Security+
6: What is risk mitigation?
6: Risk mitigation is the process of applying security controls to reduce the probability and/or magnitude of a risk.
6: What are two primary models for generation of one-time passwords?
6: Time-based one-time passwords (TOTP) and HMAC-based one-time passwords (HOTP)
6: What is tailgating?
6: Tailgating is a physical entry attack that requires simply following someone who has authorized access to an area so that as they open secured doors you can pass through as well.
6: What are the three security control categories?
6: Technical controls, operational controls, and managerial controls
6: What are three components in the NIST framework?
6: The Framework Core, the Framework Implementation, Framework Profiles
18: List some advantages of implementing database normalization.
18: • Prevent data inconsistency • Prevent update anomalies • Reduce the need for restructuring existing databases • Make the database schema more informative
10: What principle states that data is subject to the legal restrictions of any jurisdiction where it is collected, stored, or processed?
10: Data sovereignty is a principle that states that data is subject to the legal restrictions of any jurisdiction where it is collected, stored, or processed.
15: What are three specific Layer 2 attacks in the Security+ exam outline?
15: Address resolution protocol (ARP) poisoning attacks, media access control (MAC), and MAC cloning
10: What are playbooks?
10: Playbooks are step-by-step guides intended to help incident response teams take the right steps in a given scenario.
8: What is the function to calculate the impact sub-score?
8: ISS = 1 − [(1 − Confidentiality) × (1 − Integrity) × (1 − Availability)]
8: List the four common EAP variants found in the Security+ exam outline.
8: PEAP, EAP-FAST, EAP-TLS, and EAP-TTLS
10: What category of information includes any information that uniquely identifies an individual person, including customers, employees, and third parties?
10: Personally identifiable information (PII) includes any information that uniquely identifies an individual person, including customers, employees, and third parties.
10: What are the three common detection methods to identify unwanted and potentially malicious traffic?
10: Signature-based detections rely on a known hash or signature matching to detect a threat. Heuristic or behavior-based detections look for specific patterns or sets of actions that match threat behaviors. Anomaly-based detections establish a baseline for an organization or network and then flag when out-of-the-ordinary behavior occurs.
11: What are the three states where data might exist?
11: Data at rest, data in motion, and data in processing
11: What key element separates logic bombs from other malware?
11: Logic bombs are functions or code placed inside other programs that activate when set conditions are met, rather than being independent malicious programs.
11: What are runbooks?
11: Runbooks are the operational procedures guides that organizations use to perform actions.
11: What are the differences between stateless firewalls and stateful firewalls?
11: Stateless firewalls (sometimes called packet filters) filter every packet based on data like the source and destination IP and port, the protocol, and other information that can be gleaned from the packet's headers, while stateful firewalls (sometimes called dynamic packet filters) pay attention to the state of traffic between systems.
12: Give three ways that an attacker might discover a user's password.
12: 1. Conducting social engineering attacks that trick the user into revealing a password, either directly or through a false authentication mechanism 2. Eavesdropping on unencrypted network traffic 3. Obtaining a dump of passwords from previously compromised sites and assuming that a significant proportion of users reuse their passwords from that site on other sites
10: List four types of specialized systems of embedded systems.
12: Answers include: • Medical systems • Smart meters • Vehicles • Drones and autonomous vehicles (AVs) • VoIP systems • Printers • Surveillance systems
12: What is data encryption?
12: Encryption technology uses mathematical algorithms to protect information from prying eyes, both while it is in transit over a network and while it resides on systems.
12: What are filesystem controls?
12: Filesystem controls determine which accounts, users, groups, or services can perform actions like reading, writing, and executing (running) files.
12: List three techniques that support removing systems, devices, or even entire network segments or zones.
12: Isolation, containment, segmentation
12: Name at least three types of viruses.
12: Memory-resident viruses, non-memory-resident viruses, boot sector viruses, macro viruses, and email viruses
12: What are two types of advanced security camera capabilities?
12: Motion recognition and object detection
12: What are three main methods used to exchange secret keys securely?
12: Offline distribution, public key encryption, and the Diffie-Hellman key exchange algorithm
12: What are web application firewalls?
12: Web application firewalls (WAFs) are security devices that are designed to be able to intercept, analyze, and apply rules to web traffic, including tools like database queries, APIs, and other web application tools.
12: Explain true positive, false positive, true negative, and false negative.
12: When a vulnerability scanner reports a vulnerability, this is known as a positive report. This report may either be accurate (a true positive report) or inaccurate (a false positive report). Similarly, when a scanner reports that a vulnerability is not present, this is a negative report. The negative report may either be accurate (a true negative report) or inaccurate (a false negative report).
13: Give three valuable information sources for reconciling scan results.
13: • Log reviews from servers, applications, network devices, and other sources that might contain information about possible attempts to exploit detected vulnerabilities • Security information and event management (SIEM) systems that correlate log entries from multiple sources and provide actionable intelligence • Configuration management systems that provide information on the operating system and applications installed on a system
13: Give some ways that an attacker might obtain a cookie.
13: Eavesdropping on unencrypted network connections and stealing a copy of the cookie as it is transmitted between the user and the website. Installing malware on the user's browser that retrieves cookies and transmits them back to the attacker. Engaging in a man-in-the-middle attack, where the attacker fools the user into thinking that the attacker is actually the target website and presenting a fake authentication form. They may then authenticate to the website on the user's behalf and obtain the cookie.
5: List four standard agreements used in third-party risk management.
5: Master service agreements (MSA), service level agreements, memorandums of understanding, and business partnership agreements
5: What is open source threat intelligence?
5: Open source threat intelligence is threat intelligence that is acquired from publicly available sources.
5: List the four cloud deployment models.
5: Public cloud, private cloud, community cloud, and hybrid cloud
5: What are rootkits?
5: Rootkits are malware specifically designed to allow attackers to access a system through a backdoor.
5: What does shoulder surfing mean?
5: Shoulder surfing is the process of looking over a person's shoulder to capture information like passwords or other data. While shoulder surfing typically implies actually looking over a person's shoulder, other similar attacks like looking into a mirror behind a person entering their credentials would also be considered shoulder surfing.
5: What information does the port/hosts section provide on the report?
5: The port/hosts section provides details on the server(s) that contain the vulnerability as well as the specific services on that server that have the vulnerability.
7: List all three definitions of prepending.
7: Prepending can mean one of three different things: 1. Adding an expression or phrase, such as adding "SAFE" to a set of email headers to attempt to fool a user into thinking it has passed an anti-spam tool. 2. Adding information as part of another attack to manipulate the outcome. 3. Suggesting topics via a social engineering conversation to lead a target toward related information you are looking for.
7: What is risk avoidance?
7: Risk avoidance is a risk management strategy where business practices are changed to completely eliminate the potential that a risk will materialize.
7: What are two decision points for VPN implementation?
7: • Whether the VPN will be used for remote access or as a site-to-site VPN • Whether it will be a split-tunnel VPN or a full-tunnel VPN
7: List all steps in site restoration.
7: 1. Restore network connectivity and a bastion or shell host. 2. Restore network security devices (firewalls, IPS). 3. Restore storage and database services. 4. Restore critical operational servers. 5. Restore logging and monitoring services. 6. Restore other services as possible.
7: What are APIs?
7: Application programming interfaces (APIs) are interfaces between clients and servers or applications and operating systems that define how the client should ask for information from the server and how the server will respond.
7: What is the difference between an audit and an assessment?
7: Audits are formal reviews of an organization's security program or specific compliance issues conducted on behalf of a third party. Assessments are less formal reviews of security controls that are typically requested by the security organization itself in an effort to engage in process improvement.
7: What are backdoors?
7: Backdoors are methods or tools that provide access that bypasses normal authentication and authorization procedures, allowing attackers access to systems, devices, or applications.
7: Raspberry Pi, Arduinos, and FPGAs are all considered what types of systems by the Security+ exam?
7: Embedded systems
7: What are some examples of technical controls?
7: Firewall rules, access control lists, intrusion prevention systems, and encryption
7: List three common biometric technologies.
7: Possible answers include: fingerprints, retina scanning, iris recognition, facial recognition, voice recognition, vein recognition, and gait analysis
10: List and explain all three primary rules of RBAC.
10: 1. Role assignment, which states that subjects can only use permissions that match a role they have been assigned. 2. Role authorization, which states that the subject's active role must be authorized for the subject. This prevents subjects from taking on roles they shouldn't be able to. 3. Permission authorization, which states that subjects can only use permissions that their active role is allowed to use.
10: What are the advantages of guards?
10: • Guards can make decisions that technical control systems cannot, and they can also provide additional capabilities by providing both detection and response capabilities. • Guards can validate an individual's identity, ensure that they only enter the areas they are supposed to, and confirm that they have signed a visitor log and that their signature matches a signature on file or on their ID card.
10: Name five modes of operation of DES.
10: Electronic Codebook (ECB) mode, Cipher Block Chaining (CBC) mode, Cipher Feedback (CFB) mode, Output Feedback (OFB) mode, and Counter (CTR) mode
10: How do you calculate the exploitability score for a vulnerability under CVSS?
10: Exploitability = 8.22 × AttackVector × AttackComplexity × PrivilegesRequired × UserInteraction
10: What are keyloggers?
10: Keyloggers are programs that capture keystrokes from keyboards, although keylogger applications may also capture other input like mouse movement, touchscreen inputs, or credit card swipes from attached devices.
10: Name all security control types.
10: Preventive controls, detective controls, corrective controls, deterrent controls, physical controls, and compensating controls
10: Give three examples of features that an organization may want or need to ensure that mobile devices and the data they contain are secure.
10: Some examples may include: • Application management features are important to allow enterprise control of applications. • Content management (sometimes called MCM, or mobile content management) ensures secure access and control of organizational files including documents and media on mobile devices. • Remote wipe capabilities are used when a device is lost, stolen, or when the owner is no longer employed by the organization. • Geolocation and geofencing capabilities allow you to use the location of the phone to make decisions about its operation. • Screen locks, passwords, and PINs are all part of normal device security models to prevent unauthorized access. • Biometrics are widely available on modern devices, with fingerprints and facial recognition being the most broadly adopted and deployed. • Context-aware authentication goes beyond PINs, passwords, and biometrics to understand more about user behavior. • Containerization is an increasingly common solution to handling separation of work and personal use contexts on devices. • Storage segmentation can be used to keep personal and business data separate as well. • Full device encryption (FDE) remains the best way to ensure that stolen or lost devices don't result in a data breach. • Push notifications may seem like an odd inclusion here, but sending messages to devices can be useful in a number of scenarios.
10: What is static code analysis and what is dynamic code analysis?
10: Static code analysis (sometimes called source code analysis) is conducted by reviewing the code for an application. Static analysis does not run the program; instead, it focuses on understanding how the program is written and what the code is intended to do. Dynamic code analysis relies on execution of the code while providing it with input to test the software.
11: What are three tools that can be used in the data obfuscation process?
11: Hashing uses a hash function to transform a value in our dataset into a corresponding hash value. Tokenization replaces sensitive values with a unique identifier using a lookup table. Data masking partially redacts sensitive information by replacing some or all of the sensitive fields with blank characters.
11: How do you calculate the CVSS base score for a vulnerability?
11: • If the impact is 0, the base score is 0. • If the scope metric is Unchanged, calculate the base score by adding together the impact and exploitability scores. • If the scope metric is Changed, calculate the base score by adding together the impact and exploitability scores and multiplying the result by 1.08. • The highest possible base score is 10. If the calculated value is greater than 10, set the base score to 10.
11: What are three key lengths allowed by the AES cipher and what are their corresponding number of encryption rounds?
11: 128-bit keys require 10 rounds of encryption. 192-bit keys require 12 rounds of encryption. 256-bit keys require 14 rounds of encryption.
11: What are two different approaches of CASBs?
11: • Inline CASB solutions physically or logically reside in the connection path between the user and the service. This approach requires configuration of the network and/or endpoint devices. It provides the advantage of seeing requests before they are sent to the cloud service, allowing the CASB to block requests that violate policy. • API-based CASB solutions do not interact directly with the user but rather interact directly with the cloud provider through the provider's API. This approach provides direct access to the cloud service and does not require any user device configuration.
11: What security constraints do you need to take into account when you consider security for embedded systems?
11: • The overall computational power and capacity of embedded systems is usually much lower than that of a traditional PC or mobile device. • Embedded systems may not connect to a network. • Without network connectivity, CPU and memory capacity, and other needed elements, authentication is also likely to be impossible. • Embedded systems may be very low cost, but many are effectively very high cost because they are a component in a larger industrial or specialized device.
11: What are the disadvantages of guards?
11: • Guards can be fallible, and social engineering attempts can persuade guards to violate policies or even to provide attackers with assistance. • Guards are relatively expensive.
11: What does blind SQL injection mean and what are two forms of blind SQL injection?
11: Attackers use a technique called blind SQL injection to conduct an attack even when they don't have the ability to view the results directly. Two forms of blind SQL injection are content-based and timing-based.
11: Name five common access control schemes.
11: Attribute-based access control (ABAC), Role-based access control (RBAC), Rule-based access control (RBAC or RuBAC), Mandatory Access Control (MAC), and Discretionary access control (DAC)
13: What are the three major types of information gathering tools that are included in the Security+ exam outline?
13: Honeypots are systems that are intentionally configured to appear to be vulnerable, but which are actually heavily instrumented and monitored systems that will document everything that an attacker does while retaining copies of every file and command they use. Honeynets are networks set up and instrumented to collect information about network attacks. A honeyfile is an intentionally attractive file that contains unique, detectable data that is left in an area that an attacker is likely to visit if they succeed in their attacks.
13: What are five basic requirements for a cryptographic hash function?
13: 1. They accept an input of any length. 2. They produce an output of a fixed length. 3. The hash value is relatively easy to compute. 4. The hash function is one-way (meaning that it is extremely hard to determine the input when provided with the output). 5. The hash function is collision free (meaning that it is extremely hard to find two messages that produce the same hash value).
13: List five basic actions you can take now as a security analyst in response to the increase in the importance of AI and machine learning in cybersecurity.
13: 1. Understand the quality and security of source data. 2. Work with AI and ML developers to ensure that they are working in secure environments and that data sources, systems, and tools are maintained in a secure manner. 3. Ensure that changes to AI and ML algorithms are reviewed, tested, and documented. 4. Encourage reviews to prevent intentional or unintentional bias in algorithms. 5. Engage domain experts wherever possible.
13: List five secure data destruction options.
13: Burning, shredding, pulping, pulverizing, and degaussing
13: What is DLP and what can it do?
13: DLP stands for data loss prevention. DLP systems help organizations enforce information handling policies and procedures to prevent data loss and theft.
14: Give some examples of weak configurations.
14: • The use of default settings that pose a security risk • The presence of unsecured accounts, including both normal user accounts and unsecured root accounts with administrative privileges • Open ports and services that are not necessary to support normal system operations • Open permissions that allow users access that violates the principle of least privilege
14: What are two distinct goals of digital signature infrastructures?
14: Digitally signed messages assure the recipient that the message truly came from the claimed sender. They enforce nonrepudiation. Digitally signed messages assure the recipient that the message was not altered while in transit between the sender and recipient. This protects against both malicious modification and unintentional modification.
14: What is an on-path attack?
14: An on-path (previously man-in-the-middle or MiTM) attack occurs when an attacker causes traffic that should be sent to its intended recipient to be relayed through a system or device the attacker controls.
14: Name two different environments that DLP systems work in.
14: Host-based DLP and Network DLP
14: What is insecure direct object reference?
14: If the application does not perform authorization checks, the user may be permitted to view information that exceeds their authority. This situation is known as an insecure direct object reference.
15: Name two choices you need to make when you implement encryption.
15: • The algorithm to use to perform encryption and decryption • The encryption key to use with that algorithm
15: What are some of the attributes used in an X.509 certificate?
15: • Version of X.509 to which the certificate conforms • Serial number (from the certificate creator) • Signature algorithm identifier (specifies the technique used by the certificate authority to digitally sign the contents of the certificate) • Issuer name (identification of the certificate authority that issued the certificate) • Validity period (specifies the starting date and time and the expiration date and time during which the certificate is valid) • Subject's Common Name (CN), which clearly describes the certificate owner (e.g., "certmike.com") • Subject Alternative Names (SAN), optional entries that allow you to specify additional items (IP addresses, domain names, and so on) to be protected by the single certificate • Subject's public key (the meat of the certificate: the actual public key the certificate owner uses to set up secure communications)
15: What are two variants that file inclusion attacks come in? How do they work?
15: Local file inclusion and remote file inclusion. Local file inclusion attacks seek to execute code stored in a file located elsewhere on the web server. Remote file inclusion attacks allow the attacker to go a step further and execute code that is stored on a remote server.
15: Name two mechanisms of action of DLP systems.
15: Pattern matching and watermarking
16: What are the benefits of penetration testing?
16: 1. Penetration testing provides us with knowledge that we can't obtain elsewhere. 2. In the event that attackers are successful, penetration testing provides us with an important blueprint for remediation. 3. Penetration tests can provide us with essential, focused information on specific attack targets.
16: Why might a certificate authority need to revoke a digital certificate?
16: The certificate was compromised (for example, the certificate owner accidentally gave away the private key). The certificate was erroneously issued (for example, the CA mistakenly issued a certificate without proper verification). The details of the certificate changed (for example, the subject's name changed). The security association changed (for example, the subject is no longer employed by the organization sponsoring the certificate).
16: List four tools commonly run on a local system to gather information about its network configuration and status.
16: 1. ipconfig (Windows) and ifconfig (Linux) 2. netstat 3. arp 4. route
16: When would cross-site scripting attacks occur?
16: Cross-site scripting (XSS) attacks occur when web applications allow an attacker to perform HTML injection, inserting their own HTML code into a web page.
4: What are the differences between Agile, Waterfall, and Spiral?
4: Agile software development is an iterative and incremental process, rather than the linear processes that Waterfall and Spiral use.
16: What is data minimization and how can we do it?
16: Data minimization techniques seek to reduce risk by reducing the amount of sensitive information that we maintain on a regular basis. The best way to achieve data minimization is to simply destroy data when it is no longer necessary to meet our original business purpose.
17: What are three techniques to verify the authenticity of certificates and identify revoked certificates?
17: Certificate Revocation Lists, Online Certificate Status Protocol (OCSP), and Certificate Stapling
17: What's the difference between cross-site scripting attacks and cross-site request forgery attacks?
17: They exploit a different trust relationship. XSS attacks exploit the trust that a user has in a website to execute code on the user's computer. XSRF attacks exploit the trust that remote sites have in a user's system to execute commands on the user's behalf.
17: What should we do if we can't completely remove data from a dataset?
17: We can transform it into a format where the original sensitive information is deidentified. The deidentification process removes the ability to link data back to an individual, reducing its sensitivity. An alternative to deidentifying data is transforming it into a format where the original information can't be retrieved. This is a process called data obfuscation.
17: What are three typical classifications that are used to describe penetration test types?
17: White box, black box, gray box
17: What is theHarvester?
17: theHarvester is an open source intelligence gathering tool that can retrieve information like email accounts, domains, usernames, and other details using LinkedIn, search engines (like Google, Bing, and Baidu), PGP servers, and other sources.
18: List at least three key elements of the rules of engagement for a penetration test.
18: • The timeline for the engagement and when testing can be conducted • What locations, systems, applications, or other potential targets are included or excluded • Data handling requirements for information gathered during the penetration test • What behaviors to expect from the target • What resources are committed to the test • Legal concerns, including a review of the laws that cover the target organization, any remote locations, and any service providers who will be in scope • When and how communications will occur
18: Name some tools we can use in the process of data obfuscation.
18: Hashing, tokenization, and masking
19: List and explain two principles we need to apply for application resilience.
19: • Scalability says that applications should be designed so that the computing resources they require may be incrementally added to support increasing demand. • Elasticity goes a step further than scalability and says that applications should be able to automatically provision resources to scale when necessary and then automatically deprovision those resources to reduce capacity (and cost) when it is no longer needed.
19: Identify four key phases of a penetration test.
19: Initial access, privilege escalation, pivoting (lateral movement), and persistence
1: Define threats, vulnerabilities, and risks.
1: Threats are any possible events that might have an adverse impact on the confidentiality, integrity, and/or availability of information or information systems. Vulnerabilities are weaknesses in systems or controls that could be exploited by a threat. Risks occur at the intersection of a vulnerability and a threat that might exploit that vulnerability. A threat without a corresponding vulnerability does not pose a risk, nor does a vulnerability without a corresponding threat.
1: What are six steps in the incident response process?
1: • Preparation • Identification • Containment • Eradication • Recovery • Lessons learned
1: What are 9 stages in the EDRM model?
1: 1. Information governance before the fact to assess what data exists and to allow scoping and control of what data needs to be provided. 2. Identification of electronically stored information so that you know what you have and where it is. 3. Preservation of the information to ensure that it isn't changed or destroyed. 4. Collection of the information so that it can be processed and managed as part of the collection process. 5. Processing to remove unneeded or irrelevant information, as well as preparing it for review and analysis by formatting or collating it. 6. Reviewing the data to ensure that it only contains what it is supposed to, and that information that should not be shared is not included. 7. Analysis of the information to identify key elements like topics, terms, and individuals or organizations. 8. Production provides the information to third parties or those involved in legal proceedings. 9. Presentation both for testimony in court and for further analysis with experts or involved parties.
1: What is a cipher?
1: A cipher is a method used to scramble or obfuscate characters to hide their value. Ciphering is the process of using a cipher to do that type of scrambling to a message.
1: Name all seven key social engineering principles that the Security+ exam focuses on.
1: Authority, intimidation, consensus, scarcity, familiarity, trust, and urgency
1: List at least five connectivity methods.
1: Cellular, Wi-Fi, Bluetooth, NFC, RFID, Infrared, GPS, USB
1: What is cloud computing?
1: Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
1: What are three key objectives of cybersecurity programs?
1: Confidentiality, integrity, and availability
1: List three common elements in designs for redundancy.
1: Geographic dispersal of systems, separation of servers and other devices in datacenters, use of multiple network path solutions, redundant network devices, protection of power, system and storage redundancy, and diversity of technologies
1: What characteristics differentiate the types of cybersecurity threat actors?
1: Internal vs. external, level of sophistication/capability, resources/funding, and intent/motivation
1: How does network segmentation work?
1: Network segmentation divides a network up into logical or physical groupings that are frequently based on trust boundaries, functional requirements, or other reasons that help an organization apply controls or assist with functionality.
1: Name the phases of the software development life cycle.
1: Planning, requirements, design, coding, testing, training and transition, ongoing operations and maintenance, and end-of-life decommissioning
1: What are four different types of documents in the information security policy framework?
1: Policies, standards, procedures, guidelines
1: Name five factors that influence how often an organization decides to conduct vulnerability scans against its systems.
1: Risk appetite, regulatory requirements, technical constraints, business constraints, and licensing limitations
1: What is malware?
1: The term malware describes a wide range of software that is intentionally designed to cause harm to systems and devices, networks, or users.
1: List five common ways to assert or claim an identity.
1: Usernames, certificates, tokens, SSH keys, and smart cards
20: Name the three teams that participate in a cybersecurity exercise and explain their functions.
20: Red team, blue team, and white team. • Red team members are the attackers who attempt to gain access to systems. • Blue team members are the defenders who must secure systems and networks from attack. • White team members are the observers and judges.
2: List four common methods to detect malicious software and applications.
2: 1. Signature-based detection 2. Heuristic detection 3. AI and machine learning systems 4. Sandboxing
2: List three criteria that must be met for a compensating control to be satisfactory under PCI DSS.
2: 1. The control must meet the intent and rigor of the original requirement. 2. The control must provide a similar level of defense as the original requirement, such that the compensating control sufficiently offsets the risk that the original PCI DSS requirement was designed to defend against. 3. The control must be "above and beyond" other PCI DSS requirements.
2: What are specific goals of confidentiality, integrity, and availability?
2: 1. Confidentiality ensures that unauthorized individuals are not able to gain access to sensitive information. 2. Integrity ensures that there are no unauthorized modifications to information or systems, either intentionally or unintentionally. 3. Availability ensures that information and systems are ready to meet the needs of legitimate users at the time those users request them.
2: What is the substitution cipher?
2: A substitution cipher is a type of coding or ciphering system that changes one character or symbol into another.
2: Name at least three authentication technologies.
2: EAP, Challenge Handshake Authentication Protocol (CHAP), Password Authentication Protocol (PAP), 802.1X, RADIUS, Terminal Access Controller Access Control System Plus (TACACS+), and Kerberos
2: Give some examples of controls that might affect scan results.
2: Firewall settings, network segmentation, intrusion detection systems (IDS), and intrusion prevention systems (IPS)
2: List the order of volatility.
2: From most volatile to least volatile: 1. CPU cache and registers 2. Routing table, ARP cache, process table, kernel statistics 3. System memory (RAM) 4. Temporary files and swap space 5. Data on the hard disk 6. Remote logs 7. Backups
2: List steps in the waterfall SDLC model.
2: Gather requirements, design, implement, test/validate, deploy, maintain
2: Who are the typical team members in an incident response team?
2: Members of management or organizational leadership, technical experts, communications and public relations staff, legal and human relations staff, law enforcement
2: What are two common NAC usage models?
2: NAC can either use a software agent that is installed on the computer to perform security checks, or may be agentless and run from a browser or via another means without installing software locally.
2: What is NFC and how is it most frequently used?
2: NFC, or near field communication, is used for very short-range communication between devices. You've likely seen NFC used at payment terminals with Apple Pay or Google Wallet on cell phones. NFC is limited to about 4 inches of range, meaning that it is not used to build networks of devices; instead it is primarily used for low-bandwidth, device-to-device purposes.
2: What are the benefits of the cloud?
2: On-demand self-service computing, scalability, elasticity, measured service, agility and flexibility
2: Name at least five social engineering techniques mentioned in the book.
2: Phishing, credential harvesting, website attacks, spam, in-person techniques, identity fraud and impersonation, and reconnaissance
2: List at least three backup and replication methods.
2: RAID, copy of the live storage system, snapshot, images, VDI, copies of individual files, backup media, online backups, and offsite or on-site storage
2: What is ransomware?
2: Ransomware is malware that takes over a computer then demands a ransom or payment.
2: What is the formula to calculate the severity of a risk?
2: Risk Severity = Likelihood * Impact
1: What are two techniques that modern UEFI firmware can leverage to ensure that the system is secure?
2: Secure boot and measured boot. Secure boot ensures that the system boots using only software that the original equipment manufacturer (OEM) trusts. Measured boot processes measure each component, starting with the firmware and ending with the boot start drivers.
2: What is a script kiddie?
2: The term script kiddie is a derogatory term for people who use hacking techniques but have limited skills.
5: How does FDE work?
5: Full disk encryption (FDE) encrypts the disk and requires that the bootloader or a hardware device provide a decryption key, and that software or hardware decrypt the drive for use.
3: List all five key cloud roles and explain what they are.
3: Cloud service providers are the firms that offer cloud computing services to their customers. Cloud consumers are the organizations and individuals who purchase cloud services from cloud service providers. Cloud partners (or cloud brokers) are organizations who offer ancillary products or services that support or integrate with the offerings of a cloud service provider. Cloud auditors are independent organizations who provide third-party assessments of cloud services and operations. Cloud carriers serve as the intermediaries who provide the connectivity that allows the delivery of cloud services from providers to consumers.
3: What are two types of risk assessments and what are their differences?
3: Quantitative risk assessments use numeric data in the analysis, resulting in assessments that allow the very straightforward prioritization of risks. Qualitative risk assessments substitute subjective judgments and categories for strict numerical analysis, allowing the assessment of risks that are difficult to quantify.
3: What are allow listing and deny or block listing?
3: Allowed list (whitelisting) tools allow you to build a list of software, applications, and other system components that are allowed to exist and run on a system. If they are not on the whitelist, they will be removed, disabled, or will not be able to be installed. Deny or block lists (blacklists) are lists of software or applications that cannot be installed or run, rather than a list of what is allowed.
3: What are three key threats to cybersecurity programs?
3: Disclosure, alteration, and denial
3: List four phases used in the spiral model.
3: Identification, design, build, evaluation
3: What control should organizations put in place to ensure that successful ransomware infections do not incapacitate the company?
3: One of the most important defenses against ransomware is an effective backup system that stores files in a separate location that will not be impacted if the system or device it backs up is infected and encrypted by ransomware.
3: What is phishing?
3: Phishing is a broad term used to describe the fraudulent acquisition of information, often focused on credentials like usernames and passwords, as well as sensitive personal information like credit card numbers and related data.
3: What is port security?
3: Port security is a capability that allows you to limit the number of MAC addresses that can be used on a single port.
3: What is RAID 5 and what are its advantages and disadvantages?
3: RAID 5 is a solution in which data is striped across drives, with one drive's worth of capacity used for parity (checksum) of the data. Parity is spread across the drives along with the data. RAID 5's advantages are that data reads are fast, data writes are only slightly slower, and a failed drive can be rebuilt as long as only one drive fails. RAID 5's disadvantages are that it can only tolerate a single drive failure at a time, and rebuilding the array after a drive loss can be slow and impact performance.
3: What is RFID?
3: RFID, or Radio Frequency Identification, is a relatively short-range (from less than a foot for some passive tags to about 100 meters for active tags) wireless technology that uses a tag and a receiver to exchange information.
3: What is a right to audit clause?
3: Right to audit clauses are part of the contract between a cloud service and an organization. A right to audit clause provides either a direct ability to audit the cloud provider, or an agreement to use a third-party audit agency.
3: What is SAML?
3: Security Assertions Markup Language (SAML) is an XML based open standard for exchanging authentication and authorization information.
3: Name all three techniques used by application testing and explain their differences.
3: Static testing, dynamic testing, and interactive testing. Static testing analyzes code without executing it. Dynamic testing executes code as part of the test, running all the interfaces that the code exposes to the user with a variety of inputs, searching for vulnerabilities. Interactive testing combines static and dynamic testing, analyzing the source code while testers interact with the application through exposed interfaces.
3: What term is used to describe using cryptographic techniques to embed secret messages within another file, such as hiding a message within an image file?
3: Steganography is the art of using cryptographic techniques to embed secret messages within another file.
3: What are the three major types of exercises that incident response teams use to prepare?
3: Tabletop, walkthroughs, simulations
3: What principle says that individuals should only be granted the minimum set of permissions necessary to carry out their job functions?
3: The principle of least privilege says that individuals should only be granted the minimum set of permissions necessary to carry out their job functions.
3: What term describes the means that an attacker uses to gain access to a system?
3: Threat vectors are the means that threat actors use to obtain access to a system.
4: Give some types of configuration settings recommended by CIS benchmark for Windows.
4: • Setting the password history to remember 24 or more passwords • Setting the maximum password age to "60 or fewer days, but not 0," preventing users from simply changing their passwords 24 times to get back to the same password while requiring password changes every 2 months • Setting the minimum password length to 14 or more characters • Requiring password complexity • Disabling the storage of passwords using reversible encryption
4: Give four important considerations that come into play with cloud and off-site third-party backup options.
4: • Bandwidth requirements for both the backups themselves and restoration time if the backup needs to be restored partially or fully. • Time to retrieve files and cost to retrieve files. • Reliability is also crucial. • New security models may also be required for backups.
4: Describe the process of quantitative risk assessment.
4: 1. Determine the asset value (AV) of the asset affected by the risk. 2. Determine the likelihood that the risk will occur. 3. Determine the amount of damage that will occur to the asset if the risk materializes. 4. Calculate the single loss expectancy. 5. Calculate the annualized loss expectancy.
4: What term describes the unauthorized modification of information?
4: Alteration is the unauthorized modification of information and is a violation of the principle of integrity. Denial is the unintended disruption of an authorized user's legitimate access to information.
4: What is an evil twin?
4: An evil twin is a malicious fake access point that is set up to appear to be a legitimate, trusted network.
4: Give three examples of personnel management practices.
4: Answers could include: least privilege, separation of duties, job rotation and mandatory vacations, clean desk space, onboarding and offboarding, non-disclosure agreements (NDAs), social media, user training
4: List four incident response plan types.
4: Communication plans, stakeholder management plans, business continuity plans, and disaster recovery plans
4: What are four fundamental goals of cryptography?
4: Confidentiality, integrity, authentication, and nonrepudiation
4: What is credential harvesting?
4: Credential harvesting is the process of gathering credentials like usernames and passwords.
4: What are three major cloud service models?
4: Infrastructure as a Service (IaaS), Software as a Service (SaaS), and Platform as a Service (PaaS)
4: List four types of protocol level protections.
4: Loop prevention, Broadcast storm prevention, Bridge Protocol Data Unit (BPDU) guard, Dynamic Host Configuration Protocol (DHCP) snooping
4: What does an SSO system allow?
4: Single sign-on (SSO) systems allow a user to log in with a single identity, and then use multiple systems or services without re-authenticating.
4: What is the Linux dd command? Give an example to copy a drive mounted as /dev/sda to a file called example.img.
4: The Linux dd command is a command line utility that allows you to create disk images for forensic or other purposes. Example: dd if=/dev/sda of=example.img conv=noerror,sync
4: What information does the output section provide on the report?
4: The output section of the report shows the detailed information returned by the remote system when probed for the vulnerability.
4: What is threat intelligence?
4: Threat intelligence is the set of activities and resources available to cybersecurity professionals seeking to learn about changes in the threat environment.
4: What's the difference between Trojans and worms?
4: Trojans require user interaction, while worms are self-installed and spread themselves.
5: What are four phases of the continuity of operations?
5: Phase I: Readiness and preparedness; Phase II: Activation and relocation; Phase III: Continuity of operations; Phase IV: Reconstitution
5: List three major types of factors in multifactor authentication and explain them.
5: Something you know, including passwords, PINs, or the answer to a security question. Something you have like a smartcard, USB or Bluetooth token, or another object or item that is in your possession. Something you are, which relies on a physical characteristic of the person who is authenticating themselves. Fingerprints, retina scans, voice prints, and even your typing speed and patterns are all included as options for this type of factor.
5: What is the difference between symmetric and asymmetric cryptography?
5: Symmetric cryptosystems use a shared secret key available to all users of the cryptosystem. Asymmetric cryptosystems use individual combinations of public and private keys for each user of the system.
5: What are two important roles served by risk assessment in the risk management process?
5: The risk assessment provides guidance in prioritizing risks so that the risks with the highest probability and magnitude are addressed first. Quantitative risk assessments help determine whether the potential impact of a risk justifies the costs incurred by adopting a risk management approach.
5: List at least three principles of the Agile methodology.
5: • Ensure customer satisfaction via early and continuous delivery of the software. • Welcome changing requirements, even late in the development process. • Deliver working software frequently (in weeks rather than months). • Ensure daily cooperation between developers and businesspeople. • Projects should be built around motivated individuals who get the support, trust, and environment they need to succeed. • Face-to-face conversations are the most efficient way to convey information inside the development team. • Progress is measured by having working software. • Development should be done at a sustainable pace that can be maintained on an ongoing basis. • Pay continuous attention to technical excellence and good design. • Simplicity (the art of maximizing the amount of work not done) is essential. • The best architectures, requirements, and designs emerge from self-organizing teams. • Teams should reflect on how to become more effective and then implement that behavior at regular intervals.
5: What are common elements in a typical forensic report?
5: 1. A summary of the forensic investigation and findings 2. An outline of the forensic process, including tools used and any assumptions that were made about the tools or process 3. A series of sections detailing the findings for each device or drive. Accuracy is critical when findings are shared, and conclusions must be backed up with evidence and appropriate detail. 4. Recommendations or conclusions in more detail than the summary included.
5: What are a SPAN and a port mirror?
5: A port mirror sends a copy of all of the traffic sent to one switch port to another switch port for monitoring. A SPAN can do the same thing but can also combine traffic from multiple ports to a single port for analysis.
5: What are two types of Bluetooth attacks and what are their differences?
5: Bluejacking and bluesnarfing. Bluejacking simply sends unsolicited messages to Bluetooth enabled devices. Bluesnarfing is unauthorized access to a Bluetooth device, typically aimed at gathering information like contact lists or other details the device contains.
5: Name all five risk categories.
5: Financial, reputational, strategic, operational, and compliance
5: List and explain two categories of scalability and their advantages.
5: Vertical and horizontal scalability. • Vertical scalability requires a larger or more powerful system or device. Vertical scalability can help when all tasks or functions need to be handled on the same system or infrastructure. Vertical scalability can be very expensive to increase, particularly if the event that drives the need to scale is not ongoing or frequent. • Horizontal scaling uses smaller systems or devices but adds more of them. When designed and managed correctly, a horizontally scaled system can take advantage of the ability to transparently add and remove resources, allowing it to adjust as needs grow or shrink. This also allows opportunities for transparent upgrades, patching, and even incident response.
6: What are three common questions that come into play when we assess a threat intelligence source or a specific threat intelligence notification?
6: 1. Is it timely? 2. Is the information accurate? 3. Is the information relevant?
6: What is a VPN?
6: A virtual private network, or VPN, is a way to create a virtual network link across a public network that allows the endpoints to act as though they are on the same network.
6: What are three types of data we must think about when developing a cryptographic system for the purpose of providing confidentiality?
6: Data at rest, data in motion, data in use
6: List all eight CVSS metrics and describe what kinds of measurements they evaluate.
6: Eight metrics: attack vector metric, attack complexity metric, privileges required metric, user interaction metric, confidentiality metric, integrity metric, availability metric, and scope metric. The first four metrics evaluate the exploitability of the vulnerability, whereas the next three evaluate the impact of the vulnerability. The eighth metric describes the scope of the vulnerability.
6: What are three major types of disaster recovery sites used for site resilience?
6: Hot sites, warm sites, and cold sites
6: What kinds of potential downfalls does disk encryption bring?
6: If the encryption key is lost, the data on the drive will likely be unrecoverable since the same strong encryption that protects it will make it very unlikely that you will be able to brute force the key and acquire the data. That also means that technical support can be more challenging, and that data corruption or other issues can have a larger impact resulting in unrecoverable data.
6: Name three major attack frameworks.
6: MITRE ATT&CK, the Diamond Model of Intrusion Analysis, the Cyber Kill Chain
6: What is the best way to detect a rootkit?
6: The best way to detect a rootkit is to test the suspected system from a trusted system or device. In cases where that isn't possible, rootkit detection tools look for behaviors and signatures that are typical of rootkits.
6: Describe the continuous integration and continuous deployment pipeline.
6: The developer commits a change, the build process is triggered, the build report is delivered, tests are run against the build, the test report is delivered, and, if the tests are successful, the code is deployed.
6: What is the primary responsibility of the hypervisor?
6: The primary responsibility of the hypervisor is enforcing isolation between virtual machines. This means that the hypervisor must present each virtual machine with the illusion of a completely separate physical environment dedicated for use by that virtual machine.
6: What are two major usage modes provided by WPA 2?
6: WPA2, or Wi-Fi Protected Access II, is a widely deployed and used standard which provides two major usage modes: • WPA-Personal, which uses a pre-shared key and is thus often called WPA-PSK. This allows clients to authenticate without an authentication server infrastructure. • WPA-Enterprise, which relies on a RADIUS authentication server as part of an 802.1X implementation for authentication. This means users can have unique credentials and can be individually identified.
7: Please interpret the following CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7: • Attack Vector: Network (score: 0.85) • Attack Complexity: Low (score: 0.77) • Privileges Required: None (score: 0.85) • User Interaction: None (score: 0.85) • Scope: Unchanged • Confidentiality: High (score: 0.56) • Integrity: None (score: 0.00) • Availability: None (score: 0.00)
7: Please list and explain three major types of authentication in modern Wi-Fi networks
7: • Open networks do not require authentication, but often use a captive portal to gather some information from users who want to use them. Open networks do not provide encryption, leaving user data at risk unless the traffic is sent via secure protocols like HTTPS. • Pre-shared keys, or PSK, require that a passphrase or key is shared with anybody who wants to use the network. This allows traffic to be encrypted, but does not allow users to be uniquely identified. • Enterprise authentication relies on a RADIUS server and utilizes an EAP protocol for authentication.
7: What are two major categories of modern ciphers and what are their methods of operation?
7: Block ciphers operate on "chunks," or blocks, of a message and apply the encryption algorithm to an entire message block at the same time. Stream ciphers operate on one character or bit of a message (or data stream) at a time.
7: What are seven stages of the Cyber Kill Chain?
7: 1. Reconnaissance 2. Weaponization 3. Delivery 4. Exploitation 5. Installation 6. Command and Control (C2) 7. Actions on Objectives
7: What are two primary types of hypervisors and what are their differences?
7: Type I hypervisors, also known as bare metal hypervisors, operate directly on top of the underlying hardware. The hypervisor then supports guest operating systems for each virtual machine. This is the model most commonly used in data center virtualization because it is highly efficient. Type II hypervisors run as an application on top of an existing operating system. In this approach, the operating system supports the hypervisor and the hypervisor requests resources for each guest operating system from the host operating system. This model is commonly used to provide virtualization environments on personal computers for developers, technologists, and others who have the need to run their own virtual machines. It is less efficient than bare metal virtualization because the host operating system introduces a layer of inefficiency that consumes resources.
7: Name some sources you can use when you build your threat research toolkit.
7: Vendor security information websites, vulnerability and threat feeds from vendors, government agencies, private organizations, academic journals and technical publications, professional conferences and local industry group meetings, and social media accounts of prominent security professionals.
8: What are two categories of cloud storage offerings?
8: Block storage allocates large volumes of storage for use by virtual server instance(s). Object storage provides customers with the ability to place files in buckets and treat each file as an independent entity that may be accessed over the web or through the provider's API.
8: List some weaknesses of symmetric key cryptography.
8: Key distribution is a major problem. Symmetric key cryptography does not implement nonrepudiation. The algorithm is not scalable. Keys must be regenerated often.
8: List and explain three different categories of SOC assessment.
8: • SOC 1 engagements assess the organization's controls that might impact the accuracy of financial reporting. • SOC 2 engagements assess the organization's controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in a system. SOC 2 audit results are confidential and are normally only shared outside the organization under a non-disclosure agreement (NDA). • SOC 3 engagements also assess the organization's controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in a system. However, SOC 3 audit results are intended for public disclosure.
8: What steps can be used to assess embedded systems?
8: 1. Identify the manufacturer or type of embedded system and acquire documentation or other materials about it. 2. Determine how the embedded system interfaces with the world: does it connect to a network, to other embedded devices, or does it only have a keyboard or other physical interface? 3. If the device does provide a network connection, identify any services or access to it provided through that network connection, and how you can secure those services or the connection itself. 4. Learn about how the device is updated, if patches are available, and how and when those patches should be installed, then ensure a patching cycle is in place that matches the device's threat model and usage requirements. 5. Document what your organization would do in the event that the device had a security issue or compromise. Could you return to normal? What would happen if the device were taken offline due to that issue? Are there critical health, safety, or operational issues that might occur if the device failed or needed to be removed from service? 6. Document your findings and ensure that appropriate practices are included in your organization's operational procedures.
8: What term describes the original level of risk that exists before implementing any controls?
8: The inherent risk facing an organization is the original level of risk that exists before implementing any controls. Inherent risk takes its name from the fact that it is the level of risk inherent in the organization's business.
8: What is a bollard?
8: Bollards are posts or other obstacles that prevent vehicles from moving through an area. Bollards may look like posts, pillars, or even planters, but their purpose remains the same: preventing vehicle access.
8: What are bots and what are botnets?
8: Bots are remotely controlled systems or devices that have a malware infection. Groups of bots are known as botnets, and botnets are used by attackers who control them to perform various actions ranging from additional compromises and infection to denial of service attacks or acting as spam relays.
8: Name three password-related attacks.
8: Brute force attacks, password spraying attacks, and dictionary attacks
8: What are some examples of informal code review models?
8: Pair programming, over-the-shoulder, pass-around code reviews, and tool-assisted reviews
8: What are password vaults?
8: Password vaults are software solutions that store, manage, and secure passwords and other information, allowing users to use strong passwords without memorizing dozens, or hundreds, of individual complex passwords.
8: Name seven elements in the security information and event management system.
8: SIEM dashboard, sensors, sensitivity and threshold, trends, alerts and alarms, correlation and analysis, rules
8: What are some examples of operational controls?
8: User access reviews, log monitoring, and vulnerability management
8: What type of attacker acts with authorization?
8: White hat hackers are those who act with authorization and seek to discover security vulnerabilities with the intent of correcting them.
9: What kinds of issues should security analysts be aware of when dealing with IoT devices?
9: • Poor security practices, including weak default settings, lack of network security (firewalls), exposed or vulnerable services, lack of encryption for data transfer, weak authentication, use of embedded credentials, insecure data storage, and a wide range of other poor practices. • Short support lifespans, meaning that IoT devices may not be patched or updated, leaving them potentially vulnerable for most of their deployed lifespan. • Vendor data handling practice issues, including licensing and data ownership concerns, as well as the potential to reveal data to both employees and partners of the vendor and to government and other agencies without the device owner being aware.
9: What are two types of proxy servers?
9: Forward proxies are placed between clients and servers, and they accept requests from clients and send them forward to servers. Reverse proxies are placed between servers and clients, and they are used to help with load balancing and caching of content.
9: What are three key security considerations when working with cloud storage?
9: Set permissions properly. Consider high availability and durability options. Use encryption to protect sensitive data.
9: What are four key metrics in the BIA process?
9: The Mean Time Between Failures (MTBF) is a measure of the reliability of a system. It is the expected amount of time that will elapse between system failures. The Mean Time to Repair (MTTR) is the average amount of time to restore a system to its normal operating state after a failure. The Recovery Time Objective (RTO) is the amount of time that the organization can tolerate a system being down before it is repaired. The Recovery Point Objective (RPO) is the amount of data that the organization can tolerate losing during an outage.
9: List some major strengths of asymmetric key cryptography.
9: The addition of new users requires the generation of only one public-private key pair. Users can be removed far more easily from asymmetric systems. Key regeneration is required only when a user's private key is compromised. Asymmetric key encryption can provide integrity, authentication, and nonrepudiation. Key distribution is a simple process. No preexisting communication link needs to exist.
9: List all the common account types used by the Security+ exam.
9: User accounts; privileged or administrative accounts; shared and generic accounts or credentials; guest accounts; service accounts associated with applications and services
9: List and explain two types of SOC report.
9: • Type 1 reports provide the auditor's opinion on the description provided by management and the suitability of the design of the controls. • Type 2 reports go further and also provide the auditor's opinion on the operating effectiveness of the controls. That is, the auditor actually confirms that the controls are functioning properly.
9: What is an access control vestibule?
9: An access control vestibule, often called a "mantrap," is a pair of doors which both require some form of authorized access to open. The first door opens after authorization, closes, and only after it is closed can the person who wants to enter provide their authorization to open the second door.
9: Name four common mobile device deployment and management models.
9: BYOD: Bring your own device; CYOD: Choose your own device; COPE: Corporate owned, personally enabled; Corporate owned
9: Name two models that many botnet command and control (C&C) systems operate in.
9: Client/server botnet control model and peer-to-peer botnet control model
9: How do you calculate the impact score for a vulnerability under CVSS?
9: Impact score = the value of the scope metric * ISS
9: Give some examples of physical attacks.
9: Malicious flash drive attacks, malicious USB cables, card cloning attacks, and supply chain attacks
9: What are some examples of managerial controls?
9: Periodic risk assessments, security planning exercises, and the incorporation of security into the organization's change management, service acquisition, and project management practices
9: List all six phases of a typical Fagan inspection process.
9: Planning, overview, preparation, meeting, rework, and follow-up
9: List 10 common logs used by incident responders.
9: System logs, application logs, security logs, vulnerability scan output, network and security device logs, web logs, DNS logs, authentication logs, dump files, and VoIP & SIP logs