to conduct the test

Answer 470

A

provides control over what the application should do when faced with a runtime or syntax error

Answer 471

A

applications verify that information received from a user matches a specific format or range of values

Answer 472

A

source code of an application is reviewed manually or with automatic tools without running the code / reading the code

Answer 473

A

analysis and testing of a program occurs while it is being executed or run / the most common type of this is fuzzing

Answer 474

A

injection of randomized data into a software program in an attempt to find system failures. Memory leaks, error handling issues, and improper input validations

Answer 475

A

method of accessing unauthorized directories by moving through the directory structure on a remote server

Answer 476

A

occurs when an attacker is able to execute or run commands on a victim computer

Answer 477

A

occurs when an attacker is able to execute or run commands on a remote computer

Answer 478

A

occurs when a process stores data outside the memory range allocated by the developer

Answer 479

A

a temporary storage area that a program uses to store data

Answer 480

A

reserved area of memory where the program saves the return address when a function call instruction is revealed

Answer 481

A

occurs when an attacker fills up the buffer with NOP so that the return address may hit a NOP and continue on until it finds the attackers code to run

Answer 482

A

method used by programmers to randomly arrange the different address spaces used by a program or process to prevent buffer overflow exploits

Answer 483

A

occurs when an attacker embeds malicious scripting commands on a trusted website

Answer 484

A

Stored/persistent
- Reflected
  Dom based

Answer 485

A

attempts to get data provided by the attacker to be saved on the web server by the victim

Answer 486

A

attempts to have a non-persistent effect activated by a victim clicking a link on a site

Answer 487

A

an attempt to exploit the victims browser

Answer 488

A

occurs when an attacker forces a user to execute actions on a web server for which they are already authenticated

Answer 489

A

attack consisting of the insertion or injection of an SQL query via input data from the client to a web application /putting in malicious sql statements

Answer 490

A

insertion of additional information or code through data input from a client to an application

Answer 491

A

SQL injection is prevented through input validation and using lest privilege when accessing a database

Answer 492

A

XML data submitted without encryption or input validation is vulnerable to spoofing, request forgery and injection of arbitrary code

Answer 493

A

XML encodes entities that expand to exponential sizes, consuming memory on the host and potentially crashing it

Answer 494

A

an attack that embeds a request for a local resource

Answer 495

A

a software vulnerability when the resulting outcome from execution processes is a direct dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer

Answer 496

A

A race condition vulnerability is found where multiple threads are attempting to write a variable or object at the same memory location

Answer 497

A

a software vulnerability that occurs when the code attempts to remove the relationship between a pointer and the thing it points too

Answer 498

A

the potential vulnerability that occurs when there is a change between when an app checked a resource and when the app used the resource

Answer 499

A

Develop applications to not process things sequentially if possible
Implement a locking mechanism to provide an app with exclusive access

Answer 500

A

any code that is used or invoked outside the main program development process

Answer 501

A

Code reuse
1. Third party library
  1. Software development toolkit SDK

Answer 502

A

any program that does not properly record or log detailed enough information for an analyst to perform there job

Answer 503

A

any program that uses ineffective credentials or one in which the defaults have not been changed for security

Answer 504

A

represents the actual network cables and radio waves used to carry data over a network / this data is known as bits / network cables

Answer 505

A

describes how a connection is established, maintained, and transferred over the physical layer and uses physical addressing / frames / MAC address’s, switches

Answer 506

A

uses logical address to route or switch information between hosts, the network, and the internetworks / packets / router, IP addresses

Answer 507

A

manages and ensures transmission of the packets occurs from a host to a destination using either TCP or UDP

Answer 508

A

manages the establishment, termination, and synchronization of a session over the network

Answer 509

A

translates the information into a format that the sender and receiver both understand /encoding / encryption

Answer 510

A

layer from which the message is created, formed, and originated / HTTP / Email

Answer 511

A

attempt to overwhelm the limited switch memory set aside to store the MAC addresses for each port

Answer 512

A

occurs when an attacker masks their own MAC address to pretend they have the MAC address of another device

Answer 513

A

MAC spoofing is often combined with an ARP spoofing attack

Answer 514

A

used to connect two or more network to form an inter network

Answer 515

A

Routers rely on a packets IP addresses to determine the proper destination

Answer 516

A

an ordered set of rules that a router used to decide whether to permit or deny traffic based upon given characteristics

Answer 517

A

IP spoofing is used to trick a routers ACL

Answer 518

A

focused on providing controlled access to publicly available servers that are hosted within your organizational network

a segment isolated from the rest of a private network by one or more firewalls that accepts connections from the internet over designated ports

Answer 519

A

Email and web servers are the most common things to put in the DMZ

Answer 520

A

hosts or servers in the DMZ which are not configured with any services that run on the local network

Answer 521

A

a hardened server that provides access to other hosts within the DMZ / an admin connects to the jump box and the jump box connects to hosts in the DMZ

Answer 522

A

security technique in which devices are scanned to determine its current state prior to being allowed access onto a given network

Answer 523

A

a piece of software that is installed on the device requesting access to the network

Answer 524

A

uses a piece of software that scans the device remotely or is installed and subsequently removed after the scan

Answer 525

A

Switches create VLANS

Answer 526

A

Segment the network
Reduce collisions
Organize the network
Boost performance
Increase security

Answer 527

A

attacker configures their device to pretend it is a switch and uses it to negotiate a trunk link to break out of a VLAN

Answer 528

A

attacker adds an additional VLAN tag to create an outer and inner tag / adds two vlan tags / prevent double tagging by moving all ports out of the default VLAN group

Answer 529

A

creating sub-networks logically through the manipulation of IP addresses

Answer 530

A

Compartmentalized
Efficient use of IP addresses
Reduced broadcast traffic Reduced collisions

Answer 531

A

NAT – process of changing an IP address while it translates across a router

Using NAT can help us hide our network IPs

Answer 532

A

router keeps track of requests from internal hosts by assigning them random high number ports for each request

Answer 533

A

Class A 10.0.0.0 to 10.255.255.255

Answer 534

A

Class B 172.16.0.0 to 172.31.255.255

Answer 535

A

Class C 192.168.0.0 to 192.168.255.255

Answer 536

A

Term used to describe devices that provide voice communication to users

Answer 537

A

a device that could modulate digital information into an analog signal for transmission over a standard dial-up phone line

Answer 538

A

internal phone system used in large organizations

Answer 539

A

Digital phone service provided by software or hardware devices over a data network

Answer 540

A

Firewalls screen traffic between two portions of a network

Answer 541

A

Software based
- Hardware based
  - Embedded firewalls

Answer 542

A

inspects each packet passing through the firewall and accepts or rejects it based on the rules

Answer 543

A

Stateless packet filtering accepts or denies the requests based on the ip and port that was requested

Answer 544

A

stateful packet filtering tracks the requests leaving the network / this helps eliminate IP spoofing

Answer 545

A

Nat filtering - filters traffic based upon the ports being utilized and type of connection

Answer 546

A

conducts an in depth inspection based upon the application being used / also known as layer 7 firewalls

Answer 547

A

operates at the session layer and only inspects the traffic during the establishment of the initial session over TCP and UDP

Answer 548

A

traffic is allowed to enter or leave the network because there is an ACL rule that specifically allows it

Answer 549

A

traffic is denied the ability to leave the network because there is an ACL rule that specifically denies it

Answer 550

A

traffic is denied the ability to enter or leave the network because there is no specific rules that allow it

Answer 551

A

firewall installed to protect your server by inspecting traffic being sent to a web application

Answer 552

A

a device that acts as a middle man between a device and remote server

Answer 553

A

IP proxy
- Caching proxy
- Content filter
Web security gateway

Answer 554

A

is used to secure a network by keeping its machines anonymous during web browsing

Answer 555

A

attempts to serve a client requests by delivering content from itself without actually contacting the remote server

Answer 556

A

Used in organizations to prevent users from accessing prohibited websites and other content

Answer 557

A

a go between device that scans for viruses, filters unwanted content and performs data loss prevention functions

Answer 558

A

a single computer that might be attractive to an attacker

Answer 559

A

a group of computers servers or networks used to attract an attacker

Answer 560

A

systems designed to protect data by conducting content inspection of data being sent out of the network

Answer 561

A

attempts to detect, log, and alert on malicious network activities

Answer 562

A

NIPS or network intrusion prevention systems - attempts to remove, detain, or redirect malicious traffic

Answer 563

A

Unified threat management system - combination of network security devices and technologies to provide more defense in depth with a single device

UTM might include - a firewall, NIDS/NIPS, content filter, anti-malware, DLP and VPN

Answer 564

A

Cloud computing - a way of offering on demand services that extend the traditional capabilities of a computer or network

Cloud computing relies on virtualization to gain efficiencies and cost savings

Answer 565

A

VDI allows a cloud provider to offer a full desktop operating system to an end user from a centralized server

Answer 566

A

Public
- Private
- Hybrid
  - Community

Answer 567

A

a service provider makes resources available to the end users over the internet

Answer 568

A

a company creates its own cloud environment that only it can utilize as an internal enterprise resource

Answer 569

A

resources and costs are shared among several different organizations who have common service needs

Answer 570

A

SaaS
- IaaS
- PaaS
  - SECaaS

Answer 571

A

provides all the hardware , operating system, software ad applications needed for a complete service to be delivered

Answer 572

A

provides all the hardware, operating system, and backend software needed in order to develop your own software or service / web hosting is an example of this

Answer 573

A

provides your organization with the hardware and software needed for a specific service to operate

Answer 574

A

provides your organization with various types of security services without the need to maintain a cybersecurity staff

Answer 575

A

utilizes separate virtual networks to allows security professionals to test suspicious or malicious files

Answer 576

A

web servers should be placed in your DMZ

Answer 577

A

a private network segment made available to a single cloud consumer within a public cloud

Answer 578

A

VPC is typically going to be used to provision internet-accessible applications that need to be accessed from geographically remote sites

Answer 579

A

enterprise management software designed to mediate access to cloud services by users across all types of devices

Answer 580

A

Single sign on
- Malware and rogue device detection
- Monitor / audit user activity
  - Mitigate data exfiltration

Answer 581

A

Forward proxy
- Reverse proxy
  - API

Answer 582

A

a security appliance or host positioned at the client network edge that forwards user traffic to the cloud network if the contents of that traffic comply with the policy

Answer 583

A

an appliance positioned at the cloud network edge and directs traffic to cloud services if the contents of the traffic comply with the policy

Answer 584

A

API’s allow for the automated administration management and monitoring of a cloud service

Answer 585

A

Curl can be used for testing API’s

Answer 586

A

function as a service – a cloud service model that supports serverless software architecture by provisioning runtime containers in which code is executed in a particular programming language / make applications without having our own servers

Answer 587

A

Serverless eliminates the need to manage physical or virtual servers

Answer 588

A

No patching
- No administration
  No file system monitoring

Answer 589

A

Insecure API’s
- Improper key management
- Logging and monitoring
  Unprotected storage

Answer 590

A

API’s should use secure authentication and authorization such as SAML or OAuth before accessing the data
- Do not hardcode or embed a key into the source code
Delete unnecessary keys

Answer 591

A

Cloud storage containers are referred to as buckets or blobs
Incorrect permissions may occur due to defaults permissions

Answer 592

A

Resource orchestration
- Workload orchestration
  Service orchestration

Answer 593

A

a software development method where code updates are tested and committed to a development or build a server/code repository rapidly / can test and commit updates multiple times per day

Answer 594

A

a software development method where application and platform requirements are frequently tested and validated for immediate availability / gets the code ready for release doesn’t actually release it

Answer 595

A

a software development method where application and platform updates are committed to production rapidly / focuses on automated testing and release of code in order to get it into the production environment more quickly

Answer 596

A

DevOps – an organizational culture shift that combines software development and systems operation by referring to the practice of integrating the two disciplines within a company

DevSecOps – a combination of software development, security operations, and systems operations by integrating each discipline with the others

Answer 597

A

a provisioning architecture in which deployment of resources is performed by scripted automation and orchestration / allows us to script out the provisioning of cloud resources

Answer 598

A

any system that is different in its configuration compared to a standard template within an infrastructure as code architecture

Answer 599

A

a property of IAC that an automation or orchestration action always produces the same result regardless of the components previous state

Answer 600

A

the science of creating machines with the ability to develop problem solving and analysis strategies without significant human direction or intervention

Answer 601

A

a component of AI that enables a machine to develop strategies for solving a task given a labeled dataset where features have been manually identified but without further instructions

Answer 602

A

an architecture of input, hidden, and output layers that can perform algorithmic analysis of datasets to achieve outcome objectives

Answer 603

A

a refinement of machine learning that enables a machine to develop strategies for solving a task given a labeled dataset and without further explicit instructions

Answer 604

A

a logical communication opening on a server that is listening for a connection from a client

Answer 605

A

a logical communication opening created on a client in order to call out to a server that is listening for a connection

Answer 606

A

ports 0-1023 are considered well-known and are assigned by the internet Assigned numbers authority IANA

Answer 607

A

ports 1024 to 49,151 are considered registered and are usually assigned to proprietary protocols

Answer 608

A

ports 49,152 to 65,535 can be used by any application without being registered with IANA

Answer 609

A

21 TCP, file transfer protocol Is used to transfer files from host to host

Answer 610

A

22 TCP,UDP – secure shell Is used to remotely administer network devices and systems

Answer 611

A

unencrypted method to remotely administer network devices

Answer 612

A

simple mail transfer protocol is used to send email over the internet

Answer 613

A

domain name service is used to resolve hostnames to IPs and IPs to hostnames

Answer 614

A

trivial FTP is used as a simplified version of FTP to put a file on a remote host or get a file from the remote host

Answer 615

A

80 TCP – hypertext transfer protocol is used to transmit web page data to a client for unsecured web browsing

Answer 616

A

88 TCP/UDP - used for network authentication using a system of tickets within a windows domain

Answer 617

A

110 TCP – post office protocol v3 is used to receive email from a mail server

Answer 618

A

119 TCP – network news transfer protocol is used to transport UseNet articles

Answer 619

A

135 TCP/UDP - remote procedure call is used to locate DCOM ports to request a service from a program on another computer on the network

Answer 620

A

137-139 TCP/UDP – netbios is used to conduct name querying, sending of data and other functions over a netbios connection

Answer 621

A

143 TCP - internet message access protocol is used to receive email from a mail server with more features than POP3

Answer 622

A

161 UDP – simple network management protocol is used to remotely monitor devices

Answer 623

A

162 TCP/UDP - used to send trap and inform requests to the SNMP manager on a network

Answer 624

A

389 TCP/UDP - lightweight directory access protocol is used to maintain directories of users and other objects

Answer 625

A

443 TCP – hyper text transfer protocol secure is used to transmit web page data to a client over an SSL/TLS encrypted connection

Answer 626

A

445 TCP – server message block is used to provide shared access to files and other resources on the network

Answer 627

A

465/587 TCP – smtp TLS is used to send email over the internet with an SSL and TLS secured connection

Answer 628

A

syslog is used to connect computer message logging especially for routers and firewall logs

Answer 629

A

ldap is used to maintain directories of users and other objects over an encrypted SSL/TLS connection

Answer 630

A

iSCSI is used for linking data storage facilities over IP / commonly used in storage area networks

Answer 631

A

989/990 TCP – file transfer protocol secure is used to transfer files from host to host over an encrypted connection

Answer 632

A

995 TCP – pop3 used to receive email from a mail server using an SSL/TLS encrypted connection

Answer 633

A

1433 TCP – Microsoft SQL server is used to receive SQL database queries from clients

Answer 634

A

1645/1646 alternate 1812/1813 primary UDP – Remote authentication dial in user service is used for authentication and authorization

Answer 635

A

1701 UDP – layer 2 tunneling protocol is used as an underlying VPN protocol but has no inherent security

Answer 636

A

1723 TCP/UDP - point to point tunneling protocol is an underlying VPN protocol with built in security

Answer 637

A

3225 TCP/UDP - fiber channel IP is used to encapsulate fiber channel frames within the TCP/IP packets

Answer 638

A

3260 TCP – iSCSI target is a listening port for an iSCSI targeted devices when linking data storage facilities over IP

Answer 639

A

3389 TCP/UDP - remote desktop protocol is used to remotely view and control other windows systems via a graphical user interface

Answer 640

A

6514 TCP – it is used to conduct computer message logging, especially for routers and firewall logs, over a TLS encrypted connection

Answer 641

A

any ports that is associated with a service or function that is non-essential to the operation of your computer or network

To close an a non needed port you can stop the service that is utilizing the port

Answer 642

A

term used to describe many different types of attacks which attempt to make a computer or servers resources un-available

Answer 643

A

Flood attacks
- Ping of Death
- Teardrop attack
- Permanent DOS
  Fork bomb

Answer 644

A

a specialized type of DOS which attempts to send more packets to a single server or host then they can handle

Answer 645

A

an attacker attempts to flood the server by sending too many ICMP echo request packets also known as pings

Answer 646

A

attacker sends a ping to subnet broadcast address and devices reply to spoofed IP (victim server) using up bandwidth and processing power

Answer 647

A

attacker sends a UDP echo packet to port 7 and port 19 to flood a server with UDP packets

Answer 648

A

Smurf used TCP fraggle attacks use UDP

Answer 649

A

variant on a denial of service attack where attacker initiates multiple TCP sessions but never completes the three way handshake

Answer 650

A

a specialized network scan that sets the FIN, PSH and URG flags and can cause a device to crash or re-boot

Answer 651

A

attack that breaks apart packets into IP fragments, modifies them with overlapping and oversized payloads and sends them to a victim machine

Answer 652

A

attack that creates a large number of processes to use up the available processing power of a computer

Answer 653

A

Distributed denial of service DDOS –a group of compromised systems attack a single target simultaneously to create a denial of service DOS

Answer 654

A

attack which relies on the large amount of DNS information that is sent in response to a spoofed query on behalf of the victimized server

Answer 655

A

Blackholing or sinkholing - identifies any attacking IP addresses and routes all their traffic to a non-existent server through the null interface

Answer 656

A

Spoofing – occurs when an attacker masquerades as another person by falsifying there identity

Answer 657

A

Proper authentication is the best way to prevent spoofing

Answer 658

A

exploitation of a computer session in an attempt to gain unauthorized access to data services or other resources on a computer server

Answer 659

A

attacker guesses the session ID for a web session, enabling them to takeover the already authorized session of the client

Answer 660

A

occurs when an attacker takes over a TCP session between two computers without the need of a cookie or other host access

Answer 661

A

occurs when an attacker blindly injects data into the communication stream without being able to see if its successful or not

Answer 662

A

attack that uses multiple transparent layers to trick a user into clicking on a button or link on a page when they were intending to click the actual page

Answer 663

A

attack that causes data to flow through the attacks computer where they can intercept or manipulate the data

Answer 664

A

occurs when a trojan infects a vulnerable web browser and modifies the web pages or transactions being done on the browser

Answer 665

A

occurs when malware is placed on a website that the attacker knows his potential victims will access

Answer 666

A

network based attack where a valid data transmission is fraudulently or maliciously re-broadcast repeated or delayed

Answer 667

A

session tokens will combat replay attacks

MFA will also prevent these sort of attacks

Answer 668

A

occurs when the name resolution information is modified in the DNS servers cache / if the cache is poisoned the attacker can send users to malicious websites

Answer 669

A

occurs when an attacker requests replication of the DNS information to their systems for use in planning future attacks

Answer 670

A

occurs when an attacker modifies the host files to have the client bypass the DNS server and redirects them to an incorrect or malicious website

Answer 671

A

protocol for mapping an internet protocol or IP address to a physical machine address that is recognized in the local network

Answer 672

A

attack that exploits the IP address to MAC resolution in a network to steal, modify, or redirect frames within the local area network

Answer 673

A

ARP poisoning is prevented by VLAN segmentation and DHCP snooping

Answer 674

A

a disturbance that can affect electrical circuits, devices, and cables due to radiation or electromagnetic conduction

Answer 675

A

Shielding the cables STP on the source can minimize EMI

Answer 676

A

A disturbance that can affect electrical circuits, devices, and cables due to AM/FM transmissions or cell towers

Answer 677

A

occurs when a signal transmitted on one copper wire creates and undesired effect on another wire

Answer 678

A

the electromagnetic field generated by a network cable or device when transmitting / comes from inside the cable / someone could capture this

Answer 679

A

secured system of cable management to ensure that the wired network remains free from eavesdropping, tapping, data emanations, and other threats

Answer 680

A

uniquely identifies the network and is the name of the WAP used by the clients

Answer 681

A

an unauthorized WAP or wireless router that allows access to the secure network

Answer 682

A

a rogue, counterfeit, and unauthorized WAP with the same SSID as your valid one

Answer 683

A

same encryption key is used by the access point and the client

Answer 684

A

WEP – not secure / weak IV’s

Answer 685

A

replacement for WEP which used TKIP, Message integrity check and RC4 encryption

Answer 686

A

802.11 standard to provide better wireless security featuring AES with a 128 bit key, CCMP, and integrity checking

Answer 687

A

Smurf used TCP fraggle attacks use UDP

Answer 688

A

2.4 GHz signals can travel further than 5 GHz

Answer 689

A

intentional radio frequency interference targeting your wireless network to cause a denial of service

Answer 690

A

creates network segments for each client when it connects to prevent them from communicating with other clients on the network

Answer 691

A

occurs when an attacker observes the operation of a cipher being used with several different keys and finds a mathematical relationship between those keys to determine the clear text data

Answer 692

A

attack that targets an individual client connected to a network forces it offline by deauthenticating it and then captures the handshake when it reconnects

Answer 693

A

uses AES-256 encryption with a SHA-384 hash for integrity checking

Answer 694

A

uses CCMP-128 as the minimum encryption required for secure connectivity

Answer 695

A

a secure password based authentication and password authenticated key agreement method

Answer 696

A

SAE provides forward secrecy

Answer 697

A

a feature of key agreement protocols like SAE that provides assurance the session keys will not be compromised even if long term secrets used in the session key exchange are compromised

Answer 698

A

devices that use a radio frequency signal to transmit identifying information about the device or token holder

Answer 699

A

allows two devices to transmit information when they are within close range through automated pairing and transmission

Answer 700

A

area between two doorways that holds people until they are identified and authenticated

Answer 701

A

relies on the physical characteristics of a person to identify them

Answer 702

A

Biometrics is considered something you are

Answer 703

A

rate that a system authenticates a user as authorized of valid when they should not have been granted access to the system

Answer 704

A

rate that a system denies a user as authorized or valid when they should have been granted access to the system

Answer 705

A

an equal error rate where the false acceptance rate and false rejection rate are equal

Answer 706

A

pipes are filled with water all the way to the sprinkler head and are just waiting for the bulb to be melted or broken

Answer 707

A

pipes are filled with pressurized air and only push water into the pipes when needed to combat the fire

Answer 708

A

A pre action sprinkler system will activate when heat or smoke is detected

Answer 709

A

fire suppression system that relies upon gas instead of water to extinguish a fire

Answer 710

A

To reduce EMI use shielded twisted pair STP which adds a layer of shielding inside the cable

Answer 711

A

shielding installed around an entire room that prevents electromagnetic energy and radio frequencies from entering or leaving the room

Answer 712

A

us government standards for the level of shielding required in a building to ensure emissions and interference cannot enter or exit the facility / resistant to EMP’s

Answer 713

A

Vehicles connect numerous subsystems over a controller area network or CAN

Answer 714

A

a digital serial data communications network used within vehicles

Answer 715

A

Attack the exploit to OBD-II
Exploit over onboard cellular

Answer 716

A

a group of objects electronic or not that are connected to the wider internet by using embedded electronic components

Answer 717

A

a computer system that us designed to perform a specific dedicated function

Answer 718

A

a type of computer designed for deployment in an industrial or outdoor setting that can automate and monitor mechanical systems

Answer 719

A

a processor that integrates the platform functionality of multiple logical controllers onto a single chip

Answer 720

A

a type of OS that prioritizes deterministic execution of operations to ensure consistent response for time critical tasks

Answer 721

A

a processor that can be programmed to perform a specific function by a customer rather than at the time of manufacture

Answer 722

A

a communications network designed to implement an industrial control system rather than data networking

Answer 723

A

a network that manages embedded devices

Answer 724

A

Electrical power stations
- Water suppliers
- Health services
- Telecommunications
- Manufacturing
  Defense

Answer 725

A

digital serial data communications used in operational technology networks to link PLC’s

Answer 726

A

input and output controls on a PLC to allow a user to configure and monitor the system

Answer 727

A

ICS manages the process automation by linking together PLCs using a fieldbus to make changes in the physical world

Answer 728

A

software that aggregates and catalogs data from multiple sources within an industrial control system

Answer 729

A

a type of industrial control system that manages large scale, multiple site devices and equipment spread over a geographic region

Answer 730

A

typically runs as software on ordinary computers to gather data from and manage plant devices and equipment with embedded PLCs

Answer 731

A

a communications protocol used in OT networks / Its like TCP for operation technology networks

Answer 732

A

establish administrative control over OT networks by recruiting staff with relevant expertise
- Implement the minimum network links by disabling unnecessary links, services, and protocols
- Develop and test a patch management program for OT networks
  Perform regular audits of logical and physical access to systems to detect possible vulnerabilities and intrusions

Answer 733

A

systems used for building automation and physical access security

Answer 734

A

components and protocols that facilitate the centralized configuration and monitoring of mechanical and electrical systems within offices and data centers

Answer 735

A

use of two or more authentication factors to prove a user’s identity

Answer 736

A

Username and password are only considered a single factor authentication

Answer 737

A

a password is computed from a shared secret and current time

Answer 738

A

a password is computed from a shared secret and is synchronized between the client and the server

Answer 739

A

process to check the users or systems attributes or characteristics prior to allowing it to connect

Answer 740

A

a default user profile for each user is created and linked with all the resources needed

Answer 741

A

a single identity is created for a user and shared with all of the organizations in a federation

Answer 742

A

utilizes a web of trust between organizations where each one certifies others in the federation

Answer 743

A

organizations are able to place their trust in a single third party

Answer 744

A

attestation model built upon XML used to share federated identity management information between systems

Answer 745

A

an open standard and decentralized protocol that is used to authenticate users in a federated identity management system

Answer 746

A

standardized framework used for port based authentication on wired and wireless networks

802.1x framework uses RADIUS and TACACS+ to do the authentication for us

Answer 747

A

a framework of protocols that allows for numerous methods of authentication including passwords, digital certificates, and public key infrastructure

Answer 748

A

a database used to centralize information about clients and objects on the network

Answer 749

A

an authentication protocol used by windows to provide two way mutual authentication using a system of tickets

Answer 750

A

Microsoft’s proprietary protocol that allows administrators and users to remotely connect to another computer via GUI

Answer 751

A

cross platform version of the remote desktop protocol for remote user GUI access / VNC requires a client, server, and protocol be configured / port 5900

Answer 752

A

used to provide authentication but is not considered secure since it transmits the login credentials unencrypted

Answer 753

A

used to provide authentication by using the users password to encrypt a challenge string of random numbers

Answer 754

A

allows end users to create a tunnel over an untrusted network and connect remotely and securely back into the enterprise network

Answer 755

A

specialized hardware device that allows for hundreds of simultaneous VPN connections for remote workers

Answer 756

A

a remote workers machine diverts internal traffic over the VPN but external traffic over their own internet connection

Answer 757

A

provides centralized administration of dial up VPN and wireless authentication services for 802.1x and the EAP protocol / Radius operates at the application layer / uses UDP

Answer 758

A

standard that defines port based network access control and is a data link layer authentication technology used to connect devices to a wired or wireless LAN

Answer 759

A

application layer protocol for accessing and modifying directory services data / AD uses it

Answer 760

A

authentication protocol used in windows to identify clients to a server using mutual authentication / uses tickets

Answer 761

A

service that enables dial up and VPN connections to occur from remote clients

Answer 762

A

a software based attack where the goal is to assume the identity of a user, process, address, or other unique identifier

Answer 763

A

an attack where the attacker sits between two communicating hosts and transparently captures monitors and relays all communication between the hosts

Answer 764

A

brute force attack in which multiple user accounts are tested with a dictionary of common passwords

Answer 765

A

brute force attack in which stolen user account names and passwords are tested against multiple websites

Answer 766

A

a software vulnerability where the authentication mechanism allows an attacker to gain entry

1. Weak password credentials 
2. Weak password reset methods
3. Credential exposure  Session Hijacking

Answer 767

A

methods used to secure data and information by verifying a user has permissions to read, write, delete, or otherwise modify it

Answer 768

A

DAC
- MAC
- RBAC
  ABAC

Answer 769

A

the access control policy is determined by the owner

every object in a system must have an owner
Each owner determines access right’s and permissions for each object

Answer 770

A

an access control policy where the computer system determines the access control for an object

The owner choses the permissions in DAC but in MAC the computer does

Answer 771

A

MAC relies on security labels being assigned to every user (called a subject) and every file/folder/device or network c) and every file/folder/device or network connection (called an object)
MAC is implemented through the rule-based and the lattice-based access control methods

Answer 772

A

label based access control that defines whether access should be granted or denied to objects by comparing the object label and the subject label

Answer 773

A

an access model that is controlled by the system (like MAC) but utilizes a set of permissions instead of a single data label to define the permission label

Answer 774

A

all access to a resource should be denied by default and only be allowed when explicitly stated

Answer 775

A

R (Read) = 4
W (Write)=2
X ( (Execute) = 1

Answer 776

A

seeks to identify any issue in a network application, database, or other systems prior to it being used that might compromise the system

Answer 777

A

practice of finding and mitigating the vulnerabilities in computers and networks

Answer 778

A

Get permission and document info
- Conduct recon
- Enumerate the targets
- Exploit the targets
  Document the results

Answer 779

A

is a discussion of simulated emergency situations and security incidents

Answer 780

A

a standard designed to regulate the transfer of secure public information across network and the internet utilizing any security tools and services available

Answer 781

A

OVAL is comprised of a language and an interpreter

OVAL language – an XML schema used to define and describe the information being created by OVAL to be shared among the various programs and tools

OVAL interpreter – a reference developed to ensure the information passed around by these programs complies with the OVAL schemas and definitions used by the OVAL language

Answer 782

A

list of precomputed values used to more quickly break a password since values don’t have to be calculated for each password being guessed

Answer 783

A

signature based
anomaly based
behavior based

Answer 784

A

network traffic is analyzed for predetermined attack patterns

Answer 785

A

a baseline is established and any network traffic that is outside the baseline is evaluated

Answer 786

A

activity is evaluated based on the previous behavior of applications, executables and the operating system in comparison to the current activity on the system

Answer 787

A

network adapter is able to capture all of the packets on the network regardless of the destination MAC address of the frames carrying them

Answer 788

A

network adapters can only capture the packets addressed to itself directly

Answer 789

A

a physical device that allows you to intercept the traffic between two points on the network

Answer 790

A

a TCP/IP protocol that aids in monitoring network attached devices and computers / SNMP is incorporated into a network management and monitoring system

Answer 791

A

computers and other network attached devices monitored through the use of agents by a network management system

Answer 792

A

software that is loaded on a managed device to redirect information to the network management system

Answer 793

A

software run on one or more servers to control the monitoring of network attached devices and computers

Answer 794

A

are insecure due to the use of community strings to access a device

Answer 795

A

version of SNMP that provides integrity, authentication, and encryption of the messages being sent over the network

Answer 796

A

logs the events such as successful and unsuccessful user logins to the system

Answer 797

A

logs the events such as a system shutdown and driver failures

Answer 798

A

logs the events for the operating system and third party applications

Answer 799

A

a standardized format used for computer messaging logging that allows for the separation of the software that generates messages, the system that stores them, and the software that reports and analyes them

Answer 800

A

Log all relevant events and filter irrelevant data

Establish and document the scope of the events

Develop use cases to define a threat

Plan incident response for an event

Establish a ticketing process to track events

Schedule regular threat hunting

Provide auditors and analysts an evidence trail

Answer 801

A

a protocol for enabling different appliances and software applications to transmit logs or event records to a central server

Answer 802

A

Use port 1468 TCP for consistent delivery

Can use TLS to encrypt messages sent to servers

Use MD5 or SHA1 for authentication and integrity

Answer 803

A

a class of security tools that facilitates incident response, threat hunting, and security configuration by orchestration automated runbooks and delivering data enrichment

Answer 804

A

SOAR is primarily used for incident response

Answer 805

A

Playbook- a checklist of actions to perform to detect and respond to a specific type of incident

Answer 806

A

an automated version of a playbook that leaves clearly defined interaction points for human analysis

Answer 807

A

encryption algorithm in which both the sender and the receiver must know the same secret using a privately held key

Key distribution can be challenging with symmetric encryption

Answer 808

A

DES

3DES

IDEA

AES

Blowfish

Twofish

RC4

RC5

RC6

Answer 809

A

encryption algorithm where different keys are used to encrypt and decrypt the data

Answer 810

A

Diffie Helman

RSA

ECC

PGP

Answer 811

A

utilizes a keystream generator to encrypt data bit by bit using a mathematical XOR function to create the ciphertext

Answer 812

A

breaks the input into fixed length blocks of data and performs the encryption on each block

Answer 813

A

Block ciphers are commonly implemented through software stream ciphers are commonly implemented through hardware

Answer 814

A

encryption algorithm which breaks the input into 64-bit blocks and uses transposition and substitution to create cyphertext using an effective key strength of only 56 bits

Answer 815

A

encryption algorithm which uses three separate symmetric keys to encrypt, decrypt, then encrypt the plaintext into ciphertext in order to increase the strength of DES

Answer 816

A

symmetric block cipher which uses 64 bit blocks to encrypt plaintext into ciphertext

Answer 817

A

symmetric block cipher that uses 128 bit 192 bit or 256 bit blocks and a matching encryption key size to encrypt plaintext into ciphertext
AES is the standard for encrypting sensitive US government data

Answer 818

A

symmetric block cipher that uses 64 bit blocks and a variable length encryption key to encrypt plaintext into cipher text

Answer 819

A

symmetric block cipher that replaced blowfish and uses 128 bit blocks and a 128 bit, 192 bit or 256 bit encryption key to encrypt plaintext into cipher text

Answer 820

A

symmetric stream cipher using a variable key size from 40 bits to 2048 bits that is used in SSL and WEP

RC4 is the only stream cipher everything else is block

Answer 821

A

a hash digest of a message encrypted with the sender private key to let the recipient know the document was created and sent by the person claiming to have sent it

Answer 822

A

read it again

Answer 823

A

used to conduct key exchanges and secure key distribution over an unsecure network

Diffie-hellman is used for the establishment of a VPN tunnel using IPSec

Answer 824

A

asymmetric algorithm that relies on the mathematical difficulty of factoring large prime numbers / key sizes 1024 buts to 4096 bits

Answer 825

A

algorithm that is based upon the algebraic structure of elliptic curves over finite fields to define the keys

ECC is most commonly used for mobile devices and low power computing devices

Answer 826

A

PGP an encryption program used for signing, encrypting, and decrypting emails

Answer 827

A

a newer and updated version of the PGP encryption suite that uses AES for its symmetric encryption functions

Answer 828

A

refers to how an organization will generate, exchange, store and use encryption keys

The strength of an encryption system lies in the key strength / keys must also be securely stored / change keys periodically

Answer 829

A

stream cipher that encrypts plaintext information with a secret random key that is the same length as the plaintext input

Answer 830

A

a shared, immutable ledger for recording transactions tracking assets and building trust

Answer 831

A

a record keeping system that maintains participants identities in secure and anonymous form, their respective crypto balances, ad a record book of all the genuine transactions executed between network participants

Answer 832

A

a one way cryptographic function which takes an input and produces a unique message digest

Answer 833

A

algorithm that creates a fixed length 128 bit hash value unique to the input file

Answer 834

A

condition that occurs when two different files create the same hash digest

Answer 835

A

algorithm that creates a fixed length 160-bit hash value unique to the input file

Answer 836

A

family of algorithms that includes SHA-224 SHA-256 SHA-348 AND SHA-512

Answer 837

A

family of algorithms that creates hash digests between 224 bits and 512 bits

Answer 838

A

an open source hash algorithm that creates a unique 160-bit, 256-bit or 320 bit message digest for each input file

Answer 839

A

uses a hash algorithm to create a level of assurance as to the integrity and authenticity of a given message or file

Answer 840

A

uses digital signatures to provide an assurance that the software code has not been modified after it was submitted by the developer

Answer 841

A

original version of password hashing used by windows that uses DES and is limited to 14 characters

Answer 842

A

replacement to LM hash that uses RC4 and was released with WIndows NT

Answer 843

A

replacement to NTLM hash that uses HMAC-MD5 and is considered difficult to crack

Answer 844

A

MD5 and SHA

Answer 845

A

a technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LM hash instead of requiring the associated plaintext password

Answer 846

A

Technique used by an attacker to find two different messages that have the same identical hash digest

Answer 847

A

a technique that is used to mitigate a weaker key by increasing the time needed to crack it

Answer 848

A

adding random data into a one way cryptographic hash to help protect against password cracking techniques

Answer 849

A

digitally signed electronic documents that bind a public key with a user’s identity

Answer 850

A

standard used for PKI for digital certificates and contains the owner/users information and the certificate authorities information

Answer 851

A

CA or certificate authority is the trusted third party who is going to issue the digital certificates

Answer 852

A

allow all of the subdomains to use the same public key certificate and have it displayed as valid

Answer 853

A

allows a certificate owner to specify additional domains and IP address to be supported

Answer 854

A

the original ruleset governing the encoding of data structures for certificates where several different encoding types can be utilized

Answer 855

A

a restricted version of the BER that only allows the use of only one encoding type

Answer 856

A

certificate signing request is what is submitted to the CA to request a digital certificate

Answer 857

A

used to verify information about a user prior to requesting that a certificate authority issue the certificate

Answer 858

A

the entity that issues certificates to a user

Answer 859

A

an online list of digital certificates that the certificate authority has revoked

Answer 860

A

a protocol that allows you to determine the revocation status of a digital certificate using its serial number

Answer 861

A

allows the certificate holder to get the OCSP record from the server at regular intervals and include it as part of the SSL or TLS handshake

Answer 862

A

allows an HTTPS website to resist impersonation attacks by presenting a set of trusted public keys to the users web browser as part of the HTTP header

Answer 863

A

occurs when a secure copy of a users private key is held in case the user accidentally loses their key

Answer 864

A

a specialized type of software that allows for the restoration of a lost or corrupted key to be performed

Answer 865

A

a decentralized trust model that addresses issues associated with the public authentication of public keys within a CA based PKI system / more of a peer to peer model

Answer 866

A

the individual elements, objects, or parts of a system that would cause the whole system to fail if they were to fail

Answer 867

A

an enclosure that provides two or more complete power supplies

Answer 868

A

combines the functionality of a surge protector with that of a battery backup

Answer 869

A

an emergency power system used when there is an outage of the regular electric power grid

Answer 870

A

provides data stripping across multiple disks to increase performance / you would use this when you care about performance but not fault tolerance / need at least two disks

Answer 871

A

provides redundancy by mirroring the data identically on two hard disks

Answer 872

A

provides redundancy by stripping data and parity data across the disk drives / requires three disks

Answer 873

A

provides redundancy by striping and double parity data across the disk drives / 2 stripes for parity data where as RAID 5 only has one / At least 4

Answer 874

A

Fault – resistant
- Fault tolerant
  Disaster tolerant

Answer 875

A

protects against the loss of the arrays data if a single disk fails / raid 1 or 5

Answer 876

A

protects against the loss of the arrays data if a single component fails / raid 1 5 and 6

Answer 877

A

provides two independent zones with full access to the data / RAID 10

Answer 878

A

two or more server working together to perform a particular job function

Answer 879

A

a secondary server can take over the function when the primary one fails

Answer 880

A

servers are clustered in order to share resources such as CPU, RAM and Hard disks

Answer 881

A

all of the contents of a drive are backed up

Answer 882

A

only conducts a backup of the contents of a drive that have changed since the last full or incremental backup

Answer 883

A

only conducts a backup of the contents of a drive that have changed since the last full backup / this type of backup takes more time to create but less time to restore

Answer 884

A

each tape is used once per day for two weeks and the entire set is reused

Answer 885

A

three sets of backup tapes are defined as the son (daily), the father (weekly), and the grandfather (monthly)

Answer 886

A

three sets of backup tapes (like the grandfather-father-son) that are rotated in a more complex system /helps prevent tapes from being worn out quickly

Answer 887

A

type of backup primarily used to capture the entire operating system image including all applications and data / commonly used with VM’s

Answer 888

A

the development of an organized and in depth plan for problems that could affect the access of data or the orgs building

Answer 889

A

Contact info
1. Impact determination (how much this affects the business)
2. Recovery Plan (what is the order and priority of things that need to be recovered)
3. Business continuity plan (BCP)
4. Copies of agreements
5. Disaster recovery exercises
  List of critical systems and data

Answer 890

A

a systematic activity that identifies organizational risks and determines their effect on ongoing, mission critical operations / business impact analysis is governed by metrics that express system availability

Answer 891

A

the longest period of time a business can be inoperable without causing irrevocable business failure

Answer 892

A

the length of time it takes after an event to resume normal business operations and activities

Answer 893

A

the length of time in addition to the RTO of individual systems to perform reintegration and testing of a restored or upgraded system following an event

Answer 894

A

the longest period of time that an organization can tolerate lost data being unrecoverable

Answer 895

A

measures the average time it takes to repair a network device when it breaks

Answer 896

A

average time between failures on a device

Brainscape's Knowledge GenomeTM

Security + Flashcards

Brainscape's Knowledge Genome^TM