Security + Flashcards

1
Q

What are the three parts of any form of authentication?

A

Identification - usually a username
Password - or something you know
Authorization - what you can do

2
Q

What is MFA?

A

Using more than one factor to authenticate

3
Q

What are the different factors that can be used when authenticating someone with MFA?

A

Something you know - password
Something you have - key fob
Something you are - biometrics

4
Q

What are some of the different authentication attributes?

A

Something you do - your signature
Something you exhibit - typing speed
Someone you know - certificates from a server
Somewhere you are - physical location

5
Q

What is identification?

A

Claiming an identity

6
Q

What is authentication?

A

Proving an identity

7
Q

What is authorization?

A

Permitting specific actions once a user has been authenticated

8
Q

What does the word accounting mean in security?

A

Essentially auditing: we want to be able to account for, or audit, the activity a user performed while they were signed in.

9
Q

When can authorization occur?

A

Authorization can only occur after authentication.

10
Q

What do we need for proper accounting and auditing?

A

Separate user accounts for each person; otherwise every action appears to come from the same user ID.

11
Q

What are some different types of auditing?

A

Resource access, such as sign-ins to a system
Failed login attempts
Changes to files or database records (has the data been tampered with?)

12
Q

Why is username and password security risky?

A

They are a security risk because both are something you know and can be guessed.
Mitigation: use different passwords for different resources.

13
Q

What is a password vault?

A

A way of storing passwords; LastPass is an example of this.

14
Q

What are the characteristics of one-time passwords?

A

- Unique password generated for single use; a static code sent via email or SMS text
- TOTP stands for time-based one-time password
  - The password is only valid for a certain amount of time
- HOTP stands for HMAC-based one-time password
  - HMAC encrypts a hash to ensure authenticity

15
Q

What are the characteristics of certificate-based authentication?

A

PKI certificates are issued by a trusted authority to an individual entity

16
Q

What are the characteristics of SSH public key authentication?

A

This means you would sign in with a username and password as well as a private key

The public key is stored on the server

The private key is stored with you on your station

17
Q

What are some of the characteristics of biometrics?

A

- This is something that is unique to you as an individual
  - Fingerprints
  - Retina scan
  - Iris scan
  - Facial recognition
  - Voice recognition
  - Vein analysis
  - Gait analysis (how you move or walk)

18
Q

What are some mistakes that can happen with biometrics?

A

False acceptance rate - the system makes a mistake and accepts someone it should not
False rejection rate
Crossover error rate

19
Q

What are some of the characteristics of credential policies?

A

Defines who gets access to what, e.g. which employees get access to what in an org
- We might have a credential policy related to contractors
- Device policies, e.g. must use a VPN tunnel
- Credential policies for service accounts
- Credential policies for administrator or root accounts; this is sometimes called PAM or privileged access management

20
Q

What is attribute-based access control?

A

Looks at the attributes of a user or device to determine what permissions they have to a resource. Examples: date of birth, or maybe the device type.

21
Q

What is role-based access control?

A

A role is a collection of related permissions
Example: we could create a role that lets someone access files in the cloud

22
Q

What is rule-based access control?

A

Uses conditional access policies
For example: must be signed in using MFA, must be using an iPhone, must be signing in from Canada

23
Q

What is mandatory access control?

A

- We assign labels or identifiers to resources
  - Devices, files, databases, network ports, etc.
- Permission assignments are based on resource labels and security clearance

24
Q

What is discretionary access control?

A

Data custodian sets permissions at their discretion

25
What are some things we can use for physical access control?
- Limited facility access
- Vestibules
- Door locks
- Proximity cards
- Key fobs
26
What are some best practices for account management?
- We should assign permissions to groups
- The principle of least privilege should be applied to user accounts
- Audit user accounts
- Make sure to disable user accounts when employees are terminated or leave
27
What are some different types of account policies?
- Employee onboarding policies
- Password policies
  - Here we can define password complexity policies
  - Password history
- Account lockout policies to protect against brute-force attacks
- Geolocation
  - Where a user is located
- Geofencing
  - The user's geolocation determines resource access
- Geotagging
  - Adding location metadata to files and social media posts
- Impossible travel time
  - Moving between locations so fast it is impossible
28
Where are public keys stored on a Linux machine?
In the user's home directory on the Linux server. SSH public keys must be stored on the server in the user's home directory in a file called "authorized_keys".
29
What is geotagging?
Geotagging uses GPS coordinates or IP address block information to add detailed location information to social media posts and pictures.
30
What are some of the different network authentication protocols?
- PAP, password authentication protocol
- MS-CHAP, Microsoft challenge handshake authentication protocol
- NTLM, Microsoft New Technology LAN Manager
- Kerberos
- EAP
- IEEE 802.1X
- RADIUS
31
What are some of the characteristics of PAP?
Outdated; sends passwords in the clear over the network
32
What are some of the characteristics of MS-CHAP?
1. Client requests authentication from a server
2. Server sends a challenge to the client
3. Client responds to the challenge with a hash computed using the user's password
4. Server compares the response to its own computed hash and authenticates if they match
33
What are some of the characteristics of NTLM?
- NTLM is used on workgroup computers
- A workgroup computer is one that is not joined to an Active Directory domain
- Password hashes with NTLM are not salted
- NTLMv2 passwords are salted
34
What are some of the characteristics of Kerberos?
- Microsoft Active Directory authentication
- Kerberos uses a key distribution center, or KDC
  - Authentication service (AS)
  - Ticket granting service (TGS)
  - Ticket granting ticket (TGT)
- Once you are authenticated you are granted a ticket from the ticket granting service; that ticket is what you present when you try to access resources in the AD domain, and if you should have access to that resource you are let in without having to sign in again
35
What are some of the characteristics of EAP?
- Network authentication framework
- Lets us authenticate using more methods
  - PKI certificate authentication
  - Smart card authentication
- Often EAP uses TLS as a transport mechanism
- Applies to wired and wireless networks
36
What are some of the characteristics of IEEE 802.1X?
- Port-based network access control
- This protocol hands off authentication to a centralized RADIUS server
- This applies to wired and wireless network edge devices
- The devices that can authenticate users to the network include
  - Ethernet switches
  - Routers
  - VPN appliances
37
What are some of the characteristics of RADIUS?
- Centralized authentication server
  - This could be a domain controller
- RADIUS clients are network edge devices
  - Network switches
  - VPN appliances
  - Wireless routers
- We call the actual user trying to connect to the network the RADIUS supplicant
38
What are the characteristics of single sign-on?
- User credentials are not requested after initial authentication
- Protocols used with single sign-on
  - OpenID
  - OAuth
39
What are the characteristics of identity federation?
- Identity federation is when multiple resources trust a single authentication source
  - With this we have a centralized trusted identity provider (IdP)
- Protocols we can use with identity federation
  - Security Assertion Markup Language (SAML)
    - A SAML token is a digital security token that proves your identity
40
Explain a virus
A program that replicates through user interaction; it activates once a user clicks on or downloads it
41
What is fileless malware?
No file; it lives only in memory. Difficult for anti-malware to detect.
42
Explain ransomware
Also known as crypto-malware or crypto-ransomware. Uses encryption to lock a user out of a system; the attacker hides your data until you pay the ransom.
43
Explain a worm
A virus that, once started, uses networking or the internet to self-replicate. More like a pathway for replication.
44
Explain a trojan horse
A program that looks like one thing but does another, usually nefarious. No replication. Remote access trojans, or RATs, maliciously take control of a system remotely.
45
Explain a backdoor
- Created by developers as an easy maintenance entry point
- Can be exploited by attackers if left open by developers
- Can be created in a program by hackers to gain access
46
Explain a PUP, or potentially unwanted program
Software that may have negative or undesirable effects: crapware, adware, spyware, bloatware
47
What are the characteristics of bots/botnets?
- Distributed attack using remotely controlled malware on several computers
- Often running some kind of RAT
- Infected hosts are called bots or zombies
- One use of a botnet is a distributed denial of service, or DDoS, attack
  - Overloading a resource with traffic from a number of sources so that it is unavailable to legitimate users
- Usually has a C2, or command and control, server
48
What is a keylogger?
Can be hardware: a device that plugs in between the keyboard and computer to log keystrokes. Can be software: a program that logs keystrokes.
49
What is a rootkit?
Can often be somewhat invisible. The goal is to get root access to the system. Usually installed at boot on the systems they are attacking.
50
What is a logic bomb?
Often a script set to execute on a timer, going off at a specific time or during a specific event on a system
51
What are some bad security configurations relating to open permissions?
- Open wireless networks
- Guest user accounts; we need to disable these
- No intruder lockout settings, nothing to block failed logon attempts
- Too many file or app permissions assigned by default
52
What are some security best practices for Linux instances?
- Don't sign in with the root account
- Use sudo to run privileged commands
- Disallow remote access as root
- Use su to temporarily switch to root
53
What are some insecure cryptographic solutions?
- WEP is weak
- DES (Data Encryption Standard); use AES instead
- Secure Sockets Layer (SSL); use TLS instead. SSL uses a PKI certificate for encryption
- TLS: versions 1.0 and 1.1 are not secure; the secure versions are 1.2 and 1.3
54
What are some security settings to be aware of with default settings?
- Change the IP address
- Don't have ports open that don't need to be listening
- Don't install everything in the default location with a web server
- Don't use the usernames and passwords that come by default
55
What are some characteristics of zero-day attacks?
An exploit unknown to the vendor and the public. The ZDI (Zero Day Initiative) encourages the private reporting of vulnerabilities to vendors.
56
What are some common attacks?
- DNS sinkholing
- Privilege escalation
- Replay attacks
- Pointer / object dereference
- Error handling
- Dynamic link library (DLL) injection
- Resource exhaustion
- Race condition
57
Explain DNS sinkholing
This attack returns false DNS query results
58
Explain privilege escalation
Attacker acquires a higher level of access. Example: compromising an admin account that has a weak password.
59
Explain replay attacks
Capturing something that happens on the network and replaying it. Common in MITM attacks.
60
What is pointer / object dereference?
Attacker manipulates memory pointers to point to unexpected memory locations. Normally causes software to crash.
61
What is error handling?
Improper handling can crash a system. These errors might disclose too much information.
62
Explain dynamic link library (DLL) injection
Attacker places malicious DLLs in the file system. Legitimate running processes call malicious code within the DLL.
63
What is resource exhaustion?
DoS or DDoS. Can result in memory leaks.
64
Explain a race condition
Actions might occur before a security control is in effect. These are based on timing.
65
What are two driver attacks?
- Driver shimming
- Driver refactoring
66
What is driver shimming?
- Normally used to allow legacy software to run
- A shim can be installed by a malicious user
- If an attacker has access to a device they can install malicious drivers
- This can happen in the supply chain, injected in the software development stage
- Intercepts API calls to run the malicious code
67
Explain driver refactoring
Restructures internal code while maintaining external behavior. Can evade signature-based AV.
68
What are two types of overflow attacks?
- Integer overflow
- Buffer overflow
69
What is an integer overflow?
- Less memory than expected is allocated
- This can lead to
  - Sensitive information disclosure
  - Remote exploit
  - Privilege escalation
  - Application crash
70
What is a buffer overflow?
- Less memory than expected is allocated
- This can lead to
  - Sensitive information disclosure
  - Remote exploit
  - Privilege escalation
  - Application crash
71
What are the two different categories of password attacks?
Online vs offline attacks
72
What are some tools for password cracking?
John the Ripper, Cain and Abel, Hydra
73
What is a password dictionary attack?
Uses common username and password files. Tries thousands or millions of likely possibilities to log in to a user account.
74
What is a brute force attack?
Tries every possible combination of characters. Multiple attempts should trigger an account lockout.
75
Explain what password spraying is
Blast many accounts with a best-guess common password before trying a new password. Slower than traditional attacks. Less likely to trigger account lockout settings.
76
What are the characteristics of bots or botnets?
Bot - a single infected device under attacker control
Botnet - a collection of infected machines under attacker control
77
How are bots controlled in a botnet?
Bots periodically talk to a command and control (C2) attack server. We can mitigate this with an IDS. Attackers might have directions stored in a DNS TXT record.
78
Explain RAID
- Groups disks together to work as one
- We do this for better performance
- Provides high availability
- Hardware RAID uses a RAID controller
- Software RAID is slower and less reliable than hardware RAID
79
What is a storage area network?
Storage out on a network
80
What is RAID 0?
The benefit of RAID 0 is better performance
81
What is RAID 1?
Data in its entirety is written to two separate disks. We get better performance with this. We also get higher availability, because if one disk fails the other one is up to date.
82
What is RAID 5?
Better performance. Parity is stored on separate disks; if one disk fails we can use the parity info on the other disks to rebuild the disk.
83
What is RAID 6?
Requires at least 4 disks. Stores 2 parity stripes on each disk. This means RAID 6 can tolerate two disk failures.
84
What is RAID 10?
This is a combination of RAID levels 1 and 0: disk mirroring, then disk striping. Requires at least 4 disks.
85
What are some ways we can secure hardware?
- Limit physical access to the servers or hardware
  - Alarms, sensors, locks
- Card cloning / skimming
- Use vendor diversity
- Limit USB storage device use
- Apply firmware updates
- Use a USB data blocker
  - Allows recharging but not data transfer
86
Explain what a TPM is
- Used as the basis for a hardware root of trust
- Checks the boot integrity of the machine
  - UEFI Secure Boot
  - Has the boot order changed?
  - Checks the hash of each file to make sure it matches that of the vendor
- Can encrypt and decrypt disk volumes and store the keys in the TPM
  - Microsoft BitLocker is an example of this
87
What are some reasons a machine has failed to boot?
Causes
- Corrupt OS file
- Malware
- Failing disks
- Misconfiguration
Remediation
- Boot from alternative media
- Live boot media
- Revert to a known state or last known good configuration
88
How can we achieve hardware redundancy?
RAID, NIC teaming, UPS, PDU
89
How can we achieve cloud redundancy?
- Multiple network connections to the cloud
- Load balancing
- Cross-region storage replication
90
What are some of the different ways we can secure endpoints?
- EDR
- Host-based firewall
- NGFW
- Allow lists
91
What is EDR, or endpoint detection and response?
Alarms for detected anomalies or malware infections
92
What is a HIDS, or host intrusion detection system?
Looks for suspicious activity. Analyzes log files. Detects and alerts on anomalies.
93
Explain the characteristics of an NGFW
- Packet filtering firewall
  - Up to OSI layer 4
- Deep packet inspection firewall
  - Up to OSI layer 7
- IDS/IPS built in
94
Explain what the physical layer does
- What cabling do we use
- What frequency do we use with wireless
- Getting 1s and 0s from one layer to another
95
What does the preamble do in an Ethernet frame?
The preamble in an Ethernet frame warns the network card that there is an incoming frame
96
What is the purpose of the data link layer?
Allows individual systems to address Ethernet frames and send them to the right place based on MAC address. The data link layer checks the source and destination parts of the Ethernet frame.
97
What is the point of the network layer?
MAC addresses are great for moving data between individual systems on a LAN, but when data needs to leave the LAN you use logical addressing like IP addresses. This layer inspects the destination and source IP address.
98
What is the point of layer 4, the transport layer?
The transport layer's job is to assemble and disassemble packets as they come in
99
What is the point of layer 5, the session layer?
This is where connections are established
100
What is the point of layer 6, the presentation layer?
Used for converting data and encoding it
101
What is ARP used for in a network?
Used to map IP addresses to MAC addresses in a network. ARP traffic is really only local to the LAN.
102
What are the characteristics of ARP cache poisoning?
- Type of man-in-the-middle attack
  - A malicious actor has to have access to the network
  - Victim traffic is sent through the attacker's station
- Attacker can view the victim's traffic
103
What are the steps of an ARP poisoning attack?
1. Attacker has gained access to the network
2. Attacker sends an ARP message saying: please update your ARP cache for this IP and change the MAC address to the attacker's machine
3. Victim devices update their ARP cache
104
What are the mitigations for ARP cache poisoning?
1. Use static ARP cache entries
   a. This means hosts will not accept ARP cache updates
2. Limit access to the network
   a. Use MFA
   b. Use NAC (network access control)
   c. Limit based on device type
105
What are the characteristics of a MAC address flooding attack?
1. Attacker sends traffic with forged source MAC addresses to a switch port
2. Switch memory is filled, so new incoming traffic is sent out to all switch ports
106
What are broadcast storms or switching loops?
- Excessive amounts of broadcast traffic on a network
- Caused by failing equipment
107
What are some layer 2 attack mitigations?
- MAC address filtering for network access
- Static MAC address assignments
- Disable unused switch ports
108
Explain the zero trust security model
- The internal network should be untrusted
- Make sure employees can recognize scams
- Use a network IDS/IPS for the internal network
109
Explain network configuration management
- Network and data flow diagrams
  - Need to know what we have so we can deal with security incidents
- Standard naming conventions
- IP address ranges need to be mapped and consistent
110
Explain a screened subnet
- Some people call this a DMZ
- Public services are in the DMZ
- Firewall rules must be configured for this to work
  - Only allow HTTPS from the internet to the DMZ web server
  - Rules blocking traffic from the internet from getting farther into our internal network
111
What are the key elements of load balancing?
- Increases service availability
- Improves service performance
- Load balancing is multiple backend servers providing the same service
- Load balancing can also use horizontal scaling, which is adding more VMs as the load increases
- Session persistence
  - Clients remain connected to the same backend server
- Active/Active
  - All servers are up and running at the same time
  - Round robin
    - Each request goes to the next backend server
  - Least connections
    - Each request is sent to the least busy backend server
- Active/Passive
  - Backend server status
    - Some are active, some are in a standby state
  - A standby server is activated when an active server fails
112
Explain network access control
- Limit endpoint access to a network
  - We can limit by OS type
  - We can see the device location and where the connection is coming from
  - Make sure there is a host-based firewall
  - Make sure that the AV is up to date
- NAC can be agent-based or agentless
113
What is IEEE 802.1X?
- Port-based network access control
- 802.1X is configured to send authentication requests to a RADIUS server
114
What is the mitigation for rogue DHCP servers?
- DHCP snooping can block rogue DHCP servers
  - Untrusted DHCP server responses are blocked
- DHCP snooping is enabled on network switches
  - This means we specify trusted DHCP ports
115
What is a jump server?
- Also called a jump box or bastion host
- Has a public interface for us to connect to and a private interface for connecting to internal hosts
- Jump servers sit between server admins and target servers
116
What is a honeypot?
- A decoy system or server made to look vulnerable so we can track attacks against it
- Only deploy a honeypot on an isolated network
- Implement logging so we can track the attacks
117
What is a honey file?
- Fake files made to look attractive to hackers
- Implement logging to see what actions are taken on the file
118
What is a honeynet?
A honeynet is a network of honeypots
119
What are the basics of firewalls?
- Hardware appliance
- VM that acts as a firewall
- Host-based firewall
- Firewalls essentially allow or deny incoming / outgoing traffic
- Firewalls use access control lists
120
What is a packet filtering firewall?
- This applies to OSI layer 4, the transport layer
- Stateful firewalls track entire sessions instead of only individual packets
- Packet filtering firewalls can filter based on
  - Source / destination port numbers
  - Source / destination IP addresses
  - MAC addresses
121
What is a content URL filtering firewall?
- Runs at OSI layer 7
- Rules can be based on
  - The direction of the traffic, incoming vs outgoing
  - Packet filtering firewall conditions
  - These firewalls can look at specific protocols
122
What is a WAF?
- OSI layer 7
- Protects against common web application attacks
123
What layer of the OSI model do packet filtering firewalls apply to?
OSI layer 4
124
What layer of the OSI model do content URL filtering firewalls apply to?
OSI layer 7
125
What do web application firewalls protect against?
Common web app attacks
126
What is a forward proxy?
- Fetches internet content for internal users
- Hides the IP address of internal machines: the machines make the request to the proxy server and the proxy makes the request for them
- The user device uses the proxy as its default gateway
- Another benefit of a proxy is that fetched content can be cached, which speeds up subsequent requests
127
What is a reverse proxy?
A reverse proxy is a type of proxy server. Unlike a traditional proxy server, which is used to protect clients, a reverse proxy is used to protect servers. A reverse proxy is a server that accepts a request from a client, forwards the request to another one of many other servers, and returns the results from the server that actually processed the request to the client as if the proxy server had processed the request itself. The client only communicates directly with the reverse proxy server and it does not know that some other server actually processed its request.
128
How would you describe a forward proxy?
A forward proxy fetches content from the internet for the internal users requesting it, and internal client IPs are hidden. A forward proxy enables computers isolated on a private network to connect to the public internet.
129
How would you describe a reverse proxy?
A reverse proxy provides external users access to internal services, and internal server IPs are hidden
130
What is port address translation?
- This can be a hardware or software solution
  - This is normally enabled on a router
  - It can also be called a PAT or NAT gateway
- Multiple internal IPs share a single public IP
- Requests are tracked by internal IP and unique port number
131
How do PAT routers remember where things are?
A PAT router maintains a table in its memory
132
What layer does NAT operate at?
OSI layer 4
133
What layer does a reverse proxy operate at?
OSI layer 7
134
Explain PAT
PAT enables multiple internal clients to gain internet access using a single public IP
135
Explain NAT
NAT maps public IPs to private IPs to allow external clients access to servers
136
What is IPsec?
- Suite of network security protocols
- IPsec has to do with network traffic encryption and authentication
- IPsec can be configured to secure some network traffic or all network traffic
137
What is IPsec tunnel mode?
- Normally used for site-to-site VPNs
- With IPsec tunnel mode the entire original packet is encrypted and placed inside a new IP packet
- A new IP header is added when the packet is encapsulated
138
What is IPsec transport mode?
- Normally used for host-to-host encryption on a LAN or WAN
- In transport mode the original packet header doesn't get changed like it does in tunnel mode; there is also no packet encapsulation
- With transport mode we protect traffic by encrypting it
139
What is the AH, or authentication header, used in IPsec?
- This provides us with integrity and origin authentication
- This is done with hashing algorithms
- The entire IP packet is authenticated with this mode
140
What is the ESP, or encapsulating security payload, in IPsec?
- With this mode we get integrity and origin authentication
- We also gain confidentiality through encryption with this mode
- Only the packet payload, the data within the packet, is encrypted
141
What are two VPN tunneling protocols?
- Layer 2 Tunneling Protocol (L2TP)
  - Normally uses IPsec to provide encryption
- TLS
  - Firewall-friendly VPN solution because it uses port 443
  - With this you access resources through a web browser
142
Explain the characteristics of a client-to-site remote access VPN
- Individual client devices make a secure connection to a remote network
  - Working from home
  - Traveling
- The client device requires VPN software to establish the connection
143
What are some common VPN configuration options?
- Always-on VPN
  - VPN tunnel is established whenever the device is internet connected
  - This helps with deploying updates
- Split tunnel
  - Requests for remote network resources go through the VPN
  - Other requests use the client's internet connection
144
What is a site-to-site VPN?
- Securely links sites together over the internet
- For this to work each site needs a VPN device
- VPN tunnel is established between the two VPN devices
145
Explain an IDS in depth
- Watches for suspicious activity
- Detect
  - Writes anomalous activity to a log
  - Sends an alert
- Prevent
  - Block suspicious activity
- Must detect anomalies in the context of the individual network
  - What is strange on my network might not be strange on your network
  - We will need to tweak this tool to our specific environment
  - We do this to try to reduce the amount of false positives
- IDS is often enabled directly on routers
- The network placement is crucial with these devices
- It can be hard for these devices to detect anomalies in encrypted traffic
- Signature based
  - Looking for known patterns of attacker traffic
146
Explain what a UTM is
- Also called a secure web gateway
- Includes things like
  - Firewalls
  - Proxy servers
  - IDS/IPS
  - WAF
  - Virus scanning
  - Spam filtering
  - Data loss prevention
147
What are the characteristics of DDoS attacks?
- Botnets are used
- Usually flooding networks or apps
- Mitigation
  - Throttling
  - Blackhole routing: routing the traffic to nowhere
148
What is URL hijacking and redirection?
- This attack can stem from user typos that result in redirection to a similar URL
  - Also called typosquatting
- Tainted search results redirect to a malicious site
- DNS poisoning
149
Explain a session replay attack
Attackers can take over sessions
1. Attackers can do this by stealing cookies
2. Form a URL and trick the user into clicking it
Mitigation
1. Set the HttpOnly flag
2. Disallow JavaScript cookie access
150
What are pass-the-hash attacks?
- Take advantage of knowing user password hashes and passing them around the network
- Attacker compromises a system with a user login session
- Attacker uses the hash to gain access to other resources on the network
151
Explain application containers
- App components are managed as a single unit
- Virtual machines contain an entire operating system; application containers do not, all they contain is the files to run the app
152
What is SDN, or software-defined networking?
- Facilitates network management from a GUI or the command line
- This simplifies and hides the underlying network configuration complexities
- VNets
- Subnets
- VPNs
153
What is a hypervisor?
- Operating system that manages virtual machine guests
- On-premises hypervisor: we have full control over this
- Cloud hypervisors can also be deployed
154
What is a type 1 hypervisor?
- A type 1 hypervisor is also called a bare metal hypervisor
- In this instance the hypervisor is the OS; ESXi is an example of this
155
What is a type 2 hypervisor?
- This hypervisor runs as an app within the OS
- VMware Workstation is an example of a type 2 hypervisor
156
How do you harden a virtual machine?
You harden virtual machines the same way you would harden a host: you still have to install patches and disable unused accounts / services.
157
What is VM sprawl?
Unused, forgotten VMs
158
What does cloud computing mean in simple terms?
All this really means is that we are running IT services on somebody else's equipment over a network.
159
What is fog or edge computing?
This is when an on-premises server caches files stored in the cloud. The benefit is that local users have access to that content, which is quicker than accessing it over the internet where it is stored in the cloud.
160
Cloud computing: broad access?
Accessing the cloud over a network from any type of device
161
Cloud computing: self service provisioning?
Spinning up resources yourself
162
Cloud computing: rapid elasticity?
Growing our cloud resources quickly
163
Cloud computing: metered usage?
Usage of cloud resources is tracked
164
What is the public cloud?
- AWS and Azure are examples of this
- Anybody can sign up for an account
- Cloud tenant isolation: isolated environments in the cloud
165
What is the private cloud?
- Cloud is owned and used by a single org
- Requires an upfront capital investment
- Organization assumes full hardware/software responsibility
166
What is a hybrid cloud?
- Combines public and private cloud
- Public clouds can be used for redundancy and disaster recovery
167
What is a community cloud?
- Cloud computing for organizations/agencies with similar cloud computing needs
- Example is the government cloud in Azure
168
What are some common cloud service models?
- Infrastructure as a service (IaaS)
- Platform as a service (PaaS)
- Software as a service (SaaS)
169
Explain the IaaS cloud model.
- This can be a variety of services such as storage and network devices
- Do not expose to the internet when possible
- In this model the cloud service provider is responsible for the underlying infrastructure
- The cloud tenant is responsible for:
  - Deploying VMs
  - Deploying storage
  - Hardening the system
170
Explain the platform as a service cloud model.
These are usually databases and software developer tools. In this model the underlying VMs are managed by the provider.
171
Explain the SaaS or software as a service cloud model.
This is usually productivity software. The cloud service provider is responsible for the hardware, VMs, and the software installation and patching.
172
What are the cloud service provider's security responsibilities?
- Everything related to the hardware in their data centers
  - Power
  - HVAC
  - Hardware configuration
  - Firmware updates
- Responsible for the security of software in the PaaS and SaaS models
173
What are some cloud security controls?
- CASB (cloud access security broker)
- Next generation secure web gateway
- Firewall solutions
- Policies
174
What is CASB?
- This enforces security policies when accessing cloud resources
- This is normally done via proxying
175
What is a next generation secure web gateway?
CASB functionality plus additional security features such as:
- Web content filtering
- Data loss prevention
176
Describe code injection attacks.
- Adding your own information into a data stream
- This is often enabled because of bad programming within an application
  - The application should properly handle input and output
- There are many different types of injection attacks including HTML, SQL, XML, LDAP, etc.
177
Explain SQL injection attacks.
- SQL stands for structured query language
- SQL injection allows modifying SQL requests
- Your application really shouldn't allow this
178
Explain XML injection attacks.
- XML stands for extensible markup language
  - XML is a set of rules for data transfer and storage
- In XML injection attacks you modify the XML requests; a good application will validate these requests
179
What is LDAP injection?
- LDAP was created by the telephone companies and is now used by almost everyone
- LDAP is used to store information about authentication
180
What is DLL injection?
- Dynamic link library
  - A Windows library containing code and data
  - Many applications can use this library
- Inject a DLL and have an application run a program
181
Explain a buffer overflow attack.
A buffer overflow attack occurs when one section of memory is able to overwrite a different section of memory.
182
What are the mitigations for a buffer overflow attack?
Developers need to perform bounds checking to make sure no one is able to overwrite certain sections of memory.
183
What are some of the characteristics of replay attacks?
- Useful information is transmitted over the network; a crafty attacker will take advantage of this
- An attacker will need raw access to the network data
  - They can achieve this with a network tap, ARP poisoning, or malware on the victim computer
- The gathered information may be replayed across the network to appear as someone else
- Session IDs or credentials are what attackers are usually after with replay attacks
184
What are the characteristics of a pass the hash attack?
- This is a common replay attack
- Attacker captures the hash and replays it through the network, which can allow them to gain access to resources
- Mitigation
  - Avoid this type of replay attack with salt or encryption
185
What do we have to keep in mind with browser cookies and session IDs?
- Cookies can provide useful information for attackers trying to do replay attacks
- Cookies are used for tracking, personalization, and session management
  - These can be a security risk if someone gains access to them
- Session IDs are often stored in cookies
186
What is session hijacking?
- Attacker gains access to the session ID
- First the attacker needs to get the information
  - They can do this with a tool like Wireshark
- Then they need to modify the headers
187
What are the mitigations for replay and session attacks?
- Encrypt end to end
- They can't capture your session ID if they can't see it
- Use HTTPS
188
What are some security concerns with DNS?
- DNS
  - TCP/UDP port 53
- DNS can be susceptible to domain hijacking
- DNS can fall victim to URL redirection attacks
- Cache poisoning is when an attacker poisons a DNS cache
189
What is DNSSEC?
It is the secure version of DNS because all zones use forests
190
What are security considerations to be aware of with SNMP?
- UDP port 161/162
- SNMP version 1 was all unencrypted
- Versions 2 and 3 are encrypted
- Version 3 is the most secure
191
What is FTP over SSL called and what port does it run on?
This runs through an SSL tunnel on TCP port 990
192
What is SFTP and what port does it run on?
SFTP is SSH FTP; it runs through SSH on TCP port 22
193
What is SRTP and what port does it run on?
Secure real time transport protocol, for encrypting VoIP calls; UDP port 5004
194
What are some ways we can secure web apps?
- Hide the true web server IP address
  - A load balancer can achieve this because clients are connecting to the load balancer IP
  - Reverse proxies can also do this
  - NAT will hide the IP address as well
- Run HTTPS
  - This is enabled on the web server
  - Requires a server PKI certificate
  - HTTPS is port 443
  - TLS: network security protocol
  - TLS works together with PKI
  - Need to use TLS version 1.2 or higher
195
What are some of the characteristics of SSL LDAPS?
- Directory service access protocol
- Supported by Microsoft Active Directory
- Requires a server PKI certificate
- LDAPS uses TCP port 636
196
What is SMTP used for?
SMTP is used to send mail
197
What are the characteristics of cross site request forgeries?
- This attack targets users and unchanging session tokens
- This attack is designed to hijack authenticated sessions between a client and a server
198
What is server side request forgery?
- This happens on the server side, as opposed to CSRF, which happens on the client side
- This attack targets web servers, hoping to compromise the web server
- Designed to have the server make HTTP requests to other services
199
Walk through a cross site request forgery.
1. User authenticates to a legitimate banking website
2. While logged into the banking website, the user is tricked into visiting a fake site
3. User unknowingly sends malicious requests/instructions to the legitimate banking website using the existing authenticated session
200
What are the mitigations for request forgeries?
- Harden client devices
- Use a web application firewall (WAF)
201
Explain request forgery attacks simply.
Request forgeries involve hijacking existing sessions to run malicious user commands.
202
Explain CSRFs simply.
Cross site request forgeries (CSRFs) attack victims that already have authenticated sessions.
203
Explain SSRFs.
Server side request forgeries (SSRFs) attack server sessions to other hosts such as backend databases.
204
Explain an XSS attack.
- Cross site scripting attacks start with a web app that doesn't properly validate or sanitize input
- All user input must be untrusted
- Attacker injects malicious code into a vulnerable website
- JavaScript is commonly used in XSS attacks
- Website visitors unknowingly execute the malicious code
205
How does an XSS attack work?
In an XSS attack, attackers inject malicious code into a web app; then victims visit the web app and the malicious code is executed on their device in the web browser.
206
What are the characteristics of injection attacks?
- Malicious user input is accepted by the web app
- Types
  - SQL injection
  - LDAP injection
  - XML injection
- Mitigation
  - Sanitize user input
207
What are the characteristics of secure coding?
Developers need to adhere to software development security best practices:
- Input validation
- Secure web browsing cookies
- HTTP headers
- Code signing
208
What are the steps in the software development lifecycle?
1. Planning
2. Defining
3. Designing
4. Building
5. Testing
6. Deployment
209
What is continuous integration or continuous delivery, also known as CI/CD?
- Automate developer code changes
- Test for quality assurance
- Send update notifications to users for code version control
- Security issues
  - Attackers could make changes and inject them into the update
210
Explain infrastructure as code or IaC.
- VM templates
  - Able to deploy a VM from a baseline
- Cloud templates
  - Deploy rapidly from the cloud
- These methods allow for rapid and consistent provisioning/deprovisioning
211
What is software testing?
- Static testing
  - Often called code review
  - Manually scanning code
- Dynamic testing
  - Observe runtime behavior
  - One way to do this is with fuzzing
  - Fuzzing is throwing unexpected data at an application
212
What does S/MIME stand for?
Secure multipurpose internet mail extensions (S/MIME)
213
Zero day attacks
- A vulnerability without a patch
- Never seen this vulnerability before; it's brand new
214
What are the issues with open permissions?
- Very easy to leave a door open
- This is becoming more common with cloud storage
215
What are the issues with unsecured root accounts?
- Can be misconfigured, or the password is weak
- You can disable the admin or root account as a security best practice
- It's best to protect root or admin accounts
216
Why would we need to make sure our applications don't give out verbose errors?
Error messages can provide useful information to an attacker
217
What are the risks associated with weak encryption?
- Use strong encryption protocols such as AES or 3DES
- Make sure the hashes don't have any vulnerabilities
- Some cipher suites are easier to break than others
218
What are some of the common insecure protocols?
- Some protocols aren't encrypted; these are:
  - Telnet
  - FTP
  - SMTP
  - IMAP
219
What are the risks associated with default settings?
Every application and network device has a default login; they need to be changed.
220
What are the risks associated with open ports and services?
- Services will open ports; it's important to manage access
- Often managed with a firewall
  - Manage traffic flows
  - Allow or deny based on port number or application
221
What are the risks of improper patch management?
- Often centrally managed
  - The update server determines when you patch
  - Test all your apps, then deploy
  - Efficiently manage bandwidth
- Many different types of patches
  - Firmware associated with the BIOS of the device
  - Operating system patches
  - Application patches provided by the manufacturer
222
What are some of the impacts of exploited vulnerabilities?
- Data loss
- Identity theft
- Reputation impacts
- Availability loss
223
What is the goal of threat hunting?
Threat hunting is a constant game of cat and mouse; the goal is to find the attacker before they find you.
224
What is the first step in threat hunting?
- The data comes from logs and sensors, network information, internet events, and intrusion detection
- Then we can add data from external sources
  - Threat feeds, government alerts, advisories, bulletins, and social media
225
What are some of the basics with vulnerability scans?
- Port scans
  - Poke around and see what's open
- Identify all the devices on the network
- It's important to test from the outside and the inside
226
What are some of the different types of vulnerability scans?
- Non-intrusive scans or passive scans
  - Gather information, don't try to exploit a vulnerability
- Intrusive scans
  - You will try out the vulnerability and see if it works
- Non-credentialed scan
  - The scanner can't log in to the remote devices
- Credentialed scan
  - You are a normal user; this emulates an inside attack
227
What are false positives with vulnerability scans?
False positives: a vulnerability is identified that doesn't really exist
228
What are false negatives with vulnerability scans?
Indicating you don't have a vulnerability when you really do
229
What is a SIEM?
- Collects logs of security alerts
- Usually includes advanced reporting features
- Data correlation
  - Link diverse data types
230
Why is it important for companies to have good documentation of assets and systems?
With good documentation of our systems it's easier to rebuild those systems if a disaster occurs.
231
What are the different diagrams we should have as a business?
- Network diagrams
  - Document the physical wiring and devices
- Physical data center layout
  - Can include physical rack locations
232
What is a baseline configuration?
- The security of an application environment should be well defined
- All application instances must follow this baseline
- The baseline configuration should include firewall settings, patch levels, and OS file versions
- These will probably require constant updates
233
What is an IP schema?
- An IP address plan or model
  - Consistent addressing for network devices
  - Helps avoid duplicate IP addressing
- Might assign different IP ranges to different locations
234
How do we protect data in our organizations?
- Use encryption
- Security policies
- Data permissions
  - Who has access to what
235
What does data sovereignty mean?
- Data that resides in a country is subject to the laws of that country
- GDPR (general data protection regulation)
  - Data collected on EU citizens must be stored in the EU
236
What is data masking?
- This means hiding some of the original data
- Protects PII
- Many different techniques for masking: encrypting, shuffling, substitution
237
When we are using encryption, what is the different data called as it is encrypted?
The original information is called plaintext; the encrypted form of that data is called ciphertext.
238
What is diffusion as it relates to encryption?
If you change one character in the plaintext then the resulting ciphertext is going to be dramatically different.
239
What is data at rest?
- Encrypt the data
  - Whole disk encryption
  - Database encryption
- Apply access control lists
  - Only authorized users can access the data
240
What is data in transit?
- Data transmitted over the network
- Also called data in motion
- Usually we protect this data with a firewall or IPS
- We can also provide transport layer security
  - Using TLS
  - Using IPsec
241
What is data in use?
- Data is actively being processed in memory
  - System RAM, CPU registers, and cache
- This data is almost always decrypted; otherwise you couldn't do anything with it
- This data is useful for attackers because they can pick the decrypted information out of RAM
242
What is tokenization as it relates to security?
- Replace sensitive data with a non-sensitive placeholder
- This practice is common with credit card processing
243
What is information rights management or IRM?
- Control how data is used
- This is common in Microsoft documents, especially email messages and PDFs
- Restrict data access to unauthorized persons
  - Prevent copy and paste
  - Control screenshots
  - Manage printing
  - Restrict editing
244
What are DLP systems?
Prevent loss of data from company systems
- Endpoint DLP resides on the endpoint
- DLP technologies on the network that are inspecting packets
- DLP systems on the servers
245
What systems are USB blocking techniques common in?
DLP systems can block USB drives
246
How does cloud DLP work?
- These are located between the users and the internet
- Block custom defined data strings
- Manage access to URLs
- Prevent file transfers to cloud storage
247
What are some of the characteristics of DLP and email?
- Smart to have DLP on your email so data is not sent out
- Inbound
  - Block keywords, identify imposters, quarantine email messages
- Outbound
  - Fake wire transfers, W-2 transmissions, employee information
248
What is offsite recovery?
When recovery systems are hosted in a different location outside the scope of the disaster
249
What are some of the characteristics and goals of incident response?
- The incident response plan should already be established in the event of a disaster
  - Documentation is critical with IR
  - The goal is to identify the attack and then contain the attack
- After we have identified an attack we want to limit data exfiltration and limit access to sensitive data
250
What are some characteristics of SSL/TLS inspection?
- Commonly used to examine outgoing SSL/TLS traffic
- Encryption can make a defender's job harder because information on the network is encrypted, so it's harder to see what is going out and what is coming in
- With SSL inspection we are able to put ourselves in the middle of the conversation and inspect the traffic while maintaining trust on the client side and the server side
- To inspect this traffic we usually use a firewall to decrypt the data
251
What is SSL trust?
- Your browser contains a list of trusted CAs
- Your browser doesn't trust a website unless a CA has signed the web server's encryption certificate
- Before issuing a certificate to a site, the CA makes sure the site is legitimate
252
What is hashing?
- Represents the data as a short string of text
- One-way trip: impossible to recover the original message from the digest
- Hashing is used to store passwords and achieve confidentiality
- You can use hashing to verify a downloaded document is the same as the original
253
What are some security considerations we have to take into account with APIs?
- APIs are used to control software or hardware programmatically
- On-path attacks can target APIs and replay API commands
- API injection
  - Inject data into an API message
254
What are some basics of API security?
- Authentication is an important part of API security
  - We want to limit API access to legitimate users
  - Only use APIs over secure protocols
- Authorization is another important part of API security
  - APIs should not allow extended access
  - Each user should have a limited role in what they can do
  - A read-only user should not be able to make changes
255
What are some common examples of embedded systems?
- Traffic light controllers
- Digital watches
- Medical imaging systems
256
What do embedded systems usually run on?
Often embedded systems are running on a SoC or system on a chip
257
What are some security considerations with embedded systems?
- Difficult to upgrade hardware
- Limited off the shelf security options
258
What is a field programmable gate array?
- This is an integrated circuit that can be configured after manufacturing
- With these devices a problem doesn't require a hardware replacement
- These devices are common in infrastructure devices
  - Firewalls
  - Switches
  - Routers
259
What is SCADA/ICS?
- With SCADA systems the PC manages equipment
  - Power generation, refining, manufacturing equipment
  - Common to find this in different facilities
    - Industrial
    - Energy
    - Logistics
260
Explain what IoT devices are.
- Sensors are IoT devices
  - Heating and cooling, lighting
- Smart devices
  - Home automation, video doorbells
- Wearable technology
  - Temperature, air quality, lighting
- IoT devices usually have weak defaults
261
What are some specialized embedded systems devices?
- Medical devices
- Vehicles commonly have embedded systems in them
- Embedded systems are also common on aircraft
262
What telephone system is an embedded system?
- VoIP is also an embedded system
- Each VoIP device is a standalone computer
263
What are the characteristics of 5G?
- Significant performance improvements
- Operates at higher frequencies
- 5G has a dramatic impact on IoT devices
  - We can do larger data transfers
  - Faster monitoring and notifications
  - Additional cloud processing
264
What are the characteristics and details of SIM cards?
- To connect to cellular networks you need a SIM card
- IoT devices will need a SIM card to use cellular technology
- The SIM card contains a lot of details
  - Authentication information
  - Contact information
265
What is narrowband technology?
- If an IoT device is not using cellular technologies it's probably using narrowband
- Narrowband allows many IoT devices to communicate over longer distances
- You might find narrowband in
  - SCADA equipment
  - Sensors in oil fields
266
What are some of the constraints of embedded systems?
- May not have access to a main power source
- Batteries may need to be replaced and maintained
- Low power CPUs that are limited in speed
- May not have the option for a wired link
- Wireless is a limiting factor
- Limited cryptography features
- Inability to patch, or very hard to patch
- No authentication, or very limited
267
What are some secure protocols with voice and video?
- SRTP: secure real time transport protocol
- SRTP adds security features to RTP and keeps conversations private
- The encryption used for SRTP is AES
- Additional security features of SRTP
  - Authentication
  - Integrity
  - Replay protection
  - These additional features are accomplished using HMAC-SHA1, which is hash-based message authentication code
268
What is the secure version of NTP?
- Classic NTP has no security features
- NTPsec
  - Secure network time protocol
  - Cleaned up the code base
269
What are some secure protocols used with email?
- S/MIME
  - Secure multipurpose internet mail extensions
  - Features public key encryption and digital signing of mail content
  - Requires a PKI or similar organization of keys
- Secure POP and secure IMAP
  - Uses a STARTTLS extension to encrypt POP3 with SSL, or use IMAP with SSL/TLS
270
What are some secure web protocols?
- SSL/TLS: secure sockets layer / transport layer security
- SSL is older, TLS is newer; if someone says SSL they are actually referring to TLS
- HTTPS over TLS
  - HTTPS uses public key encryption
  - Private key on the server
  - Symmetric session key is transferred using asymmetric encryption
271
What are the characteristics of IPsec?
- This is security for OSI layer 3
- IPsec provides authentication and encryption for every packet
- IPsec includes packet signing for integrity and anti-replay features
- One of the benefits of IPsec is it is very standardized; it's common to use multi-vendor implementations
- The two core IPsec protocols
  - Authentication header (AH)
  - Encapsulating security payload (ESP)
272
What are secure protocols that deal with file transfers?
- FTPS: file transfer protocol secure / FTP over SSL (FTP-SSL)
  - This is not to be confused with SFTP
- SFTP is the SSH file transfer protocol
  - Provides file system functionality
- FTPS uses SSL to provide the encryption; SFTP uses SSH to provide the encryption
273
What is the LDAP protocol?
- Protocol for reading and writing directories over an IP network
  - An organized set of records, like a phone directory
- Commonly used in Microsoft AD
274
What is LDAPS?
A nonstandard implementation of LDAP over SSL
275
What is SASL or simple authentication and security layer?
A nonstandard implementation of LDAP over SSL
276
What is a secure protocol for remote access?
- SSH
  - Encrypted terminal communication
  - Replaces Telnet
- Provides secure terminal communication and file transfer features
277
What were the security holes in the original DNS?
- Originally created without security in mind
- Very easy to perform DNS poisoning attacks on the original DNS
278
What is DNSSEC?
- Domain name system security extensions
- DNSSEC lets us validate the information we are getting from a DNS server using:
  - Origin authentication
  - Data integrity
- DNSSEC also uses public key cryptography
  - DNS records are signed with a trusted third party
  - Signed DNS records are published in DNS
279
What are some secure protocols that are common with routing and switching?
- If you are querying your routers and switches then you will use the SNMP protocol
- SNMPv3 is the most secure and offers the following features
  - Confidentiality: encrypted data
  - Integrity: no tampering of the data
  - Authentication: verifies the source
280
What are some of the ways to secure DHCP?
- DHCP does not include any built-in security
- Within Active Directory you can avoid rogue DHCP servers because DHCP servers must be authorized
- Cisco uses something called DHCP snooping, which blocks DHCP requests not coming from trusted interfaces
281
What are some of the security concerns with cellular networks?
- Some of the security concerns with cell networks
  - Traffic monitoring
  - Location tracking
282
What are some security considerations to be aware of with Wi-Fi?
- Encrypt your data so it can't be captured
- We need to be concerned about on-path attacks with Wi-Fi
283
Where is RFID common?
- Access badges
- Inventory / assembly line tracking
- Pet / animal identification
- Anything that needs to be tracked
284
Where is NFC or near field communication common?
- Two-way wireless communication
- Builds on RFID
- Payment systems use this
  - Google Wallet
  - Apple Pay
- NFC helps with Bluetooth pairing
285
What are some security concerns with NFC?
- Remote capture
- Frequency jamming
- Relay / replay attacks
286
What does MDM stand for and what does it do?
Mobile device management
- Manage company owned and user owned mobile devices
- MDM gives us centralized management of the mobile devices
- Set policies on apps, data, camera, etc.
287
MDM application management?
- Managing mobile apps is a challenge
- Not all applications are secure
  - Some are malicious
  - Android malware is a rapidly growing security concern
- A good way to manage application use is through allow lists
  - Only approved applications can be installed
288
Mobile content management (MDM)?
- Secure access to data
- Protect data from outsiders
289
What is remote wipe?
- Remove all the data from your mobile device
- Often managed from MDM
290
What is context aware authentication?
- Combines different characteristics to create a profile of who might be trying to authenticate
- Combine multiple contexts
  - Where you normally log in
  - IP address
  - Where you normally frequent
  - GPS information
291
What is a MicroSD HSM and what is it used for?
- HSM stands for hardware security module
- Provides security services
  - Encryption
  - Key generation
  - Digital signatures
  - Authentication
- We can also store information securely in HSMs
  - Protect private keys
  - Crypto storage
292
Unified endpoint management?
- UEM is used to manage mobile and non-mobile devices
- UEM is an evolution of the mobile device manager
293
Mobile application management (MAM)?
- Provision, update, and remove apps
- Keeps everyone running at the correct version
- We can use this to create an enterprise app catalog
  - Users can choose and install the apps they need
294
Availability zones or AZs in the cloud?
- Isolated locations within a cloud region
- AZs commonly span across multiple regions
- Each AZ has independent power, HVAC, and networking
295
How do we build applications to be highly available?
- Build an application to be active in one AZ and on standby in another AZ
- The application will then be able to recognize an outage and move to another AZ
- Use load balancers to provide seamless high availability
296
Explain the characteristics of identity and access management or IAM.
- Identity and access management
  - Who gets access
  - What do they get access to
- IAM allows us to create different groups and map job functions to those roles
  - We can combine users into groups
- We can also use IAM to provide access to cloud resources
  - Set granular policies
  - Group, IP address, date and time
297
Secrets management?
- Cloud computing includes many secrets
  - API keys, passwords, certificates
- The number of secret keys can easily become overwhelming
  - It's difficult to manage and protect all of these
- Provide an audit trail
  - Know exactly who accesses secrets and when
298
How do permissions help us secure the cloud?
- A significant cloud storage concern
- One permission mistake can cause a breach
- Many different options for managing cloud storage access
  - Identity and access management
  - Bucket policies
  - Globally blocking public access
- Don't put data into the cloud unless it really needs to be there
299
How do we use encryption to secure the cloud?
- Cloud data is more accessible than non-cloud data
- Server side encryption
  - Encrypt the data in the cloud
  - Data is encrypted when stored on disk
- Client side encryption
  - Data is already encrypted when it's sent to the cloud
  - This is performed by the application
  - Encrypting the data locally, then sending it to the cloud
300
How does replication help us secure the cloud?
- Copy data from one place to another
  - Real time data duplication in multiple locations
- Replication is common for disaster recovery and high availability
  - Plan for problems
  - Maintain uptime if an outage occurs
  - Hot site for disaster recovery
- Having a backup is a good reason to use replication
301
What are the two primary ways users communicate to the cloud?
- From the public internet
- Over a VPN tunnel
302
What are virtual networks?
- Virtual switches, virtual routers
  - Build the network from the cloud console
  - You can use the same configurations as a physical device
303
What is a private cloud?
- All internal IP addresses
- Connect to the private cloud over a VPN
- No access from the internet
304
What is a public cloud?
- External IP addresses
- Connect to the cloud from anywhere
305
What is a hybrid cloud?
- Combine internal cloud resources with external
- May combine both public and private subnets
306
How does segmentation help us secure cloud networks?
- Some clouds may have segmentation: separate VPCs, containers, and microservices
  - Application segmentation is almost guaranteed
- Virtualized security technologies
  - Web application firewall (WAF)
  - Next generation firewall (NGFW)
307
What is dynamic resource allocation?
- Provision resources when they are needed
  - Based on demand
- Scale up and down
  - Allocate compute resources where and when they are needed
  - This is called rapid elasticity
- Pay for only what's used
308
What are virtual private cloud endpoints?
- VPC gateway endpoints
  - Allow private cloud subnets to communicate with other cloud services
- VPC endpoints allow us to keep private resources private
  - Internet connectivity is not required
309
What is a CASB?
- A CASB will help us enforce the security policies in the cloud
- This can be implemented as client software, a local security appliance, or a cloud based security solution
310
What are the characteristics of a CASB?
- Visibility
  - Determine what apps are in use
  - Determine what users are authorized to use those applications
- Compliance
  - Are users complying with HIPAA? PCI?
- Threat prevention
  - Allow access by authorized users; prevent access from everyone else
- Data security
  - Ensure that all data transfers are encrypted
  - Protect the transfer of PII with DLP
311
How does application security go in the cloud?
- Secure cloud based applications
  - Complexity increases in the cloud
- Application misconfigurations
  - One of the most common security issues
  - Especially cloud storage
- API security
  - Attackers will try to exploit interfaces and APIs
312
What is a next generation secure web gateway or SWG?
- Used to protect users and devices
  - Regardless of location and activity
- SWGs go beyond URLs and GET requests
  - Examine the applications and API
- Also able to examine JSON strings and API requests
  - Allows or disallows certain activities
313
what is an identity provider or IDP ?
* A service that can vouch for who a person is
* Think of this as authentication as a service
○ Commonly used by SSO applications or any authentication process
314
what are attributes mean when dealing with identity
* To understand an identity we have to gather attributes
* Personal attributes
○ Name, email address, phone number, employee ID
* Other attributes
○ Department name, job title
315
how do certificates help with identity ?
* Digital certificate
○ Assigned to a person or device
* Binds the identity of the certificate owner to a public key; the matching private key stays with the owner and is never part of the certificate
○ Used to encrypt data and create digital signatures
316
what are the characteristics of SSH keys ?
* With SSH you can use a key pair instead of a username and password
○ Public/private keys
○ Critical for automation
* Key management is critical
○ Protect the private key, rotate keys, and remove stale public keys from authorized_keys
* The command for creating a public/private key pair on Linux is ssh-keygen
317
what are the characteristics of user accounts ?
* Shared account
○ Used by more than one person
○ Guest logins or anonymous logins
* With these accounts it is very difficult to create an audit trail
○ No way to know exactly who was working
○ Difficult to determine the proper privileges
* Password management becomes difficult
○ A password change requires notifying everyone
○ Difficult to remember so many password changes
318
what are the characteristics of guest accounts ?
* Access to a computer for guests
○ No access to change settings, modify applications, view other users' files, and more
○ Usually no password on a guest account
* Guest accounts bring significant security challenges
○ Access to the user space is one step closer to an exploit
○ Must be controlled
319
what are the characteristics of service accounts ?
* Used exclusively by services running on a computer
○ No interactive/user access
* Access can be defined for a specific service
○ A web server's rights and permissions will differ from a database server's
* Service accounts commonly use usernames and passwords
○ You will need to determine the best policy for password updates
320
what are the characteristics of privileged accounts ?
* Elevated access to one or more systems
○ Administrator, root
* Privileged accounts have full access to the OS
* This account should not be used for day-to-day work
○ Regular user accounts should be used, elevating only when a task requires it
* Needs to be highly secured
○ Strong passwords
321
what is the purpose of account policies ?
* Control access to an account
* The authentication process
○ Password policies
○ Authentication factor policies
* Permissions after the login
322
what are some of the auditing we can do with accounts in our network ?
* Permission auditing
○ Does everyone have the correct permissions?
* Usage auditing
○ How are resources used?
○ Are your systems and applications secure?
323
what are some things we can do to make our passwords strong ?
* Make your password strong
* Increase password entropy
○ Entropy is a measure of how unpredictable a password is
○ No single words, no obvious passwords
○ Mix uppercase and lowercase with digits and special characters
○ Stronger passwords are at least 8 characters; entropy grows with every added character, so longer is better
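An added example (not part of the original flashcards) that puts numbers on the entropy claim above: it sizes the character pool a password draws from, computes the entropy ceiling length × log2(pool), and estimates how long exhausting that space takes at an assumed guessing rate. The character classes, the denylist of common passwords and the 1e10 guesses/second rate are constructed assumptions, and the figure is an upper bound that only holds for randomly generated passwords.

```python
import math
import string

# Added example, not part of the original flashcards. Character classes a
# password is assumed to draw from; the pool is what a brute-force attacker
# must cover at every position.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}

# Constructed denylist of obvious choices; a real check would consult a
# large breached-password list instead.
COMMON = {"password", "letmein", "qwerty", "123456", "welcome"}


def pool_size(password: str) -> int:
    """Size of the smallest pool that covers every character class used."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def entropy_bits(length: int, pool: int) -> float:
    """Entropy ceiling: a uniformly random password of this length over this
    pool has length * log2(pool) bits. Human-chosen passwords have far less,
    so treat the result as an upper bound, not a measurement."""
    if length <= 0 or pool <= 1:
        return 0.0
    return length * math.log2(pool)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time for an attacker to try every possibility at the given rate."""
    return 2.0 ** bits / guesses_per_second


def evaluate_password(password: str, min_bits: float = 60.0) -> dict:
    """Report pool, entropy ceiling and a pass/fail verdict."""
    pool = pool_size(password)
    bits = entropy_bits(len(password), pool)
    return {
        "length": len(password),
        "pool": pool,
        "bits": round(bits, 1),
        "acceptable": bits >= min_bits and password.lower() not in COMMON,
    }


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3", "correcthorsebatterystaple"):
        report = evaluate_password(pw)
        days = seconds_to_exhaust(report["bits"], 1e10) / 86400  # assumed rate
        print(f"{pw!r}: pool={report['pool']} bits={report['bits']} "
              f"exhaust@1e10/s={days:.1f} days acceptable={report['acceptable']}")
```

The contrast worth noticing is that an 8-character password over all 94 printable characters reaches roughly 52 bits, while a 25-character lowercase-only passphrase exceeds 110 bits: length buys more than character mixing does.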
324
what are password keys ?
* Hardware-based authentication
○ This is under the category of something you have
* Helps prevent unauthorized logins and account takeovers: even an attacker who has your account password does not have your hardware key
325
what are password vaults ?
* Password managers
○ All passwords in one location
○ A database of credentials
* Secure storage
○ All credentials are encrypted
○ Cloud-based synchronization options
* Create unique passwords
○ Passwords are not the same across sites
326
what is the TPM or trusted platform module ?
* Hardware to help us with encryption
* A TPM provides a cryptographic processor
○ Includes a hardware random number generator and key generation
* Keys can also be stored securely on the TPM, where they cannot be read out by the OS
327
what is HSM or the hardware security module ?
* If you manage a large number of servers that use encryption, you need a way to centralize the management of all their keys; one way to do that is with an HSM
* An HSM is usually a server or appliance with specialized hardware inside that performs cryptographic functions quickly
* An HSM can be used for centralized storage of encryption and decryption keys
328
what is knowledge based authentication or KBA ?
* Using personal knowledge as an authentication factor
○ Something you know
* Static KBA
○ Pre-configured shared secrets
○ Often used with account recovery
○ Example: what was the make and model of your first car?
* Dynamic KBA
○ Questions are based on an identity verification service or pulled from public records
329
what is PAP or the password authentication protocol ?
* A basic authentication method
○ Used in legacy operating systems
○ Rare to see used on its own
* PAP is in the clear
○ Weak authentication scheme
○ Non-encrypted password exchange
○ It would fall on the application to provide the encryption
330
what is CHAP or the challenge handshake authentication protocol ?
* A random challenge is sent over the network and answered with a hash, so the password itself never crosses the wire
* CHAP uses a three-way handshake
○ After a link is established, the server sends a challenge message
○ The client responds with a hash calculated from the challenge and the password
○ The server computes the same hash from its own copy of the password and compares; a match authenticates the client
* Challenge-response
○ Not just at the beginning; occurs periodically during the connection
○ The user never knows it happens
* Because the server must recompute the hash, it has to store the password in a recoverable form
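An added example (not part of the original flashcards) of the handshake described above, with both sides' computations: the authenticator picks a random challenge, the peer answers with MD5(identifier || secret || challenge) as RFC 1994 specifies, and the authenticator recomputes and compares. The PAP message is included only to show what crosses the wire without a challenge. The shared secret and identifier values are constructed.

```python
import hashlib
import hmac
import os

# Added example, not part of the original flashcards: a minimal RFC 1994
# CHAP round with MD5, plus the equivalent PAP message for contrast.
# Constructed shared secret; both peers must hold it in a form the server
# can read, which is CHAP's main storage weakness.
SHARED_SECRET = b"correct-horse-battery"


def make_challenge(identifier: int, length: int = 16) -> tuple:
    """Authenticator side: a fresh random challenge for this round. Reusing
    a challenge would let an eavesdropper replay a captured response."""
    return identifier, os.urandom(length)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: Response = MD5(Identifier || secret || Challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes,
                response: bytes) -> bool:
    """Authenticator side: recompute from the stored secret and compare in
    constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def pap_authenticate_request(username: bytes, password: bytes) -> bytes:
    """PAP has no challenge: the password itself is the message."""
    return username + b":" + password


def run_chap_round(secret_on_peer: bytes, identifier: int = 1) -> dict:
    """Simulate one challenge/response and report what crossed the wire."""
    ident, challenge = make_challenge(identifier)
    response = chap_response(ident, secret_on_peer, challenge)
    on_wire = challenge + response
    return {
        "authenticated": chap_verify(ident, SHARED_SECRET, challenge, response),
        "secret_on_wire": SHARED_SECRET in on_wire,
        "response_len": len(response),
    }


if __name__ == "__main__":
    print(run_chap_round(SHARED_SECRET))    # authenticated, secret not on wire
    print(run_chap_round(b"wrong-secret"))  # rejected
    print(pap_authenticate_request(b"bob", SHARED_SECRET))  # secret in clear
```

Periodic re-authentication is just this round repeated with a new identifier and challenge; an attacker who captured one exchange cannot reuse it because the challenge will not match.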
331
what is MS-CHAP?
* Microsoft's implementation of CHAP
○ Commonly used with Microsoft's PPTP (Point-to-Point Tunneling Protocol)
○ MS-CHAPv2 is the most recent version
* Relatively easy to brute force because the response is built on DES; don't use MS-CHAP
332
what is radius and what do we use it for ?
RADIUS: Remote Authentication Dial-In User Service
* One of the more common AAA protocols
* Supported on a wide variety of platforms and devices
* Centralized authentication for users
○ Routers, switches, firewalls
○ Server authentication
○ Remote VPN access
○ 802.1X network access
333
what is TACACS ?
Terminal Access Controller Access-Control System, a remote authentication protocol
334
what is TACACS+?
* TACACS+ is the latest version of TACACS and is not backwards compatible
○ More authentication requests and response codes
335
what is kerberos ?
* Kerberos provides single sign-on
* We authenticate one time and from that point are trusted by the system
* We can access different network resources all day without re-entering our username or password
* Kerberos provides mutual authentication, so the server is also authenticating to you
336
how does the kerberos ticket process work ?
1. You authenticate once to the Key Distribution Center (KDC), the centralized authentication server; its Authentication Service issues you a Ticket Granting Ticket (TGT).
2. When you need a resource, you present the TGT to the KDC's Ticket Granting Service (TGS), which issues a service ticket for that specific resource.
3. Instead of entering a username and password each time, you present the service ticket to the resource; the resource trusts it because the KDC issued it, so it knows you were properly authenticated.
337
what is IEEE 802.1x ?
* Port-based network access control (NAC)
* You don't get access to the network until you authenticate
* EAP integrates with 802.1X
○ EAP is the Extensible Authentication Protocol
* 802.1X prevents access to the network until the authentication succeeds
338
what are federated identities ?
* Allows us to use credentials that someone already uses for a completely different service
* Third parties can establish a federated network
○ Authenticate and authorize between the two organizations
○ E.g. log in with your Facebook credentials
○ Log in with your Google credentials
339
what is the security assertion markup language or SAML ?
* Open standard for authentication and authorization
* You can authenticate through a third party to gain access
* Not originally designed for mobile apps
○ This has been SAML's largest roadblock
340
what is the SAML authentication flow ?
1. User accesses the application (service provider) URL
2. The service provider sends a signed/encrypted SAML request and redirects the user to the identity provider
3. User logs in at the identity provider
4. Authentication succeeds and a SAML assertion (token) is generated
5. User presents the SAML assertion to the service provider, which grants access
341
what is OAUTH?
* Authorization framework
○ Determines what resources a user will be able to access
* OAuth is a framework that lets us control what types of resources a third-party application may access
342
what is OAuth usually used in conjunction with ?
OAuth is usually used in conjunction with OpenID Connect: OpenID Connect provides the authentication, and OAuth then determines what types of data are accessible to the third-party app once authentication is complete
343
how is authorization paired with access control ?
* Authorization
○ The process of ensuring only authorized rights are exercised
○ Usually we enforce access control with policy enforcement
○ Users receive rights based on access control models
344
what is Mandatory access control or MAC?
* The operating system limits operations on an object based on labels set by an administrator, not by the object's owner
* Every object gets a label
○ Confidential, secret, top secret
* A subject needs a clearance that matches or exceeds the label to access the object
345
what is discretionary access control or DAC?
* Used in most operating systems
* You create a spreadsheet; as the owner you control who has access, and you can modify access at any time
* Very flexible access control
○ However, this is pretty weak security
346
what is RBAC or role-based access control ?
* You have a role in your organization
○ Manager, director, team lead, project manager
* Permissions are assigned to the role, and users receive them by being placed in that role
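An added example (not part of the original flashcards) showing the decision logic behind the three models on the preceding cards, side by side: MAC compares a subject's clearance against a system-assigned label (using the Bell-LaPadula read and write rules as the concrete policy), DAC lets only the owner edit an ACL, and RBAC derives a user's permissions from roles. Users, roles, permissions and levels are constructed.

```python
from dataclasses import dataclass, field

# Added example, not part of the original flashcards: the decision logic
# behind MAC, DAC and RBAC with constructed users and data.

# MAC: labels are assigned by the system/administrator. The read rule is
# Bell-LaPadula "no read up": clearance must dominate the object's label.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def mac_can_read(clearance: str, label: str) -> bool:
    return LEVELS[clearance] >= LEVELS[label]


def mac_can_write(clearance: str, label: str) -> bool:
    """Bell-LaPadula "no write down": a subject may not write to an object
    labelled below its clearance, which would leak data downward."""
    return LEVELS[clearance] <= LEVELS[label]


# DAC: the owner decides and may change the ACL at any time; nothing stops an
# owner from sharing carelessly, which is the "weak security" on the card.
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of permissions

    def grant(self, actor: str, user: str, perm: str) -> None:
        if actor != self.owner:
            raise PermissionError("only the owner may change the ACL")
        self.acl.setdefault(user, set()).add(perm)

    def allows(self, user: str, perm: str) -> bool:
        return user == self.owner or perm in self.acl.get(user, set())


# RBAC: permissions attach to roles; a user gets exactly the union of their
# roles' permissions, so a job change means changing roles, not ACLs.
ROLE_PERMS = {
    "team lead": {"read_report", "approve_timesheet"},
    "manager": {"read_report", "approve_timesheet", "approve_expense"},
}
USER_ROLES = {"alice": {"manager"}, "bob": {"team lead"}, "carol": set()}


def rbac_allows(user: str, perm: str) -> bool:
    return any(perm in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))


if __name__ == "__main__":
    print("MAC  secret reads confidential:", mac_can_read("secret", "confidential"))
    print("MAC  secret writes confidential:", mac_can_write("secret", "confidential"))
    doc = DacObject(owner="alice")
    doc.grant("alice", "bob", "read")
    print("DAC  bob reads alice's doc:", doc.allows("bob", "read"))
    print("RBAC bob approves expense:", rbac_allows("bob", "approve_expense"))
```

The MAC functions never consult an owner at all, which is the defining difference from DAC; the RBAC check never names an individual permission grant, which is what makes it scale.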
347
what does the Traceroute command do for us ?
* Determine the route a packet takes to a destination
* tracert for Windows
* traceroute for Linux
○ Takes advantage of the ICMP time-to-live exceeded error message
348
what are the NSlookup and dig commands used for ?
* Look up information from DNS servers
○ Canonical names, IP addresses, cache timers
* dig: domain information groper
○ More advanced domain information
349
what are the ipconfig and ifconfig commands used for ?
* Most of your troubleshooting starts with your IP address
○ Ping your local router or gateway
* Determine TCP/IP and network adapter information
* ipconfig: Windows
* ifconfig: Linux (deprecated on many modern distributions in favor of ip addr)
350
what is the ping command used for ?
* Test reachability
* Determine round-trip time
* Uses ICMP
351
what is the pathping command used for ?
* Combines ping and traceroute
* First phase runs a traceroute
* Second phase measures round-trip time and packet loss at each hop
352
what is the netstat command used for ?
* Network statistics
○ Used on many different OSes
* Show all active connections
○ netstat -a
* Show binaries (Windows)
○ netstat -b
* Do not resolve names
○ netstat -n
353
what is the arp protocol used for ?
- Determine a MAC address based on an IP address
○ You need the hardware address to communicate on the local segment
- To view your local ARP table, use the arp -a command
354
what is the route command used for ?
- The route command is used to view the device's routing table
○ Find out which way the packets will go
- Windows
○ route print
- Linux and macOS
○ netstat -r (on modern Linux, ip route shows the same table)
355
what is the curl command used for ?
- Client URL
○ Retrieve data using a URL
- Used for enumerating and viewing the source code of web pages
356
what are IP scanners used for and how do they work ?
- Search a network for IP addresses
- Locate active devices
- IP scanners use many different techniques
○ ARP (if on the local subnet)
○ ICMP requests (ping)
○ TCP ACK
○ ICMP timestamp requests
357
what is the Hping command used for ?
- TCP/IP packet assembler and analyzer
- The ping command taken to the next level
- hping allows you to modify almost everything about the packet
358
what are some of the roles and responsibilities associated with incident response ?
* Incident response team
* The IR team might include
○ IT security management
○ Compliance officers
○ Technical staff
359
what is the NIST SP800-61 ?
* A document made to help you handle security incidents
* It outlines the entire lifecycle of a security incident
○ Preparation
○ Detection and analysis
○ Containment, eradication, and recovery
○ Post-incident activity
360
what are the preparation steps when dealing with an incident
* Communication methods
○ Phones and contact information
* Incident handling hardware and software
○ Laptops, removable media, forensic software, digital cameras, etc.
* Incident analysis resources
○ Documentation, network diagrams, baselines, hash values of critical files
* Incident mitigation software
○ Clean OS and application images
* Policies needed for incident handling
○ Everyone knows what to do
361
what are incident indicators or indicators of attack (IOA) ?
* These let us know that an attack is underway
* Alerts coming from anti-malware and antivirus software
* A host-based monitor detects a configuration change
○ Constantly monitors system files
362
why would we use isolation and containment strategies in our networks ?
* Generally a bad idea to let malicious threats run their course
○ An incident can spread quickly
* Sandboxes
○ An isolated operating system
○ Run malware and analyze the results
○ Clean out the sandbox when done
363
what are some of the steps to recover after an incident ?
* Eradicate the threat
○ Remove malware
○ Disable breached user accounts
○ Fix vulnerabilities
* Recover the system
○ Restore from backups
○ Rebuild from scratch
○ Replace compromised files
○ Tighten down the perimeter
364
what is the importance of lessons learned in the incident response process ?
* Learn and improve
○ No system is perfect
* Post-incident meeting
○ Invite everyone affected by the incident
365
what are tabletop exercises?
* Performing a full-scale disaster drill can be costly and time consuming
* Instead of actually going through the drill, you talk through what would be done
366
what is a walk-through ?
* A step beyond a tabletop exercise
* With a walkthrough we test processes and procedures before an event
○ Walk through each step
○ Involve all groups
○ Reference actual response materials
367
what is a simulation ?
* Test with a simulated attack
○ Phishing attack
○ Password requests
○ Data breaches
* Phishing simulations are common
368
what is the importance of a disaster recovery plan ?
* If a disaster happens, IT should be ready
○ Part of business continuity planning
○ Keep the organization up and running
* There are many different types of disasters that could happen
○ Natural disasters
○ Technology or system failures
○ Human-created disasters
* Comprehensive plan
○ Recovery location
○ Data recovery method
○ Application restoration
369
what is a continuity of operations planning COOP ?
* Something we put together well before a disaster occurs, so that we know what to do if our normal systems are unavailable
* There needs to be some type of alternative to our technology in case it goes down
○ Manual transactions
○ Paper receipts
○ Phone calls for transaction approvals
370
what is the MITRE attack framework ?
* Created by the MITRE Corporation
* We can use this framework to determine the actions of an attacker
○ Identify the point of intrusion
○ Understand the methods used to move around
○ Identify potential security techniques to block future attacks
371
what is the diamond model of intrusion ?
* Designed by the intelligence community
* This framework guides analysts to help understand intrusions
* Integrates well with other frameworks
* Applies scientific principles to intrusion analysis
○ Measurement, testability and repeatability
372
break down the diamond model of intrusion into different parts
- Adversary
○ Who the attacker is
- Capability
○ An exploit of some kind
- Infrastructure
○ What the attacker used to gain access
○ IPs, domain names
- Victim
○ A person
○ An asset on the network
373
what is a threat vector ?
method used by an attacker to access a victims machine
374
what are some examples of a threat vector ?
unpatched software, phishing email, usb thumb drive
375
what do malware infections usually start with ?
Malware infections usually start within software, messaging, and media
376
what is typosquatting ?
registering a malicious URL that is close to the target domain
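An added example (not part of the original flashcards) of the defensive side of typosquatting: enumerate the single-edit lookalikes of a protected domain label that an attacker would register (omission, transposition, substitution, insertion), and flag a newly seen domain that sits within one edit of it. The distance function counts an adjacent transposition as one edit, since that is the most common typo. Domain names are constructed, and the code assumes plain second-level domains such as example.com.

```python
import string

# Added example, not part of the original flashcards: lookalike-domain
# generation and detection. Domains used below are constructed.


def typo_variants(label: str) -> set:
    """Every string one edit away from a domain label: omission,
    adjacent transposition, substitution and insertion."""
    alphabet = string.ascii_lowercase + string.digits + "-"
    seen = set()
    for i in range(len(label)):
        seen.add(label[:i] + label[i + 1:])                            # omission
        if i + 1 < len(label):
            seen.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
        for c in alphabet:
            seen.add(label[:i] + c + label[i + 1:])                    # substitution
    for i in range(len(label) + 1):
        for c in alphabet:
            seen.add(label[:i] + c + label[i:])                        # insertion
    seen.discard(label)
    return seen


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent
    transposition counted as a single edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def looks_like_typosquat(candidate: str, protected: str, max_distance: int = 1) -> bool:
    """True when the candidate's label is a small edit away from the protected
    label, or identical under a different TLD (example.co vs example.com).
    Assumes second-level domains: the label is everything before the last dot."""
    c_label = candidate.lower().rpartition(".")[0]
    p_label = protected.lower().rpartition(".")[0]
    if c_label == p_label:
        return candidate.lower() != protected.lower()
    return 0 < edit_distance(c_label, p_label) <= max_distance


if __name__ == "__main__":
    protected = "example.com"
    print(len(typo_variants("example")), "single-edit lookalikes of 'example'")
    for seen in ("exmaple.com", "examp1e.com", "example.co", "github.com"):
        print(f"{seen:16} typosquat of {protected}? {looks_like_typosquat(seen, protected)}")
```

The generated set is what a brand-protection team registers defensively or watches in new-domain feeds; the distance check is what you run against domains appearing in mail headers or proxy logs.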
377
what are some signs your computer has been infected ?
- Strange noises
- Unusual error messages
- Display looks strange
- Jumbled printouts
- New icons appear on the desktop
- Double file extensions are displayed, such as textfile.txt.exe
378
what are the steps in removing malware ?
1. Identify symptoms of a malware infection
2. Quarantine the infected systems
3. Disable System Restore (if using a Windows machine)
4. Remediate the infected system
5. Schedule automatic updates and scans
6. Enable System Restore and create a new restore point
7. Provide end-user security awareness training
379
what are some protections we can use against spam ?
- Verify your email servers aren't configured as open mail relays (SMTP open relays)
- Remove email addresses from the website
- Use whitelists and blacklists
- Train and educate end users
380
how do APT's use malware ?
1. Dropper or downloader
a. Small piece of code that goes out and downloads more code
2. Maintain access
3. Strengthen access
a. Identifying and infecting other machines
4. Actions on objectives
a. Copying or stealing files
5. Concealment
381
what is a dropper ?
- Malware designed to install or run other types of malware embedded in a payload on an infected host - Likely to implement anti-forensics techniques to prevent detection and analysis
382
what is a downloader ?
A piece of code that connects to the internet to retrieve additional tools after the initial infection by a dropper
383
what is shellcode ?
Any lightweight code designed to run an exploit on the target, which may include any type of code format from scripting languages to binary code
384
EXAM TIP: shellcode ?
Shellcode originally referred to malware code that would give the attacker a shell or command prompt on the target system, but for the exam use the more generic definition provided previously
385
what are the two main types of IDS's
- HIDS or host-based IDS
- NIDS or network-based IDS
386
what methods do IDS's use to alert ?
- Signature-based
- Policy-based
- Anomaly-based
387
what is a signature based IDS?
a specific string of bytes triggers an alert
388
what is a policy based IDS?
relies on specific declaration of the security policy Example: no telnet authorized
389
what is an anomaly based IDS ?
analyzes the current traffic against an established baseline and triggers an alert if outside the statistical average
390
what is a true positive ?
malicious activity is identified as an attack
391
what is a true negative ?
an event when no attack has occurred and no detection is made. no attack occurred and your rule didn't fire
392
what is a false positive ?
legitimate activity is identified as an attack
393
what is a false negative ?
malicious activity is identified as legitimate traffic: no alarm is raised even though an attack has taken place
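An added example (not part of the original flashcards) that ties the preceding cards together: a toy signature-based detector, where "a specific string of bytes triggers an alert", is run over a handful of constructed, analyst-labelled events, and each result is scored as a true positive, false positive, true negative or false negative. The events, labels and signatures are all constructed for illustration; one benign request deliberately contains a signature string to produce a false positive, and one attack has no matching signature to produce a false negative.

```python
from dataclasses import dataclass

# Added example, not part of the original flashcards: a toy signature-based
# detector run over constructed, analyst-labelled events, then scored into
# the four outcomes defined on the cards above.


@dataclass
class Event:
    payload: bytes
    malicious: bool  # ground truth, known only after investigation


# Constructed sample traffic. The label is what an analyst later confirmed.
EVENTS = [
    Event(b"GET /index.html HTTP/1.1", False),
    Event(b"GET /cgi-bin/view?f=../../etc/passwd HTTP/1.1", True),
    Event(b"USER anonymous\r\nPASS guest@example", False),
    Event(b"GET /docs/etc/passwd-policy.pdf HTTP/1.1", False),   # benign, but matches
    Event(b"\x90" * 8 + b"\x31\xc0\x50\x68", True),                # NOP sled + code
    Event(b"POST /login user=admin'+OR+'1'='1 HTTP/1.1", True),   # no rule covers it
]

# Constructed signatures: "a specific string of bytes triggers an alert".
SIGNATURES = {
    "path-traversal": b"../",
    "etc-passwd": b"etc/passwd",
    "nop-sled": b"\x90" * 8,
}


def match_signatures(payload: bytes) -> list:
    """Names of every signature whose byte string appears in the payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern in payload]


def outcome(alerted: bool, malicious: bool) -> str:
    if alerted and malicious:
        return "TP"  # attack detected
    if alerted and not malicious:
        return "FP"  # benign traffic flagged
    if not alerted and malicious:
        return "FN"  # attack missed, no alarm
    return "TN"      # benign traffic, no alarm


def evaluate(events) -> dict:
    """Score the detector and derive precision (alert quality) and recall
    (coverage), the two numbers signature tuning trades off."""
    counts = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for ev in events:
        alerted = bool(match_signatures(ev.payload))
        counts[outcome(alerted, ev.malicious)] += 1
    tp, fp, fn = counts["TP"], counts["FP"], counts["FN"]
    counts["precision"] = tp / (tp + fp) if tp + fp else 0.0
    counts["recall"] = tp / (tp + fn) if tp + fn else 0.0
    return counts


if __name__ == "__main__":
    for ev in EVENTS:
        hits = match_signatures(ev.payload)
        print(outcome(bool(hits), ev.malicious), hits, ev.payload[:40])
    print(evaluate(EVENTS))
```

Adding a signature for the SQL injection would raise recall but could also raise the false-positive rate on legitimate traffic containing quotes; that trade-off is why false positives and false negatives are tracked separately.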
394
what are the different types of DLP systems ?
- Endpoint DLP system: software-based client that monitors data in use on a computer and can stop a file transfer or alert an admin of the occurrence
- Network DLP system: software- or hardware-based solution installed on the perimeter of the network to detect data in transit
- Storage DLP system: software installed on servers in the data center to inspect data at rest
- Cloud DLP system: cloud software-as-a-service that protects data stored in cloud services
395
what is a BIOS ?
firmware that provides the computer instructions for how to accept input and send output
396
how do we secure the BIOS ?
1. Flash the BIOS
a. Ensure the firmware is up to date
2. Use a BIOS password
3. Configure the BIOS boot order
4. Disable external ports and devices
5. Enable Secure Boot
a. UEFI verifies boot component signatures; with a TPM present, measured boot can additionally record them
397
what are removable media controls ?
technical limitations placed on a system in regards to the utilization of usb storage devices and other removable media
398
How do we protect NAS and SAN devices
1. Use data encryption 2. Use proper authentication 3. Log NAS access
399
what is the easiest way to describe encryption ?
Encryption scrambles data into unreadable information
400
what is SED ?
Self-encrypting drive SED - storage device that performs whole disk encryption by using embedded hardware
401
what is TPM?
Trusted platform module TPM - chip residing on the motherboard that contains an encryption key
402
what is AES ?
AES is a symmetric key encryption algorithm that supports 128-bit, 192-bit and 256-bit keys
403
what is HSM?
Hardware security module HSM - physical devices that act as a secure crypto processor during the encryption process
404
what are HIDS and HIPS ?
Host based IDS/IPS HIDS/HIPS- a type of IDS or IPS that monitors a computer system for unexpected behavior or drastic changes to the systems state on an endpoint
405
what is EPP?
Endpoint protection platform EPP - a software agent and monitoring system that performs multiple security tasks such as anti virus, HIDS/HIPS, firewall, DLP and file encryption
406
what is EDR?
a software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats
407
what is the current highest level of WIFI security ?
WPA3 (released in 2018) is the current highest level; WPA2 was the highest before it and is still the most widely deployed
408
what encryption does WPA2 use ?
AES (in CCMP mode)
409
what are some ways we can protect our mobile devices ?
- Ensure we have AV on the phone - Ensure the device is patched - only install apps from the official store - Dont jailbreak the device
410
what is a SIM or subscriber identity module ?
integrated circuit that securely stores the international mobile subscriber identity IMSI number and its related key / this is what tells the cellphone towers which device is assigned to which number 
411
what is SIM cloning ?
SIM cloning allows two phone to utilize the same service and allows an attacker to gain access to the phones data SIM v1 cards were easy to clone but newer SIM v2 cards are much harder
412
what is bluejacking ?
sending of unsolicited messages to Bluetooth enabled devices / blue jacking send information to a device 
413
what is blue-snarfing ?
unauthorized access of information from a wireless device over a Bluetooth connection / taking information from a device 
414
Explain MDM or mobile device management
centralized software solution that allows system administrators to create and enforce policies across its mobile devices 
415
what are 10 ways to harden your mobile device ?
1. Update your device to the latest version of the software
2. Install AV
3. Train users on proper security and use of the device
4. Only install apps from the official mobile stores
5. Don't root or jailbreak the device
6. Only use v2 SIM cards with your devices
7. Turn off all unnecessary features
8. Turn on encryption for voice and data
9. Use strong passwords or biometrics
10. Don't allow BYOD
416
what is meant by least functionality ?
process of configuring workstation or server to only provide essential application and services
417
what is application allowlisting ?
only applications that are on the list are allowed to be run by the operating system while all other applications are blocked
418
what is application blocklisting ?
any application placed on the list will be prevented from running while all others will be permitted to run
419
what is TOS or the trusted operating system ?
any operating system that meets the requirements set forth by government and has multilevel security 
420
what are patches ?
a piece of software that fixes a single problem in an OS or application
421
whit is a security update ?
software code that is issued for a product specific security related vulnerability 
422
what is a critical update ?
software code for a specific problem addressing a critical non security bug in software 
423
what is a service pack ?
a tested cumulative grouping of patches, hotfixes, security updates, critical updates, and possibly some feature or design changes
424
what are the 4 steps to patch management ?
Planning Testing Implementing Auditing
425
what are some examples of group policies ?
Password complexity Account lockout policy Software restrictions Application restrictions
426
what are some different file systems to be aware of ?
NTFS FAT32 Ext4 HFS+
427
what file systems does windows utilize ?
Windows systems can utilize NTFS or FAT32
428
what is NTFS
New Technology File System (NTFS) is the default file system format for Windows and is more secure than FAT32 because it supports logging, encryption, file permissions, larger partition sizes and larger file sizes
429
what is due diligence ?
a legal principle identifying a subject has used best practices or reasonable care when setting up, configuring, and maintaining a system
430
what does due diligence look like in cybersecurity ?
Properly resourced cybersecurity program Security assurance and risk management processes Product support lifecycle Security controls for confidential data Incident response and forensics assistance General and historical company information
431
what is trusted foundry ?
a microprocessor manufacturing facility that is part of a validated supply chain (one where hardware and software do not deviate from their documented function) created by the DoD / the trusted foundry program is a way to make microprocessors secure
432
what is hardware source authenticity ?
the process of ensuring that hardware is procured tamper-free from trustworthy suppliers / Don’t buy second hand go straight to the source 
433
what is a hardware root of trust ?
a cryptographic module embedded within a computer system that can endorse trusted execution and attest to boot settings and metrics / the TPM is an example of a root of trust  A hardware root of trust is used to scan the boot metrics and OS files to verify the signatures, which we can then use to sign a digital report
434
what is a TPM ?
a specification for hardware based storage of digital certificates, keys, hashed passwords, and other user and platform identification information  TPM makes sure when you boot up it does it securely
435
what is a hardware security module or HSM ?
an appliance for generating and storing cryptographic keys that is less susceptible to tampering and insider threats than software based storage 
436
what value does a firmware exploit provide the attacker
A firmware exploit is going to give the attacker an opportunity to run any code at the highest level of CPU privilege
437
what is UEFI?
a type of system firmware providing support for 64-bit CPU operation at boot, full GUI and mouse operation at boot, and better boot security 
438
what is secure boot ?
a UEFI feature that checks the digital signature of each boot loader and driver against keys stored in firmware and refuses to execute unsigned or untrusted code during the boot operation
439
what is measured boot ?
a UEFI feature that gathers secure metrics to validate the boot process in an attestation report / as you boot up it take measurements then creates a report 
440
what is attestation ?
a claim that the data presented in the report is valid by digitally signing it using the TPM's private key
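An added example (not part of the original flashcards) of the measured boot and attestation cards above: each boot component is hashed and folded into a PCR with the TPM extend operation, new = SHA-256(old || SHA-256(component)), so the final value depends on every component and their order; the verifier then checks a quote over the PCR and a fresh nonce against a known-good value. The boot chain is constructed. A real TPM signs the quote with an asymmetric attestation key; an HMAC with a constructed key stands in for that signature so the example runs on the standard library alone.

```python
import hashlib
import hmac
import os

# Added example, not part of the original flashcards: how a measured boot
# accumulates component hashes into a PCR, and how a verifier checks the
# resulting quote. Components and values are constructed.
BOOT_CHAIN = [
    ("firmware", b"uefi-fw-build-1234"),
    ("bootloader", b"shim-15.7-signed"),
    ("kernel", b"vmlinuz-6.1.0"),
]
PCR_INIT = b"\x00" * 32


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM PCR extend: new = SHA-256(old || SHA-256(component)).
    Order matters and the operation cannot be undone, so a later stage
    cannot erase an earlier (tampered) measurement."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_chain(chain) -> bytes:
    pcr = PCR_INIT
    for _name, image in chain:
        pcr = extend(pcr, image)
    return pcr


# Attestation: the TPM signs the PCR value together with a verifier-chosen
# nonce so a recorded quote cannot be replayed later. A real TPM uses an
# asymmetric attestation key; an HMAC with a constructed key stands in here.
ATTESTATION_KEY = b"stand-in for the TPM attestation key"


def quote(pcr: bytes, nonce: bytes) -> bytes:
    return hmac.new(ATTESTATION_KEY, pcr + nonce, "sha256").digest()


def verify_quote(pcr: bytes, nonce: bytes, signature: bytes,
                 golden_pcr: bytes) -> bool:
    """Verifier side: the signature must be genuine for this nonce and the
    reported PCR must equal the known-good value."""
    genuine = hmac.compare_digest(quote(pcr, nonce), signature)
    return genuine and hmac.compare_digest(pcr, golden_pcr)


def attest(chain, nonce: bytes, golden_pcr: bytes) -> bool:
    """Boot the constructed chain, quote it, and verify end to end."""
    pcr = measure_chain(chain)
    return verify_quote(pcr, nonce, quote(pcr, nonce), golden_pcr)


if __name__ == "__main__":
    golden = measure_chain(BOOT_CHAIN)
    tampered = [BOOT_CHAIN[0], ("bootloader", b"shim-15.7-signed-evil"), BOOT_CHAIN[2]]
    nonce = os.urandom(16)
    print("clean boot   :", attest(BOOT_CHAIN, nonce, golden))
    print("tampered boot:", attest(tampered, nonce, golden))
```

Two properties carry the security argument: a modified bootloader changes every PCR value extended after it, and the verifier's nonce means a quote captured from a clean boot cannot be replayed to cover a later compromised one.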
441
what is EFUSE ?
a means for software or firmware to permanently alter the state of a transistor  on a computer chip
442
what is a trusted firmware update ?
a firmware update that is digitally signed by the vendor and trusted by the system before installation
443
self encrypting drives
a disk drive where the controller can automatically encrypt the data that is written to it. 
444
what is secure processing ?
a mechanism for ensuring the confidentiality, integrity, and availability for software code and data as it is executed in volatile memory 
445
explain trusted execution ?
the CPU'S security extensions invoke a TPM and secure boot attestation to ensure that a trusted operating system is running 
446
what is a secure enclave ?
the extensions allow a trusted process to create an encrypted container for sensitive data / also able to store encryption key
447
what is atomic execution ?
certain operations that should only be performed once or not at all such as initializing a memory location
448
explain bus encryption
data is encrypted by an application prior to being placed on the data bus
449
what is a system virtual machine ?
a complete platform designed to replace an entire physical computer and includes a full desktop/server operating system 
450
explain a processor virtual machine
designed to run only a single process or application, such as a virtualized web browser
451
what is an easy way to describe a hypervisor ?
Hypervisor – manages the distribution of the physical resources of a host machine (server) to the virtual machines being run guests
452
what is a type 1 hypervisor ?
Type 1 or bare metal hypervisors - runs directly on the host hardware and runs as the operating system
453
what is a type 2 hypervisor ?
Type 2 runs within a typical OS
454
what is more efficient a type 1 or type 2 hypervisor ?
Type 1 hypervisors are more efficient than type 2 hypervisors because there is no host operating system between the hypervisor and the hardware
455
explain application containerization ?
Application containerization: a single operating system kernel is shared across multiple containers, but each container receives its own user space for programs and data
456
what is a VM escape ?
an attack that allows an attacker to break out of a normally isolated VM by interacting directly with the hypervisor 
457
what are 4 steps commonly used to secure a web browser in organizations
1. Create and implement web browsing policies as an administrative control or technical control
2. Train your users; user training will prevent many issues inside your organization
3. Use proxies and content filters
a. Proxies cache websites to reduce requests and bandwidth usage
b. Content filters can be used to blacklist specific websites or entire categories of sites
4. Prevent malicious code
a. Configure your browser to block ActiveX controls, Java applets, JavaScript, Flash and other active content
458
what are cookies used for ?
Cookies – text files placed on a clients computer to store information about the user's browsing habits, credentials, and other data
459
explain a LSO or locally shared object ?
also known as flash cookies they are stored in your windows user profile under the flash folder inside of your AppData Folder
460
what are some common ways to secure applications ?
1. disable macros 2. use digital certificates 3. UAC
461
what is SDLC software development life cycle ?
is an organized process of developing a secure application throughout the life of the project /waterfall model
462
what are the SDLC phases ?
1. Planning and analysis
2. Software/systems design
3. Implementation
4. Testing
5. Integration
6. Deployment
7. Maintenance
463
explain agile software development ?
software development is performed in time-boxed or small increments to allow more adaptivity to change
464
what is dev ops ?
software developments and information technology operations
465
what does threat modeling achieve ?
helps to prioritize vulnerability identification and patching
466
why should an application never trust user input ?
any input that is received from a user should undergo input validation prior to allowing it to be utilized by an application because it can be malicious
467
why should applications use secure defaults ?
default installations should include secure configurations instead of requiring an administrator or user to add in additional security
468
why is authentication and integrity valuable for applications ?
applications should be deployed using code signing to ensure the program is not changed inadvertently or maliciously prior to delivery to an end user
469
why is it important for applications to fail securely ?
applications should be coded to properly conduct error handling for exceptions in order to fail securely instead of crashing
470
black box testing ?
occurs when a tester is not provided with any information about the system or the program prior to conducting the test
471
white box testing ?
occurs when a tester is provided full details on a system including the source code, diagrams, and user credentials in order to conduct the test
472
what is structured exception handling or SEH ?
provides control over what the application should do when faced with a runtime or syntax error
473
explain what input validation is ?
applications verify that information received from a user matches a specific format or range of values
474
what is static analysis ?
source code of an application is reviewed manually or with automatic tools without running the code / reading the code
475
what is dynamic analysis ?
analysis and testing of a program occurs while it is being executed or run / the most common type of this is fuzzing
476
what is fuzzing ?
injection of randomized data into a software program in an attempt to find system failures such as memory leaks, error handling issues, and improper input validation
477
what is directory traversal ?
method of accessing unauthorized directories by moving through the directory structure on a remote server
478
what is arbitrary code execution ?
occurs when an attacker is able to execute or run commands on a victim computer
479
what is RCE or remote code execution ?
occurs when an attacker is able to execute or run commands on a remote computer
480
what is a buffer overflow ?
occurs when a process stores data outside the memory range allocated by the developer
481
what is a buffer in an application ?
a temporary storage area that a program uses to store data
482
what is the stack of an application ?
reserved area of memory where the program saves the return address when a function call instruction is revealed
483
what is smashing the stack ?
occurs when an attacker fills up the buffer with NOPs so that the return address may hit a NOP and continue on until it finds the attacker's code to run
484
what is ASLR or address space randomization ?
method used by programmers to randomly arrange the different address spaces used by a program or process to prevent buffer overflow exploits
485
what is cross site scripting ?
occurs when an attacker embeds malicious scripting commands on a trusted website
486
what are the three types of XSS attacks ?
* Stored/persistent
* Reflected
* DOM based
487
what is a stored/persistent attack ?
attempts to get data provided by the attacker to be saved on the web server by the victim
488
what is a reflected XSS attack ?
attempts to have a non-persistent effect activated by a victim clicking a link on a site
489
what is a DOM based XSS attack ?
an attempt to exploit the victim's browser
490
what is a cross site request forgery ?
occurs when an attacker forces a user to execute actions on a web server for which they are already authenticated
491
what is a SQL injection attack ?
attack consisting of the insertion or injection of an SQL query via input data from the client to a web application / putting in malicious SQL statements
492
what is an injection attack ?
insertion of additional information or code through data input from a client to an application
493
what is a SQL injection ?
SQL injection is prevented through input validation and using least privilege when accessing a database
494
what sort of attacks can spawn from XML data ?
XML data submitted without encryption or input validation is vulnerable to spoofing, request forgery and injection of arbitrary code
495
XML bomb?
XML encodes entities that expand to exponential sizes, consuming memory on the host and potentially crashing it
496
XML External Entity XXE?
an attack that embeds a request for a local resource
497
Race condition?
a software vulnerability where the resulting outcome of execution processes is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer
498
when is a race condition vuln found ?
A race condition vulnerability is found where multiple threads are attempting to write a variable or object at the same memory location
499
what is dereferencing ?
a software vulnerability that occurs when the code attempts to remove the relationship between a pointer and the thing it points to
500
what is time of check to time of use ?
the potential vulnerability that occurs when there is a change between when an app checked a resource and when the app used the resource
501
how do we mitigate time of check time of use issues ?
1. Develop applications to not process things sequentially if possible
2. Implement a locking mechanism to provide an app with exclusive access
502
what are insecure components?
any code that is used or invoked outside the main program development process
503
when can insecure components happen ?
1. Code reuse
2. Third party library
3. Software development toolkit SDK
504
what is insufficient logging and monitoring ?
any program that does not properly record or log detailed enough information for an analyst to perform their job
505
what are weak or default credentials ?
any program that uses ineffective credentials or one in which the defaults have not been changed for security
506
what is the physical layer ?
represents the actual network cables and radio waves used to carry data over a network / this data is known as bits / network cables
507
what is the data link layer ?
describes how a connection is established, maintained, and transferred over the physical layer and uses physical addressing / frames / MAC addresses, switches
508
what is the network layer ?
uses logical addresses to route or switch information between hosts, the network, and the internetworks / packets / routers, IP addresses
509
what is the transport layer ?
manages and ensures transmission of the packets occurs from a host to a destination using either TCP or UDP
510
what is the session layer ?
manages the establishment, termination, and synchronization of a session over the network
511
what is the presentation layer ?
translates the information into a format that the sender and receiver both understand /encoding / encryption
512
what is the application layer ?
layer from which the message is created, formed, and originated / HTTP / Email
513
what is MAC flooding ?
attempt to overwhelm the limited switch memory set aside to store the MAC addresses for each port
514
what is MAC spoofing ?
occurs when an attacker masks their own MAC address to pretend they have the MAC address of another device
515
what is MAC spoofing often combined with ?
MAC spoofing is often combined with an ARP spoofing attack
516
what are routers used for ?
used to connect two or more networks to form an internetwork
517
what do routers rely on ?
Routers rely on a packet's IP address to determine the proper destination
518
what is an Access Control List ?
an ordered set of rules that a router uses to decide whether to permit or deny traffic based upon given characteristics
519
How can we trick ACLs ?
IP spoofing is used to trick a router's ACL
520
what is a DMZ ?
focused on providing controlled access to publicly available servers that are hosted within your organizational network / a segment isolated from the rest of a private network by one or more firewalls that accepts connections from the internet over designated ports
521
what are the most common things we put inside of a DMZ ?
Email and web servers are the most common things to put in the DMZ
522
what's a bastion host ?
hosts or servers in the DMZ which are not configured with any services that run on the local network
523
what's a jumpbox ?
a hardened server that provides access to other hosts within the DMZ / an admin connects to the jump box and the jump box connects to hosts in the DMZ
524
what is NAC ?
security technique in which devices are scanned to determine their current state prior to being allowed access onto a given network
525
what are persistent agents ?
a piece of software that is installed on the device requesting access to the network
526
what are non persistent agents ?
uses a piece of software that scans the device remotely or is installed and subsequently removed after the scan
527
what network devices create VLANS ?
Switches create VLANS
528
what do VLANS accomplish for our network ?
1. Segment the network
2. Reduce collisions
3. Organize the network
4. Boost performance
5. Increase security
529
what is switch spoofing ?
attacker configures their device to pretend it is a switch and uses it to negotiate a trunk link to break out of a VLAN
530
what is double tagging ?
attacker adds an additional VLAN tag to create an outer and inner tag / adds two VLAN tags / prevent double tagging by moving all ports out of the default VLAN group
531
what is subnetting ?
creating sub-networks logically through the manipulation of IP addresses
532
benefits of sub-netting ?
1. Compartmentalized
2. Efficient use of IP addresses
3. Reduced broadcast traffic
4. Reduced collisions
533
what is NAT ?
NAT – process of changing an IP address while it translates across a router
Using NAT can help us hide our network IPs
534
what is PAT?
router keeps track of requests from internal hosts by assigning them random high number ports for each request
535
what is a class A address ?
Class A 10.0.0.0 to 10.255.255.255
536
what is a class B?
Class B 172.16.0.0 to 172.31.255.255
537
what is a class C address ?
Class C 192.168.0.0 to 192.168.255.255
538
what is telephony ?
Term used to describe devices that provide voice communication to users
539
what is a modem ?
a device that could modulate digital information into an analog signal for transmission over a standard dial-up phone line
540
what is PBX ?
internal phone system used in large organizations
541
VOIP?
Digital phone service provided by software or hardware devices over a data network
542
what do firewalls do for us ?
Firewalls screen traffic between two portions of a network
543
what are the three main types of firewalls ?
- Software based
- Hardware based
- Embedded firewalls
544
what are packet filtering firewalls ?
inspects each packet passing through the firewall and accepts or rejects it based on the rules
545
what is stateless packet filtering ?
Stateless packet filtering accepts or denies the requests based on the IP and port that was requested
546
what is stateful packet filtering ?
stateful packet filtering tracks the requests leaving the network / this helps eliminate IP spoofing
547
what is nat filtering ?
NAT filtering - filters traffic based upon the ports being utilized and type of connection
548
what is an application layer gateway ?
conducts an in depth inspection based upon the application being used / also known as layer 7 firewalls
549
Circuit level gateway ?
operates at the session layer and only inspects the traffic during the establishment of the initial session over TCP and UDP
550
what is an explicit allow ?
traffic is allowed to enter or leave the network because there is an ACL rule that specifically allows it
551
explain an explicit deny ?
traffic is denied the ability to leave the network because there is an ACL rule that specifically denies it
552
what is an implicit deny ?
traffic is denied the ability to enter or leave the network because there are no specific rules that allow it
553
what do we use to protect our web applications ?
firewall installed to protect your server by inspecting traffic being sent to a web application
554
what is a proxy server ?
a device that acts as a middle man between a device and remote server
555
what are the 4 main types of proxy in use today ?
- IP proxy
- Caching proxy
- Content filter
- Web security gateway
556
what are IP proxies used for ?
used to secure a network by keeping its machines anonymous during web browsing
557
what is a caching proxy ?
attempts to serve client requests by delivering content from itself without actually contacting the remote server
558
what is an internet content filter ?
Used in organizations to prevent users from accessing prohibited websites and other content
559
explain a web security gateway ?
a go-between device that scans for viruses, filters unwanted content, and performs data loss prevention functions
560
what is a honeypot ?
a single computer that might be attractive to an attacker
561
what is a honeynet ?
a group of computers, servers, or networks used to attract an attacker
562
what is DLP ?
systems designed to protect data by conducting content inspection of data being sent out of the network
563
what is a NIDS or network intrusion detection systems ?
attempts to detect, log, and alert on malicious network activities
564
what is a NIPS?
NIPS or network intrusion prevention systems - attempts to remove, detain, or redirect malicious traffic
565
explain a UTM ?
Unified threat management system - combination of network security devices and technologies to provide more defense in depth with a single device
UTM might include - a firewall, NIDS/NIPS, content filter, anti-malware, DLP and VPN
566
what is cloud computing ?
Cloud computing - a way of offering on demand services that extend the traditional capabilities of a computer or network
Cloud computing relies on virtualization to gain efficiencies and cost savings
567
what is a VDI?
VDI allows a cloud provider to offer a full desktop operating system to an end user from a centralized server
568
what are the 4 different cloud types ?
- Public
- Private
- Hybrid
- Community
569
explain the public cloud
a service provider makes resources available to the end users over the internet
570
what is a private cloud ?
a company creates its own cloud environment that only it can utilize as an internal enterprise resource
571
what is a community cloud ?
resources and costs are shared among several different organizations who have common service needs
572
what are the 4 main types of cloud services ?
- SaaS
- IaaS
- PaaS
- SECaaS
573
explain what software as a service is ?
provides all the hardware, operating system, software and applications needed for a complete service to be delivered
574
what is IaaS or infrastructure as a service ?
provides all the hardware, operating system, and backend software needed in order to develop your own software or service / web hosting is an example of this
575
what is PaaS ?
provides your organization with the hardware and software needed for a specific service to operate
576
explain security as a service ?
provides your organization with various types of security services without the need to maintain a cybersecurity staff
577
what do we use sandboxing for ?
utilizes separate virtual networks to allow security professionals to test suspicious or malicious files
578
where should web servers be placed in our environment ?
web servers should be placed in your DMZ
579
what is a VPC?
a private network segment made available to a single cloud consumer within a public cloud
580
what do we typically use a VPC for ?
VPC is typically going to be used to provision internet-accessible applications that need to be accessed from geographically remote sites
581
what is a CASB or cloud access security broker ?
enterprise management software designed to mediate access to cloud services by users across all types of devices
582
what are some benefits of using a CASB ?
- Single sign on
- Malware and rogue device detection
- Monitor / audit user activity
- Mitigate data exfiltration
583
what are the three different ways a CASB is set up ?
- Forward proxy
- Reverse proxy
- API
584
CASB: forward proxy ?
a security appliance or host positioned at the client network edge that forwards user traffic to the cloud network if the contents of that traffic comply with the policy
585
CASB: reverse proxy
an appliance positioned at the cloud network edge and directs traffic to cloud services if the contents of the traffic comply with the policy
586
what is an API ?
APIs allow for the automated administration, management, and monitoring of a cloud service
587
what Linux command line tool can we use to test APIs ?
curl can be used for testing APIs
588
FAAS?
function as a service – a cloud service model that supports serverless software architecture by provisioning runtime containers in which code is executed in a particular programming language / make applications without having our own servers
589
what is a serverless architecture ?
Serverless eliminates the need to manage physical or virtual servers
590
what are the benefits of serverless ?
- No patching
- No administration
- No file system monitoring
591
what are the 4 main cloud threats ?
- Insecure APIs
- Improper key management
- Logging and monitoring
- Unprotected storage
592
how do we prevent improper key management ?
- APIs should use secure authentication and authorization such as SAML or OAuth before accessing the data
- Do not hardcode or embed a key into the source code
- Delete unnecessary keys
593
unprotected storage ?
- Cloud storage containers are referred to as buckets or blobs
- Incorrect permissions may occur due to default permissions
594
what are the three main types of orchestration ?
* Resource orchestration
* Workload orchestration
* Service orchestration
595
what is continuous integration ?
a software development method where code updates are tested and committed to a development or build a server/code repository rapidly / can test and commit updates multiple times per day
596
what is continuous delivery ?
a software development method where application and platform requirements are frequently tested and validated for immediate availability / gets the code ready for release doesn’t actually release it
597
what is continuous deployment ?
a software development method where application and platform updates are committed to production rapidly / focuses on automated testing and release of code in order to get it into the production environment more quickly
598
what are DevOps and DevSecOps ?
DevOps – an organizational culture shift that combines software development and systems operation by referring to the practice of integrating the two disciplines within a company
DevSecOps – a combination of software development, security operations, and systems operations by integrating each discipline with the others
599
explain infrastructure as code ?
a provisioning architecture in which deployment of resources is performed by scripted automation and orchestration / allows us to script out the provisioning of cloud resources
600
what are snowflake systems ?
any system that is different in its configuration compared to a standard template within an infrastructure as code architecture
601
what is idempotence ?
a property of IaC that an automation or orchestration action always produces the same result regardless of the component's previous state
602
what is AI ?
the science of creating machines with the ability to develop problem solving and analysis strategies without significant human direction or intervention
603
what is machine learning ?
a component of AI that enables a machine to develop strategies for solving a task given a labeled dataset where features have been manually identified but without further instructions
604
artificial neural network ANN?
an architecture of input, hidden, and output layers that can perform algorithmic analysis of datasets to achieve outcome objectives
605
what is deep learning ?
a refinement of machine learning that enables a machine to develop strategies for solving a task given a labeled dataset and without further explicit instructions
606
inbound port ?
a logical communication opening on a server that is listening for a connection from a client
607
outbound port ?
a logical communication opening created on a client in order to call out to a server that is listening for a connection
608
well known port ?
ports 0-1023 are considered well-known and are assigned by the Internet Assigned Numbers Authority (IANA)
609
registered ports ?
ports 1024 to 49,151 are considered registered and are usually assigned to proprietary protocols
610
Dynamic or private ports ?
ports 49,152 to 65,535 can be used by any application without being registered with IANA
611
FTP
21 TCP – file transfer protocol is used to transfer files from host to host
612
SSH, SFTP
22 TCP/UDP – secure shell is used to remotely administer network devices and systems
613
Telnet 23 TCP/UDP
unencrypted method to remotely administer network devices
614
SMTP
simple mail transfer protocol is used to send email over the internet
615
DNS
domain name service is used to resolve hostnames to IPs and IPs to hostnames
616
TFTP 69
trivial FTP is used as a simplified version of FTP to put a file on a remote host or get a file from the remote host
617
HTTP
80 TCP – hypertext transfer protocol is used to transmit web page data to a client for unsecured web browsing
618
Kerberos
88 TCP/UDP - used for network authentication using a system of tickets within a Windows domain
619
POP3
110 TCP – post office protocol v3 is used to receive email from a mail server
620
NNTP
119 TCP – network news transfer protocol is used to transport UseNet articles
621
RPC
135 TCP/UDP - remote procedure call is used to locate DCOM ports to request a service from a program on another computer on the network
622
NETBIOS
137-139 TCP/UDP – netbios is used to conduct name querying, sending of data and other functions over a netbios connection
623
IMAP
143 TCP - internet message access protocol is used to receive email from a mail server with more features than POP3
624
SNMP
161 UDP – simple network management protocol is used to remotely monitor devices
625
SNMP TRAP
162 TCP/UDP - used to send trap and inform requests to the SNMP manager on a network
626
LDAP
389 TCP/UDP - lightweight directory access protocol is used to maintain directories of users and other objects
627
HTTPS
443 TCP – hyper text transfer protocol secure is used to transmit web page data to a client over an SSL/TLS encrypted connection
628
SMB
445 TCP – server message block is used to provide shared access to files and other resources on the network
629
SMTP with SSL/TLS
465/587 TCP – smtp TLS is used to send email over the internet with an SSL and TLS secured connection
630
Syslog 514 UDP
syslog is used to conduct computer message logging, especially for routers and firewall logs
631
LDAP SSL/TLS
ldap is used to maintain directories of users and other objects over an encrypted SSL/TLS connection
632
ISCSI
iSCSI is used for linking data storage facilities over IP / commonly used in storage area networks
633
FTPS
989/990 TCP – file transfer protocol secure is used to transfer files from host to host over an encrypted connection
634
POP3 SSL/TLS
995 TCP – pop3 used to receive email from a mail server using an SSL/TLS encrypted connection
635
MS-sql-s
1433 TCP – Microsoft SQL server is used to receive SQL database queries from clients
636
Radius
1645/1646 alternate 1812/1813 primary UDP – Remote authentication dial in user service is used for authentication and authorization
637
L2TP
1701 UDP – layer 2 tunneling protocol is used as an underlying VPN protocol but has no inherent security
638
PPTP
1723 TCP/UDP - point to point tunneling protocol is an underlying VPN protocol with built in security
639
FCIP
3225 TCP/UDP - Fibre Channel over IP is used to encapsulate Fibre Channel frames within TCP/IP packets
640
ISCSI target
3260 TCP – iSCSI target is the listening port for iSCSI target devices when linking data storage facilities over IP
641
RDP
3389 TCP/UDP - remote desktop protocol is used to remotely view and control other windows systems via a graphical user interface
642
SYSLOG over TLS
6514 TCP – it is used to conduct computer message logging, especially for routers and firewall logs, over a TLS encrypted connection
643
Unnecessary ports
any port that is associated with a service or function that is non-essential to the operation of your computer or network / to close a non-needed port you can stop the service that is utilizing the port
644
Denial of service DOS
term used to describe many different types of attacks which attempt to make a computer's or server's resources unavailable
645
There are 5 main types of DOS attacks
* Flood attacks
* Ping of Death
* Teardrop attack
* Permanent DOS
* Fork bomb
646
Flood attack
a specialized type of DOS which attempts to send more packets to a single server or host than it can handle
647
Ping flood
an attacker attempts to flood the server by sending too many ICMP echo request packets also known as pings
648
Smurf attack
attacker sends a ping to subnet broadcast address and devices reply to spoofed IP (victim server) using up bandwidth and processing power
649
Fraggle attack
attacker sends a UDP echo packet to port 7 and port 19 to flood a server with UDP packets
650
what is the difference between fraggle and smurf attacks ?
Smurf uses TCP; fraggle attacks use UDP
651
what is a syn flood attack ?
variant on a denial of service attack where attacker initiates multiple TCP sessions but never completes the three way handshake
652
what is an XMAS attack ?
a specialized network scan that sets the FIN, PSH and URG flags and can cause a device to crash or re-boot
653
what is a teardrop attack ?
attack that breaks apart packets into IP fragments, modifies them with overlapping and oversized payloads and sends them to a victim machine
654
fork bomb ?
attack that creates a large number of processes to use up the available processing power of a computer
655
DDOS?
Distributed denial of service DDOS – a group of compromised systems attack a single target simultaneously to create a denial of service DOS
656
what is DNS amplification ?
attack which relies on the large amount of DNS information that is sent in response to a spoofed query on behalf of the victimized server 
657
what is a common way to stop DDOS attacks ?
Blackholing or sinkholing - identifies any attacking IP addresses and routes all their traffic to a non-existent server through the null interface
658
what is spoofing ?
Spoofing – occurs when an attacker masquerades as another person by falsifying their identity
659
whats the best way to prevent spoofing ?
Proper authentication is the best way to prevent spoofing
660
what is Hijacking ?
exploitation of a computer session in an attempt to gain unauthorized access to data, services, or other resources on a computer or server
661
Session theft?
attacker guesses the session ID for a web session, enabling them to take over the already authorized session of the client
662
TCP/IP hijacking?
occurs when an attacker takes over a TCP session between two computers without the need of a cookie or other host access
663
Blind Hijacking?
occurs when an attacker blindly injects data into the communication stream without being able to see if it's successful or not
664
Clickjacking ?
attack that uses multiple transparent layers to trick a user into clicking on a button or link on a page when they were intending to click the actual page 
665
Man-in-the-middle?
attack that causes data to flow through the attacker's computer where they can intercept or manipulate the data
666
Man in the browser MITB
occurs when a trojan infects a vulnerable web browser and modifies the web pages or transactions being done on the browser
667
Watering hole
occurs when malware is placed on a website that the attacker knows his potential victims will access 
668
replay attacks ?
network based attack where a valid data transmission is fraudulently or maliciously re-broadcast, repeated, or delayed
669
how do we prevent replay attacks ?
session tokens will combat replay attacks / MFA will also prevent these sorts of attacks
670
what is DNS poisoning ?
occurs when the name resolution information is modified in the DNS server's cache / if the cache is poisoned the attacker can send users to malicious websites
671
what is an unauthorized zone transfer ?
occurs when an attacker requests replication of the DNS information to their systems for use in planning future attacks
672
what are altered host files ?
occurs when an attacker modifies the hosts file to have the client bypass the DNS server and redirect them to an incorrect or malicious website
673
what is the ARP protocol used for ?
protocol for mapping an internet protocol or IP address to a physical machine address that is recognized in the local network 
674
what is ARP poisoning ?
attack that exploits the IP address to MAC resolution in a network to steal, modify, or redirect frames within the local area network 
675
how do we prevent ARP poisoning ?
ARP poisoning is prevented by VLAN segmentation and DHCP snooping
676
Electromagnetic interference EMI?
a disturbance that can affect electrical circuits, devices, and cables due to radiation or electromagnetic conduction 
677
How can we minimize EMI ?
Shielding the cables (STP) at the source can minimize EMI
678
Radio frequency interference RFI ?
A disturbance that can affect electrical circuits, devices, and cables due to AM/FM transmissions or cell towers
679
Crosstalk?
occurs when a signal transmitted on one copper wire creates an undesired effect on another wire
680
Data emanation
the electromagnetic field generated by a network cable or device when transmitting / comes from inside the cable / someone could capture this
681
Protected Distribution System ?
secured system of cable management to ensure that the wired network remains free from eavesdropping, tapping, data emanations, and other threats 
682
Service set identifier SSID?
uniquely identifies the network and is the name of the WAP used by the clients 
683
Rogue access point?
an unauthorized WAP or wireless router that allows access to the secure network 
684
Evil twin?
a rogue, counterfeit, and unauthorized WAP with the same SSID as your valid one 
685
Pre-shared key
same encryption key is used by the access point and the client
686
what is WEP ?
WEP – not secure / weak IVs
687
WPA?
replacement for WEP which uses TKIP, message integrity check, and RC4 encryption
688
WPA2?
802.11 standard to provide better wireless security featuring AES with a 128 bit key, CCMP, and integrity checking
689
smurf vs fraggle attacks
Smurf uses TCP; fraggle attacks use UDP
690
2.4 vs 5 GHz
2.4 GHz signals can travel further than 5 GHz signals
691
Jamming ?
intentional radio frequency interference targeting your wireless network to cause a denial of service
692
what is AP isolation ?
creates network segments for each client when it connects to prevent them from communicating with other clients on the network
693
IV attack ?
occurs when an attacker observes the operation of a cipher being used with several different keys and finds a mathematical relationship between those keys to determine the clear text data
694
WIFI disassociation attack
attack that targets an individual client connected to a network, forces it offline by deauthenticating it, and then captures the handshake when it reconnects
695
WPA3 enterprise mode
uses AES-256 encryption with a SHA-384 hash for integrity checking
696
WPA3 personal mode
uses CCMP-128 as the minimum encryption required for secure connectivity
697
what does WPA3 use ?
a secure password based authentication and password authenticated key agreement method
698
what does SAE provide ?
SAE provides forward secrecy
699
what is forward secrecy ?
a feature of key agreement protocols like SAE that provides assurance the session keys will not be compromised even if long term secrets used in the session key exchange are compromised
700
RFID ?
devices that use a radio frequency signal to transmit identifying information about the device or token holder
701
NFC ?
allows two devices to transmit information when they are within close range through automated pairing and transmission
702
Man Trap ?
area between two doorways that holds people until they are identified and authenticated
703
biometrics ?
relies on the physical characteristics of a person to identify them
704
what form of authentication does Biometrics fall under ?
Biometrics is considered something you are
705
False acceptance rate FAR?
rate at which a system authenticates a user as authorized or valid when they should not have been granted access to the system
706
False rejection rate FRR
rate that a system denies a user as authorized or valid when they should have been granted access to the system
707
Crossover error rate
an equal error rate where the false acceptance rate and false rejection rate are equal
708
wet pipe sprinkler system ?
pipes are filled with water all the way to the sprinkler head and are just waiting for the bulb to be melted or broken
709
Dry pipe sprinkler system
pipes are filled with pressurized air and only push water into the pipes when needed to combat the fire
710
what is a pre action sprinkler system ?
A pre action sprinkler system will activate when heat or smoke is detected
711
what is a clean agent system ?
fire suppression system that relies upon gas instead of water to extinguish a fire
712
what humidity should our server rooms be ?
40%
713
how do we reduce EMI ?
To reduce EMI, use shielded twisted pair (STP), which adds a layer of shielding inside the cable
714
Faraday cage ?
shielding installed around an entire room that prevents electromagnetic energy and radio frequencies from entering or leaving the room
715
TEMPEST ?
US government standards for the level of shielding required in a building to ensure emissions and interference cannot enter or exit the facility / resistant to EMPs
716
how do vehicles connect subsystems ?
Vehicles connect numerous subsystems over a controller area network or CAN
717
CAN ?
a digital serial data communications network used within vehicles
718
what are the two ways to get to the CAN-BUS ?
- Attach the exploit to OBD-II
- Exploit over onboard cellular
719
IOT ?
a group of objects electronic or not that are connected to the wider internet by using embedded electronic components
720
embedded systems ?
a computer system that is designed to perform a specific dedicated function
721
Programmable logic controller PLC?
a type of computer designed for deployment in an industrial or outdoor setting that can automate and monitor mechanical systems
722
System-on-chip SOC?
a processor that integrates the platform functionality of multiple logical controllers onto a single chip
723
Real time operating system RTOS?
a type of OS that prioritizes deterministic execution of operations to ensure consistent response for time-critical tasks
724
Field programmable gate array FPGA
a processor that can be programmed to perform a specific function by a customer rather than at the time of manufacture
725
Operational technology OT ?
a communications network designed to implement an industrial control system rather than data networking
726
Industrial control system ICS
a network that manages embedded devices
727
Where is ICS used
- Electrical power stations
- Water suppliers
- Health services
- Telecommunications
- Manufacturing
- Defense
728
Fieldbus ?
digital serial data communications used in operational technology networks to link PLCs
729
Human-machine interface HMI
input and output controls on a PLC to allow a user to configure and monitor the system
730
how do ICS and PLC's work together ?
ICS manages the process automation by linking together PLCs using a fieldbus to make changes in the physical world
731
Data historian
software that aggregates and catalogs data from multiple sources within an industrial control system
732
SCADA
a type of industrial control system that manages large scale, multiple site devices and equipment spread over a geographic region
733
How does SCADA typically run ?
typically runs as software on ordinary computers to gather data from and manage plant devices and equipment with embedded PLCs
734
Modbus
a communications protocol used in OT networks / it's like TCP for operational technology networks
735
Mitigating ICS and SCADA vulnerabilities?
- Establish administrative control over OT networks by recruiting staff with relevant expertise
- Implement the minimum network links by disabling unnecessary links, services, and protocols
- Develop and test a patch management program for OT networks
- Perform regular audits of logical and physical access to systems to detect possible vulnerabilities and intrusions
736
Premise system ?
systems used for building automation and physical access security
737
Building automation system BAS
components and protocols that facilitate the centralized configuration and monitoring of mechanical and electrical systems within offices and data centers
738
MFA
use of two or more authentication factors to prove a user's identity
739
are username and password considered MFA ?
Username and password are only considered single-factor authentication
740
Time based one time password TOTP
a password is computed from a shared secret and current time
741
HMAC based one time password HOTP
a password is computed from a shared secret and is synchronized between the client and the server
742
Context aware authentication
process to check the user's or system's attributes or characteristics prior to allowing it to connect
743
Single sign on SSO
a default user profile for each user is created and linked with all the resources needed
744
Federated identity management
a single identity is created for a user and shared with all of the organizations in a federation
745
Cross certification FIDM
utilizes a web of trust between organizations where each one certifies others in the federation
746
Trusted third party FIDM
organizations are able to place their trust in a single third party
747
Security Assertion Markup Language SAML
attestation model built upon XML used to share federated identity management information between systems
748
OpenID
an open standard and decentralized protocol that is used to authenticate users in a federated identity management system
749
802.1x
standardized framework used for port-based authentication on wired and wireless networks / the 802.1x framework uses RADIUS and TACACS+ to do the authentication for us
750
Extensible authentication protocol EAP
a framework of protocols that allows for numerous methods of authentication including passwords, digital certificates, and public key infrastructure
751
LDAP
a database used to centralize information about clients and objects on the network
752
Kerberos
an authentication protocol used by Windows to provide two-way mutual authentication using a system of tickets
753
Remote desktop protocol
Microsoft's proprietary protocol that allows administrators and users to remotely connect to another computer via GUI
754
Virtual network computing
cross platform version of the remote desktop protocol for remote user GUI access / VNC requires a client, server, and protocol be configured / port 5900
755
Password authentication protocol
used to provide authentication but is not considered secure since it transmits the login credentials unencrypted
756
Challenge handshake authentication protocol CHAP
used to provide authentication by using the user's password to encrypt a challenge string of random numbers
757
Virtual private network VPN
allows end users to create a tunnel over an untrusted network and connect remotely and securely back into the enterprise network
758
VPN concentrator
specialized hardware device that allows for hundreds of simultaneous VPN connections for remote workers
759
Split tunneling
a remote worker's machine diverts internal traffic over the VPN but external traffic over their own internet connection
760
RADIUS
provides centralized administration of dial-up, VPN, and wireless authentication services for 802.1x and the EAP protocol / RADIUS operates at the application layer / uses UDP
761
802.1X
standard that defines port based network access control and is a data link layer authentication technology used to connect devices to a wired or wireless LAN
762
LDAP
application layer protocol for accessing and modifying directory services data / AD uses it
763
Kerberos
authentication protocol used in Windows to identify clients to a server using mutual authentication / uses tickets
764
Remote access services RAS
service that enables dial up and VPN connections to occur from remote clients
765
Spoofing
a software based attack where the goal is to assume the identity of a user, process, address, or other unique identifier
766
Man in the middle attack
an attack where the attacker sits between two communicating hosts and transparently captures, monitors, and relays all communication between the hosts
767
Password spraying
brute force attack in which multiple user accounts are tested with a dictionary of common passwords
768
Credential stuffing
brute force attack in which stolen user account names and passwords are tested against multiple websites
769
Broken authentication
a software vulnerability where the authentication mechanism allows an attacker to gain entry
1. Weak password credentials
2. Weak password reset methods
3. Credential exposure
4. Session hijacking
770
Access control
methods used to secure data and information by verifying a user has permissions to read, write, delete, or otherwise modify it
771
The 4 access control models
* DAC
* MAC
* RBAC
* ABAC
772
DAC discretionary access control
the access control policy is determined by the owner / every object in a system must have an owner / each owner determines access rights and permissions for each object
773
MAC mandatory access control
an access control policy where the computer system determines the access control for an object / the owner chooses the permissions in DAC, but in MAC the computer does
774
MAC principles
* MAC relies on security labels being assigned to every user (called a subject) and every file/folder/device or network connection (called an object)
* MAC is implemented through the rule-based and the lattice-based access control methods
775
Rule based access control
label based access control that defines whether access should be granted or denied to objects by comparing the object label and the subject label
776
Role based access control RBAC
an access model that is controlled by the system (like MAC) but utilizes a set of permissions instead of a single data label to define the permission label
777
Implicit deny
all access to a resource should be denied by default and only be allowed when explicitly stated
778
Linux permissions ?
R (Read) = 4, W (Write) = 2, X (Execute) = 1
779
Vulnerability assessment
seeks to identify any issue in a network application, database, or other systems prior to it being used that might compromise the system
780
Vulnerability management
practice of finding and mitigating the vulnerabilities in computers and networks
781
Penetration steps
* Get permission and document info
* Conduct recon
* Enumerate the targets
* Exploit the targets
* Document the results
782
Tabletop exercises
a discussion of simulated emergency situations and security incidents
783
Open vulnerability and assessment language OVAL
a standard designed to regulate the transfer of secure public information across networks and the internet utilizing any security tools and services available
784
OVAL components
OVAL is comprised of a language and an interpreter
OVAL language – an XML schema used to define and describe the information being created by OVAL to be shared among the various programs and tools
OVAL interpreter – a reference developed to ensure the information passed around by these programs complies with the OVAL schemas and definitions used by the OVAL language
785
Rainbow table
list of precomputed values used to more quickly break a password since values don’t have to be calculated for each password being guessed
786
what are the three different monitoring types ?
- signature based
- anomaly based
- behavior based
787
Signature based ?
network traffic is analyzed for predetermined attack patterns
788
Anomaly based ?
a baseline is established and any network traffic that is outside the baseline is evaluated
789
Behavior based?
activity is evaluated based on the previous behavior of applications, executables and the operating system in comparison to the current activity on the system
790
Promiscuous mode ?
network adapter is able to capture all of the packets on the network regardless of the destination MAC address of the frames carrying them
791
Non-promiscuous mode ?
a network adapter can only capture the packets addressed directly to itself
792
Network Tap ?
a physical device that allows you to intercept the traffic between two points on the network
793
Simple Network Management protocol SNMP ?
a TCP/IP protocol that aids in monitoring network attached devices and computers / SNMP is incorporated into a network management and monitoring system 
794
SNMP: managed devices
computers and other network attached devices monitored through the use of agents by a network management system 
795
SNMP agents
software that is loaded on a managed device to redirect information to the network management system 
796
Network management system
software run on one or more servers to control the monitoring of network attached devices and computers 
797
SNMP v1/v2
are insecure due to the use of community strings to access a device 
798
SNMP v3
version of SNMP that provides integrity, authentication, and encryption of the messages being sent over the network 
799
security logs
logs the events such as successful and unsuccessful user logins to the system 
800
system logs
logs the events such as a system shutdown and driver failures 
801
application logs
logs the events for the operating system and third party applications 
802
SYSLOG
a standardized format used for computer message logging that allows for the separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them
803
what do we need to do to effectively develop a SIEM ?
- Log all relevant events and filter irrelevant data
- Establish and document the scope of the events
- Develop use cases to define a threat
- Plan incident response for an event
- Establish a ticketing process to track events
- Schedule regular threat hunting
- Provide auditors and analysts an evidence trail
804
syslog
a protocol for enabling different appliances and software applications to transmit logs or event records to a central server 
805
what are the newer implementations of syslog
- Use port 1468 TCP for consistent delivery
- Can use TLS to encrypt messages sent to servers
- Use MD5 or SHA1 for authentication and integrity
806
Security orchestration automation and response SOAR
a class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment
807
what is SOAR primarily used for ?
SOAR is primarily used for incident response
808
SOAR: playbook
a checklist of actions to perform to detect and respond to a specific type of incident
809
SOAR: Runbook
an automated version of a playbook that leaves clearly defined interaction points for human analysis
810
what is symmetric encryption (sometimes called private key encryption) ?
- encryption algorithm in which both the sender and the receiver must know the same secret using a privately held key
- Key distribution can be challenging with symmetric encryption
811
what are some symmetric encryption algorithms
DES, 3DES, IDEA, AES, Blowfish, Twofish, RC4, RC5, RC6
812
Asymmetric Encryption (Public Key) ?
encryption algorithm where different keys are used to encrypt and decrypt the data 
813
what are some asymmetric encryption algorithms
Diffie-Hellman, RSA, ECC, PGP
814
Stream cipher?
utilizes a keystream generator to encrypt data bit by bit using a mathematical XOR function to create the ciphertext 
815
Block cipher
breaks the input into fixed length blocks of data and performs the encryption on each block 
816
stream ciphers vs block ciphers
Block ciphers are commonly implemented through software / stream ciphers are commonly implemented through hardware
817
Data encryption standard DES
encryption algorithm which breaks the input into 64-bit blocks and uses transposition and substitution to create ciphertext using an effective key strength of only 56 bits
818
Triple DES 3DES
encryption algorithm which uses three separate symmetric keys to encrypt, decrypt, then encrypt the plaintext into ciphertext in order to increase the strength of DES
819
International data encryption algorithm IDEA
symmetric block cipher which uses 64 bit blocks to encrypt plaintext into ciphertext 
820
Advanced Encryption Standard AES
symmetric block cipher that uses 128 bit, 192 bit, or 256 bit blocks and a matching encryption key size to encrypt plaintext into ciphertext / AES is the standard for encrypting sensitive US government data
821
Blowfish?
symmetric block cipher that uses 64 bit blocks and a variable length encryption key to encrypt plaintext into ciphertext
822
Twofish
symmetric block cipher that replaced Blowfish and uses 128 bit blocks and a 128 bit, 192 bit, or 256 bit encryption key to encrypt plaintext into ciphertext
823
Rivest Cipher RC4
symmetric stream cipher using a variable key size from 40 bits to 2048 bits that is used in SSL and WEP / RC4 is the only stream cipher, everything else is block
824
Digital signature
a hash digest of a message encrypted with the sender's private key to let the recipient know the document was created and sent by the person claiming to have sent it
825
Asymmetric encryption is also known as public key cryptography / Two keys are used in public key cryptography
read it again
826
Diffie-Hellman DH
used to conduct key exchanges and secure key distribution over an insecure network / Diffie-Hellman is used for the establishment of a VPN tunnel using IPSec
827
RSA
asymmetric algorithm that relies on the mathematical difficulty of factoring large prime numbers / key sizes 1024 bits to 4096 bits
828
Elliptic curve cryptography ECC
algorithm that is based upon the algebraic structure of elliptic curves over finite fields to define the keys / ECC is most commonly used for mobile devices and low power computing devices
829
PGP?
an encryption program used for signing, encrypting, and decrypting emails
830
GNU Privacy Guard GPG
a newer and updated version of the PGP encryption suite that uses AES for its symmetric encryption functions 
831
Key management
refers to how an organization will generate, exchange, store and use encryption keys / the strength of an encryption system lies in the key strength / keys must also be securely stored / change keys periodically
832
One time pad
stream cipher that encrypts plaintext information with a secret random key that is the same length as the plaintext input 
833
Blockchain
a shared, immutable ledger for recording transactions, tracking assets, and building trust
834
Public ledger
a record keeping system that maintains participants' identities in secure and anonymous form, their respective crypto balances, and a record book of all the genuine transactions executed between network participants
835
HASHING
a one way cryptographic function which takes an input and produces a unique message digest 
836
MD5 Message digest 5
algorithm that creates a fixed length 128 bit hash value unique to the input file
837
Collision
condition that occurs when two different files create the same hash digest
838
Secure hash algorithm SHA-1
algorithm that creates a fixed length 160-bit hash value unique to the input file
839
SHA2
family of algorithms that includes SHA-224, SHA-256, SHA-384, and SHA-512
840
SHA 3
family of algorithms that creates hash digests between 224 bits and 512 bits
841
RIPEMD
an open source hash algorithm that creates a unique 160-bit, 256-bit or 320 bit message digest for each input file
842
HMAC
uses a hash algorithm to create a level of assurance as to the integrity and authenticity of a given message or file
843
Code signing
uses digital signatures to provide an assurance that the software code has not been modified after it was submitted by the developer
844
LM Hash
original version of password hashing used by windows that uses DES and is limited to 14 characters
845
NTLM Hash
replacement to LM hash that uses RC4 and was released with Windows NT
846
NTLM v2 Hash
replacement to NTLM hash that uses HMAC-MD5 and is considered difficult to crack
847
what are the most common hashing functions used ?
MD5 and SHA
848
what is a pass the hash attack ?
a technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LM hash instead of requiring the associated plaintext password
849
Birthday attack
technique used by an attacker to find two different messages that have the identical hash digest
850
Key stretching
a technique that is used to mitigate a weaker key by increasing the time needed to crack it
851
Salting
adding random data into a one way cryptographic hash to help protect against password cracking techniques
852
Certificates
digitally signed electronic documents that bind a public key with a user's identity
853
X.509
standard used for PKI for digital certificates and contains the owner/user's information and the certificate authority's information
854
CA or certificate authority
CA or certificate authority is the trusted third party who is going to issue the digital certificates
855
Wildcard certificates
allow all of the subdomains to use the same public key certificate and have it displayed as valid
856
Subject alternative Name SAN
allows a certificate owner to specify additional domains and IP addresses to be supported
857
Basic Encoding Rules BER
the original ruleset governing the encoding of data structures for certificates where several different encoding types can be utilized
858
Canonical Encoding Rules CER
a restricted version of BER that allows the use of only one encoding type
859
CSR
certificate signing request is what is submitted to the CA to request a digital certificate
860
Registration authority
used to verify information about a user prior to requesting that a certificate authority issue the certificate
861
CA
the entity that issues certificates to a user
862
Certificate revocation list CRL
an online list of digital certificates that the certificate authority has revoked
863
Online certificate status protocol OCSP
a protocol that allows you to determine the revocation status of a digital certificate using its serial number
864
OCSP stapling
allows the certificate holder to get the OCSP record from the server at regular intervals and include it as part of the SSL or TLS handshake
865
Public key pinning
allows an HTTPS website to resist impersonation attacks by presenting a set of trusted public keys to the user's web browser as part of the HTTP header
866
Key Escrow
occurs when a secure copy of a user's private key is held in case the user accidentally loses their key
867
Key Recovery Agent
a specialized type of software that allows for the restoration of a lost or corrupted key to be performed
868
Web of trust
a decentralized trust model that addresses issues associated with the public authentication of public keys within a CA based PKI system / more of a peer to peer model
869
Single point of failure
the individual elements, objects, or parts of a system that would cause the whole system to fail if they were to fail
870
Redundant power supply
an enclosure that provides two or more complete power supplies
871
Uninterruptible power supply UPS
combines the functionality of a surge protector with that of a battery backup
872
Backup generator
an emergency power system used when there is an outage of the regular electric power grid
873
RAID 0
provides data striping across multiple disks to increase performance / you would use this when you care about performance but not fault tolerance / need at least two disks
874
RAID 1
provides redundancy by mirroring the data identically on two hard disks
875
RAID 5
provides redundancy by striping data and parity data across the disk drives / requires three disks
876
RAID 6
provides redundancy by striping and double parity data across the disk drives / 2 stripes for parity data whereas RAID 5 only has one / at least 4 disks
877
Raids can be categorized as
* Fault resistant
* Fault tolerant
* Disaster tolerant
878
Fault resistant RAID
protects against the loss of the array's data if a single disk fails / RAID 1 or 5
879
Fault tolerant RAID
protects against the loss of the array's data if a single component fails / RAID 1, 5, and 6
880
Disaster tolerant RAIDs
provides two independent zones with full access to the data / RAID 10
881
Clusters
two or more servers working together to perform a particular job function
882
Failover clusters
a secondary server can take over the function when the primary one fails
883
Load balancing cluster
servers are clustered in order to share resources such as CPU, RAM and Hard disks
884
Full backup
all of the contents of a drive are backed up
885
Incremental backup
only conducts a backup of the contents of a drive that have changed since the last full or incremental backup
886
Differential backup
only conducts a backup of the contents of a drive that have changed since the last full backup / this type of backup takes more time to create but less time to restore
887
10 tape rotation
each tape is used once per day for two weeks and the entire set is reused
888
Grandfather-Father-Son
three sets of backup tapes are defined as the son (daily), the father (weekly), and the grandfather (monthly)
889
Towers of Hanoi
three sets of backup tapes (like the grandfather-father-son) that are rotated in a more complex system /helps prevent tapes from being worn out quickly
890
Snapshot backup
type of backup primarily used to capture the entire operating system image including all applications and data / commonly used with VMs
891
Disaster recovery planning
the development of an organized and in-depth plan for problems that could affect the access of data or the org's building
892
Disaster recovery plans should include a couple of things
1. Contact info
2. Impact determination (how much this affects the business)
3. Recovery plan (what is the order and priority of things that need to be recovered)
4. Business continuity plan (BCP)
5. Copies of agreements
6. Disaster recovery exercises
7. List of critical systems and data
893
Business impact analysis BIA
a systematic activity that identifies organizational risks and determines their effect on ongoing, mission critical operations / business impact analysis is governed by metrics that express system availability
894
Maximum tolerable downtime MTD
the longest period of time a business can be inoperable without causing irrevocable business failure
895
Recovery Time objective RTO
the length of time it takes after an event to resume normal business operations and activities
896
Work recovery time WRT
the length of time in addition to the RTO of individual systems to perform reintegration and testing of a restored or upgraded system following an event
897
Recovery point objective
the longest period of time that an organization can tolerate lost data being unrecoverable
898
Mean time to repair
measures the average time it takes to repair a network device when it breaks
899
Mean time between failure
average time between failures on a device