Security+ Flashcards

1
Q

The organization that Chris works for has disabled automatic updates. What is the most common reason for disabling automatic updates for organizational systems?
A. To avoid disruption of the work process for office workers
B. To prevent security breaches due to malicious patches and updates
C. To avoid issues with problematic patches and updates
D. All of the above

A

C. The most common reason to disable automatic patching is to avoid issues with problematic or flawed patches and updates. In most environments the need to patch regularly is accepted and handled for office workers without causing significant disruption. That concern would be different if the systems being patched were part of an industrial process or factory production environment. Malicious patches from legitimate sources such as an automatic update repository are exceptionally rare and are not a common concern or driver of this behavior. For more information, see Chapter 11.

2
Q

Which of the following is the least volatile according to the forensic order of volatility?

A. The system’s routing table
B. Logs
C. Temp files
D. CPU Registers

A

B. Logs, along with any file that is stored on disk without the intention of being frequently overwritten, are the least volatile item listed. In order from most volatile to least from the answers here, you could list these as CPU registers, the system’s routing table, temp files, and logs. For more information, see Chapter 15.

3
Q

Ed wants to trick a user into connecting to his evil twin access point (AP). What type of attack should he conduct to increase his chances of the user connecting to it?

A. A disassociation attack
B. An application denial-of-service attack
C. A known plain-text attack
D. A network denial-of-service attack

A

A. If Ed can cause his target to disassociate from the access point it is currently connected to, he can use a higher transmission power or a closer access point to appear higher in the list of available networks. If he succeeds in fooling the user or system into connecting to his AP, he can then conduct on-path attacks or attempt other exploits. Disassociation and deauthentication are 802.11 management frames; on networks that do not enforce Protected Management Frames (802.11w), these frames are unauthenticated, so an attacker can spoof them without knowing the network key. Denial-of-service attacks are unlikely to cause a system to associate with another AP, and a known plain-text attack is a type of cryptographic attack that is not useful for this purpose. For more information, see Chapter 12.

4
Q

What term is used to describe wireless site surveys that show the relative power of access points on a diagram of the building or facility?

A. Signal surveys
B. db maps
C. AP topologies
D. Heatmaps

A

D. Site surveys that show relative power on a map or diagram are called heatmaps. They can help show where access points provide a strong signal, and where multiple APs may be competing with each other due to channel overlap or other issues. They can also help identify dead zones where signal does not reach. Signal surveys, db maps, and AP topologies were made up for this question. For more information, see Chapter 13.

5
Q

What hardware device is used to create the hardware root of trust for modern desktops and laptops?

A. System memory
B. A HSM
C. The CPU
D. The TPM

A

D. A hardware root of trust is a component that is trusted without further verification and whose keys and boot measurements cannot be altered or copied, so the board or device it is bound to cannot be cloned. A Trusted Platform Module (TPM) is commonly used to provide the hardware root of trust on desktops and laptops: it holds keys that never leave the chip and records boot measurements used for secure and measured boot. CPUs and system memory are not unique in this way for common desktops and laptops, and a hardware security module (HSM) is a separate device used to generate, manage, and store cryptographic keys and to offload cryptographic operations. For more information, see Chapter 11.

6
Q

Angela wants to prevent users in her organization from changing their passwords repeatedly after they have been changed so that they cannot reuse their current password. What two password security settings does she need to implement to make this occur?

A. Set a password history and a minimum password age.
B. Set a password history and a complexity setting.
C. Set a password minimum and maximum age.
D. Set password complexity and maximum age.

A

A. Angela needs to retain a password history and set a minimum password age so that users cannot simply reset their password until they have changed the password enough times to bypass the history. For more information, see Chapter 8.
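Added example (not from the flashcard source) showing why both settings are needed. The policy class below is a simulation, not any real operating system's implementation; the account names, passwords, and timestamps are constructed. With a history but no minimum age, a user can cycle through throwaway passwords until the original falls out of the history; a minimum age stops the cycling at the first throwaway.

```python
# Added example: simulates password history plus minimum password age.
# Not code from the flashcard source; all account data is constructed inline.
import hashlib
import os


class PasswordPolicy:
    """Enforces password history and minimum password age.

    history_size: number of previous passwords that may not be reused.
    min_age_seconds: how long a new password must be kept before it can be changed again.
    """

    def __init__(self, history_size=24, min_age_seconds=24 * 3600):
        self.history_size = history_size
        self.min_age_seconds = min_age_seconds
        self.accounts = {}  # username -> {"history": [(salt, digest)], "changed_at": int|None}

    @staticmethod
    def _hash(password, salt):
        # Iteration count kept low so the demonstration runs quickly; real systems use far more.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def _in_history(self, account, password):
        # Each history entry has its own salt, so the candidate is hashed once per entry.
        return any(self._hash(password, salt) == digest for salt, digest in account["history"])

    def set_password(self, user, new_password, now):
        """Returns (ok, reason). `now` is a Unix timestamp supplied by the caller."""
        account = self.accounts.setdefault(user, {"history": [], "changed_at": None})
        if account["changed_at"] is not None and now - account["changed_at"] < self.min_age_seconds:
            return False, "minimum password age not reached"
        if self._in_history(account, new_password):
            return False, "password found in history"
        salt = os.urandom(16)
        account["history"].append((salt, self._hash(new_password, salt)))
        account["history"] = account["history"][-self.history_size:]  # keep only the last N
        account["changed_at"] = now
        return True, "changed"


def cycling_attack(policy, user, original, now):
    """Tries to get back to `original` by burning through the history with throwaway passwords.

    Returns True if the user ends up with the original password again (the policy lost).
    """
    ok, _ = policy.set_password(user, original, now)
    assert ok, "first password for a new account should be accepted"
    for i in range(policy.history_size):
        ok, _ = policy.set_password(user, f"throwaway{i}", now)
        if not ok:
            return False  # minimum age blocked the cycling
    ok, _ = policy.set_password(user, original, now)
    return ok
```

Run `cycling_attack` once with `min_age_seconds=0` and once with a one-day minimum age to see the difference; only the second configuration holds.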

7
Q

Chris wants to establish a backup site that is fully ready to take over for full operations for his organization at any time. What type of site should he set up?

A. A cold site
B. A clone site
C. A hot site
D. A ready site

A

C. Hot sites are ready to take over operations in real time. Cold sites are typically simply ready buildings with basic infrastructure in place to set up a site. Clone sites and ready sites are not typical terms used in the industry. For more information, see Chapter 9.

8
Q

Which of the following is not a common constraint of embedded and specialized systems?

A. Computational power
B. Overly complex firewall settings
C. Lack of network connectivity
D. Inability to patch

A

B. Embedded and specialized systems tend to have lower-power CPUs, less memory, less storage, and often may not be able to handle CPU-intensive tasks like cryptographic algorithms or built-in security tools. Thus, having a firewall is relatively unlikely, particularly if there isn’t network connectivity built in or the device is expected to be deployed to a secure network. For more information, see Chapter 11.

9
Q

Gary is reviewing his system’s SSH logs and sees logins for the user named “Gary” with passwords like password1, password2 … PassworD. What type of attack has Gary discovered?

A. A dictionary attack
B. A rainbow table attack
C. A pass-the-hash attack
D. A password spraying attack

A

A. A dictionary attack uses a list of likely passwords along with common variants of those passwords to try to break into an account. Repeated login attempts for a single user ID with iterations of various passwords indicate a dictionary attack. A rainbow table is used to match a captured password hash to the plaintext that produced it, so it works on stolen hashes rather than on live logins. A pass-the-hash attack replays a captured authentication hash to act as an authorized user without knowing the password. A password spraying attack is the reverse of what Gary sees: it tries one or a few common passwords against many different accounts, staying under lockout thresholds. (Reusing credentials from a breach against other sites is credential stuffing.) For more information, see Chapter 4.
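Added example, not from the flashcard source: the triage Gary would do on an SSH log, separating the pattern in this card (many guesses against one account from one source) from password spraying (one or two guesses against many accounts from one source). The log lines are constructed in the format OpenSSH writes to auth.log; the host, usernames, and addresses are made up, and the thresholds are assumptions to tune per environment.

```python
# Added example, not part of the flashcard source. The log below is constructed
# in OpenSSH auth.log format; host, users and IPs are made up.
import re
from collections import defaultdict

SAMPLE_AUTH_LOG = """\
Mar 10 02:14:01 bastion sshd[2211]: Failed password for gary from 203.0.113.7 port 51522 ssh2
Mar 10 02:14:03 bastion sshd[2211]: Failed password for gary from 203.0.113.7 port 51522 ssh2
Mar 10 02:14:05 bastion sshd[2211]: Failed password for gary from 203.0.113.7 port 51522 ssh2
Mar 10 02:14:07 bastion sshd[2211]: Failed password for gary from 203.0.113.7 port 51522 ssh2
Mar 10 02:14:09 bastion sshd[2211]: Failed password for gary from 203.0.113.7 port 51522 ssh2
Mar 10 02:14:11 bastion sshd[2211]: Accepted password for gary from 203.0.113.7 port 51522 ssh2
Mar 10 03:00:00 bastion sshd[2300]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Mar 10 03:00:01 bastion sshd[2301]: Failed password for bob from 198.51.100.9 port 40002 ssh2
Mar 10 03:00:02 bastion sshd[2302]: Failed password for carol from 198.51.100.9 port 40003 ssh2
Mar 10 03:00:03 bastion sshd[2303]: Failed password for dave from 198.51.100.9 port 40004 ssh2
Mar 10 03:00:04 bastion sshd[2304]: Failed password for invalid user admin from 198.51.100.9 port 40005 ssh2
Mar 10 09:12:44 bastion sshd[2400]: Failed password for erin from 192.0.2.20 port 50010 ssh2
Mar 10 09:12:50 bastion sshd[2401]: Accepted publickey for erin from 192.0.2.20 port 50010 ssh2
"""

# Matches both "Failed password for gary from ..." and "Failed password for invalid user admin from ...".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_auth_log(text):
    """Return one dict per sshd authentication line (result, method, user, src)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def classify_sources(events, fail_threshold=4):
    """Label each source IP by the shape of its failures. Thresholds are assumptions."""
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> failed attempts
    for e in events:
        if e["result"] == "Failed":
            failures[e["src"]][e["user"]] += 1
    labels = {}
    for src, per_user in failures.items():
        total = sum(per_user.values())
        if total < fail_threshold:
            labels[src] = "benign"
        elif len(per_user) == 1:
            labels[src] = "dictionary/brute-force"  # many guesses against one account
        elif max(per_user.values()) <= 2:
            labels[src] = "password spraying"       # a guess or two against many accounts
        else:
            labels[src] = "mixed"
    return labels


def successes_after_failures(events):
    """(src, user) pairs where a source eventually logged in after failing: page on these."""
    failed = set()
    hits = []
    for e in events:
        key = (e["src"], e["user"])
        if e["result"] == "Failed":
            failed.add(key)
        elif key in failed:
            hits.append(key)
    return hits
```

In the constructed log, 203.0.113.7 is the dictionary attack from this card, and its final `Accepted password` line is the one that matters: the guessing worked. 198.51.100.9 shows the spraying shape instead.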

10
Q

Kathleen wants to set up a system that allows access into a high-security zone from a low-security zone. What type of solution should she configure?

A. VDI
B. A container
C. A screened subnet
D. A jump server

A

D. Jump servers are systems that are used to provide a presence and access path in a different security zone. VDI is a virtual desktop infrastructure and is used to provide controlled virtual systems for productivity and application presentation among other uses. A container is a way to provide a scalable, predictable application environment without having a full underlying virtual system, and a screened subnet is a secured zone exposed to a lower trust level area or population. For more information, see Chapter 12.

11
Q

Derek’s organization is worried about a disgruntled employee publishing sensitive business information. What type of threat should Derek work to protect against?

A. Shoulder surfing
B. Social engineering
C. Insider threats
D. Phishing

A

C. Derek’s organization is worried about insider threats, or threats that are created by employees and others who are part of the organization or are otherwise trusted by the organization. Social engineering involves deceiving people to achieve an attacker’s goals. Phishing attempts to acquire personal information through social engineering and other techniques, and shoulder surfing is a technique where malicious actors watch over someone’s shoulder to acquire information like passwords or credit card numbers. For more information, see Chapter 2.

12
Q

Jeff is concerned about the effects that a ransomware attack might have on his organization and is designing a backup methodology that would allow the organization to quickly restore data after such an attack. What type of control is Jeff implementing?

A. Corrective
B. Preventive
C. Detective
D. Deterrent

A

A. Corrective controls remediate security issues that have already occurred. Restoring backups after a ransomware attack is an example of a corrective control. Preventative controls attempt to stop future issues. Detective controls focus on detecting issues and events, and deterrent controls attempt to deter actions. For more information, see Chapter 1.

13
Q

Samantha is investigating a cybersecurity incident where an internal user used his computer to participate in a denial-of-service attack against a third party. What type of policy was most likely violated?

A. BPA
B. SLA
C. AUP
D. MOU

A

C. This activity is almost certainly a violation of the organization’s acceptable use policy (AUP), which should contain provisions describing appropriate use of networks and computing resources belonging to the organization. A business partners agreement (BPA) governs the relationship between business partners, not the conduct of an organization’s own users. Service level agreements (SLAs) define an agreed-upon level of service, and memoranda of understanding (MOUs) document agreements between organizations. See Chapter 16 for more information.

14
Q

Jean recently completed the user acceptance testing process and is getting her code ready to deploy. What environment should house her code before it is released for use?

A. Test
B. Production
C. Development
D. Staging

A

D. The staging environment is a transition environment for code that has successfully cleared testing and is waiting to be deployed into production. This is where the code should reside before it is released for use. The development environment is where developers work on the code prior to preparing it for deployment. The test environment is where the software or systems can be tested without impacting the production environment. The production environment is the live system. Software, patches, and other changes that have been tested and approved move to production. For more information, see Chapter 6.

15
Q

Rob has created a document that describes how staff in his organization can use organizationally owned devices, including if and when personal use is allowed. What type of policy has Rob created?

A. Change management policy
B. Acceptable use policy
C. Access control policy
D. Playbook

A

B. Acceptable use policies define how organizational systems, devices, and services can and should be used. Change management policies determine how an organization handles change and change control. Access control documentation is typically handled as a standard, and playbooks describe how to perform specific duties or processes.

16
Q

Oren obtained a certificate for his domain covering *.acmewidgets.net. Which one of the following domains would not be covered by this certificate?

A. www.acmewidgets.net
B. acmewidgets.net
C. test.mail.acmewidgets.net
D. mobile.acmewidgets.net

A

C. Wildcard certificates cover the first-level subdomains of the listed domain. test.mail.acmewidgets.net is a second-level subdomain of acmewidgets.net and would not be covered by this certificate. One caveat for practice: by the matching rules in RFC 6125, a wildcard matches exactly one label, so a certificate whose only name is *.acmewidgets.net does not match the bare domain acmewidgets.net either; CAs that issue wildcard certificates normally add the bare domain as a separate subject alternative name, which is the arrangement this question assumes. For more information, see Chapter 7.
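Added example, not from the flashcard source: the hostname-matching rule a TLS client applies to a wildcard name, written after RFC 6125 section 6.4.3 rather than taken from any particular TLS library. The domain names are the ones from this card; `covered_by` models a certificate that carries both the wildcard and the bare domain as names.

```python
# Added example (not from the flashcard source): wildcard certificate name matching
# as described in RFC 6125 section 6.4.3. Written for illustration, not a TLS library.


def wildcard_matches(pattern, hostname):
    """True if the certificate name `pattern` matches `hostname`.

    Only a single leftmost '*' label is honoured, it matches exactly one label,
    and it never matches the bare domain. Comparison is case-insensitive.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject "a*b.example.com", "*.*.example.com" and "*.com": a wildcard must be the
    # whole leftmost label and must leave at least two labels to its right.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    # The '*' stands for exactly one label, so label counts must agree.
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def covered_by(cert_names, hostname):
    """Which of a certificate's names (CN plus SANs) match the requested hostname."""
    return [name for name in cert_names if wildcard_matches(name, hostname)]
```

With only `*.acmewidgets.net` on the certificate, `www` and `mobile` match, `test.mail` does not, and neither does the bare `acmewidgets.net` until it is listed as its own name.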

17
Q

Richard is sending a message to Grace and would like to apply a digital signature to the message before sending it. What key should he use to create the digital signature?

A. Richard’s private key
B. Richard’s public key
C. Grace’s private key
D. Grace’s public key

A

A. The sender of a message may digitally sign the message by encrypting a message digest with the sender’s own private key. For more information, see Chapter 7.

18
Q

Andrew is employing which type of risk management strategy as he works with his financial team to purchase a cybersecurity insurance policy to cover the financial impact of a data breach?

A. Risk avoidance
B. Risk transference
C. Risk acceptance
D. Risk mitigation

A

B. Purchasing insurance is the most common example of risk transference—shifting liability to a third party. Avoidance involves efforts to prevent the risk from occurring, acceptance is just that—formally accepting that the risk may occur, and mitigation attempts to limit the impact of the risk. For more information, see Chapter 17.

19
Q

Shelly is writing a document that describes the steps that incident response teams will follow upon first notice of a potential incident. What type of document is she creating?

A. Guideline
B. Standard
C. Procedure
D. Policy

A

C. Procedures provide checklist-style sets of step-by-step instructions guiding how employees should react in a given circumstance. Procedures commonly guide the early stages of incident response. Standards define how policies should be implemented. Guidelines are voluntary, whereas policies are mandatory. For more information, see Chapter 16.

20
Q

Define control objectives

A

The specific goals or intended outcomes of implementing certain security measures or controls. These objectives are crucial for ensuring the confidentiality, integrity, and availability of information systems and data.

21
Q

Define security controls

A

Specific measures that fulfill the security objectives of an organization.

22
Q

Define gap analysis

A

A method used to assess the difference between the current state of security measures and the desired state. It involves identifying the existing controls within an organization’s security posture and comparing them against industry standards or best practices.

23
Q

What are the security control categories?

A
  • Technical controls enforce confidentiality, integrity, and availability in the digital space. Examples of technical security controls include firewall rules, access control lists, intrusion prevention systems, and encryption.
  • Operational controls include the processes that we put in place to manage technology in a secure manner. These include user access reviews, log monitoring, and vulnerability management.
  • Managerial controls are procedural mechanisms that focus on the mechanics of the risk management process. Examples of administrative managerial controls include periodic risk assessments, security planning exercises, and the incorporation of security into the organization’s change management, service acquisition, and project management practices.
  • Physical controls are security controls that impact the physical world. Examples of physical security controls include fences, perimeter lighting, locks, fire suppression systems, and burglar alarms.
24
Q

What are the security control types?

A
  • Preventive controls intend to stop a security issue before it occurs. Firewalls and encryption are examples of preventive controls.
  • Deterrent controls seek to prevent an attacker from attempting to violate security policies. Vicious guard dogs and barbed wire fences are examples of deterrent controls.
  • Detective controls identify security events that have already occurred. Intrusion detection systems are detective controls.
  • Corrective controls remediate security issues that have already occurred. Restoring backups after a ransomware attack is an example of a corrective control.
  • Compensating controls mitigate the risk associated with exceptions made to a security policy. For example, a legacy system running an operating system that can no longer be patched might be kept on an isolated network segment to offset the missing patching control.
  • Directive controls inform employees and others what they should do to achieve security objectives. Policies and procedures are examples of directive controls.
25
Q

What are the three criteria for PCI DSS compensating controls in order to be satisfactory?

A
  • The control must meet the intent and rigor of the original requirement.
  • The control must provide a similar level of defense as the original requirement, such that the compensating control sufficiently offsets the risk that the original PCI DSS requirement was designed to defend against.
  • The control must be “above and beyond” other PCI DSS requirements.
26
Q

What are the three states in which data might exist?

A
  • Data at rest is stored data that resides on hard drives, tapes, in the cloud, or on other storage media. This data is prone to theft by insiders or external attackers who gain access to systems and are able to browse through their contents.
  • Data in transit is data that is in motion/transit over a network. When data travels on an untrusted network, it is open to eavesdropping attacks by anyone with access to those networks.
  • Data in use is data that is actively in use by a computer system. This includes the data stored in memory while processing takes place. An attacker with control of the system may be able to read the contents of memory and steal sensitive information.
27
Q

What are DLP systems?

A

DLP (Data Loss Prevention) systems are security tools that monitor, detect, and block the unauthorized transmission of information across a network. They help ensure that sensitive or critical information does not leave the corporate network or is not used in a manner that violates policies. DLP systems can be rule-based and may involve a combination of content inspection and contextual analysis to identify and protect data in use (endpoint actions), in motion (network traffic), and at rest (storage). They are crucial in enforcing regulatory compliance and protecting intellectual property.

28
Q

What are agent-based DLP systems?

A

Agent-based DLP uses software agents installed on systems that search those systems for the presence of sensitive information. These searches often turn up Social Security numbers, credit card numbers, and other sensitive information in the most unlikely places.

29
Q

What are agentless DLP systems?

A

Agentless (network-based) DLP systems are dedicated devices that sit on the network and monitor outbound network traffic, watching for any transmissions that contain unencrypted sensitive information. They can then block those transmissions, preventing the unsecured loss of sensitive information.

30
Q

How can you automatically apply encryption to email exchanges that may contain sensitive information?

A

Integrate Data Loss Prevention (DLP) systems. They can be configured to scan email and encrypt traffic automatically.

31
Q

How can you stop users from utilizing USB drives?

A

Implement an agent-based (host-based) DLP with device control. Because the agent runs on the endpoint, it can block or restrict writes to removable media, which a network-based DLP cannot see.

32
Q

What are the two mechanisms of action for DLP systems?

A

1) Pattern matching, where they watch for the telltale signs of sensitive information. For example, if they see a number that is formatted like a credit card or Social Security number, they can automatically trigger on that. Similarly, they may contain a database of sensitive terms, such as “Top Secret” or “Business Confidential,” and trigger when they see those terms in an outbound transmission.

2) Watermarking, where systems or administrators apply electronic tags to sensitive documents and then the DLP system can monitor systems and networks for unencrypted content containing those tags.
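Added example, not from the flashcard source: the pattern-matching mechanism from point 1 as a small content inspector. The messages it scans are constructed test strings, the regular expressions and term list are assumptions a real DLP product would tune, and the credit-card match is confirmed with a Luhn check so that a random 16-digit order number does not trigger the rule. Findings are reported masked, since the DLP log itself must not become a second copy of the data.

```python
# Added example, not from the flashcard source: DLP pattern matching with a Luhn check.
# Regexes, term list and sample messages are constructed for illustration.
import re

# 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape with the area/group/serial values that are never issued excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
SENSITIVE_TERMS = ("top secret", "business confidential")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; filters out look-alike numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def inspect(text):
    """Return (category, masked_evidence) findings for one outbound message."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("credit_card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    lowered = text.lower()
    for term in SENSITIVE_TERMS:
        if term in lowered:
            findings.append(("classification_marking", term))
    return findings


def should_block(text):
    """Policy decision: any finding blocks the transmission."""
    return bool(inspect(text))
```

The second test message below has sixteen digits in card-number layout but fails the Luhn check, so it passes; without that check it would be a false positive of the kind that makes users route around the control.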

33
Q

Define data minimization

A

The principle of collecting, processing, and storing only the minimum amount of personal data necessary for specific purposes. This reduces the risk of data breaches and complies with privacy regulations.

34
Q

Define de-identification

A

The process of removing or altering personally identifiable information (PII) from data sets, so that individuals cannot be readily identified, enhancing privacy and security while allowing data analysis and usage.

35
Q

What are the three main data obfuscation methods?

A
  • Hashing
  • Tokenization
  • Masking
36
Q

Define tokenization

A

Tokenization replaces sensitive values with a unique identifier using a lookup table. For example, we might replace a widely known value, such as a student ID, with a randomly generated 10-digit number. We’d then maintain a lookup table that allows us to convert those back to student IDs if we need to determine someone’s identity. Of course, if you use this approach, you need to keep the lookup table secure.

37
Q

Define masking

A

Masking partially redacts sensitive information by replacing some or all of the characters in a field with a placeholder. For example, we might replace all but the last four digits of a credit card number with X’s or *’s to render the card number unreadable while still letting a user recognize which card is on file.
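Added example, not from the flashcard source, covering the three obfuscation methods from the cards above (hashing, tokenization, masking) on one constructed record. The token vault, student ID, and key are made up. The hashing variant uses a keyed HMAC rather than plain SHA-256 because short, guessable identifiers such as student IDs could otherwise be recovered by hashing every candidate; that choice is this example's, not something the cards prescribe.

```python
# Added example, not from the flashcard source: tokenization, masking and hashing
# side by side. The vault, IDs and key below are constructed for illustration.
import hashlib
import hmac
import secrets


class Tokenizer:
    """Tokenization: a random token stands in for the value; only the vault maps it back."""

    def __init__(self):
        self._vault = {}    # token -> original value; this table must be protected
        self._reverse = {}  # value -> token, so the same value always gets the same token

    def tokenize(self, value):
        if value in self._reverse:
            return self._reverse[value]
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(10))
            if token not in self._vault:  # avoid the (rare) collision
                break
        self._vault[token] = value
        self._reverse[value] = token
        return token

    def detokenize(self, token):
        """Reversible by design, which is why access to the vault is the control point."""
        return self._vault[token]


def mask(value, keep_last=4, fill="*"):
    """Masking: irreversible partial redaction that keeps only the trailing characters."""
    return fill * max(len(value) - keep_last, 0) + value[-keep_last:]


def pseudonymize(value, key):
    """Hashing: keyed HMAC-SHA256. Equal inputs compare equal, but nothing maps back."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
```

Tokenization is the only one of the three that can be undone, and only by whoever holds the vault; masking and hashing discard the information outright.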

38
Q

Define rainbow table attack

A

A cryptographic attack that uses precomputed tables of hash values for cracking password hashes. It’s efficient against unsalted hashes, reducing the time needed to crack a password by comparing precomputed hashes rather than computing them on-the-fly.
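Added example, not from the flashcard source. A real rainbow table compresses the precomputed hashes into chains with reduction functions; this shows the plain lookup table it is built from, which is enough to see the point of the card: an unsalted hash is recovered with a dictionary lookup, while a salted, stretched hash of the same password is not in any table computed in advance. The candidate list and passwords are constructed.

```python
# Added example, not from the flashcard source: precomputed-hash lookup versus salting.
# Candidate passwords and stored values are constructed for illustration.
import hashlib
import hmac
import os

CANDIDATES = ["password", "password1", "letmein", "Summer2024", "qwerty"]


def unsalted_hash(password):
    """How a legacy system might store a password: a bare SHA-256 of the plaintext."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> plaintext once; reusable against every unsalted hash seen later."""
    return {unsalted_hash(p): p for p in candidates}


def crack_unsalted(stored_hash, table):
    """Instant: the work was done before the hash was ever captured."""
    return table.get(stored_hash)


def store_salted(password, salt=None):
    """Per-user random salt plus key stretching (PBKDF2); returns 'salthex$digesthex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password, stored):
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(digest.hex(), digest_hex)


def crack_salted_with_table(stored, table):
    """The table is useless here: the digest covers salt+password, and the salt was random."""
    _, digest_hex = stored.split("$")
    return table.get(digest_hex)
```

Against the salted store an attacker is back to guessing per user, and the 100,000 PBKDF2 iterations make each guess cost as much as a full password check.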

39
Q

Define (network) segmentation

A

Segmentation places sensitive systems on separate networks where they may communicate with each other but have strict restrictions on their ability to communicate with systems on other networks.

40
Q

Define nonrepudiation

A

Nonrepudiation means that someone who performed some action, such as sending a message, cannot later deny having taken that action. Digital signatures are a common example of nonrepudiation. They allow anyone who is interested to confirm that a message truly originated with its purported sender.
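Added example, not from the flashcard source, serving this card and card 17 (which key creates a digital signature). It is textbook RSA with toy-sized keys: Richard signs a digest with his private key, anyone verifies with his public key, and a signature made with Grace's private key does not verify under Richard's public key, which is what ties the message to Richard and gives nonrepudiation. The primes, names, and message are constructed; real signatures use 2048-bit or larger keys and a padding scheme such as PSS, so this construction is for illustration only.

```python
# Added example, not from the flashcard source: textbook RSA signing with toy keys to
# show which key signs and which verifies. Not for production use (no padding, tiny keys).
import hashlib


def make_keypair(p, q, e=65537):
    """Returns (public_key, private_key) as (n, e) and (n, d). p and q must be prime."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent; modular inverse (Python 3.8+)
    return (n, e), (n, d)


def _digest(message, n):
    """Hash the message, then reduce into the key's modulus (a real scheme pads instead)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private_key):
    """The sender signs with their OWN private key."""
    n, d = private_key
    return pow(_digest(message, n), d, n)


def verify(message, signature, public_key):
    """Anyone verifies with the sender's public key; no secret is needed to check."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)


# Constructed toy keys: small well-known primes, far too small for real use.
RICHARD_PUB, RICHARD_PRIV = make_keypair(1000000007, 998244353)
GRACE_PUB, GRACE_PRIV = make_keypair(2147483647, 1000000009)
```

Changing a single byte of the message, or signing with anyone else's private key, breaks verification; only Richard's private key can produce a value that Richard's public key accepts, which is what lets Grace (or a third party) hold him to the message.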

41
Q

Matt is updating the organization’s threat assessment process. What category of control is Matt implementing?

A. Operational
B. Technical
C. Corrective
D. Managerial

A

D. Managerial controls are procedural mechanisms that focus on the mechanics of the risk management process. Threat assessment is an example of one of these activities.

42
Q

Jade’s organization recently suffered a security breach that affected stored credit card data. Jade’s primary concern is the fact that the organization is subject to sanctions for violating the provisions of the Payment Card Industry Data Security Standard. What category of risk is concerning Jade?

A. Strategic
B. Compliance
C. Operational
D. Financial

A

B. The breach of credit card information may cause many different impacts on the organization, including compliance, operational, and financial risks. However, in this scenario, Jade’s primary concern is violating PCI DSS, making his concern a compliance risk.

43
Q

Chris is responding to a security incident that compromised one of his organization’s web servers. He believes that the attackers defaced one or more pages on the website. What cybersecurity objective did this attack violate?

A. Confidentiality
B. Nonrepudiation
C. Integrity
D. Availability

A

C. The defacement of a website alters content without authorization and is, therefore, a violation of the integrity objective. The attackers may also have breached the confidentiality or availability of the website, but the scenario does not provide us with enough information to draw those conclusions.

44
Q

Tonya is concerned about the risk that an attacker will attempt to gain access to her organization’s database server. She is searching for a control that would discourage the attacker from attempting to gain access. What type of security control is she seeking to implement?

A. Preventive
B. Detective
C. Corrective
D. Deterrent

A

D. Deterrent controls are designed to prevent an attacker from attempting to violate security policies in the first place. Preventive controls would attempt to block an attack that was about to take place. Corrective controls would remediate the issues that arose during an attack. Detective controls detect issues or indicators of issues.

45
Q

Greg is implementing a data loss prevention system. He would like to ensure that it protects against transmissions of sensitive information by guests on his wireless network. What DLP technology would best meet this goal?

A. Watermarking
B. Pattern recognition
C. Host-based
D. Network-based

A

D. In this case, Greg must use a network-based DLP system. Host-based DLP requires the use of agents, which would not be installed on guest systems. Greg may use watermarking and/or pattern recognition to identify the sensitive information, but he must use network-based DLP to meet his goal.

46
Q

What term best describes data that is being sent between two systems over a network connection?

A. Data at rest
B. Data in transit
C. Data in processing
D. Data in use

A

B. Data being sent over a network is data in transit. Data at rest is stored data that resides on hard drives, tapes, in the cloud, or on other storage media. Data in processing, or data in use, is data that is actively in use by a computer system.

47
Q

Tina is tuning her organization’s intrusion prevention system to prevent false positive alerts. What type of control is Tina implementing?

A. Technical control
B. Physical control
C. Managerial control
D. Operational control

A

A. Technical controls enforce confidentiality, integrity, and availability in the digital space. Examples of technical security controls include firewall rules, access control lists, intrusion prevention systems, and encryption.

48
Q

Which one of the following is not a common goal of a cybersecurity attacker?

A. Disclosure
B. Denial
C. Alteration
D. Allocation

A

D. The three primary goals of cybersecurity attackers are disclosure, alteration, and denial. These map directly to the three objectives of cybersecurity professionals: confidentiality, integrity, and availability.

49
Q

Tony is reviewing the status of his organization’s defenses against a breach of their file server. He believes that a compromise of the file server could reveal information that would prevent the company from continuing to do business. What term best describes the risk that Tony is considering?

A. Strategic
B. Reputational
C. Financial
D. Operational

A

A. The risk that Tony is contemplating could fit any one of these categories. However, his primary concern is that the company may no longer be able to do business if the risk materializes. This is a strategic risk.

50
Q

Which one of the following data elements is not commonly associated with identity theft?

A. Social Security number
B. Driver’s license number
C. Frequent flyer number
D. Passport number

A

C. Although it is possible that a frequent flyer account number, or any other account number for that matter, could be used in identity theft, it is far more likely that identity thieves would use core identity documents. These include drivers’ licenses, passports, and Social Security numbers.

51
Q

What term best describes an organization’s desired security state?

A. Control objectives
B. Security priorities
C. Strategic goals
D. Best practices

A

A. As an organization analyzes its risk environment, technical and business leaders determine the level of protection required to preserve the confidentiality, integrity, and availability of their information and systems. They express these requirements by writing the control objectives that the organization wishes to achieve. These control objectives are statements of a desired security state.

52
Q

What technology uses mathematical algorithms to render information unreadable to those lacking the required key?

A. Data loss prevention
B. Data obfuscation
C. Data minimization
D. Data encryption

A

D. Encryption technology uses mathematical algorithms to protect information from prying eyes, both while it is in transit over a network and while it resides on systems. Encrypted data is unintelligible to anyone who does not have access to the appropriate decryption key, making it safe to store and transmit encrypted data over otherwise insecure means.

53
Q

Greg recently conducted an assessment of his organization’s security controls and discovered a potential gap: the organization does not use full-disk encryption on laptops. What type of control gap exists in this case?

A. Detective
B. Corrective
C. Deterrent
D. Preventive

A

D. The use of full-disk encryption is intended to prevent a security incident from occurring if a device is lost or stolen. Therefore, this is a preventive control gap.

54
Q

What compliance regulation most directly affects the operations of a health-care provider?

A. HIPAA
B. PCI DSS
C. GLBA
D. SOX

A

A. Although a health-care provider may be impacted by any of these regulations, the Health Insurance Portability and Accountability Act (HIPAA) provides direct regulations for the security and privacy of protected health information and would have the most direct impact on a health-care provider.

55
Q

Nolan is writing an after-action report on a security breach that took place in his organization. The attackers stole thousands of customer records from the organization’s database. What cybersecurity principle was most impacted in this breach?

A. Availability
B. Nonrepudiation
C. Confidentiality
D. Integrity

A

C. The disclosure of sensitive information to unauthorized individuals is a violation of the principle of confidentiality.

56
Q

Which one of the following objectives is not one of the three main objectives that information security professionals must achieve to protect their organizations against cybersecurity threats?

A. Integrity
B. Nonrepudiation
C. Availability
D. Confidentiality

A

B. The three primary objectives of cybersecurity professionals are confidentiality, integrity, and availability.

57
Q

Which one of the following data protection techniques is reversible when conducted properly?

A. Tokenization
B. Masking
C. Hashing
D. Shredding

A

A. Tokenization techniques use a lookup table and are designed to be reversible. Masking and hashing techniques replace the data with values that can’t be reversed back to the original data if performed properly. Shredding, when conducted properly, physically destroys data so that it cannot be recovered.

58
Q

Which one of the following statements is not true about compensating controls under PCI DSS?

A. Controls used to fulfill one PCI DSS requirement may be used to compensate for the absence of a control needed to meet another requirement.
B. Controls must meet the intent of the original requirement.
C. Controls must meet the rigor of the original requirement.
D. Compensating controls must provide a similar level of defense as the original requirement.

A

A. PCI DSS compensating controls must be “above and beyond” other PCI DSS requirements. This specifically bans the use of a control used to meet one requirement as a compensating control for another requirement.

59
Q

Define hacktivist

A

Hacktivists use hacking techniques to accomplish some activist goal. They might deface the website of a company whose policies they disagree with. Or a hacktivist might attack a network due to some political issue. The defining characteristic of hacktivists is that they believe they are motivated by the greater good, even if their activity violates the law.

60
Q

Define APT

A

Sophisticated, long-term cyberattacks conducted by highly skilled adversaries targeting specific organizations for espionage or financial gain. APTs stealthily infiltrate networks to extract or compromise data without detection.

61
Q

What are espionage attacks?

A

Espionage attacks are motivated by organizations seeking to steal secret information from other organizations. This may come in the form of nation-states attacking each other or corporate espionage.

62
Q

What are the types of threat actors?

A
  • Cybercriminals: Individuals or groups seeking financial gain through attacks like phishing, malware, and identity theft.
  • Hacktivists: Hackers who target organizations for political or social reasons, often through website defacement or data leaks.
  • Nation-State Actors: Government-sponsored groups conducting cyber espionage or attacks to gather intelligence or disrupt other nations.
  • Insiders: Employees or contractors who misuse their access to steal information or sabotage systems.
  • Script Kiddies: Inexperienced hackers using pre-written scripts to exploit known vulnerabilities without fully understanding the technology.
  • Advanced Persistent Threats (APTs): Highly skilled groups engaging in prolonged and targeted cyberattacks to steal data or monitor organizations.
63
Q

What are the typical motivations for threat actor attacks?

A
  • Data exfiltration attacks are motivated by the desire to obtain sensitive or proprietary information, such as customer data or intellectual property.
  • Espionage attacks are motivated by organizations seeking to steal secret information from other organizations. This may come in the form of nation-states attacking each other or corporate espionage.
  • Service disruption attacks seek to take down or interrupt critical systems or networks, such as banking systems or health-care networks.
  • Blackmail attacks seek to extort money or other concessions from victims by threatening to release sensitive information or launch further attacks.
  • Financial gain attacks are motivated by the desire to make money through theft or fraud. Organized crime is generally motivated by financial gain, as are other types of attackers.
  • Philosophical/political belief attacks are motivated by ideological or political reasons, such as promoting a particular cause or ideology. Hacktivists are generally motivated by philosophical or political beliefs.
  • Ethical attacks, or white-hat hacking, are motivated by a desire to expose vulnerabilities and improve security. These attacks are often carried out by security researchers or ethical hackers with the permission of the organization being tested.
  • Revenge attacks are motivated by a desire to get even with an individual or organization by embarrassing them or exacting some other form of retribution against them.
  • Disruption/chaos attacks are motivated by a desire to cause chaos and disrupt normal operations. War may also be a motivation for cyberattacks. Military units and civilian groups may use hacking in an attempt to disrupt military operations and change the outcome of an armed conflict.
64
Q

Define attack surface

A

This is a system, application, or service that contains a vulnerability that a threat actor might exploit.

65
Q

Define threat vector

A

A path or method used by a cyber attacker to gain unauthorized access to a system or network to deliver a payload or malicious outcome. Common vectors include phishing, malware, social engineering, and unsecured networks.

66
Q

What are the common message-based threat vectors?

A
  • Phishing: Deceptive communication, often email, aiming to steal sensitive data.
  • Spear Phishing: Targeted phishing attacks directed at specific individuals or organizations.
  • Whaling: Highly targeted phishing attacks aimed at senior executives.
  • Spam: Unsolicited messages, often carrying malware or phishing links.
67
Q

What are the common physical-based threat vectors?

A
  • USB Drop Attacks: Distributing malware-infected USB drives to unsuspecting users.
  • Tailgating: Gaining unauthorized access to restricted areas by following authorized personnel.
68
Q

What are the common social engineering-based threat vectors?

A
  • Pretexting: Creating a fabricated scenario to steal a victim’s information.
  • Baiting: Offering something enticing to deliver malware or steal information.
  • Quid Pro Quo: Offering a service or benefit in exchange for information, typically under false pretenses.
69
Q

What are the common wireless-based threat vectors?

A
  • Evil Twin Attacks: Creating a malicious Wi-Fi network mimicking a legitimate one.
  • Wi-Fi Eavesdropping: Intercepting information sent over unprotected Wi-Fi networks.
  • Bluetooth Hacking: Exploiting vulnerabilities over Bluetooth connections.
70
Q

What are the common cloud-based threat vectors?

A
  • API Vulnerabilities: Exploiting weaknesses in cloud services’ Application Programming Interfaces.
  • Misconfigured Cloud Storage: Accessing improperly secured cloud storage to extract data.
  • Account Hijacking: Gaining control of cloud accounts to access sensitive information.
71
Q

What is the DAD triad?

A

Definition: The DAD triad stands for Disclosure, Alteration, and Destruction. It is a model used to outline the potential security threats to information systems, contrasting the CIA (Confidentiality, Integrity, Availability) triad by focusing on negative outcomes.
Example: An attacker stealing confidential documents (Disclosure), modifying data (Alteration), or deleting critical files (Destruction).

72
Q

Define data exfiltration

A

Definition: Data exfiltration refers to the unauthorized transfer of data from a computer or other device to an external location or attacker-controlled environment. This can be done manually via physical means or automatically through malware or compromised networks.
Example: An attacker using a phishing scam to install malware that silently transfers sensitive files from the victim’s computer to an external server.

73
Q

What is PHI?

A

Definition: Protected Health Information is any information in a medical record or other health-related information that can be used to identify an individual and that was created, used, or disclosed in the course of providing a healthcare service, such as diagnosis or treatment.
Example: Names, addresses, birth dates, Social Security Numbers, medical records, and health insurance information.

74
Q

What are control objectives?

A

Definition: Control objectives are the goals or purposes intended to be achieved by implementing specific control measures or procedures in information security. These objectives help ensure the confidentiality, integrity, and availability of data.
Example: Ensuring only authorized users have access to sensitive data, data is accurate and unaltered, and information systems are available when needed.

75
Q

What are CPU registers?

A

Definition: CPU registers are small, high-speed storage locations within a computer’s CPU (Central Processing Unit) that hold data and instructions that are being processed by the CPU. They play a critical role in the CPU’s ability to execute operations quickly.
Example: Instruction registers hold the instruction currently being executed, while accumulator registers store intermediate arithmetic and logic results.

76
Q

Define threat intelligence

A

Definition: Threat intelligence is information used to understand the threats that have targeted, are currently targeting, or will target an organization. This information can be used to prepare for, prevent, and identify cyber threats looking to take advantage of valuable resources.
Example: Data indicating a new malware strain is targeting the financial sector, helping institutions to proactively bolster their defenses.

77
Q

What are threat feeds and what can they do for your organization?

A

Definition: Threat feeds deliver real-time information about potential security threats to an organization, providing actionable intelligence that can be used to bolster cybersecurity measures.
Details Included: IP addresses, domains, email addresses, URLs, file hashes, paths, and CVE numbers, offering comprehensive insight into the nature of threats.
Benefits: By including context such as why an organization might be targeted, descriptions of threat actors, and insights into their motives and methods, threat feeds enable organizations to understand and mitigate threats more effectively.

78
Q

What is STIX?

A

Definition: Structured Threat Information eXpression (STIX) is a language and serialization format used to exchange cyber threat intelligence (CTI) in a standardized manner. It enables organizations to share information about cyber threats and their indicators effectively and efficiently.
Purpose: Facilitates the understanding, management, and sharing of cyber threat intelligence, enhancing the ability to respond to and mitigate cyber threats across different platforms and organizations.

79
Q

What is TAXII?

A

Definition: Trusted Automated Exchange of Intelligence Information (TAXII) is a protocol used for the automated exchange of cyber threat information in a secure and standardized manner.
Purpose: It supports the sharing of information about malware, attack patterns, and threat indicators, making it easier for organizations to communicate and collaborate on threat intelligence. TAXII is often used in conjunction with STIX to facilitate the exchange of structured threat information.

80
Q

What are TTPs?

A

TTPs (Tactics, Techniques, and Procedures) represent the behavior patterns of threat actors or cybercriminals.

Tactics: The overarching strategy or goal of an attacker. For example, an attacker’s tactic might be to gain unauthorized access to a network to steal sensitive data.

Techniques: The methods used to carry out the tactic. Continuing the example, the technique could be phishing emails to trick employees into revealing their login credentials.

Procedures: The detailed, step-by-step actions taken to execute the technique. In this case, the procedure might involve crafting a convincing email that appears to be from a trusted source, embedding a malicious link, and then sending it to multiple employees within the targeted organization.

81
Q

Frank is concerned about the admissibility of his forensic data. Which of the following is not an element he should be concerned about?
A. Whether the forensic source data has remained unaltered
B. Whether the practices and procedures would survive review by experts
C. Whether the evidence is relevant to the case
D. Whether the forensic information includes a time stamp

A

D. Forensic information does not have to include a time stamp to be admissible, but time stamps can help build a case that shows when events occurred. Files without a time stamp may still show other information that is useful to the case or may have other artifacts associated with them that can provide context about the time and date.

82
Q

What is authorized, semi-authorized, and unauthorized hacking?

A

White, grey, and black hat hacking.

83
Q

What remains on a flash media device after it has been quick-formatted?

A

Quick-formatting a drive removes the file indexes but leaves the file content on the drive. Recovery tools look for those files on the drive and piece them back together using metadata, headers, and other clues that help to recover the files.

84
Q

Tony is reviewing the status of his organization’s defenses against a breach of their file server. He believes that a compromise of the file server could reveal information that would prevent the company from continuing to do business. What term best describes the risk that Tony is considering?
A. Strategic
B. Reputational
C. Financial
D. Operational

A

A. The risk that Tony is contemplating could fit any one of these categories. However, his primary concern is that the company may no longer be able to do business if the risk materializes. This is a strategic risk.

85
Q

Joanna wants to detect password spraying attacks. What type of rule should she deploy through her security systems?
A. Match attempts to log into many systems with the same username and password.
B. Match multiple attempts to log into the same user account using different passwords.
C. Match repeated use of the same password during failed login attempts for multiple usernames.
D. Match all attempts to use passwords with slight changes for the same account.

A

C. Password spraying involves the use of the same password to attempt to log into multiple accounts. Joanna should search for uses of the same password for different accounts.

86
Q

Valentine wants to deploy a secure version of DHCP for her organization. What should she implement?
A. S-DHCP
B. DHCP over TLS
C. DHCPS
D. There is no secured version of DHCP.

A

D. While many protocols have a secure version, DHCP does not have a secure option, and protection must be handled by using detection and response mechanisms, rather than an encrypted protocol.

87
Q

What is out-of-cycle logging?

A

This refers to the recording of system or application activities at times outside of normal operational hours or scheduled intervals, often to detect unauthorized access or anomalies that could indicate a security incident.

88
Q

Dana is reviewing her system’s application logs and notices that a full backup of the application was done at 10 a.m. She knows that the job that runs the backup process is set to run overnight. What indicator should she flag this as?
A. Unexpected logs
B. Resource consumption
C. Resource inaccessibility
D. Out-of-cycle logging

A

D. This is an example of out-of-cycle logging, or logging that occurs at a different time than expected. This may be because an attacker is using the backup tool to acquire data. Unexpected logs are not an indicator found on the Security+ exam outline. There is no indication of resource consumption or inaccessibility in the question.

89
Q

Which organization did the U.S. government help create to share knowledge between organizations in specific verticals?

A

ISACs. The U.S. government created the Information Sharing and Analysis Centers (ISACs). ISACs help infrastructure owners and operators share threat information, and provide tools and assistance to their members.

90
Q

Which one of the following algorithms is primarily used for the exchange of encryption keys?
A. PBKDF2
B. AES
C. OCSP
D. Diffie–Hellman

A

D. Diffie–Hellman is a key exchange algorithm used to create a common shared secret key. The Advanced Encryption Standard (AES) is a symmetric encryption algorithm used to protect data. Password-Based Key Derivation Function 2 (PBKDF2) is a key stretching algorithm used to create strong keys from short passwords. The Online Certificate Status Protocol (OCSP) is used to verify the validity of digital certificates.

91
Q

Sarah is an IT compliance officer at a large U.S. publicly traded tech company. Her role involves ensuring that the financial records of the company are secured with a high degree of assurance. She understands that there is a particular act that mandates such assurance for the IT systems storing and processing these records. Which of the following acts is Sarah most focused on ensuring her company complies with?
A. FERPA
B. GLBA
C. SOX
D. HIPAA

A

C. Sarah’s main focus in this situation is the Sarbanes–Oxley Act (SOX Act), as it is specifically designed for U.S. publicly traded companies. It insists on a high level of confidence in the IT systems that manage these companies’ financial records. The Family Educational Rights and Privacy Act (FERPA) applies to educational institutions in the U.S., mandating the secure handling of student records. The Gramm–Leach–Bliley Act (GLBA) is aimed at U.S. financial institutions, requiring them to establish a formal security program. The Health Insurance Portability and Accountability Act (HIPAA) sets the rules for health-care providers, insurance firms, and health information clearinghouses in the U.S., calling for adherence to security and privacy standards related to health information. While each of these regulations plays a crucial role within its specific sector, in Sarah’s role at a publicly traded tech firm, it’s the SOX Act that is most pertinent.

92
Q

Isabelle needs to select the EAP protocol that she will use with her wireless network. She wants to use a secure protocol that does not require client devices to have a certificate, but she does want to require mutual authentication. Which EAP protocol should she use?
A. EAP-FAST
B. EAP-TTLS
C. PEAP
D. EAP-TLS

A

C. Isabelle should select PEAP, which doesn’t require client certificates but does provide TLS support. EAP-TTLS provides similar functionality but requires additional software to be installed on some devices. EAP-FAST focuses on quick reauthentication, and EAP-TLS requires certificates to be deployed to the endpoint devices.

93
Q

Alaina wants to maintain chain-of-custody documentation and has created a form. Which of the following is not a common element on a chain-of-custody form?
A. Item identifier number
B. Signature of the person transferring the item
C. Signature of the person receiving the item
D. Method of transport

A

D. Method of transport

94
Q

What are the CVSS score to risk category mappings?

A

Low: 0.1 - 3.9
Medium: 4.0 - 6.9
High: 7.0 - 8.9
Critical: 9.0 - 10.0

95
Q

Michelle has received a drive that a manager in her organization retrieved from a staff member’s house. The drive had been left on the manager’s desk for a week before she caught up with Michelle to hand the drive over. What concern should Michelle express about the drive in the event that it is needed for a legal case?
A. The drive cannot be safely copied after not having power for so long.
B. The drive may not meet legal hold requirements.
C. The drive may have lost data after not having power for so long.
D. There is a gap in the chain of custody for the drive.

A

D. Since the drive acquisition was both unmonitored and not logged, and since the drive sat without being secured, the chain of custody for the drive cannot be validated. Michelle cannot prove that the drive was handled properly or was not modified between the time it was obtained and when it was handed to her. Drives will not typically lose data or have issues being copied after being unpowered for a week, or even months. There is no requirement for legal hold in this scenario, and no third party requested that the drive or data on the drive be preserved.

96
Q

Which of the following human vectors is primarily associated with nation-state actors?
A. Misinformation campaigns
B. Watering hole attacks
C. Business email compromise
D. Password spraying

A

A. Misinformation and disinformation campaigns are primarily associated with nation-state actors, but are increasingly used by other organizations and even individuals as well. Watering hole attacks, business email compromise, and password spraying are broadly used attacks.

97
Q

Eve is investigating a security incident where the user of a web application submitted an internal URL to the application and tricked the web server into retrieving sensitive data from that URL and displaying it as output. What term best describes this attack?
A. SSRF
B. CSRF
C. XSS
D. Command injection

A

A. Server-side request forgery (SSRF) attacks trick a server into visiting a URL based on user-supplied input. SSRF attacks are possible when a web application accepts URLs from a user as input and then retrieves information from that URL. If the server has access to non-public URLs, an SSRF attack can unintentionally disclose that information to an attacker. CSRF (cross-site request forgery) leverages malicious code to cause users to take action via a website they’re already authenticated to. XSS (cross-site scripting) injects malicious scripts into preexisting websites by getting them to display the scripts, and command injection attacks attempt to run commands on an operating system by leveraging a vulnerable application.

98
Q

Ivan is running an enterprise wireless network and his heatmap shows that two access points are likely conflicting with each other. What will the enterprise access controller most likely do to handle this conflict?
A. Increase the broadcast power of one of the access points.
B. Change the SSID for one of the access points.
C. Disable one of the access points.
D. Decrease the broadcast power of the access points.

A

D. When access points conflict, enterprise wireless network management tools will typically decrease the power for both access points until the issue is resolved. Simply increasing power will cause more conflicts, changing the SSID would not serve typical enterprise models that use a single SSID to allow roaming, and disabling an access point may leave coverage gaps.

99
Q

What component of a zero-trust architecture forwards requests from subjects and acts on whether subjects are allowed to access resources?
A. Policy administrators
B. Policy enforcement points
C. Policy engines
D. Policy gateways

A

B. Policy enforcement points communicate with policy administrators to forward requests from subjects and to receive instructions from them about connections to allow or end. Policy administrators are components that establish or remove the communication path between subjects and resources, including creating session-specific authentication tokens or credentials as needed. Policy engines make policy decisions based on both rules and external systems. Policy gateways are not reference components for zero-trust designs.

100
Q

Wayne is concerned that an on-path attack has been used against computers he is responsible for. What artifact is he most likely to find associated with this attack?
A. A compromised router
B. A browser plug-in
C. A compromised server
D. A modified hosts file

A

B. Browser on-path attacks take advantage of malicious browser plug-ins or proxies to modify traffic at the browser level. They do not involve compromised routers or servers, and a modified hosts file is more likely to be involved in an on-path attack.

101
Q

When a caller was recently directed to Amanda, who is a junior IT employee at her company, the caller informed her that they were the head of IT for her organization and that she needed to immediately disable the organization’s firewall. After Amanda made the change, she discovered that the caller was not the head of IT, and that they were actually a penetration tester hired by her company. What social engineering attack best describes this?
A. Smishing
B. Pretexting
C. Impersonation
D. Vishing

A

C. This is an example of an impersonation attack. The pentester impersonated the head of IT in order to achieve their goals. The good news is that it was a penetration tester! Smishing is phishing via SMS, vishing is phishing via voice or voicemail, and pretexting provides a reason that the target should perform an action. Here the attack relied on the authority that Amanda believed the caller had.

102
Q

A connection between two systems has been redirected by an attacker. The attacker has spoofed ARP packets so that responses to the legitimate server are instead sent to a system that the attacker controls. When traffic is sent to that system, the attacker reads and potentially modifies the traffic before passing it along to the server, then sends back responses from the server after reviewing or modifying them as well. What type of attack is this?

A. An ARPjacking
B. A disassociation attack
C. An on-path attack
D. A TCP redirect attack

A

C. This is one form of an on-path attack, an attack that redirects traffic to a system or device controlled by the attacker, which can then take action on network traffic originally destined for another system. ARPjacking and TCP redirect attacks are made up. Disassociation attacks focus on causing Wi-Fi devices to drop their connection and try to reconnect to an access point.

103
Q

Henry is following the EDRM model and is preparing to review data. What two key tasks occur during this stage?

A

It is important to ensure that data prepared for e-discovery only contains what it is supposed to, and that information that should not be shared is not included.

104
Q

How do you determine categorization for guidelines, standards, procedures, and policies?

A

To categorize these governance documents, assess their scope and level of detail. Policies provide broad, principle-based direction and define the organization’s security posture. Standards specify mandatory actions, technical requirements, or rules used to implement policies. Procedures are detailed, step-by-step instructions that describe exactly how to comply with policies and standards. Guidelines offer advisory best practices that can be tailored to specific circumstances or environments. The hierarchy moves from general (policies) to specific (procedures), with standards providing the compulsory requirements to achieve policy goals and guidelines offering optional advice.

105
Q

Define federation

A

In cybersecurity, federation is the process of linking and managing identities across multiple systems and organizations to allow users to access shared resources with single sign-on (SSO).

106
Q

What is the EDRM?

A

The Electronic Discovery Reference Model (EDRM) is a framework that outlines standards for the recovery and discovery of digital data. It provides guidance for the creation, management, and use of electronically stored information (ESI) in legal proceedings.

107
Q

Define logic bomb

A

Definition: A logic bomb is a piece of malicious code intentionally inserted into a software system that will set off a malicious function when specified conditions are met, such as a particular time or event. It lies dormant until triggered.
Example: An employee might insert a logic bomb that deletes files on a specific date or after they are terminated from the company.

108
Q

Maria wants to use a secure replacement for FTP and wants to use the tool that will require the least additional work to function through her firewall. Which secure replacement should she choose, and for which reason?
A. FTPS, because it provides strong encryption
B. SFTP, because it uses the same port as SSH
C. FTPS, because it uses the same port as SSH
D. SFTP, because it provides strong encryption

A

B. SFTP implements file transfers via SSH and only requires a single port to be open. FTPS uses a second port for file transfers, just like FTP. SFTP also allows the use of key-based authentication, making transfers even easier for users. Both SFTP and FTPS provide strong encryption, so this is not a deciding factor.

109
Q

What is FRR in biometric systems?

A

FRR (false rejection rate) describes what happens when a biometric system does not accept a valid biometric factor.

110
Q

What is FAR in biometric systems?

A

FAR (false acceptance rate) describes how often a biometric system accepts an invalid biometric factor, i.e., the rate at which false acceptances occur.

111
Q

What is an SNMP trap?

A

A Simple Network Management Protocol (SNMP) trap is an automated notification sent by an SNMP-enabled device to a management station, signaling that an event has occurred or a threshold has been reached. It’s a type of unsolicited alert from a network device that communicates significant incidents or status changes without being requested.

112
Q

Matt uploads a malware sample to a third-party malware scanning site that uses multiple antimalware and antivirus engines to scan the sample. He receives multiple different answers for what the malware package is. What has occurred?

A

One of the challenges security practitioners can face when attempting to identify malware is that different antivirus and antimalware vendors will name malware packages and families differently. This means that Matt may need to look at different names to figure out what he is dealing with.

113
Q

Mike wants to make it harder to break the encryption for a file that needs to stay secure for a number of years. Which of the following solutions should he select?
A. Digitally sign the file.
B. Increase the key length.
C. Hash the file before encrypting it.
D. Encrypt the file before hashing it.

A

B. A longer key is generally stronger for modern cryptosystems, and a longer key will be harder to crack. Signing the file helps with nonrepudiation but not resistance to cracking the encryption. Hashing the file before encrypting it or hashing it after will not help in this scenario.

114
Q

Define ABAC

A

Attribute-Based Access Control (ABAC) is a flexible access control methodology where access rights are granted to users through the use of policies which combine attributes together. The attributes can be related to the user, the resource to be accessed, and the current environment.

115
Q

Define DAC

A

Discretionary Access Control (DAC) is an access control method where access rights are assigned by the owner of the resource. It allows users to control resources they own by granting or restricting access to other users.

116
Q

Define MAC as it pertains to access control

A

Mandatory Access Control (MAC) is a strict access control model that enforces access policies based on clearance levels of users and data classification. It is commonly used in environments that require high security, where access decisions are made by a central authority.

117
Q

Cindy is concerned that her organization may be targeted by a supply chain attack and is conducting a review of all of her vendor and supplier partners. Which one of the following organizations is least likely to be the conduit for a supply chain attack?
A. Hardware provider
B. Software provider
C. Managed service provider
D. Talent provider

A

D. Supply chain attacks are typically associated with vendors and suppliers that provide technology infrastructure or services that may be compromised. This would include hardware and software providers as well as managed service providers (MSPs). Talent providers, who help with staffing solutions, are generally not considered common avenues for supply chain attacks.

118
Q

What is smishing?

A

SMS (text message) based phishing

119
Q

Which of the following is not a common constraint of an embedded system?
A. Compute
B. Cost
C. Network
D. Authentication

A

B. Embedded systems are available at many price points. Understanding constraints that limited resources create for embedded systems helps security professionals identify appropriate security controls and options.

120
Q

What type of access control scheme best describes the Linux filesystem?

A

Linux users can change who can read, write, or execute files and directories they own, which is discretionary access control (DAC). Mandatory access control (MAC) would enforce settings set by the systems administrator without users having the rights to make their own decisions. While role-based access control is involved, DAC best describes the access control scheme. ABAC is not a default method for setting rights for the Linux filesystem.

121
Q

What is an access control vestibule?

A

An access control vestibule uses a pair of doors. When an individual enters, the first door must be closed and secured before the second door can be opened. This helps prevent tailgating, since the person entering will notice anybody following them through the secured area.

122
Q

What is a Faraday cage used for?

A

A Faraday cage is used to stop electromagnetic interference (EMI).

123
Q

What is a bollard?

A

A device that prevents vehicular traffic.

124
Q

Define air gap

A

A physical separation of networks or devices

125
Q

What is a watering hole attack?

A

Watering hole attacks rely on compromising or infecting a website that targeted users frequently visit, much like animals will visit a common watering hole.

126
Q

Define whaling

A

Whaling is a type of phishing scam that targets high-profile individuals within an organization, like executives (the “big fish”). The attacks are highly personalized to trick the victim into divulging confidential information or transferring funds.

127
Q

Define typosquatting

A

Typosquatting is a deceptive strategy where attackers register domain names that are misspellings of popular websites. Unsuspecting users who make typographical errors when entering a URL are led to fraudulent websites, which can result in phishing attacks or malware infections.

128
Q

Define stream cipher

A

A stream cipher is an encryption method that encrypts digital data one bit or byte at a time. It combines plain text bits with a pseudorandom cipher digit stream (keystream), typically using bitwise XOR.

129
Q

Define block cipher

A

A block cipher is an encryption method that divides text into fixed-sized blocks and encrypts them one at a time. It provides a high level of security by using various modes of operation and can repeatedly change the key during the encryption process.

130
Q

What is a legal hold notice?

A

A legal hold is a notification that litigation is in progress or active and that data and documents related to the case must be preserved. Legal holds are used to ensure that information relevant to the case is not lost or destroyed.

131
Q

What is striping as it pertains to RAID?

A

Striping (RAID 0) is a method of dividing data into blocks and spreading it evenly across two or more disks to improve speed and capacity. However, it does not provide redundancy; if one disk fails, all data is lost.

132
Q

What is mirroring as it pertains to RAID?

A

Mirroring (RAID 1) involves creating an exact copy of a set of data on two or more disks. This provides high fault tolerance because if one disk fails, the data can be retrieved from the other.

133
Q

What is parity as it pertains to RAID?

A

Parity (RAID 5) involves spreading data across multiple disks and adding a parity block to each write operation. The parity blocks are used to recover data from a failed disk, providing a balance between performance and data protection.

134
Q

What is double parity as it pertains to RAID?

A

Double parity (RAID 6) extends the single parity system of RAID 5 by adding a second parity block. This allows for two disk failures within the array without loss of data and provides a greater fault tolerance.

135
Q

What are the benefits of RAID 10?

A

RAID 10 (Mirroring and Striping): Combines the benefits of RAID 0 and RAID 1 for both redundancy and improved performance. Requires a minimum of four drives.

136
Q

Allan is preparing to harden his organization’s network switches. Which of the following is not a common hardening technique for network devices?
A. Removing unnecessary software
B. Installing patches
C. Administrative VLANs
D. Changing default passwords

A

A. Unlike computers and mobile devices, switches and other network devices typically do not have additional software that can be removed. Installing patches, placing administrative interfaces on protected VLANs, and changing default passwords are all common hardening techniques for network devices like switches.

137
Q

Matt is updating the organization’s threat assessment process. What category of control is Matt implementing?

A

Managerial controls are procedural mechanisms that focus on the mechanics of the risk management process.

138
Q

Michelle wants to prevent unauthorized applications from being installed on a Windows system. What type of tool can she use to stop applications from being installed?

A

A Windows Group Policy Object (GPO) can be used to control whether users are able to install software.

139
Q

Yasmine believes that her organization may be dealing with an advanced rootkit and wants to write IoC definitions for it. Which of the following is not likely to be a useful IoC for a rootkit?
A. File hashes
B. Command and control domains
C. Pop-ups demanding a ransom
D. Behavior-based identifiers

A

C. Rootkits are intended to be stealthy, and a pop-up demanding ransom works against that purpose. File hashes, command and control details, and behavior-based identifiers are all useful IoCs likely to be relevant to a rootkit.

140
Q

Define GPO

A

In the context of Windows systems, a GPO (Group Policy Object) is a virtual collection of policy settings created using Microsoft’s Group Policy technology. GPOs control the working environment of user and computer accounts, managing a range of configurable settings within an Active Directory environment.

141
Q

What are IoCs?

A

An IoC (Indicator of Compromise) is forensic data gathered from system logs, files, or other sources that indicate a potential intrusion or malicious activity within a network or system.

142
Q

What is command and control?

A

Command and control (C2) refers to the methods attackers use to maintain communication with compromised systems within a target network, typically to control malware, exfiltrate data, or issue commands to infected hosts.

143
Q

Which one of the following items is not normally included in a request for an exception to security policy?
A. Description of a compensating control
B. Description of the risks associated with the exception
C. Proposed revision to the security policy
D. Business justification for the exception

A

C. Requests for an exception to a security policy would not normally include a proposed revision to the policy. Exceptions are documented variances from the policy because of specific technical and/or business requirements. They do not alter the original policy, which remains in force for systems not covered by the exception.

144
Q

Emily is the Chief Information Security Officer (CISO) at a rapidly growing fintech startup. The company provides services to numerous other businesses, and as a result, they often receive requests from their clients to verify their security controls. To avoid the burden of multiple independent third-party audits from their various clients, Emily is considering a common standard that could be used by auditors to assess the organization’s controls. What standard should Emily consider to alleviate this audit burden?

A

Emily is looking for a solution to minimize the load of numerous third-party audits. In such a situation, SSAE 18, also referred to as service organization controls (SOC) audits, is an ideal solution as it provides a common standard for auditors assessing service organizations. It allows the organization to undertake an external assessment instead of multiple third-party assessments, sharing the resulting report with customers and potential clients. While COBIT, ISO 27001, and ISO 27002 are valuable auditing and assessment standards, they do not specifically address the issue of multiple third-party audits. COBIT is a common framework for conducting audits and assessments, ISO 27001 describes an approach for setting up an information security management system, and ISO 27002 provides more detail on the specifics of information security controls, but none of them offer a solution like SSAE 18 for service organizations facing numerous audits.

145
Q

What is COBIT?

A

COBIT (Control Objectives for Information and Related Technologies) is a framework for IT management and governance, providing a set of best practices and models to help organizations ensure effective control over information systems and technology.

146
Q

What is ISO 27001?

A

ISO 27001 is an international standard for information security management systems (ISMS), providing a framework for establishing, implementing, maintaining, and continually improving information security within an organization.

147
Q

What is ISO 27002?

A

ISO 27002 provides guidelines and best practices for implementing information security controls within the context of an ISO 27001 ISMS framework. It covers the selection, implementation, and management of controls based on risk assessment.

148
Q

What is SSAE 18?

A

SSAE 18 (Statement on Standards for Attestation Engagements No. 18) is an auditing standard for service organizations, ensuring that they have adequate controls and processes in place. It’s the standard that guides the execution of SOC 1 audits.

149
Q

What is a NGFW?

A

A next-generation firewall (NGFW) device is typically designed and built to be more capable at high speeds and throughput than a unified threat management (UTM) device. An NGFW offers standard firewall capabilities such as packet filtering, along with advanced features like encrypted traffic inspection, intrusion prevention, and the ability to identify and block sophisticated attacks.

150
Q

Define UTM

A

Unified Threat Management (UTM) provides a comprehensive security solution that combines multiple security features and services, including antivirus, anti-spam, firewall, and intrusion detection, in a single device or service package.

151
Q

Which one of the following statements is not true about zero-day attacks?
A. They may be found in software or hardware.
B. They have a limited window of use.
C. They are generally unpatchable.
D. They are often widely publicized.

A

D. Zero-day attacks are generally known only to a small group of researchers who discover the vulnerabilities. They are not known to the general public and would likely be patched by the vendor if they became widely known. Zero-day vulnerabilities may exist in any technology component: software or hardware. They are only effective during the limited window of opportunity when they remain unpatchable before the vendor issues a fix.

152
Q

Isaac needs to sanitize an SSD that uses full-disk encryption and that has been encrypted for its full service life with the company he works for. What is the most effective means of making the data on the SSD no longer retrievable?
A. Completely overwrite the drive with binary 0s.
B. Reformat the drive using a full format.
C. Completely overwrite the drive with random patterns of binary 1s and 0s.
D. Destroy the encryption key for the drive and then use the SATA secure erase command.

A

D. Isaac can simply destroy all copies of the encryption key for the drive to make the data very difficult to access. Using the built-in secure erase command will ensure that the data is no longer recoverable under any normal circumstances. Overwriting SSDs and other flash media that are overprovisioned with additional space for wear leveling purposes is likely to miss remnant data in spare or replaced space. Formatting a drive simply removes the file indices and does not remove the data.

153
Q

What are the common methods of performing root cause analysis?

A

Common methods of performing a root cause analysis include the 5 Whys technique, where you ask “why” multiple times to drill down to the underlying cause; Fishbone (Ishikawa) Diagram, which identifies potential factors causing an overall effect; and the Fault Tree Analysis, which uses a tree-like model to deduce the root causes of a problem. These methods aim to uncover the primary cause of a problem rather than focusing on symptoms.

154
Q

What is a root/branch review?

A

This method involves examining the problem (root) and its manifestations or symptoms (branches) to understand the cause-and-effect relationship. It helps in identifying not just what happened and how, but why it happened, ensuring that solutions address the core issue.

155
Q

Under the European Union’s GDPR, what term is assigned to the individual who leads an organization’s privacy efforts?

A

Data protection officer

156
Q

Precompiled SQL statements that only require variables to be input are an example of what type of application security control?

A

A parameterized query (sometimes called a prepared statement) uses a prebuilt SQL statement to prevent SQL-based attacks. Variables from the application are fed to the query, rather than building a custom query when the application needs data.

157
Q

Gary has deployed a technology that allows him to manage his network via APIs. He uses the technology to dynamically manage the network as part of his zero-trust deployment and to ensure appropriate performance from the network. What type of network technology is Gary using?

A

Software-defined networking (SDN) uses software-based controllers and application programming interfaces to control networks. It is frequently used to ensure proper performance by making dynamic changes to networks and is a common element in zero-trust deployments.

158
Q

Sally is working to restore her organization’s operations after a disaster took her datacenter offline. What critical document should she refer to as she restarts systems?

A

A documented restoration order helps ensure that systems and services that have dependencies start in the right order and that high-priority or mission-critical services are restored first.

159
Q

What is TOTP?

A

Time-Based One-Time Password (TOTP) generates a password that is valid for only a short period of time, using a shared secret and the current time to ensure each password is unique and temporary.

160
Q

Define HOTP

A

HMAC-Based One-Time Password (HOTP) generates a one-time password using a counter that increments with each new password. It relies on a shared secret key and a simple counter mechanism for password generation.

161
Q

What is restoration order?

A

In disaster recovery, the restoration order is the sequence in which systems, applications, and data are restored to return to operational status. This order is critical for minimizing downtime and ensuring critical services are prioritized.

162
Q

What is the difference in how trojans, worms, and viruses infect a device?

A

  • Trojans: Disguise themselves as legitimate software to trick users into installing them, providing a backdoor for malicious activities.
  • Worms: Self-replicate without human interaction, spreading across networks by exploiting vulnerabilities.
  • Viruses: Attach themselves to clean files and require human action (like opening a file) to execute and infect other files and systems.
163
Q

Joe is examining the logs for his web server and discovers that a user sent input to a web application that contained the string WAITFOR. What type of attack was the user likely attempting?

A

The use of the SQL WAITFOR command is a signature characteristic of a timing-based SQL injection attack.

164
Q

What is PAM?

A

Privileged Access Management (PAM) secures, manages, and monitors privileged accounts and access across an IT environment to protect critical resources and data.

165
Q

What are just-in-time permissions?

A

This approach grants access rights as needed for a limited time, reducing the risk of unauthorized access or abuse of privileges.

166
Q

Define password vaulting

A

A security practice where passwords are stored in a secured digital vault to prevent unauthorized access and improve password management.

167
Q

Define ephemeral credentials

A

Temporary credentials that are automatically generated and expire after a short duration, enhancing security by minimizing the risk of credential misuse.

168
Q

Define HMAC

A

Hash-Based Message Authentication Code (HMAC) is a security mechanism used to verify both the integrity and the authenticity of a message. It combines the use of a cryptographic hash function with a secret cryptographic key, creating a unique code (the MAC) that can be attached to a message. Here’s a breakdown for better understanding:

  • Integrity: HMAC ensures that the message has not been altered from its original form. When the message is received, the recipient can compute their own HMAC using the same hash function and secret key. If the HMAC produced matches the one sent with the message, it confirms that the message has not been tampered with during transit.
  • Authentication: The inclusion of a secret key that both the sender and receiver share adds a layer of authentication. Only someone with access to the same secret key could generate the correct HMAC for the message. This confirms the message’s origin, verifying that it was indeed sent by someone who possesses the shared secret key.

The process involves taking the original message and applying a hash function to it and the secret key in a specific way. This typically involves hashing the combination of the secret key and the message, then hashing that output again with the key to produce the final HMAC. This dual application of the hash function, combined with the key’s involvement, provides robust protection against tampering and impersonation.

HMAC is widely used in various security applications and protocols, including VPNs, API authentication, and securing data in transit over the internet. Its effectiveness lies in the difficulty of forging a valid HMAC without knowing the secret key, making it a reliable method for securing digital communications.

169
Q

Marie is implementing a PAM solution and wants to ensure that root passwords are available in the event of an outage. Which PAM-related tool is most likely to be useful in this situation?

A

Password vaulting, which stores passwords for use with proper authentication and rights, is the most appropriate solution for Marie’s needs.

170
Q

Which type of multifactor authentication is considered the least secure?

A

SMS messages are not secure and could be accessed by cloning a SIM card or redirecting VoIP traffic, among other possible threat models.

171
Q

Which one of the following approaches, when feasible, is the most effective way to defeat injection attacks?
A. Input block lists
B. Input allow lists
C. Browser-based input validation
D. Signature detection

A

Input allow list approaches define the specific input type or range that users may provide. When developers can write clear business rules defining allowable user input, allow listing is definitely the most effective way to prevent injection attacks. Block lists pursue the same goal but attempt to block known malicious content rather than permit only approved content, so they are less effective. Browser-based input validation is not a good practice because an attacker can easily bypass that validation. Signature detection is generally not used for injection attacks but rather for antivirus software.

172
Q

Define SCADA

A

Supervisory Control and Data Acquisition (SCADA) refers to a system used to monitor and control industrial processes across various industries. It consists of hardware and software elements that allow organizations to control industrial processes locally or at remote locations, monitor, gather, and process real-time data, and directly interact with devices such as sensors, valves, pumps, motors, and more through human-machine interface (HMI) software. SCADA systems are essential for industrial automation, helping to ensure efficiency, process control, and data collection for critical decision-making.

173
Q

Rick has been asked to secure a legacy SCADA environment that his organization uses to manage power generation facilities. What recommendation is best suited to a legacy environment that uses a combination of proprietary and open protocols and systems?
A. Require regular patching and enable local firewalls on all devices to build a zero-trust environment.
B. Deploy a HIPS for each device to protect each system from both known and behavioral threats.
C. Put the SCADA system on an isolated network and strictly control ingress and egress.
D. None of the above

A

C. Aging infrastructure that is tightly coupled to critical systems like a power generation facility is a common issue that enterprise security practitioners encounter in many industries. Placing devices that cannot otherwise be secured onto an isolated network and ensuring that only trusted and inspected access is allowed is a common solution. Since aging devices are often out of support, cannot be patched, and do not have support for firewalls or host-based intrusion prevention systems (HIPSs), those solutions are often unable to be implemented, particularly for the embedded and specialized devices found in supervisory control and data acquisition (SCADA) and industrial control systems (ICS) environments.

174
Q

What are failure modes?

A

Definition: Failure modes are the various ways in which a system, component, or process can fail. Identifying failure modes helps in understanding how something might go wrong, assessing the potential impact of different types of failures, and implementing measures to mitigate or prevent such failures.

  • Fail-Open: A security mechanism that defaults to allowing access or operation when it fails or malfunctions, prioritizing availability over security.
  • Fail-Closed: Conversely, this approach defaults to denying access or operation in the event of a failure, prioritizing security over availability.
175
Q

What are the principles of social engineering?

A

In cybersecurity, social engineering principles are psychological tactics used by attackers to manipulate individuals into divulging confidential information or performing actions that compromise security. Key principles include:

  • Authority, where the attacker poses as someone in power
  • Urgency, creating a false sense of immediate action needed
  • Scarcity, suggesting limited time or availability
  • Social proof, pretending to be a trusted entity
  • Liking, where attackers build rapport or a sense of affinity with their target

These principles exploit human nature to bypass technical security measures.

176
Q

Charles needs to know about actions an individual performed on a PC. What is the best starting point to help him identify those actions?

A

Although it may be tempting to use a technical answer, interviewing the individual involved is the best starting point when a person performed actions that need to be reviewed. Charles can interview the staff member, and then move on to technical means to validate their responses.

177
Q

What is a UTM device?

A

Unified threat management (UTM) devices are designed to be all-in-one security devices that can act as a firewall. They commonly offer services ranging from IPS and IDS to spam filtering and antivirus/antimalware.

178
Q

Angela has chosen to federate with other organizations to allow use of services that each organization provides. What role does Angela’s organization play when they authenticate their users and assert that those users are valid to other members of the federation?

A

Identity provider (IdP)

179
Q

Define EAP

A

Extensible Authentication Protocol - a framework used in wireless networks and Point-to-Point connections, allowing for the deployment of various authentication methods, including passwords, tokens, and certificates.

180
Q

Define IdP

A

Identity provider - a service that stores and verifies user identity information, providing authentication services to other applications within a single sign-on (SSO) or federated identity system.

181
Q

Define footprinting

A

The process of gathering information about a target system, network, or organization to identify potential vulnerabilities and attack vectors.

182
Q

What are HSMs?

A

Hardware Security Modules are physical devices that provide secure cryptographic key storage and management, often used to enhance security in transaction systems, data storage, and applications requiring high assurance of key security.

183
Q

What are CASBs?

A

Cloud Access Security Brokers - security policy enforcement points that sit between cloud service consumers and providers to ensure that network traffic complies with the organization’s security policies.

184
Q

Which team member acts as a primary conduit to senior management on an IR team?

A

Members of management or organizational leadership act as a primary conduit to senior leadership for most incident response teams. They also ensure that difficult or urgent decisions can be made without needing escalated authority.

185
Q

Define SWG

A

Secure Web Gateways - appliances or software that monitor and enforce company policies on internet usage, blocking malicious traffic and preventing unauthorized access to harmful websites.

186
Q

What are the main benefits of automation in cybersecurity operations?

A
  • Efficiency and time savings
  • Enforcing baselines
  • Standardizing infrastructure configurations
  • Scaling in a secure manner
  • Retaining employees
  • Reducing reaction time
  • Serving as a workforce multiplier
187
Q

When Mike receives the message that David encrypted for him, what key should he use to decrypt the message?

A

In an asymmetric encryption algorithm, the recipient of a message uses their own private key to decrypt messages that they receive.

188
Q

What term is given to an individual or organization who determines the reasons for processing personal information?

A

Data controllers are the entities who determine the reasons for processing personal information and direct the methods of processing that data. This term is used primarily in European law, and it serves as a substitute for the term data owner to avoid a presumption that anyone who collects data has an ownership interest in that data.

189
Q

Grace received a digitally signed message from Richard and would like to verify the digital signature. What key should she use to perform this verification?

A

The recipient of a digitally signed message may verify the digital signature by decrypting it with the public key of the individual who signed the message.

190
Q

Which one of the following data protection techniques is reversible when conducted properly?
A. Tokenization
B. Masking
C. Hashing
D. Shredding

A

Tokenization techniques use a lookup table and are designed to be reversible. Masking and hashing techniques replace the data with values that can’t be reversed back to the original data if performed properly. Shredding, when conducted properly, physically destroys data so that it may not be recovered.

191
Q

Lin’s hardware manufacturer has stopped selling the model of device that Lin’s organization uses and has also stopped providing security or other updates. What phase of the hardware life cycle is the device in?

A

Legacy hardware is unsupported and no longer sold. End-of-life typically means that the device is no longer being made but is likely to still have support for a period of time. End-of-sales means the device is no longer being sold, but again, may have support for some time.

192
Q

What is the order of volatility of data sources for forensic practitioners?

A
  1. CPU registers, cache
  2. Routing table, ARP cache, process table, kernel statistics
  3. RAM
  4. Swap space
  5. Data on hard disk
  6. Remotely logged data
  7. Data stored on backup media
193
Q

Vince is choosing a symmetric encryption algorithm for use in his organization. He would like to choose the strongest algorithm from these choices. What algorithm should he choose?
A. DES
B. 3DES
C. RSA
D. AES

A

AES is the successor to 3DES and DES and is the best choice for a symmetric encryption algorithm. RSA is a secure algorithm, but it is asymmetric rather than symmetric.

194
Q

What is the GLBA?

A

GLBA (Gramm-Leach-Bliley Act):
A U.S. law that requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.

195
Q

Define SOX

A

SOX (Sarbanes-Oxley Act):
A U.S. law aimed at protecting investors from fraudulent financial reporting by corporations, requiring strict financial record keeping and reporting.

196
Q

Define espionage

A

The act of obtaining secret or confidential information without the permission of the holder of the information. Espionage is a method used in warfare, spying, and theft of trade secrets.

197
Q

Greg’s desktop system stores hashes of the system’s firmware, bootloader, drivers, and other components that are loaded at boot in the TPM, and then boots. The OS then uses a remote attestation client to send that information to a server. What type of boot process is he using?

A

Measured boot

198
Q

What does secure boot do?

A

Validates hashes against known good hashes for those boot elements

199
Q

Susan wants to create a dashboard that shows her aggregated log events related to logins from different geographic regions. Her goal is to identify impossible travel scenarios. Which of the following solutions should she select to accomplish that goal?
A. IPS
B. OS logs
C. SIEM
D. Vulnerability scan data

A

A SIEM with correlation rules for geographic IP information as well as user IDs and authentication events will accomplish Susan’s goals. An IPS may detect attacks, but it isn’t well suited to detecting impossible travel. OS logs would need to be aggregated, and vulnerability scan data won’t show this at all.

200
Q

What is a SIEM tool?

A

SIEM Tool (Security Information and Event Management Tool):
A software solution that aggregates and analyzes activity from many different resources across your IT infrastructure, providing real-time analysis of security alerts generated by applications and network hardware.

201
Q

What is a measured boot?

A

A process that measures each component, from firmware up through the operating system, used during the boot process of a device to ensure they have not been tampered with.

202
Q

What is a parameter pollution attack?

A

A type of web attack where attackers manipulate or “pollute” the parameters of a web application to create unexpected outcomes, often bypassing site security measures.

Example:

http://www.mycompany.com/servicestatus.php?serviceID=892&serviceID=892'%20;DROP%20TABLE%20Services;--

In this case, it appears that the attacker was waging a SQL injection attack and tried to use parameter pollution to slip the attack past content filtering technology. The two instances of the serviceID parameter in the query string indicate a parameter pollution attempt.

203
Q

What is the key difference between hashing and checksums?
A. Both can validate integrity, but a hash also provides a unique digital fingerprint.
B. A hash can be reversed, and a checksum cannot be.
C. Checksums provide greater security than hashing.
D. Checksums have fewer message collisions than a hash.

A

Although both a checksum and a hash can be used to validate message integrity, a hash has fewer collisions than a checksum and will also provide a unique fingerprint for a file. Checksums are primarily used as a quick means of checking that integrity is maintained, whereas hashes are used for many other purposes such as secure password validation without retaining the original password. A checksum would not be useful for proving a forensic image was identical, but it could be used to ensure that your work had not changed the contents of the drive.

204
Q

Alyssa wants to harden iOS devices her organization uses. What set of guidelines can she follow to align to common industry security practices?
A. OWASP
B. CIS benchmarks
C. NIST 800-103
D. NIST 800-111

A

The Center for Internet Security (CIS) provides hardening guidelines known as CIS benchmarks that Alyssa can use as a guide to secure her organization’s iOS devices. OWASP does not provide these, and NIST provides general guidance, not OS- or device-specific configuration guides.

205
Q

Which of the following defenses is most likely to prevent Trojan installation?
A. Installing patches for known vulnerabilities
B. Preventing downloads from application stores
C. Preventing the use of USB drives
D. Disabling autorun from USB drives

A

Trojans are often found in application stores where they appear to be innocuous but desirable applications or are listed in confusingly similar ways to legitimate applications. Many organizations choose to lock down the ability to acquire applications from app stores to prevent this type of issue. Since Trojans do not self-spread and rely on user action, patching typically won’t prevent them. While users may try to transfer files via USB, this isn’t the most common means for modern Trojans to spread.

206
Q

Frank needs to choose a mobile device deployment option for his organization. He wants to allow users to use devices that his organization selects and purchases for their own use. Which mobile solution should he select?

A

The corporate-owned, personally enabled (COPE) model allows end users to use their devices for personal as well as corporate use while providing corporate control and management of the mobile devices.

207
Q

What is the COPE model?

A

COPE Model (Corporate-Owned, Personally Enabled):
A policy where the organization owns the devices but allows employees to use them for personal tasks, providing a balance between control and flexibility.

208
Q

Define VDI

A

VDI (Virtual Desktop Infrastructure):
A technology that hosts desktop environments on a centralized server and deploys them to end-users on request, allowing remote access to a desktop interface.

209
Q

Define CYOD

A

CYOD (Choose Your Own Device):
A policy that allows employees to choose from a list of approved devices for work use, offering flexibility while maintaining control over security.

210
Q

Define BYOD

A

BYOD (Bring Your Own Device):
A policy allowing employees to use their personal devices for work purposes, emphasizing convenience and personal preference, with security managed through corporate guidelines.

211
Q

What is a honeynet?

A

A network set up with intentional vulnerabilities; its purpose is to attract hackers and study their tactics, acting as a decoy to improve security defenses. Example: A fake financial website designed to lure and analyze malware attacks. The same concept as a honeypot, except on the network or group-of-systems level.

212
Q

What is a tarpit?

A

A service that intentionally delays incoming connections, slowing down attackers or automated scripts, effectively trapping them to prevent or mitigate spam and unauthorized access. Example: A mail server that uses tarpitting to slow down mass email sending operations by spammers.

213
Q

What does ISO 27001 cover?

A

A framework for managing and protecting information assets, ensuring confidentiality, integrity, and availability through a comprehensive set of policies, procedures, and controls.

214
Q

What does ISO 27002 cover?

A

Provides best practice guidelines on information security controls for implementing and achieving ISO 27001 certification, including user access management, incident management, and security policies.

215
Q

What does ISO 27701 cover?

A

Extends ISO 27001 to cover privacy-specific requirements, helping organizations manage personal data securely and in compliance with privacy regulations.

216
Q

What does ISO 31000 cover?

A

Offers guidelines on risk management principles and the implementation of risk assessment practices, aiming to help organizations identify, assess, and manage risks across different areas of operation.

217
Q

Naomi has discovered the following TCP ports open on a system she wants to harden. Which ports are used for unsecure services and thus should be disabled to allow their secure equivalents to continue to be used?
A. 21, 22, and 80
B. 21 and 80
C. 21, 23, and 80
D. 22 and 443

A

The services listed are:

21—FTP
22—SSH
23—Telnet
80—HTTP
443—HTTPS

Of these services, SSH (Port 22) and HTTPS (port 443) are secure options for remote shell access and HTTP. Although secure mode FTP (FTP/S) may run on TCP 21, there is not enough information to know for sure, and HTTPS can be used for secure file transfer if necessary. Thus, Naomi’s best option is to disable all three likely unsecure protocols: FTP (port 21), Telnet (port 23), and HTTP (port 80).

218
Q

Wendy is scanning cloud-based repositories for sensitive information. Which one of the following should concern her most, if discovered in a public repository?
A. Product manuals
B. Source code
C. API keys
D. Open source data

A

All of these items could be concerning, depending on the circumstances. However, API keys should never be found in public repositories because they may grant unauthorized individuals access to information and resources.

219
Q

Jim wants to view log entries that describe actions taken by applications on a Red Hat Linux system. Which of the following tools can he use on the system to view those logs?
A. logger
B. syslog-ng
C. journalctl
D. tail

A

Red Hat Enterprise uses journalctl to view journal logs that contain application information. Jim should use journalctl to review the logs for the information he needs. The tool also provides functionality that replicates what head and tail can do for logs. Syslog-ng is a logging infrastructure, and though logs may be sent via syslog-ng, it is not mentioned here. logger is a logging utility used to make entries in the system log.

220
Q

Charlene wants to prevent attacks against her system that leverage flaws in the services that it provides while still keeping the services accessible. What hardening technique should she use?
A. A host-based firewall
B. A host-based IPS
C. Encryption
D. An EDR

A

A host-based intrusion prevention system (HIPS) can detect and prevent attacks against services while allowing the service to be accessible. A firewall can only block based on port, protocol, and IP; encryption won’t prevent this; and an EDR is primarily targeted at malicious software and activity, not at network-based attacks on services.

221
Q

What type of digital certificate provides the greatest level of assurance that the certificate owner is who they claim to be?

A

Extended validation (EV) certificates provide the highest available level of assurance. The CA issuing an EV certificate certifies that they have verified the identity and authenticity of the certificate subject.

222
Q

What is the difference between inline CASBs and API-based CASBs?

A

Inline CASBs: These solutions act as intermediaries, intercepting requests and data moving between the user and the cloud service provider, providing real-time security enforcement.

API-based CASBs: These solutions integrate with cloud service providers using their APIs, allowing them to monitor and manage data and user activity within cloud applications indirectly, without requiring inline traffic inspection.

223
Q

Tina is applying a digital signature to a contract so that the recipient can prove that she agreed to its terms. What goal of cryptography most directly describes Tina’s actions?
A. Nonrepudiation
B. Confidentiality
C. Integrity
D. Authentication

A

Nonrepudiation ensures that individuals can prove to a third party that a message came from its purported sender. Although Tina may also achieve other goals with her approach, this goal is her stated intention.

224
Q

Tina’s organization is operating in a platform-as-a-service (PaaS) environment. Which of the following is a shared responsibility according to the shared responsibility matrix in a PaaS environment?
A. Information and data
B. Identity infrastructure
C. Physical hosts
D. Accounts and identities

A

PaaS environments commonly rely on customers and providers to maintain identity and directory infrastructure, applications, and network controls. Customers manage information and data, devices, and accounts and identities, whereas providers are responsible for operating systems, physical hosts, networks, and datacenters.

225
Q

What is the Security+ incident response cycle?

A

Preparation > Detection > Analysis > Containment > Eradication > Recovery

Then, begin the cycle again.

226
Q

What is meant by “purpose limitation”?

A

Organizations should only use data for the purposes disclosed during the collection of that data.

227
Q

What is the key difference between a split-tunnel and a full-tunnel VPN?

A

A split-tunnel VPN sends traffic intended for the remote VPN network through the tunnel and responses back to the client.

A full tunnel sends any traffic (including internet-bound) through the corporate network. This provides enhanced security at the cost of corporate bandwidth.

228
Q

Grace would like to determine the operating system running on a system that she is targeting in a penetration test. Which technique will most directly provide her with this information?

A

Footprinting is a technique specifically designed to elicit this information.

229
Q

What are sideloaded applications?

A

Sideloading is the process of copying files between two devices, such as a phone and a laptop, desktop, or storage device.

230
Q

Mark unplugs the network connection from a system that is part of an incident and places tape over its Ethernet jack with a sign that says, “Do not reconnect without approval from IR team.” How is this method best described?

A

Isolation. Mark has isolated the system by removing it from the network and ensuring that it cannot communicate with other systems.

231
Q

Linda is migrating a system from an on-premises environment to an IaaS provider. The system is currently protected using network firewall rules that limit remote access. What cloud control can Linda use to achieve this same objective?

A

Security groups are used to limit network access to a server instance in the cloud. They are the equivalent of network firewall rules in an on-premises environment.

232
Q

Helen’s organization is planning to deploy IoT devices across their buildings as part of an HVAC system. Helen knows that the vendor for the IoT devices does not provide regular security updates to the device’s web interfaces that are used to manage the devices. What security control should she recommend to help protect the devices on the network?
A. Install host-based firewalls.
B. Deploy the IoT devices to a protected VLAN.
C. Install host-based IPS.
D. Disable the web interfaces for the IoT devices.

A

Since the web interfaces are needed to manage the devices, Helen’s best option is to place the IoT devices in a protected VLAN. IoT devices will not typically allow additional software to be installed, meaning that adding firewalls or a HIPS won’t work.

233
Q

Define POP

A

POP (Post Office Protocol):
Allows email clients to retrieve emails from a server; the latest version, POP3, is widely used but considered less flexible than IMAP because it typically downloads and deletes messages from the server.

234
Q

What is IMAP?

A

IMAP (Internet Message Access Protocol):
Enables email clients to access messages stored on a mail server, allowing for synchronization across multiple devices. It is more versatile than POP3, as emails are stored on the server and can be accessed from anywhere.

235
Q

Define SPF

A

SPF (Sender Policy Framework):
An email authentication method that prevents sender address forgery by specifying which mail servers are permitted to send email on behalf of a domain.

236
Q

Define DKIM

A

DKIM (DomainKeys Identified Mail):
An email security standard designed to ensure that messages are not altered in transit between the sending and receiving servers, using digital signatures.

237
Q

Define DMARC

A

DMARC (Domain-based Message Authentication, Reporting, and Conformance):
Builds on SPF and DKIM, allowing domain owners to protect their domain from unauthorized use, commonly known as email spoofing. DMARC provides instructions to receiving servers on how to handle non-aligned emails.

238
Q

Define soft token

A

Soft Token:
A software-based security token that generates a one-time use login PIN. Unlike hard tokens, soft tokens are software that can be installed on a user’s device.

239
Q

Define hard token

A

Hard Token:
A physical device used to gain access to a secured resource. Hard tokens can generate or store unique authentication codes, passwords, or cryptographic keys.

240
Q

Brian has deployed a system that monitors sensors and uses that data to manage the power distribution for the power company that he works for. Which of the following terms is commonly used to describe this type of control and monitoring solution?

A

SCADA (supervisory control and data acquisition) is a system architecture that combines data acquisition and control devices with communications methods and interfaces to oversee complex industrial and manufacturing processes, just like those used in utilities.

241
Q

Melissa receives a call and the caller informs her a senior manager in her organization needs her to buy gift cards for an event that starts in an hour. The caller says that the senior leader forgot to get the cards, and that the event is critical to her organization. Melissa buys the cards and sends them to the Gmail address the caller says that the senior leader needs them sent to. What type of attack has Melissa fallen for?

A

The caller is using pretexting, providing Melissa with a story that relies on urgency and perceived authority to get her to take actions she might normally question.

242
Q

Valerie wants to replace the telnet access that she found still in use in her organization. Which protocol should she use to replace it, and what port will it run on?

A

Telnet provides remote command-line access but is not secure. SSH is the most common alternative to telnet, and it operates on port 22.

243
Q

Georgia wants to ensure that if a network tap she has installed fails due to an extended power outage that traffic still flows to her network. What should she deploy?
A. A passive fail-open tap
B. A passive fail-closed tap
C. An active fail-open tap
D. An active fail-closed tap

A

A. A passive fail-open tap. This type of network tap is designed to allow network traffic to continue flowing even if the tap loses power or fails for some reason. Unlike active taps, which require power to actively direct traffic, passive fail-open taps ensure minimal disruption to network continuity, aligning with Georgia’s requirement for maintaining network flow during a power outage.

244
Q

Chris operates a database-driven e-commerce website and wants to be able to restore his backups to the point in time when an outage occurs, resulting in a very short recovery point objective (RPO). What type of backup capability will he need to be able to do this without losing data?

A

Journaling. Chris will need a database backup solution that supports Point-in-Time Recovery (PITR) capability. PITR allows the restoration of a database to the exact moment before an outage or corruption occurred by using saved backup files and a log of transactions (journaling) that occurred after the backup. This method ensures minimal data loss, aligning with the goal of achieving a very short Recovery Point Objective (RPO) by replaying transactions up to the specified moment, thus maintaining data integrity and continuity.

245
Q

What is a KMS?

A

Key management system, or KMS, allows customers to securely create, store, and manage keys in a cloud environment.

246
Q

Fred wants to ensure that the administrative interfaces for the switches and routers are protected so that they cannot be accessed by attackers. Which of the following solutions should he recommend as part of his organization’s network design?
A. NAC
B. Trunking
C. Out-of-band management
D. Port security

A

Out-of-band management places the administrative interface of a switch, router, or other device on a separate network or requires direct connectivity to the device to access and manage it. This ensures that an attacker who has access to the network cannot make changes to the network devices. NAC and port security help protect the network itself, whereas trunking is used to combine multiple interfaces, VLANs, or ports together.

247
Q

Define VM sprawl

A

Virtual machine (VM) sprawl occurs when IaaS users create virtual service instances and then forget about them or abandon them, leaving them to accrue costs and accumulate security issues over time. Organizations should maintain instance awareness to avoid VM sprawl issues.

248
Q

Tom wants to duplicate all traffic passing through a network connection but does not want to add any additional load to the switch that it is passing through. What should he do to accomplish this?

A

A tap is a device that independently sends a copy of network traffic to another path or location. Both active and passive taps exist, and they offer the advantage of not requiring the switch or router to process the traffic.

249
Q

Chris has turned on logon auditing for a Windows system. Which log will show the logon events?

A

The Windows Security log records logon events when logon auditing is enabled.

250
Q

Amitoj wants to ensure that her organization’s password policy does not allow users to reset their password multiple times until they can reuse their current password. What setting is used to prevent this?

A

Password age is set to prevent users from resetting their password enough times to bypass reuse settings.

251
Q

Maria is considering a BYOD device deployment and wants to enroll the devices in an MDM application. What key concern will she likely need to address with her users in the event that a device is lost and the organization wants to respond to ensure no corporate data is lost?

A

Users in Maria’s organization are likely to be concerned about what would be wiped if the device was remotely wiped in the event it was lost. If the organization’s policy is to immediately fully wipe the device, and it is then recovered, their personal data may be lost. Organizational policies for BYOD devices can be complex, and many organizations choose to separate user and corporate data more completely via storage segmentation and other capabilities to avoid this scenario.

252
Q

Define zero trust network

A

A security model that requires strict identity verification for every person and device trying to access resources on a private network, regardless of whether they are within or outside of the network perimeter. This approach operates on the principle “never trust, always verify,” eliminating implicit trust and continuously authenticating and authorizing users and devices.

253
Q

Acme Widgets has 10 employees and they all need the ability to communicate with one another using a symmetric encryption system. The system should allow any two employees to securely communicate without other employees eavesdropping. If Acme Widgets switched to an asymmetric encryption algorithm, how many keys would be required to add the 11th employee?

A

In an asymmetric encryption algorithm, each employee needs only two keys: a public key and a private key. Adding a new user to the system requires the addition of these two keys for that user, regardless of how many other users exist.

254
Q

Michelle enables the Windows picture password feature to control logins for her laptop. Which type of attribute will it provide?
A. Somewhere you are
B. Something you know
C. Something you are
D. Someone you know

A

Picture password asks users to click on specific, self-defined parts of a picture. This means that clicking on those points is something you know.

255
Q

Define hot aisle

A

The aisle where systems in a datacenter exhaust warm air.

256
Q

Ellen is concerned about her company’s resilience and wants to ensure it can handle either changing loads or support disaster recovery and business continuity efforts if a primary location or datacenter were taken offline. Which of the following should she primarily focus on during her capacity planning?
A. People, technology, and infrastructure
B. A generator and a UPS
C. RAID 0, 1, 5, and 10
D. Incremental, differential, and full backups

A

Resilience requires capacity planning to ensure that capacity—including staff, technology, and infrastructure—is available when is needed. Although a generator, UPS, various RAID levels, and backups have their place in disaster recovery and contingency planning, they are not the primary focus of resiliency and capacity planning.

257
Q

What is DNSSEC?

A

DNSSEC uses digital signatures (RRSIG records) so that a resolver can verify that the DNS data it receives is authentic and unmodified, which helps prevent DNS cache poisoning. The zone's public key (DNSKEY) and the signatures are returned alongside the answer, and each zone's key is in turn vouched for by a DS record in its parent zone, forming a chain of trust from the root down. A validating resolver detects tampering at any point in that chain. DNSSEC provides authenticity and integrity only; it does not encrypt DNS traffic.

258
Q

Colin would like to implement a security control in his accounting department that is specifically designed to detect cases of fraud that are able to occur despite the presence of other security controls. Which one of the following controls is best suited to meet Colin’s need?
A. Separation of duties
B. Least privilege
C. Dual control
D. Mandatory vacations

A

Mandatory vacations are designed to force individuals to take time away from the office to allow fraudulent activity to come to light in their absence. The other controls listed here (separation of duties, least privilege, and dual control) are all designed to prevent, rather than detect, fraud.

259
Q

Define mutation testing

A

A testing method where small changes are made to a program’s source code to test if the existing test cases can detect the mutations. It helps evaluate the effectiveness of test cases in uncovering defects.

260
Q

What is dynamic code analysis?

A

A process that evaluates a program’s behavior during execution to identify errors in the code. Unlike static analysis, it requires the program to be in a running state.

261
Q

Define code signing

A

A security technology that uses digital signatures to verify the authenticity and integrity of software code. It assures the recipient that the software has not been altered after it was signed.

It is both for authenticity of the author and the integrity of the code itself.

262
Q

Define fraud

A

Any deceitful practice or false representation intended to gain unauthorized benefits, such as manipulating digital transactions or stealing personal information.

263
Q

Define dual control

A

A security measure requiring two or more authorized individuals to perform and approve sensitive operations or transactions, enhancing protection against unauthorized access or fraud.

264
Q

April is working with an independent auditor to produce an audit report that she will share with her customers under NDA to demonstrate that her organization has appropriate security controls in place and that those controls are operating effectively. What type of audit report should April expect?
A. SOC 2 Type 1
B. SOC 2 Type 2
C. SOC 3 Type 1
D. SOC 3 Type 2

A

The fact that the auditor will be assessing the effectiveness of the controls means that this is a Type 2 report, not a Type 1 report. The fact that it will be shared only under NDA means that it is a SOC 2 assessment.

265
Q

What component of a virtualization platform is primarily responsible for preventing VM escape attacks?

A

The hypervisor is supposed to prevent this type of access by restricting a virtual machine’s access to only those resources assigned to that machine.

266
Q

Which one of the CVSS metrics would contain information about the type of account access that an attacker must have to execute an attack?

A

The privileges required (PR) metric indicates the type of system access that an attacker must have to execute the attack.

267
Q

Define ad-hoc networks

A

A type of network where devices communicate directly without a central router, typically set up for a specific purpose or task.

Example: A group of laptops sharing files directly in a meeting.

268
Q

Define point-to-point networks

A

A direct communication link between two devices, facilitating dedicated data transmission.

Example: A leased line connecting two corporate offices.

269
Q

Define RFID

A

RFID (Radio-Frequency Identification):

Definition: A technology using radio waves to read and capture information stored on a tag attached to an object. 

Example: Tracking inventory in a warehouse.

270
Q

Define threat hunting

A

Proactive searching through networks to detect and isolate advanced threats that evade existing security solutions.

Example: Using threat intelligence to search for indicators of compromise within network logs.

271
Q

Define war driving

A

The act of searching for Wi-Fi wireless networks by a person in a moving vehicle, using a device with Wi-Fi to detect vulnerable networks.

Example: Mapping out open Wi-Fi networks in a city.

272
Q

What are the types of CAs in PKI?

A
  • Root CAs: The top-level certification authorities whose self-signed certificates anchor trust. In practice a root CA issues certificates to intermediate CAs rather than to end entities, and its private key is kept offline to protect it.
  • Intermediate CAs: Entities authorized by a root CA to issue certificates to end entities or to further intermediate CAs. They form the chain between the root certificate and end-entity certificates, so the root key does not have to be used for day-to-day issuance.
  • Public CAs: Commercial entities that issue digital certificates to the public for securing web transactions; their root certificates are distributed in browser and operating system trust stores.
  • Private CAs: Operated within an organization for internal purposes and not trusted by external parties unless the root certificate is manually imported into their trust stores.
273
Q

Henry wants to check to see if services were installed by an attacker. What commonly gathered organizational data can he use to see if a new service appeared on systems?

A

Vulnerability scans are the best way to find new services that are offered by systems. In fact, many vulnerability scanners will flag new services when they appear, allowing administrators to quickly notice unexpected new services.

274
Q

James, a customer service representative at an online retail company, is undergoing a security training program. As part of his role, he frequently communicates with customers, handling their queries and complaints. Which type of training would best equip James to handle social engineering and pretexting attacks that he may encounter in his work?
A. Role-based training
B. Anomalous behavior recognition
C. Hybrid/remote work environment training
D. Security policy training

A

The correct answer is role-based training. This approach tailors the training content to the specific job responsibilities of an individual. For a customer service representative like James, the focus would be on nontechnical aspects, particularly on dealing with social engineering and pretexting attacks. Anomalous behavior recognition, while important, is more focused on recognizing unexpected or risky behavior internally and is not specifically tailored to his role. Hybrid/remote work environment training and security policy training, although crucial, deal with best practices for remote work security and organizational security policies, respectively, and are not directly related to handling social engineering and pretexting attacks, which are a significant part of James’s job responsibilities.

275
Q

Paul is the CEO of a large manufacturing company. He is concerned about the company’s compliance obligations and wants reassurance about the effectiveness of the organization’s internal controls. He is considering ordering an audit, but he isn’t sure which type of audit would best meet his needs and would like to keep costs down. Which type of audit should Paul consider for his needs?

A

Paul’s scenario is ideally suited to an internal audit. This is because internal audits are often conducted when management or the board of a company wishes to gain assurance that the company is meeting its compliance obligations. Furthermore, these audits are designed to identify control gaps in anticipation of a more formal external audit. While external audits and independent third-party audits can provide validation of an organization’s controls, they are typically performed by outside auditing firms or other organizations, not the organization itself and are more expensive.

276
Q

Define MMS

A

MMS (Multimedia Messaging Service):

Definition: A standard way to send messages that include multimedia content over mobile networks. 

Example: Sending a photo or video clip via text message.

277
Q

Define RCS

A

RCS (Rich Communication Services):

Definition: A communication protocol between mobile carriers and between phone and carrier, aiming to replace SMS messages with a richer text message system. 

Example: Chat features over mobile data, like group chat, video, and file sharing within text messaging.

278
Q

What is an internal audit?

A

An objective examination and evaluation of an organization’s operations and controls conducted by an internal team.

Example: A company conducts an internal audit to assess the effectiveness of its financial controls.

279
Q

What is an independent third-party audit?

A

An evaluation performed by an external organization not affiliated with the client, to ensure transparency and objectivity.

Example: A cybersecurity firm assessing a company’s IT infrastructure for vulnerabilities.

280
Q

Define bluejacking

A

Sending unsolicited messages to Bluetooth-enabled devices.

Example: Sending a business card or note to a nearby device through Bluetooth without the owner’s consent.

281
Q

Define evil maid attack

A

A security breach that occurs when an attacker gains physical access to a device left unattended.

Example: Installing a keylogger on a laptop left in a hotel room.

282
Q

Define bluesnarfing

A

Unauthorized access to or theft of information from a Bluetooth-enabled device.

Example: Extracting a contact list from a phone without permission.

283
Q

Chris is creating a script that will automatically screen any user requests and flag those that exceed normal thresholds for manual review. What term best describes this automation use case?
A. User provisioning
B. Guard rails
C. Ticket creation
D. Escalation

A

This is an example of the guard rails use case for automation. Cybersecurity professionals can use scripting to automatically review user actions and block any that are outside of normal parameters.

284
Q

Lori has discovered that a system she is responsible for is sending traffic to an alternate gateway rather than to her organization’s normal gateway. What type of attack is Lori most likely investigating?

A

An on-path attack, formerly known as a man-in-the-middle (MitM) attack, occurs when an attacker inserts themselves into the data path between a user's device and the network's gateway. From that position the attacker can intercept, modify, or redirect traffic without the knowledge of either party. On a local network this is commonly achieved by ARP spoofing or by a rogue DHCP server that hands out the attacker's address as the default gateway, which is exactly the symptom Lori sees: traffic to an alternate gateway indicates an attacker has succeeded in getting on path, making "on-path attack" the most accurate description of what she is investigating.

285
Q

Define replay attack

A

Replaying previously recorded communication in order to deceive someone.

286
Q

Define differential backup

A

Differential backups back up the changes since the last full backup.

287
Q

Which of the following components is required for an SSL/TLS stripping attack?
A. An on-path system
B. A TLS accelerator card
C. An SSL accelerator card
D. An SSL/TLS removal script

A

SSL stripping (or TLS stripping) relies on making the end user believe that they have a secure connection but instead proxies that connection via an on-path system that intercepts requests, terminates the SSL or TLS connection, and then passes those requests on to the legitimate server after either capturing or modifying the traffic.

288
Q

Rhonda needs a digital certificate for a new web server that she is putting online this afternoon. If she has no prior relationship with a CA, what type of certificate can she obtain most quickly?

A

Domain validation (DV) certificates require only verification of domain ownership, which can normally be done through an automated process. Other types of certificates require more thorough and time-consuming verification steps.

289
Q

Helen’s organization maintains medical records on behalf of its customers, who are individual physicians. What term best describes the role of Helen’s organization as it pertains to GDPR?

A

GDPR calls the party that decides why and how personal data is processed the data controller; here that is each physician. The physicians have outsourced the processing to Helen's organization, which handles the records on their instructions and is therefore a data processor.

290
Q

Arun wants to determine the best placement for new Wi-Fi access points. What process is typically done to determine where access points should be placed?

A

Site surveys are done to map existing installations and to create wireless signal heat maps to determine where a new access point may be needed or where coverage is weak.

291
Q

Michelle has deployed iPads to her staff who work her company’s factory floor. She wants to ensure that the devices work only in the factory and that if they are taken home they cannot access business data or services. What type of solution is best suited to her needs?

A

Geofencing will allow Michelle to determine what locations the device should work in. The device will then use geolocation to determine when it has moved and where it is.

292
Q

Define birthday attack

A

A type of cryptographic attack that exploits the mathematics behind the birthday problem in probability to find collisions in hash functions. Example: Attacker uses it to find two different inputs that produce the same hash output, compromising digital signatures.
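
The birthday-attack search described above, as an added example that is not part of the flashcards: SHA-256 is truncated to 32 bits so that the collision appears in a fraction of a second (the truncation and the input prefix are assumptions for illustration, not a weakness in SHA-256). With a 32-bit digest a second preimage costs about 2**32 hashes, but a collision between any two inputs costs only about sqrt(pi/2 * 2**32), roughly 82,000.

```python
"""Birthday attack on a truncated hash (added example, not from the flashcards)."""
import hashlib
import math


def toy_hash(data: bytes, bits: int = 32) -> int:
    """SHA-256 truncated to the first `bits` bits.

    Truncation is what makes the search feasible here; it stands in for a
    weak or short hash and is not something to do with a real hash function.
    """
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def expected_attempts(bits: int) -> float:
    """Hashes needed before a collision is likely: sqrt(pi/2 * 2**bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_collision(bits: int = 32, prefix: bytes = b"contract-v") -> tuple:
    """Return (input_a, input_b, hashes_computed) with toy_hash(a) == toy_hash(b) and a != b.

    The attacker hashes many distinct variants of a document and remembers
    every digest; the first repeated digest is a collision. The work is on
    the order of 2**(bits/2), not 2**bits.
    """
    seen = {}            # digest -> first input that produced it
    counter = 0
    while True:
        candidate = prefix + str(counter).encode()
        h = toy_hash(candidate, bits)
        if h in seen:    # all inputs are distinct, so a repeated digest is a real collision
            return seen[h], candidate, counter + 1
        seen[h] = candidate
        counter += 1


if __name__ == "__main__":
    a, b, n = find_collision(32)
    print(f"collision after {n} hashes (expected about {expected_attempts(32):.0f})")
    print(f"{a!r} -> {toy_hash(a):08x}")
    print(f"{b!r} -> {toy_hash(b):08x}")
```

The signature angle is that if a victim signs input a, the same signature verifies over input b, because the signature covers only the digest. Doubling the digest length squares the attacker's work, which is why 128-bit digests (MD5) are no longer acceptable for signatures while 256-bit ones still are.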

293
Q

Define homomorphic encryption

A

A form of encryption allowing computation on ciphertexts, generating an encrypted result that, when decrypted, matches the result of operations performed on the plaintext.

Example: Voting systems where votes are encrypted but can still be tallied without decryption.
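
The voting example worked through in code, as an added example that is not from the flashcards: a toy Paillier cryptosystem, which is additively homomorphic (multiplying two ciphertexts gives an encryption of the sum of the plaintexts). The two small primes are assumed values chosen so the example runs offline; a real deployment uses primes of roughly 1024 bits each. Each ballot is encrypted as 0 or 1, the tally is formed on ciphertexts only, and only the final count is decrypted.

```python
"""Toy Paillier cryptosystem showing an encrypted vote tally (added example, not from the flashcards)."""
from __future__ import annotations

import math
import random

# Assumed toy primes for illustration only; real keys use much larger primes.
P, Q = 1000003, 1000033
assert all(P % d for d in range(2, int(P ** 0.5) + 1)), "P must be prime"
assert all(Q % d for d in range(2, int(Q ** 0.5) + 1)), "Q must be prime"


def keygen(p: int = P, q: int = Q) -> tuple[tuple[int, int], tuple[int, int]]:
    """Return ((n, g), (lam, mu)) using the common simplification g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p - 1, q - 1)
    mu = pow(lam, -1, n)                                 # L(g^lam mod n^2) = lam when g = n + 1
    return (n, n + 1), (lam, mu)


def encrypt(pub: tuple[int, int], m: int) -> int:
    """c = g^m * r^n mod n^2 with a fresh random r, so equal votes give different ciphertexts."""
    n, g = pub
    n2 = n * n
    while True:
        r = random.randrange(1, n)
        if math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub: tuple[int, int], priv: tuple[int, int], c: int) -> int:
    """m = L(c^lam mod n^2) * mu mod n, where L(x) = (x - 1) / n."""
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    l_value = (pow(c, lam, n2) - 1) // n
    return (l_value * mu) % n


def add_ciphertexts(pub: tuple[int, int], c1: int, c2: int) -> int:
    """E(m1) * E(m2) mod n^2 is a valid encryption of m1 + m2: the homomorphic step."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def tally(pub: tuple[int, int], encrypted_votes: list[int]) -> int:
    """Combine encrypted 0/1 ballots into one ciphertext of the yes count, never decrypting a ballot."""
    acc = encrypt(pub, 0)
    for c in encrypted_votes:
        acc = add_ciphertexts(pub, acc, c)
    return acc


if __name__ == "__main__":
    pub, priv = keygen()
    ballots = [encrypt(pub, v) for v in [1, 0, 1, 1, 0, 1]]
    print("yes votes:", decrypt(pub, priv, tally(pub, ballots)))
```

The tallying party holds only the public key, so it can add ballots but cannot read any of them; whoever holds the private key sees only the sum. A real election scheme also needs proofs that each ballot encrypts 0 or 1 and not, say, 1000, which plain Paillier does not give you.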

294
Q

Define downgrade attack

A

An attack where a secure connection is downgraded to a less secure version, making it vulnerable to breaches. Example: Forcing a connection to use outdated, less secure encryption.

295
Q

Define failover exercise

A

A test of a system’s ability to transfer operations to a backup system in the event of failure. Example: Switching to a secondary server when the primary server crashes to ensure service continuity.

296
Q

Define pharming

A

A cyberattack intended to redirect a website’s traffic to a fake website without the user’s consent or knowledge. Example: Modifying DNS settings to redirect users from a bank’s website to a fraudulent one.

297
Q

Define SSL/TLS stripping attack

A

An attack where the attacker intercepts and alters the communication between a client and a server, downgrading it from a secure HTTPS connection to an insecure HTTP connection. Example: Intercepting web traffic to steal information.

298
Q

Ujama is deploying a wireless access point for a small business that won’t use enterprise authentication for wireless. What WPA3 feature ensures that the initial key exchange for personal mode is more secure?

A

Simultaneous Authentication of Equals (SAE). WPA2-Personal derived session keys directly from the preshared key (PSK) in a four-way handshake, so anyone who captured the handshake could run an offline dictionary attack against the passphrase. WPA3-Personal still uses a shared passphrase, but SAE (a Dragonfly password-authenticated key exchange) means a captured handshake cannot be attacked offline and each session gets its own keys with forward secrecy.

299
Q

What is MDM?

A

Mobile Device Management

300
Q

Jared wants to exchange keys with a third party in a secure manner. Why is key exchange a concern for cryptographic systems?
A. Key length makes transferring keys difficult due to size.
B. Asymmetric encryption requires extra security when sending private keys.
C. Symmetric encryption keys are all identical, meaning that they can be easily transferred.
D. Users may not have a preexisting secure means of communication.

A

D. How to exchange keys between two users or systems that have never interacted before is a key problem in cryptographic systems. Protocols like Diffie–Hellman key exchange address this issue for cryptographic systems, allowing users to securely exchange secret keys even if they have no preexisting trusted channel.

301
Q

What is impossible travel time?

A

Risky login detection schemes look at impossible travel times between geographic locations using GeoIP capabilities. This means that they can detect that a user cannot reasonably have logged in from a site in one location and then traveled to a second location and logged in there. Although VPN usage can cause issues with this, in general this is a useful setting to avoid the use of stolen or shared credentials.
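
The detection described above run over sample data, as an added example that is not part of the flashcards. The four login events, the coordinates, and the 1,000 km/h speed threshold are constructed for illustration; in a real deployment the coordinates come from a GeoIP lookup of the source address, and the VPN caveat above means a hit should raise a risk score or step-up challenge rather than block outright.

```python
"""Impossible-travel detection over constructed login events (added example, not from the flashcards)."""
from __future__ import annotations

import math
from datetime import datetime, timezone

MAX_SPEED_KMH = 1000.0   # assumed threshold: above any realistic airliner-plus-airport average

# Constructed sample events (user, UTC timestamp, latitude, longitude); not real data.
SAMPLE_EVENTS = [
    ("alice", "2024-03-01T09:00:00Z", 51.5074,  -0.1278),   # London
    ("alice", "2024-03-01T09:45:00Z", 40.7128, -74.0060),   # New York, 45 minutes later
    ("bob",   "2024-03-01T08:00:00Z", 48.8566,   2.3522),   # Paris
    ("bob",   "2024-03-01T20:00:00Z", 40.7128, -74.0060),   # New York, 12 hours later
]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlambda / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def _parse_utc(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_impossible_travel(events, max_speed_kmh: float = MAX_SPEED_KMH) -> list[dict]:
    """Return one finding per consecutive login pair (per user) whose implied speed is too high."""
    by_user: dict[str, list] = {}
    for user, ts, lat, lon in events:
        by_user.setdefault(user, []).append((_parse_utc(ts), lat, lon))

    findings = []
    for user, logins in by_user.items():
        logins.sort()                                   # chronological order per user
        for (t1, la1, lo1), (t2, la2, lo2) in zip(logins, logins[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            km = haversine_km(la1, lo1, la2, lo2)
            if hours == 0:
                speed = math.inf if km > 0 else 0.0     # same instant, different place
            else:
                speed = km / hours
            if speed > max_speed_kmh:
                findings.append({"user": user, "km": round(km),
                                 "hours": round(hours, 2), "kmh": round(speed)})
    return findings


if __name__ == "__main__":
    for finding in find_impossible_travel(SAMPLE_EVENTS):
        print(finding)
```

Alice is flagged (about 5,570 km in 45 minutes); Bob's Paris-to-New York trip over 12 hours averages under 500 km/h and passes. A sort per user is what makes the check pairwise-consecutive rather than all-pairs, which keeps it linear in the number of logins.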

302
Q

Kayla is conducting threat research and wants to monitor for information from threat actor groups. Which one of the following information sources is most likely to provide her with this information?
A. Information-sharing organizations
B. Vendor websites
C. Responsible disclosure programs
D. The dark web

A

Ransomware groups and others commonly publish information on the dark web as well as engaging via forums and similar sites there. Kayla’s best bet is the dark web. Information-sharing organizations may gather information from the dark web, but without knowing more about a specific organization, its members, and their methodologies, that’s not certain. Responsible disclosure programs are used to notify vendors of flaws, and vendor websites may provide information specific to their products.

303
Q

Define SASE

A

SASE (Secure Access Service Edge) is a cloud-delivered architecture that combines WAN connectivity, typically SD-WAN (software-defined wide area networking), with network security functions such as zero trust network access (ZTNA), firewall as a service, secure web gateway, and CASB (cloud access security broker) into a single service. Policy is enforced at the provider's points of presence, so users and devices receive the same controls whether they are in an office, at home, or mobile, instead of having their traffic backhauled to a corporate datacenter for inspection. This makes SASE well suited to organizations with dispersed workforces and simplifies management, because security policy is defined once and applied uniformly.

304
Q

Define secure baseline

A

Secure baselines are used to document the settings and procedures used to configure systems or devices.

305
Q

Which element of the SCAP framework can be used to consistently describe vulnerabilities?

A

Common Vulnerabilities and Exposures (CVE) provides a standard nomenclature for describing security-related software flaws.

306
Q

Jill wants to use DNS filtering to prevent users in her organization from visiting potentially malicious sites. What type of service should she use to obtain this information?

A

DNS reputation services can provide Jill with an automated feed of malicious sites that she can include in her DNS filter.

307
Q

Renee would like to send Christopher an encrypted message using an asymmetric encryption algorithm. What key should she use to encrypt the message?

A

Christopher’s (recipient) public key. When encrypting a message using an asymmetric encryption algorithm, the person performing the encryption does so using the recipient’s public key.

308
Q

Fred wants to be able to recover his database transactions at any point in time if a physical disaster occurs involving his datacenter. His organization uses daily backups. What additional solution should he select to support this need?

A

Offsite journaling (remote transaction log shipping) records every transaction as it happens and keeps that log outside the datacenter, so it survives a physical disaster there and can be replayed on top of the most recent daily backup. Snapshots are useful at a point in time but do not retain the transactions that occurred between snapshots.

Point-in-time recovery (PITR) is the procedure this enables: restore the last backup, then replay the journal up to the chosen moment before the failure.

309
Q

Acme Widgets has 10 employees and they all need the ability to communicate with one another using a symmetric encryption system. The system should allow any two employees to securely communicate without other employees eavesdropping. If an 11th employee is added to the organization, how many new keys must be added to the system?

A

In a symmetric encryption system, each pair of users needs a unique key to communicate securely. When the 11th employee joins Acme Widgets, they will need a shared secret key with every existing employee. There are 10 existing employees, so 10 new keys are required.

310
Q

Zian is a cybersecurity leader who is coordinating the activities of a security audit. The audit is being done to validate the organization’s financial statements to investors and involves a review of cybersecurity controls. What term best describes this audit?

A

External audit. Audits performed to validate an organization’s financial statements are very formal audits that are performed by independent third-party auditors.

311
Q

Elaine wants to securely erase the contents of a tape used for backups in her organization’s tape library. What is the fastest secure erase method available to her that will allow the tape to be reused?

A

A degausser is a quick and effective way to erase a tape before it is reused. Overwriting a tape with 1s, 0s, or a pattern of 1s and 0s is typically slow and is not a common method of destroying data on tape. One caveat before relying on reuse: some modern formats, LTO among them, carry factory-written servo tracks that degaussing also erases, leaving the cartridge unusable, so check the tape format first.

312
Q

What is the primary concern with sFlow in a large, busy network?

A

sFlow samples packets rather than recording every flow, so some detail and accuracy are lost. The primary concern for analysts is that a low sampling rate can miss short or low-volume conversations, which is exactly the kind of traffic an attacker's beaconing may produce. The same sampling is what lets sFlow scale to large, busy networks with little load on the exporting switch or router.

313
Q

What technique is used to ensure that DNSSEC-protected DNS information is trustworthy?

A

It is digitally signed. DNSSEC does not encrypt data but does rely on digital signatures to ensure that DNS information has not been modified and that it is coming from a server that the domain owner trusts.

314
Q

Casey wants to replace her organization’s MPLS-based external connectivity using commodity technologies. What technology should she select to help her manage this?

A

SD-WAN (software-defined wide area network) is commonly used to replace MPLS (Multiprotocol Label Switching) networks, which are typically higher cost than other connectivity options.

315
Q

Michael wants to acquire the firmware from a running device for analysis. What method is most likely to succeed?

A

Use forensic memory acquisition techniques. Firmware can be challenging to access, but both memory forensic techniques and direct hardware interface access are viable means in some cases.

316
Q

What is SLE?

A

The single loss expectancy (SLE) is the amount of damage expected to occur as the result of a single successful attack.

317
Q

Jerome wants to allow guests to use his organization’s wireless network, but he does not want to provide a preshared key. What solution can he deploy to gather information such as email addresses or other contact information before allowing users to access his open network?

A

Jerome should deploy a captive portal that requires users to provide information before being moved to a network segment that allows Internet access.

318
Q

Ryan is selecting a new security control to meet his organization’s objectives. He would like to use it in their multicloud environment and would like to minimize the administrative work required from his fellow technologists. What approach would best meet his needs?

A

A third-party (vendor-neutral) control. Controls offered by a cloud service provider integrate directly with that provider's offerings, which often makes them cost-effective and easy to use, but each one covers only that provider's cloud. Third-party solutions are often more costly, but they integrate with a variety of cloud providers and present one management interface, which is what minimizes the administrative work in a multicloud environment.

319
Q

Ben wants to conduct an offline brute-force attack against a Linux system. What file should he work to obtain a copy of?

A

The /etc/shadow file holds the password hashes on most modern Linux systems and is readable only by root. Ben will usually also want /etc/passwd so he can combine the two (for example with John the Ripper's unshadow) before cracking with John the Ripper or hashcat. Because shadow hashes are salted, precomputed rainbow tables are not effective against them; offline cracking means dictionary and brute-force attempts against each salted hash.

320
Q

Amanda notices traffic between her systems and a known malicious host on TCP port 6667. What type of traffic is she most likely detecting?

A

Amanda has most likely discovered a botnet’s command and control channel, and the system or systems she is monitoring are probably using IRC as the command and control channel. Spyware is likely to simply send data to a central server via HTTP/HTTPS, worms spread by attacking vulnerable services, and a hijacked web browser would probably operate on common HTTP or HTTPS ports (80/443).

321
Q

Refer to the following scenario:

Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm’s customers. He expects that a compromise of that database would result in $500,000 of fines against his firm.

Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year.

What is the exposure factor (EF)?

A

The attack would result in the total loss of the customer data stored in the database, making the exposure factor (EF) 100 percent. Carrying the scenario through, the single loss expectancy is $500,000 × 100% = $500,000, and with an annualized rate of occurrence of 0.05 the annualized loss expectancy is $25,000.

322
Q

What is TOCTOU?

A

The time-of-check-to-time-of-use (TOCTOU, also written TOCTTOU or TOC/TOU) flaw is a race condition in which a program checks a condition (for example, file permissions or whether a path is a symbolic link) and then acts on the resource later, leaving a window in which an attacker can change what the checked name refers to. The fix is to make the check and the use a single operation, or to check the handle you will actually use rather than the name.
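
The race reproduced end to end, as an added example that is not from the flashcards. It assumes a POSIX system and simulates the attacker's move inline (between the check and the use) rather than with a second process, which is enough to show why the check on a path name proves nothing about the file that is later opened. The owner check in read_safe() is an assumed policy for the example.

```python
"""TOCTOU race and its fix (added example, not from the flashcards; assumes POSIX)."""
import os
import stat
import tempfile


def read_unsafe(path: str) -> bytes:
    """Vulnerable: validates a *name*, then opens the same name again later."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):          # rejects symlinks, devices, directories
        raise PermissionError("not a regular file")
    # Race window: between lstat() and open() the name can be re-pointed.
    with open(path, "rb") as f:
        return f.read()


def read_safe(path: str) -> bytes:
    """Fixed: open first, then validate the descriptor that will actually be read."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)                     # describes the opened object, not a name
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        if st.st_uid != os.getuid():          # assumed policy: only read our own files
            raise PermissionError("unexpected owner")
        f = os.fdopen(fd, "rb")               # file object now owns the descriptor
    except BaseException:
        os.close(fd)
        raise
    with f:
        return f.read()


def demo_race() -> tuple:
    """Play the attacker's move inside the window. Returns (leaked, safe_outcome, safe_read)."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret")
        upload = os.path.join(d, "upload")
        with open(secret, "wb") as f:
            f.write(b"top secret")
        with open(upload, "wb") as f:
            f.write(b"harmless")

        # The check half of read_unsafe(): passes, because upload is a regular file.
        assert stat.S_ISREG(os.lstat(upload).st_mode)
        # Attacker acts inside the window: swap the checked name for a symlink.
        os.remove(upload)
        os.symlink(secret, upload)
        # The use half of read_unsafe(): follows the link and leaks the secret.
        with open(upload, "rb") as f:
            leaked = f.read()

        # read_safe() on the swapped name: O_NOFOLLOW refuses to follow the link.
        try:
            read_safe(upload)
            outcome = "opened"
        except OSError as e:
            outcome = f"refused ({e.__class__.__name__})"

        return leaked, outcome, read_safe(secret)


if __name__ == "__main__":
    leaked, outcome, ok = demo_race()
    print("unsafe path leaked:", leaked)
    print("safe open of swapped name:", outcome)
    print("safe open of a legitimate file:", ok)
```

The general rule the fixed version follows is to validate the object you hold (the descriptor, via fstat) rather than the name you were given, and to let the kernel refuse the dangerous case (O_NOFOLLOW) instead of checking for it yourself. The same pattern applies to directory traversal (openat with a directory descriptor) and to privilege checks that are separated in time from the action they gate.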

323
Q

What component of a zero-trust reference design makes decisions based on rules set as part of the zero-trust configuration?

A

The policy engine. In the zero-trust reference design (NIST SP 800-207), a subject on an untrusted system reaches enterprise resources only through a policy enforcement point (PEP). The policy engine evaluates each access request against the configured rules and trust signals and grants or denies it; the policy administrator then acts on that decision by telling the PEP to establish or tear down the session. "Policy enforcer" is not a component of the reference design.

324
Q

Brenda’s company provides a managed incident response service to its customers. What term best describes this type of service offering?

A

Brenda’s company is offering a technology service to customers on a managed basis, making it a managed service provider (MSP). However, this service is a security service, so the term managed security service provider (MSSP) is a better description of the situation.

325
Q

As part of her organization’s response and recovery controls, Charlene has implemented a remote site that has all the systems needed to operate her company’s IT infrastructure. In the event of a major outage or issue, she would need to bring copies of data to the site. What type of disaster recovery site has she set up?

A

A warm site has all the hardware and networking needed to run essential operations, but it does not have the data ready to go. A cold site is essentially just space to bring in equipment, networking, and data. A hot site has everything you need, and you may have to bring just the last data update.

326
Q

Define RTOS

A

A real-time operating system (RTOS) is an OS that is designed to handle data as it is fed to the operating system, rather than delaying handling it as other processes and programs are run. Real-time operating systems are used when processes or procedures are sensitive to delays that might occur if responses do not happen immediately.

327
Q

Define LDAP

A

LDAP (Lightweight Directory Access Protocol):

Definition: A protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.

Example: Used by organizations for storing user contact info and integrating login systems.

328
Q

Define IPSEC

A

IPSEC (Internet Protocol Security):

Definition: A suite of protocols designed to secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet in a data stream.

Example: Used to establish secure VPN connections.

329
Q

Define SCAP framework

A

SCAP Framework (Security Content Automation Protocol):

Definition: A suite of standards for automating the way systems maintain security.

Example: Enables automated vulnerability management, measurement, and policy compliance evaluation.

330
Q

Define MPLS

A

MPLS (Multiprotocol Label Switching):

Definition: A routing technique in telecommunications networks that directs data from one node to the next based on short path labels rather than long network addresses.

Example: Used by ISPs to improve traffic flow and speed up network performance.

331
Q

Define Kerberos

A

Definition: A network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography.

Example: Used in secure network environments to authenticate users accessing services.

332
Q

Define captive portal

A

Definition: A web page accessed with a web browser that is displayed to newly connected users of a Wi-Fi network before they are granted broader access.

Example: Used in airports, hotels, and cafes to require users to accept terms or provide login information.

333
Q

Define WPS

A

Wi-Fi Protected Setup (WPS) is a feature in Wi-Fi security that allows for the easy setup of a secure wireless home network by capturing the WPS PIN, simplifying the process of connecting devices.

334
Q

Chris is reviewing evidence of a cross-site scripting attack where the attacker embedded JavaScript in a URL that a user clicked. The web page then sent the JavaScript to the user in the displayed page. What term best describes this attack?

A

This is an example of a reflected attack because the script code is contained within the URL.

335
Q

Define XDR

A

XDR (Extended Detection and Response):

Definition: A step beyond EDR, XDR extends capabilities across multiple layers of security, integrating data from emails, endpoints, servers, cloud workloads, and networks for a more comprehensive threat detection and response.

336
Q

Define SELinux

A

SELinux (Security-Enhanced Linux):

Definition: A security module for the Linux kernel that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC), enhancing system security by restricting programs to the least amount of privilege they need to run.

337
Q

Jen identified a missing patch on a Windows server that might allow an attacker to gain remote control of the system. After consulting with her manager, she applied the patch. From a risk management perspective, what has she done?
A. Removed the threat
B. Reduced the threat
C. Removed the vulnerability
D. Reduced the vulnerability

A

C. By applying the patch, Jen has removed the vulnerability from her server. This also has the effect of eliminating this particular risk. Jen cannot control the external threat of an attacker attempting to gain access to her server.

338
Q

Which cloud computing deployment model requires the use of a unifying technology platform to tie together components from different providers?

A

Hybrid cloud (multi-cloud) environments blend elements of public, private, and/or community cloud solutions. A hybrid cloud requires the use of technology that unifies the different cloud offerings into a single, coherent platform.

339
Q

What protocol is used to securely wrap many otherwise insecure protocols?

A

Transport Layer Security (TLS) is commonly used to wrap (protect) otherwise insecure protocols. In fact, many of the secure protocols simply add TLS to protect them.

340
Q

What are the five security functions described in the NIST Cybersecurity Framework?

A
  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

341
Q

Elaine wants to protect her endpoint systems from malware and other malicious activity while also providing central monitoring and identification of threat behaviors. What technology should she recommend to best fit this need?

A

Endpoint detection and response (EDR) tools protect endpoints while connecting to a central management and analysis console that helps detect and respond to threat behaviors.

342
Q

Rick believes that a system he is responsible for has been compromised with malware that uses a rootkit to obtain and retain access to the system. When he runs an antimalware tool’s scanner, the system doesn’t show any malware. If he has other data that indicates the system is infected, what should his next step be if he wants to determine what malware may be on the system?

A

Rootkits are designed to hide from antimalware scanners and can often defeat locally run scans. Mounting the drive in another system in read-only mode or booting from a USB drive and scanning using a trusted, known good operating system can be an effective way to determine what malware is on a potentially infected system.

343
Q

Fran’s organization uses a Type I hypervisor to implement an IaaS offering that it sells to customers. Which one of the following security controls is least applicable to this environment?
A. Customers must maintain security patches on guest operating systems.
B. The provider must maintain security patches on the hypervisor.
C. The provider must maintain security patches on the host operating system.
D. Customers must manage security groups to mediate network access to guest operating systems.

A

C. Type I hypervisors, also known as bare-metal hypervisors, run directly on top of the physical hardware and, therefore, do not require a host operating system.

344
Q

What are Type I hypervisors?

A

Type I hypervisors, also known as bare-metal hypervisors, run directly on top of the physical hardware and, therefore, do not require a host operating system.

345
Q

Greg would like to find a reference document that describes how to map cloud security controls to different regulatory standards. What document would best assist with this task?

A

The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) is a reference document designed to help organizations understand the appropriate use of cloud security controls and map those controls to various regulatory standards.

346
Q

What is the CSA CCM?

A

The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) is a reference document designed to help organizations understand the appropriate use of cloud security controls and map those controls to various regulatory standards.

347
Q

Madhuri has deployed a replication tool that copies data over to a secondary hot site in real time. What type of replication has she deployed?

A

Synchronous replication. This occurs in real time, whereas asynchronous replication occurs after the fact but more regularly than a backup.

348
Q

How does technology diversity help ensure cybersecurity resilience?
A. It ensures that a vulnerability in a single company’s product will not impact the entire infrastructure.
B. If a single vendor goes out of business, the company does not need to replace its entire infrastructure.
C. It means that a misconfiguration will not impact the company’s entire infrastructure.
D. All of the above.

A

D. Technology diversity helps ensure that a single failure—due to a vendor, vulnerability, or misconfiguration—will not impact an entire organization. Technology diversity does have additional costs, including training, patch management, and configuration management.

349
Q

Mike’s organization has recently moved to a SaaS cloud service and needs to collect forensic data from the cloud service. What process can Mike use to gather the information he needs?

A

Mike’s best option is to identify the log information available from the provider and to request any additional information knowing that he may not receive more detail unless there is contractual language that specifies it.

350
Q

What is SAE?

A

Simultaneous Authentication of Equals (SAE) is a secure authentication method used primarily in Wi-Fi Protected Access 3 (WPA3) for establishing a mutual authentication between devices on a network. Unlike traditional methods where one party authenticates to another, SAE allows both parties to authenticate each other simultaneously, enhancing security. It protects against common attacks such as offline dictionary attacks, ensuring that the session traffic between the authenticated devices is encrypted and secure. This method is crucial for creating a protected wireless network environment where both the access point and the client can trust each other’s identity.

351
Q

Daniel knows that WPA3 has added a method to ensure that brute-force attacks against weak preshared keys are less likely to succeed. What is this technology called?

A

Simultaneous Authentication of Equals (SAE) is used to establish a secure peering environment and to protect session traffic.

352
Q

Madhuri receives a text message asking her to contact the IRS due to unpaid taxes. When she calls the number in the text message, the person on the other end of the line attempts to get her to disclose her bank account number, Social Security number, and other personal information. What type of attack is this?

A

This scenario describes a vishing attack. Vishing, or voice phishing, involves the use of phone calls or voice messages to deceive individuals into divulging personal, financial, or security information. In this case, the attacker uses the pretext of unpaid taxes and the guise of authority (posing as the IRS) to manipulate Madhuri into sharing sensitive information, which could be used for fraudulent activities or identity theft.

353
Q

Which one of the following statements about cryptographic keys is incorrect?
A. All cryptographic keys should be kept secret.
B. Longer keys are better than shorter keys when the same algorithm is used.
C. Asymmetric algorithms generally use longer keys than symmetric algorithms.
D. Digital certificates are designed to share public keys.

A

A. All of these statements are correct except for the statement that all cryptographic keys should be kept secret. The exception to this rule is public keys used in asymmetric cryptography. These keys should be freely shared.

354
Q

Which type of governance model uses a bottom-up approach where individual business units are delegated the authority to achieve cybersecurity objectives?

A

Decentralized governance models use a bottom-up approach, where individual business units are delegated the authority to achieve cybersecurity objectives and then may do so in the manner they see fit.

355
Q

Define centralized governance model

A

A centralized governance model uses a top-down approach, where a central authority creates policies and standards that are then enforced throughout the organization.

356
Q

Define MOU

A

MOU (Memorandum of Understanding):

A formal agreement between two or more parties. It’s not legally binding but indicates an intended common line of action.

357
Q

Define MSA

A

MSA (Master Service Agreement):

A contract reached between parties, in which the parties agree to most of the terms that will govern future transactions or future agreements.

358
Q

Define BPA

A

BPA (Blanket Purchase Agreement):

A Blanket Purchase Agreement (BPA) is a pre-arranged contract between an organization and a supplier to provide goods or services on an as-needed basis at set prices. It streamlines the procurement process for recurring needs, reducing the need for repetitive bidding or negotiation. BPAs are like having a “tab” with trusted vendors, making it easier and faster to reorder supplies or services without renegotiating terms. This approach is efficient for managing long-term relationships with suppliers, ensuring quick access to necessary resources while potentially leveraging volume discounts.

359
Q

Howard is assessing the legal risks to his organization based on its handling of PII. The organization is based in the United States, handles the data of customers located in Europe, and stores information in Japanese datacenters. What law would be most important to Howard during his assessment?
A. Japanese law
B. European Union law
C. U.S. law
D. All should have equal weight.

A

The principle of data sovereignty states that data is subject to the legal restrictions of any jurisdiction where it is collected, stored, or processed. In this case, Howard needs to assess the laws of all three jurisdictions.

360
Q

Chris is designing a data loss prevention implementation for his organization. His primary goal is to protect a set of product plans that reside in a small data repository. New files are added to this repository on a periodic basis, and all of the files in the repository require protection. What technology would best meet Chris’s needs?

A

Chris could use either host-based or network-based DLP to meet his needs. The key technology in this scenario is the use of watermarking as the identification technique for sensitive data. Chris can tag all the documents in the secure repository with digital watermarks to flag them to the DLP system. Pattern recognition would not be a useful tool in this case because new documents are regularly added to the repository.

361
Q

What ISO standard provides guidance on privacy controls?

A

The International Organization for Standardization (ISO) publishes ISO 27701, covering privacy controls. ISO 27001 and 27002 cover cybersecurity, and ISO 31000 covers risk management.

362
Q

What is the document that tracks the custody or control of a piece of evidence called?

A

Chain-of-custody documentation tracks evidence throughout its life cycle, with information about who has custody or control and when transfers happened, and continues until the evidence is removed from the legal process and disposed of.

363
Q

Christine has been notified that a firewall device has reached its end of life. What should Christine do?

A

Most organizations plan to replace a device before it reaches end of support. Running devices past their end of support places the organization at risk because no support will be available if something goes wrong. End of life typically means that the device will no longer be sold, but it will continue to receive updates, patches, and support for some time to come.

364
Q

Gurvinder wants to select a mobile device deployment method that provides employees with devices that they can use as though they’re personally owned to maximize flexibility and ease of use. Which deployment model should he select?

A

Gurvinder’s requirements fit the COPE (corporate-owned, personally enabled) mobile device deployment model.

365
Q

Dan needs to select a mobile device deployment model to fit his organization’s needs. He wants to have the maximum amount of control over the devices selected but wants users to be able to install applications they need to make the devices useful to them. What model should he use?

A

The corporate-owned, personally enabled (COPE) model provides devices to users but allows them to use the device for their own use as well. BYOD (bring your own device) simply uses personally owned devices, while CYOD (choose your own device) allows users to select typically from a limited set of devices that the organization purchases and provides. COBO (corporate owned, business only), while not found in the current exam outline, is a common model in high-security environments.

366
Q

Kevin is configuring a web server to use digital certificates. What technology can he use to allow clients to quickly verify the status of those certificates without contacting a remote server?

A

Certificate stapling. The Online Certificate Status Protocol (OCSP) provides real-time checking of a digital certificate’s status using a remote server. Certificate stapling attaches a current OCSP response to the certificate to allow the client to validate the certificate without contacting the OCSP server.

367
Q

What type of NAC will provide Isaac with the greatest amount of information about the systems that are connecting while also giving him the greatest amount of control over those systems and their potential impact on other systems connected to the network?

A

Agent-based, preadmission NAC will provide Isaac with the greatest amount of information about a machine and the most control over what connects to the network and what can impact other systems. Since systems will not be connected to the network, even to a quarantine or preadmission zone, until they have been verified, Isaac will have greater control.

368
Q

What are the variations for NACs?

A

NAC (Network Access Control):

  • Preadmission vs. Postadmission:
    Preadmission control authenticates devices before they connect to the network, ensuring they meet security policies. Postadmission control monitors devices after connection for compliance and behavior.
  • Agent-Based vs. Agentless:
    Agent-based NAC requires software installed on devices to monitor and enforce policies. Agentless NAC does not require any software on the end-user devices, using the network infrastructure to enforce access policies.

369
Q

Brianna is concerned about undervoltage events and short power outages for her systems in a datacenter. What type of power protection should she put in place to help keep her systems online?

A

A UPS (uninterruptible power supply) relies on batteries or other stored power to keep systems online during short power outages, and it can also provide stable power during power sags and undervoltage events.

370
Q

Renee is configuring her vulnerability management solution to perform credentialed scans of servers on her network. What type of account should she provide to the scanner?

A

Credentialed scans only require read-only access to target servers. Renee should follow the principle of least privilege and limit the access available to the scanner.

371
Q

The business-critical web application that Nicole runs for her organization has a known zero-day flaw in it that involves SQL injection (SQLi). If Nicole has sample code showing the SQL injection, what type of network security device can she use to protect her application even if a patch isn’t available yet?

A

A web application firewall (WAF) can do exactly what Nicole needs. WAF software and hardware specialize in protecting web applications by analyzing traffic sent to the web application and blocking known malicious traffic and traffic patterns. Nicole can write a detection that will match the malicious SQL code from the zero-day attack while being careful not to write an overly broad or overly narrow detection. Once it’s deployed, she can continue to run her web application until a patch is released while remaining safe because of her WAF.

372
Q

Jim wants to centrally create, store, and manage certificates and cryptographic keys for his entire organization. What sort of appliance-based hardware solution should he select?

A

Hardware security modules (HSMs) are used to create, store, and manage cryptographic certificates and keys in a secure manner.

373
Q

Gene recently conducted an assessment and determined that his organization can be without its main transaction database for a maximum of two hours before unacceptable damage occurs to the business. What metric has Gene identified?

A

The Recovery Time Objective (RTO) is the amount of time that the organization can tolerate a system being down before it is repaired. That is the metric that Gene has identified in this scenario.

374
Q

Wanda is responsible for a series of seismic sensors placed at remote locations. These sensors have low-bandwidth connections, and she would like to place computing power on the sensors to allow them to preprocess data before it is sent back to the cloud. What term best describes this approach?

A

Edge computing, which involves placing compute power at the client to allow it to perform preprocessing before sending data back to the cloud.

375
Q

What significant improvement in Personal mode wireless was included in WPA3?
A. Simultaneous authentication of equals
B. Support for dictionary attacks
C. Added WPS3
D. Removed support for AES encryption

A

A. Simultaneous Authentication of Equals (SAE) is a major addition to WPA3’s Personal mode, and it actually helps prevent dictionary attacks. AES encryption remains in use, but Wi-Fi Protected Setup (WPS) is being removed.

376
Q

Nancy is concerned that there is a software keylogger on the system she’s investigating. What best describes data that may have been stolen?

A

Keyboard and other input from the user

377
Q

What type of hypervisor requires that the platform operator routinely patch the host operating system?

A

A Type II hypervisor is the only type of hypervisor that uses a host operating system. A Type I hypervisor, or bare-metal hypervisor, runs directly on top of the physical hardware.

378
Q

Greg is preparing a forensic report and needs to describe the tools that were used. What should he report about the tools in addition to their names?
A. The type of system the tools were installed or run on
B. The training level or certifications of the team that uses the tools
C. Any known limitations or issues with the tools
D. The patch level or installed version of the tools

A

C. If there are known limitations or issues with the tools used, this should be included in the report. The type of system the tool was installed on may influence performance but should not influence the report or output. Training and certification may be listed as part of a team description but are not required as part of tool description. Finally, patch levels or installed versions are not critical unless there are known issues that would have been described as such.

379
Q

Thomas has configured UEFI boot attestation on the servers that he is responsible for. What occurs during boot attestation?

A

The system attests to a verification platform about the trustworthiness of the software it is running after it completes the boot process.

380
Q

Define UPS

A

UPS (Uninterruptible Power Supply):
A device that provides emergency power to a load when the input power source fails, ensuring continuous operation during short outages.

381
Q

Define Dual-Power supply

A

A redundancy feature in critical systems, where two power supplies operate in parallel to ensure continuous power in case one fails.

382
Q

Define SLE

A

SLE (Single Loss Expectancy):
The expected monetary loss every time a risk occurs, an essential part of quantitative risk analysis.

383
Q

Define MTBF

A

MTBF (Mean Time Between Failures):
A reliability metric that predicts the time between inherent failures of a system during operation.

384
Q

Define RPO

A

RPO (Recovery Point Objective):
The maximum targeted period in which data might be lost due to a major incident, guiding the frequency of backups.

385
Q

Define fog computing

A

An architectural model that uses edge devices to carry out a substantial amount of computation, storage, and communication locally and routed over the internet backbone.

386
Q

Mike is sending David an encrypted message using a symmetric encryption algorithm. What key should he use to encrypt the message?

A

In symmetric encryption algorithms, both the sender and the receiver use a shared secret key to encrypt and decrypt the message, respectively.

387
Q

When Mike receives the digitally signed message from David, what key should he use to verify the digital signature?

A

The recipient of a digitally signed message may verify the digital signature by decrypting it with the public key of the individual who signed the message.

388
Q

Fred wants to implement trusted boot and knows that he needs to make sure that his workstations and laptops have the appropriate hardware to support it. What hardware should he ensure is built into the systems he is purchasing?

A

A Trusted Platform Module (TPM) is used by UEFI as part of the boot process to validate the boot objects and programs or to document what is started so that boot attestation can occur.

389
Q

What is business email compromise?

A

Business email compromise (BEC) relies on using apparently legitimate email addresses to conduct scams and other attacks.

390
Q

What term is used for a document that provides a high-level statement of management intent?

A

A policy

391
Q

List five common ways to assert or claim an identity.

A

Usernames, certificates, tokens, SSH keys, and smart cards.

392
Q

How do organizations determine where to place access points to handle poor coverage areas?

A

They conduct site surveys and create heat maps showing where coverage is relative to existing access points.

393
Q

What is the primary responsibility of the hypervisor?

A

The primary responsibility of the hypervisor is enforcing isolation between virtual machines. This means that the hypervisor must present each virtual machine with the illusion of a completely separate physical environment dedicated for use by that virtual machine.

394
Q

What are some examples of managerial controls?

A

Periodic risk assessments, security planning exercises, the incorporation of security into the organization’s change management, service acquisition, and project management practices

395
Q

What are three key security considerations when working with cloud storage?

A

Set permissions properly; consider high availability and durability options; and use encryption to protect sensitive data.

396
Q

What term describes an organization that offers services such as security monitoring, vulnerability management, incident response, and firewall management?

A

Managed security service provider (MSSP).

397
Q

What is a data protection officer (DPO)?

A

The European Union’s General Data Protection Regulation (GDPR) requires that every data controller designate a data protection officer (DPO) who bears overall responsibility for carrying out the organization’s data privacy efforts.

398
Q

What is the function of security groups?

A

They define permissible network traffic.

399
Q

Name all five risk categories.

A
  • Strategic Risk: Risks that arise from decisions that affect the strategic direction of an organization, such as entering new markets or launching new products.
  • Operational Risk: Risks associated with the day-to-day operations of an organization, including failures in internal processes, systems, and people, or from external events.
  • Compliance Risk: Risks of legal or regulatory sanctions, financial loss, or damage to reputation an organization may suffer as a result of failing to comply with laws, regulations, codes of conduct, or standards of good practice.
  • Financial Risk: Risks related to the financial health of an organization, including market risk, credit risk, liquidity risk, and interest rate risk.
  • Reputational Risk: Risks that can damage an organization’s reputation, leading to loss of revenue, customers, or partners. This can be caused by various factors, including poor customer service, security breaches, and non-compliance with legal and ethical standards.

400
Q

Define static testing

A

Analyzing code without executing it.

401
Q

Define dynamic testing

A

Executing code as a part of the test, running all the interfaces that the code exposes to the user with a variety of inputs, searching for vulnerabilities.

402
Q

Define interactive testing

A

Combines static and dynamic testing, analyzing the source code while testers interact with the application through exposed interfaces.

403
Q

What is the difference between misinformation and disinformation?

A

Misinformation is incorrect information, often resulting from getting facts wrong. Disinformation is incorrect, inaccurate, or outright false information that is intentionally provided to serve an individual or organization’s goals.

404
Q

Define MAM

A

MAM (Mobile Application Management):
Mobile Application Management refers to the strategy and tools used for controlling access to internally developed and commercially available mobile apps used in business settings. Unlike device management, MAM focuses on app distribution, licensing, configuration, and updating, providing data security without managing the entire device.

405
Q

Define UEM

A

UEM (Unified Endpoint Management) refers to a software solution or platform designed to provide a single, integrated approach to managing and securing all types of devices and endpoints within an organization. This includes desktops, laptops, smartphones, tablets, and IoT (Internet of Things) devices, regardless of their operating systems.

Key Aspects of UEM:

  • Centralized Management: UEM allows IT administrators to manage, configure, and secure devices from a central console, streamlining operations and reducing the complexity traditionally associated with managing a diverse device landscape.
  • Policy Enforcement: It enables the enforcement of consistent policies across all endpoints, such as security configurations, application restrictions, and data access controls, enhancing overall security and compliance.
  • Software and Application Management: UEM platforms facilitate the deployment, updating, and management of applications across all managed devices, ensuring that software is kept up-to-date and compliant with organizational standards.
  • Security Features: These solutions often include security functionalities like encryption management, malware protection, and intrusion detection to safeguard devices and data against threats.
  • Support for BYOD and Remote Work: UEM solutions are particularly valuable in supporting Bring Your Own Device (BYOD) policies and remote or mobile workforces by providing tools to manage and secure devices that are not owned by the organization but access its resources.

In essence, UEM is not a method or practice but rather a comprehensive software solution that empowers organizations to efficiently manage and secure a wide array of endpoint devices through unified policies, tools, and procedures. It represents an evolution from traditional device management solutions like MDM (Mobile Device Management) and EMM (Enterprise Mobility Management) to address the increasing diversity and complexity of the modern endpoint environment.

406
Q

Define operational risk

A

Operational risks involve losses stemming from failed or inadequate internal processes, people, and systems, or from external events. This category includes technical failures, fraud, and other disruptions in day-to-day business operations.

407
Q

Define financial risk

A

Financial risks are associated with the financial operations and transactions of an organization. This includes market risk, credit risk, liquidity risk, and legal risks that directly affect the financial stability of the company.

408
Q

Define compliance risk

A

Compliance risks arise from violations of, or non-conformance with, laws, regulations, codes of conduct, or organizational standards of practice. This includes failing to meet industry standards, legal sanctions, or fines.

409
Q

Define strategic risk

A

Strategic risks are uncertainties or circumstances that can affect an organization’s ability to achieve its objectives. This includes competition, market changes, partnerships, and business model risks.

410
Q

Define reputational risk

A

Reputational risks involve potential damage to an organization’s reputation due to some other event, action, or inaction. This can result from social media activity, customer feedback, or poor product quality, impacting customer trust and company value.

411
Q

What are three techniques to verify the authenticity of certificates and identify revoked certificates?

A
  • CRL (Certificate Revocation List): A list of certificates that have been revoked before their expiration date, published by the CA.
  • OCSP (Online Certificate Status Protocol): A protocol used to obtain the revocation status of an X.509 digital certificate without requiring CRL download.
  • Certificate Stapling: A method where the server periodically queries the OCSP responder and then attaches (“staples”) the response to the handshake, reducing the burden on clients.

412
Q

What is port security?

A

A capability that allows you to limit the number of MAC addresses that can be used on a single port.

413
Q

What are two variants that file inclusion attacks come in? How do they work?

A

Local File Inclusion (LFI) attacks involve exploiting vulnerabilities to execute files located on the server, potentially leading to unauthorized access or code execution. Remote File Inclusion (RFI) attacks extend this threat by exploiting vulnerabilities to execute code from a remote server, allowing attackers to inject malicious scripts. The key difference lies in the source of the executable code: LFI targets the server’s own filesystem, while RFI uses external sources to execute code, significantly broadening the attack vector.

414
Q

After an event or incident, what process is used to determine why it occurred?

A

Root cause analysis is used to determine why an event or issue occurred

415
Q

What is SDN?

A

Software-defined networking (SDN) uses software-based network configuration to control networks. SDN designs rely on controllers that manage network devices and configurations, centrally managing the software-defined network.

416
Q

What ensures that acquired images are intact?

A

Hashing and validating: the imaging tool computes a cryptographic hash (typically MD5 and/or SHA-256) of the source and of the acquired image, and the two values are compared, and re-verified later, to prove the image is a complete, unaltered copy.

417
Q

What are some of the attributes used in an X.509 certificate?

A

Version of X.509; serial number; signature algorithm identifier; issuer name; validity period; subject’s Common Name (CN); certificates may optionally contain Subject Alternative Names (SAN) that allow you to specify additional items (IP addresses, domain names, and so on) to be protected by the single certificate; and subject’s public key

418
Q

What are the three major types of exercises that incident response teams use to prepare?

A

Tabletop, walkthroughs, simulations

419
Q

What is a data controller?

A

The entity who determines the reasons for processing personal information and directs the methods of processing that data.

420
Q

Name five factors that influence how often an organization decides to conduct vulnerability scans against its systems.

A

Risk appetite, regulatory requirements, technical constraints, business constraints, licensing limitations

421
Q

What are three main methods used to exchange secret keys securely?

A

Offline distribution, public key encryption, and the Diffie–Hellman key exchange algorithm

422
Q

Name four use cases for forensics.

A

Forensics may be used for investigations, incident response, intelligence, and counterintelligence.

423
Q

What are three major functions provided by TPM chips?

A

Trusted Platform Module (TPM) chips provide a hardware root of trust: keys generated inside the TPM never leave it in the clear. They offer three critical functions: Remote Attestation, in which the TPM signs a quote of its Platform Configuration Registers (PCRs), the measurements of firmware and software recorded during boot, so a remote verifier can confirm that the device is running the expected hardware and software configuration; Binding, which encrypts data with a key held by the TPM so that the data can be decrypted only on that TPM-equipped device; and Sealing, which is binding with an added condition: the TPM releases the data only if the current PCR values match those specified when the data was sealed, that is, only while the system remains in a trusted state. This protects data against an attacker who boots the device into a modified operating system or moves the disk to another machine.

424
Q

List all steps in site restoration.

A

Restore network connectivity and a bastion or shell host; restore network security devices (firewalls, IPS); restore storage and database services; restore critical operational servers; restore logging and monitoring service; and restore other services as soon as possible.

425
Q

List at least five connectivity methods.

A

Cellular, Wi-Fi, Bluetooth, NFC, RFID, Infrared, GPS, USB

426
Q

Why might a certificate authority need to revoke a digital certificate?

A

The certificate was compromised (e.g., the certificate owner accidentally gave away the private key); the certificate was erroneously issued (e.g., the CA mistakenly issued a certificate without proper verification); the details of the certificate changed (e.g., the subject’s name changed); and the security association changed (e.g., the subject is no longer employed by the organization sponsoring the certificate).

427
Q

What is a data processor?

A

A service provider that processes personal information on behalf of a data controller.

428
Q

What are four prevalent techniques used in cybersecurity for detecting malware in systems and networks?

A
  1. Signature-based Detection: This method relies on a database of known malware signatures to identify threats by comparing files against these signatures.
  2. Heuristic/Behavior-based Detection: Utilizes algorithms to analyze the behavior of programs and detect abnormal actions that could indicate malicious intent, rather than relying solely on known malware signatures.
  3. Artificial Intelligence (AI) and Machine Learning (ML) Systems: These techniques leverage complex models that learn from vast amounts of data on malware characteristics and behavior, improving over time to predict and identify new types of malware.
  4. Sandboxing: Involves executing programs in a controlled virtual environment to observe their behavior. Any suspicious or potentially harmful activity is contained within the sandbox, preventing damage to the actual system.
429
Q

What are three typical classifications that are used to describe penetration test types?

A

Known environment, unknown environment, and partially known environment

430
Q

What are two primary models for generation of one-time passwords?

A

HMAC-based one-time passwords (HOTP), in which each code is derived from a shared secret and a counter that increments on every use, and time-based one-time passwords (TOTP), in which the counter is replaced by the current time divided into fixed steps (typically 30 seconds), so codes expire on their own.

431
Q

Name four common mobile device deployment and management models.

A

BYOD (bring your own device), CYOD (choose your own device), COPE (corporate-owned, personally enabled), and corporate-owned

432
Q

What are rootkits?

A

A rootkit is a type of malicious software designed to gain unauthorized access to a computer system while hiding its presence. Rootkits enable continued privileged access to a computer by concealing certain processes, files, or system data from the operating system and antivirus programs. This stealthiness makes rootkits particularly dangerous and difficult to detect, allowing them to persist on a compromised system for an extended period without detection.

433
Q

Describe EDR.

A

Endpoint Detection and Response (EDR) tools are security solutions designed for continuous monitoring and response to threats on endpoint devices. They utilize a combination of real-time monitoring, data collection, and analytics to identify suspicious activities. EDR systems excel in investigating security incidents by examining historical data, enabling IT professionals to detect, investigate, and respond to cyber threats efficiently. Their strength lies in their ability to provide detailed forensic analysis and proactive threat hunting capabilities, enhancing an organization’s ability to respond to and mitigate potential security breaches.

Typical endpoint devices monitored by EDR tools include desktops, laptops, servers, and mobile devices such as smartphones and tablets. EDR solutions can also extend their monitoring to other connected devices within a network, like IoT devices, to provide comprehensive security coverage.

434
Q

What is SAML?

A

Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization information, typically between an identity provider and a service provider to implement single sign-on (SSO).

435
Q

What are three areas for capacity planning?

A

Three areas for capacity planning are people, technology, and infrastructure.

436
Q

Who are the typical team members in an incident response team?

A

Members of management or organizational leadership, technical experts, communications and public relations staff, legal and human resources staff, law enforcement

437
Q

What are the three common detection methods to identify unwanted and potentially malicious traffic?

A

Signature-based detections rely on a known hash or signature matching to detect a threat. Heuristic or behavior-based detections look for specific patterns or sets of actions that match threat behaviors. Anomaly-based detections establish a baseline for an organization or network and then flag behavior that departs from it.

438
Q

What do you call a network run over standard Internet connections but using multiple layers of encryption to provide anonymous communication?

A

The dark web: content hosted on an anonymity network (a darknet) such as Tor, which is reached over ordinary Internet connections but routes traffic through multiple layers of encryption.

439
Q

Name eight threat vectors.

A

Message-based threat vectors, wired networks, wireless networks, systems, files and images, removable devices, cloud, and supply chain

440
Q

What are two categories of cloud storage offerings?

A

Block storage allocates large volumes of storage for use by virtual server instance(s). Block storage splits data into fixed-sized blocks, each with a unique identifier. It’s efficient for databases and applications requiring high performance, as blocks can be stored across different environments.

Object storage provides customers with the ability to place files in buckets and treat each file as an independent entity that may be accessed over the web or through the provider’s API. Object storage keeps data as objects within a flat architecture, each containing the data, metadata, and a unique identifier. It’s scalable, cost-effective for storing vast amounts of unstructured data, such as photos, videos, and backup files, making it ideal for cloud storage solutions and big data analytics.

441
Q

What are the 9 stages in the EDRM model?

A
  • Information governance
  • Identification of electronically stored information
  • Preservation of the information
  • Collection of the information
  • Processing of the data
  • Review of the data
  • Analysis of the information
  • Production of the data
  • Presentation for testimony in court and for further analysis
442
Q

What is a data steward?

A

An individual who carries out the intent of the data controller and is delegated day-to-day responsibility for the data, such as its quality, classification, and appropriate use (in contrast to a custodian, who is responsible only for its secure safekeeping).

443
Q

What are four common methods of testing resilience and recovery controls?

A

Tabletop exercises, simulation exercises, parallel processing, and failover exercises

444
Q

What does blind SQL injection (SQLi) mean and what are two forms of blind SQL injection?

A

Blind SQL injection is SQL injection against an application that does not return query results or database error messages to the attacker. The attacker still controls part of the query and infers its results indirectly, one bit at a time. Two forms are content-based (boolean-based) blind SQLi, where an injected condition changes something observable about the response (a different page variant, length, or status code), and timing-based blind SQLi, where the injected statement makes the database pause (for example with a sleep function or a deliberately expensive query) so that the response time reveals whether a condition is true.
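The content-based form worked through against a constructed SQLite database, as an added example that is not part of the original deck. The application exposes only a found/not-found answer, yet the attacker recovers a password character by character through that single bit; the parameterized version beside it refuses the same input. The timing-based form is not shown because SQLite has no sleep function; in MySQL the oracle would be an injected SLEEP() and the observation a response delay instead of a page difference.

```python
import sqlite3

# Constructed in-memory database standing in for the application's backend.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES (1, 'alice', 's3cret')")
conn.commit()


def product_exists_vulnerable(user_id: str) -> bool:
    """The page only says 'found' or 'not found'. The attacker never sees
    query output, but the string-built WHERE clause lets injected conditions
    steer that one bit of information."""
    cur = conn.execute(f"SELECT 1 FROM users WHERE id = {user_id}")
    return cur.fetchone() is not None


def product_exists_hardened(user_id: str) -> bool:
    """Parameterised query: the value is bound, never parsed as SQL, and the
    int() conversion rejects anything that is not a number."""
    cur = conn.execute("SELECT 1 FROM users WHERE id = ?", (int(user_id),))
    return cur.fetchone() is not None


def injection_blocked(user_id: str) -> bool:
    """True if the hardened lookup refuses to treat the input as SQL."""
    try:
        product_exists_hardened(user_id)
    except ValueError:
        return True
    return False


def oracle(condition: str, lookup=product_exists_vulnerable) -> bool:
    """Content-based blind SQLi: AND an attacker-chosen condition onto a
    known-true lookup and watch whether the page's answer flips."""
    return lookup(f"1 AND ({condition})")


SECRET = "(SELECT password FROM users WHERE name='alice')"


def extract_password(lookup=product_exists_vulnerable) -> str:
    """Recover alice's password using only the true/false oracle: first the
    length, then a binary search over printable ASCII for each position."""
    length = next(n for n in range(1, 64) if oracle(f"length({SECRET}) = {n}", lookup))
    recovered = ""
    for pos in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr({SECRET}, {pos}, 1)) > {mid}", lookup):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    print(product_exists_vulnerable("1"), product_exists_vulnerable("1 AND (1=2)"))
    print(extract_password())                      # s3cret, via ~6 + 6*7 requests
    print(injection_blocked("1 AND (1=1)"))        # True: hardened path rejects it
```

Each character costs about seven requests, so a six-character secret falls in under fifty requests even though no data is ever returned. Rate limiting and response normalisation raise the cost; only parameterised queries remove the flaw.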

445
Q

List common account types used for Windows systems.

A

User accounts; privileged or administrative accounts; shared and generic accounts or credentials; guest accounts; and service accounts associated with applications and services

446
Q

How do developers provide a way to confirm the authenticity of their code to end users?

A

Through code signing. Developers digitally sign their code (in practice, a hash of it) with their private key, and the operating system, browser, or package manager uses the public key in the developer’s certificate to verify that signature, confirming that the code came from the certificate holder and has not been modified since it was signed. A valid signature proves origin and integrity, not that the code is safe.

447
Q

List some major strengths of asymmetric key cryptography.

A
  • The addition of new users requires the generation of only one public-private key pair
  • users can be removed far more easily from asymmetric systems
  • key regeneration is required only when a user’s private key is compromised
  • asymmetric key encryption can provide integrity, authentication, and nonrepudiation
  • key distribution is a simple process
  • no preexisting communication link needs to exist.
448
Q

What are the four major information classification categories used by the U.S. government?

A

Top secret, secret, confidential, and unclassified

449
Q

What is the difference between an audit and an assessment?

A

Audits are formal reviews of an organization’s security program or specific compliance issues conducted on behalf of a third party. Assessments are less formal reviews of security controls that are typically requested by the security organization itself in an effort to engage in process improvement.

450
Q

What are two types of risk analyses and what are their differences?

A

Quantitative risk analyses use numeric data, resulting in assessments that allow the very straightforward prioritization of risks. Qualitative risk analysis substitutes subjective judgments and categories for strict numerical analysis, allowing the assessment of risks that are difficult to quantify.

451
Q

Describe how RFID cloning attacks work.

A

An attacker reads the identifier (and any other data) stored on a legitimate RFID tag or card, often with a handheld reader brought within range of the victim’s badge, and writes it to a blank, writable tag, producing a duplicate that the access control reader accepts as the original. Tags that simply transmit a static identifier are trivially cloned; resisting the attack requires tags that perform mutual authentication or use rolling codes rather than a fixed value.

452
Q

What are four fundamental goals of cryptography?

A

Confidentiality, integrity, authentication, and nonrepudiation.

453
Q

Why should a company establish key performance indicators (KPIs)?

A

KPIs quantitatively measure vendors’ performance in order to ensure that vendors are meeting the agreed-upon standards.

454
Q

How do environmental attacks work?

A

Environmental attacks include attacks like targeting an organization’s heating and cooling systems, maliciously activating a sprinkler system, and similar actions.

455
Q

Give some examples of controls that might affect scan results.

A

Firewall settings, network segmentation, intrusion detection systems (IDSs), intrusion prevention systems (IPSs)

456
Q

Describe the functions of DKIM, SPF, and DMARC in protecting email.

A

DomainKeys Identified Mail (DKIM) has the sending mail server add a DKIM-Signature header containing a digital signature over the message body and selected headers; the receiver fetches the signing domain’s public key from a DNS TXT record and verifies the signature, proving that the message was authorized by that domain and not altered in transit. Sender Policy Framework (SPF) allows organizations to publish, in a DNS TXT record, the list of servers authorized to send email for their domain; receivers check the connecting server’s IP address against that list. Domain-based Message Authentication, Reporting and Conformance (DMARC) builds on SPF and DKIM: the domain owner publishes a policy (none, quarantine, or reject) stating what receivers should do with messages that fail both checks, or whose passing check does not align with the visible From: domain, and where to send aggregate and forensic reports.
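The SPF check and the DMARC policy decision worked through in code, as an added example that is not part of the original deck. The TXT records are constructed for a hypothetical example.com (real records are fetched from DNS), the SPF evaluator is deliberately simplified to the ip4/ip6/all mechanisms (include, a, mx and exists need further DNS lookups and are not implemented), DKIM verification is represented by a boolean input, and the envelope domain is assumed to align with the From: domain.

```python
import ipaddress

# Constructed DNS TXT records for a hypothetical domain; not real records.
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, sender_ip: str, records=TXT_RECORDS) -> str:
    """Evaluate the ip4/ip6/all mechanisms of a domain's SPF record against the
    connecting IP (RFC 7208, simplified). The first matching mechanism's
    qualifier decides the result."""
    record = records.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"                       # no SPF published
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                     # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # 'in' is False (not an error) when the address families differ
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        else:
            raise NotImplementedError(f"mechanism {name!r} needs DNS lookups")
    return "neutral"                        # nothing matched and no 'all'


def parse_dmarc(domain: str, records=TXT_RECORDS) -> dict:
    """Parse the _dmarc.<domain> TXT record into tag/value pairs (RFC 7489)."""
    tags = {}
    for part in records.get("_dmarc." + domain, "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def disposition(domain: str, sender_ip: str, dkim_aligned: bool,
                records=TXT_RECORDS) -> str:
    """What a receiver does with the message: DMARC passes if SPF passes with
    an aligned domain (alignment assumed here) or an aligned DKIM signature
    verifies; otherwise the published policy 'p' applies."""
    spf_pass = check_spf(domain, sender_ip, records) == "pass"
    if spf_pass or dkim_aligned:
        return "deliver"
    policy = parse_dmarc(domain, records).get("p", "none")
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]


if __name__ == "__main__":
    print(check_spf("example.com", "192.0.2.10"))                    # pass
    print(check_spf("example.com", "198.51.100.7"))                  # fail
    print(disposition("example.com", "198.51.100.7", dkim_aligned=False))  # reject
```

Note that with p=none the failing message is still delivered; DMARC only bites once the policy is moved to quarantine or reject, which is why rollouts start at none and read the aggregate reports first.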

457
Q

What is parameter pollution?

A

HTTP parameter pollution is a technique attackers have used to defeat input validation by sending the same parameter more than once (for example id=42&id=42 OR 1=1). Web servers, frameworks, and security devices differ in whether they take the first value, the last value, or all of them, so a validator or WAF may inspect a harmless copy while the application acts on the malicious one.
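The first-versus-last mismatch shown in code, as an added example that is not part of the original deck. The query string is constructed; the two reading functions stand in for two layers of a real stack (a validator and a backend) that happen to disagree about which copy of a repeated parameter is “the” value.

```python
from urllib.parse import parse_qs, parse_qsl

# Constructed request: the attacker supplies 'id' twice.
POLLUTED_QUERY = "id=42&id=42%20OR%201%3D1"


def first_value(query: str, name: str):
    """How one layer (a WAF or front-end validator, say) might read a
    parameter: parse_qs groups repeats into a list; take the first."""
    return parse_qs(query).get(name, [None])[0]


def last_value(query: str, name: str):
    """How another layer (the backend framework, say) might read it: last wins."""
    values = [v for k, v in parse_qsl(query) if k == name]
    return values[-1] if values else None


def is_numeric(value) -> bool:
    return value is not None and value.isdigit()


def handle_vulnerable(query: str) -> str:
    """Validation and use disagree about which copy counts: the check sees
    '42' and passes, the query is then built from '42 OR 1=1'."""
    if not is_numeric(first_value(query, "id")):
        return "rejected"
    return f"SELECT ... WHERE id = {last_value(query, 'id')}"


def handle_hardened(query: str) -> str:
    """Refuse duplicated parameters outright and validate exactly the value
    that will be used. (The query should also be parameterised; the point
    here is the validation/use mismatch.)"""
    values = [v for k, v in parse_qsl(query) if k == "id"]
    if len(values) != 1 or not is_numeric(values[0]):
        return "rejected"
    return f"SELECT ... WHERE id = {values[0]}"


if __name__ == "__main__":
    print(first_value(POLLUTED_QUERY, "id"), "|", last_value(POLLUTED_QUERY, "id"))
    print(handle_vulnerable(POLLUTED_QUERY))   # validation passed, payload reached the query
    print(handle_hardened(POLLUTED_QUERY))     # rejected
```

The general lesson: validate the exact representation the consuming code will use, in the same component, rather than a parallel parse of the same bytes.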

458
Q

Describe the process of quantitative risk analysis.

A

Quantitative risk analysis evaluates the potential impact of identified risks in monetary terms. It starts by assigning a value to the asset at risk (AV) and estimating the exposure factor (EF), the fraction of that value a single occurrence would destroy. Multiplying the two gives the Single Loss Expectancy, SLE = AV × EF, the cost of one occurrence. Estimating how many times per year the risk is expected to occur, the annualized rate of occurrence (ARO), then gives the Annualized Loss Expectancy, ALE = SLE × ARO, a yearly financial loss estimate that can be compared directly with the annual cost of a control to decide whether that control is worth buying.

459
Q

Define due care.

A

Due care is the duty to take the reasonable steps a prudent organization would take to protect its assets. In practice it is the ongoing effort to ensure that the implemented policies and controls are effective and continuously maintained, as distinct from due diligence, the investigation and research that establish what those steps should be.

460
Q

What are two different techniques to ensure that the system is secure that modern UEFI firmware can leverage?

A

Secure Boot has the firmware verify the digital signature of each boot component (bootloader, kernel, early drivers) against keys the original equipment manufacturer (OEM) or the device owner trusts, and refuses to run anything unsigned or tampered with. Measured Boot is intended to detect boot-level malware rather than block it: the firmware measures (hashes) each component, starting with the firmware itself and ending with the boot-start drivers, and records the measurements in the TPM’s PCRs, where they can later be attested to a remote verifier or used to seal keys (as BitLocker does).

461
Q

What is the formula to calculate the severity of a risk?

A

Risk Severity = Likelihood * Impact

462
Q

List the common logs used by incident responders.

A
  • System logs
  • application logs
  • security logs
  • vulnerability scan output
  • network and security device logs
  • web logs
  • DNS logs
  • authentication logs
  • dump files
  • VoIP logs
  • SIP logs
463
Q

What security constraints do you need to take into account when you consider security for embedded systems?

A
  • The overall computational power and capacity of embedded systems is usually much lower than a traditional PC or mobile device
  • embedded systems may not connect to a network
  • without network connectivity, sufficient CPU and memory capacity, and other supporting elements, authentication is also likely to be impossible
  • embedded systems may be very low cost, but many are effectively very high cost because they are a component in a larger industrial or specialized device
464
Q

List the four cloud deployment models.

A

Public cloud, private cloud, community cloud, and hybrid cloud.

465
Q

What are playbooks?

A

Step-by-step guides intended to help incident response teams take the right steps in a given scenario.

466
Q

What are the three major components of a security assessment?

A
  1. Vulnerability Assessment: This involves identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. Tools and techniques such as automated scanning software and manual testing methods are used to discover vulnerabilities in systems and network infrastructures. The aim is to find security weaknesses that could be exploited by attackers.
  2. Threat Assessment: This component focuses on identifying the potential threats facing an organization. This includes analyzing who the attackers might be, their motives, and their methods of attack. Threat assessments help organizations understand the risks associated with different types of threats, such as cyber criminals, insider threats, or state-sponsored attackers.
  3. Risk Assessment: This involves evaluating the identified vulnerabilities and threats to estimate the risk they pose to the organization. It considers the likelihood of a security incident occurring and its potential impact on the organization. Risk assessments help in prioritizing security measures based on the risk they mitigate and in making informed decisions about security policies, procedures, and technologies.

Together, these components help organizations understand their security posture, anticipate potential security issues, and plan appropriate defensive measures.

467
Q

Give some ways that an attacker might obtain a cookie

A
  • Eavesdropping on unencrypted network connections and stealing a copy of the cookie as it is transmitted between the user and the website
  • installing malware on the user’s browser that retrieves cookies and transmits them back to the attacker
  • engaging in an on-path attack, where the attacker fools the user into thinking that the attacker is actually the target website and presents a fake authentication form; the attacker may then authenticate to the real website on the user’s behalf and obtain the cookie
468
Q

What principle states that data is subject to the legal restrictions of any jurisdiction where it is collected, stored, or processed?

A

Data sovereignty is a principle that states that data is subject to the legal restrictions of any jurisdiction where it is collected, stored, or processed.

469
Q

What are six steps in the incident response process?

A

Preparation, identification, containment, eradication, recovery, and lessons learned

470
Q

What are two major categories of modern ciphers and what are their methods of operation?

A

Block ciphers operate on “chunks,” or blocks, of a message and apply the encryption algorithm to an entire message block at the same time. Stream ciphers operate on one character or bit of a message (or data stream) at a time.

471
Q

List four types of protocol-level protections.

A

Loop Prevention: Implements mechanisms to detect and prevent network loops, which can cause flooding and disrupt network communication.

Broadcast Storm Prevention: Utilizes techniques to limit or prevent broadcast storms, excessive broadcasting that overwhelms network resources.

Bridge Protocol Data Unit (BPDU) Guard: A security feature that prevents accidental or malicious BPDU messages from causing changes in the network topology, protecting spanning-tree protocols.

Dynamic Host Configuration Protocol (DHCP) Snooping: A security feature that filters untrusted DHCP messages to prevent rogue DHCP servers from assigning IP addresses, enhancing network integrity.

472
Q

List some weaknesses of symmetric key cryptography.

A
  • Key exchange is a major problem
  • symmetric key cryptography does not implement nonrepudiation
  • the algorithm is not scalable
  • keys must be regenerated often
473
Q

Name at least three authentication technologies.

A
  • Extensible Authentication Protocol (EAP)
  • Challenge Handshake Authentication Protocol (CHAP)
  • Password Authentication Protocol (PAP)
  • 802.1X
  • Remote Authentication Dial-In User Service (RADIUS)
  • Terminal Access Controller Access Control System Plus (TACACS+)
  • Kerberos
474
Q

What is a right-to-audit clause?

A

Part of the contract between the cloud service and an organization. A right-to-audit clause provides either a direct ability to audit the cloud provider or an agreement to use a third-party audit agency.

475
Q

Give three examples of personnel management practices

A
  • Least privilege
  • separation of duties
  • job rotation and mandatory vacations
  • clean desk space
  • onboarding and offboarding
  • nondisclosure agreements (NDAs)
  • social media
  • user training
476
Q

Give three examples of features that an organization may want or need to ensure that mobile devices and the data they contain are secure.

A

  • Application management
  • Content management
  • Remote wipe
  • Geolocation and geofencing
  • Screen locks, passwords, and PINs, which are part of normal device security models to prevent unauthorized access
  • Biometrics
  • Context-aware authentication
  • Containerization, an increasingly common solution for separating work and personal use contexts on a device
  • Storage segmentation, which can likewise keep personal and business data separate
  • Full-device encryption (FDE)

477
Q

What are five basic requirements for a cryptographic hash function?

A
  • They accept an input of any length
  • they produce an output of a fixed length
  • the hash value is relatively easy to compute
  • the hash function is one-way (meaning that it is extremely hard to determine the input when provided with the output)
  • the hash function is collision free (meaning that it is extremely hard to find two messages that produce the same hash value)
478
Q

Identify the four key phases of a penetration test.

A

Initial access, privilege escalation, pivoting (lateral movement), and persistence

479
Q

Name three endpoint protection solutions.

A

Host-based firewall, host intrusion prevention system (HIPS), and host intrusion detection system (HIDS)

480
Q

What do you call a geographic view of threat intelligence?

A

A threat map.

481
Q

What is the function of virtual private clouds?

A

VPCs are used to group systems into subnets and designate those subnets as public or private, depending on whether access to them is permitted from the Internet.

482
Q

List all eight CVSS metrics and describe what kinds of measurements they evaluate.

A

The eight Common Vulnerability Scoring System (CVSS) metrics are:

Exploitability of the vulnerability
1) Attack vector
2) Attack complexity
3) Privileges Required (PR)
4) User Interaction (UI)

Impact of the vulnerability
5) Confidentiality
6) Integrity
7) Availability

Scope of the vulnerability
8) Scope

483
Q

List at least three backup and replication methods.

A

RAID, journaling, full and incremental backups, snapshots, images, copies of individual files, backup media, cloud backups, and off-site or on-site storage

484
Q

What provides application-level virtualization?

A

A container

485
Q

What does the following CVSS vector mean? CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

A
  • Attack Vector (AV:N): The vulnerability is exploitable remotely over the network.
  • Attack Complexity (AC:L): Low; no special conditions outside the attacker’s control are needed, so exploitation is repeatable.
  • Privileges Required (PR:N): No privileges are needed; the attacker can be unauthenticated.
  • User Interaction (UI:N): No user needs to do anything for the exploit to succeed.
  • Scope (S:U): Unchanged; the vulnerable component and the impacted component are the same, so the damage stays within that component’s security authority.
  • Confidentiality (C:H): High; a total loss of confidentiality, with all resources within the impacted component disclosed to the attacker.
  • Integrity (I:N): No impact on integrity; data is not altered or destroyed.
  • Availability (A:N): No impact on availability; there is no disruption to system access or reliability.
  • Together these give a base score of 7.5 (High): the profile of an unauthenticated, remote information disclosure.
486
Q

What is a data subject?

A

An individual whose personal data is being processed.

487
Q

List at least three key elements of the rules of engagement for a penetration test.

A

1) Timeline and Schedule: Specific dates and times when the penetration test will occur to minimize impact on operations.
2) Valid Targets: Clearly defined targets for testing, including systems, networks, and applications.
3) Data Handling Requirements: Guidelines on how data discovered or generated during the test will be secured, used, and disposed of.
4) Expected Behaviors: Descriptions of allowable actions and techniques during the test to avoid unnecessary risks.
5) Resource Commitment: Details on the resources (both human and technical) allocated for the test.
6) Legal and Compliance Considerations: A thorough review of applicable laws and regulations to ensure the testing complies with all legal requirements.
7) Communication Protocols: Procedures for how and when communication will occur between the testing team and the organization, including escalation paths for discovered vulnerabilities.

488
Q

Name at least three types of viruses.

A

Memory-Resident Viruses: These viruses embed themselves in the computer’s memory, enabling them to execute malicious actions anytime the operating system runs.

Non-Memory Resident Viruses: Activated only when a specific condition is met or a specific program is run, not residing in memory otherwise.

Boot Sector Viruses: Infect the boot sector of a storage device (e.g., hard drives, USB drives), executing malicious code at startup before the operating system loads.

Macro Viruses: Written in the macro language of software applications (like Microsoft Word), executing malicious scripts when the host application runs.

Email Viruses: Spread through email attachments or links, executing when the attachment is opened or the link is clicked, potentially leading to widespread infections.

489
Q

Give four important considerations that come into play with cloud and off-site third-party backup options.

A

Bandwidth requirements for both the backups themselves and restoration time if the backup needs to be restored partially or fully; time to retrieve files and cost to retrieve files; reliability is also crucial; and new security models may also be required for backups.

490
Q

What are common elements in a typical forensic report?

A

A summary of the forensic investigation and findings; an outline of the forensic process, including tools used and any assumptions that were made about the tools or process; a series of sections detailing the findings for each device or drive—accuracy is critical when findings are shared, and conclusions must be backed up with evidence and appropriate detail; and recommendations or conclusions in more detail than the summary included.

491
Q

What is a data custodian?

A

An individual or team who does not have controller or stewardship responsibility but is responsible for the secure safekeeping of information.

492
Q

What do you call a document that provides mandatory requirements describing how an organization will carry out its information security policies?

A

A standard

493
Q

List and explain three major types of authentication in modern Wi-Fi networks.

A

Open Networks: These networks do not implement authentication or encryption, making them highly accessible but unsecured. They might use a captive portal to gather user information or consent.

Preshared Keys (PSK): All users share one passphrase from which the encryption keys are derived. This gives a basic level of protection, but because the key is shared, users cannot be individually identified, and revoking one person’s access means rekeying everyone.

Enterprise Authentication: Utilizes a RADIUS server to manage user credentials and employs Extensible Authentication Protocol (EAP) for robust, individualized authentication, suitable for larger or more security-conscious organizations.

494
Q

What is brand impersonation?

A

A phishing technique in which the attacker imitates a well-known brand’s logos, domains, e-mail templates, and login pages to persuade users that they are logging into their existing accounts, particularly at stores and banks, so that the credentials they enter can be captured.

495
Q

What are three key threats to cybersecurity programs?

A

Disclosure, alteration, and denial

496
Q

What is the process of obtaining and protecting forensic data called?

A

Preservation

497
Q

What are three common questions that come into play when we assess a threat intelligence source or a specific threat intelligence notification?

A

Is it timely? Is the information accurate? Is the information relevant?

498
Q

What do many organizations use to coordinate changes to information systems?

A

Maintenance windows.

499
Q

What is crucial for managing and mitigating third-party risks?

A

Effective vendor monitoring is crucial for managing and mitigating third-party risks.

500
Q

Name five factors that influence how often an organization decides to conduct vulnerability scans against its systems.

A

Risk appetite, regulatory requirements, technical constraints, business constraints, licensing limitations

501
Q

What are four major categories of penetration testing?

A

Physical Penetration Testing: Focuses on exploiting vulnerabilities in physical security measures (e.g., locks, security passes, and sensors) to gain unauthorized access to secure areas.

Offensive Penetration Testing: Aims to actively exploit weaknesses in an organization’s systems, applications, or networks, mimicking the actions of potential attackers to identify vulnerabilities.

Defensive Penetration Testing: Involves testing the effectiveness of an organization’s defensive mechanisms, such as firewalls, intrusion detection systems, and response protocols, against potential attacks.

Integrated Penetration Testing: Combines elements of both offensive and defensive penetration testing to provide a comprehensive assessment of an organization’s overall security posture, examining how well different security measures work together.

502
Q

What are two major usage modes provided by WPA3?

A

WPA3-Personal uses Simultaneous Authentication of Equals (SAE), a password-authenticated key exchange that replaces WPA2’s preshared-key handshake and protects against offline dictionary attacks on captured traffic, while still allowing clients to authenticate without an authentication server infrastructure. The other is WPA3-Enterprise, which relies on a RADIUS authentication server as part of an 802.1X implementation, so users have unique credentials and can be individually identified and deprovisioned.

503
Q

What is the best way to detect a rootkit?

A

The best way to detect a rootkit is to test the suspected system from a trusted system or device. In cases where that isn’t possible, rootkit detection tools look for behaviors and signatures that are typical of rootkits.

504
Q

What is shadow IT?

A

IT implementations, systems, and services created through unofficial means, often by well-meaning employees or by employees outside of central IT.

505
Q

What are four key metrics in the BIA process?

A

Business Impact Analysis metrics:

Mean Time Between Failures (MTBF): The average duration between system failures, indicating overall reliability.

Mean Time to Repair (MTTR): The average time required to repair and restore a system after a failure, reflecting maintenance efficiency.

Recovery Time Objective (RTO): The maximum duration an organization can tolerate system downtime before significant harm occurs, guiding disaster recovery planning.

Recovery Point Objective (RPO): The maximum amount of data loss an organization can withstand during a disruption, used to determine backup frequency.

506
Q

What kinds of issues should security analysts be aware of when dealing with IoT devices?

A
  • Poor security practices, such as weak default settings and lack of network security measures like firewalls.
  • Exposed or vulnerable services that can be easily exploited.
  • Lack of encryption for data transfer, leading to potential data interception.
  • Weak authentication mechanisms and the use of embedded credentials, making unauthorized access easier.
  • Insecure data storage practices, putting sensitive information at risk.
  • Short support lifespans, leaving devices without updates or patches.
  • Vendor data handling practice issues, raising concerns over privacy and data protection.
507
Q

What are port mirrors and a SPAN?

A

  • A port mirror duplicates all traffic from one switch port to another for monitoring purposes.
  • A SPAN (Switched Port Analyzer) can replicate traffic from one or multiple switch ports to a single port, facilitating comprehensive traffic analysis.

508
Q

What are some examples of physical controls?

A

Fences, perimeter lighting, locks, fire suppression systems, and burglar alarms

509
Q

What is the Linux dd command? Give an example to copy a drive mounted as /dev/sda to a file called example.img.

A

The Linux dd command is a command-line utility that allows you to create disk images for forensic or other purposes.

Example: dd if=/dev/sda of=example.img conv=noerror,sync

510
Q

What are runbooks?

A

Runbooks are detailed documentation designed to guide IT and system administrators through the procedures for routine operations and troubleshooting. They include step-by-step instructions, scripts, and workflows to efficiently manage and resolve system events, ensuring consistent and reliable operation.

511
Q

What are two types of proxy servers?

A

Forward Proxies: Situated between clients and the external servers they wish to access, forwarding client requests to the internet. They can provide anonymity, content filtering, and bypass content restrictions.

Reverse Proxies: Positioned in front of one or more servers, intercepting requests from clients. They are utilized for load balancing, SSL termination, and caching to enhance security, performance, and scalability.

512
Q

Give some types of configuration settings recommended by CIS benchmark for Windows.

A

Password History: Remember the last 24 or more passwords to prevent users from reusing old passwords.

Maximum Password Age: Set to 60 days or fewer (but not 0) to mandate password changes approximately every 2 months.

Minimum Password Length: Require passwords to be 14 characters or longer for added security.

Password Complexity: Enforce the use of complex passwords that include a mix of letters, numbers, and symbols.

Reversible Encryption: Disable the storage of passwords using reversible encryption to enhance security.

513
Q

What are some examples of operational controls?

A

User access reviews, log monitoring, and vulnerability management

514
Q

What is the primary goal of change management?

A

To ensure that changes do not cause outages.

515
Q

What are some of the attributes used in an X.509 certificate?

A

  • Version of X.509
  • Serial number
  • Signature algorithm identifier
  • Issuer name
  • Validity period
  • Subject’s Common Name (CN)
  • Subject Alternative Names (SAN) - Optionally included to specify additional items like IP addresses and domain names protected by the certificate
  • Subject’s public key

516
Q

Describe how zero trust works.

A

Zero trust presumes that there is no trust boundary and no network edge. Each action is validated when requested as part of a continuous authentication process and access is only allowed after policies are checked, including elements like identity, permissions, system configuration and security status, threat intelligence data review, and security posture.

517
Q

What is an attack surface?

A

An attack surface refers to the sum of all possible points (software, network, and human) where an unauthorized user (the attacker) can try to enter or extract data from an environment. It encompasses all the different parts of your system that are accessible to an outsider, making it a critical consideration for cybersecurity defense strategies.

518
Q

List common biometric technologies.

A

Fingerprints, retina scanning, iris recognition, facial recognition, voice recognition, vein recognition, and gait analysis

519
Q

What is the function of a hardware security module (HSM)?

A

HSMs manage encryption keys and perform cryptographic operations efficiently.

520
Q

List four standard agreements used in third-party risk management.

A

Master Service Agreements (MSA): Outline the general terms and conditions under which the services will be provided, including roles, responsibilities, and scope of work.

Service Level Agreements (SLAs): Detail the specific levels of service being provided, including performance metrics, response times, and remedies for service failures.

Memorandum of Understanding (MOU): A less formal agreement outlining the mutual goals and understanding between parties, often used as a preliminary agreement before a formal contract.

Memorandum of Agreement (MOA): Similar to an MOU, it details a mutual agreement between parties but is often more formal and detailed.

Business Partner Agreements (BPAs): Specify the terms and conditions under which business partners will work together, focusing on the distribution of responsibilities and benefits.

521
Q

What control should organizations put in place to ensure that successful ransomware infections do not incapacitate the company?

A

One of the most important defenses against ransomware is an effective backup system that stores files in a separate location that will not be impacted if the system or device it backs up is infected and encrypted by ransomware.

522
Q

What are microwave sensors?

A

Microwave sensors establish a baseline for a room or space by recording the normal responses to the microwaves they emit. When those responses change, the sensor triggers. They can detect motion through materials that infrared sensors cannot.

523
Q

List four incident response plan types.

A

Communication Plans: Detail how information about an incident is communicated internally and externally, specifying who needs to be informed, how, and when.

Stakeholder Management Plans: Outline strategies for keeping all stakeholders informed about the incident’s impact and response efforts, maintaining trust and transparency.

Business Continuity Plans: Focus on maintaining essential business functions operational during and after an incident, minimizing disruption to operations.

Disaster Recovery Plans: Specific procedures for recovering from significant disruptions, detailing how to restore systems, data, and infrastructure to normal operation.

524
Q

Name seven elements in the security information and event management system.

A

SIEM Dashboard: The visual interface that presents a comprehensive overview of security events and alerts, allowing for quick assessment and decision-making.

Sensors: Devices or software agents that collect security data from the network, endpoints, and other systems to be analyzed by the SIEM.

Sensitivity and Threshold Settings: Configurations that determine the level of activity that will trigger an alert, helping to balance between detecting genuine threats and minimizing false positives.

Trends: Analytical features that identify patterns and trends in security data over time, aiding in the prediction and prevention of future security incidents.

Alerts and Alarms: Notifications generated by the SIEM when security events meet predefined criteria, signaling potential security incidents.

Correlation and Analysis: The process of comparing and analyzing security data from various sources to identify potential security threats and incidents.

Rules: Predefined logic that the SIEM uses to evaluate incoming security data and determine when to generate alerts or take automated actions.

525
Q

What are the differences between stateless firewalls and stateful firewalls?

A

Stateless firewalls (sometimes called packet filters) filter every packet based on data like the source and destination IP and port, the protocol, and other information that can be gleaned from the packet’s headers, whereas stateful firewalls (sometimes called dynamic packet filters) pay attention to the state of traffic between systems.

526
Q

Name the phases of the software development life cycle (SDLC).

A

Planning: The initial phase where project goals, scope, and constraints are defined, along with resource allocation and project timelines.

Requirements Definition: Gathering and analyzing user and system requirements to ensure the software will meet the intended needs and specifications.

Design: Outlining the software architecture, components, interfaces, and data models, based on the requirements defined in the previous phase.

Coding: The actual development and coding of the software based on the design specifications.

Testing: Verifying that the software meets all requirements and is bug-free. This phase includes unit testing, integration testing, and system testing.

Training and Transition: Preparing end-users and administrators for the new system through training, and transitioning the software from development to production environments.

Ongoing Operations and Maintenance: Regularly updating the software and fixing issues as they arise to ensure it continues to meet user needs and operates smoothly.

End-of-Life Decommissioning: Phasing out the software when it’s no longer needed or viable, including data migration and system shutdown processes.

527
Q

What documentation is created to demonstrate that forensic data and artifacts were handled properly and that they were not modified or changed during the forensic process?

A

Chain-of-custody documentation.

528
Q

What term describes the original level of risk that exists before implementing any controls?

A

The inherent risk facing an organization is the original level of risk that exists before implementing any controls. Inherent risk takes its name from the fact that it is the level of risk inherent in the organization’s business.

529
Q

List four types of factors in multifactor authentication and explain them.

A

Something You Know: This factor includes secrets or knowledge unique to the user, such as passwords, PINs, or answers to security questions. It’s the most traditional form of authentication.

Something You Have: Refers to a physical device in the user’s possession used for authentication, like a smart card, a security token, or a mobile phone app that generates one-time passwords (OTPs).

Something You Are: Involves biometric verification based on inherent physical or behavioral traits, such as fingerprints, facial recognition, or voice patterns, offering higher security by using unique personal characteristics.

Somewhere You Are (Location Factor): Utilizes the user’s geographical location as an authentication method. This can be determined through GPS technology, network triangulation, or IP address location, adding an additional layer of security by verifying the user’s location.

530
Q

What is RAID 5 and what are its advantages and disadvantages?

A

RAID 5: A RAID configuration that stripes data and parity information across three or more disks.

Advantages:
- Fast data reads due to striping.
- Can rebuild data from a failed drive using parity information, maintaining data integrity with a single drive failure.
- Efficient use of disk space compared to mirroring.

Disadvantages:
- Only tolerates the failure of one drive; losing more than one drive results in data loss.
- Data writes are slower compared to reads because of the need to calculate and write parity information.
- Rebuilding the array after a drive failure can be slow and may impact system performance, especially on large disks.

531
Q

Name six major information security regulations facing organizations.

A

HIPAA, PCI DSS, GLBA, SOX, GDPR, and FERPA

532
Q

What are two types of advanced security camera capabilities?

A

Motion recognition and object detection

533
Q

What are three components in the NIST framework?

A

The Framework Core: Consists of cybersecurity activities, desired outcomes, and informative references organized around five functions: Identify, Protect, Detect, Respond, and Recover, providing a strategic view of the lifecycle of cybersecurity risk management.

The Framework Implementation Tiers: Describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework, ranging from Partial (Tier 1) to Adaptive (Tier 4), helping organizations gauge their approach to managing cybersecurity risk.

The Framework Profile: Enables organizations to establish a roadmap for improving their cybersecurity posture by comparing a “Current” Profile (the cybersecurity outcomes currently being achieved) to a “Target” Profile (the outcomes needed to achieve the desired cybersecurity risk management goals), facilitating the identification of opportunities for improvement.

534
Q

What are two distinct goals of digital signature infrastructure?

A

Digitally signed messages assure the recipient that the message truly came from the claimed sender. They enforce nonrepudiation. Digitally signed messages assure the recipient that the message was not altered while in transit between the sender and recipient. This protects against both malicious modification and unintentional modification.

535
Q

What are four types of information-gathering tools included in the Security+ exam outline?

A

Honeypots: Designed to mimic real systems that appear vulnerable to attract attackers, allowing security professionals to study attack methods and behaviors by recording interactions.

Honeynets: Specialized networks that simulate realistic environments to entice attackers, serving as a more extensive version of honeypots to gather information on network-based attacks.

Honeyfiles: Deliberately placed files containing unique, traceable data, positioned to seem appealing to intruders, aimed at detecting unauthorized access or data exfiltration attempts.

Honeytokens: Similar to honeyfiles, these are fabricated data elements (such as fake credentials or database entries) embedded within systems to lure attackers, enabling tracking and alerting on illicit activities.

536
Q

What is the process of conducting a digital investigation intended to find artifacts related to criminal activity or for litigation called?

A

E-discovery

537
Q

Name five common access control schemes.

A

Attribute-Based Access Control (ABAC): Decisions to grant or deny access are based on attributes of the user, resource, and environment, allowing for dynamic and context-aware policies.

Role-Based Access Control (RBAC): Access rights are assigned based on roles within an organization, simplifying management by grouping permissions into roles assigned to users.

Rule-Based Access Control (RuBAC): Access is granted or denied based on a set of rules defined by system administrators, often used in network devices like firewalls.

Mandatory Access Control (MAC): Access decisions are made based on mandated regulations determining how information is classified and who has the clearance to access it.

Discretionary Access Control (DAC): The owner of the resource decides who is allowed to access it, with the capability to delegate access control to other users.

538
Q

Describe key elements of DLP.

A

Data Classification: The foundation of DLP, enabling organizations to identify and categorize data based on its sensitivity and value, determining which data requires protection.

Data Labeling/Tagging: Supports data classification by assigning labels or tags to data, facilitating efficient management and policy application by making the data’s nature and requirements clear.

Policy Management and Enforcement: Allows for the creation, management, and application of rules that govern how data is handled, stored, and transmitted, ensuring data is used in compliance with organizational standards and regulatory requirements.

Monitoring and Reporting: Provides continuous oversight of data handling and movement within the organization, with the ability to alert security personnel to violations, potential breaches, or other concerns, enabling rapid response to secure data.

539
Q

What are a few network hardening techniques?

A

VLAN Utilization: Segment networks based on trust levels, user groups, or system types, enhancing security by isolating sensitive areas and reducing the attack surface.

IoT Device Segregation: Place Internet of Things (IoT) devices on a dedicated, secure VLAN to minimize risks associated with these often less-secure devices.

Guest Network Isolation: Use VLANs to create separate networks for guests, ensuring unauthorized access to critical corporate resources is blocked.

VoIP Isolation: Isolate VoIP phones from workstations and other network devices on their own VLAN to protect voice communications and reduce potential attack vectors.

Default Password Changes: Replace factory-set passwords with strong, unique passwords to prevent unauthorized access facilitated by default credentials.

Software Minimization: Remove or disable unnecessary software and services to reduce vulnerabilities and limit potential entry points for attackers.

540
Q

Describe the continuous integration (CI) and continuous deployment (CD) pipeline.

A

In the Continuous Integration (CI) and Continuous Deployment (CD) pipeline:

  1. Developer Commit: The process begins when a developer commits a change to the version control repository.
  2. Automated Build: This commit triggers an automated build process, compiling the code into an executable form.
  3. Build Report: Upon completion, a build report is generated, detailing the success or failure of the build process.
  4. Automated Testing: The successful build is then automatically tested against predefined test cases to ensure the new changes do not break or degrade the application.
  5. Test Report: A test report is delivered, summarizing the outcomes of the tests. This report identifies whether the build has passed all tests and is of sufficient quality to move on to the next stage.
  6. Code Deployment: If the build passes all tests, the code is automatically deployed to the production environment or a staging environment for further validation, completing the cycle from code commit to deployment with minimal human intervention.

541
Q

List the common elements in designs for redundancy.

A

Geographic Dispersion: Distributing systems across different geographical locations to protect against regional failures or disasters, ensuring continuity of operations.

Server and Device Separation: Placing servers and critical devices in separate physical zones within data centers to minimize the impact of localized incidents.

Multipath Networking: Implementing multiple network paths between devices and services to ensure continuous network connectivity in case one path fails.

Redundant Network Devices: Utilizing pairs or clusters of network devices (such as routers and switches) to prevent downtime from a single device failure.

Power Protection: Employing backup power solutions like uninterruptible power supplies (UPS) and generators to maintain operations during power outages.

Systems and Storage Redundancy: Duplication of critical system components and data storage to enable quick recovery from hardware failures.

Platform Diversity: Using a variety of hardware and software platforms to mitigate the risk of simultaneous failures across systems due to shared vulnerabilities.

542
Q

What is frequency analysis?

A

Frequency analysis involves looking at the blocks of an encrypted message to determine if any common patterns exist.

543
Q

What are three key lengths allowed by the AES cipher and what are their corresponding number of encryption rounds?

A

128-bit keys require 10 rounds of encryption; 192-bit keys require 12 rounds of encryption; and 256-bit keys require 14 rounds of encryption.

544
Q

What is NFC and how is it most frequently used?

A

NFC (Near-Field Communication) is a technology that enables wireless communication over short distances, typically less than 4 cm. It allows for the simple and secure exchange of data between devices. One of the most common uses of NFC is in mobile payment systems, such as Apple Pay and Google Wallet, where a user can make transactions by simply tapping their smartphone against a payment terminal. Due to its short range, NFC is not suited for creating networks of devices but is ideal for quick, low-bandwidth interactions like payments, ticketing, access control, and simple data transfers between devices.

545
Q

What is a cipher?

A

A method used to scramble or obfuscate characters to hide their value. Ciphering is the process of using a cipher to do that type of scrambling to a message.

546
Q

What is the function to calculate the impact sub-score?

A

ISS = 1 – [(1 – Confidentiality) × (1 – Integrity) × (1 – Availability)]

547
Q

How does FDE work?

A

Full disk encryption (FDE) encrypts the disk and requires that the bootloader or a hardware device provide a decryption key and software or hardware to decrypt the drive for use.

548
Q

What are three phases of a baseline’s life cycle?

A

Establishing a Baseline:
This phase involves defining the standard security settings and practices for systems and networks. It requires comprehensive analysis to determine the optimal configurations that balance security needs with business requirements.

Deploying the Security Baseline:
Once established, the baseline configurations and policies are implemented across the organization’s systems and networks. This deployment ensures that all assets adhere to the defined security standards.

Maintaining the Baseline:
The final phase involves regular reviews and updates to the baseline to adapt to new threats, vulnerabilities, and changes in the organization’s environment. This maintenance is crucial for ensuring the baseline remains relevant and effective in securing the organization’s assets.

549
Q

Define baseline

A

A set of security standards or norms for the system or network, establishing a minimum level of security.

550
Q

Define AAA

A

AAA (Authentication, Authorization, and Accounting): A framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. These processes are critical for effective network management and security.

551
Q

Define AH

A

AH (Authentication Header): A component of the IPsec protocol suite that provides connectionless integrity and data origin authentication for IP datagrams and provides protection against replay attacks.

552
Q

Define AIS

A

AIS (Automated Indicator Sharing): A capability that allows the sharing of cyber threat indicators and defensive measures among federal entities, private sector partners, and international partners to help manage and mitigate cybersecurity threats.

553
Q

Define ARP

A

ARP (Address Resolution Protocol): A communication protocol used for discovering the link layer address, such as a MAC address, associated with a given internet layer address, typically an IPv4 address. This protocol is fundamental for the functioning of IPv4 networks.

554
Q

Define ASLR

A

ASLR (Address Space Layout Randomization): A computer security technique involved in preventing exploitation of memory corruption vulnerabilities by randomly arranging the positions of key data areas of a process, including the base of the executable and the positions of the stack, heap, and libraries.

555
Q

Define ATT&CK

A

ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge): A globally-accessible knowledge base of adversary tactics and techniques based on real-world observations used as a foundation for developing threat models and methodologies in the private sector, government, and the cybersecurity product and service community.

556
Q

Define BIA

A

BIA (Business Impact Analysis): A process that identifies and evaluates the potential effects (financial, life, regulatory, reputation, etc.) of natural and man-made events on business operations. It is crucial for developing strategies for disaster recovery, business continuity, and crisis management.

557
Q

Define BPDU

A

BPDU (Bridge Protocol Data Unit): A type of network message that is exchanged across the Spanning Tree Protocol (STP) enabled switches within an extended local area network, used for detecting loops and managing the physical network topology.

558
Q

Define CBC

A

CBC (Cipher Block Chaining): A mode of operation for block cipher encryption that provides stronger security by combining the plaintext of the current block with the ciphertext of the previous block, ensuring that identical plaintext blocks encrypt to different ciphertext blocks.

559
Q

Define CCMP

A

CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol): An encryption protocol used in Wi-Fi networks to provide strong data protection by combining the techniques of counter mode for data confidentiality and CBC-MAC for integrity and authentication.

560
Q

Define CCTV

A

CCTV (Closed Circuit Television): A surveillance technology used for security purposes, which employs video cameras to transmit a signal to a specific, limited set of monitors, differing from broadcast television.

561
Q

Define CERT

A

CERT (Computer Emergency Response Team): Organizations or teams that provide expert advice and assistance in handling computer security incidents, such as cyber attacks or vulnerabilities, often working to prevent future incidents through awareness and education.

562
Q

Define CFB

A

CFB (Cipher Feedback Mode) is a mode of operation used with block cipher encryption algorithms, enabling them to encrypt data in a continuous stream rather than fixed blocks. This mode effectively transforms a block cipher into a stream cipher, making it possible to encrypt data of any size, even smaller than the cipher’s designated block size. In CFB mode, each plaintext segment is XORed (combined using the bitwise exclusive OR operation) with the previous ciphertext segment before being encrypted. This process creates a chain where the encryption of each segment depends on the preceding segment, providing self-synchronization. This chaining mechanism allows for the encryption of data streams of variable lengths, offering flexibility and efficiency, especially for encrypting small amounts of data or data of unpredictable length.

563
Q

Define CHAP

A

CHAP (Challenge Handshake Authentication Protocol): A network authentication protocol that uses a challenge-response mechanism to authenticate a user or network host, thereby preventing transmission of both the password and the information in clear text.

564
Q

Define CIRT

A

CIRT (Computer Incident Response Team): A group tasked with responding to security breaches, viruses, and other potentially catastrophic incidents in computing environments. Their role involves investigating incidents, mitigating damages, and working on recovery strategies.

565
Q

Define COOP

A

COOP (Continuity of Operations Plan): A set of policies and procedures that an organization follows to continue essential functions and operations during and after a significant emergency or disaster.

566
Q

Define CP

A

CP (Contingency Planning): The process of developing advance arrangements and procedures that enable an organization to respond to an event that could occur by chance or unforeseen circumstances, ensuring critical operations can continue.

567
Q

Define CRC

A

CRC (Cyclic Redundancy Check): An error-detecting code used to detect accidental changes to raw data in digital networks and storage devices. It’s a popular method for checking the integrity of data.

568
Q

Define CRL

A

CRL (Certificate Revocation List): A list of digital certificates that have been revoked by the issuing Certificate Authority before their scheduled expiration date and should no longer be trusted.

569
Q

Define CSR

A

CSR (Certificate Signing Request): A block of encoded text submitted to a Certificate Authority when applying for an SSL/TLS certificate. It contains information that will be included in the certificate such as the organization name, common name (domain), locality, and country.

570
Q

Define CSU

A

CSU (Channel Service Unit): A device used in digital telecommunications that serves as an interface between the terminal equipment (such as a router or switch) and a digital transmission medium (such as a leased line or digital circuit). The CSU performs several key functions: it connects the terminal equipment to the network, conditions the signal to ensure it is suitable for transmission, and provides protection against electrical interference and signal distortion. Additionally, it often includes diagnostic capabilities to monitor and troubleshoot the communication link, ensuring reliable and efficient data transmission.

571
Q

Define CTM

A

CTM (Critical Thinking and Methodologies): Refers to the approach and practices that involve analyzing facts to form a judgment. In cybersecurity, it’s applied to assess threats, vulnerabilities, and to develop effective strategies for security management and incident response.

572
Q

Define DEP

A

DEP (Data Execution Prevention): A security feature that helps prevent damage from viruses and other security threats by blocking certain types of code from executing in protected regions of memory (non-executable sections).

573
Q

Define DES

A

DES (Data Encryption Standard): A symmetric-key algorithm for the encryption of electronic data that was once widely used across the globe. Despite its age and security vulnerabilities, it laid the groundwork for modern encryption algorithms.

574
Q

Define DHE

A

DHE (Diffie-Hellman Ephemeral): A method of securely exchanging cryptographic keys over a public channel, offering forward secrecy by generating unique session keys for each encryption session.

575
Q

Define DPO

A

DPO (Data Protection Officer): A role within organizations aimed at ensuring compliance with data protection laws. The DPO is responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR and other data protection laws.

576
Q

Define DRP

A

DRP (Disaster Recovery Plan): A documented, structured approach with instructions for responding to unplanned incidents. This plan includes measures to minimize the effects of a disaster so the organization can continue to operate or quickly resume key operations.

577
Q

Define DSA

A

DSA (Digital Signature Algorithm): A Federal Information Processing Standard (FIPS) specifically formulated for creating digital signatures. This algorithm is integral to numerous security protocols, offering robust verification of data integrity and authenticity. It facilitates the validation of digital communications, ensuring that messages have not been altered and confirming the sender’s identity.

578
Q

Define DSL

A

DSL (Digital Subscriber Line): A family of technologies that provide internet access by transmitting digital data over the wires of a local telephone network. DSL is widely used for providing broadband internet access.

579
Q

Define EAP

A

EAP (Extensible Authentication Protocol): A framework frequently used in wireless networks and point-to-point connections, which allows for the extension of the authentication methods used by the protocol.

580
Q

Define ECB

A

ECB (Electronic Codebook Mode): A mode of operation for block ciphers, where each block of plaintext is encrypted independently. This simplicity leads to potential security vulnerabilities, making it less recommended for use in cryptographic protocols.

581
Q

Define ECC

A

ECC (Elliptic Curve Cryptography): A method of public-key encryption that uses the mathematics of elliptic curves to generate smaller, faster, and more efficient cryptographic keys.

582
Q

Define ECDHE

A

ECDHE (Elliptic Curve Diffie-Hellman Ephemeral): A key agreement protocol that allows two parties to establish a shared secret over an insecure channel using elliptic curve cryptography, providing forward secrecy.

583
Q

Define ECDSA

A

ECDSA (Elliptic Curve Digital Signature Algorithm): A variant of the Digital Signature Algorithm (DSA) which uses elliptic curve cryptography to provide enhanced security with smaller key sizes.

584
Q

Define EDR

A

EDR (Endpoint Detection and Response): Security software that monitors endpoint and network events to detect malicious activities, provide investigation capabilities, and initiate response actions to eliminate threats.

585
Q

Define EFS

A

EFS (Encrypting File System): A feature of some Windows operating systems that provides filesystem-level encryption, allowing users to protect data in files and folders from unauthorized access.

586
Q

Define ERP

A

ERP (Enterprise Resource Planning): Integrated management software systems used by organizations to manage day-to-day business activities, such as accounting, procurement, project management, and manufacturing.

587
Q

Define ESN

A

ESN (Electronic Serial Number): A unique identification number embedded by manufacturers into wireless phones, used for mobile device identification and tracking by service providers.

588
Q

Define ESP

A

ESP (Encapsulating Security Payload): A component of IPsec used for providing confidentiality, data-origin authentication, integrity, and anti-replay for IP packets by encrypting the payload data.

589
Q

Define FACL

A

FACL (Filesystem Access Control List): A data structure that provides detailed access control specifications for files and directories, allowing for more granular permissions beyond the standard owner/group/world model.

590
Q

Define FIM

A

FIM (File Integrity Monitoring): A security process that involves continuously checking and verifying the integrity of the operating system and application software files to detect unauthorized changes, which could indicate a cyber attack.

591
Q

Define FPGA

A

An FPGA (Field-Programmable Gate Array) is essentially a highly versatile chip that you can reprogram to perform a wide array of functions even after it’s been created and shipped. Think of it as a chameleon of the electronic component world: it can change how it works based on what you need it to do. Unlike regular chips, whose roles are fixed from the moment they leave the factory, FPGAs can be updated or reconfigured with new instructions by the users themselves, making them incredibly adaptable. They’re often used to speed up specific tasks, such as encrypting data, by customizing the chip to execute those tasks much faster than general-purpose processors. This adaptability and speed make FPGAs valuable in diverse fields, from telecommunications to video processing and even in the secure encryption of communications.

592
Q

Define FRR

A

FRR (False Rejection Rate): In biometric security systems, the measure of the likelihood that the system incorrectly rejects an access attempt by an authorized user.

593
Q

Define GCM

A

GCM (Galois/Counter Mode) is an advanced encryption technique that enhances security by blending two components: the Counter Mode (CTR) for encrypting data, ensuring its confidentiality, and the Galois Mode for verifying the data’s integrity and authenticity. This dual approach allows GCM to secure the content of messages while also ensuring they come from a trusted source and have not been tampered with, making it a robust choice for protecting sensitive information.

594
Q

Define GPG

A

GPG (GNU Privacy Guard) is a freely available tool that provides a secure method to encrypt and sign data and messages, adhering to the OpenPGP standard. It allows users to protect the privacy of their communications and verify the identity of the sender, ensuring that messages haven’t been altered in transit. GPG is widely used for secure email communications, file encryption, and digital signatures, making it a vital tool for maintaining confidentiality and trust in digital interactions.

595
Q

Define GRE

A

GRE (Generic Routing Encapsulation): A tunneling protocol developed by Cisco that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links over an Internet Protocol network.

For security over VPNs that use GRE, it’s common to employ IPsec (Internet Protocol Security) alongside GRE. IPsec adds the necessary security features, such as data confidentiality, data integrity, and data origin authentication. Using GRE in combination with IPsec allows for both the flexibility of protocol encapsulation and the security benefits of IPsec.

596
Q

Define HA

A

HA (High Availability): Refers to systems or components that remain continuously operational for a desired length of time. High availability systems aim to minimize downtime and ensure business continuity.

597
Q

Define HMAC

A

HMAC (Hash-Based Message Authentication Code) is a method used to ensure both the integrity and authenticity of a message. It combines a cryptographic hash function with a secret key, creating a unique code that verifies that a message hasn’t been altered and confirms its origin. This code, or MAC, is attached to the message, allowing the recipient to use the same key and hash function to check the message. If the recipient’s calculated MAC matches the one sent, it verifies that the message is intact and genuine.

598
Q

Define IAC

A

IAC (Infrastructure as Code): The management of infrastructure (networks, virtual machines, load balancers, and connection topology) in a descriptive model, using the same versioning that a DevOps team uses for source code.

599
Q

Define IAM

A

IAM (Identity and Access Management): A framework of policies and technologies ensuring that the right users (in an enterprise) have the appropriate access to technology resources. IAM systems fall under the overarching umbrellas of IT security and data management.

600
Q

Define ICS

A

ICS (Industrial Control Systems): Systems, including devices, systems, networks, and controls used to operate and/or automate industrial processes. These are used in industries such as electricity, water, oil, gas, and data.

601
Q

Define IDEA

A

IDEA (International Data Encryption Algorithm): A symmetric key block cipher designed as a replacement for the Data Encryption Standard (DES). IDEA is known for its strength and efficiency in secure encryption.

602
Q

Define IDF

A

IDF (Intermediate Distribution Frame): A frame or rack for interconnecting cables, hardware, and devices in a telecommunications room. It serves as a central point for wiring that connects equipment within a building or campus.

603
Q

Define IdP

A

IdP (Identity Provider): A system or service that creates, maintains, and manages identity information, providing authentication services to other applications or services within a single sign-on or federated identity framework.

604
Q

Define IRP

A

IRP (Incident Response Plan): A documented plan that outlines the procedures, strategies, and tools to detect, respond to, and recover from network security incidents to minimize impact and restore operations.

605
Q

Define IV

A

IV (Initialization Vector): A random or pseudo-random number used to ensure that identical plaintexts encrypt to different ciphertexts in cryptographic operations, enhancing security by introducing randomness.

606
Q

Define KDC

A

KDC (Key Distribution Center): A central authority in Kerberos-based authentication systems that issues session keys to parties in a secure network to enable them to establish a secure communication channel.

607
Q

Define KEK

A

KEK (Key Encryption Key): A key used specifically to encrypt and decrypt other keys, such as Data Encryption Keys (DEKs), in cryptographic systems, providing an additional layer of security for key management.

608
Q

Define L2TP

A

L2TP (Layer 2 Tunneling Protocol): A tunneling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs. It does not provide encryption or confidentiality by itself but is often combined with IPsec for security.

609
Q

Define LEAP

A

LEAP (Lightweight Extensible Authentication Protocol): A proprietary wireless LAN authentication method developed by Cisco, providing dynamic WEP keys and mutual authentication between clients and servers.

610
Q

Define LDAP

A

LDAP (Lightweight Directory Access Protocol) is a protocol designed to manage and access directory information over an IP network. It enables the organization, search, and modification of directory information like users, groups, and services. Think of LDAP as a digital phonebook for a company or organization. Just as you might use a phonebook to look up a colleague’s office number, computers use LDAP to look up information such as email addresses, usernames, and shared resources on a network. For example, when you log into your computer at work, LDAP helps verify your username and password against the company’s directory services, ensuring you have access to your emails, files, and printers configured for your account. It’s a crucial tool for centralized management and security in networked environments.

611
Q

Define MAN

A

MAN (Metropolitan Area Network): A network that spans a larger geographic area than a LAN but is confined to a specific region, such as a city or metropolitan area, providing high-speed networking services.

612
Q

Define MBR

A

MBR (Master Boot Record): The first sector of a storage device that contains code for starting the boot process and a partition table for the disk. It plays a crucial role in booting up the operating system.

613
Q

Define MD5

A

MD5 (Message Digest Algorithm 5): A widely used cryptographic hash function producing a 128-bit (16-byte) hash value, typically rendered as a 32-character hexadecimal number. It’s used for checking data integrity but is not recommended for security due to vulnerabilities.

614
Q

Define MFP

A

MFP (Multi-Function Printer): A device that consolidates the functionalities of multiple devices in one, such as a printer, scanner, copier, and sometimes a fax machine, to save space and improve efficiency in office environments.

615
Q

Define MMS

A

MMS (Multimedia Messaging Service): A standard way to send messages that include multimedia content such as images, audio, and video, over mobile networks to other mobile devices.

616
Q

Define MPLS

A

MPLS (Multiprotocol Label Switching): A routing technique in telecommunications networks that directs data from one node to the next based on short path labels rather than long network addresses, improving data flow efficiency.

617
Q

Define MSA

A

MSA (Master Service Agreement): A contract reached between two parties, where the parties agree to most of the terms that will govern future transactions or future agreements, streamlining future negotiations.

618
Q

Define MSP

A

MSP (Managed Service Provider): A company that remotely manages a customer’s IT infrastructure and/or end-user systems, typically on a proactive basis and under a subscription model, offering a broad range of IT services.

619
Q

Define MSSP

A

MSSP (Managed Security Service Provider): A specialized type of MSP focused on security services, offering solutions like firewall and intrusion detection, virtual private network management, vulnerability scanning, and antivirus services.

620
Q

Define NAC

A

NAC (Network Access Control): A security method that enforces policy compliance on devices attempting to access network resources, ensuring they meet certain security criteria before granting access.

621
Q

Define NTLM

A

NTLM (NT LAN Manager): A suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. NTLM is used for network authentication in Windows environments.

622
Q

Define NTP

A

NTP (Network Time Protocol): A protocol used to synchronize clocks of computer systems over packet-switched, variable-latency data networks. It ensures that all devices on a network agree on the time.

623
Q

Define OCSP

A

OCSP (Online Certificate Status Protocol): A protocol used for obtaining the revocation status of a digital certificate, allowing devices to check in real-time whether a certificate is valid or has been revoked.

624
Q

Define OSPF

A

OSPF (Open Shortest Path First) is a powerful network protocol designed to efficiently manage the routes for sending data across Internet Protocol (IP) networks. Unlike simpler protocols that may cause data to take longer paths, OSPF dynamically finds the quickest route for data packets to travel between devices. It achieves this by using a method called link state routing (LSR), where each router creates a map of the network’s topology to navigate data efficiently. OSPF is classified as an interior gateway protocol (IGP), meaning it’s used within a single large network or autonomous system (AS) to keep internal traffic flowing smoothly. This makes OSPF ideal for large enterprise networks, where ensuring fast and reliable data delivery is critical.

625
Q

Define OT

A

OT (Operational Technology): Hardware and software that monitors or controls equipment, assets, and processes. It is used in industries such as manufacturing, energy, and utilities, often for industrial control systems.

626
Q

Define OTA

A

OTA (Over The Air): A method of distributing new software updates to devices wirelessly, as opposed to physical or manual update methods. Commonly used for updating mobile phones and other smart devices.

627
Q

Define OVAL

A

OVAL (Open Vulnerability and Assessment Language): A community standard designed to standardize how to assess and report upon the machine state of computer systems. OVAL includes a language to encode system details, and an assortment of content repositories held throughout the community.

628
Q

Define P12

A

P12 (PKCS #12): A file format used to store multiple cryptographic elements within a single file, including private keys, certificates, and intermediate certificates. It’s often used for exporting and importing back-up certificates and keys.

629
Q

Define PAC

A

PAC (Proxy Auto-Configuration): A method used by web browsers to automatically find and load a proxy configuration file to determine the appropriate proxy for a given URL, improving network efficiency and access control.

630
Q

Define PAP

A

PAP (Password Authentication Protocol): A simple, plain-text authentication protocol where a user’s username and password are sent over the network, often considered insecure due to the lack of encryption.

631
Q

Define PBKDF2

A

PBKDF2 (Password-Based Key Derivation Function 2): A cryptographic algorithm that derives a secure cryptographic key from a password. It applies a pseudorandom function, such as HMAC, to the input password along with a salt value and repeats the process many times to produce a derived key.

632
Q

Define PBX

A

PBX (Private Branch Exchange): A private telephone network used within an organization that allows users to communicate internally and externally using different communication channels like VoIP, ISDN, or analog.

633
Q

Define PED

A

PED (Personal Electronic Device)

634
Q

Define PEM

A

PEM (Privacy-Enhanced Mail) is a standard format for storing and transmitting cryptographic materials like X.509 certificates, private keys, and public keys. It encases this sensitive data in a base64 encoding, flanked by descriptive header and footer lines, transforming the binary information into ASCII text. This conversion facilitates the secure handling and sharing of cryptographic data across different systems and platforms. Importantly, the base64 encoding is not a security feature in itself but a method to ensure compatibility and ease of distribution. The actual security is derived from the cryptographic mechanisms employed, such as encryption algorithms and key management, not from the encoding process. PEM format’s versatility extends beyond email encryption, making it foundational in various security contexts where cryptographic data needs to be accurately and securely managed.

635
Q

Define PFS

A

PFS (Perfect Forward Secrecy) is a security feature of certain encryption protocols that ensures each communication session has its own unique encryption key. This means that even if an attacker manages to obtain a long-term key used for securing multiple sessions, they cannot use it to decrypt past or future session data. Perfect Forward Secrecy achieves this by generating a new key for each session that is not based on any fixed secret or long-term key. As a result, the compromise of one session’s key does not affect the security of others, safeguarding the privacy of individual sessions against future key exposures.

636
Q

Define PGP

A

PGP (Pretty Good Privacy): A data encryption and decryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions to increase the security of email communications.

637
Q

Define PIV

A

PIV (Personal Identity Verification): A United States federal government standard for secure and reliable forms of identification for federal employees and contractors. PIV cards are used to access federally controlled facilities and information systems at appropriate security levels.

638
Q

Define PKCS

A

PKCS (Public Key Cryptography Standards): A group of standards developed and published by RSA Laboratories for public-key cryptography, including standards for secure email, certificate requests, and key storage.

639
Q

Define POTS

A

POTS (Plain Old Telephone Service): The traditional voice transmission phone system over copper twisted pair wires. It is the basic form of residential and small business telephone service in most parts of the world.

640
Q

Define PPP

A

PPP (Point-to-Point Protocol): A data link protocol commonly used to establish a direct connection between two networking nodes. It supports connection authentication and compression, and can facilitate transmission encryption via extensions like the Encryption Control Protocol (ECP, RFC 1968).

641
Q

Define PPTP

A

PPTP (Point-to-Point Tunneling Protocol): A method for implementing virtual private networks, widely used to support VPNs. It uses a control channel over TCP and a GRE tunnel to encapsulate PPP packets.

642
Q

Define PSK

A

PSK (Pre-Shared Key): A shared secret that was exchanged between the two parties over some secure channel before it is needed. It is typically used in wireless networks to establish a secure communication channel.

643
Q

Define PTZ

A

PTZ (Pan-Tilt-Zoom): A camera feature allowing remote directional and zoom control, enabling it to cover a wide area and focus on specific points of interest, commonly used in surveillance and video conferencing.

644
Q

Define PUP

A

PUP (Potentially Unwanted Program): Software that a user may perceive as unwanted, despite possibly giving consent to download it. PUPs can include spyware, adware, and dialers, often bundled with legitimate software.

645
Q

Define Recovery Agent (RA)

A

Recovery Agent: A designated individual or entity in an organization with the authority and ability to recover or decrypt data that has been encrypted by others, typically used in managing encryption keys and digital certificates.

646
Q

Define Registration Authority (RA)

A

Registration Authority (RA): An authority in a public key infrastructure (PKI) that verifies user requests for a digital certificate and approves or rejects the certificate request before it is sent to the Certificate Authority (CA) for issuance.

647
Q

Define RACE

A

RACE (Research and Development in Advanced Communications Technologies in Europe) is an initiative focused on advancing telecommunications technology across Europe. Its mission encompasses developing innovative and unified telecommunications standards, enhancing the infrastructure to support a wide range of services, and fostering the integration of European telecommunications systems. RACE aims to position Europe at the forefront of global telecommunications technology, ensuring competitiveness and paving the way for future advancements in communication networks.

648
Q

What is a parity block?

A

A parity block in a RAID setup is a chunk of data generated and stored across the RAID array’s disks to provide fault tolerance. It’s created by performing a mathematical operation (typically an XOR operation) on corresponding bits of data across a set of blocks on different disks. The result of this operation is the parity block.

Here’s a simplified way to understand it: Imagine you have data blocks A and B on two different disks in a RAID array. To create a parity block P for A and B, the system performs an XOR operation on them bit by bit. Wherever the corresponding bits of A and B are the same, the bit of P will be 0; wherever they are different, the bit of P will be 1. This parity block P is then stored on another disk within the array.

The beauty of this system is that if any one of the disks fails, the lost data block can be reconstructed using the parity block along with the remaining data blocks. For instance, if disk A fails, you can recover A by performing an XOR operation on B and P. This method allows RAID arrays to continue operating without data loss in the event of a single disk failure, ensuring data integrity and system resilience.

649
Q

Define RAD

A

RAD (Rapid Application Development): A software development methodology that prioritizes rapid prototyping and iterative delivery over long drawn-out development and testing cycles. It aims to produce high-quality systems quickly and efficiently.

650
Q

Define RAS

A

RAS (Remote Access Service): A service that allows users to connect to a network remotely over a telecommunications or internet connection, typically used for accessing network services from offsite locations.

VPNs and RDP are examples of RAS.

651
Q

Define RC4

A

RC4 (Rivest Cipher 4): A stream cipher that was widely used in applications such as SSL (Secure Sockets Layer) and WEP (Wired Equivalent Privacy) for encrypting data. It is known for its simplicity and speed but is considered insecure by today’s standards.

652
Q

Define RIPEMD

A

RIPEMD (RACE Integrity Primitives Evaluation Message Digest): A family of cryptographic hash functions developed in Europe. It is designed to be used in various applications where a secure and efficient hash function is needed, with RIPEMD-160 being one of the most commonly used versions.

653
Q

Define RTBH

A

RTBH (Remotely Triggered Black Hole): A technique used to mitigate denial-of-service attacks, allowing network operators to drop all traffic destined to a targeted IP, preventing malicious traffic from reaching its intended destination.

654
Q

Define RTOS

A

RTOS (Real-Time Operating System): An operating system intended for applications with fixed deadlines (real-time computing). It manages hardware resources, hosts applications, and processes data on a timely basis, critical in environments where timing is crucial.

655
Q

Define RTP

A

RTP (Real-time Transport Protocol): A protocol designed for delivering audio and video over networks in a way that supports real-time data transmission, making it essential for services like video conferencing and streaming media.

656
Q

Define S/MIME

A

S/MIME (Secure/Multipurpose Internet Mail Extensions): A standard for public key encryption and signing of MIME data, used to secure email by allowing users to encrypt the content and attach digital signatures for verification.

657
Q

Define SAML

A

SAML (Security Assertion Markup Language): An open standard for exchanging authentication and authorization data between parties, especially between an identity provider and a service provider, enabling single sign-on (SSO) for web applications.

658
Q

Define Storage Area Network (SAN)

A

A SAN is a high-speed, specialized network that connects servers to their logical disk units stored on shared storage devices. SANs separate storage from servers and consolidate it so that it can be accessed by multiple hosts, thereby improving storage utilization and providing greater flexibility and efficiency in data management.

659
Q

Define Subject Alternative Name (SAN)

A

Subject Alternative Name (SAN): A part of an SSL certificate that allows additional domain names to be secured by a single certificate, enabling the protection of multiple domain names or subdomains with one certificate.

660
Q

Define SCADA

A

SCADA (Supervisory Control and Data Acquisition): A system used for controlling industrial processes locally or at remote locations, monitoring, gathering, and processing real-time data, and interacting with devices such as sensors and valves.

661
Q

Define SCAP

A

SCAP (Security Content Automation Protocol): A suite of standards for automating the way systems maintain security. It enables automated vulnerability management, measurements, and policy compliance evaluation.

662
Q

Define SCEP

A

SCEP (Simple Certificate Enrollment Protocol): A protocol that simplifies the process of securely enrolling devices for digital certificates, allowing devices to easily obtain the necessary certificates for secure communications.

663
Q

Define SDLM

A

SDLM (Software Development Lifecycle Management): A methodology for managing the process of developing software, including planning, creating, testing, and deploying applications, with a focus on improving quality and efficiency.

664
Q

Define SED

A

SED (Self-Encrypting Drive): A storage device that automatically encrypts the data stored on it without requiring software or user intervention, providing an added layer of security for data at rest.

665
Q

Define SEH

A

SEH (Structured Exception Handling): A programming mechanism in Windows that provides a way for applications to handle exceptions (errors) that occur during the execution of a program, helping to maintain stability and security.

666
Q

Define SOAP

A

SOAP (Simple Object Access Protocol): A protocol used for exchanging structured information in the implementation of web services in computer networks. SOAP relies on XML for its message format, which ensures that the data can be easily understood in heterogeneous environments — making it highly effective for complex enterprise environments that involve diverse operating systems and technologies. Typically, SOAP utilizes other application layer protocols, such as HTTP or SMTP, for message negotiation and transmission. It is widely used when a robust standard is needed to ensure data integrity and security in scenarios where web services require formal contracts between client and server, such as in financial services, telecommunication, and large-scale manufacturing applications.

667
Q

Define SOAR

A

SOAR (Security Orchestration, Automation, and Response): A suite of software solutions and tools that allow organizations to streamline security operations in three key areas: orchestration, automation, and response, enhancing their ability to quickly respond to security incidents.

668
Q

Define SoC

A

System on Chip (SoC): An integrated circuit that incorporates all components of a computer or other electronic system into a single chip, including a CPU, memory interfaces, I/O devices, and often other features such as a GPU.

An SoC is not a tower-style computer built from separate components. Some examples of SoC-based devices are smartphones, tablets, IoT devices, and embedded systems.

669
Q

Define SOC

A

SOC (Security Operations Center): A centralized unit within an organization that deals with security issues on an organizational and technical level, dedicated to monitoring, analyzing, and protecting an organization from cyber threats.

670
Q

Define SOW

A

SOW (Statement of Work): A document detailing the work requirements for a specific project or contract, including objectives, schedule, deliverables, and detailed tasks, serving as a guideline and agreement between parties.

671
Q

Define SPF

A

SPF (Sender Policy Framework): An email authentication method designed to prevent sender address forgery, allowing email senders to define which IP addresses are allowed to send mail for their domain.

672
Q

Define SPIM

A

SPIM (Spam Over Instant Messaging): Unsolicited messages sent via instant messaging (IM) systems, similar to spam emails, but targeting IM platforms to distribute unwanted or malicious content.

673
Q

Define SRTP

A

SRTP (Secure Real-time Transport Protocol): An extension of RTP (Real-time Transport Protocol) that provides encryption, message authentication, and integrity verification for media streams in applications like VoIP and video conferencing.

674
Q

Define TACACS+

A

TACACS+ (Terminal Access Controller Access-Control System Plus): A protocol that provides access control for routers, network access servers, and other networked computing devices via one or more centralized servers, supporting more granular control over authentication and authorization processes.

675
Q

Define TGT

A

TGT (Ticket Granting Ticket): Used in the Kerberos authentication protocol as part of the process to authenticate a user. The TGT is issued by the Key Distribution Center (KDC) and allows the user to request service tickets for other resources within the network.

676
Q

Define TKIP

A

TKIP (Temporal Key Integrity Protocol) is an advanced security protocol developed to enhance wireless network security, specifically designed to rectify the vulnerabilities found in the older WEP (Wired Equivalent Privacy) system. TKIP incorporates three main security mechanisms to safeguard Wi-Fi communications:

Per-Packet Key Mixing: TKIP uses a more sophisticated key mixing function for each data packet, making it much harder for attackers to predict or crack the encryption key compared to the static key used in WEP.

Message Integrity Check (MIC): This feature adds a strong integrity check that is specifically designed to prevent tampering and forgery of packets. It ensures that the data transmitted over the network has not been altered or tampered with during transmission.

Re-Keying Mechanism: TKIP automatically changes encryption keys at a set interval or after a certain number of packets have been sent. This frequent change of keys dramatically reduces the risks associated with key exposure and makes it difficult for attackers to decipher the encryption over time.

Together, these enhancements make TKIP a significant improvement over WEP, providing stronger security measures that were necessary as wireless networking became more prevalent. However, it’s important to note that TKIP has been succeeded by more advanced protocols like AES (Advanced Encryption Standard) with WPA2, as it too has shown vulnerabilities and is considered deprecated in modern security standards.

677
Q

Define TSIG

A

TSIG (Transaction Signature) is a security protocol used to add a layer of authentication to DNS (Domain Name System) communications, including updates and requests. This protocol helps ensure that the exchanges between DNS servers and clients are both secure and verified, thereby safeguarding against unauthorized modifications to DNS records.

Here’s how TSIG enhances DNS security:

Authentication of DNS Messages: TSIG uses shared secret keys and one-way hashing to authenticate DNS messages. Each message is appended with a unique signature generated from the message content and a secret key known only to the communicating parties.

Prevention of Spoofing and Replay Attacks: The signatures include timestamps and unique identifiers, which help prevent replay attacks (where old messages are resent to trick the server) and ensure that the messages have not been tampered with during transit.

Secure Zone Transfers: TSIG is commonly used to authenticate zone transfers (AXFR/IXFR) between DNS servers. This is crucial for preventing unauthorized access and ensuring that only legitimate servers can exchange DNS data.

Dynamic DNS Updates: For environments that use dynamic DNS, TSIG can authenticate update requests to the DNS server, ensuring that only authorized clients can modify DNS records. This is particularly important in preventing DNS hijacking.

By employing TSIG, DNS servers enhance their security protocols, making sure that every transaction is authenticated and verified, thus maintaining the integrity and reliability of the domain name resolution process.

678
Q

Define UAT

A

UAT (User Acceptance Testing): The final phase of the software testing process, where end users test the software to ensure it can handle required tasks in real-world scenarios, meeting the business requirements and functioning as expected.

679
Q

Define UTP

A

UTP (Unshielded Twisted Pair): A widely used type of cable that consists of two unshielded wires twisted around each other. It is used for various types of local area networks (LANs) and telephone connections, known for its cost-effectiveness and ease of installation.

680
Q

Define VBA

A

VBA (Visual Basic for Applications): A programming language developed by Microsoft that is built into most Microsoft Office applications. It allows users to automate tasks and add custom functionality to Office suites, such as Excel, Word, and Access.

681
Q

Define VDE

A

VDE (Virtual Desktop Environment): A computing model where a user’s desktop environment is stored on a remote server rather than on a local PC or laptop. VDE allows users to access their desktop from any device, promoting mobility and flexibility.

VDI and RDP are subsets of VDE.

682
Q

Define VDI

A

VDI (Virtual Desktop Infrastructure): A technology that hosts desktop environments on a centralized server and deploys them to end-users over a network. VDI allows for centralized management, increased security, and reduced hardware costs.

683
Q

Define VLSM

A

VLSM (Variable Length Subnet Masking): A technique in IP networking that allows for more efficient allocation of IP addresses by dividing an IP address space into subnets of different sizes, optimizing the use of a limited number of IP addresses.

684
Q

Define VPC

A

VPC (Virtual Private Cloud): A service offered by cloud providers that allows customers to provision a logically isolated section of the cloud where they can launch resources in a virtual network that they define. It combines the scalability of the cloud with the data isolation of a private network.

685
Q

Define VTC

A

VTC (Video Teleconferencing): A technology that allows users in different locations to hold face-to-face meetings without having to move to a single location together. It uses audio and video transmissions to simulate a conference environment.

686
Q

Define WPA

A

WPA (Wi-Fi Protected Access): A security protocol and security certification program developed by the Wi-Fi Alliance to secure wireless computer networks. WPA improves upon the security features of WEP (Wired Equivalent Privacy) and was further enhanced with WPA2.

687
Q

Define WO

A

WO (Work Order): A formal document (or an electronic record) detailing authorized work to be completed. In IT, a work order may specify tasks related to hardware, software, or network maintenance, upgrades, or installations.

688
Q

Define XDR

A

XDR (Extended Detection and Response): A security solution that extends beyond traditional endpoint detection and response (EDR) by collecting and automatically correlating data across multiple security layers—email, endpoint, server, cloud workloads, and network—enabling a more comprehensive threat detection, investigation, and response capability.

689
Q

Define GBICs

A

GBICs (Gigabit Interface Converters): Modular transceivers that convert electrical signals into optical signals and vice versa, allowing Gigabit Ethernet networks to use fiber-optic cables for long-distance communication. GBICs are inserted into network switches or routers to facilitate network connections.

690
Q

Define netflow analyzer

A

NetFlow Analyzer: A software tool that uses the NetFlow protocol to collect and analyze network traffic data, helping administrators understand traffic patterns, identify bandwidth hogs, and detect potential security threats by monitoring flow data from routers and switches.

691
Q

Define WiFi analyzer

A

WiFi Analyzer: A software application or hardware tool that assesses and optimizes wireless network performance. It provides information on signal strength, channel congestion, and network security settings, aiding in the planning and troubleshooting of WiFi networks.

692
Q

Define ARP cache

A

ARP Cache: Part of the Address Resolution Protocol, the ARP cache is used to maintain a correlation between each IP address and its corresponding MAC address. It allows for the efficient routing of data on a LAN.

693
Q

What is a process table?

A

Process Table: A kernel data structure that tracks the processes currently being managed by the operating system. It includes information like process IDs, process state, priority, and pointers to memory locations.

694
Q

What are kernel statistics?

A

Kernel Statistics: Data collected by the operating system’s kernel, providing insights into system performance, resource usage, and various activities. This information is critical for system management and troubleshooting.

695
Q

Define swap space

A

Swap Space: A space on a hard drive used as the virtual memory extension of a computer’s real memory (RAM). It allows for the temporary moving of pages of data from RAM to disk storage, making room for new processes in physical memory. This space plays a crucial role in managing system resources but is slower to access than RAM.

696
Q

Define CTR

A

Counter Mode (CTR) is a mode of operation for block cipher encryption that converts a block cipher into a stream cipher. It encrypts data by combining plaintext with an encrypted counter. The counter, typically a sequence of numbers, is encrypted and then XORed (bitwise exclusive OR) with the plaintext to produce ciphertext. Each block of data uses a unique counter value, ensuring that identical plaintext blocks produce different ciphertext. Counter Mode is known for its simplicity and parallel processing capabilities, making it widely used in various encryption tasks, including securing data in transmission and storage.

697
Q

What is the difference between CTR and CFB?

A

  • Encryption Input: CTR encrypts a counter value, whereas CFB encrypts the previous ciphertext block (or the IV for the first block).
  • Parallel vs. Sequential Processing: CTR allows for parallel processing of blocks, making it faster and more efficient in some scenarios, while CFB must process data sequentially.
  • Use Cases: CTR is widely appreciated for applications requiring high throughput and parallel processing. In contrast, CFB’s self-synchronizing property makes it useful for certain scenarios where data streams need to be encrypted/decrypted with some resilience to errors in transmission.

698
Q

What is the difference between trusted/secure boot and measured boot?

A

  • Trusted Boot: Trusted Boot, also known as Secure Boot, ensures that each component of the boot process is signed by a trusted authority and validates each component before it is executed. Unlike Measured Boot, Trusted Boot actively prevents the execution of untrusted components rather than just measuring them.
  • Measured Boot: Measured Boot involves measuring each component of the boot process, from firmware up through the boot-start drivers, and recording these measurements in a secure and tamper-resistant hardware component called the TPM (Trusted Platform Module). The purpose is to create a log that can be used to verify the integrity of the boot process.