Security+ Flashcards

1
Q

What is a phishing campaign?

A

Testing your team by sending out a phishing test and recording the results.

2
Q

What are the best practices to tell your team when it comes to security training?

A

Have guidance and training provided for members of your organization and third parties through various means, including policy handbooks and training on situational awareness. Maintain password management. Don’t leave cords and USBs lying around. Alert your people to social engineering. Let your people know what data attackers are looking for (operational security). Don’t let anyone other than the specified person access their systems if they’re working from home.

3
Q

What is an insider threat?

A

Someone in your organization attacking you. Defend against it by adding multiple approvals for critical processes, monitoring your files and systems as much as possible, and making it difficult for anyone to make an unauthorized change.

4
Q

In terms of security awareness, what is anomalous behavior?

A

Evidence of modifying host files, uploading sensitive files, replacing core OS files, logins from other countries, increased data transfers, etc.

5
Q

What is active reconnaissance?

A

Information needed before an attack that is gathered by going into the devices and systems themselves. Ping scans, port scans, and DNS queries, for example.

6
Q

What is passive reconnaissance?

A

Information needed before an attack that is gathered by learning as much as you can from open sources. Social media, websites, online forums, and social engineering, for example.

7
Q

In terms of pen tests, what is a partially known environment?

A

Partial disclosure. The pen test attacker is given only some information about the systems before the test begins. Focused on only certain systems.

Q

In terms of pen tests, what is an unknown environment?

A

Blind. The pen test attacker is given no information about the systems before the test begins.

8
Q

What are integrated penetration tests?

A

Red vs. Blue going together.

Q

In terms of pen tests, what is a known environment?

A

Full disclosure. The pen test attacker is given all of the information about the systems before the test begins.

9
Q

What are defensive penetration tests?

A

A pen test where a group (the Blue Team) attempts to identify pen test attacks in real time and tries to prevent unauthorized access.

10
Q

What are offensive penetration tests?

A

A pen test in which your systems are attacked and vulnerabilities are sought out to exploit (the Red Team).

11
Q

In terms of penetration tests, what makes them physical?

A

Making a device’s OS operate the way you want it to by physically modifying it, so lock your stuff up. A physical pen test is literally someone trying to physically gain access to your stuff.

12
Q

What is an independent third-party audit?

A

An audit performed by an external third-party that has no connection to the organization.

13
Q

In terms of external audits, what are assessments?

A

The third-party’s results of the examination (“You could make more money with a flop than with a hit”)

14
Q

In terms of external audits, what are examinations?

A

Hands-on researching in which records are viewed, reports are compiled, and details are gathered. (Leo Bloom).

15
Q

What is a regulatory audit?

A

An independent third-party performing an audit based upon an individual organization’s regulations and frequency requirements.

16
Q

What are external audits?

A

Audits done by a third-party.

17
Q

What are self-assessments?

A

Having the organization perform their own checks, and then consolidating the self-assessments into ongoing reports.

18
Q

What is an audit committee?

A

A committee of people that oversees risk management activities. They determine whether audits start or not.

19
Q

What is compliance?

A

Following the rules and regulations set up. Duh.

20
Q

What is attestation and acknowledgement?

A

Someone signing off that the compliance is in good standing. Also the guy responsible if documentation is incorrect.

21
Q

What is the right to be forgotten?

A

The user has the power, control, and decision over where their data goes and can request the removal of that data from search engines if they so choose.

22
Q

What is data inventory and retention?

A

Specific data that your organization stores and an inventory of that data (a listing of all managed data).

23
Q

Who is the data processor?

A

The person who processes and uses the data on behalf of the data controller. Often a third-party or different group, for example, a payroll company that processes and stores employee information.

24
Q

Who is the data controller?

A

The person who manages the purposes and means by which the data is processed. Manages how the data will be used, for example, the payroll department defines payroll amounts and timeframes.

25
Who is the data owner?
The person who is broadly responsible for data being stored and is accountable for specific data, for example, a VP of sales owns the customer relationship data, a treasurer owns the financial information of a company, etc.
26
What is the data subject?
Any information relating to an identified or identifiable natural person with personal data.
27
In terms of compliance monitoring, what is attestation and acknowledgement?
Someone signing off that the compliance is in good standing. Also the guy responsible if documentation is incorrect.
28
In terms of compliance monitoring, what is due diligence/care?
A duty to act honestly and in good faith. Investigating and verifying whether things are in compliance. Due diligence is you checking yourself; due care is a third party checking on you.
29
What is compliance monitoring?
Ensuring compliance in day-to-day operations through various methods. Can be performed internally, externally and (in large companies) automatically.
30
Name some consequences of non-compliance?
Fines, sanctions, reputational damage, loss of license, and contractual impacts.
31
What is external compliance reporting?
A third-party comes to your organization and evaluates your compliance with the rules.
32
What is internal compliance reporting?
An organization performing its own internal compliance, where it monitors and reports on organizational compliance efforts. Headed by a CCO. This information is used to provide details to customers or potential investors.
33
What are rules of engagement?
An important document used during a pen test that defines the pen test’s parameters and what’s going to be simulated in the attack.
34
What are questionnaires?
Part of due diligence and ongoing vendor monitoring: getting answers directly from the vendor by asking them a series of security-related questions.
35
What is vendor monitoring?
Ongoing management of the vendor relationship after a contract is signed.
36
What is a BPA?
Business Partners Agreement. A document outlining that you’re going into business with another company. Describes the financial contract, what owners have what stake in what parts of the business, and who is making what business decisions.
37
What is an NDA?
Non-disclosure Agreement. A confidential agreement between parties containing information that is not disclosed. If you know what’s in the NDA, you can’t talk about it with people outside of the agreement. Always formal and signed, but can either be unilateral or bilateral.
38
What is a WO?
Work Order (or Statement of Work). Specific list of items to be completed used in conjunction with the MSA that details the scope of the job, the location, acceptance criteria, etc.
39
What is an MSA?
Master Service Agreement. A legal contract that sets the terms between both organizations, and sets up a framework to be used to add additional work to the contract in the future.
40
What is an MOU?
Memorandum of Understanding. An informal letter of intent that outlines the basic services provided to a customer. Similar to an SLA, but not signed and less formal. MOUs can lead to SLAs.
41
What is an MOA?
Memorandum of Agreement. The step above an MOU. Both sides conditionally agree to the objectives laid out, and it can be considered a legal document, but it doesn’t have to contain all of the legal language.
42
What is an SLA?
Service Level Agreement. An agreement between customers and service providers that details the terms for services provided. Includes things like uptime, response time, etc. It keeps everyone on the same page.
43
What is conflict of interest?
Something that compromises the judgment on either side of the business relationship.
44
What are the four security control categories?
Technical, Managerial, Operational, and Physical.
45
What are Technical controls?
Controls implemented using some type of technical system, for example, setting up policies and procedures in an OS that would allow or disallow different functions from occurring. Firewalls, anti-virus, and other similar software fall under this category.
46
What are Managerial controls?
A series of policies that explain to end users the best way to manage their computers, data, or other systems. A security policy document or manual is an example of this.
47
What are Operational controls?
Controls implemented and/or carried out by people. Security guards, awareness programs, and posters are all examples of this.
48
What are Physical controls?
Controls that limit physical access to a building, room or device. Locks, fences, and badge readers are examples of this.
49
What are the six security control types?
Preventive, Deterrent, Detective, Corrective, Compensating, and Directive.
50
What is a Preventive control type?
A control type that blocks access to a resource.
51
What is a Deterrent control type?
A control type that discourages an intrusion, but does not directly prevent access.
52
What is a Detective control type?
A control type that identifies and logs an intrusion attempt.
53
What is a Corrective control type?
A control type that applies a control after an event has been detected.
54
What is a Compensating control type?
A control type that uses other means instead to compensate for what was originally intended (Plan B).
55
What is a Directive control type?
A control type that directs a subject towards security compliance.
56
A firewall is an example of what control category and type?
Technical Preventive.
57
Being informed you may receive a demotion for not following policy is an example of what control category and type?
Managerial Deterrent.
58
Guards patrolling a property is an example of what control category and type?
Operational Detective.
59
A fire extinguisher is an example of what control category and type?
Physical Corrective.
60
Requiring multiple security staff is an example of what control category and type?
Operational Compensating.
61
Compliance policies are an example of what control category and type?
Managerial Directive.
62
An on-boarding policy that states what you can and can’t do with company equipment is an example of what control category and type?
Managerial Preventive.
63
A splash screen issuing a warning is an example of what control category and type?
Technical Deterrent.
64
Reviewing printed out login reports is an example of what control category and type?
Managerial Detective.
65
Contacting the authorities after an incident has occurred is an example of what control category and type?
Operational Corrective.
66
Utilizing a power generator is an example of what control category and type?
Physical Compensating.
67
Having staff undergo security policy training is an example of what control category and type?
Operational Directive.
68
A guard shack set up outside of the entrance to a building is an example of what control category and type?
Operational Preventive.
69
A door lock is an example of what control category and type?
Physical Preventive.
70
A reception desk at the entrance of a building is an example of what control category and type?
Operational Deterrent.
71
Warning signs are an example of what control category and type?
Physical Deterrent.
72
Motion detectors are an example of what control category and type?
Physical Detective.
73
Writing out policies for how staff are to report issues after an issue has occurred is an example of what control category and type?
Managerial Corrective.
74
A backup recovery on a computer is an example of what control category and type?
Technical Corrective.
75
Having system logs on your computer is an example of what control category and type?
Technical Detective.
76
A sign that reads, “Authorized Personnel Only” is an example of what control category and type?
Physical Directive.
77
Separating duties to multiple staff members is an example of what control category and type?
Managerial Compensating.
78
Blocking an incomplete application on a system instead of patching the application is an example of what control category and type?
Technical Compensating.
79
File storage policies on an OS are an example of what control category and type?
Technical Directive.
80
What is the CIA Triad?
A combination of principles concerning the fundamentals of security: Confidentiality, Integrity, and Availability.
81
In the CIA Triad, what is Confidentiality?
Ensures that information being exchanged is confidential or private. The concept includes the prevention of disclosure of information to unauthorized individuals or systems. This is achieved through encryption, two-factor authentication, and access controls.
82
In the CIA Triad, what is Integrity?
Ensures that information stored or sent to someone else will stay the same while in transit or while it’s saved. This is achieved by hashing, digital signatures, certificates and non-repudiation.
83
In the CIA Triad, what is Availability?
Ensures that all of your systems and networks remain up and running. This is achieved through redundancy, fault tolerance, and patching.
84
How does encryption ensure confidentiality is achieved in the CIA Triad?
Messages are encrypted so that only certain people can read them. If someone receives a message without the means to decode it, they are out of luck.
85
How does two-factor authentication ensure confidentiality is achieved in the CIA Triad?
Two-factor authentication requires an additional confirmation of who the person receiving the information is before access is allowed. If they cannot provide this, access is not given.
86
How do access controls ensure confidentiality is achieved in the CIA Triad?
Access controls set limits to who has access to certain types of information. A person will not be able to access information if they have not been allowed access in the access controls.
87
How does hashing ensure integrity is achieved in the CIA Triad?
The person sending the data will create a hash of the data and send you both the data and the hash at the same time. When you receive the data, you’ll perform the same hashing function, and if your hash matches the sender’s hash, then you’ll know the data you’ve received is exactly the same as the data that was sent.
88
How do digital signatures ensure integrity is achieved in the CIA Triad?
A digital signature takes a hash and encrypts it. If the receiver can decode the digital signature (encrypted hash) AND the data hash, then they know the data is good.
89
How do certificates ensure integrity is achieved in the CIA Triad?
Certificates identify devices or people sending data from one device to another.
90
How does non-repudiation ensure integrity is achieved in the CIA Triad?
Non-repudiation provides proof of integrity that proves data originated from an original party.
91
How does redundancy and fault tolerance ensure availability is achieved in the CIA Triad?
Redundancy and fault tolerance allow for multiple technologies to be in play at once so that if one fails, another can take its place.
92
How does patching ensure availability is achieved in the CIA Triad?
To make sure your systems don’t go down due to software being out of date and failing, you’ll need to constantly make sure your systems are managed and updated by patching them. Patching closes security holes and makes your systems stable.
93
What is non-repudiation?
The ability to verify whether the information received is from the sender that the information says it’s from. A non-technological example would be signing a document. Only you have your own signature, so that adds non-repudiation to the document you’re signing.
94
What is proof of integrity?
Any data that’s received can be verified that it is the exact same data that was originally sent, and nothing inside of the data has been changed. This can be accomplished by using a hash.
95
What is a hash?
A short string of text that can be created based upon data contained within the plain text. Also known as a message digest or a fingerprint. It’s impossible to recover the original message with just the hash.
96
True or False: If data changes, the hash changes?
True
97
What is tokenization?
Replacing sensitive data sent across the network with a non-sensitive placeholder. The number is replaced with a nonsense number while being sent and then decrypted to the actual number on the other end. Used during credit card purchases.
98
What is steganography?
Hiding information inside of an image, TCP packets, audio files, video files, and invisible watermarks on printed pages. Security through obscurity. Can be reverse engineered if you figure out how it was hidden.
99
What are the downsides of a hash?
The downside of a hash is that it only tells you if the data has changed, but it doesn’t tell you who changed it. Hashes are not associated with individuals.
100
What is proof of origin?
An additional level of integrity that verifies the individual who sent you the data by providing a digital signature from the sender. Anybody can see the signature, but only the signer has the private key. The receiver uses a public key that anybody can get to examine the digital signature, decrypt it, and verify that the hash of the plain text has not been altered. A digital signature is created with a private key that’s shared, and verified with a public key, the opposite of the process of encrypting data.
101
What are the three A’s in the AAA framework?
Authentication, Authorization, and Accounting.
102
What is Authentication?
The check between your username, your password, and any other authentication factors. It proves we are who we say we are.
103
What is Authorization?
What type of access one has after they’ve proven who they are through identification and authentication.
104
What is Accounting?
A log of who has logged in, sent and received data, and logged out.
105
What is Identification?
Who you claim to be. This is usually a username.
106
Briefly explain how the AAA framework works.
Here’s how it works: You’re trying to access an internal file server remotely, one that’s on the other side of a VPN concentrator. You try to access the file server, and the VPN concentrator prompts you to authenticate. Now, the VPN concentrator itself doesn’t store your authentication credentials, but it does have access to a AAA server that does, so when you put in your credentials, the VPN concentrator asks the AAA server if what you put in matches info already put into the database. If it does, you’re approved and you can access the file server.
107
What do you do when something needs to authenticate but there is no end user to physically type in a password?
We do this by putting a digitally signed certificate on the device so that firewalls and VPNs can recognize the device as one that is owned by the organization. Management software can validate the end device.
108
How do you make device certificates?
You can make device certificates by utilizing a CA (Certificate Authority). Most organizations maintain their own CAs. They’re usually a type of software. The organization creates a certificate on the device and then digitally signs it. The digital signature validates the certificate. It’s like a software version of an asset tag, and allows only certified devices to access certain things.
109
What is an authorization model?
Also called an abstraction. The model used to give groups of users specific rights and permissions to different data. (Bruh, it’s just OUs).
110
What is gap analysis?
A study of where we are versus where we would like to be. It requires research and consideration of many different IT and security factors in order to close that gap and make sure everything is completed without tripping over itself.
111
What are the four gap analysis strategies?
- Work towards a known baseline, or internal set of goals.
- Get a baseline of employees, their experience, training and knowledge.
- Look at what you currently have IT-wise, and compare and research better alternatives.
- Create a final document that summarizes everything you’ve discovered, how much time, money, and change control it’s going to take, a formal description of the current state, and how to get to the established baseline. This is called a Gap Analysis Report.
112
What is zero trust?
A holistic approach to network security that covers every device, process and person. You have to authenticate every time you want to gain access to a particular resource.
113
Explain the concept of planes of operation?
Having your network split into functional planes. A common practice is splitting your network into a data plane (the plane that includes all of your data processing, forwarding, trunking, encrypting, NAT, etc.) and the control plane (the plane that manages how that data is moved and forwarded). Think of it this way: On a switch, you have your ports that process and move data from one place to another, and that’s your data plane, but that switch is also configured to know how that data is supposed to move and has specific network address settings, and those ports are configured to do so. That’s your control plane.
114
What is adaptive identity?
Where you examine the identity of an individual and apply security controls based on other factors than just what the end user told you, such as the end user’s physical location, their relationship to the organization, their type of connection, and their IP address.
115
What is threat scope reduction?
Limiting how many places can be used to get into the network, such as only allowing people in the building access, or only allowing access to the network via a specific VPN.
116
What is policy-driven access control?
Combining adaptive identity with a predefined set of rules to determine if the person trying to log in is really that person.
117
What are security zones?
Examines where you’re connecting from and where you’re connecting to, to determine what devices can be trusted to connect to the network. They will allow devices connecting from a trusted zone and disallow devices connecting from an untrusted zone.
118
What is PDP?
Policy Decision Point (PDP). A policy engine and policy administrator working together to determine whether traffic supplied by the PEP can be allowed or disallowed.
119
What is PEP?
Policy Enforcement Point (PEP). The gatekeeper that all network traffic goes through. Can be one device or multiple devices working together checking different policies on things.
120
What is a policy engine?
The component that looks at all of the requests that are coming through the network, examines each request, compares it to a set of predefined security policies, and then makes a decision on whether the request is granted, denied, or revoked.
121
What is a policy administrator?
Takes the decision made by the policy engine and provides that information to the PEP.
122
What are barricades and bollards?
Allow people access by channeling them to a specific point, but prevent vehicles.
123
What is an access control vestibule?
A place people have to go into first before accessing another part of the building. Opening one door causes another one to lock, or vice versa.
124
What is video surveillance?
Or CCTV. Security cameras that watch areas to see if unauthorized people are gaining access. Can have motion or object detection.
125
What are guards?
A person physically protecting something at the reception area of a facility. They also validate the identification of existing employees.
126
What is two-person integrity/control?
Two guards working together for security. Sometimes jobs are divided between the two so that no one person has access to everything.
127
What are access badges?
Badge that identifies you. Has your picture, name, and other details printed on it, must be worn at all times, and is sometimes electronically logged.
128
How does lighting enhance security?
More light means more security. Attackers avoid the light, so keep your entrances well lit for both guards and cameras.
129
What are infrared sensors?
A common sensor found in motion detectors that detects infrared radiation in both light and dark rooms.
130
What are pressure sensors?
Sensors that detect a change in force in a room.
131
What are microwave sensors?
Similar to infrared sensors, but utilized in large rooms.
132
What are ultrasonic sensors?
Detect motion and collision through ultrasonic sound waves reflected off of surfaces.
133
What is a honeypot?
Setting up a fake system to attract a bad guy, monitoring how they are attempting to override your fake system, and then recording their methods to implement securities on your real system. Tricking evil Winnie the Pooh and trapping him.
134
What is a honeynet?
A bunch of honeypots networked together. Very sticky.
135
What is a honeyfile?
A fake file with fake information to attract a bad guy. An alert is sent once the file is accessed.
136
What are honeytokens?
A bit of traceable data added to your honeynet. If data is stolen and shared, you will be notified and can trace it to who stole it.
137
What is change management?
Or Change Approval Process. The formal process an IT administrator goes through to ensure that a change to the systems goes through properly and without messing anything up.
138
What are the basic best practices of change management?
Have clear policies that include the frequency, duration, installation process, and rollback procedures should they not work, of updates and changes to your systems.
139
What are the seven steps of the change control process?
1) Fill out an approval process request form.
2) Explain what the change is and why it’s being implemented.
3) Identify the scope of the change, or how big this change will be.
4) Schedule a date and time for the change to take place.
5) Determine the affected systems and the impact on those systems.
6) Analyze the risk associated with the change.
7) Get approval from the change control board to go ahead with the change.
140
In terms of change management, what is ownership?
The individual or entity who discovers a change needs to be made. For example, the head of Shipping and Receiving gets a notification on his computer saying all of the department’s address label printers need to be updated. Shipping and Receiving owns this process, but it’s the IT department that will actually be making this change.
141
What are stakeholders?
Individuals or departments that will be impacted by the change you’re proposing. They’re going to want input on the change management process, and some type of control over when the change occurs. Take into account who all is going to be impacted by the change. Look beyond the immediate impact and look through the whole process.
142
What is impact analysis?
Determining what sort of risk is going to be involved when a change is made, i.e., fixes that don’t fix anything, fixes that break something else, OS failures, etc. Alternatively, it could also mean what risks are going to be involved if a change is NOT made, i.e., security vulnerability, application unavailability, or unexpected downtime. Risks can be high, medium, or low.
143
What is sandbox testing?
An environment set up to test changes that has no actual connection to the real world or your production systems. A technological safe space. A place to test and confirm before deployment. Also a really good place to test your backout plan.
144
In terms of change management, what is a backout plan?
A plan to back out of an implemented change should things go wrong and mess up your systems. Always have a way to revert to your original settings before the change was implemented. Always have backups.
145
What is a maintenance window?
When the best time would be to implement a change, that would have as little impact on production as possible.
146
In terms of change management, what should be included on your company’s intranet?
Standard operating procedures should be available on your company’s intranet, along with any and all well documented change processes.
147
What is an allow list?
Nothing runs unless it’s approved. Very restrictive.
148
What is a deny list?
Everything runs unless it’s denied. Very flexible.
149
True or False: Anti-Virus programs are basically really big deny lists?
True
150
In terms of the change control process, what are restricted activities?
In the change control process, this is a specified list of things you can actually do during the change window to implement the change. You can’t do anything outside of this scope unless change management says so. Scope can be expanded and approved as the change progresses.
151
What is downtime?
The time during a change in the change control process where services are unavailable because of the change, usually scheduled during non-production hours.
152
What is the best practice to implement if there is no way to prevent downtime during a change control process?
If there’s no way to prevent any downtime in your organization while making a change, try switching users to a secondary system, upgrading their primary systems, and then switching them back.
153
What are service restarts?
Usually, after a change is made to systems, you’ll need to restart either the service, the application, the OS, or the whole system in order for the change to start working.
154
What are legacy applications?
Applications that have been running in the organization for a long, long time and are probably no longer supported by the developer. Be careful with deleting or changing these because there may not be a way to bring them back. Document how they’re installed and hang onto it in case a change needs to be made.
155
What are dependencies?
Applications or services dependent on another in order to run. Changes will need to be made to one application or service before you’re able to install or update another application or service. It’s a pain.
156
In terms of the change control process, what is documentation?
It’s difficult to keep up with all of the changes that are made in an organization so document EVERYTHING and keep it up to date. Stay organized. It will save you headaches in the future. Update your diagrams and IP addresses. Rewrite your processes and procedures and keep them handy.
157
What is version control?
Keeping track of changes to a file or configuration of data over time. If a file updates, save the previous version before upgrading to the new so you’ll have a backup of the old on hand in case something goes wrong.
158
What is PKI?
Public Key Infrastructure. The policies, procedures, hardware and software responsible for creating, distributing, managing, storing and revoking digital certificates. PKI also refers to the act of binding a public key to a person or device by issuing it a certificate.
159
What is symmetric encryption?
A single, shared key. You encrypt data with the key and decrypt data with the key. If the key gets out, you’ll need another key. Also known as a secret key algorithm or a shared secret. It doesn’t really scale very well because it’s only one key shared between a bunch of people. It is very fast, however.
160
What is asymmetric encryption?
Public key cryptography. Two mathematically related keys, generated together as a pair. Data encrypted with one key can only be decrypted with the other. One key is kept private (never shared); the other is the public key and can be given to anyone. Anything encrypted with the public key can only be decrypted by the holder of the matching private key, so anyone can send the key holder a message that nobody else can read.
161
True or False: You can derive the private key from the public key?
False
162
What is key escrow?
Someone else holding onto your decryption keys, either within your organization or with a third party.
163
What is data at rest?
Data that’s stored on storage devices such as SSDs, hard drives, USB drives, cloud storage, etc.
164
What are two examples of full-disk and partition/volume encryption software?
BitLocker (Windows OS) and FileVault (Mac OS).
165
True or False: You can encrypt individual files on Windows using EFS (Encrypting File System), and other OSs using other third party utilities?
True
166
True or False: Much of the data used by online applications is stored in a database?
True. That makes the database itself a data-at-rest store that needs its own protection.
167
What is transparent encryption?
Symmetric key encryption applied to an entire database. Data is decrypted transparently every time it’s read and encrypted again when written, so the application doesn’t have to change, but every query pays the cost.
168
What is record-level encryption?
Encrypting only specific fields (columns) of each record while the rest stays in plaintext. For example, the name column is readable but the SSN column is encrypted, usually with its own key.
169
What is transport encryption?
Protecting data as it crosses the network. Browsers do this with encrypted protocols such as HTTPS (HTTP over TLS, normally on port 443). VPNs are another example: site-to-site VPNs typically use IPsec, and client-based VPNs often use SSL/TLS.
170
What are algorithms?
The defined process used to encrypt and decrypt data. Both sides agree on the algorithm before data is exchanged, though the details are usually hidden from the end user; encryption and decryption must use the same algorithm or it won’t work. The algorithm itself is generally public and well studied; the only secret is the key. Knowing how an algorithm works does not let you recover the key from the ciphertext.
171
True or False: Keys are not subject to brute-force attacks?
False. Keys are subject to brute-force attacks, which is why key length matters: every extra bit doubles the number of keys an attacker must try, so the longer the key, the harder it is to guess.
172
What is key strengthening?
Also known as key stretching. The process of making a key derived from a password harder to brute-force by hashing it repeatedly (a hash of a hash of a hash of the password), so each guess costs the attacker far more work. PBKDF2 and bcrypt are common implementations.
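Key stretching in working code, as an added example that is not part of the original deck: PBKDF2-HMAC-SHA256 from Python’s standard library, with a random per-password salt and a self-describing storage record. The iteration count, the record format and the sample passwords are assumptions for this example. Every verification re-runs the same stretched derivation, which is exactly what makes each brute-force guess expensive.

```python
import hashlib
import hmac
import os

# Iteration count is an assumption for this example; raise it until a single
# derivation costs as much time as your login path can afford.
ITERATIONS = 200_000
KEY_LENGTH = 32  # bytes


def stretch(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: the hash is iterated `iterations` times, so every
    brute-force guess costs the attacker the same work the defender pays once."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_LENGTH)


def store_password(password: str, iterations: int = ITERATIONS) -> str:
    """Produce a self-describing record: algorithm, iterations, salt and key."""
    salt = os.urandom(16)  # per-password salt defeats precomputed tables
    key = stretch(password, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Re-derive with the stored parameters and compare in constant time."""
    algorithm, iterations, salt_hex, key_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algorithm}")
    derived = stretch(candidate, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(derived, bytes.fromhex(key_hex))


if __name__ == "__main__":
    record = store_password("correct horse battery staple")
    print(record)
    print("right password:", verify_password(record, "correct horse battery staple"))
    print("wrong password:", verify_password(record, "Tr0ub4dor&3"))
```

Storing the iteration count in the record lets you raise it later for new passwords without breaking verification of old ones; the constant-time comparison avoids leaking how many bytes of the key matched.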
173
What is key exchange?
Sharing an encryption key across an insecure medium.
174
What is out-of-band key exchange?
Using other means than the internet to share an encryption key. Telephone, using a courier, handing it off in person, etc.
175
What is in-band key exchange?
Sharing an encryption key on the network and protecting the encryption with additional encryption.
176
What are session keys usually used for?
Session keys are usually used for temporary services.
177
Briefly explain how to create a symmetric key using public key cryptography?
Bob on his computer has a private and public key. Alice on her computer also has her own private key and public key. Bob shares his public key with Alice, and Alice shares her public key with Bob. Each of them combines their own private key with the other’s public key, and both arrive at the same symmetric key. This is the Diffie-Hellman key exchange: an eavesdropper who sees only the two public keys cannot compute the shared key.
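The Bob-and-Alice exchange above, carried out in code as an added example that is not part of the original deck. It uses finite-field Diffie-Hellman with the published 1024-bit MODP group from RFC 2409 (group 2), transcribed here for illustration; real deployments should use a 2048-bit or larger group or elliptic-curve DH from a vetted library. Only the two public values cross the network, and both sides hash the raw shared secret down to a 32-byte symmetric key.

```python
import hashlib
import secrets

# Finite-field Diffie-Hellman parameters: the 1024-bit MODP group (RFC 2409,
# group 2), transcribed here for illustration. Production code should use a
# 2048-bit or larger group, or elliptic-curve DH, via a vetted library.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2
P_BYTES = (P.bit_length() + 7) // 8


def generate_keypair():
    """Private key: random exponent. Public key: G^private mod P."""
    private = secrets.randbelow(P - 3) + 2        # in [2, P-2]
    public = pow(G, private, P)
    return private, public


def derive_shared_key(my_private: int, their_public: int) -> bytes:
    """Combine my private key with the other side's public key.
    Both sides compute G^(a*b) mod P, so the result is identical."""
    # Reject degenerate public values (0, 1, P-1) that force a trivial secret.
    if not 2 <= their_public <= P - 2:
        raise ValueError("invalid peer public value")
    shared_secret = pow(their_public, my_private, P)
    # Hash the raw group element down to a fixed-size symmetric key.
    return hashlib.sha256(shared_secret.to_bytes(P_BYTES, "big")).digest()


def exchange():
    """Full exchange between Bob and Alice; returns both derived keys."""
    bob_private, bob_public = generate_keypair()        # Bob's key pair
    alice_private, alice_public = generate_keypair()    # Alice's key pair
    # Only bob_public and alice_public cross the insecure network.
    bob_key = derive_shared_key(bob_private, alice_public)
    alice_key = derive_shared_key(alice_private, bob_public)
    return bob_key, alice_key


if __name__ == "__main__":
    k1, k2 = exchange()
    print("Bob's key:  ", k1.hex())
    print("Alice's key:", k2.hex())
    print("match:", k1 == k2)
```

The range check on the peer’s public value is the part beginners leave out: accepting 0, 1 or P-1 lets an active attacker force the shared secret to a value they already know.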
178
What is TPM?
Trusted Platform Module. Cryptography hardware built into a device. Contains a cryptographic processor, a random number generator, key generators, persistent memory with unique keys burned in during manufacturing, and versatile memory for the keys you generate and for hardware configuration data.
179
What is HSM?
Hardware Security Module. A standalone device whose sole purpose is to provide cryptographic keys to many devices in large environments. It securely stores thousands of cryptographic keys.
180
What is a key management system?
A centralized console that keeps track of all of your different keys for all of your different servers, users, and devices. Logs key use and other important events.
181
What is a secure enclave?
A security processor built into the systems we use.
182
What is obfuscation?
The process of making something unclear and more difficult to understand.
183
True or False: Tokenization replaces sensitive data with a token that has no mathematical relationship to the original, so no encryption or hashing of the token is involved and an intercepted token is useless on its own?
True. The original data still exists in the token vault, however, and that vault must be protected.
184
What is an IPS signature rule?
An IPS looks at traffic as it passes by. A signature based rule in an IPS is looking for a perfect match of specific malicious traffic.
185
What is an IPS trend rule?
An IPS looks at traffic as it passes by. A trend based rule in an IPS is looking for a trend of traffic that is similar to malicious traffic, and blocks all traffic that looks like the trend.
186
What is due diligence?
Investigating a company before doing business with them.
187
What is supply chain analysis?
A security analysis of the entire system involved in creating a product within the supply chain. An understanding of this entire chain and tweaking it in case there are any weaknesses.
188
In terms of third party risk assessment, what are independent assessments?
Bringing in an expert or team of experts from outside of your company to evaluate security and provide recommendations.
189
In terms of third party risk assessment, what is evidence of internal audits?
Documentation from an audit of the vendor’s security controls, often performed by a separate third party, covering the relationship between you and that vendor. You review this evidence rather than performing the audit yourself.
190
What is a right-to-audit clause?
A legal agreement to have the option to perform a security audit on a third-party vendor at any time.
191
What is penetration testing?
Simulating an attack to exploit vulnerabilities.
192
What is vendor assessment?
Analyzing how good, trustworthy, reliable, and safe a vendor is so your company may utilize them.
193
What is MTBF?
Mean Time Between Failures. The average time between one outage or break and the next.
194
What is MTTR?
Mean Time To Repair. Basically, the average time required to fix a particular problem.
195
What is RPO?
Recovery Point Objective. How much data must be restored (how far back in time) before you can say you’re back up and running; in practice, the maximum amount of data loss you can tolerate.
196
What is RTO?
Recovery Time Objective. The amount of time it takes to get your systems up and running to a particular service level.
197
What is a risk reporting document?
A formal document that identifies the risks of a project so that the company knows what they’re getting into.
198
What is the mitigate risk management strategy?
A company attempting to decrease a risk level.
199
What is the avoid risk management strategy?
A company says nope and stops participating in risky activity.
200
What is the accept with exception risk management strategy?
The company takes the risk, and its existing policies remain in force; the deviation is documented as an exception. For example, a patch that breaks an application is deliberately not installed even though the patching policy says it must be.
201
What is the accept with exemption risk management strategy?
The company takes the risk, and they exempt their existing policies by doing so.
202
What is the accept risk management strategy?
The company takes the risk and accepts the responsibility for that risk.
203
What is the transfer risk management strategy?
Move the risk to another party, or buy some cybersecurity insurance, for example.
204
What are the four risk management strategies?
Transfer, accept, avoid, mitigate.
205
What is risk tolerance?
An acceptable variance (usually larger) from the risk appetite. For example, drivers are ticketed for going over the speed limit, but it’s usually for going 20 mph over and not 5 mph over. The tolerance is larger than the appetite.
206
What is risk appetite?
A broad description of risk-taking deemed acceptable. The amount of accepted risk before taking any action to reduce that risk. For example, the government set the speed limit to 55 mph. This limit is deemed an acceptable balance between safety and convenience.
207
What is risk threshold?
The level of risk at which action must be taken; in practice, the balance between the time and money the risk owner spends managing the key risk indicators on the risk register and the risk they represent.
208
Who is the risk owner?
The person responsible for managing the key risk indicators on the risk register.
209
What are key risk indicators?
Measurable indicators tied to the risks on the risk register that show when a risk is becoming more likely or more damaging.
210
What is a risk register?
A document that identifies the risk associated with each step of a project, and offers possible solutions to those risks.
211
In terms of risk analysis, what is impact?
List of considerations for a company, including life, property, safety, and finance.
212
What is exposure factor?
The percentage of the value of an asset lost due to an incident.
213
What is likelihood?
A qualitative measurement of risk (is it rare, possible, almost certain, etc.)
214
What is probability?
A quantitative measurement of risk (a statistical measurement based upon historical data).
215
What is AV?
Asset Value. The value or importance of a particular asset to an organization.
216
What is ARO?
Annualized Rate of Occurrence. How often a risk will occur in a single year.
217
What is ALE?
Annualized Loss Expectancy. The monetary loss received over the course of a year. ARO x SLE = ALE
218
What is SLE?
Single Loss Expectancy. The monetary loss received if one single event occurs. AV x EF = SLE
219
What is quantitative risk analysis?
A statistical measurement of how exactly risky something is based upon data.
220
What is qualitative risk analysis?
Looks at different risk factors and the criteria for each of the risk factors in broad terms.
221
What is a continuous risk assessment?
A risk assessment of a continuous process such as change control.
222
What is a one-time risk assessment?
A risk assessment specifically designed to assess a one-time project.
223
What is a recurring risk assessment?
A risk assessment repeatedly done on a standard schedule.
224
What is an ad hoc risk assessment?
A risk assessment designed to look at only one specific threat.
225
What are the four types of risk assessment?
Ad hoc, recurring, one-time, continuous.
226
What is risk management?
Broadly looking at security and understanding potential risks. Allows an organization to identify where risks might be and be able to address them before they become a much larger problem.
227
In terms of data roles and responsibilities, who are custodians/stewards?
The person responsible for data accuracy, privacy, and security. Works directly with the data.
228
In terms of data roles and responsibilities, who are processors?
The party that processes and uses the data on behalf of the data controller. Often a third party or a different group, for example, a payroll company that processes and stores employee information.
229
In terms of data roles and responsibilities, who are controllers?
The party that determines the purposes and means by which the data is processed. Manages how the data will be used, for example, the payroll department defines payroll amounts and timeframes.
230
In terms of data roles and responsibilities, who are owners?
The person who is broadly responsible for data being stored and is accountable for specific data, for example, a VP of sales owns the customer relationship data, a treasurer owns the financial information of a company, etc.
231
What are the three levels of geographic security considerations?
Local/regional, national, and global.
232
What are industry security considerations?
The security processes and procedures for specific industry requirements, depending on what that industry is. For example, the security procedures for maintaining electrical power and public utilities.
233
What are legal security considerations?
The processes and procedures for holding data required for legal proceedings, reporting illegal activities, and mandates for the timely reporting of security breaches.
234
What are regulatory security considerations?
Security practices mandated by regulators that organizations subject to them must follow, commonly including logging, data storage, data protection, and retention.
235
What is the difference between centralized and decentralized governance?
Centralized governance is located in one location with a group of decision makers. Decentralized governance spreads the decision-making process around to other individuals or locations.
236
What are government entities?
Governance by government bodies that usually meet in public and must move objectives forward while dealing with legal issues, administrative requirements, and political issues.
237
What are committees?
Subject-matter experts that consider the input from a board and work on putting the next steps together to meet particular goals and objectives set by the board. Once completed, they present what they’ve done to the board.
238
What are boards?
A panel of specialists that set the tasks or series of requirements for a committee to follow. Usually very broad objectives.
239
What are three examples of governance structures?
Boards, committees, and government entities.
240
In terms of security procedures, how should you approach monitoring and revision?
Technology is always changing, and because of that, processes and procedures have to change also. For example, you might at some point need to update your security posture and have tighter change control, or update your playbooks.
241
What are playbooks?
Conditional steps to follow in the case of a particular event. For example, a checklist of what happens if, say, there’s a data breach, or you need to recover a device from ransomware. Can sometimes be implemented into a SOAR platform (Security Orchestration, Automation, and Response), and automated.
242
What is onboarding/offboarding?
A policy that describes how a user comes onboard the network and how they leave the network. Accounts are created (or disabled) for them, documents are signed, they’re provided with (or give back) company technology, etc.
243
What are the steps in the change management procedures?
The change management procedure is: determine the scope of the change, analyze the risk associated with the change, create a plan, get end-user approval, present the proposal to the change control board, have a backout plan in case the change doesn’t work, and document the changes.
244
In terms of security standards, what are the best practices to have for encryption?
Your organization should have a standard definition of what data must be encrypted and how: how passwords are stored, which hashing algorithm is used, and the minimum encryption strength required for data at rest, in transit, and in use.
245
In terms of security standards, what are the best practices to have for physical security?
Your organization should have a standard definition of rules and policies regarding physical security controls, such as doors and building access. It should detail how users are granted physical access (whether they’re employees or visitors).
246
In terms of security standards, what are the best practices to have for access control?
Your organization should have a standard definition of how the organization accesses data, who can access it, what can they access, what time can they access, and under which circumstances. It should detail whether discretionary access is allowed or not. How users get access and how access is removed.
247
In terms of security standards, what are the best practices to have for passwords?
Your organization should have a standard definition of what makes a good, complex password, and should have documentation that everyone knows about and follows. Acceptable authentication methods should be defined in this documentation as well, along with the policies for password resets.
248
What are security standards?
A formal definition for using security technologies and processes. Everyone understands the expectations, and complete documentation of this reduces security risk.
249
What is change management?
Change management includes the frequency (how often changes are made), duration (the time frame in which changes can be made), installation process (the time it takes for the actual change to be implemented), and fallback procedures (to employ in case something goes wrong during the change) of a change being made on the network.
250
What is SDLC?
Software Development Lifecycle. Moving through the idea phase of developing software, all the way to the successful launch of an application. There’s the waterfall method and the agile method.
251
What is an incident response plan?
What to do if there is an IT-specific breach of the network. An incident response team may be needed to carry out the response.
252
What is a disaster recovery plan?
What to do if a disaster happens. Very comprehensive.
253
What is business continuity?
What to do when the devices and systems you use every day stop working. How you continue with business as planned without your primary technology up and running.
254
What is an AUP?
Acceptable Use Policy. A policy that describes what a user can and cannot do with company assets, those being internet use, phones, computers, mobile devices, etc. Limits legal liability for the organization.
255
What are information security policies?
The big list of all security-related policies, and a centralized resource for all the processes. Usually compliance requirements, not opinions. Contains detailed security procedures, and a list of roles and responsibilities.
256
What are packet captures?
Using a utility like Wireshark to get details on packets sent across your network. Detailed information about traffic flows at the packet level. Everything is captured.
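What "everything is captured" looks like at the byte level, as an added example that is not part of the original deck: a small Python parser for the classic pcap format Wireshark and tcpdump write, run over a one-frame capture constructed inline (the addresses, ports and MAC addresses are made up for this example). It walks the file header and each record, then decodes Ethernet, IPv4 and TCP headers, which is the same packet-level detail Wireshark shows in its dissector pane.

```python
import struct
from ipaddress import IPv4Address

PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def build_sample_pcap() -> bytes:
    """Constructed capture with one frame: a TCP SYN 10.0.0.5:51515 -> 10.0.0.9:443.
    Addresses, ports and MACs are made up for this example."""
    tcp = struct.pack("!HHIIBBHHH", 51515, 443, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64,
                     IPPROTO_TCP, 0, IPv4Address("10.0.0.5").packed,
                     IPv4Address("10.0.0.9").packed)
    eth = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
           + struct.pack("!H", ETHERTYPE_IPV4))
    frame = eth + ip + tcp
    global_header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535,
                                LINKTYPE_ETHERNET)
    record_header = struct.pack("<IIII", 1700000000, 250000, len(frame), len(frame))
    return global_header + record_header + frame


def parse_frame(frame: bytes, timestamp: float) -> dict:
    """Decode Ethernet -> IPv4 -> TCP headers from one captured frame."""
    info = {"ts": timestamp, "dst_mac": frame[0:6].hex(":"),
            "src_mac": frame[6:12].hex(":")}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        info["proto"] = f"ethertype 0x{ethertype:04x}"
        return info
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IP header length in bytes
    total_len, = struct.unpack("!H", ip[2:4])
    info.update(ttl=ip[8], src_ip=str(IPv4Address(ip[12:16])),
                dst_ip=str(IPv4Address(ip[16:20])))
    proto = ip[9]
    payload = ip[ihl:total_len]
    if proto != IPPROTO_TCP:
        info["proto"] = f"ip proto {proto}"
        return info
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", payload[:14])
    data_offset = (off_flags >> 12) * 4           # TCP header length in bytes
    flags = [name for bit, name in TCP_FLAG_NAMES if off_flags & bit]
    info.update(proto="tcp", src_port=sport, dst_port=dport, seq=seq, ack=ack,
                flags=flags, payload_len=len(payload) - data_offset)
    return info


def parse_pcap(data: bytes) -> list:
    """Walk a classic (non-pcapng) capture file and decode every record."""
    magic, = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    link_type = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if link_type != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {link_type}")
    packets, offset = [], 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated capture record")
        offset += incl_len
        packets.append(parse_frame(frame, ts_sec + ts_usec / 1e6))
    return packets


if __name__ == "__main__":
    for pkt in parse_pcap(build_sample_pcap()):
        print(pkt)
```

The magic number check is what tells the parser the file’s byte order; the same bytes written by a big-endian host read as 0xD4C3B2A1 from a little-endian view. Real captures will also contain pcapng files, IPv6, VLAN tags and non-TCP traffic, each of which needs its own branch in the dissector.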
257