Security+

Question 1

Another name for Symmetric algorithm

Answer 1

Private Key Algorithm

Question 2

Another name for Asymmetric algorithm

Answer 2

Public Key algorithm

Question 3

Advantage of asymmetric algorithm

Answer 3

Overcomes multiple key issue associated with symmetric algorithms

Question 4

Hybrid encryption implementation

Answer 4

Use asymmetric encryption to establish connection, then exchange symmetric keys for continued communication

Question 5

Advantage of symmetric algorithm

Answer 5

Faster

Question 6

Stream cipher

Answer 6

Encrypt data one byte (or bit) at a time
Used for securing real-time data streams
Tend to be symmetric algorithms
Tend to be hardware encrypted

Question 7

Block cipher

Answer 7

Breaks input into fixed lengths for encryption
Padding added if data is less than fixed length
Easier to implement than stream cipher
Tend to be software encrypted

Question 8

DES algorithm

Answer 8

Data Encryption Standard
Symmetric algorithm
deprecated

Question 9

3DES

Answer 9

Triple DES
Symmetric algorithm
3 symmetric keys - encrypt, decrypt, encrypt

Question 10

IDEA

Answer 10

International Data Encryption Algorithm
Symmetric algorithm

Question 11

AES

Answer 11

Advanced Encryption Standard
Symmetric algorithm
Current symmetric standard, most commonly used

Question 12

Blowfish

Answer 12

Symmetric algorithm
Intended to replace DES
open source

Question 13

Twofish

Answer 13

Symmetric algorithm
open source

Question 14

RC4

Answer 14

Rivest Cipher 4
Symmetric stream cipher
Used in SSL and WEP

Question 15

RC5

Answer 15

Rivest Cipher 5
Symmetric block cipher

Question 16

RC6

Answer 16

Rivest Cipher 6
Symmetric block cipher
Introduced to replace DES; superceded by AES

Question 17

Public key cryptography

Answer 17

Asymmetric algorithm
For confidentiality: Anyone can encrypt with public key, but only private key can decrypt
For non-reputiation: sender should sign messiage with private key, reader should read with public key

Question 18

Digital Signature

Answer 18

Hash digest for message sent with sender’s private key

Question 19

Diffle-Hellman (DH) algorithm

Answer 19

Asymmetric algorithm
Used to distribute keys of unsecure network
Often used for create VPN tunnels; part of IPSec

Question 20

Rivest, Shamir and Adleman (RSA) Algorithm

Answer 20

Asymmetric algorithm
Relies on difficulty of factoring prime numbers

Question 21

Elliptic Curve Cryptography (ECC)

Answer 21

Asymmetric algorithm
Heavily used on mobile devices
More efficient than RSA

Question 22

Hashing

Answer 22

one way cryptographic function that outputs unique message digest
always the same length per the algorithm in use

Question 23

Pass the Hash attack

Answer 23

login with stored hash rather than plaintext password

Question 24

Rainbow table

Answer 24

Precomputed table for reversing cryptographic hash functions

Question 25

Wildcard certificate

Answer 25

Allows all subdomains to use same public key and have it display as valid

Question 26

Subject Alternate Name (SAN) Field

Answer 26

Certificate field that specifies what additional domains and IP addresses are going to be supported

Question 27

Single-Sided Certificate

Answer 27

Only requires server to be validated

Question 28

Dual-Sided Certificate

Answer 28

Requires both server and user to be validated

Question 29

Self-signed certificate

Answer 29

certificate is signed by same party whose identity it certifies

Question 30

Third-Party Certificate

Answer 30

Certificate issued and signed by a trusted certificate authority

Question 31

Certificate Signing Request

Answer 31

Block of encoded text containing information about the entity requesting the certificate

Question 32

OSCP

Answer 32

Online Certificate Status Protocol
Allows to determine the revocation status of any digital certificate using its serial number

Question 33

OSCP Stapling

Answer 33

Allows the certificate holder to get OCSP record from the server at regular intervals

Question 34

TPM

Answer 34

Trusted Platform Module
Dedicated microcontroller designed to secure hardware through integrated cryptographic keys

Question 35

HSM

Answer 35

Hardware Security Module
Physical device that manages digital keys

Question 36

Secure Enclave

Answer 36

Co-processor integrated into the main processor of some devices, designed with the sole purpose of ensuring data protection

Question 37

Steganography

Answer 37

Hiding secret data in non-secret files or messages

Question 38

Tokenization

Answer 38

substiture sensitive data elements with non-sensitive equivalents; can only be fixed by authorized systems

Question 39

Data Owner

Answer 39

Senior executive responsible for maintaining the confidentiality, integrity and availability of the information asset.

Question 40

Data Controller

Answer 40

Responsible for deciding purposed and methods of data storage, collection, usage and guaranteeing legality of processes

Question 41

Data Processor

Answer 41

Hired by data controller to help with tasks like collecting, storing and analyzing data

Question 42

Data Custodian

Answer 42

Responsible for management of system(s) on which data assets are stored

Question 43

Data Steward

Answer 43

Focused on quality of data and associated metadata

Question 44

Data Privacy Officer

Answer 44

Responsible for oversight of privacy-related data (PHI, SPI, PII)

Question 45

BYOD

Answer 45

Bring your own device

Question 46

COPE

Answer 46

Corporate-Owned, Personally Enabled

Question 47

Time-of-use (TOU)

Answer 47

Race condition that occurs when a process performs an action on a resource without verifying that it is still in the same state or value as when it was last checked. It can lead to incorrect or unauthorized actions based on invalid assumptions.

Question 48

Buffer Overflow

Answer 48

Type of memory corruption that occurs when a program writes more data than the allocated buffer can hold, causing it to overwrite adjacent memory locations. It can lead to crashes, code execution, or privilege escalation.

Question 49

Memory injection

Answer 49

Insertion of malicious code into a system’s memory, not the exploitation of a time gap between a check and use of a condition.

Memory injection is a technique that involves injecting code into a running process to alter its behavior or gain access to its memory. It can be used for malicious or legitimate purposes on mobile devices, such as debugging or hooking.

Question 50

Time-of-check (TOC)

Answer 50

Race condition that occurs when a process checks the state or value of a resource before using it, but another process changes it in between. It can lead to incorrect or unauthorized actions based on outdated information.

Question 51

Remote Access Trojan (RAT)

Answer 51

Mimics legitimate remote control programs but operates covertly. It provides the threat actor unauthorized access to a host, enabling them to upload files, install software, or execute commands.

Question 52

Worm

Answer 52

Malware that replicate themselves to spread to other computers.

Question 53

Adware

Answer 53

Displays unwanted ads on a user’s device.

Question 54

Rootkit

Answer 54

Provides unauthorized access to a computer, but it doesn’t specifically mimic legitimate remote control programs.

Question 55

Vendor assessment

Answer 55

Involves evaluating the security measures and vulnerabilities of a vendor’s systems and infrastructure, but it does not specifically focus on ethical and legal requirements. It occurs after the vendor is chosen.

Question 56

Pretexting

Answer 56

Type of human vector/social engineering attack that involves creating a fabricated scenario or pretext to justify the request for confidential information or action from the target.

Question 57

Cloning

Answer 57

Duplication of items such as badges, access cards, or even digital identities. It’s about copying something authentic to gain unauthorized access.

Question 58

Tailgating

Answer 58

Also known as “piggybacking,” is a method where unauthorized individuals follow authorized personnel into secure locations by exploiting their courtesy or distraction. It relies on physical access rather than fabricated stories.

Question 59

Phishing

Answer 59

Attacker sends deceptive emails (or other forms of communication) to a broad audience, enticing recipients to click on malicious links, download malware, or provide sensitive information. The attacker’s goal is to trick recipients into believing the message is from a trusted source.

Question 60

Vendor selection

Answer 60

Process of evaluating and choosing vendors based on various criteria, including their alignment with the organization’s ethical and legal requirements. It occurs before the partnership begins.

Question 61

Vendor monitoring

Answer 61

Refers to continuously evaluating a vendor’s security performance and compliance with contractual requirements, but it does not directly relate to ethical and legal criteria. It occurs after the vendor is chosen.

Question 62

Master Service Agreement (MSA)

Answer 62

Agreement precisely designed to establish the overall framework for a long-term business relationship between an organization and a vendor. It provides a foundation for future agreements and contracts by outlining general terms, conditions, and responsibilities. It generally is concluded after a vendor is chosen.

Question 63

Downtime

Answer 63

Period when a system is unavailable or its performance is degraded, often due to planned maintenance or unforeseen incidents. In the scenario, the server’s unavailability during the upgrade process is a clear example of downtime.

Question 64

Service Restart

Answer 64

Act of stopping and then starting a service, often to apply changes or updates. While this can lead to downtime, the scenario specifically mentioned a system upgrade, not just a service restart.

Question 65

Maintenance Window

Answer 65

Predefined time frame during which system changes or updates are applied to minimize disruption to business operations. This indicates when changes may occur but does not specifically define the period of system unavailability.

Question 66

Change Management

Answer 66

Formalized procedure to ensure changes are reviewed and approved before implementation. This is a process but does not specifically define the time a system is unavailable.

Question 67

Sensitive Personal Data under GDPR

Answer 67

Sensitive personal data refers to specific categories of personal information that could harm an individual if made public. This includes, but is not limited to:
- religious beliefs
- political opinions
- trade union membership
- gender
- sexual orientation
- racial or ethnic origin
- genetic data
- health information

Question 68

FIPS (Federal Information Processing Standards)

Answer 68

Standards that provide important guidelines and requirements for cryptography used to secure federal information systems, except those related to national security.

Question 69

ISO/IEC 27001

Answer 69

Important standard for information security management systems. It does not set specific requirements for cryptographic modules within federal computer systems.

Question 70

PCI DSS

Answer 70

Relates to the protection of cardholder data

Question 71

Secure Enclave

Answer 71

Chip that is used only to secure encryption keys, hashes, and other important data. It is embedded in Apple and Android devices.

Question 72

Trusted Platform Module (TPM)

Answer 72

Hardware-based storage system that contains keys, digital certificates, hashed passwords, and many other types of information used for authentication. It is embedded on device motherboards that use Windows operating systems.

Question 73

Hardware Security Module (HSM)

Answer 73

Physical computing device that safeguards and manages digital keys for strong authentication. It can be a external device or on an expansion card, but it is not embedded on the motherboard.

Question 74

Key Management System

Answer 74

Process used to ensure that keys are kept secure by establishing standards of security. It is a set of policy decisions, not a chip or device.

Question 75

Side loading

Answer 75

Mobile device vulnerability that results from installing applications from sources other than the official app store, such as third-party websites, USB drives, or email attachments. It can expose the device to malware, spyware, or unauthorized access.

Question 76

Jailbreaking

Answer 76

Creates a vulnerability on mobile device by bypassing the restrictions imposed by the manufacturer or provider of a device, such as an iPhone or iPad, to gain root access and install unauthorized applications or customizations. It can expose the device to malware, spyware, or unauthorized access.

Question 77

Typosquatting

Answer 77

Human vector/social engineering attack that involves creating a fake website or domain name that resembles a legitimate one, but with slight spelling or punctuation differences.

Question 78

Business email compromise

Answer 78

Human vector/social engineering attack that involves compromising or spoofing a legitimate business email account to request fraudulent payments or transfers from unsuspecting employees or customers.

Question 79

Impersonation

Answer 79

Human vector/social engineering attack that involves pretending to be someone else, such as an authority figure or a trusted person, to persuade users to share confidential information or perform certain actions.

Question 80

Statement of Work (SOW) or Work Order (WO)

Answer 80

Document used to specify the specific tasks, deliverables, and timelines for a particular project or service. It is not intended to establish an overall framework for a long-term relationship.

Question 81

Service-level Agreement (SLA)

Answer 81

Outlines specific performance metrics, service levels, and responsibilities for ongoing services, rather than establishing an overall framework for a long-term relationship.

Question 82

Memorandum of Understanding (MOU)

Answer 82

Non-binding document used to express mutual understanding and intentions between parties. It is not typically suitable for establishing a formal framework for a long-term business relationship.

Question 83

Risk register

Answer 83

Comprehensive record that lists all identified risks, their potential impacts, assigned risk owners, and current risk status. It serves as a central repository for tracking and monitoring risks over time.

Question 84

Risk assessment

Answer 84

Initial step in the risk management process, involving the identification, analysis, and evaluation of potential risks.

Question 85

Business impact analysis

Answer 85

Assesses the potential consequences of specific risks on critical business functions, helping prioritize risk response efforts.

Question 86

Risk reporting

Answer 86

The regular communication and documentation of identified risks, their potential impact, and risk management strategies to relevant stakeholders.

Question 87

Cryptographic Downgrade Attack

Answer 87

Attacker forces network participants to resort to a weaker encryption standard, making it easier to compromise the data. It deliberately reduces the security of encrypted communications.

Question 88

Cipher Block Chaining (CBC) Attack

Answer 88

Type of side-channel attack targeting implementations of block ciphers in CBC mode.

Question 89

key exchange attack

Answer 89

Attacker aims to intercept or manipulate the key exchange process, potentially gaining access to the shared secret key.

Question 90

Resource reuse

Answer 90

Type of vulnerability that involves accessing or modifying data or communications from other virtual machines by exploiting the shared CPU between them. It can allow an attacker to execute malicious code or commands on other virtual machines.

Question 91

CPU starvation

Answer 91

Type of performance issue that occurs when a process or thread does not receive enough CPU time to perform its tasks. It can affect the responsiveness and functionality of the process or thread.

Question 92

Probability (risk)

Answer 92

Expected frequency of occurrence of a specific risk within a given time frame.

Question 93

Likelihood (risk)

Answer 93

Qualitative term used to express the chance of a risk occurring, typically described in terms of low, medium, or high.

Question 94

Exposure Factor

Answer 94

The percentage of asset loss that would occur if a specific risk is realized. It is a quantitative risk analysis metric.

Question 95

Annualized Rate of Occurrence (ARO)

Answer 95

Quantitative risk analysis metric that represents the expected number of times a specific risk occurs in a year.

Question 96

Kerberos

Answer 96

Authentication protocol that uses tickets to prevent eavesdropping and replay attacks. It relies on a trusted third-party, the Key Distribution Center (KDC), to facilitate mutual authentication between clients and services.

Question 97

LDAP

Answer 97

Protocol used to access and manage directory information over a network.

Question 98

OAuth

Answer 98

Open standard for access delegation. It allows third-party services to use account information without exposing user passwords.

Question 99

SAML

Answer 99

XML-based standard for exchanging authentication and authorization data between parties. It’s focused more on Single Sign-On (SSO) and doesn’t use the Kerberos ticketing mechanism.

Question 100

Salting

Answer 100

Technique used in cryptography to add random data to the input of a hash function to increase security.

Question 101

Key stretching

Answer 101

Method used that repeatedly hashing the password to make it more random and longer than it originally appeared. The key difference between key stretching and regular hashing or salting is the number of times the hashing is done.

Question 102

Hashing

Answer 102

Process of converting an input of any length into a fixed size string of text, using a mathematical function. Hashing doesn’t add data to the input before completing the conversion.

Question 103

Digital signature

Answer 103

Type of electronic signature that uses a specific type of encryption to ensure the authenticity and integrity of a digital message or document.

Question 104

Infrastructure Monitoring

Answer 104

Focused on ensuring the foundational IT components, like servers, data centers, and networking equipment, are both functional and secure.

Question 105

Systems monitoring

Answer 105

Evaluates the hardware, operating systems, and the essential services that applications run on but not the broader foundational structures of IT.

Question 106

Applications monitoring

Answer 106

Pertains to overseeing individual software solutions and ensuring their security and performance.

Question 107

Risk appetite

Answer 107

Refers to an organization’s willingness to take on risk in pursuit of its business objectives. It reflects the organization’s strategic approach to risk and how much risk it is willing to undertake to achieve specific goals.

Question 108

Risk tolerance

Answer 108

Extent to which an organization is comfortable with the level of risk it is willing to take. It represents the organization’s ability to withstand potential losses or disruptions.

Answer 109

Risk acceptance means that an organization understands the level of risk that in involved in an activity and is willing to accept the outcomes of taking the risk. The risk is either accepted or not, there aren’t levels of risk acceptance.

Question 110

Risk deterrence

Answer 110

Taking measures to reduce or mitigate the impact of an event.

Question 111

MTTR

Answer 111

• mean time to repair
• refers to the measure of the time taken to repair a system or process after it experiences a failure or disruption.
• average time it takes to restore functionality

Question 112

RTO

Answer 112

• recovery time objective
• measure of the maximum time it takes to recover a system or process after a disruption
• represents the time within which normal operations need to be restored

Question 113

MTBF

Answer 113

• mean time between failures
• the measure of the average time between two consecutive failures of a system or component
• represents the average reliability or time between incidents.

Question 114

RPO

Answer 114

• recovery point objective
• measure of the maximum amount of data loss an organization is willing to tolerate in the event of a disruption
• determines the point in time to which data must be restored after recovery.

Question 115

Technical debt

Answer 115

• future cost of rectifying present-day shortcuts or less optimal solutions. It can arise when known inefficiencies aren’t addressed due to various constraints, like time.

Question 116

Complexity

Answer 116

Primarily denotes the intricacy of a system or process.

Question 117

Single point of failure

Answer 117

Refers to a vulnerable component whose failure can disrupt an entire system, not the consequence of avoiding known system inefficiencies.

Question 118

Cost

Answer 118

Pertains to the financial considerations of a decision or action, not the implications of deferring system improvements.

Question 119

Virtualization

Answer 119

Technology that allows creating multiple isolated environments on a single physical device. It can offer benefits such as resource optimization, isolation, flexibility, and security.

Question 120

Industrial control systems (ICS)

Answer 120

Systems that are designed to monitor and control physical processes in industrial environments, such as power plants, factories, or water treatment facilities, not creating multiple isolated environments on a single physical device.

Question 121

Containerization

Answer 121

Technology that allows running applications in isolated environments called containers, not creating multiple isolated environments on a single physical device.

Question 122

Software-defined networking (SDN)

Answer 122

Network technology that involves dynamically configuring and managing network devices and services through software, not creating multiple isolated environments on a single physical device.

Question 123

Capability

Answer 123

Pertains to a threat actor’s proficiency in devising new exploit techniques and tools. It can range from using commonly found attack tools to creating zero-day exploits in various systems. Those with the highest capabilities can even deploy non-cyber tools, such as political or military assets.

Question 124

Sophistication

Answer 124

Relates to the level of intricacy and advancement of a threat actor’s methods and tools, but does not directly address their skill in crafting novel exploits.

Question 125

SRTP

Answer 125

Secure Real-time Transport Protocol
- provides encryption, message authentication, and integrity for voice communications over IP
- designed to protect Real-time Transport Protocol (RTP) and RTP Control Protocol (RTCP) traffic.

Question 126

ICMP

Answer 126

• Internet Control Message Protocol
• mainly used by operating systems of networked computers to send error messages

Question 127

SAML

Answer 127

• Security Assertion Markup Language
• login federation protocol
• most effective approach for achieving a seamless user login experience for both internal employees and external partners
• allows for the secure exchange of authentication and authorization data between different organizations, enabling users to log in using their own organization’s credentials while accessing resources and applications from other federated organizations without the need for separate accounts
  -simplifies identity management and enhances user experience while maintaining centralized control.