CompTIA Sec+ Flash Cards
What are three key lengths allowed by the AES cipher and what are their corresponding number of encryption rounds?
128-bit keys require 10 rounds of encryption. 192-bit keys require 12 rounds of encryption. 256-bit keys require 14 rounds of encryption.
List three major types of factors in multifactor authentication and explain them.
Something you know, including passwords, PINs, or the answer to a security question. Something you have like a smartcard, USB or Bluetooth token, or another object or item that is in your possession. Something you are, which relies on a physical characteristic of the person who is authenticating themselves. Fingerprints, retina scans, voice prints, and even your typing speed and patterns are all included as options for this type of factor.
What are the differences between stateless firewalls and stateful firewalls?
Stateless firewalls (sometimes called packet filters) filter every packet based on data like the source and destination IP and port, the protocol, and other information that can be gleaned from the packet's headers, while stateful firewalls (sometimes called dynamic packet filters) pay attention to the state of traffic between systems.
What is static code analysis and what is dynamic code analysis?
Static code analysis (sometimes called source code analysis) is conducted by reviewing the code for an application. Static analysis does not run the program, instead it focuses on understanding how the program is written and what the code is intended to do. Dynamic code analysis relies on execution of the code while providing it with input to test the software.
What are two types of Bluetooth attacks and what are their differences?
Bluejacking and Bluesnarfing. Bluejacking simply sends unsolicited messages to Bluetooth enabled devices. Bluesnarfing is unauthorized access to a Bluetooth device, typically aimed at gathering information like contact lists or other details the device contains.
What is a bollard?
Bollards are posts or other obstacles that prevent vehicles from moving through an area. Bollards may look like posts, pillars, or even planters, but their purpose remains the same: preventing vehicle access.
What are filesystem controls?
Filesystem controls determine which accounts, users, groups, or services can perform actions like reading, writing, and executing (running) files.
Name all five risk categories.
Financial, reputational, strategic, operational, and compliance
What are some examples of technical controls?
Firewall rules, access control lists, intrusion prevention systems, and encryption
Give some examples of controls that might affect scan results.
Firewall settings, network segmentation, intrusion detection systems (IDS), and intrusion prevention systems (IPS)
What are two types of proxy servers?
Forward proxies sit between clients and the outside network: they accept requests from clients and send them forward to servers on the clients' behalf, so the server sees the proxy rather than the client (useful for filtering and logging outbound traffic). Reverse proxies sit in front of servers: they accept requests from clients on the servers' behalf, so the client never talks to the back-end server directly, and they are used for load balancing, caching of content, and hiding the internal server layout.
List the order of volatility.
From most volatile to least volatile: 1. CPU cache and registers 2. Routing table, ARP cache, process table, kernel statistics 3. System memory (RAM) 4. Temporary files and swap space 5. Data on the hard disk 6. Remote logs 7. Backups. Collect evidence in this order, because the most volatile data is lost first when a system is powered off or changes state.
How does Full Disk Encryption (FDE) work?
Full disk encryption (FDE) encrypts the entire drive. At boot, the bootloader or a hardware device (such as a TPM or a self-encrypting drive's controller) must supply the decryption key, and software or hardware then decrypts the drive transparently for use. FDE protects data only while the system is powered off or the drive is locked; once the system has booted and unlocked the drive, the operating system, and any attacker with access to it, reads the data in the clear.
List steps in the waterfall SDLC model.
Gather requirements, design, implement, test/validate, deploy, maintain
List three common elements in designs for redundancy.
Geographic dispersal of systems; separation of servers and other devices within datacenters; multiple network paths (multipath solutions); redundant network devices; protection of power; redundancy of systems and storage; and diversity of technologies.
What are the disadvantages of guards?
Guards can be fallible, and social engineering attempts can persuade guards to violate policies or even to provide attackers with assistance. Guards are relatively expensive.
What are the advantages of guards?
Guards can make decisions that technical control systems cannot, and they can also provide additional capabilities by providing both detection and response capabilities. Guards can validate an individual's identity, ensure that they only enter the areas they are supposed to be, and that they have signed a visitor log and that their signature matches a signature on file or on their ID card.
What are three tools that can be used in the data obfuscation process?
Hashing uses a hash function to transform each value in the dataset into a corresponding hash value; the transformation is one-way, but low-entropy values such as SSNs, dates of birth, or PINs can still be recovered by hashing every possible input, so a keyed hash (HMAC) or a salt should be used. Tokenization replaces sensitive values with a unique identifier (token) using a lookup table, so the original value can be recovered only by a system with access to that table. Data masking partially redacts sensitive information by replacing some or all characters of a sensitive field with placeholder characters such as X or *, for example showing only the last four digits of a card number.
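The three obfuscation tools side by side, as an added example that is not part of the flash-card deck. It also shows why a bare (unkeyed) hash is not enough for a small value space. The key, the sample record, and the field names are constructed for the example.

```python
# Added example, not part of the flash-card deck: hashing, tokenization and
# masking applied to a constructed customer record, plus a brute-force of an
# unkeyed hash to show why low-entropy fields need a keyed hash. The key and
# the record are invented.
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256: deterministic and one-way, but reversible by guessing
    when the set of possible inputs is small."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_hash(value: str, key: bytes) -> str:
    """Hashing as it should be done for obfuscation: HMAC with a secret key.
    Still deterministic (the same email always gives the same hash, so records
    can be joined), but useless to anyone without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def brute_force_unkeyed_pin(digest_hex: str) -> Optional[str]:
    """Every 4-digit PIN hashed with plain SHA-256 is recovered in milliseconds."""
    for pin in range(10_000):
        candidate = f"{pin:04d}"
        if unkeyed_hash(candidate) == digest_hex:
            return candidate
    return None


class Tokenizer:
    """Tokenization: swaps the value for a random token and keeps the mapping in a
    vault (the lookup table). Only a system with the vault can reverse it, and the
    token itself carries no information about the original value."""

    def __init__(self) -> None:
        self._token_to_value: Dict[str, str] = {}
        self._value_to_token: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value not in self._value_to_token:
            token = "tok_" + secrets.token_hex(8)
            self._value_to_token[value] = token
            self._token_to_value[token] = value
        return self._value_to_token[value]

    def detokenize(self, token: str) -> str:
        return self._token_to_value[token]


def mask(value: str, keep_last: int = 4, mask_char: str = "X") -> str:
    """Masking: replace all but the last `keep_last` characters with a placeholder,
    leaving separators (dashes, spaces) in place so the format stays recognisable."""
    if keep_last:
        head, tail = value[:-keep_last], value[-keep_last:]
    else:
        head, tail = value, ""
    return "".join(mask_char if ch.isalnum() else ch for ch in head) + tail


def obfuscate_record(record: Dict[str, str], key: bytes, tokenizer: Tokenizer) -> Dict[str, str]:
    """Use each technique where it fits: hash the join key, tokenize the card number
    (the payment system can still detokenize it), mask the SSN for display."""
    return {
        "email_hash": keyed_hash(record["email"].lower(), key),
        "card_token": tokenizer.tokenize(record["card"]),
        "ssn_masked": mask(record["ssn"]),
    }
```

The choice between the three is about reversibility: a hash can never be reversed by design, a token can be reversed only through the vault, and a mask is meant for humans to read, so it is the only one that should appear on a screen or a receipt.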
Name some tools we can use in the process of data obfuscation.
Hashing, tokenization, and masking
What are 9 stages in the Electronic Discovery Reference Model (EDRM) model?
1. Information governance 2. Identification of electronically stored information 3. Preservation of the information 4. Collection of the information 5. Processing 6. Reviewing the data to ensure 7. Analysis of the information to identify key elements 8. Production 9. Presentation
What are three major cloud service models?
Infrastructure as a Service (IaaS), Software as a Service (SaaS), and Platform as a Service (PaaS)
Identify four key phases of a penetration test.
Initial access, privilege escalation, pivoting (lateral movement), and persistence
What are two different approaches of Cloud access security brokers (CASBs)?
Inline CASB solutions physically or logically reside in the connection path between the user and the service. This approach requires configuration of the network and/or endpoint devices. It provides the advantage of seeing requests before they are sent to the cloud service, allowing the CASB to block requests that violate policy. API-based CASB solutions do not interact directly with the user but rather interact directly with the cloud provider through the provider's API. This approach provides direct access to the cloud service and does not require any user device configuration.
What characteristics differentiate the types of cybersecurity threat actors?
Internal vs. external, level of sophistication/capability, resources/funding, and intent/motivation
List three techniques that support removing systems, devices, or even entire network segments or zones.
Isolation, containment, segmentation
What control should organizations put in place to ensure that successful ransomware infections do not incapacitate the company?
One of the most important defenses against ransomware is an effective backup system that stores files in a separate location that will not be impacted if the system or device it backs up is infected and encrypted by ransomware.
Please list and explain three major types of authentication in modern Wi-Fi networks
Open networks do not require authentication, but often use a captive portal to gather some information from users who want to use them. Open networks do not provide encryption, leaving user data at risk unless the traffic is sent via secure protocols like HTTPS. Pre-shared keys, or PSK, require that a passphrase or key is shared with anybody who wants to use the network. This allows traffic to be encrypted, but does not allow users to be uniquely identified. Enterprise authentication relies on a RADIUS server and utilizes an EAP protocol for authentication.
What is open source threat intelligence?
Open source threat intelligence is threat intelligence that is acquired from publicly available sources.
List the four common EAP variants found in the Security+ exam outline.
PEAP, EAP-FAST, EAP-TLS, and EAP-TTLS
What are some examples of informal code review models?
Pair programming, over-the-shoulder, pass-around code reviews, and tool-assisted reviews
What is RAID 5 and what are its advantages and disadvantages?
RAID 5 stripes data across three or more drives and stores parity (an XOR checksum of the other blocks in the stripe) alongside it. There is no dedicated parity drive: the parity blocks are distributed across all of the drives, so the array gives up one drive's worth of capacity. Advantages: data reads are fast, and the array keeps running and can be rebuilt after a single drive failure. Disadvantages: writes are slightly slower because parity must be recalculated on every write, only one drive failure at a time can be tolerated (a second failure during a rebuild loses the whole array), and rebuilding after a drive loss can be slow and impact performance. RAID is an availability control, not a backup: it does nothing against deletion, corruption, or ransomware, all of which are faithfully written to every drive.
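A toy RAID 5 array, as an added example that is not part of the flash-card deck: it shows the parity block rotating across drives and a failed drive being rebuilt from the survivors with nothing but XOR. The drive count, the 4-byte stripe unit and the data are constructed; real arrays use stripe units of tens or hundreds of kilobytes.

```python
# Added example, not part of the flash-card deck: RAID 5 striping with rotating
# parity and single-drive rebuild. Drive count, stripe-unit size and data are
# constructed for the example.
from typing import List, Optional


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks together; this is the RAID 5 parity calculation."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def parity_drive_for(stripe: int, n_drives: int) -> int:
    """Left-symmetric layout: the parity block moves one drive to the left on each
    stripe, so no single drive becomes a parity bottleneck (that would be RAID 4)."""
    return (n_drives - 1 - stripe) % n_drives


def raid5_write(data: bytes, n_drives: int, unit: int) -> List[List[bytes]]:
    """Split data into stripes of (n_drives - 1) units and add one parity unit per stripe."""
    if n_drives < 3:
        raise ValueError("RAID 5 needs at least three drives")
    data_units = n_drives - 1
    stripe_bytes = data_units * unit
    data += b"\x00" * (-len(data) % stripe_bytes)        # pad the final stripe
    drives: List[List[bytes]] = [[] for _ in range(n_drives)]
    for s in range(len(data) // stripe_bytes):
        chunks = [data[(s * data_units + k) * unit:(s * data_units + k + 1) * unit]
                  for k in range(data_units)]
        parity_at = parity_drive_for(s, n_drives)
        next_chunk = iter(chunks)
        for d in range(n_drives):
            drives[d].append(xor_blocks(chunks) if d == parity_at else next(next_chunk))
    return drives


def raid5_read(drives: List[List[bytes]], length: int) -> bytes:
    """Reassemble the data units in order, skipping the parity unit of each stripe."""
    n = len(drives)
    out = bytearray()
    for s in range(len(drives[0])):
        parity_at = parity_drive_for(s, n)
        for d in range(n):
            if d != parity_at:
                out += drives[d][s]
    return bytes(out[:length])


def raid5_rebuild(drives: List[Optional[List[bytes]]]) -> Optional[List[bytes]]:
    """Rebuild the one missing drive (marked None). Because P = D0 ^ D1 ^ ... holds for
    every stripe, any single missing unit, data or parity, is the XOR of the surviving
    units. With two drives missing there is one equation and two unknowns: no rebuild."""
    missing = [i for i, d in enumerate(drives) if d is None]
    if len(missing) != 1:
        return None
    survivors = [d for d in drives if d is not None]
    return [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]
```

The rebuild reads every surviving drive in full, which is why a large array spends hours in a degraded state after a failure, and why that window is exactly when a second failure is fatal.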
List at least three backup and replication methods.
RAID, copy of the live storage system, snapshot, images, VDI, copies of individual files, backup media, online backups, and offsite or on-site storage
What is RFID?
RFID, or Radio Frequency Identification, is a relatively short range (from less than a foot of some passive tags to about 100 meters for active tags) wireless technology that uses a tag and a receiver to exchange information.
What is ransomware?
Ransomware is malware that takes over a computer, typically by encrypting the victim's files, and then demands a ransom or payment in exchange for restoring access.
What are seven stages of the Cyber Kill Chain?
1. Reconnaissance 2. Weaponization 3. Delivery 4. Exploitation 5. Installation 6. Command and Control (C2) 7. Actions on Objectives
Name the three teams that participate in a cybersecurity exercise and explain their functions.
Red team, blue team, and white team. Red team members are the attackers who attempt to gain access to systems. Blue team members are the defenders who must secure systems and networks from attack. White team members are the observers and judges.
Name all three techniques used by application testing and explain their differences.
Static testing, dynamic testing, and interactive testing. Static testing analyzes code without executing it. Dynamic testing executes code as part of the test, running all the interfaces that the code exposes to the user with a variety of inputs, searching for vulnerabilities. Interactive testing combines static and dynamic testing, analyzing the source code while testers interact with the application through exposed interfaces.
What term is used to describe using cryptographic techniques to embed secret messages within another file, such as hiding a message within an image file?
Steganography is the art of embedding secret messages within another file, such as an image, audio, or video file, so that the existence of the message is concealed. Steganography hides a message rather than encrypting it: anyone who knows the embedding scheme can extract it, so in practice the message is usually encrypted first and then hidden, which keeps it unreadable even if the hidden data is detected.
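Least-significant-bit (LSB) embedding, the classic image steganography technique, as an added example that is not part of the flash-card deck. Each message bit replaces the lowest bit of one cover byte, so no byte changes by more than one and the picture looks unchanged. The "image" is a constructed 8-bit grayscale buffer rather than a real file.

```python
# Added example, not part of the flash-card deck: LSB steganography in a
# constructed grayscale pixel buffer. No encryption is involved: the message is
# only hidden, which is why it would normally be encrypted before embedding.
import random
import struct

_HEADER = 4   # bytes: a big-endian length prefix so the extractor knows where to stop


def capacity_bytes(cover: bytes) -> int:
    """One message bit per cover byte, minus the length header."""
    return len(cover) // 8 - _HEADER


def embed(cover: bytes, message: bytes) -> bytes:
    if len(message) > capacity_bytes(cover):
        raise ValueError(f"cover holds {capacity_bytes(cover)} bytes, message is {len(message)}")
    payload = struct.pack(">I", len(message)) + message
    out = bytearray(cover)
    pos = 0
    for byte in payload:
        for shift in range(7, -1, -1):                     # most significant bit first
            out[pos] = (out[pos] & 0xFE) | ((byte >> shift) & 1)
            pos += 1
    return bytes(out)


def _read_bytes(stego: bytes, first_bit: int, count: int) -> bytes:
    result = bytearray()
    for i in range(count):
        value = 0
        for j in range(8):
            value = (value << 1) | (stego[first_bit + i * 8 + j] & 1)
        result.append(value)
    return bytes(result)


def extract(stego: bytes) -> bytes:
    length = struct.unpack(">I", _read_bytes(stego, 0, _HEADER))[0]
    if length > capacity_bytes(stego):
        raise ValueError("no valid payload header (probably not a stego image)")
    return _read_bytes(stego, _HEADER * 8, length)


def max_byte_change(cover: bytes, stego: bytes) -> int:
    """How visible the embedding is: LSB replacement never moves a byte by more than 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def make_cover(n_bytes: int, seed: int = 1) -> bytes:
    """Constructed stand-in for an image's pixel buffer (random noise, fixed seed)."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n_bytes))
```

The weakness is just as visible from the code: the scheme has no key, so detection (statistical tests on the low-bit plane) equals disclosure unless the payload was encrypted first. Lossy recompression, such as saving the image as JPEG, also destroys the low bits and the message with them.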
List and explain two principles we need to apply in the application resilience.
Scalability says that applications should be designed so that computing resources they require may be incrementally added to support increasing demand. Elasticity goes a step further than scalability and says that applications should be able to automatically provision resources to scale when necessary and then automatically deprovision those resources to reduce capacity (and cost) when it is no longer needed.
What are two different techniques to ensure that the system is secure that modern UEFI firmware can leverage?
Secure boot and measured boot. Secure boot ensures that the system boots using only software that the original equipment manufacturer (OEM) trusts: each component (firmware drivers, bootloader, OS loader) must carry a digital signature that chains to a key in the firmware's trusted key database, and the firmware refuses to run anything else. Measured boot does not block anything; it measures (hashes) each component, starting with the firmware and ending with the boot start drivers, and records the measurements in the TPM's Platform Configuration Registers (PCRs) so that the boot state can be checked later, for example by a remote attestation service or by sealing a disk encryption key to the expected measurements so that it is released only when the boot chain is unchanged.
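The arithmetic behind measured boot, as an added example that is not part of the flash-card deck. A PCR cannot be written, only extended (PCR_new = SHA-256(PCR_old || measurement)), so the final value commits to every component and to the order in which they ran. The component names and images below are constructed byte strings standing in for real firmware and bootloader binaries.

```python
# Added example, not part of the flash-card deck: TPM PCR extend, event-log
# replay by a verifier, and a key sealed to an expected PCR value. Boot
# component names and contents are constructed stand-ins.
import hashlib
from typing import List, Optional, Tuple

PCR_START = bytes(32)                       # PCRs in the SHA-256 bank reset to all zeros


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """The only operation a TPM allows on a PCR: fold a new measurement into the old value."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(components: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Measure each component before it runs and append its digest to the event log.
    Nothing is refused here: stopping untrusted code is secure boot's job."""
    pcr = PCR_START
    event_log: List[Tuple[str, str]] = []
    for name, image in components:
        digest = hashlib.sha256(image).digest()
        pcr = pcr_extend(pcr, digest)
        event_log.append((name, digest.hex()))
    return pcr, event_log


def replay_event_log(event_log: List[Tuple[str, str]]) -> bytes:
    """A remote attestation service recomputes the PCR from the log. If it matches the
    TPM-signed PCR quote, the log is trustworthy and each entry can be compared with
    a list of known-good component hashes."""
    pcr = PCR_START
    for _, digest_hex in event_log:
        pcr = pcr_extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def unseal(sealed_to_pcr: bytes, current_pcr: bytes, secret: bytes) -> Optional[bytes]:
    """Models the TPM releasing a sealed disk key only when the measurements match."""
    return secret if current_pcr == sealed_to_pcr else None


GOOD_CHAIN = [                               # constructed stand-ins for real images
    ("firmware", b"UEFI firmware v1.2"),
    ("bootloader", b"shim + GRUB 2.06"),
    ("kernel", b"vmlinuz-6.1"),
    ("boot_driver", b"early storage driver"),
]
```

The practical consequence is that a legitimate firmware or bootloader update changes the PCR just as a bootkit would, so keys sealed to PCR values must be re-sealed as part of the update process or the machine will stop unlocking its disk.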
What is SAML?
Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization information, most commonly between an identity provider (IdP) and a service provider (SP) to provide web-based single sign-on.
What are three key security considerations when working with cloud storage?
Set permissions properly. Consider high availability and durability options. Use encryption to protect sensitive data.
Give some types of configuration settings recommended by CIS benchmark for Windows. (Password related)
1. Set the password history to remember 24 or more passwords. 2. Set the maximum password age to "60 or fewer days, but not 0," which requires a password change every 2 months and, together with the history setting, prevents users from cycling through 24 changes to get back to the same password. 3. Set the minimum password length to 14 or more characters. 4. Require password complexity. 5. Disable the storage of passwords using reversible encryption.
What does shoulder surfing mean?
Shoulder surfing is the process of looking over a person's shoulder to capture information like passwords or other data. While shoulder surfing typically implies actually looking over a person's shoulder, other similar attacks like looking into a mirror behind a person entering their credentials would also be considered shoulder surfing.
List four common methods to detect malicious software and applications.
Signature-based detection, heuristic detection, AI and machine learning systems, and sandboxing
What are the three common detection methods to identify unwanted and potentially malicious traffic?
Signature-based detection relies on a known hash or signature matching to detect a threat. Heuristic or behavior-based detection looks for specific patterns or sets of actions that match threat behaviors. Anomaly-based detection establishes a baseline for an organization or network and then flags behavior that falls outside the ordinary. Signatures produce few false positives but miss anything new or slightly modified; anomaly detection can catch novel threats but needs a clean baseline and tuning to keep false positives manageable.
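The three detection methods run over a handful of web-server log lines, as an added example that is not part of the flash-card deck. The log format, the IP addresses, the "known-bad" user-agent list and the traffic baseline are all constructed for the example.

```python
# Added example, not part of the flash-card deck: signature, behavior and anomaly
# detection over constructed web-server log lines. Format, IPs, indicator list
# and baseline are invented.
import re
import statistics
from collections import Counter, defaultdict
from typing import Dict, List, Set

LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$')

SAMPLE_LOG = [
    '10.0.0.5 GET /login 200 "Mozilla/5.0"',
    '10.0.0.5 GET /home 200 "Mozilla/5.0"',
    '10.0.0.9 POST /login 401 "curl/7.88"',
    '10.0.0.9 POST /login 401 "curl/7.88"',
    '10.0.0.9 POST /login 401 "curl/7.88"',
    '10.0.0.9 POST /login 200 "curl/7.88"',
    '10.0.0.7 GET /search?q=1 200 "sqlmap/1.7.2"',
    '10.0.0.8 GET /home 200 "Mozilla/5.0"',
] + [f'10.0.0.11 GET /api/items?id={i} 200 "python-requests/2.31"' for i in range(40)]

# Signature: exact indicators of known tooling.
KNOWN_BAD_UA_PREFIXES = ("sqlmap/", "nikto/", "masscan/")

# Anomaly baseline: requests per client observed in a known-normal window (constructed).
BASELINE_REQUESTS_PER_CLIENT = [3, 4, 2, 5, 3, 4, 3, 4]


def parse(lines: List[str]) -> List[Dict[str, str]]:
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:                                  # skip malformed lines rather than crash
            events.append(m.groupdict())
    return events


def signature_hits(events: List[Dict[str, str]]) -> Set[str]:
    """Signature-based: matches only what is on the list; renaming the tool evades it."""
    return {e["ip"] for e in events if e["ua"].startswith(KNOWN_BAD_UA_PREFIXES)}


def behavior_hits(events: List[Dict[str, str]], min_failures: int = 3) -> Set[str]:
    """Heuristic/behavior-based: several failed logins from one source followed by a
    success, the shape of a successful brute force whatever tool produced it."""
    failures: Dict[str, int] = defaultdict(int)
    flagged: Set[str] = set()
    for e in events:
        if e["path"] != "/login" or e["method"] != "POST":
            continue
        if e["status"] == "401":
            failures[e["ip"]] += 1
        elif e["status"] == "200" and failures[e["ip"]] >= min_failures:
            flagged.add(e["ip"])
    return flagged


def anomaly_hits(events: List[Dict[str, str]],
                 baseline: List[int] = BASELINE_REQUESTS_PER_CLIENT,
                 sigmas: float = 3.0) -> Set[str]:
    """Anomaly-based: a client whose request count sits more than `sigmas` standard
    deviations above the baseline mean. Needs no indicator, but a baseline that
    already contains the attacker's traffic would hide it."""
    threshold = statistics.mean(baseline) + sigmas * statistics.pstdev(baseline)
    counts = Counter(e["ip"] for e in events)
    return {ip for ip, n in counts.items() if n > threshold}
```

Each method flags a different source in the sample, which is the point: the scanner is caught by its user-agent, the brute force by its pattern, and the scraper only because it is loud. A production detection stack layers all three for that reason.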
What does a SSO system allow?
Single sign-on (SSO) systems allow a user to log in with a single identity, and then use multiple systems or services without re-authenticating.
Give three examples of features that an organization may want or need to ensure that mobile devices and the data they contain are secure.
Some examples may include: application management features; content management; remote wipe capabilities; geolocation and geofencing capabilities; screen locks, passwords, PINs and/or biometrics; storage segmentation; and full device encryption (FDE)
What is the difference between symmetric and asymmetric cryptography?
Symmetric cryptosystems use a single shared secret key, known to every party in the cryptosystem, for both encryption and decryption. Asymmetric cryptosystems give each user an individual public/private key pair: anyone can encrypt with a user's public key, but only the holder of the matching private key can decrypt.
List 10 common logs used by incident responders.
System logs, application logs, security logs, vulnerability scan output, network and security device logs, web logs, DNS logs, authentication logs, dump files, and VoIP & SIP logs
What are two primary models for generation of one-time passwords?
TOTP, or time-based one-time passwords and HMAC-based one-time password (HOTP)
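HOTP (RFC 4226) and TOTP (RFC 6238) from scratch with the standard library, as an added example that is not part of the flash-card deck, together with the server-side rules that matter in practice: a look-ahead window so an HOTP counter that has drifted ahead can resynchronize, never accepting an old counter (replay), and accepting one time step either side of "now" for clock skew. The secret is the RFC test-vector key, not a real one.

```python
# Added example, not part of the flash-card deck: HOTP and TOTP generation and
# verification. The secret is the published RFC 4226/6238 test key.
import hashlib
import hmac
import struct
import time
from typing import Optional

RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP = truncate(HMAC(secret, counter)) mod 10^digits, RFC 4226 section 5.3."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP is HOTP whose counter is derived from time: floor(unix_time / step)."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits, algo)


def verify_totp(secret: bytes, code: str, at_time: float, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the code for the current step and `window` steps on either side,
    which tolerates a little clock drift between token and server."""
    for drift in range(-window, window + 1):
        expected = totp(secret, at_time + drift * step, step, digits)
        if hmac.compare_digest(expected, code):              # constant-time comparison
            return True
    return False


def verify_hotp(secret: bytes, code: str, server_counter: int,
                look_ahead: int = 5, digits: int = 6) -> Optional[int]:
    """Return the counter the server must store after a successful match, or None.
    Only counters >= server_counter are tried, so a code that was already used can
    never be replayed; look_ahead lets a token that was pressed a few times without
    logging in catch up with the server."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c + 1
    return None
```

Two details are easy to get wrong in a real implementation: the counter is a big-endian 64-bit integer, and the comparison must be constant-time, since a six-digit code with a timing side channel is no code at all. The server must also rate-limit attempts: with a window of three 30-second steps, a six-digit code gives an online guesser a 3-in-a-million chance per try.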
What are the three major types of exercises that incident response teams use to prepare?
Tabletop, walkthroughs, simulations
What is tailgating?
Tailgating is a physical entry attack that requires simply following someone who has authorized access to an area so that as they open secured doors you can pass through as well.
What are the three security control categories?
Technical controls, operational controls, and managerial controls
What are three components in the NIST framework?
The Framework Core, the Framework Implementation Tiers, and the Framework Profiles
What is the Linux dd command? Give an example to copy a drive mounted as /dev/sda to a file called example.img.
The Linux dd command is a command line utility that copies raw blocks from one device or file to another, which makes it suitable for creating bit-for-bit disk images for forensic or other purposes. Example: dd if=/dev/sda of=example.img conv=noerror,sync (if= names the input device, of= the output file; conv=noerror keeps going past read errors and sync pads each unreadable block with zeros so that offsets in the image still line up with the source). For forensic use, image the source through a write blocker or with the device attached read-only, and record a hash of both the source device and the image so the copy can later be shown to be faithful.
What is the primary responsibility of the hypervisor?
The primary responsibility of the hypervisor is enforcing isolation between virtual machines. This means that the hypervisor must present each virtual machine with the illusion of a completely separate physical environment dedicated for use by that virtual machine.
What principle says that individuals should only be granted the minimum set of permissions necessary to carry out their job functions?
The principle of least privilege says that individuals should only be granted the minimum set of permissions necessary to carry out their job functions.
What are two important roles served by risk assessment in the risk management process?
The risk assessment provides guidance in prioritizing risks so that the risks with the highest probability and magnitude are addressed first. Quantitative risk assessments help determine whether the potential impact of a risk justifies the costs incurred by adopting a risk management approach.
What is malware?
The term malware describes a wide range of software that is intentionally designed to cause harm to systems and devices, networks, or users.
What is a script kiddie?
The term script kiddie is a derogatory term for people who use hacking techniques but have limited skills.
List at least three key elements of the rules of engagement for a penetration test.
The timeline for the engagement and when testing can be conducted; what locations, systems, applications, or other potential targets are included or excluded; data handling requirements for information gathered during the penetration test; what behaviors to expect from the target; what resources are committed to the test; legal concerns, including a review of the laws that cover the target organization, any remote locations, and any service providers who will be in scope; and when and how communications will occur.
Give some examples of weak configurations.
The use of default settings that pose a security risk; the presence of unsecured accounts, including both normal user accounts and unsecured root accounts with administrative privileges; open ports and services that are not necessary to support normal system operations; and open permissions that allow users access which violates the principle of least privilege.
What are five basic requirements for a cryptographic hash function?
They accept an input of any length. They produce an output of a fixed length. The hash value is relatively easy to compute. The hash function is one-way (meaning that it is extremely hard to determine the input when provided with the output). The hash function is collision resistant (meaning that it is extremely hard to find two different messages that produce the same hash value; no function with a fixed-length output can be truly collision free).
What's the difference between cross-site scripting attacks and cross-site request forgery attacks?
They exploit different trust relationships. XSS attacks exploit the trust that a user's browser places in a website: the attacker's script runs in the victim's browser in the context of the vulnerable site, so it can read that site's page content, cookies, and session data. XSRF (CSRF) attacks exploit the trust that a website places in the user's authenticated browser: the attacker causes the victim's browser to send a request, carrying the victim's session cookie, that the site treats as a legitimate action taken on the user's behalf.
What is threat intelligence?
Threat intelligence is the set of activities and resources available to cybersecurity professionals seeking to learn about changes in the threat environment.
What term describes the means that an attacker uses to gain access to a system?
Threat vectors are the means that threat actors use to obtain access to a system.
Define threats, vulnerabilities, and risks.
Threats are any possible events that might have an adverse impact on the confidentiality, integrity, and/or availability of information or information systems. Vulnerabilities are weaknesses in systems or controls that could be exploited by a threat. Risks occur at the intersection of a vulnerability and a threat that might exploit that vulnerability. A threat without a corresponding vulnerability does not pose a risk, nor does a vulnerability without a corresponding threat.
What is the highest priority of agile software development?
To satisfy the customer through early and continuous delivery of valuable software.
What's the difference between Trojans and worms?
Trojans disguise themselves as legitimate software and rely on user interaction to be installed and run, while worms spread on their own, exploiting vulnerabilities or weak credentials to copy themselves from system to system without any user action.
List four tools commonly run on a local system to gather information about its network configuration and status.
ipconfig (Windows) and ifconfig or ip (Linux), netstat, arp, and route
What is theHarvester?
theHarvester is an open source intelligence gathering tool that can retrieve information like email accounts, domains, usernames, and other details using LinkedIn, search engines (like Google, Bing, and Baidu), PGP servers, and other sources.
What are three common questions that come into play when we assess a threat intelligence source or a specific threat intelligence notification?
1. Is it timely? 2. Is the information accurate? 3. Is the information relevant?
What is a cipher?
A cipher is a method used to scramble or obfuscate characters to hide their value. Ciphering is the process of using a cipher to do that type of scrambling to a message.
What are a SPAN and a port mirror?
A port mirror sends a copy of all of the traffic sent to one switch port to another switch port for monitoring. A SPAN can do the same thing but can also combine traffic from multiple ports to a single port for analysis.
What is the substitution cipher?
A substitution cipher is a type of coding or ciphering system that changes one character or symbol into another.
What are common elements in a typical forensic report?
A summary of the forensic investigation and findings; an outline of the forensic process, including tools used and any assumptions that were made about the tools or process; a series of sections detailing the findings for each device or drive (accuracy is critical when findings are shared, and conclusions must be backed up with evidence and appropriate detail); and recommendations or conclusions in more detail than the summary.
What is a VPN?
A virtual private network, or VPN, is a way to create a virtual network link across a public network that allows the endpoints to act as though they are on the same network.
Explain active/active vs. active/passive load balancers.
Active/active load balancer designs distribute the load amongst multiple systems that are online and in use at the same time. Active/passive load balancer designs bring backup or secondary systems online when an active system is removed or fails to respond properly to a health check.
What are three specific Layer 2 attacks in the Security+ exam outline?
Address resolution protocol (ARP) poisoning, media access control (MAC) flooding, and MAC cloning
What are the differences between Agile, Waterfall, and Spiral?
Agile software development is an iterative and incremental process, rather than the linear processes that Waterfall and Spiral use.
What are allow listing and deny or block listing?
Allowed list (whitelisting) tools allow you to build a list of software, applications, and other system components that are allowed to exist and run on a system. If they are not on the whitelist, they will be removed, disabled, or will not be able to be installed. Deny or block lists (blacklists) are lists of software or applications that cannot be installed or run, rather than a list of what is allowed.
What term describes the unauthorized modification of information?
Alteration is the unauthorized modification of information and is a violation of the principle of integrity. Its companions are disclosure, the unauthorized release of information (a violation of confidentiality), and denial, the disruption of an authorized user's legitimate access to information (a violation of availability).
Name five common access control schemes.
Attribute-based access control (ABAC), Role-based access control (RBAC), Rule-based access control (RBAC or RuBAC), Mandatory Access Control (MAC), and Discretionary access control (DAC)
What is an access control vestibule?
An access control vestibule, often called a "mantrap," is a pair of doors which both require some form of authorized access to open. The first door opens after authorization, closes, and only after it is closed can the person who wants to enter provide their authorization to open the second door.
What is an evil twin?
An evil twin is a malicious fake access point that is set up to appear to be a legitimate, trusted network.
What is an on-path attack?
An on-path (previously man-in-the-middle or MiTM) attack occurs when an attacker causes traffic that should be sent to its intended recipient to be relayed through a system or device the attacker controls.
Give three examples of personnel management practices.
Answers could include: least privilege, separation of duties, job rotation and mandatory vacations, clean desk policies, onboarding and offboarding, non-disclosure agreements (NDAs), social media policies, and user training
List four types of specialized systems of embedded systems.
Answers include: medical systems, smart meters, vehicles, drones and autonomous vehicles (AVs), VoIP systems, printers, and surveillance systems
What are APIs?
Application programming interfaces (APIs) are interfaces between clients and servers or applications and operating systems that define how the client should ask for information from the server and how the server will respond.
Please interpret the following CVSS vector:CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network (weight 0.85); Attack Complexity: Low (0.77); Privileges Required: None (0.85); User Interaction: None (0.85); Scope: Unchanged; Confidentiality: High (0.56); Integrity: None (0.00); Availability: None (0.00). In plain language: an unauthenticated attacker on the network can exploit this with low effort and no user involvement to read sensitive data, but cannot modify data or affect availability, and the impact stays within the vulnerable component. The resulting base score is 7.5 (High).
What does blind SQL injection mean and what are two forms of blind SQL injection?
Attackers use a technique called blind SQL injection to conduct an attack even when they don't have the ability to view the results directly. Two forms of blind SQL injection are content-based and timing-based.
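Content-based (boolean) blind SQL injection against a constructed in-memory SQLite database, as an added example that is not part of the flash-card deck. The application never echoes query results; it only reveals whether a row matched, and that single bit, asked once per candidate character, is enough to read a whole column. The parameterized version of the same lookup closes the hole. Table, users and passwords are invented; SQLite is used because it needs no server.

```python
# Added example, not part of the flash-card deck: boolean-based blind SQL
# injection against a constructed SQLite database, beside the parameterized
# fix. Users and passwords are invented.
import sqlite3
from typing import Callable


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "s3cret!"), ("bob", "hunter2")])
    return conn


def user_exists_vulnerable(conn: sqlite3.Connection, username: str) -> bool:
    """Vulnerable: user input concatenated into SQL. Returns only True/False,
    so there is nothing to read back directly, hence 'blind'."""
    sql = f"SELECT 1 FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchone() is not None


def user_exists_safe(conn: sqlite3.Connection, username: str) -> bool:
    """Fixed: a bound parameter is data, never SQL, so the payload is just an odd username."""
    return conn.execute("SELECT 1 FROM users WHERE username = ?", (username,)).fetchone() is not None


def blind_extract(oracle: Callable[[str], bool], target_user: str,
                  column: str = "password", max_len: int = 64) -> str:
    """Content-based blind SQLi: one yes/no question per candidate character.
    A timing-based variant replaces the true/false response with a deliberate delay
    (a sleep or a heavy query) when the condition holds; the extraction logic is
    the same, only the oracle changes."""
    recovered = ""
    for pos in range(1, max_len + 1):
        matched = None
        for code in range(32, 127):                       # printable ASCII
            # unicode() and substr() are SQLite built-ins; "-- " comments out the trailing quote
            payload = f"{target_user}' AND unicode(substr({column}, {pos}, 1)) = {code}-- "
            if oracle(payload):
                matched = chr(code)
                break
        if matched is None:                               # past the end of the value
            break
        recovered += matched
    return recovered
```

The linear scan above costs up to 95 requests per character; real tooling does a binary search on the character code (about 7 requests per character) and pulls the length first, but the principle is identical. On the defensive side, note that the fix is not input filtering but parameterization: the attack string is still accepted, it simply no longer reaches the parser as SQL.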
What is the difference between an audit and an assessment?
Audits are formal reviews of an organization's security program or specific compliance issues conducted on behalf of a third party. Assessments are less formal reviews of security controls that are typically requested by the security organization itself in an effort to engage in process improvement.
Name all seven key social engineering principles that the Security+ exam focuses on.
Authority, intimidation, consensus, scarcity, familiarity, trust, and urgency
Give four important considerations that come into play with cloud and off-site third-party backup options.
Bandwidth requirements for both the backups themselves and restoration time if the backup needs to be restored partially or fully. Time to retrieve files and cost to retrieve files. Reliability is also crucial. New security models may also be required for backups.
What are two major categories of modern ciphers and what are their methods of operation?
Block ciphers operate on "chunks," or blocks, of a message and apply the encryption algorithm to an entire message block at the same time. Stream ciphers operate on one character or bit of a message (or data stream) at a time.
What are two categories of cloud storage offerings?
Block storage allocates large volumes of storage for use by virtual server instance(s). Object storage provides customers with the ability to place files in buckets and treat each file as an independent entity that may be accessed over the web or through the provider's API.
Name four common mobile device deployment and management models.
BYOD: Bring your own device; CYOD: Choose your own device; COPE: Corporate owned, personally enabled; Corporate owned
What are backdoors?
Backdoors are methods or tools that provide access that bypasses normal authentication and authorization procedures, allowing attackers access to systems, devices, or applications.
What are bots and what are botnets?
Bots are remotely controlled systems or devices that have a malware infection. Groups of bots are known as botnets, and botnets are used by attackers who control them to perform various actions ranging from additional compromises and infection to denial of service attacks or acting as spam relays.
Name three password-related attacks.
Brute force attacks, password spraying attacks, and dictionary attacks
List five secure data destruction options.
Burning, shredding, pulping, pulverizing, and degaussing
What is data encryption?
Encryption technology uses mathematical algorithms to protect information from prying eyes, both while it is in transit over a network and while it resides on systems.
List at least five connectivity methods.
Cellular, Wi-Fi, Bluetooth, NFC, RFID, Infrared, GPS, USB
What are three techniques to verify the authenticity of certificates and identify revoked certificates?
Certificate Revocation Lists (CRLs), the Online Certificate Status Protocol (OCSP), and OCSP stapling (in which the server presents a recent, CA-signed OCSP response along with its certificate so that the client does not have to contact the CA itself)
Name two models that many botnet command and control (C&C) systems operate in
Client/server botnet control model and peer-to-peer botnet control model
What is cloud computing?
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
List all five key cloud roles and explain what they are.
Cloud service providers are the firms that offer cloud computing services to their customers. Cloud consumers are the organizations and individuals who purchase cloud services from cloud service providers. Cloud partners (or cloud brokers) are organizations who offer ancillary products or services that support or integrate with the offerings of a cloud service provider. Cloud auditors are independent organizations who provide third-party assessments of cloud services and operations. Cloud carriers serve as the intermediaries who provide the connectivity that allows the delivery of cloud services from providers to consumers.
List four incident response plan types.
Communication plans, stakeholder management plans, business continuity plans, and disaster recovery plans
Give three ways that an attacker might discover a user's password.
Conducting social engineering attacks that trick the user into revealing a password, either directly or through a false authentication mechanism; eavesdropping on unencrypted network traffic; and obtaining a dump of passwords from previously compromised sites and assuming that a significant proportion of users reuse their passwords from that site on other sites.
What are specific goals of confidentiality, integrity, and availability?
Confidentiality ensures that unauthorized individuals are not able to gain access to sensitive information. Integrity ensures that there are no unauthorized modifications to information or systems, either intentionally or unintentionally. Availability ensures that information and systems are ready to meet the needs of legitimate users at the time those users request them.
What are three key objectives of cybersecurity programs?
Confidentiality, integrity, and availability
What are four fundamental goals of cryptography?
Confidentiality, integrity, authentication, and nonrepudiation
What is credential harvesting?
Credential harvesting is the process of gathering credentials like usernames and passwords.
When would cross-site scripting attacks occur?
Cross-site scripting (XSS) attacks occur when web applications allow an attacker to perform HTML injection, inserting their own HTML code into a web page.
List all eight CVSS metrics and describe what kinds of measurements they evaluate.
Eight metrics: attack vector metric, attack complexity metric, privileges required metric, user interaction metric, confidentiality metric, integrity metric, availability metric, and scope metric. The first four measures evaluate the exploitability of the vulnerability, whereas the next three evaluate the impact of the vulnerability. The eighth metric discusses the scope of the vulnerability.
What is DLP and what can it do?
DLP is Data Loss Prevention. Data loss prevention (DLP) systems help organizations enforce information handling policies and procedures to prevent data loss and theft.
What are the three states where data might exist?
Data at rest, data in motion, and data in processing
What are three types of data we must think about when developing a cryptographic system for the purpose of providing confidentiality?
Data at rest, data in motion, data in use
What is data minimization and how can we do it?
Data minimization techniques seek to reduce risk by reducing the amount of sensitive information that we maintain on a regular basis. The best way to achieve data minimization is to simply destroy data when it is no longer necessary to meet our original business purpose.
What principle states that data is subject to the legal restrictions of any jurisdiction where it is collected, stored, or processed?
Data sovereignty is a principle that states that data is subject to the legal restrictions of any jurisdiction where it is collected, stored, or processed.
Describe the process of quantitative risk assessment.
Determine the asset value (AV) of the asset affected by the risk. Determine the likelihood that the risk will occur, expressed as an annualized rate of occurrence (ARO). Determine the amount of damage that will occur to the asset if the risk materializes, expressed as an exposure factor (EF), the percentage of the asset's value that would be lost. Calculate the single loss expectancy: SLE = AV × EF. Calculate the annualized loss expectancy: ALE = SLE × ARO.
What are two distinct goals of digital signature infrastructures?
Digitally signed messages assure the recipient that the message truly came from the claimed sender. They enforce nonrepudiation. Digitally signed messages assure the recipient that the message was not altered while in transit between the sender and recipient. This protects against both malicious modification and unintentional modification.
What are three key threats to cybersecurity programs?
Disclosure, alteration, and denial
Name five modes of operation of Data Encryption Standard (DES).
Electronic Codebook (ECB) mode, Cipher Block Chaining (CBC) mode, Cipher Feedback (CFB) mode, Output Feedback (OFB) mode, and Counter (CTR) mode
Raspberry Pi, Arduinos, and FPGAs are all considered what types of systems by the Security+ exam?
Embedded systems
Give some ways that an attacker might obtain a cookie.
Eavesdropping on unencrypted network connections and stealing a copy of the cookie as it is transmitted between the user and the website. Installing malware on the user's system that retrieves cookies from the browser and transmits them back to the attacker. Engaging in a man-in-the-middle attack, where the attacker fools the user into thinking that the attacker is actually the target website and presents a fake authentication form; the attacker may then authenticate to the website on the user's behalf and obtain the cookie.
How do you calculate the exploitability score for a vulnerability under CVSS?
Exploitability = 8.22 × AttackVector × AttackComplexity × PrivilegesRequired × UserInteraction, where each metric contributes the numeric weight CVSS assigns to its chosen value (for example, AttackVector is 0.85 for Network and 0.2 for Physical).
Name at least three authentication technologies.
Extensible Authentication Protocol (EAP), Challenge Handshake Authentication Protocol (CHAP), Password Authentication Protocol (PAP), 802.1X, RADIUS, Terminal Access Controller Access Control System Plus (TACACS+), and Kerberos
What are three main methods used to exchange secret keys securely?
Offline distribution, public key encryption, and the Diffie-Hellman key exchange algorithm
What are the three major types of information gathering tools that are included in the Security+ exam outline?
Honeypots are systems that are intentionally configured to appear to be vulnerable, but which are actually heavily instrumented and monitored systems that document everything an attacker does while retaining copies of every file and command they use. Honeynets are networks set up and instrumented to collect information about network attacks. A honeyfile is an intentionally attractive file that contains unique, detectable data and is left in a location an attacker is likely to visit if they succeed in their attacks.
Name two different environments that DLP systems work in.
Host-based DLP and Network DLP
What are three major types of disaster recovery sites used for site resilience?
Hot sites, warm sites, and cold sites
What is the function to calculate the impact sub-score?
ISS = 1 − [(1 − Confidentiality) × (1 − Integrity) × (1 − Availability)]
List four phases used in the spiral model.
Identification, design, build, evaluation
What steps can be used to assess embedded systems?
Identify the embedded system and acquire documentation. Determine how the embedded system interfaces with the world. Identify any services or access it provides and how to secure it. Understand how the device can be patched. Document what your organization would do in the event that the device had a security issue or compromise. Document and implement your findings.
What is insecure direct object reference?
If an application exposes a direct reference to an object (such as a record ID in a URL or form field) and does not perform an authorization check when the user supplies a different value, the user may be permitted to view information that exceeds their authority. This situation is known as an insecure direct object reference.
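The missing check, as an added example in Python (not code from the flash cards). The invoice table, the handler functions, and the enumeration helper are constructed for illustration; the helper shows what an attacker does once an endpoint trusts the ID it is given.

```python
"""Insecure direct object reference: the same look-up with and without an authorization
check on the object. Added example, not from the book; data is constructed."""

# Constructed data store: invoice id -> owner and content.
INVOICES = {
    1001: {"owner": "alice", "total": 120.00},
    1002: {"owner": "bob", "total": 99.50},
    1003: {"owner": "alice", "total": 42.00},
}


class NotFound(Exception):
    """Raised for 'no such record' and, in the hardened version, for 'not your record'."""


def get_invoice_vulnerable(current_user: str, invoice_id: int) -> dict:
    """Authenticates the user (current_user is assumed to come from the session) but
    never checks that the requested object belongs to them: the IDOR."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id)


def get_invoice_hardened(current_user: str, invoice_id: int) -> dict:
    """Authorizes the object, not just the caller. Missing and foreign records get the
    same response so the attacker cannot learn which ids exist."""
    record = INVOICES.get(invoice_id)
    if record is None or record["owner"] != current_user:
        raise NotFound(invoice_id)
    return record


def enumerate_invoices(handler, current_user: str, id_range) -> list:
    """Attacker's view: walk the id space and keep every id the handler hands back."""
    found = []
    for invoice_id in id_range:
        try:
            handler(current_user, invoice_id)
            found.append(invoice_id)
        except NotFound:
            pass
    return found


if __name__ == "__main__":
    print(enumerate_invoices(get_invoice_vulnerable, "bob", range(1000, 1010)))  # [1001, 1002, 1003]
    print(enumerate_invoices(get_invoice_hardened, "bob", range(1000, 1010)))    # [1002]
```

Random or unguessable identifiers make enumeration slower but are not a substitute for the ownership check, since ids leak through logs, referrers, and shared links.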
What kinds of potential downfalls does disk encryption bring?
If the encryption key is lost, the data on the drive will likely be unrecoverable since the same strong encryption that protects it will make it very unlikely that you will be able to brute force the key and acquire the data. That also means that technical support can be more challenging, and that data corruption or other issues can have a larger impact resulting in unrecoverable data.
How do you calculate the CVSS base score for a vulnerability?
If the impact score is 0 (or less), the base score is 0. If the scope metric is Unchanged, the base score is the sum of the impact and exploitability scores. If the scope metric is Changed, it is that sum multiplied by 1.08. The highest possible base score is 10: if the calculated value is greater than 10, the base score is set to 10. CVSS then rounds the result up to one decimal place.
How do you calculate the impact score for a vulnerability under CVSS?
The impact score scales the ISS according to the scope metric. If scope is Unchanged, Impact = 6.42 × ISS. If scope is Changed, Impact = 7.52 × (ISS − 0.029) − 3.25 × (ISS − 0.02)^15 (CVSS v3.x).
List some weaknesses of symmetric key cryptography.
Key distribution is a major problem, because the shared secret has to reach the other party over some already-secure channel. Symmetric key cryptography does not provide nonrepudiation, since both parties hold the same key and either could have produced a message. The approach does not scale: every pair of users needs its own key, so n users need n(n − 1)/2 keys. Keys must be regenerated often, in particular whenever a participant leaves the group.
What are keyloggers?
Keyloggers are programs that capture keystrokes from keyboards, although keylogger applications may also capture other input like mouse movement, touchscreen inputs, or credit card swipes from attached devices.
What are two variants that file inclusion attacks come in? How do they work?
Local file inclusion and remote file inclusion. Local file inclusion attacks trick the application into including, and so executing or disclosing, a file that already exists on the web server (often through path traversal in a user-controlled file name). Remote file inclusion attacks go a step further and get the application to fetch and execute code that is stored on a server the attacker controls.
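The local variant and its fix, as an added example in Python (not code from the flash cards). A throwaway web root, a legitimate page, and a secret outside the page directory are constructed in a temporary directory; `include_vulnerable` and `include_hardened` are assumed handlers for a `?page=` parameter. The remote variant has no Python counterpart here: it is the PHP `include($_GET['page'])` pattern with `allow_url_include` enabled, where the same parameter can name a URL.

```python
"""Local file inclusion via path traversal, and a canonicalize-then-check fix.
Added example, not from the book; files are constructed in a temp directory."""
import os
import tempfile

# Constructed web root: pages/ is the only directory the app should ever read from.
ROOT = tempfile.mkdtemp()
PAGES = os.path.join(ROOT, "pages")
os.makedirs(PAGES)
with open(os.path.join(PAGES, "about.html"), "w") as f:
    f.write("<h1>About</h1>")
with open(os.path.join(ROOT, "secret.txt"), "w") as f:   # outside pages/
    f.write("db_password=hunter2")


def include_vulnerable(page: str) -> str:
    """?page=../secret.txt walks out of PAGES. An absolute value such as /etc/passwd
    replaces PAGES entirely, because os.path.join drops everything before an absolute
    component."""
    with open(os.path.join(PAGES, page)) as f:
        return f.read()


def resolve_page(page: str):
    """Canonicalize (symlinks and '..' collapsed on both sides) and require the result
    to sit under PAGES. Returns the real path, or None when the request escapes."""
    base = os.path.realpath(PAGES)
    target = os.path.realpath(os.path.join(base, page))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def include_hardened(page: str) -> str:
    target = resolve_page(page)
    if target is None:
        raise PermissionError(f"refusing to include {page!r}: outside the page directory")
    with open(target) as f:
        return f.read()


if __name__ == "__main__":
    print(include_vulnerable("../secret.txt"))   # db_password=hunter2
    print(include_hardened("about.html"))        # <h1>About</h1>
    print(resolve_page("../secret.txt"))         # None
```

The comparison is done with `commonpath`, not a string prefix test, so a sibling directory named `pages-old` does not pass. Where the set of includable pages is known, an allowlist of names is simpler still and should be preferred.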
Give three valuable information sources for reconciling scan results.
Log reviews from servers, applications, network devices, and other sources that might contain information about possible attempts to exploit detected vulnerabilities. Security information and event management (SIEM) systems that correlate log entries from multiple sources and provide actionable intelligence. Configuration management systems that provide information on the operating system and applications installed on a system.
What key element separates logic bombs from other malware?
Logic bombs are not independent malicious programs. They are functions or code placed inside other programs that activate only when a set condition is met, such as a date, the absence of a particular user account, or a specific input.
List four types of protocol level protections.
Loop prevention, Broadcast storm prevention, Bridge Protocol Data Unit (BPDU) guard, Dynamic Host Configuration Protocol (DHCP) snooping
Name three major attack frameworks.
MITRE ATT&CK, the Diamond Model of Intrusion Analysis, the Cyber Kill Chain
Give some examples of physical attacks.
Malicious flash drive attacks, malicious USB cables, card cloning attacks, and supply chain attacks
What are the benefits of the cloud?
On-demand self-service computing, scalability, elasticity, measured service, agility and flexibility
List four standard agreements used in third-party risk management.
Master service agreements (MSA), Service level agreements, Memorandum of understanding, Business partnership agreements.
Who are the typical team members in an incident response team?
Members of management or organizational leadership, technical experts, communications and public relations staff, legal and human resources staff, and law enforcement
Name at least three types of viruses.
Memory resident viruses, non-memory resident viruses, boot sector viruses, macro viruses, and email viruses
What are two types of advanced security camera capabilities?
Motion recognition and object detection
What are two common NAC usage models?
NAC can either use a software agent that is installed on the computer to perform security checks, or may be agentless and run from a browser or via another means without installing software locally.
What is NFC and how is it most frequently used?
NFC, or near field communication, is used for very short range communication between devices. You've likely seen NFC used for payment terminals using Apple Pay or Google Wallet using cell phones. NFC is limited to about 4 inches of range, meaning that it is not used to build networks of devices, and instead it is primarily used for low bandwidth, device to device purposes.
How does network segmentation work?
Network segmentation divides a network up into logical or physical groupings that are frequently based on trust boundaries, functional requirements, or other reasons that help an organization apply controls or assist with functionality.
What are password vaults?
Password vaults are software solutions that store, manage, and secure passwords and other information, allowing users to use strong passwords without memorizing dozens, or hundreds, of individual complex passwords.
Name two mechanisms of action of DLP systems.
Pattern matching and watermarking
What are the benefits of penetration testing?
Penetration testing provides us with knowledge that we can't obtain elsewhere. In the event that attackers are successful, penetration testing provides us with an important blueprint for remediation. Penetration tests can provide us with essential, focused information on specific attack targets.
What are some examples of managerial controls?
Periodic risk assessments, security planning exercises, and the incorporation of security into the organization's change management, service acquisition, and project management practices
What are two major usage modes provided by WPA 2?
Personal/Preshared Key (PSK) & Enterprise (EAP/RADIUS) mode
What category of information includes any information that uniquely identifies an individual person, including customers, employees, and third parties?
Personally identifiable information (PII) includes any information that uniquely identifies an individual person, including customers, employees, and third parties.
What are four phases of the continuity of operations?
Phase I: Readiness and preparedness; Phase II: Activation and relocation; Phase III: Continuity of operations; Phase IV: Reconstitution
What is phishing?
Phishing is a broad term used to describe the fraudulent acquisition of information, often focused on credentials like usernames and passwords, as well as sensitive personal information like credit card numbers and related data.
Name at least five social engineering techniques mentioned in the book.
Phishing, credential harvesting, website attacks, spam, in-person techniques, identity fraud and impersonation, and reconnaissance
List all six phases of a typical Fagan inspection process.
Planning, overview, preparation, meeting, rework, and follow up
Name the phases of the software development life cycle.
Planning, requirements, design, coding, testing, training and transition, ongoing operations and maintenance, end of life decommissioning
What are playbooks?
Playbooks are step by step guides intended to help incident response teams take the right steps in a given scenario.
What are four different types of documents in the information security policy framework?
Policies, standards, procedures, guidelines
What kinds of issues should security analysts be aware of when dealing with IoT devices?
Poor security practices, including weak default settings, lack of network security (firewalls), exposed or vulnerable services, lack of encryption for data transfer, weak authentication, use of embedded credentials, insecure data storage, and a wide range of other poor practices. Short support lifespans, meaning that IoT devices may not be patched or updated leaving them potentially vulnerable for most of their deployed lifespan. Vendor data handling practice issues, including licensing and data ownership concerns, as well as the potential to reveal data to both employees and partners of the vendor and to government and other agencies without the device owner being aware.
What is port security?
Port security is a switch capability that limits the number of MAC addresses that can be used on a single port, and optionally which specific MAC addresses are allowed; a port that sees an unexpected address can be shut down or have the traffic dropped, which blocks MAC flooding and unauthorized devices plugged into an existing drop.
List three common biometric technologies.
Possible answers include fingerprints, retina scanning, iris recognition, facial recognition, voice recognition, vein recognition, and gait analysis.
What are six steps in the incident response process?
Preparation, identification, containment, eradication, recovery, and lessons learned
List all three definitions of prepending ( adding something)
Prepending can mean one of three different things: Adding an expression or phrase, such as adding "SAFE" to a set of email headers to attempt to fool a user into thinking it has passed an anti-spam tool. Adding information as part of another attack to manipulate the outcome. Suggesting topics via a social engineering conversation to lead a target toward related information you are looking for.
List some advantages of implementing database normalization.
Prevent data inconsistency, prevent update anomalies, reduce the need for restructuring existing databases, and make the database schema more informative.
Name all security control types.
Preventive controls, detective controls, corrective controls, deterrent controls, physical controls, and compensating controls
List the four cloud deployment models.
Public cloud, private cloud, community cloud, and hybrid cloud
What are two types of risk assessments and what are their differences?
Quantitative risk assessments use numeric data in the analysis, resulting in assessments that allow the very straightforward prioritization of risks. Qualitative risk assessments substitute subjective judgments and categories for strict numerical analysis, allowing the assessment of risks that are difficult to quantify.
What information does the port/hosts section provide on the report?
The port/hosts section provides details on the server(s) that contain the vulnerability as well as the specific services on that server that have the vulnerability.
List all steps in site restoration.
Restore network connectivity and a bastion or shell host. Restore network security devices (firewalls, IPS). Restore storage and database services. Restore critical operational servers. Restore logging and monitoring service. Restore other services as possible.
What is a right to audit clause?
Right to audit clauses are part of the contract between a cloud service and an organization. A right to audit clause provides either a direct ability to audit the cloud provider, or an agreement to use a third-party audit agency.
What is the formula to calculate the severity of a risk?
Risk Severity = Likelihood × Impact
Name five factors that influence how often an organization decides to conduct vulnerability scans against its systems.
Risk appetite, regulatory requirements, technical constraints, business constraints, and licensing limitations
What is risk avoidance?
Risk avoidance is a risk management strategy where business practices are changed to completely eliminate the potential that a risk will materialize.
What is risk mitigation?
Risk mitigation is the process of applying security controls to reduce the probability and/or magnitude of a risk.
List and explain all three primary rules of Role-Based Access Control (RBAC).
Role assignment, which states that subjects can only use permissions that match a role they have been assigned. Role authorization, which states that the subject's active role must be authorized for the subject. This prevents subjects from taking on roles they shouldn't be able to. Permission authorization, which states that subjects can only use permissions that their active role is allowed to use.
What are rootkits?
Rootkits are malware specifically designed to allow attackers to access a system through a backdoor and to conceal that access, hiding their processes, files, and network connections, often by modifying the operating system or its kernel.
What are runbooks?
Runbooks are the operational procedures guides that organizations use to perform actions.
Name seven elements in the security information and event management system.
SIEM dashboard, sensors, sensitivity and threshold, trends, alerts and alarms, correlation and analysis, rules
List and explain three different categories of SOC assessment.
SOC 1 engagements assess the organization's controls that might impact the accuracy of financial reporting. SOC 2 engagements assess the organization's controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in a system. SOC 2 audit results are confidential and are normally only shared outside the organization under a non-disclosure agreement (NDA). SOC 3 engagements also assess the organization's controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in a system. However, SOC 3 audit results are intended for public disclosure.
What are four key metrics in the business impact assessment (BIA) process?
The Mean Time Between Failures (MTBF) is a measure of the reliability of a system. It is the expected amount of time that will elapse between system failures. The Mean Time to Repair (MTTR) is the average amount of time to restore a system to its normal operating state after a failure. The Recovery Time Objective (RTO) is the amount of time that the organization can tolerate a system being down before it is repaired. The Recovery Point Objective (RPO) is the amount of data that the organization can tolerate losing during an outage.
List some major strengths of asymmetric key cryptography.
The addition of new users requires the generation of only one public-private key pair. Users can be removed far more easily from asymmetric systems. Key regeneration is required only when a user's private key is compromised. Asymmetric key encryption can provide integrity, authentication, and nonrepudiation. Key distribution is a simple process. No preexisting communication link needs to exist.
Name two choices you need to make when you implement encryption.
The algorithm to use to perform encryption and decryption, and the encryption key to use with that algorithm
What is the best way to detect a rootkit?
The best way to detect a rootkit is to test the suspected system from a trusted system or device. In cases where that isn't possible, rootkit detection tools look for behaviors and signatures that are typical of rootkits.
Why might a certificate authority need to revoke a digital certificate?
The certificate was compromised (for example, the certificate owner accidentally gave away the private key). The certificate was erroneously issued (for example, the CA mistakenly issued a certificate without proper verification). The details of the certificate changed (for example, the subject's name changed). The security association changed (for example, the subject is no longer employed by the organization sponsoring the certificate).
List three criteria that must be met for a compensating control to be satisfactory under PCI DSS.
The control must meet the intent and rigor of the original requirement. The control must provide a similar level of defense as the original requirement, such that the compensating control sufficiently offsets the risk that the original PCI DSS requirement was designed to defend against. The control must be "above and beyond" other PCI DSS requirements.
Describe the continuous integration and continuous deployment pipeline.
The developer commits change, the build process is triggered, the build report is delivered, tests are run against the build, the test report is delivered, if successful, the code is deployed
What term describes the original level of risk that exists before implementing any controls?
The inherent risk facing an organization is the original level of risk that exists before implementing any controls. Inherent risk takes its name from the fact that it is the level of risk inherent in the organization's business.
What information does the output section provide on a vulnerability report?
The output section of the report shows the detailed information returned by the remote system when probed for the vulnerability.
What security constraints do you need to take into account when you consider security for embedded systems (e.g., a Raspberry Pi)?
The overall computational power and capacity of embedded systems is usually much lower than a traditional PC or mobile device. Embedded systems may not connect to a network. Without network connectivity and without the CPU and memory that strong authentication needs, authentication is also likely to be impractical or impossible. Embedded systems may be very low cost, but many are effectively very high cost because they are a component in a larger industrial or specialized device.
List and explain two types of SOC report.
Type 1 reports provide the auditor's opinion on the description provided by management and the suitability of the design of the controls. Type 2 reports go further and also provide the auditor's opinion on the operating effectiveness of the controls. That is, the auditor actually confirms that the controls are functioning properly.
What are two primary types of hypervisors and what are their differences?
Type I hypervisors, also known as bare metal hypervisors, operate directly on top of the underlying hardware. The hypervisor then supports guest operating systems for each virtual machine. This is the model most commonly used in data center virtualization because it is highly efficient. Type II hypervisors run as an application on top of an existing operating system. In this approach, the operating system supports the hypervisor and the hypervisor requests resources for each guest operating system from the host operating system. This model is commonly used to provide virtualization environments on personal computers for developers, technologists, and others who have the need to run their own virtual machines. It is less efficient than bare metal virtualization because the host operating system introduces a layer of inefficiency that consumes resources.
List five basic actions you can take now as a security analyst in response to the increase in the importance of AI and machine learning in cybersecurity.
Understand the quality and security of source data. Work with AI and ML developers to ensure that they are working in secure environments and that data sources, systems, and tools are maintained in a secure manner. Ensure that changes to AI and ML algorithms are reviewed, tested, and documented. Encourage reviews to prevent intentional or unintentional bias in algorithms. Engage domain experts wherever possible.
What are some examples of operational controls?
User access reviews, log monitoring, and vulnerability management
List all the common account types used by the Security+ exam.
User accounts; privileged or administrative accounts; shared and generic accounts or credentials; guest accounts; and service accounts associated with applications and services
List five common ways to assert or claim an identity.
Usernames, certificates, tokens, SSH keys, and smart cards
Name some sources you can use when you build your threat research toolkit.
Vendor security information websites, vulnerability and threat feeds from vendors, government agencies, private organizations, academic journals and technical publications, professional conferences and local industry group meetings, and social media accounts of prominent security professionals.
What are some of the attributes used in an X.509 certificate?
Version of X.509 to which the certificate conforms. Serial number (from the certificate creator). Signature algorithm identifier (specifies the technique used by the certificate authority to digitally sign the contents of the certificate). Issuer name (identification of the certificate authority that issued the certificate). Validity period (specifies the dates and times, a starting date and time and an expiration date and time, during which the certificate is valid). Subject's Common Name (CN), which clearly describes the certificate owner (e.g., "certmike.com"). Certificates may optionally contain Subject Alternative Names (SAN) that allow you to specify additional items (IP addresses, domain names, and so on) to be protected by the single certificate. Subject's public key (the meat of the certificate: the actual public key the certificate owner uses to set up secure communications).
List and explain two categories of scalability and their advantages.
Vertical and Horizontal scalability Vertical scalability requires a larger or more powerful system or device. Vertical scalability can help when all tasks or functions need to be handled on the same system or infrastructure. Vertical scalability can be very expensive to increase, particularly if the event that drives the need to scale is not ongoing or frequent. Horizontal scaling uses smaller systems or devices but adds more of them. When designed and managed correctly, a horizontally scaled system can take advantage of the ability to transparently add and remove more resources, allowing it to adjust as needs grow or shrink. This also allows opportunities for transparent upgrades, patching, and even incident response.
What should we do if we can't completely remove data from a dataset?
We can transform it into a format where the original sensitive information is deidentified. The deidentification process removes the ability to link data back to an individual, reducing its sensitivity. An alternative to deidentifying data is transforming it into a format where the original information can't be retrieved. This is a process called data obfuscation.
What are web application firewalls?
Web application firewalls (WAFs) are security devices that are designed to be able to intercept, analyze, and apply rules to web traffic, including tools like database queries, APIs, and other web application tools.
Explain true positive, false positive, true negative, and false negative.
When a vulnerability scanner reports a vulnerability, this is known as a positive report. This report may either be accurate (a true positive report) or inaccurate (a false positive report). Similarly, when a scanner reports that a vulnerability is not present, this is a negative report. The negative report may either be accurate (a true negative report) or inaccurate (a false negative report).
What are two decision points for VPN implementation?
Whether the VPN will be used for remote access or as a site-to-site VPN, and whether it will be a split tunnel VPN or a full tunnel VPN
What are three typical classifications that are used to describe penetration test types?
White box, black box, gray box
What type of attacker acts with authorization?
White hat hackers are those who act with authorization and seek to discover security vulnerabilities with the intent of correcting them.