Security + Videos Flashcards
Pass the First Time
Which are common solutions that can contribute to a data loss prevention initiative? Select all that apply.
A. Cloud access security brokers (CASB)
B. Database activity monitors (DAM)
C. Intrusion detection systems (IDS)
D. Secure email gateways (SEG)
E. Endpoint detection and response (EDR)
F. Access control lists (ACL)
A. Cloud access security brokers (CASB); B. Database activity monitors (DAM); D. Secure email gateways (SEG); E. Endpoint detection and response (EDR)
Explanation:
A. Cloud Access Security Brokers (CASB): Provide visibility and control over data in cloud services, ensuring compliance and protecting against data leaks.
B. Database Activity Monitors (DAM): Monitor and analyze database activities to detect unauthorized access and prevent data breaches.
D. Secure Email Gateways (SEG): Protect emails from threats like phishing and data leaks, ensuring secure communication.
E. Endpoint Detection and Response (EDR): Monitor endpoints for suspicious activities and potential data exfiltration, enabling quick responses to threats.
Not Primarily Focused on DLP:
C. Intrusion Detection Systems (IDS): Detect intrusions and malicious activity on the network or host; an IDS may alert on a known exfiltration signature, but it does not classify or control data, so it is not a DLP component on its own.
F. Access Control Lists (ACL): Define who may access a resource (a preventive access control) but do not inspect, classify, or track the data itself, which is what DLP is about.
Which port does LDAPS use?
A. 993
B. 443
C. 636
D. 389
C. 636. LDAPS wraps LDAP in TLS on TCP 636; plain LDAP uses 389 (a 389 session can also be upgraded with STARTTLS). 993 is IMAPS and 443 is HTTPS.
Which Internet service facilitates signature validation authentication using additional extensible record types?
A. DNSSEC
B. IPsec for IPv6
C. OpenDNS
D. TLS 1.3
A. DNSSEC
DNSSEC (Domain Name System Security Extensions) facilitates signature validation and authentication by adding cryptographic signatures to DNS records through new record types: RRSIG (the signature over a record set), DNSKEY (the zone's public keys), DS (the parent's hash of a child DNSKEY, which builds the chain of trust), and NSEC/NSEC3 (authenticated denial of existence). A validating resolver checks the signatures up to a trust anchor, which proves the authenticity and integrity of DNS data and protects against cache poisoning and spoofing. Note that DNSSEC signs but does not encrypt: it provides no confidentiality for queries.
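Worked example (added here, not part of the original flashcard): the arithmetic a validating resolver performs with two of those record types. A zone's DNSKEY is trusted only if the parent zone's DS record carries a matching digest (RFC 4034 section 5.1.4), and the key tag (RFC 4034 Appendix B) tells the resolver which DNSKEY a DS or RRSIG refers to. The flags, algorithm number, and 4-byte public key below are constructed so the key tag can be checked by hand; they are not a real key.

```python
"""DNSSEC chain-of-trust arithmetic: DNSKEY key tag and DS digest.

A validating resolver trusts a zone's DNSKEY only if the parent zone publishes a
DS record whose digest equals SHA-256(owner name in wire format || DNSKEY RDATA).
The key tag lets the resolver pick the right DNSKEY when a zone has several.
All key material below is constructed for illustration, not a real key.
"""
import hashlib
import struct

# Constructed DNSKEY: flags=257 (zone key + SEP bit, i.e. a KSK), protocol=3,
# algorithm=8 (RSASHA256), and a 4-byte placeholder public key.
EXAMPLE_FLAGS = 257
EXAMPLE_PROTOCOL = 3
EXAMPLE_ALGORITHM = 8
EXAMPLE_PUBKEY = bytes([0x01, 0x02, 0x03, 0x04])


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Serialize DNSKEY RDATA exactly as it appears on the wire."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def wire_name(name: str) -> bytes:
    """Canonical wire-format owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit word sum over the RDATA with carry folded in."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if (i & 1) else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_sha256(owner: str, rdata: bytes) -> str:
    """Digest field of a DS record with digest type 2 (SHA-256)."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()


def ds_matches(owner: str, rdata: bytes, published_digest: str) -> bool:
    """The validator's check: does the parent's DS digest vouch for this DNSKEY?"""
    return ds_digest_sha256(owner, rdata) == published_digest.lower()


if __name__ == "__main__":
    rdata = dnskey_rdata(EXAMPLE_FLAGS, EXAMPLE_PROTOCOL, EXAMPLE_ALGORITHM, EXAMPLE_PUBKEY)
    tag = key_tag(rdata)
    digest = ds_digest_sha256("example.com.", rdata)
    print(f"example.com. IN DS {tag} {EXAMPLE_ALGORITHM} 2 {digest}")
    # A tampered key (one flipped byte) yields a different digest, so the
    # parent's DS record no longer vouches for it and validation fails.
    bad = dnskey_rdata(EXAMPLE_FLAGS, EXAMPLE_PROTOCOL, EXAMPLE_ALGORITHM, b"\x01\x02\x03\x05")
    print("tampered key accepted:", ds_matches("example.com.", bad, digest))
```

The same digest computation is what `dnssec-dsfromkey` produces from a real DNSKEY; the point of the exercise is that a DNSKEY substituted by an attacker cannot match a DS the parent has already published.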
Which initiative is typically supported by IEEE 802.1X port-based network access control (PNAC) on Layer 2 and Layer 3 networks?
A. Virtual private networking (VPN)
B. Network admission control (NAC)
C. Privilege access management (PAM)
D. Domainkeys identified mail (DKIM)
B. Network admission control (NAC)
Explanation:
IEEE 802.1X is a port-based network access control standard: a switch port or wireless association stays closed to all but EAP traffic until the connecting device (the supplicant) authenticates through the switch or access point (the authenticator) against a RADIUS server. That admission decision is the core of Network Admission Control (NAC), which adds policy checks (device posture, identity, VLAN assignment) around it.
Why IEEE 802.1X and NAC?:
Authentication: Ensures that devices and users are authenticated before they are granted network access.
Authorization: Determines what resources an authenticated device or user can access.
Network Integrity: Helps maintain the integrity of the network by preventing unauthorized access and potentially harmful devices.
Why the Other Options Are Less Relevant:
A. Virtual Private Networking (VPN): VPNs provide secure remote access to a network but are not directly related to port-based network access control.
C. Privilege Access Management (PAM): PAM focuses on managing and controlling elevated access permissions, not network access control.
D. DomainKeys Identified Mail (DKIM): DKIM is used for email authentication, not for network access control.
NAC with IEEE 802.1X is all about keeping your network secure by tightly controlling who and what gets on.
Which security service examines operating system files, configuration files, registries, application software, and Linux system files for changes and indicators of compromise?
A. Security information and event monitoring
B. File integrity monitoring
C. Database activity monitoring
D. Reputation filtering
B. File integrity monitoring
Explanation:
File Integrity Monitoring (FIM) is a security service designed to examine operating system files, configuration files, registries, application software, and Linux system files for changes and indicators of compromise.
Why FIM?:
Change Detection: Monitors and detects unauthorized changes to critical files and systems.
Indicators of Compromise (IOC): Identifies suspicious activity that may indicate a security breach.
Compliance: Helps meet regulatory requirements by ensuring that systems remain secure and configurations are not tampered with.
Why the Other Options Are Less Suitable:
A. Security Information and Event Monitoring (SIEM, more commonly expanded as Security Information and Event Management):
Collects and correlates security events from many sources but does not itself hash and compare files; a FIM agent is usually one of its log feeds.
C. Database Activity Monitoring (DAM):
Monitors database activities to detect and prevent unauthorized access, not file integrity across the operating system.
D. Reputation Filtering:
Allows or blocks traffic based on reputation scores for IP addresses, domains, and URLs; it doesn’t monitor file changes or integrity.
File integrity monitoring is like having a vigilant guard keeping an eye on your system’s vital files.
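Added example (not part of the original flashcard) of what a FIM agent does under the hood: take a baseline of content hashes and permission bits, store it, and later diff the live system against it. The fake `/etc` tree, its file contents, and the tampering are all constructed inside a temporary directory so the script runs anywhere offline.

```python
"""Minimal file integrity monitor: record a baseline of file hashes and mode
bits, then report files that were modified, added, or deleted.
The directory layout and file contents are constructed for the example."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Hash the content and capture the metadata an attacker tends to change."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = path.stat()
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode), "size": st.st_size}


def build_baseline(root: Path) -> dict:
    """Walk the tree and record every regular file, keyed by path relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                baseline[p.relative_to(root).as_posix()] = file_record(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines into the three classes of change a FIM alerts on."""
    modified = {}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is not None and new != old:
            modified[rel] = [k for k in old if old[k] != new[k]]  # which fields changed
    return {
        "modified": modified,
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake /etc, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        os.chmod(root / "etc" / "passwd", 0o644)
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "motd").write_text("welcome\n")
        baseline = build_baseline(root)
        baseline_path = root / "baseline.json"  # keep this off-host in practice
        baseline_path.write_text(json.dumps(baseline))

        # Tamper: weaken sshd config, drop a rogue script, remove the motd,
        # and loosen permissions on passwd without touching its bytes.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "backdoor.sh").write_text("#!/bin/sh\n")
        (root / "etc" / "motd").unlink()
        os.chmod(root / "etc" / "passwd", 0o666)

        saved = json.loads(baseline_path.read_text())
        current = build_baseline(root)
        current.pop("baseline.json", None)  # the baseline file is not a monitored asset
        return compare(saved, current)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The permission-only change on `passwd` is the case worth noticing: a hash-only monitor would miss it, which is why real FIM products record ownership and mode bits alongside the digest, and why the baseline has to be stored somewhere the monitored host cannot rewrite.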
Which term refers to a network architecture where a single firewall is used with three network interfaces to provide additional protection from outside cyber-attacks by adding a perimeter network to isolate or separate the internal network from the public-facing internet?
A. Management VLAN
B. Bastion service
C. Honeynet
D. Screened subnet
D. Screened subnet
Explanation:
A screened subnet, also known as a demilitarized zone (DMZ), is a network architecture that uses a single firewall with three network interfaces (a “three-legged” firewall) to create an isolated perimeter network. This provides additional protection from external cyber-attacks by separating the internal network from the public-facing internet. The same perimeter segment can also be built with two firewalls back to back; the three-interface design is the single-firewall form the question describes.
Key Features of a Screened Subnet (DMZ):
Three Interfaces: The firewall has three network interfaces: one for the internal network, one for the external network (internet), and one for the DMZ.
Isolation: The DMZ contains public-facing services (like web servers) while the internal network remains isolated and protected.
Controlled Access: The firewall enforces strict rules to control traffic between the internal network, DMZ, and external network.
Why the Other Options Are Less Suitable:
A. Management VLAN: Refers to a virtual LAN dedicated to managing network devices, not for creating a perimeter network.
B. Bastion Service: Typically a highly secured server that serves as a gateway between internal and external networks but doesn’t involve a three-interface firewall configuration.
C. Honeynet: A network of honeypots designed to attract and analyze cyber-attacks, not for isolating internal networks from the internet.
Think of a screened subnet as the buffer zone between your fortress (internal network) and the wild lands (internet), keeping the baddies at bay.
Which is an open standard that introduces a method to prevent sender address forgery by protecting the envelope sender address, which is used for message delivery?
A. SPF
B. OpenDNS
C. DNSSEC
D. SNMPv3
The correct answer is A. SPF (Sender Policy Framework).
Explanation:
SPF (Sender Policy Framework) is an open standard that specifies a method to prevent sender address forgery by protecting the envelope sender address, which is used for message delivery. It helps to ensure that the sender’s address is legitimate and not spoofed, reducing the risk of email-based attacks like phishing and spam.
The answer on my quiz is SNMPv3, why is that?
Copilot
I see, thanks for pointing that out! SNMPv3 (Simple Network Management Protocol Version 3) is indeed an advanced version of SNMP that provides enhanced security features, including authentication and encryption. However, it’s not typically associated with preventing sender address forgery in email systems.
It seems like there might be a mix-up in the quiz question. SPF (Sender Policy Framework) is the correct answer for preventing sender address forgery in email systems. SNMPv3 is more relevant to network management and security.
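Worked example (added here; it is neither the quiz’s material nor Copilot’s answer) of what an SPF check actually does with the envelope sender. The receiving MTA takes the domain from the SMTP MAIL FROM address, fetches that domain’s SPF TXT record, and tests the connecting IP against the record’s mechanisms in order. The records below are constructed and kept in a dictionary in place of DNS; only the `ip4`, `ip6`, `include`, and `all` mechanisms are implemented (`a`, `mx`, `exists`, and macros are left out).

```python
"""SPF (RFC 7208) evaluation of an envelope sender against a published policy.
DNS lookups are replaced by a constructed in-memory table so this runs offline."""
import ipaddress

# Constructed SPF records standing in for TXT lookups (documentation-range IPs).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "softfail.example": "v=spf1 ip4:203.0.113.5 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip: str, domain: str, lookups: int = 0) -> str:
    """Return pass/fail/softfail/neutral/none/permerror for ip sending as domain."""
    record = FAKE_DNS_TXT.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"  # no policy published: nothing to enforce
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # mechanisms default to "+" when unqualified
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed record
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            lookups += 1
            if lookups > 10:  # RFC 7208 caps DNS-querying mechanisms at 10
                return "permerror"
            inner = check_host(ip, arg, lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("permerror", "none"):
                return "permerror"
            # fail/softfail/neutral inside an include do not match; keep going
        else:
            return "permerror"  # mechanism not implemented in this example
    return "neutral"  # ran off the end with no "all" term


def check_mail_from(ip: str, mail_from: str) -> str:
    """The envelope sender (SMTP MAIL FROM) supplies the domain SPF is checked against."""
    domain = mail_from.rsplit("@", 1)[-1].lower().rstrip(".")
    return check_host(ip, domain)


if __name__ == "__main__":
    for ip, sender in [("192.0.2.25", "alice@example.com"),
                       ("198.51.100.10", "alice@example.com"),
                       ("203.0.113.5", "alice@example.com")]:
        print(f"{sender} from {ip}: {check_mail_from(ip, sender)}")
```

Two practitioner notes the quiz card glosses over: SPF only binds the MAIL FROM domain, so a forged `From:` header displayed to the user is not caught unless DMARC alignment is also enforced, and an `include:` pulling in a third-party mailer makes that mailer’s entire address space an authorized sender for your domain.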
Which security service evolved from early HIDS solutions into a “lighter” software agent installed on host systems to detect and investigate suspicious activities on host endpoints?
A. Database activity monitors (DAM)
B. File Integrity monitoring (FIM)
C. Intrusion detection systems (IDS)
D. Endpoint detection response (EDR)
D. Endpoint detection and response (EDR)
Explanation:
Endpoint Detection and Response (EDR) evolved from early Host Intrusion Detection Systems (HIDS). Its “lighter” agent streams process, file, registry, and network telemetry to a central console rather than evaluating heavy signature sets locally, and adds what HIDS lacked: the ability to investigate and respond (isolate the host, kill a process, pull a file) from that console.
Why EDR?:
Advanced Threat Detection: EDR solutions continuously monitor and analyze endpoint activities to detect advanced threats.
Real-Time Response: Provides real-time monitoring, detection, and response capabilities for suspicious activities.
Comprehensive Analysis: Collects and analyzes endpoint data, offering detailed insights and forensics for incident investigations.
Integration: Works seamlessly with other security tools to enhance overall endpoint security.
Why the Other Options Are Less Suitable:
A. Database Activity Monitors (DAM):
Focus on monitoring and protecting database activities rather than general endpoint security.
B. File Integrity Monitoring (FIM):
Monitors changes to specific files and directories but does not provide comprehensive endpoint detection and response capabilities.
C. Intrusion Detection Systems (IDS):
Focus on detecting intrusions but do not provide the extensive analysis and response capabilities of EDR.
EDR is like having a security watchdog on every device, ready to sniff out and respond to anything suspicious.
Which is an application layer gateway server or service (physical or virtual) dedicated to analysis and control of HTTP and HTTPS traffic?
A. Spam filter
B. Web filter
C. Jump server
D. Reputation filter
B. Web filter
Explanation:
A web filter is an application layer gateway server or service dedicated to analyzing and controlling HTTP and HTTPS traffic. It inspects web traffic to enforce policies, block access to malicious sites, and prevent harmful content from reaching users. Inspecting HTTPS content requires the filter to terminate TLS, which means deploying its CA certificate to every client and accepting the privacy and breakage trade-offs that come with interception.
Why Web Filter?:
HTTP/HTTPS Analysis: Specifically designed to handle web traffic protocols.
Content Control: Filters out unwanted or harmful web content based on predefined policies.
Security: Helps protect against web-based threats such as malware and phishing.
Why the Other Options Are Less Suitable:
A. Spam Filter: Focuses on filtering out unwanted email messages, not web traffic.
C. Jump Server: Provides secure access to and management of network devices, not dedicated to web traffic analysis.
D. Reputation Filter: Blocks or allows traffic based on reputation scores but is not specifically dedicated to HTTP/HTTPS traffic analysis.
Web filters are your gatekeepers for internet safety, keeping the web experience clean and secure.
Which is a Microsoft Windows service that enables IT administrators to centrally manage and configure the operating system settings, applications, browsers, and user settings?
A. Kerberos
B. Group Policy
C. SELinux
D. Active Directory
B. Group Policy
Explanation:
Group Policy is a feature of Microsoft Windows that allows IT administrators to centrally manage and configure operating system settings, applications, browsers, and user settings. Settings are packaged as Group Policy Objects (GPOs) linked to Active Directory sites, domains, or organizational units, and are applied by the clients at boot, logon, and periodic refresh. It is the standard way to enforce security settings, install software, and control what users can and cannot do on their computers.
Why Group Policy?:
Centralized Management: Provides a way to manage multiple users and computers from a single point.
Policy Enforcement: Enforces security policies across the network.
Configuration Control: Allows detailed configuration of operating system features and software applications.
Scalability: Suitable for both small and large organizations.
Why the Other Options Are Less Suitable:
A. Kerberos: A network authentication protocol used to provide secure authentication for users and services in a network, not for managing system settings.
C. SELinux (Security-Enhanced Linux): An access control implementation for Linux, not relevant to Windows environments.
D. Active Directory: A directory service for Windows domain networks that provides authentication and directory services but relies on Group Policy for configuration management.
Group Policy is like the command center for IT admins, making sure every setting is just the way it needs to be across the whole network.
Which IPS tuning scenario involves an error state occurring when an action is taken by the sensor?
A. True positive
B. True negative
C. False negative
D. False positive
D. False positive
Explanation:
A false positive in the context of an Intrusion Prevention System (IPS) tuning scenario occurs when the sensor mistakenly identifies normal, legitimate activity as malicious and takes action based on this incorrect identification.
Scenarios:
True Positive: Correctly identifies malicious activity and takes appropriate action.
True Negative: Correctly identifies legitimate activity and takes no action.
False Negative: Fails to identify malicious activity, resulting in no action when action is needed.
False Positive: Incorrectly identifies legitimate activity as malicious, resulting in unnecessary action.
False positives can disrupt normal network operations and cause unnecessary alerts, making it important to tune the IPS accurately. Because an IPS sits inline, a false positive does not just raise an alert, it drops legitimate traffic, which is why new signatures are commonly run in alert-only (IDS) mode first and promoted to block once their false-positive rate is known.
Which security control enforces inability of a subject to deny that they participated in a digital transaction, agreement, contract, or communication such as an email?
A. Confidentiality
B. Availability
C. Integrity
D. Non-repudiation
D. Non-repudiation
Explanation:
Non-repudiation ensures that a subject cannot deny their participation in a digital transaction, agreement, contract, or communication. It is provided by digital signatures: only the holder of the private key can produce the signature, and anyone with the public key can verify it. A MAC such as HMAC does not give non-repudiation, because both parties hold the same key and either could have produced the tag.
Why Not the Other Options?:
A. Confidentiality: Ensures that information is only accessible to those authorized to view it, but does not relate to preventing denial of participation.
B. Availability: Ensures that information and resources are available when needed, unrelated to participation verification.
C. Integrity: Ensures that data remains accurate and unaltered, but does not prevent denial of participation.
Non-repudiation is like the digital witness that ensures no one can deny their part in an electronic handshake.
What is a strict mathematical model where access to resources is determined by the system based on predefined security labels and rules?
A. ABAC
B. DAC
C. MAC
D. RBAC
C. MAC (Mandatory Access Control)
Explanation:
Mandatory Access Control (MAC) is a strict access control model where the operating system or security kernel enforces access rights based on predefined security labels and rules. Users and resources are assigned security labels, and access decisions are made by comparing these labels according to specific policies.
Why MAC?:
Predefined Labels: Access rights are determined by security labels (classification levels) and rules set by the system, not by individual users.
Centralized Control: The system enforces access control, providing a high level of security.
Non-Discretionary: Users cannot alter access rights, preventing unauthorized changes and ensuring consistent enforcement of security policies.
Why the Other Options Are Less Suitable:
A. ABAC (Attribute-Based Access Control):
Access decisions are based on attributes of the subject, resource, and environment (e.g., department, data classification, time of day, device posture) evaluated against policies; it is more flexible and less strict than label-driven MAC.
B. DAC (Discretionary Access Control):
Access rights are managed by individual users, allowing them to grant or revoke access to their resources.
D. RBAC (Role-Based Access Control):
Access rights are assigned based on roles within an organization, providing a more flexible structure than MAC.
MAC is like a strict guardian that enforces rules without exception.
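Added example (not part of the flashcard) of how a MAC decision is computed from labels alone, in the Bell-LaPadula style used by classified systems. A label is a hierarchical level plus a set of compartments; a subject may read an object only if the subject’s label dominates the object’s (no read up) and may write only where the object’s label dominates the subject’s (no write down). The levels, compartment names, and subjects are constructed.

```python
"""Mandatory access control with hierarchical levels and compartments,
enforced Bell-LaPadula style. Labels and names are constructed."""
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other: higher-or-equal level AND a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def mac_decision(subject: Label, obj: Label, op: str) -> bool:
    """System-enforced rule: the user cannot change it, only the labels matter."""
    if op == "read":
        return subject.dominates(obj)   # simple security property: no read up
    if op == "write":
        return obj.dominates(subject)   # *-property: no write down
    raise ValueError(f"unknown operation {op!r}")


def audit(subject_name: str, subject: Label, obj_name: str, obj: Label, op: str) -> bool:
    """Log the decision the way a reference monitor would."""
    ok = mac_decision(subject, obj, op)
    print(f"{'ALLOW' if ok else 'DENY '} {subject_name} {op} {obj_name} "
          f"[{subject.level}{sorted(subject.compartments)} -> "
          f"{obj.level}{sorted(obj.compartments)}]")
    return ok


if __name__ == "__main__":
    analyst = Label("SECRET", frozenset({"CRYPTO"}))
    audit("analyst", analyst, "ops-plan", Label("CONFIDENTIAL"), "read")
    audit("analyst", analyst, "sigint-report", Label("TOP SECRET", frozenset({"CRYPTO"})), "read")
    audit("analyst", analyst, "nuclear-brief", Label("SECRET", frozenset({"NUCLEAR"})), "read")
    audit("analyst", analyst, "public-notice", Label("UNCLASSIFIED"), "write")
    audit("analyst", analyst, "ts-archive", Label("TOP SECRET", frozenset({"CRYPTO", "NUCLEAR"})), "write")
```

The compartment check is what makes MAC a lattice rather than a simple ladder: a SECRET//CRYPTO analyst is denied a SECRET//NUCLEAR document even though the levels are equal. The no-write-down rule is also why MAC systems need a separate trusted downgrade path; an ordinary user can never declassify by copying.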
What is one way to enable authentication of non-traditional network endpoints such as smart card readers, HVAC systems, medical equipment, and IP-enabled door locks?
A. Packet mode
B. Endpoint fingerprinting
C. Protected access files
D. Repudiation
B. Endpoint fingerprinting.
Explanation:
Endpoint fingerprinting (device profiling) identifies non-traditional network endpoints such as smart card readers, HVAC systems, medical equipment, and IP-enabled door locks from observable characteristics (MAC OUI, DHCP options, traffic patterns, open services) and then applies a NAC policy to the device class. It stands in for 802.1X on devices that cannot run a supplicant; the practitioner caveat is that fingerprints can be imitated by a rogue device on the same port, so profiled endpoints should land in a restricted VLAN rather than the full network.
Which type of security control is made up of mandatory policies and regulations that are in place to maintain consistency and compliance?
A. Directive
B. Corrective
C. Deterrent
D. Preventative
A. Directive
Explanation:
Directive controls are security measures that consist of mandatory policies, regulations, and procedures designed to ensure consistency and compliance within an organization. These controls guide user behavior and establish clear guidelines for expected actions.
Why Directive?:
Mandatory Policies: Establish required actions and rules that must be followed.
Consistency: Ensure uniform application of security measures across the organization.
Compliance: Help meet regulatory requirements and internal standards.
Why the Other Options Are Less Suitable:
B. Corrective: These controls aim to correct issues after they have occurred (e.g., patch management).
C. Deterrent: Intended to discourage malicious actions (e.g., warning signs).
D. Preventative: Designed to prevent security incidents (e.g., firewalls).
Directive controls are like the rulebook everyone has to follow to keep things safe and sound.
Which security control enforces the inability of a subject to deny that they participated in a digital transaction, agreement, contract, or communication such as an email?
A. Confidentiality
B. Non-repudiation
C. Availability
D. Integrity
B. Non-repudiation
Explanation:
Non-repudiation is a security control that ensures a subject cannot deny their participation in a digital transaction, agreement, contract, or communication, such as an email. It combines cryptographic techniques like digital signatures to provide proof of the origin and integrity of data, ensuring accountability and preventing the subject from denying their involvement.
Why Not the Other Options?:
A. Confidentiality: Ensures that information is only accessible to those authorized to view it but does not address denial of participation.
C. Availability: Ensures that information and resources are available when needed but is unrelated to participation verification.
D. Integrity: Ensures that data remains accurate and unaltered but does not prevent denial of participation.
Non-repudiation is like the ultimate proof that you were there and involved, making sure no one can deny it later.
Which category of controls supports ongoing maintenance, due care, and continual improvement such as conducting tested patch management?
A. Technical
B. Physical
C. Managerial
D. Operational
D. Operational
Explanation:
Operational controls are designed to support the day-to-day maintenance, due care, and continual improvement of an organization’s security posture. This includes activities such as tested patch management, user training, incident response, and system monitoring.
Why Operational?:
Day-to-Day Activities: Encompasses ongoing activities that ensure systems are functioning securely and efficiently.
Maintenance and Improvement: Focuses on continuous improvement and adaptation to new security threats.
Examples: Includes patch management, regular audits, monitoring, and security training.
Why Not the Other Options?:
A. Technical: These controls involve technology-based solutions like firewalls, intrusion detection systems, and encryption but do not encompass maintenance and ongoing improvement.
B. Physical: These controls are concerned with the physical security of facilities, such as locks, badges, and guards.
C. Managerial: These controls involve planning, policy, and management activities like risk assessments and security planning, rather than day-to-day operational tasks.
Operational controls keep the security engine running smoothly and adaptively.
Which security goal controls an attacker’s ability to get unauthorized access to data or information from an application or system?
A. Integrity
B. Confidentiality
C. Availability
D. Non-repudiation
B. Confidentiality
Explanation:
Confidentiality is the security goal that controls an attacker’s ability to get unauthorized access to data or information. It ensures that sensitive information is only accessible to those who are authorized and prevents unauthorized individuals from viewing or using the data.
Why Not the Other Options?:
A. Integrity: Ensures that data remains accurate and unaltered, but does not specifically prevent unauthorized access.
C. Availability: Ensures that information and resources are accessible when needed, focusing on uptime and reliability rather than access control.
D. Non-repudiation: Ensures that parties cannot deny their actions or involvement in a transaction, rather than controlling access.
Confidentiality is all about keeping secrets safe from prying eyes.
What is the process of granting an authenticated entity permission to access a resource or perform a specific function?
A. Authentication
B. Authorization
C. Accounting
D. Availability
B. Authorization
Explanation:
Authorization is the process of granting an authenticated entity permission to access a resource or perform a specific function. After a user’s identity is verified through authentication, authorization determines what resources or operations the user is permitted to access.
Why Not the Other Options?:
A. Authentication: Confirms the identity of an entity but does not involve granting permissions.
C. Accounting: Involves tracking user actions and resource usage, focusing on audit and monitoring.
D. Availability: Ensures that resources are accessible when needed, not related to granting access permissions.
Authorization is all about who gets to do what once they’re through the door.
Which of these are common ways to authenticate people? Choose all that apply.
A. A QR or other code they present on a device
B. An X.509 device certificate
C. A smart card token or fob that they possess
D. A password, PIN, or passphrase they know
E. A biometric attribute
F. A network interface MAC address
A. A QR or other code they present on a device; C. A smart card token or fob that they possess; D. A password, PIN, or passphrase they know; E. A biometric attribute
Explanation:
A. QR or Other Code: A one-time code generated or displayed on a device the user holds (something you have), commonly used as a second factor in multi-factor authentication (MFA).
C. Smart Card/Token/Fob: These physical items are used for accessing secure systems and networks.
D. Password/PIN/Passphrase: Common method of verifying identity through something the user knows.
E. Biometric Attribute: Includes fingerprints, facial recognition, and other biometric data unique to the individual.
The other options are less common for authenticating people:
B. X.509 Device Certificate: Typically used for device authentication, not personal authentication.
F. Network Interface MAC Address: Used to identify devices on a network, not for personal authentication.
With traditional NetFlow services, a flow is technically defined by its 5-tuple, a collection of five data points. Which are valid points in a NetFlow record? Choose all that apply.
A. Source IP addresses
B. Source and destination ports
C. MAC address
D. Protocol
E. 802.1Q VLAN ID
F. Destination IP addresses
NetFlow records use the 5-tuple to define a flow. Here’s the right breakdown:
A. Source IP addresses: Yes
B. Source and destination ports: Yes
D. Protocol: Yes
F. Destination IP addresses: Yes
MAC address and VLAN ID aren’t part of the classic 5-tuple definition. Caveat: Cisco’s original NetFlow flow key actually has seven fields, the 5-tuple plus the IP type of service and the ingress interface; exporters can carry MAC addresses and VLAN IDs as extra fields in NetFlow v9/IPFIX templates, but they are not part of the 5-tuple the question asks about.
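Added example (constructed packet headers, not a real capture) of turning packets into flow records keyed by the 5-tuple. Notice how a different source port yields a new flow, and how each direction of a TCP conversation is a separate unidirectional flow that the collector has to pair up afterwards.

```python
"""Group constructed packet headers into NetFlow-style flow records keyed by the
5-tuple (src IP, dst IP, src port, dst port, protocol). The packet list is
constructed for the example."""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowKey:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int  # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP


@dataclass
class FlowRecord:
    key: FlowKey
    packets: int = 0
    bytes: int = 0
    first_seen: float = 0.0
    last_seen: float = 0.0
    tcp_flags: int = 0  # OR of all flags seen, as NetFlow v5 reports it


PACKETS = [  # (timestamp, src, dst, sport, dport, proto, length, tcp_flags)
    (1.00, "10.0.0.5", "192.0.2.80", 51000, 443, 6, 74, 0x02),   # SYN
    (1.01, "192.0.2.80", "10.0.0.5", 443, 51000, 6, 74, 0x12),   # SYN/ACK
    (1.02, "10.0.0.5", "192.0.2.80", 51000, 443, 6, 66, 0x10),   # ACK
    (1.03, "10.0.0.5", "192.0.2.80", 51000, 443, 6, 583, 0x18),  # PSH/ACK
    (1.50, "10.0.0.5", "10.0.0.53", 40000, 53, 17, 75, 0),       # DNS query
    (1.51, "10.0.0.53", "10.0.0.5", 53, 40000, 17, 130, 0),      # DNS reply
    (2.00, "10.0.0.5", "192.0.2.80", 51001, 443, 6, 74, 0x02),   # new src port => new flow
]


def build_flows(packets) -> "OrderedDict[FlowKey, FlowRecord]":
    """One record per distinct 5-tuple, accumulating counters like a NetFlow cache."""
    flows: "OrderedDict[FlowKey, FlowRecord]" = OrderedDict()
    for ts, src, dst, sport, dport, proto, length, flags in packets:
        key = FlowKey(src, dst, sport, dport, proto)
        rec = flows.get(key)
        if rec is None:
            rec = flows[key] = FlowRecord(key=key, first_seen=ts)
        rec.packets += 1
        rec.bytes += length
        rec.last_seen = ts
        rec.tcp_flags |= flags
    return flows


def bidirectional_key(key: FlowKey) -> tuple:
    """Pair the two unidirectional flows of one conversation (NetFlow exports them separately)."""
    a = (key.src_ip, key.src_port)
    b = (key.dst_ip, key.dst_port)
    return (min(a, b), max(a, b), key.protocol)


if __name__ == "__main__":
    for k, rec in build_flows(PACKETS).items():
        print(f"{k.src_ip}:{k.src_port} -> {k.dst_ip}:{k.dst_port} proto={k.protocol} "
              f"pkts={rec.packets} bytes={rec.bytes} flags=0x{rec.tcp_flags:02x}")
```

For detection work the interesting output is the counters, not the payload: a flow with a SYN but never an ACK (`tcp_flags == 0x02`) across many destination ports is a scan signature, and a long-lived flow with a steady byte rate to an unfamiliar address is a beaconing candidate, both visible without any packet capture.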
Which authentication model is used in SNMPv3?
A. User and group based
B. Community based
C. Anomaly based
D. Passphrase based
A. User and group based authentication. SNMPv3 replaces the plaintext community strings of v1/v2c with the User-based Security Model (USM), which authenticates and optionally encrypts each user’s requests (the authPriv level), and the View-based Access Control Model (VACM), which grants groups of users access to specific MIB views, ensuring that only authorized users can reach specific SNMP data.
Which form of monitoring leverages lightweight software on the devices or virtual machine to track the uptime and performance?
A. API-based monitoring
B. Clientless monitoring
C. Agentless monitoring
D. Agent-based monitoring
D. Agent-based monitoring. This approach uses lightweight software agents installed on devices or virtual machines to monitor uptime and performance metrics. These agents gather data and send it back to a central monitoring system.
What is a solution that helps enterprises detect, analyze, and respond to security threats before they affect business operations by gathering event log data from a range of sources and recognizing activity that diverges from the norm in real time?
A. SNMP
B. SCAP
C. SIEM
D. SOAR
C. SIEM (Security Information and Event Management). SIEM systems gather log data from various sources, correlate and analyze the data to detect threats, and allow for real-time monitoring and alerting. It helps enterprises respond to security threats before they can disrupt business operations.
What is the process of accumulating, categorizing, standardizing, and consolidating log data from across an IT infrastructure to enable and enhance streamlined log analysis?
A. Aggregation
B. Collaboration
C. Deduplication
D. Obfuscation
A. Aggregation. This process gathers, categorizes, standardizes, and consolidates log data from various sources across an IT infrastructure to streamline and enhance log analysis. Essential for keeping things in order, really.
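Added example covering both the SIEM card above and this one: the aggregation step itself. An sshd syslog line, a JSON proxy event, and a Windows-style 4625 line (all constructed here) are parsed into one schema, sorted by time, and then correlated into a failed-login count per source IP, something that is impossible while the three sources still speak different formats. The regexes and field names are the example’s own, not any vendor’s.

```python
"""Aggregate heterogeneous log lines into one normalized schema, as a SIEM's
collection tier does before correlation. All log lines are constructed."""
import json
import re
from datetime import datetime, timezone
from typing import Optional

RAW_LOGS = [
    "Mar 10 14:02:11 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2",
    '{"ts":"2024-03-10T14:02:15Z","src":"203.0.113.9","user":"admin","action":"login","result":"failure","app":"proxy"}',
    "2024-03-10 14:02:20 EventID=4625 Account=admin SourceIP=203.0.113.9 Status=FAILURE",
    "Mar 10 14:02:31 bastion sshd[2212]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2",
    "this line is not in any known format",
]

SSHD_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Failed|Accepted) \S+ for "
    r"(?:invalid user )?(\S+) from (\S+)")
WIN_RE = re.compile(r"^(\S+ \S+) EventID=(\d+) Account=(\S+) SourceIP=(\S+) Status=(\w+)")


def normalize(line: str, year: int = 2024) -> Optional[dict]:
    """Map one raw line to {ts, src_ip, user, outcome, source}; None if unparseable.
    Syslog lines carry no year, so the collector has to supply one."""
    m = SSHD_RE.match(line)
    if m:
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        return {"ts": ts, "src_ip": m.group(5), "user": m.group(4),
                "outcome": "failure" if m.group(3) == "Failed" else "success", "source": "sshd"}
    if line.startswith("{"):
        d = json.loads(line)
        ts = datetime.fromisoformat(d["ts"].replace("Z", "+00:00"))
        return {"ts": ts, "src_ip": d["src"], "user": d["user"],
                "outcome": d["result"], "source": d["app"]}
    m = WIN_RE.match(line)
    if m:
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        return {"ts": ts, "src_ip": m.group(4), "user": m.group(3),
                "outcome": "failure" if m.group(5) == "FAILURE" else "success", "source": "windows"}
    return None


def aggregate(lines):
    """Normalize, count what could not be parsed, and order everything on one clock."""
    events, dropped = [], 0
    for line in lines:
        ev = normalize(line)
        if ev is None:
            dropped += 1  # unparsed lines must be counted, or you lose visibility silently
        else:
            events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events, dropped


def failed_logins_by_source_ip(events) -> dict:
    """Correlation that is only possible once sshd, proxy and Windows share a schema."""
    per_ip = {}
    for ev in events:
        if ev["outcome"] == "failure":
            entry = per_ip.setdefault(ev["src_ip"], {"count": 0, "sources": set()})
            entry["count"] += 1
            entry["sources"].add(ev["source"])
    return per_ip


if __name__ == "__main__":
    events, dropped = aggregate(RAW_LOGS)
    print(f"{len(events)} events normalized, {dropped} dropped")
    for ip, info in failed_logins_by_source_ip(events).items():
        print(f"{ip}: {info['count']} failures across {sorted(info['sources'])}")
```

Three failures from one IP in ten seconds against three different systems is a single credential-stuffing story; before normalization it is three unrelated lines in three consoles. The dropped-line counter matters as much as the parsed events: a parser that silently discards what it does not recognise is a blind spot an attacker can hide in.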
Which feature of an anti-virus software uses human-defined rules to dynamically find suspicious architecture and behavior in code?
A. Cloud analysis
B. Sandbox analysis
C. Heuristic detection
D. User behavioral analytics
C. Heuristic detection. This feature uses predefined rules to identify suspicious behavior and anomalies in code, helping to catch new or unknown threats dynamically.
Which is an assortment of software services and tools that allow organizations to simplify and aggregate security operations in areas of threat and vulnerability management, incident response, and security operations automation?
A. SIEM
B. SNMP
C. SOAR
D. SCAP
C. SOAR (Security Orchestration, Automation, and Response). SOAR platforms help organizations streamline security operations by integrating various tools and automating responses to incidents and vulnerabilities.
Which SCAP specification is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise’s computing assets?
A. Trust model for security automation data (TMSAD)
B. Software identification (SWID) tagging
C. Open checklist interactive language (OCIL)
D. Common platform enumeration (CPE)
D. Common Platform Enumeration (CPE). CPE is a standardized method used to describe and identify classes of applications, operating systems, and hardware devices. It’s all about keeping your IT assets in check.
Which service involves managing several or many automated tasks or processes?
A. Automation
B. Scripting
C. Batching
D. Orchestration
D. Orchestration. This service involves coordinating multiple automated tasks or processes to work together efficiently.
Which type of incident response test typically involves diagrams, floor plans, logical and virtual graphical visualizations to further eliminate gaps/errors?
A. Tabletop
B. Read-through
C. Walkthrough
D. Parallel
A. Tabletop
Tabletop exercises are discussion-based: participants talk through the response to a scenario step by step, and diagrams, floor plans, and logical or virtual network visualizations help surface gaps and errors in the plan before anything is tested on live systems.
Which of these is a benefit of automation? Select all that apply.
A. Enforcing baselines
B. Faster reaction time
C. Standardizing infrastructure configuration
D. Enhanced customization
E. Efficiency and productivity
F. Greater user intervention
Automation brings quite a few benefits. Here’s a rundown of what fits:
A. Enforcing baselines: Yes
B. Faster reaction time: Yes
C. Standardizing infrastructure configuration: Yes
E. Efficiency and productivity: Yes
Which statement is TRUE when considering automation?
A. Automation systems can also be a technical debt if implemented in a rush or untested
B. Automation and scripting will often increase costs for provisioning/onboarding users and devices
C. Automation is useless without orchestration
D. Automation is the best solution in every case
A. Automation systems can also be a technical debt if implemented in a rush or untested. Quick fixes or poorly implemented automation propagate their mistakes at machine speed and to every system they touch, so untested automation creates issues down the line rather than removing them.
In the forensic order of volatility, what would be considered the MOST volatile?
A. Kernel statistics, tables, and caches
B. CPU registers and its cache
C. Temporary file systems and swap/slack space
D. Memory (RAM)
B. CPU registers and its cache. These change every clock cycle and vanish the instant power is lost, so they sit at the top of the order of volatility (RFC 3227), followed by RAM, then temporary file systems and swap, then disk. Evidence is collected in order of decreasing volatility: the faster it disappears, the sooner it must be captured.
What is defined as a factor that introduced a nonconformance in an application, service, or system; the core causative issue that sets in motion the entire cause-and-effect reaction that ultimately leads to the problem?
A. Root cause
B. Threat agent
C. Kill chain
D. Threat actor
A. Root cause. It’s the underlying factor that starts the chain reaction leading to a problem in an application, service, or system. Getting to the root cause is essential for effective troubleshooting and long-term fixes.