Security+


Netstat

displays a listing of all open TCP connections. Is short for network statistics and allows you to view statistics for TCP/IP protocols on a system.

Netstat -n

displays addresses and port numbers in numerical order. This can be useful if you're looking for information related to a specific IP address or a specific port.

Netstat -e

displays details on network statistics, including how many bytes the system sent and received.

Homomorphic encryption

allows data to remain encrypted while it is being processed.

Motion detection

many alarm systems have this to detect potential intruders and raise alarms.

TCP (Transmission Control Protocol)

A connection-oriented, guaranteed-delivery protocol used to send data packets between computers over a network like the Internet.

APT

A tech company recently discovered an attack on its organization, resulting in a significant data breach of customer data. After investigating the attack, they realized it was very sophisticated and likely originated from a foreign country. Which of the following identifies the most likely threat actor in this attack?

DNS poisoning

Also known as "DNS Cache Poisoning" - Manipulating the data in a DNS Server's cache to point to different IP addresses - Attacker could redirect a site's traffic from the legitimate site to one they own

Netstat -r

Displays the routing table

ip link set eth0 up

Enables a network interface

Administrators

Have complete access and control over everything on the server, including all the projects managed on the server.

Email Integrity

Provides assurances that the message has not been modified or corrupted.

Public data

available to anyone

Block ciphers

encrypt data in a specific-sized block such as 64-bit or 128-bit blocks.

simulations

hands on exercises.

Pharming

is also an attack on DNS, and it manipulates the DNS name resolution process.

Elliptic curve cryptography

A developer is creating an application that will encrypt and decrypt data on mobile devices. These devices don't have a lot of processing power. Which of the following cryptographic methods has the LEAST overhead and can provide encryption for these mobile devices?

He did not account for the time offset

A forensic analyst was told of a suspected attack on a Virginia-based web server from IP address 72.52.230.233 at 01:23:45 GMT. However, after investigating the logs, he doesn't see any traffic from that IP at that time. Which of the following is the MOST likely reason why the analyst was unable to identify the traffic?

Masking

A health care organization manages several hospitals and medical facilities within a state, and they have treated thousands of patients who have suffered from a recent viral outbreak. Doctors from another state are performing studies of this virus and would like to access the information that the health care organization has amassed. Management has authorized the release of this information but has mandated that the data cannot reveal any personal information about patients. Which of the following methods will BEST meet these requirements?

Impersonation

A man in a maintenance uniform walked up to your organization's receptionist desk. He said he was called by the CIO and asked to fix an issue with the phones and needed access to the wiring closet. The receptionist asked the man to show his building access badge, and then she verified that he was on the list of approved personnel to access this secure area. What type of attack will the checks performed by the receptionist prevent?

A DDoS

An IDS has sent multiple alerts in response to increased traffic. Upon investigation, you realize it is due to a spike in network traffic from several sources. Assuming this is malicious, which of the following is the MOST likely explanation?

Insider

Anyone who has legitimate access to an organization's internal resources such as employee of a company.

Normalization

Database administrators have created a database used by a web application. However, testing shows that application queries against the database take a significant amount of time. Which of the following actions is MOST likely to improve the overall performance of the database?

Account disablement policy

Ensures that user accounts are disabled when an employee leaves the organization.

Server Redundancies

Failover clusters include redundant servers and ensure a service will continue to operate, even if a server fails. The server switches from the failed server in a cluster to an operational server in the same cluster. Virtualization can also increase the availability of servers by reducing the unplanned downtime.

Disk redundancies

Fault-tolerant disks, such as RAID-1 (mirroring), RAID-5 (striping with parity), and RAID-10 (striping with a mirror), allow a system to continue to operate even if a disk fails.

Operational Controls

Help ensure that day-to-day operations of an organization comply with their overall security policy. People implement them.

Leave of absence

If an employee will be absent for an extended period, the account should be disabled while the employee is away.

Guest

Operating systems running on the host system are guests or guest machines.

Privilege escalation attacks

Requiring administrators to use two accounts, one with administrator privileges and another with regular privileges, helps prevent this. Users should not use shared accounts.

Firewalls

Restrict network traffic going in and out of a network.

Two-factor authentication

Sometimes called dual-factor authentication. Uses two different authentication factors, such as something you have and something you know. Often uses combinations of a smart card and a PIN, a USB token and a PIN, or a hardware token and a password.

virtualization

a popular technology used within data centers. It allows you to host one or more virtual systems or virtual machines on a single physical system.

stateless firewall

blocks traffic using an ACL, and blocks traffic based on the state of the packet within a session.

RAID-10

configuration combines the features of mirroring (RAID-1) and striping (RAID-0). Is sometimes called RAID 1+0.

Supporting confidentiality

encryption protocols are used to provide this; it prevents unauthorized users from accessing data.

User training

helps keep personnel up to date on security policies and current threats.

Gait analysis

identifies individuals based on the way they walk

IP Theft (Intellectual property theft)

includes things like copyrights, patents, trademarks, and trade secrets.

Scalability

is a system's ability to handle increased workload by scaling up or out.

Annual loss expectancy (ALE)

is the value of SLE x ARO. Identifies the expected annual loss.

Rooting

modifies an Android device, giving users root-level access to the device.

walk throughs

provide training to personnel prior to a tabletop exercise or to create a formal tabletop exercise plan.

Authenticated encryption

provides both confidentiality and authenticity

physical controls

refers to controls you can physically touch

Unknown environment testing

testers have zero knowledge of the environment prior to starting this test. Instead they approach the test with the same knowledge as an attacker.

Hypervisor

the software that creates, runs and manages the VMs.

HMAC-based one-time password (HOTP)

An open standard used for creating one-time passwords. It combines a secret key and a counter, and then uses HMAC to create a hash of the result.

Pinning

An organization hosts several web servers in a web farm used for e-commerce. Due to recent attacks, management is concerned that attackers might try to redirect website traffic, allowing the attackers to impersonate their e-commerce site. Which of the following methods will address this issue?

NAC

An organization is hosting a VPN that employees are using while working from home. Management wants to ensure that all VPN clients are using up-to-date operating systems and antivirus software. Which of the following would BEST meet this need?

Dumpster diving

An organization's security policy requires employees to place all discarded paper documents in containers for temporary storage. These papers are later burned in an incinerator. Which of the following attacks are these actions MOST likely trying to prevent?

The newest fully supported version of TLS

An outside consultant performed an audit of the Municipal House of Pancakes network. She identified a legacy protocol being used to access browser-based interfaces on switches and routers within the network. She recommended replacing the legacy protocol with a secure protocol to access these network devices using the same interface. Which of the following protocols should be implemented?

Alternate flow

All purchases won't be the same. For example, instead of using existing billing and shipping information, Lisa might want to use a different credit card or a different shipping address. It's also possible for Lisa to change her mind and abandon the process before completing the purchase or even cancel the purchase after completing the process.

Salt

An online application requires users to log on with their email address and a password. The application encrypts the passwords in a hashed format. Which of the following can be added to decrease the likelihood that attackers can discover passwords?

Preventive Controls

Controls used to prevent security incidents. This includes hardening, training, security guards, change management, an account disablement policy, and an intrusion prevention system (IPS).

grep

Lisa is manually searching through a large log file on a Linux system looking for brute force attack indicators. Which of the following commands will simplify this process for her?

Remove all shared accounts

Lisa is reviewing an organization's account management processes. She wants to ensure that security log entries accurately report the identity of personnel taking specific actions. Which of the following steps would BEST meet this requirement?

Network Redundancies

Load balancing uses multiple servers to support a single service, such as a high-volume website. Network Interface Card (NIC) teaming can provide both redundancy support and increased bandwidth.

Conditional Access

Microsoft has implemented this within Azure Active Directory environments. It can be used with traditional access control schemes but adds additional capabilities to enforce organizational policies. Uses policies, which are if-then statements.

Wireless jamming attack

Mobile users in your network report that they frequently lose connectivity with the wireless network on some days, but they don't have any problems on other days. You suspect this is due to an attack. Which of the following attacks is MOST likely to cause these symptoms?

Precondition

Must occur before the process can start. For example, Lisa needs to select an item to purchase before she can place the order.

Remediation

NAC method can detect some changes to baseline settings and automatically isolate or quarantine systems in a remediation network.

Secure starting point

The image includes mandated security configurations for the system. Personnel who deploy the system don't need to remember or follow extensive checklists to ensure that new systems are set up with all the detailed configuration and security settings.

IP

The internet protocol identifies hosts in a TCP/IP network and delivers traffic from one host to another using IP addresses.

System log

The operating system uses this to record events related to the functioning of the operating system. This can include when it starts, when it shuts down, information on services starting and stopping, drivers loading or failing, or any other system component event deemed important by the system developers.

Redundancy

adds duplication to critical system components and networks and provides fault tolerance. If a critical component has a fault, the duplication allows the service to continue as if a fault never occurred. In other words, a system with fault tolerance can suffer a fault, but it can tolerate it and continue to operate.

Redundancy

adds duplication to critical systems and provides fault tolerance. If a critical component has a fault, then this duplication allows the service to continue without interruption.

Gamification

adds game design elements into training to increase user participation and interaction.

GPS tagging

adds geographical data to files such as pictures.

Salting

adds random text to passwords before hashing them and thwarts many password attacks, including rainbow table attacks.

initial baseline configuration

administrators use various tools to deploy systems consistently in a secure state.

Eradication

after containing the incident, it's often necessary to remove components from the attack.

Containment

after identifying an incident, security personnel attempt to isolate or contain it.

Lessons learned

after personnel handle an incident, security personnel perform this review.

Identification

all events aren't security incidents, so when a potential incident is reported, personnel take the time to verify it is an actual incident.

Fencing, lighting and alarms

all provide physical security. They are often used together to provide layered security. Motion detection methods are also used with these methods to increase their effectiveness. Infrared detectors detect movement by objects of different temperatures.

Full tunnel

all traffic goes through the encrypted tunnel while the user is connected to the VPN.

Tethering and mobile hotspots

allow devices to access the internet and bypass network controls.

Access control vestibules

allow only a single person to pass at a time

Infrastructure as a Service (IaaS)

allows an organization to outsource its equipment requirements, including the hardware and all support operations. The service provider owns the equipment, houses it in its data center, and performs all required hardware maintenance.

CRL

Users within an organization frequently access public web servers using HTTPS. Management wants to ensure that users can verify that certificates are valid even if the public CAs are temporarily unavailable. Which of the following should be implemented to meet this need?

TFTP (Trivial File Transfer Protocol)

Uses UDP port 69 and is used to transfer smaller amounts of data, such as when communicating with network devices.

Hash-based Message Authentication Code (HMAC)

Uses a hash function and cryptographic key for many different cryptographic functions.

ping 192.168.1.1

Verifies that your computer can connect with another computer on your network, assuming that the computer has the IP address.

Preparation

Your organization recently suffered a costly malware attack. Management wants to take steps to prevent damage from malware in the future. Which of the following phases of common incident response procedures is the BEST phase to address this?

One-factor

Your organization recently updated an online application that employees use to log on when working from home. Employees enter their username and password into the application from their smartphone and the application logs their location using GPS. Which type of authentication is being used?

Block write capabilities to removable media

Your organization recently updated its security policy to prohibit the use of external storage devices. The goal is to reduce threats from insiders. Which of the following methods would have the BEST chance of reducing the risk of data exfiltration using external storage devices?

Authentication

Your organization recently updated the security policy and mandated that emails sent by all upper-level executives include a digital signature. Which security goal does this policy address?

Facial &amp; gait analysis

Your organization wants to identify biometric methods used for identification. The requirements are: collect the data passively; bypass a formal enrollment process; avoid obvious methods that let the subject know data is being collected. Which of the following biometric methods BEST meet these requirements?

HTTP Outbound

Your organization's network looks like the following graphic, and you've been asked to verify that Firewall 1 has the correct settings. All firewalls should enforce the following requirements: use only secure protocols for remote management; block cleartext web traffic. You're asked to verify the rules are configured correctly. Which rule, if any, should be changed to ensure Firewall 1 meets the stated requirements?

SSH

Your organization's security policy requires that confidential data transferred over the internal network must be encrypted. Which of the following protocols would BEST meet this requirement?

Split tunnel

a VPN administrator determines what traffic should use the encrypted tunnel. For example, it's possible to configure this to encrypt only traffic going to private IP addresses used within the private network.

Supporting high resiliency

a common use case of encryption algorithms is to provide this. Within cryptography, this refers to the security of an encryption key even if an attacker discovers part of the key.

Thin client

a computer with enough resources to boot and connect to a server to run specific applications or desktops

Captive portal

a technical solution that forces clients using web browsers to complete a specific process before it allows them access to the network.

Transparent proxy servers

accept and forward requests without modifying them.

Device

access can be allowed or blocked based on the device. For example, a policy can allow access from desktop PCs but deny access to any mobile device.

User or group membership

access may be allowed for users in a Nuclear Inspector group, but anyone else is blocked.

Data protection officer

acts as an independent advocate for customer data.

host-based intrusion detection system (HIDS)

additional software installed on a system such as a workstation or a server. Can monitor all traffic on a single host system such as a server or a workstation. In some cases, it can detect malicious activity missed by antivirus software.

Virtualization

allows multiple virtual servers to operate on a single physical server providing increased cybersecurity resilience with lower operating costs. Keeping systems up to date with current patches is the best protection from VM escape attacks.

Audit trail

allows security professionals to recreate the events that preceded a security incident.

Wi-Fi Protected Setup (WPS)

allows users to configure wireless devices without typing in the passphrase. Allows users to easily configure a wireless device by entering an eight-digit PIN.

route add

allows you to add a path to a different network.

NIC teaming

allows you to group two or more physical network adapters into a single software-based virtual network adapter.

head command

allows you to see only the beginning of the log file. By default, it shows the first 10 lines of the file.

screened subnet

also known as a demilitarized zone, is a buffered zone between a private network and the internet. It allows access to services while segmenting access to the internal network. In other words, internet clients can access the services hosted on servers in this zone, but it provides a layer of protection for the intranet (internal network).

Self-encrypting drives

also known as hardware-based FDE drives. Include encryption circuitry built into the drive. These typically allow users to enter credentials when they set up the drive.

Incremental backup strategy

also starts with a full backup. After the full backup, this then backs up data that has changed since the last backup.

Challenge Handshake Authentication Protocol (CHAP)

also uses PPP and authenticates remote users, but it is more secure than PAP. The goal of this is to allow the client to pass credentials over a public network (such as a phone or the internet) without allowing attackers to intercept the data and later use it in an attack.

compensating controls

alternative controls used when a primary control is not feasible

Security Assertion Markup Language (SAML)

an Extensible Markup Language (XML)-based data format used for SSO on web browsers. Used to exchange authentication and authorization information between different parties.

Terminated employees

an account disablement policy specifies that accounts for ex-employees are disabled as soon as possible. This ensures that this type of employee doesn't become a disgruntled one who wreaks havoc on the network.

Terminal Access Controller Access-Control System Plus (TACACS+)

an alternative to RADIUS, and it provides two essential security benefits over RADIUS. First, it encrypts the entire authentication process, whereas RADIUS encrypts only the password by default. Second, it uses multiple challenges and responses between the client and the server.

distributed denial of service (DDoS) attack

an attack from two or more computers against a single target.

domain hijacking attack

an attacker changes a domain name registration without permission from the owner.

near field communication attack

an attacker uses an NFC reader to capture data from another NFC device. One method is an eavesdropping attack. The NFC reader uses an antenna to boost its range and intercepts the data transfer between two other devices.

OpenID

an authentication standard maintained by the OpenID Foundation. The provider holds users' credentials, and websites that support this prompt users to enter them.

OAuth

an open standard for authorization many companies use to provide secure access to protected resources.

Avoidance

an organization can avoid a risk by not providing a service or not participating in a risky activity.

MAC filtering

another example of port security. In a simple implementation, the switch remembers the first one or two MAC addresses that connect to a port. It then blocks access to systems using any other MAC addresses.

SHA

are a group of hashing algorithms with variations grouped into four families.

Mission essential functions

are activities that must continue or be restored quickly after a disaster.

Certificates

are an important part of asymmetric encryption. Include public keys along with details on the owner of the certificate and on the CA that issues the certificate. Owners share their public key by sharing a copy of their certificate.

Internal risk

are any risks from within the organization

Public clouds

are available to everyone.

Proximity cards

are credit card-sized access cards. Users pass the cards near a proximity card reader, and the card reader then reads data on the cards.

external risk

are from outside the organization and include threats of attacks. Could include natural threats, such as hurricanes, earthquakes and tornadoes.

Botnets

are groups of computers controlled by attackers; computers in one of these check in with command and control servers periodically for instructions. Attackers frequently use this to launch DDoS attacks.

Qualitative risk assessment

uses judgment to categorize risks based on the likelihood of occurrence (or probability) and impact. The likelihood of occurrence is the probability that an event will occur, such as the likelihood that a threat will attempt to exploit a vulnerability.

Quantum Cryptography

uses quantum mechanical properties to perform cryptographic tasks.

Role Based access control

uses roles based on jobs and functions. A matrix is a planning document that matches the roles with the required privileges.

Role-based access control (role BAC)

uses roles to manage rights and permissions for users. This is useful for users within a specific department who perform the same job functions.

Rule based access control (rule-BAC)

uses rules. The most common example is with rules in routers or firewalls. However, more advanced implementations cause rules to trigger within applications too. Is based on a set of approved instructions, such as an access control list. Some of these systems use rules that trigger in response to an event, such as modifying ACLs after detecting an attack or granting additional permissions to a user in certain situations.

PBKDF2

uses salts of at least 64 bits and uses a pseudo-random function such as HMAC to protect passwords.

WPA3

uses Simultaneous Authentication of Equals (SAE) instead of the pre-shared key (PSK) used with WPA2.

Social engineering

uses social tactics to trick users into giving up information or performing actions they wouldn't normally take. Attacks can occur in person, over the phone, while surfing the internet, and via email.

Symmetric encryption

uses the same key to encrypt and decrypt data. In other words, if you encrypt data with a key of three, you decrypt it with the same key of three. Is also called secret-key encryption or session-key encryption.

RAID-1 (mirroring)

uses two disks. Data written on one disk is also written to the other disk. If one of the disks fails, the other disk still has all the data, so the system can continue to operate without any data loss. With this in mind, if you mirror all the drives in a system, you can actually lose half of the drives and continue to operate.

Asymmetric Encryption

uses two keys in a matched pair to encrypt and decrypt data -- a public key and a private key.

Testing

validates a disaster recovery plan

HMAC

verifies both the integrity and authenticity of a message with the use of a shared secret.

Hashing

verifies the integrity of data, such as downloaded files and files stored on a disk.

Input validation

verifies the validity of inputted data before using it, and server-side validation is more secure than client-side validation. Protects against many attacks, such as buffer overflow, SQL injection, dynamic link library injection, and cross-site scripting attacks.

Examples of artifacts

web history, recycle bin, Windows error reporting, remote desktop protocol cache.

Acceptance

when the cost of control outweighs a risk, an organization will often accept the risk.

Geofencing

creates a virtual fence or geographic boundary and can be used to detect when a device is within an organization's property.

Identity provider

creates, maintains, and manages identity information for principals. The IdP could be the nuclear power plant, a school system, or a third party.

rootkit

group of programs that hides the fact that the system has been infected or compromised by malicious code. Rootkits hide their running processes to avoid detection using hooking techniques. Tools that can inspect RAM can discover these hidden hooked processes.

Trusted Platform Module

hardware chip included on many laptops and mobile devices. It provides full disk encryption and supports a secure boot process and remote attestation. Includes a unique RSA asymmetric key burned into the chip that provides a hardware root of trust.

Kill chain

has been a military concept related to an attack. It starts with the identification of a target, dispatching resources to the target, someone deciding to attack and giving the order, and it ends with the destruction of the target.

Supervisory Control and Data Acquisition (SCADA)

has embedded systems that control an industrial control system (ICS), such as one used in a power plant or water treatment facility. Embedded systems are also used for many special purposes, such as medical devices, automotive vehicles, aircraft, and unmanned aerial vehicles (UAVs).

Supporting integrity

hashing protocols are used to support this. They can verify that data has been changed by an unauthorized entity.

Project managers

have full control over their own projects but do not control projects owned by other project managers.

Attack frameworks

help cybersecurity professionals understand the tactics, techniques, and procedures used by attackers.

Permission auditing reviews

help ensure that users have only the access they need and no more and can detect privilege creep issues.

Threat assessment

helps an organization identify and categorize threats.

risk assessment

helps organization quantify and qualify risks within an organization so that they can focus on the serious risks.

Public Key Pinning

helps prevent attackers from impersonating a website with a fraudulent certificate. The web server sends a list of public key hashes that clients can use to validate certificates sent to them in subsequent sessions.

Cybersecurity insurance

helps protect businesses and individuals from losses related to cybersecurity incidents such as data breaches and network damage.

Steganography

hides data inside other data, or, as some people have said, it hides data in plain sight. The goal is to hide the data in such a way that no one suspects there is a hidden message.

Embedded certificate

holds a user's private key (which is only accessible to the user) and is matched with a public key (that is publicly available to others).

Virtual desktop infrastructure (VDI)

hosts a user's desktop operating system on a server.

Data retention policy

identifies how long data is retained, and sometimes specifies where it is stored. This reduces the amount of resources, such as hard drive space or backup tapes, required to retain the data. Also helps reduce legal liabilities.

Disaster Recovery Plan (DRP)

identifies how to recover critical systems after a disaster and often prioritizes services to restore after an outage.

Risk analysis

identifies potential issues that could negatively impact an organization's goals and objectives.

Recovery point objective (RPO)

identifies the maximum amount of time it should take to restore a system after an outage. It is derived from the maximum allowable outage time identified in the BIA. Refers to the amount of data you can afford to lose.

Account disable policy

identifies what to do with accounts for employees who leave permanently or are on a leave of absence. Most policies require administrators to disable the account as soon as possible so that ex-employees cannot use the account. Disabling the account ensures that data associated with it remains available. Security keys associated with an account remain available when the account is disabled, but the security keys (and the data they encrypted) are no longer accessible if it is deleted.

Voice recognition

identifies who is speaking using speech recognition methods to identify different acoustic features.

facial recognition

identifies people based on facial features.

Fault tolerance

if a system has this, then it can suffer a fault, but it can tolerate it and continue to operate.

/var/log/httpd/

if the system is configured as an Apache web server, you can view access and error logs within this directory.

Full backup

if you have unlimited time and money, this alone provides the fastest recovery time.

Normalization

is a process used to optimize databases. While several normal forms are available, a database is considered normalized when it conforms to the first three normal forms.

FTK imager

is part of the Forensic Toolkit (FTK) sold by AccessData. It can capture an image of a disk as a single file or multiple files and save the image in various formats.

Data custodian/steward

is responsible for routine daily tasks such as backing up data, storage of the data, and implementation of business rules.

RAID-0

is somewhat of a misnomer because it doesn't provide any redundancy or fault tolerance. It includes two or more physical disks. Files stored on this array are spread across each of the disks. The benefit is increased read and write performance.

Risk awareness

is the acknowledgement that risks exist and must be addressed to mitigate them.

Data tokenization

replaces sensitive data elements with a token. The token is a substitute value used in place of the sensitive data. The tokenization system can convert the token back to its original form.

Data breach notification laws

require organizations to notify customers about a data breach and take steps to mitigate the loss. When the data is stored in the cloud, this could require notification based on several different laws.

Memorandum of understanding (MOU)

sometimes called a memorandum of agreement, expresses an understanding between two or more parties indicating their intention to work together toward a common goal.

IP scanner

sometimes called a ping scanner, searches a network for active IP addresses. It typically sends an Internet Control Message Protocol (ICMP) ping to a range of IP addresses in a network.

Heuristic/behavioral-based detection

sometimes called anomaly-based detection, starts by identifying the network's regular operation or normal behavior.

Signature-based IDSs

sometimes called definition-based, use a database of known vulnerabilities or known attack patterns. For example, tools are available for an attacker to launch a SYN flood attack on a server by simply entering the IP address of the system to attack.

Account lockout duration

This indicates how long an account remains locked. It could be set to 30, indicating that the system will lock the account for 30 minutes. After 30 minutes, the system automatically unlocks the account.

honeyfile

This is a file used to attract the attention of an attacker. The primary way a file can attract an attacker is by its name. As an example, a file named password.txt will probably contain passwords.

Virus

This is malicious code that attaches itself to an application and runs when the application is started.

Kerberos

This is a network authentication mechanism used within Windows Active Directory domains and some Unix environments known as realms. It uses a database of objects such as Active Directory and a KDC (or TGT server) to issue timestamped tickets that expire after a certain time period.

Tcpreplay

This is a suite of utilities used to edit packet captures and then send the edited packets over the network. It includes tcpreplay, tcpprep, tcprewrite and more. It is often used for testing network devices.

Vulnerability

This is a weakness, and a threat is a potential danger.

Certificate stapling

This is an alternative to OCSP. The certificate presenter (such as a web server) appends the certificate with a timestamped, digitally signed OCSP response from the CA. This reduces OCSP traffic to and from the CA.

false positive

From a vulnerability scan, this indicates that the scan detected a vulnerability, but the vulnerability doesn't exist.

Jump server

This is placed between different security zones and provides secure access from devices in one zone to devices in the other zone. It can provide secure access to devices in a screened subnet from an internal network.

Tag

This is placed on evidence items when they are identified.

Time of check to time of use (TOCTOU)

This is sometimes called a state attack. The attacker tries to race the operating system to do something malicious with data after the operating system verifies access is allowed (time of check) but before the operating system performs a legitimate action at the time of use.

Risk

This is the likelihood that a threat will exploit a vulnerability.

Account lockout threshold

This is the maximum number of times a user can enter the wrong password. When the user exceeds it, the system locks the account.

ESTABLISHED

This is the normal state for the data transfer phase of a connection. It indicates an active open connection.

id_rsa.pub

This is the public key. It is copied to the remote server.

TLS

This is the replacement for SSL. It requires certificates issued by certificate authorities (CAs). It encrypts HTTPS traffic, but it can also encrypt other traffic.

Principal

This is typically a user. The user logs on once. If necessary, they request an identity from the identity provider.

/var/log/faillog

This log contains information on failed login attempts. It can be viewed using the faillog command.

Preparation

This phase occurs before an incident and provides guidance to personnel on how to respond to an incident.

bring your own device

This policy allows employees to connect their own personal devices to the corporate network.

Choose your own device

This policy includes a list of approved devices that employees can purchase and connect to the network.

Application log

This records events sent to it by applications or programs running on the system.

SOC 2 Type II

This report describes an organization's systems and covers security controls' operational effectiveness over a range of dates, such as 12 months. In this context, operational effectiveness refers to how well the security controls worked when mitigating risks during the range of dates.

SOC 2 Type I

This report describes an organization's systems and covers the design effectiveness of security controls on a specific date, such as March 30. In this context, design effectiveness refers to how well the security controls address the risks, but not necessarily how well they work when mitigating risks.

Usage auditing

This review looks at the logs to see what users are doing, and it can be used to recreate an audit trail.

Argon2

uses a password and salt that is passed through an algorithm several times. It has been improved with each new version, with versions distinguished by a lowercase letter such as Argon2d and Argon2i.

WPA2-PSK

uses a pre-shared key and does not provide individual authentication. Open mode doesn't use any security and allows all users to access the AP. Enterprise mode is more secure than Personal mode, and it provides strong authentication. Enterprise mode uses an 802.1X server (implemented as a RADIUS server) to add authentication.

Data processor

uses and manipulates the data on behalf of the data controller.

Bollards

Short vertical posts composed of reinforced concrete and/or steel. Organizations often place these in front of entrances about three or four feet apart and paint them with colors that match their store so that they blend in.

Jailbreaking

removes all software for an Apple device.

SHA-0

Secure Hash Algorithm that isn't used.

Recovery

During this process, administrators return all affected systems to normal operation and verify they are operating normally.

ISO 27001

"Information security management" provides information on information security management system (ISMS) requirements. Organizations that implement the ISMS requirements can go through a three-stage certification process.

ISO 27002

"Information technology security techniques" is a complement to ISO 27001. While ISO 27001 identifies the requirements to become certified, this provides organizations with best practice guidance.

ISO 27701

"Privacy information management system (PIMS)" is based on ISO 27001, and it outlines a framework for managing and protecting personally identifiable information (PII). It provides organizations with guidance to comply with global privacy standards, such as the European Union General Data Protection Regulation (EU GDPR).

ipconfig

(short for Internet Protocol configuration) shows the Transmission Control Protocol/Internet Protocol (TCP/IP) configuration information for a Windows system. Entered by itself, this command provides basic information about the NIC, such as the IP address, subnet mask, and default gateway. Windows systems use this to view network interfaces.

Time-based logins

(sometimes referred to as time of day restrictions) ensure that users can only log on to computers during specific times. If a user tries to log on to a system outside the restricted time, the system denies access to the user.

Data minimization

is a principle requiring organizations to limit the information they collect and use.

Non-repudiation

A DLP system detected confidential data being sent out via email from Bart's account. However, he denied sending the email. Management wants to implement a method that would prevent Bart from denying accountability in the future. Which of the following are they trying to enforce?

DoS and DDoS attacks

A Denial of Service (DoS) attack is a network security incident where intended authorized users are prevented from using a system, network, or applications. The attack is a "one-on-one", where a single attacker targets a single machine or organization.

Signature-based

A HIDS reported a vulnerability on a system based on a known attack. After researching the alert from the HIDS, you identify the recommended solution and begin applying it. What type of HIDS is in use?

Keep a record of everyone who took possession of the physical asset

After a recent cybersecurity incident resulting in a significant loss, your organization decided to create a security policy for incident response. Which of the following choices is the BEST choice to include in the policy when an incident requires confiscation of a physical asset?

Closed/proprietary intelligence

refers to trade secrets such as intellectual property.

Take hashes for provenance

After a recent incident, a forensic analyst was given several hard drives to analyze. Which of the following actions should she take first?

Requirements for Kerberos to work properly

A method of issuing tickets used for authentication; time synchronization (all systems must be synchronized and within 5 minutes of each other); a database of subjects and users.

Rogue AP

A network administrator routinely tests the network looking for vulnerabilities. He recently discovered a new access point set to open. After connecting to it, he found he was able to access network resources. What is the BEST explanation for this device?

RTO

A project manager is reviewing a business impact analysis. It indicates that a key website can tolerate a maximum of three hours of downtime. Administrators have identified several systems that require redundancy additions to meet this maximum downtime requirement. Of the following choices, what term refers to the maximum of three hours of downtime?

Disable the accounts

A recent security audit discovered several apparently dormant user accounts. Although users could log on to the accounts, no one had logged on to them for more than 60 days. You later discovered that these accounts are for contractors who work approximately one week every quarter. Which of the following is the BEST response to this situation?

SFTP (Secure File Transfer Protocol)

A secure implementation of FTP. It is an extension of Secure Shell (SSH) using SSH to transmit the files in an encrypted format.

netstat

A server in your network's DMZ was recently attacked. The firewall logs show that the server was attacked from an external IP address with the following socket: 72.52.230.233:6789. You want to see if the connection is still active. What of the following tools would be BEST to use?

$2,400

A server within your organization has suffered six hardware failures in the past year. IT management personnel have valued the server at $4,000, and each failure resulted in a 10 percent loss. What is the ALE?

Normal Flow

A use case typically lists each of the steps in a specific order. In this example, you might see a dozen steps that start when Lisa picks an item to order and end when she completes the order and exits the purchase system.

Validation on the server side

A web developer is adding input validation techniques to a website application. Which of the following should the developer implement during this process?

Business partners agreement (BPA)

A written agreement that details the relationship between business partners, including their obligations toward the partnership. It typically identifies the shares of profits or losses each partner will take, their responsibilities to each other, and what to do if a partner chooses to leave the partnership.

Perform regular testing and validation of full backups

After reading about increased ransomware attacks against the health sector, hospital administrators want to enhance organizational resilience against these attacks. Which of the following could IT personnel implement to support this goal?

Weak Cipher suites and weak Protocols

Administrators should disable these on servers. When a server has both strong and weak cipher suites, attackers can launch downgrade attacks, bypassing the strong cipher suite and exploiting the weak cipher suite.

SNMPv3

Administrators use this to manage and monitor network devices. It encrypts credentials before sending them over the network and is more secure than earlier versions.

Ransomware

After Bart logged on to his computer, he was unable to access any data. Instead, his screen displayed a message indicating that unless he made a payment, his hard drive would be formatted and he'd permanently lose access to his data. What does this indicate?

BIA

After a recent attack causing a data breach, an executive is analyzing the financial losses. She determined that the attack is likely to result in losses of at least $1 million. She wants to ensure that this information is documented for future planning purposes. Which of the following documents is she MOST likely to use?

DNSSEC

Administrators are configuring a server within your organization's screened subnet. This server will have the following capabilities when it is fully configured: it will use RRSIG; it will perform authenticated requests for A records; it will perform authenticated requests for AAAA records. What BEST identifies the capabilities of this server?

Virtual Private Networks

Administrators connect to servers remotely using protocols such as Secure Shell (SSH) and the Remote Desktop Protocol (RDP). In some cases, administrators use this to connect to remote systems.

Shadow IT

refers to unauthorized systems or applications installed on a network without authorization or approval.

Kerberos

An administrator is implementing a network from scratch for a medical office. The owners want to have strong authentication and authorization to protect the privacy of data on all internal systems. They also want regular employees to use only a single username and password for all network access. Which of the following is the BEST choice to meet these needs?

Role-Based Access Control

An administrator needs to grant users access to different shares on file servers based on their job functions. Which of the following access control schemes would BEST meet this need?

Detective

An administrator recently installed an IDS to help reduce the impact of security incidents. Which of the following BEST identifies the control type of an IDS?

On-path attack

An administrator regularly connects to a server using SSH without any problems. Today, he sees a message similar to the following graphic when he connects to the server. WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! IT IS POSSIBLE THAT SOMEONE IS UP TO NO GOOD! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that a host key has just been changed. The fingerprint for the RSA key sent by the remote host is 12:34:56:78:9a:bc:de:f1:23:45:67:89:ab:cd:ef:12. Please contact your system administrator. Add correct host key in /home/hostname/.ssh/known_hosts:4 RSA host key for ycda has changed and you have requested strict checking. Host key verification failed. Which of the following is the MOST likely reason for this message?

Bluesnarfing

An attacker can access email contact lists on your smartphone. What type of attack is this?

Script Kiddie

An attacker purchased an exploit on the internet. He then used it to modify an item's price in an online shopping cart during checkout. Which of the following BEST describes this attacker?

zero-day attack

An attacker recently attacked a web server hosted by your company. After investigating the attack, security professionals determined that the attacker used a previously unknown application exploit. Which of the following BEST identifies this attack?

context-aware authentication

An authentication method using multiple elements to authenticate a user and a mobile device. It can include identity, geolocation, the device type, and more.

Lessons Learned

An incident response team is following typical incident response procedures. Which of the following phases is the BEST choice for analyzing an incident to identify steps to prevent a reoccurrence of the incident?

Control risk

refers to the risk that exists if in-place controls do not adequately manage risks.

Anonymization

An urban hospital has recently treated hundreds of patients after a viral outbreak. Researchers trying to learn more about the virus have asked the hospital for information on the treatment methods they used and their outcomes. The hospital management has asked the IT department to remove all personal information about patients before releasing this data. Which of the following methods will BEST meet these requirements?

Supporting integrity

Apu manages network devices in his store and maintains copies of the configuration files for all the managed routers and switches. On a weekly basis, he creates hashes for these files and compares them with hashes he created on the same files the previous week. Which of the following use cases is he MOST likely using?

Ensure his account is disabled during his exit interview

Artie has been working at Ziffcorp as an accountant. However, after a disagreement with his boss, he decides to leave the company and gives two weeks' notice. He has a user account allowing him to access network resources. Which of the following is the MOST appropriate step to take?

Sniffing attack

Attackers often use a protocol analyzer to capture data sent over a network. After capturing the data, attackers can easily read the data within the protocol analyzer when it has been sent in cleartext.

Disabling unnecessary services

Attackers recently exploited vulnerabilities in a web server hosted by your organization. Management has tasked administrators with checking the server and eliminating any weak configurations on it. Which of the following will meet this goal?

SQL injection attacks

Attackers use this to pass queries to back-end databases through web servers. Many of these attacks use the phrase or '1' = '1' to trick the database server into providing information. Input validation techniques and stored procedures help prevent these attacks.

Modes of operation

Authenticated: Unauthenticated: Counter:

PUP

Bart downloaded and installed the nmap security scanner from https://passsecurityplus.com. After completing the install, he noticed that his browser's home page and default search engine were changed. What is the MOST likely cause of this activity?

Jailbreaking

Bart is showing Wendell a new app that he downloaded from a third party onto his iPhone. Wendell has the same model of smartphone, but when he searches for the app, he is unable to find it. Of the following choices, what is the MOST likely explanation for this?

Rules of engagement weren't obtained

Bart, a database administrator in your organization, told you about recent attacks on the network and how they have been disrupting services and network connectivity. In response, he said he has been using Nmap to run vulnerability scans and identify vulnerabilities. Which of the following is wrong with this scenario?

Order of volatility from most to least

Cache, RAM, Swap or pagefile, Disk, Attached, Network

Code signing

Developers in the YCDA organization have created an application that users can download and install on their computers. Management wants to provide users with a reliable method of verifying that the application has not been modified after YCDA released it. Which of the following methods provides the BEST solution?

Code Signing

Developers often use code signing certificates to validate the authentication of executable applications or scripts. The code signing certificate verifies the code has not been modified.

Offboarding

removes this access often by disabling or deleting a user's account. Also includes collecting everything issued to the employee.

cmdlet

The Get-Command cmdlet gives you a list of all PowerShell commands.

Netstat -a

Displays a listing of all TCP and User Datagram Protocol (UDP) ports that a system is listening on, in addition to all open connections. This listing displays sockets (the IP address followed by a colon and the port number). You can use the port number to identify protocols.

Netstat -s

Displays statistics of packets sent or received for specific protocols [such as IP, ICMP, TCP, UDP]

SNMP

uses UDP ports 161 and 162.

DNS sinkhole

DNS server that gives incorrect results for one or more domain names. If you enter a domain name into your web browser during normal operation, the web browser queries DNS for the website and takes you to the site. However if the DNS server has a sinkhole for the domain name, you won't be able to reach the site.

Supporting low power devices

ECC and other lightweight cryptography algorithms support deploying cryptography on these.

ipconfig /displaydns

Each time a system queries DNS to resolve a hostname to an IP address, it stores the result in the DNS cache, and this command shows the contents of the DNS cache. It also shows any hostname to IP address mappings included in the hosts file.

CCTV

Employees access the data center by entering a cipher code at the door. However, everyone uses the same code, so it does not identify individuals. After a recent security incident, management has decided to implement a key card system that will identify individuals who enter and exit this secure area. However, the installation might take six months or longer, Which of the following choices can the organization install immediately to identify individuals who enter or exit the secure area?

Confidentiality

Ensures that data is only viewable by authorized users. The best way to protect the (?) of data is by encrypting it. This includes any type of data, such as PII, data in databases, and data on mobile devices. Access controls help protect (?) by restricting access.

Training

Ensuring that users are aware of security vulnerabilities and threats helps prevent incidents.

deny any any, drop all

Firewalls use these statements at the end of the ACL to enforce an implicit deny strategy. The statement forces the firewall to block any traffic that wasn't previously allowed in the ACL. The implicit deny strategy provides a secure starting point for a firewall.

Integrity of updates and patches

GCGA, a software development company, occasionally updates its software with major updates and minor patches. Administrators load these updates to the company website along with a hash associated with each update. Which of the following BEST describes the purpose of the hash?

DNS server logs

Homer complains that his system started acting erratically today. You discover that malware infected his system, but you also discover he didn't open any email during the day. He mentions that he has been browsing the Internet all day. Which of the following could you check to see where the malware MOST likely originated?

RAM & Cache

Homer called the help desk complaining his computer is giving random errors. Cybersecurity professionals suspect his system is infected with malware and decide to use digital forensic methods to acquire data on his system. Which of the following should be collected before turning the system off? (Choose TWO)

Rootkit

Homer complained of abnormal activity on his workstation. After investigating, an administrator discovered his workstation connects to systems outside the organization's internal network using uncommon ports. The administrator discovered the workstation is also running several hidden processes. Which of the following choices BEST describes this activity?

Scarcity

Homer has been looking for the newest version of a popular smartphone. However, he can't find it in stock anywhere. Today, he received an email advertising the smartphone. After clicking the link, his system was infected with malware. Which of the following principles is the email sender employing?

The segment between 192.168.7.1 and 192.168.5.1

Homer is complaining that he frequently has trouble accessing files on a server in the network. You determine the server's IP address is 172.16.17.11, but ping doesn't show any problem. You decide to use pathping and see the following results:

C:\>pathping 172.16.17.11
Tracing route to 172.16.17.11 over a maximum of 30 hops:
0 192.168.7.34
1 192.168.7.1
2 192.168.5.1
3 10.5.48.1
4 10.80.73.150
5 172.16.17.11

Computing statistics for 125 seconds...
            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
0                                             192.168.7.34
                              0/100 = 0%      |
1    45 ms  0/100 = 0%        0/100 = 0%      192.168.7.1
                             14/100 = 14%     |
2    25 ms  15/100 = 15%      0/100 = 0%      192.168.5.1
                              0/100 = 0%      |
3    22 ms  16/100 = 16%      0/100 = 0%      10.5.48.1
                              0/100 = 0%      |
4    ---    100/100 = 100%  100/100 = 100%    10.80.73.150
                              0/100 = 0%      |
5    23 ms  16/100 = 16%      0/100 = 0%      172.16.17.11

Which of the following is most likely the problem?

Whaling

Homer, the chief financial officer (CFO) of a bank, received an email from Lisa, the company's chief executive officer (CEO). Lisa states she is on vacation and lost her purse containing all her cash and credit cards. She asks Homer to transfer $5,000 to her account. Which of the following BEST identifies this attack?

Email Authentication

Identifies the sender of the email. Email recipients have assurances the email came from who it appears to be coming from.

ssh gcga

If Maggie wants to connect to a server in the network named gcga from a Linux system, she could use this command.

Security information and event management (SIEM) systems

In addition to monitoring logs to detect any single incident, you can also use this to detect trends and raise alerts in real time. By analyzing past alerts, you can identify trends, such as an increase of attacks on a specific system.

Continuous deployment

In this process, code changes are deployed automatically to the production environment.

Certificate Revocation List (CRL)

Includes a list of revoked certificates and is publicly available. An alternative to using this is the Online Certificate Status Protocol (OCSP), which returns answers such as good, revoked or unknown. CAs revoke certificates for several reasons such as when the private key is compromised or the CA is compromised.

Software as a Service (SaaS)

Includes any software or application provided to users over a network such as the internet. Internet users access these applications with a web browser.

Availability

Indicates that data and services are available when needed. Ensures that systems are up and operational when needed and often addresses single points of failure. You can increase this by adding fault tolerance and redundancies, such as RAID, failover clusters, backups, and generators.

Gamification

Investigations have shown that several recent security incidents originated after employees responded inappropriately to malicious emails. The IT department has sent out multiple emails describing what to do with these emails, but employees continue to respond inappropriately. The chief information officer has directed the Human Resources department to find and implement a solution that will increase user awareness and reduce these incidents. Which of the following would be the BEST solution?

Legal Hold

Is a court order to preserve data for the purposes of an investigation.

AES (Advanced Encryption Standard)

Is a strong symmetric block cipher that encrypts data in 128-bit blocks. The National Institute of Standards and Technology (NIST) adopted it from the Rijndael encryption algorithm after a lengthy evaluation of several different algorithms.

perfect forward secrecy

Is an important characteristic that ephemeral keys comply with in asymmetric encryption.

Implement an inline NIPS.

Lenny noticed a significant number of logon failures for administrator accounts on the organization's public website. After investigating it further, he notices that most of these attempts are from IP addresses assigned to foreign countries. He wants to implement a solution that will detect and prevent similar attacks. Which of the following is the BEST choice?

Port Security

Limits the computers that can connect to physical ports on a switch. At the most basic level, administrators disable unused ports. Another implementation limits the number of MAC addresses per port. A more advanced implementation is to restrict each physical port to only a single specific MAC address.

ifconfig

Linux systems use this to view network interfaces, and it can also manipulate the settings on the network interfaces. You can enable promiscuous mode on a NIC with this.

Run the scans as credentialed scans

Lisa periodically runs vulnerability scans on the organization's network. Lately, she has been receiving many false positives. Which of the following actions can help reduce the false positives?

The document is a honeyfile.

Lisa created a document called password.txt and put in it the usernames of two accounts with elevated privileges. She then placed the file on her administrator account desktop on several servers. Which of the following BEST explains her actions?

Tabletop exercise

Lisa has scheduled quarterly meetings with department leaders to discuss how they would respond to various scenarios such as natural disasters or cyberattacks. During the meetings, she presents a scenario and asks attendees to indicate their responses. Also, during the meetings, she injects variations of the scenario similar to what may happen during a live event and encourages attendees to discuss their responses. What does this describe?

Thank the caller and end the call, report the call to her supervisor, and independently check the vendor for issues

Lisa is a database administrator and received a phone call from someone identifying himself as a technician working with a known hardware vendor. He said he's calling customers to inform them of a problem with database servers they've sold, but he said the problem only affects servers running a specific operating system version. He asks Lisa what operating system versions the company is running on their database servers. Which of the following choices is the BEST response from Lisa?

Pretexting

Lisa is a database administrator. She received a phone call from someone identifying himself as a representative from a known hardware vendor. He said he's calling customers to inform them of a problem with database servers they've sold, but he said the problem only affects servers running a specific operating system version. He asks Lisa what operating system version the company is running on their database servers. Which of the following BEST describes the tactic used by the caller in this scenario?

Least privilege

Lisa is a training instructor, and she maintains a training lab with 16 computers. She has enough rights and permissions on these machines to configure them as needed for classes. However, she does not have the rights to add them to the organization's domain. Which of the following choices BEST describes the reasoning for this? This principle specifies that individuals or processes are granted only the privileges they need to perform their assigned tasks or functions, but no more.

Wireless footprinting

Lisa is creating a detailed diagram of wireless access points and hotspots within your organization. What is another name for this?

Stored procedures

Looking at logs for an online web application, you see that someone has entered the following phrase into several queries: 'or'1'='1';- Which of the following provides the BEST protection against this attack?

Risk register

Maggie is performing a risk assessment on a database server. While doing so, she created a document showing all the known risks to this server, along with the risk score for each risk. Which of the following BEST identifies the name of this document?

chmod

Maggie needs access to the project.doc file available on a Linux server. Lisa, a system administrator responsible for this server, sees the following permissions for the file: rwx rw- --- What should Lisa use to grant Maggie access to the file? This command (short for change mode) is used to modify permissions on Linux system files and folders.

SNMPv3

Maggie needs to collect network device configuration information and network statistics from devices on the network. She wants to protect the confidentiality of credentials used to connect to these devices. Which of the following protocols would BEST meet this need?

ssh-copy-id -i ~/.ssh/id_rsa.pub maggie@gcga

Maggie regularly connects to a remote server named gcga using Secure Shell (ssh) from her Linux system. However, she has trouble remembering the password, and she wants to avoid using it without sacrificing security. She creates a cryptographic key pair to use instead. Which of the following commands is the BEST choice to use after creating the key pair?

Nmap

Maggie suspects that a server may be running unnecessary services. Which of the following tools is the BEST choice to identify the services running on the server?

Backdoor

Maggie was on the programming team that developed an application used by your Human Resources department. Personnel use this application to store and manage employee data. Maggie programmed in the ability to access this application with a username and password that only she knows to perform remote maintenance on the application if necessary. Which of the following does this describe?

Detective control

Maggie works in the security section of the IT department. Her primary responsibilities are to monitor security logs, analyze trends reported by the SIEM, and validate alerts. Which of the following choices BEST identifies the primary security control she's implementing?

PaaS

Maggie, the new CTO at your organization, wants to reduce costs by utilizing more cloud services. She has directed the use of a cloud service instead of purchasing all the hardware and software needed for an upcoming project. She also wants to ensure that the cloud provider maintains all the required hardware and software. Which of the following BEST describes the cloud computing service model that will meet these requirements?

Next-generation SWG

Management at your organization wants to add a cloud-based service to filter all traffic going to or from the Internet from internal clients. At a minimum, the solution should include URL filtering, DLP protection, and malware detection and filtering. Which of the following will BEST meet these requirements?

Supporting non-repudiation

Management has mandated the use of digital signatures by all personnel within your organization. Which of the following use cases does this support?

Mandatory vacation

Management recently decided to upgrade the organization's security policy. Among other items, they want to implement a policy that will reduce the risk of personnel within the organization colluding to embezzle company funds. Which of the following is the BEST choice to meet this need?

the lowest possible CER

Management within your organization has decided to implement a biometric solution for authentication into the data center. They have stated that the biometric system needs to be highly accurate. Which of the following provides the BEST indication of accuracy with a biometric system?

Encryption

Management within your organization has defined a use case to support the confidentiality of data stored in a database. Which of the following solutions will BEST meet this need? It is a strong technical control used to protect the confidentiality of data, including data transferred over a network and data stored on devices such as servers, desktop computers, and mobile devices.

TOTP

Management within your organization wants to add 2FA security for users working from home. Additionally, management wants to ensure that 2FA passwords expire after 30 seconds. Which of the following choices BEST meets this requirement?

AUP

Management within your organization wants to ensure that users understand the rules of behavior when they access the organization's computer systems and networks. Which of the following BEST describes what they would implement to meet this requirement?

Remote attestation

Managers within your organization want to implement a secure boot process for some key computers. During the boot process, each computer should send data to a remote system to check the computer's configuration. Which of the following will meet this goal?

Poisoning attack

Many protocols store data in cache for temporary access. Poisoning attacks attempt to corrupt the cache with different data.

Directory services

Microsoft Active Directory Domain Services (AD DS) provides authentication services for a network. AD DS uses LDAP, encrypted with TLS, when querying the directory.

Integrity Measurements

Network administrators have identified what appears to be malicious traffic coming from an internal computer, but only when no one is logged on to the computer. You suspect the system is infected with malware. It periodically runs an application that attempts to connect to web sites over port 80 with Telnet. After comparing the computer with a list of applications from the master image, you verify this application is very likely the problem. What allowed you to make this determination?

Use SSH

Network administrators manage network devices remotely. However, a recent security audit discovered they are using a protocol that allows them to send credentials over the network in cleartext. Which of the following methods should be adopted to eliminate this vulnerability?

Supporting low latency

OCSP supports this use case. When a certificate is revoked, the CA adds the certificate to a CRL.

ping -t <ip address>

On Linux-based systems, ping continues until you press the Ctrl + C keys to stop it. You can mimic this behavior on Windows systems by using this.

Dictionary Attack

One of the original password attacks. It uses a dictionary of words and attempts every word in the dictionary to see if it works.

Domain Name System Security Extensions (DNSSEC)

One of the primary methods of preventing DNS cache poisoning. It is a suite of extensions to DNS that provides validation for DNS responses.

w3af (Web Application Attack and Audit Framework)

Open-source framework that focuses on web application vulnerabilities. The stated goal is to find and exploit all web application vulnerabilities and make this information known to others. Web application developers can then ensure their web applications are not vulnerable to the exploits.

ssh-keygen -t rsa

OpenSSH supports the use case of authentication using a passwordless SSH login. You can use OpenSSH to create a public and private key pair. Maggie keeps the private key on her system and copies the public key to the remote server. Later, when she connects to the remote server, it prompts her system to authenticate with the private key. This command creates the public/private key pair.

Data protection officer

Organizations that conduct business in the EU must have a position within the organization that can act as an independent advocate for the proper care and use of customer information. Which of the following BEST identifies this position?

Pass the hash attack

Passwords are typically stored as hashes. This attack attempts to use an intercepted hash to access an account. These attacks can be detected in Event ID 4624 with a Logon Process of NtLmSsp and/or an Authentication Package of NTLM.

Managerial controls

Primarily administrative in function. They are typically documented in an organization's security policy and focus on managing risk.

SSL (Secure Sockets Layer)

This protocol was the primary method used to secure HTTP traffic as Hypertext Transfer Protocol Secure (HTTPS).

Logic Bomb

Recently, malware on a computer at the Monty Burns Casino destroyed several important files after it detected that Homer was no longer employed at the casino. Which of the following BEST identifies this malware?

ARP (Address Resolution Protocol)

Resolves IP addresses to media access control (MAC) addresses to enable communication between devices.

Bridge Protocol Data Unit (BPDU)

STP sends this message in a network to detect loops. When loops are detected, STP shuts down or blocks traffic from switch ports sending redundant traffic.

SEDs

Salespeople within a company regularly take company-owned laptops with them on the road. The company wants to implement a solution to protect laptop drives against data theft. The solution should operate without user interaction for ease of use. Which of the following is the BEST choice to meet these needs?

Snapshots

Security experts use this to capture data for forensic analysis. Various tools are available to capture these of memory, disk contents, cloud-based storage, and more.

Version control

Several developers in your organization are working on a software development project. Recently, Bart made an unauthorized change to the code that effectively broke several modules. Unfortunately, there isn't any record of who made the change or details of the change. Management wants to ensure it is easy to identify who makes any changes in the future. Which of the following provides the BEST solution for this need?

Log monitoring

Several different logs record details of activity on systems and networks.

stateful firewall

Several servers in your organization's screened subnet were recently attacked. After analyzing the logs, you discover that many of these attacks used TCP, but the packets were not part of an established TCP session. Which of the following devices would provide the BEST solution to prevent these attacks in the future?

ip -s link

Shows statistics on the network interfaces

ip link show

Shows the interfaces along with some details on them

Lightweight Directory Access Protocol (LDAP)

Specifies the formats and methods used to query directories, such as Microsoft AD DS. It is an extension of the X.500 standard that Novell and early Microsoft Exchange Server versions used extensively.

Trigger

Starts the use case. In this case, it could be when Lisa clicks on the shopping cart to begin the purchase process.

Incident Response Procedures

Starts with the preparation phase, which prepares for and prevents incidents. Preparation helps prevent incidents such as malware infections.

Supporting obfuscation

Steganography supports this: it allows people to hide data in plain sight and obscures the fact that a file holds a hidden message.

Broadcast storm and loop prevention

Loop prevention, such as STP or RSTP, is necessary to protect against switching loop problems, such as those caused when two ports of a switch are connected to each other.

audio files, image files, and video files

What are the 3 primary types of files used in steganography?

Sandbox

The BizzFad organization develops and sells software. Occasionally they update the software to fix security vulnerabilities and/or add additional features. However, before releasing these updates to customers, they test them in different environments. Which of the following solutions provides the BEST method to test the updates?

Red team

The IT department at your organization recently created an isolated test network that mimics the DMZ. They then hired an outside company to perform a simulated cyberattack on this isolated test network as part of a testing campaign. Which of the following BEST describes the role of personnel from the outside company?

Vein Scans

The Marvin Monroe Memorial Hospital was recently sued after removing a kidney from the wrong patient. Hospital executives want to implement a method that will reduce medical errors related to misidentifying patients. They want to ensure medical personnel can identify a patient even if the patient is unconscious. Which of the following would be the BEST solution?

Continuous monitoring

The continuous monitoring process automatically monitors code changes to detect compliance issues and security threats.

Encryption and strong access controls

The primary methods of protecting the confidentiality of data are these. Database column encryption protects individual fields within a database.

Air gap the computers

The Springfield nuclear power plant has several stand-alone computers used for monitoring. Employees log on to these computers using a local account to verify proper operation of various processes. The CIO of the organization has mandated that these computers cannot be connected to the organization's network or have access to the Internet. Which of the following would BEST meet this requirement?

Biometric

The third factor of authentication is the strongest individual authentication factor. It includes fingerprints, palm veins, retina scans, iris scans, voice recognition, facial recognition, and gait analysis.

Email

These certificates are used for encryption of emails and digital signatures.

Data owners

They are responsible for ensuring adequate security controls are in place to protect the data.

General Data Protection Regulation (GDPR)

This EU regulation mandates the protection of privacy data for individuals who live in the EU. It applies to any organization that collects and maintains this data, regardless of the location of the organization.

Self-Signing

This certificate is not issued by a trusted CA. Private CAs within an enterprise often create these. They aren't trusted by default. However, admins can use automated means to place copies of these into the trusted root CA store for enterprise computers. These certificates from private CAs eliminate the cost of purchasing certs from public CAs.

Refactoring

This is the process of rewriting the code's internal processing without changing its external behavior. It is usually done to correct problems related to software design.

journalctl --since "1 hour ago"

This command allows you to limit the journal entries to a specific amount of time.

ifconfig eth0 allmulti

This command enables multicast mode on the NIC. This allows the NIC to process all multicast traffic received by the NIC.

ifconfig eth0 promisc

This command enables promiscuous mode on the first Ethernet interface. Promiscuous mode allows a NIC to process all traffic it receives.

ipconfig /all and ifconfig -a

This command shows a comprehensive listing of TCP/IP configuration information for each NIC. It includes the media access control (MAC) address, the address of assigned DNS servers, and the address of a Dynamic Host Configuration Protocol (DHCP) server if the system is a DHCP client. You can use ifconfig -a on Linux systems.

journalctl --list-boots and journalctl -b -1

These commands show the available boot logs and retrieve the boot log identified with the number -1.

ifconfig eth0

This command shows the configuration of the first Ethernet interface (NIC) on a Linux system. If the system has multiple NICs, you can use eth1, eth2, and so on. You can also use wlan0 to view information on the first wireless interface.

NXLog Enterprise Edition

This edition of NXLog includes all the features of the community edition but adds additional capabilities.

NXLog Community Edition

This edition of NXLog is a proprietary log management tool available from https://nxlog.co. Installation packages are available for Microsoft Windows and GNU/Linux. While it's free, it includes a feature set comparable with some SIEM solutions.

LISTEN

This indicates the system is waiting for a connection request. The well-known port a system is listening on indicates the protocol.

CLOSE_WAIT

This indicates the system is waiting for a connection termination request.

TIME_WAIT

This indicates the system is waiting for enough time to pass to be sure the remote system received a TCP-based acknowledgment of the connection.

SYN_SENT

This indicates the system sent a TCP SYN (synchronize) packet as the first part of the SYN, SYN-ACK (synchronize-acknowledge), ACK (acknowledge) handshake process and it is waiting for the SYN-ACK response.

SYN_RECEIVED

This indicates the system sent a TCP SYN-ACK packet after receiving a SYN packet as the first part of the SYN, SYN-ACK, ACK handshake process. It is waiting for the ACK response to establish the connection.

ssh root@gcga

This initiates an SSH connection to the remote server using the default SSH port of 22. Without a specified username, ssh would use Maggie's username on the client; this command instead initiates the SSH connection using the root account of the remote system.

Gramm-Leach-Bliley Act (GLBA)

This is also known as the Financial Services Modernization Act and includes a Financial Privacy Rule. This rule requires financial institutions to provide consumers with a privacy notice explaining what information they collect and how that information is used.

id_rsa

This is the private key. It is stored on the client and must stay private.

Subject Alternative Name (SAN)

This is used for multiple domains that have different names but are owned by the same organization. Google uses this for *.google.com, *.android.com, *.cloud.google.com, and more. It is often used for systems with the same base domain names but different top-level domains.

Reflected XSS or non persistent.

This starts with an attacker crafting a malicious URL and then encouraging a user to click it. The malicious URL is often placed within a phishing email, but it could also be placed on a public website, such as a link within a comment.

Security Information and Event Management (SIEM)

This system provides a centralized solution for collecting, analyzing, and managing data from multiple sources. It combines the services of security event management (SEM) and security information management (SIM) solutions.

Zero-day

This vulnerability is a weakness or bug that is unknown to trusted sources, such as antivirus and operating system vendors. This attack exploits an undocumented vulnerability.

Sarbanes-Oxley Act (SOX)

This was passed after several accounting scandals by major corporations, such as Enron and WorldCom. Companies engaged in accounting fraud to make their financial condition look better than it was and prop up their stock price.

Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs)

can monitor a network or host for intrusions and provide ongoing protection against various threats.

MD5 and SHA-256

Two popular hashing algorithms used to verify integrity.

Power Redundancies

Uninterruptible power supplies (UPSs) and power generators can provide power to key systems even if commercial power fails.

FTP (File transfer protocol)

Uploads and downloads large files to and from an FTP server. By default, it transmits data in cleartext.

P12

These use the PKCS version 12 (PKCS#12) format and are DER based (binary). They are commonly used to hold certificates together with the private key.

ICMP (Internet Control Message Protocol)

Used for testing basic connectivity and includes tools such as ping, pathping, and tracert.

Password Authentication Protocol (PAP)

Used with Point-to-Point Protocol (PPP) to authenticate clients. A significant weakness of this is that it sends passwords over a network in cleartext, representing a considerable security risk. It was primarily used with dial-up connections.

Identification

Users claim this with a unique username. For example, both Maggie and Homer have separate user accounts identified with unique usernames. When Maggie uses her account, she is claiming the identity of her account. This occurs when a user claims an identity, such as with a username or email address.

Hashing

Users in your organization sign their emails with digital signatures. Which of the following provides integrity for these digital signatures?

Push notifications

Users regularly log on with a username and password. However, management wants to add a second authentication factor for any users who launch the gcga application. The method needs to be user-friendly and non-disruptive. Which of the following will BEST meet these requirements?

Display a generic error message but log detailed information on the error.

Web developers are implementing error handling in a database application accessed by a web server. Which of the following would be the BEST way to implement this?

SAML 2

Web developers in your organization are creating a web application that will interact with other applications running on the internet. They want their application to receive user credentials from an app running on a trusted partner's web domain. Which of the following is the BEST choice to meet this need?

A stream cipher encrypts data 1 bit or 1 byte at a time

What is the primary difference between a block cipher and a stream cipher?

Delete account

When the organization determines the account is no longer needed, administrators delete it.

Race condition

When two or more modules of an application, or two or more applications, attempt to access a resource at the same time, it can cause a conflict known as a...

Payment Card Industry Data Security Standard (PCI DSS)

When using credit cards, a company would comply with this. Many organizations use the Risk Management Framework (RMF) and Cybersecurity Framework (CSF) to identify and mitigate risks.

Group based privileges

You administer access control for users in your organization. Some departments have a high employee turnover, so you want to simplify account administration. Which of the following is the BEST choice? This reduces the administrative workload of access management. Admins put user accounts into security groups and assign privileges to the groups. Users within a group automatically inherit the privileges assigned to the group.

An evil twin

You are an administrator at a small organization. Homer contacted you today and reported the following: - He logged on normally on Monday morning and accessed network shares. - Later, when he tried to access the Internet, a pop-up window with the organization's wireless SSID prompted him to log on. - After doing so, he could access the Internet but no longer had access to the network shares. - Three days later, his bank notified him of suspicious activity on his account. Which of the following indicates the MOST likely explanation for this activity?

syslog

Which of the following describes the proper format of log entries for Linux systems? This protocol specifies a general log entry format and the details on how to transport log entries. You can deploy a centralized syslog server to collect these entries from a variety of devices in the network, similar to how a SIEM server collects log entries.

Firewall

Which of the following devices would MOST likely have the following entries used to define its operation? permit IP any any eq 80 permit IP any any eq 443 deny IP any any

Advisories and bulletins & intelligence fusion

Which of the following elements are used as part of threat hunting? (choose two)

MD5

Which of the following is a cryptographic algorithm that will create a fixed-length output from a data file but cannot be used to re-create the original file?

IaaS

You are asked to research prices for cloud-based services. The cloud service provider needs to supply servers, storage, and networks, but nothing else. Which of the following will BEST meet your needs?

Use Open mode

You are assisting a small business owner in setting up a public wireless hotspot for her customers. She wants to allow customers to access the hotspot without entering a password. Which of the following is MOST appropriate for this hotspot?

Enforce an application allow list

While investigating a recent data breach, investigators discovered a RAT on Bart's computer. Antivirus software didn't detect it. Logs show a user with local administrator privileges installed it. Which of the following answers has the BEST chance of preventing this from happening?

Resource exhaustion

While investigating performance issues on a web server, you verified that the CPU usage was about 10% five minutes ago. However, it now shows that the CPU usage has been averaging over 98% for the last two minutes. Which of the following BEST describes what this web server is experiencing?

Buffer overflow

While reviewing logs for a web application, a security analyst notices that it has crashed several times, reporting a memory error. Shortly after it crashes, the logs show malicious code that isn't part of a known application. Which of the following is MOST likely occurring?

Spraying attack

While reviewing logs on a web server hosted by your organization, you notice multiple logon failures to an FTP account, but they're only happening about once every 30 minutes. You also see that the same password is being tried against the SSH account right after the FTP account logon failure. What BEST describes what is happening?

fake telemetry

corrupts the data sent to monitoring systems and can disrupt a system.

CSR

You are configuring a web server that will be used by salespeople via the internet. Data transferred to and from the server needs to be encrypted, so you are tasked with requesting a certificate for the server. Which of the following would you MOST likely use to request the certificate?

A SQL injection attack

You are examining logs generated by an online web application. You notice that the following phrase is appearing in several queries: ' or '1'='1'; -- Which of the following is the MOST likely explanation for this?

Baseline

You are preparing to deploy a heuristic-based detection system to monitor network activity. Which of the following would you create first?

providing time synchronization

You are tasked with enabling NTP on some servers within your organization's screened subnet. Which of the following use cases are you MOST likely supporting with this action?

SAN

You are tasked with getting prices for certificates. You need to find a source that will provide a certificate that can be used for multiple domains that have different names. Which of the following certificates is the BEST choice?

the mx1.emailsrvr.com is a backup mail server

You are trying to determine what information attackers can gain about your organization using network reconnaissance methods via the Internet. Using a public wireless hotspot, you issue the following command: nslookup -querytype=mx gcgapremium.com You then see these results: Server: Unknown Address: 10.0.0.1 Non-authoritative answer: gcgapremium.com MX preference = 90, mail exchanger = mx1.emailsrvr.com gcgapremium.com MX preference = 20, mail exchanger = mx2.emailsrvr.com What does this tell you?

ipconfig /flushdns

You can erase the contents of the DNS cache with this command. Use this when the cache has incorrect information and you want to ensure that the system queries DNS for up-to-date information.

ping -c 4 <ip address>

You can mimic the behavior of a Windows ping on a Linux system using this switch.

Use the route command

You have added another router in your network. This router provides a path to a limited access network that isn't advertised. However, a network administrator needs to access this network regularly. Which of the following could he do to configure his computer to access this limited network?

Switch

can learn which computers are attached to each of its physical ports. It then uses this knowledge to create internal switched connections when two computers communicate with each other.

Lateral movement

Your organization has hired outside penetration testers to identify internal network vulnerabilities. After successfully exploiting vulnerabilities in a single computer, the testers attempt to access other systems within the network. Which of the following BEST describes their current actions?

Disable unused ports

Your organization has several switches in use throughout the internal network. Management wants to implement a security control to prevent unauthorized access to these switches within the network. Which of the following choices would BEST meet this need?

Mission-essential functions

Your organization hired a security consultant to create a BIA. She is trying to identify processes that can potentially cause losses in revenue if they stop functioning. Which of the following BEST describes what she is identifying?

RAID-6

You need to add disk redundancy for a critical server in your organization's screened subnet. Management wants to ensure it supports two-drive failure. Which of the following is the BEST solution for this requirement?

User account

You need to provide a junior administrator with appropriate credentials to rebuild a domain controller after it suffers a catastrophic failure. Of the following choices, what type of account would BEST meet this need?

Biometrics, Access control vestibule, CCTV

You need to secure access to a data center. Which of the following choices provides the BEST physical security to meet this need? (Select three)

False negative

You recently completed a vulnerability scan on a database server. The scan didn't report any issues. However, you know that it is missing a patch. The patch wasn't applied because it causes problems with the database application. Which of the following BEST describes this?

Private

Your organization recently lost access to some decryption keys, resulting in the loss of some encrypted data. The chief information officer (CIO) mandated the creation of a key escrow. Which of the following cryptographic keys are MOST likely to be stored in key escrow?

Vulnerability scan

You suspect that a database server used by a web application is not up to date with current patches. Which of the following is the BEST action to take to verify the server has up-to-date patches?

tracert

You suspect that traffic in your network is being rerouted to an unauthorized router within your network. Which of the following command-line tools would help you narrow down the problem? This command lists all the routers between two systems. In this context, each router is referred to as a hop. It identifies the IP address and sometimes the hostname of each hop in addition to the round-trip times (RTTs) for each hop.

Certificate Signing Request (CSR)

You typically request certificates using this. The first step is to create the RSA-based private key, which is used to create the public key. You then include the public key in this, and the CA will embed the public key in the certificate. The private key is not sent to the CA.

Port scanner

You want to identify all the services running on a server in your network. Which of the following tools is the BEST choice to meet this goal?

hping

You're troubleshooting a connectivity issue with a server that has an IP address of 192.168.1.10 from your Linux system. The server does not respond to the ping command, but you suspect that a router is blocking the ping traffic. Which of the following choices would you use to verify the server is responding to traffic? It is similar to the ping command, but it can send the pings using TCP, UDP, and ICMP.

PowerShell script to list local administrators

Your SIEM sent an alert after detecting the following script was run on a system within your network. invoke-command { $a = net localgroup administrators | where {$_ -AND $_ -notmatch "command completed"} | select -skip 4 } What BEST describes this script?

Fileless virus

Your SIEM system alerted on potential malicious activity from a system in your network. After investigating the alert, you determine it was generated after it detected suspicious activity generated through a PowerShell script. Additionally, you verified that the system is sending traffic to and from an unknown IP address on the Internet. Which of the following is the BEST description of this threat?

2

Your database backup strategy includes full backups performed on Saturdays at 12:01 a.m. and differential backups performed daily at 12:01 a.m. If the database fails on Thursday afternoon, how many backups are required to restore it?

Cable locks

Your local library is planning to purchase new laptops that patrons can use for internet research. However, management is concerned about possible theft. Which of the following is the BEST choice to prevent theft of these laptops?

Add the following rule to the firewall: DENY IP ALL ALL 53 and add an implicit deny rule at the end of the ACL.

Your network currently has a dedicated firewall protecting access to a web server. It is currently configured with only the following two rules in the ACL: PERMIT TCP ANY ANY 443; PERMIT TCP ANY ANY 80. You have detected DNS requests and DNS zone transfer requests coming through the firewall and you need to block them. Which of the following would meet this goal? (Select TWO. Each answer is a full solution.)

CASB

Your organization has been using more cloud resources, and Lisa, the CIO, is concerned about security. She wants to add a service that is logically placed between the organization's network and the cloud provider. This service will monitor all network traffic and ensure that data sent to the cloud for storage is encrypted. Which of the following will BEST meet these requirements?

Cross-Site Request Forgery

Your organization has created a web application that will go live after testing is complete. An application tester sees the following URL: https://gcgapremium.com/info.php?sessionID=10123&acct=homer. The tester resends the following URL to the website: https://gcgapremium.com/info.php?sessionID=32101&acct=homer. Which of the following attacks is the tester checking?

Tcpreplay

Your organization recently purchased and deployed an IDS within the network. Security administrators want to verify it will detect a SYN stealth scan. Which of the following tools will BEST meet your need?

Time-of-day restrictions

Your organization hires students during the summer for temporary help. They need access to network resources, but only during working hours. Management has stressed that it is critically important to safeguard trade secrets and other confidential information. Which of the following account management concepts would be MOST important to meet these goals?

Elasticity

Your organization hosts an e-commerce web server selling digital products. The server randomly experiences a high volume of sales and usage, which causes spikes in resource usage. These spikes occasionally take the server down. Which of the following should be implemented to prevent these outages? is the ability of a system to handle an increased workload by dynamically scaling up or out as the need arises.

Supply chain assessment

Your organization hosts an e-commerce web site used to sell digital products. You are tasked with evaluating all the elements used to support this web site. What are you performing?

NIC teaming

Your organization hosts an e-commerce website that has been receiving a significant increase in traffic. The CPU is handling the load, but the server is unable to process the bandwidth consistently. Which of the following is the BEST choice to solve this problem?

OCSP

Your organization hosts an internal website used only by employees. The website uses a certificate issued by a private CA, and the network downloads a CRL from the CA once a week. However, after a recent compromise, security administrators want to use a real-time alternative to the CRL. Which of the following will BEST meet this need?

Multipath

Your organization hosts several databases on two servers. Management wants to increase the redundancy of data storage for these servers. Which of the following is the BEST choice to meet this requirement?

To enforce a job rotation policy

Your organization includes a software development division within the IT department. One developer writes and maintains applications for the Sales and Marketing departments. A second developer writes and maintains applications for the Payroll department. Once a year, they switch roles for at least a month. What is the purpose of this practice?

Full tunnel

Your organization is allowing more employees to work from home, and they want to upgrade their VPN. Management wants to ensure that after a VPN client connects to the VPN server, all traffic from the VPN client is encrypted. Which of the following would BEST meet this goal?

Persistence

Your organization is planning to deploy a new e-commerce website. Management anticipates heavy processing requirements for a back-end application used by the website. The current design will use one web server and multiple application servers. Additionally, when beginning a session, a user will connect to an application server and remain connected to the same application server for the entire session. Which of the following BEST describes the configuration of the application servers?

MDM

Your organization is planning to implement a BYOD policy. However, management wants to implement a comprehensive solution to protect the organization's data when the BYOD policy is put into place. Which of the following is the BEST choice to meet these needs?

PEAP

Your organization is planning to upgrade the wireless network used by employees. It will provide encrypted authentication of wireless users over TLS. Which of the following protocols are they MOST likely implementing?

Dynamic code analysis

Your organization is preparing to deploy a web-based application, which will accept user input. Which of the following will BEST test the reliability of this application to maintain availability and data integrity?

PCI DSS

Your organization is setting up an e-commerce site to sell products online. Management wants to ensure the website can accept credit cards for payment. Which of the following standards are they MOST likely to follow?

Containerization

Your organization is switching from a COPE model to a BYOD model due to the cost of replacing lost or damaged mobile devices. Which of the following is the BEST choice to protect the organization's data when using the BYOD model?

Ensuring data is classified and labeled correctly

Your organization is updating the policy, and management wants to ensure that employees get training on their responsibilities based on their role. Which of the following BEST describes the responsibilities of data owners and indicates what training they need?

Air gap

Your organization needs to create a design for a high-security network for a US government contract. The network should not be accessible by your organization's existing networks or the internet. Which of the following options will BEST meet this need?

Partially known environment

Your organization outsourced the development of a software module to modify an existing proprietary application's functionality. The developer completed the module and is now testing it with the entire application. What type of testing is the developer performing?

Site-to-site VPN

Your organization plans to implement a connection between the main site and a remote office giving remote employees on-demand access to resources at headquarters. The chief information officer (CIO) wants to use the internet for this connection. Which of the following solutions will BEST support this requirement?

Agentless

Your organization recently implemented a BYOD policy. However, management wants to ensure that mobile devices meet minimum standards for security before they can access any network resources. Which of the following would the NAC MOST likely use?

MDM application

Your organization recently implemented a security policy requiring that all endpoint computing devices have a unique identifier to simplify asset inventories. Administrators implemented this on servers, desktop PCs, and laptops with an RFID system. However, they haven't found a reliable method to tag corporate-owned smartphones and tablet devices. Which of the following choices would be the best alternative?

Resilience

Your organization recently implemented two servers in an active/passive load-balancing configuration. What security goal does this support?

Private clouds

are only available for one organization.

Vulnerability scans

are passive and have little impact on a system during a test.

Forensic artifacts

are pieces of data on a device that regular users are unaware of, but digital forensic experts can identify and extract. In general, logs and data files show direct content, but the artifacts are not so easy to see.

Test restores

are the best way to test the integrity of a company's backup data. Backup media should be protected with the same level of protection as the data on the backup. Geographic considerations for backups include storing backups off-site, choosing the best location, and considering legal implications and data sovereignty.

jamming

attackers can transmit noise or another radio signal on the same frequency used by a wireless network. This interferes with the wireless transmissions and can seriously degrade performance. This type of denial-of-service attack is commonly called this, and it usually prevents all users from connecting to a wireless network.

Spraying attacks

attempt to avoid account lockout policies. Logs will still show a large volume of failed login attempts, but with a time lapse between each entry.

Detective Controls

attempt to detect incidents after they have occurred

deterrent controls

attempt to discourage individuals from causing an incident

Password crackers

attempt to discover passwords and can identify weak or poorly protected passwords.

Offline password attacks

attempt to discover passwords from a captured database or captured packet scan. Logs will show a large volume of failed logon attempts as event ID 4625 and/or several accounts being locked out as event ID 4740.

Preventive controls

attempt to prevent an incident from occurring

Corrective controls

attempt to reverse the impact of an incident

Online password attacks

attempt to discover a password from an online system.

vulnerability assessments

attempt to discover current vulnerabilities.

Brute force attack

attempts to guess all possible character combinations.

DNS poisoning attack

attempts to modify or corrupt DNS data.

Integrity measurements for baseline deviation

automated tools monitor the systems for any baseline changes, which is a common security issue.

Vulnerability scanner

can identify vulnerabilities, misconfigured systems, and the lack of security controls such as up-to-date patches. It is passive and non-intrusive and has little impact on a system during the test. In contrast, a penetration test is active and intrusive and can potentially compromise a system.

Bcrypt

is based on the Blowfish block cipher and is used on many Unix and Linux distributions to protect the passwords stored in the shadow password file.

HOTP and TOTP

both of these are open source standards used to create one-time-use passwords.

ARP request

broadcasts the IP address and essentially asks, "who has this IP address?"

OpenID Connect (OIDC)

builds on OpenID for authorization and uses the OAuth 2.0 framework for authentication. Instead of an authorization token, it uses a JavaScript Object Notation (JSON) Web Token (JWT), sometimes called an ID token.

Rsyslog

came out as an improvement over syslog-ng. One significant change is the ability to send log entries directly into database engines. It also supports TCP and TLS.

Executives

can access data from any project held on the server but do not have access to modify server settings

Faraday cage

can be a large room or a box, and it prevents signals from emanating beyond the enclosure.

Adversary

can be identified by email addresses, handles used in online forums, memberships in advanced persistent threat groups, and other identifiers.

Victim

can be identified by their names, email addresses, or network identifiers.

Intrusion prevention system (IPS)

can block malicious traffic before it reaches a network.

protocol analyzer

You can capture packets using this, which is sometimes called sniffing or using a sniffer. It provides administrators and attackers with the ability to analyze and modify packet headers and their payloads. Administrators use this to capture, display, and analyze packets sent over a network. It is useful when troubleshooting communications problems between systems. It is also useful to detect attacks and manipulate or fragment packets.

Network scanners

can detect all the hosts on a network, including the operating system and services or protocols running on each host.

Intrusion detection system (IDS)

can detect malicious traffic after it enters a network. Typically raises an alarm to notify IT personnel of a potential attack.

Cloud-based DLP

can enforce security policies for data stored in the cloud, such as ensuring that Personally Identifiable Information is encrypted.

Security audit

can examine the security posture of an organization.

Social engineer

can gain unauthorized information just by looking over someone's shoulder. This might be in person, such as when a user is at a computer, or remotely using a camera. Screen filters help prevent shoulder surfing by obscuring people's view unless they are directly in front of the monitor.

sophisticated mantraps

can identify and authenticate individuals before allowing access.

MAC filtering

can restrict access to a wireless network to specific clients. However, an attacker can use a sniffer to discover allowed MAC addresses and circumvent this form of network access control. It's relatively simple for an attacker to spoof a MAC address.

Team members

can typically report on work that project managers assign to them, but they have little access outside the scope of their assignments.

Keyloggers

capture a user's keystrokes and store them in a file. This file can be automatically sent to an attacker or manually retrieved, depending on how the keylogger is designed.

Security controls

are categorized as managerial (documented in written policies), operational (performed in day-to-day operations), or technical (implemented with technology).

Privacy Enhanced Mail (PEM)

The name implies that these certificates are used for email only, but that is misleading. They can be used for just about anything. They can be formatted as CER (ASCII files) or DER (binary files). They can also be used to share public keys within a certificate, request certificates from a CA as a CSR, install a private key on a server, publish a CRL, or share the full certificate chain.

User

certificates can also be issued to these people. They can be used for encryption, authentication, smart cards, and more. For example, Microsoft systems can create user certificates allowing the user to encrypt data using Encrypting File System (EFS).

Machine/computer

certificates issued to a device or a computer are commonly called this. The certificate is typically used to identify the computer within a domain.

Secure Sockets Layer (SSL) stripping

changes the hypertext transfer protocol secure (HTTPS) connection to a Hypertext Transfer Protocol (HTTP) connection. HTTPS uses Transport Layer Security (TLS) instead of SSL in almost all instances, so you can also think of this as TLS stripping.

Wireless audit

checks a wireless signal footprint, power levels, antenna placement, and encryption of wireless traffic. War driving can also detect rogue access points and identify unauthorized users.

Dynamic code analysis

checks the code while it is running.

Certificate chaining

combines all the certificates from the root CA down to the certificate issued to the end user.

Unified threat management (UTM)

combines multiple security controls into a single appliance. They can inspect data streams and often include URL filtering, malware inspection, and content inspection components. Many UTMs include a DDoS mitigator to block DDoS attacks.

Blockchain

is commonly defined as a distributed, decentralized, public ledger. In other words, it is a public record-keeping technology. The first part of the name refers to pieces of digital information (the ledger), and "chain" refers to the public database. Together they create a database of public records.

access point

connects wireless clients to a wired network

/var/log/messages

contains a wide variety of general system messages. It includes messages logged during startup, some messages related to mail, the kernel, and messages related to authentication.

/var/log/kern.log

contains information logged by the system kernel, which is the central part of the Linux operating system.

Incident response policy

defines a security incident and incident response procedures.

Change management

defines the process for any type of system modification or upgrade, including changes to applications. It has two key goals: to ensure that changes to IT systems do not result in unintended outages, and to provide an accounting structure or method to document all changes.

Reduced costs

deploying imaged systems reduces the overall maintenance costs and improves reliability.

Antivirus software

detects and removes malware, such as viruses, trojans, and worms. Signature-based software detects known malware based on signature definitions. Heuristic-based software detects unknown malware based on behavior.

Data controller

is the entity that determines why and how personal data should be processed. For example, a business may outsource payroll. They control all employee data and decide what data to release to the payroll company.

Secure development environment stages

development, test, staging, production, quality assurance

Corporate-owned, personally enabled (COPE)

devices are owned by the organization, but employees can use them for personal reasons.

Supporting non-repudiation

digital signatures are used to support this. When someone sends an email with a digital signature, recipients know it was sent by that person.

Clean desk space policy

directs users to keep their areas organized and free of papers. The primary security goal is to reduce threats of security incidents by ensuring the protection of sensitive data. More specifically, it helps prevent the possibility of data theft or inadvertent disclosure of information.

Tabletop exercise

is discussion-based only and is typically performed in a conference setting.

tail command

displays the last 10 lines of a log by default.

Elliptic Curve Cryptography (ECC)

doesn't take as much processing power as other cryptographic methods. It uses mathematical equations to formulate an elliptical curve. It then graphs points on the curve to create keys. A key benefit is that these keys can be much smaller when compared to non-ECC keys.

disassociate attack

effectively removes a wireless client from a wireless network. It's easier to understand this attack if you understand the normal operation of wireless devices and wireless APs.

Stream ciphers

encrypt data a single bit, or a single byte, at a time in a stream. They are more efficient than block ciphers when encrypting data in a continuous stream.

full disk encryption

encrypts an entire disk

Public Key

encrypts information, only the matching private key can decrypt the same information.

Private key

encrypts information, only the matching public key can decrypt the same information.

Cryptomalware

encrypts the user's data.

SSH (Secure Shell)

encrypts traffic in transit and can be used to encrypt other protocols such as FTP. Secure copy (SCP) is based on SSH and is used to copy encrypted files over a network.

Recipients Public Key

is used to encrypt an email message, and the recipient uses the matching private key to decrypt the encrypted email message.

Backup and system recovery

ensure that personnel can recover data if it is lost or corrupted. They also ensure that administrators can recover a system after a failure.

Change management

ensures that changes don't result in unintended outages. Instead of admins making changes on the fly, they submit the change to a change management process.

Role Based Training

ensures that employees receive appropriate training based on their roles in the organization.

patch management

ensures that systems and applications stay up to date with current patches. This protects systems against known vulnerabilities. Change management defines the process and accounting structure for handling modifications and upgrades. The goals are to reduce risks related to unintended outages and provide documentation for all changes.

attribute-based access control (ABAC)

evaluates attributes and grants access based on the value of these attributes. Attributes can be almost any characteristic of a user, the environment, or the resource. ABAC uses policies to evaluate attributes and grant access when the system detects a match in the policy.

Measurement systems analysis (MSA)

evaluates the processes and tools used to make measurements. It uses various methods to identify variations within a measurement process that can result in invalid results.

Risk control assessment

examines an organization's known risks and evaluates the effectiveness of in-place controls. It focuses on the in-place controls to determine if they adequately mitigate the known risks.

Static code analysis

examines the code without running it. In a manual review, a developer goes through the code line by line, looking for vulnerabilities.

site survey

examines the wireless environment to identify potential problem areas. A heat map shows the wireless coverage and dead spots if they exist. Wireless footprinting gives you a detailed diagram of wireless access points, hotspots, and dead spots within an organization.

syslog-ng

extends syslogd, allowing a system to collect logs from any source. It also includes correlation and routing abilities to route log entries to any log analysis tool.

firewall

filters incoming and outgoing traffic for a single host or between networks. Its purpose in a network is similar to that of a firewall in a car. If a fire starts in the engine compartment, the firewall provides a layer of protection for passengers in the passenger compartment. Similarly, in a network, it tries to keep the bad traffic out of the network.

proxy server

forwards requests for services from a client. It provides caching to improve performance and reduce internet bandwidth usage.

Privileged access management (PAM) systems

implement stringent security controls over accounts with elevated privileges such as administrator or root-level accounts. Some capabilities include allowing authorized users to access the administrator account without knowing the password, logging all elevated privileges usage, and automatically changing the administrator account password.

SHA-2

improved SHA-1 to overcome potential weaknesses. It includes four versions. SHA-256 creates 256-bit hashes and SHA-512 creates 512-bit hashes. SHA-224 and SHA-384 create truncated versions of SHA-256 and SHA-512, respectively.

Reference architecture

in cybersecurity, this is a document or set of documents that provides a set of standards. As an example, a software reference architecture documents high-level design decisions. It may stress the need to create reusable modules and follow a specific standard related to interfaces.

Physical security and environmental controls

include motion detectors and fire suppression systems.

Door access systems

include physical locks, cipher locks, and biometrics. Physical locks can help prevent access to secure areas by unauthorized individuals. Cable locks are effective threat deterrents for small equipment such as laptops and some workstations. When used properly, they prevent losses due to theft of small equipment.

Malware

includes a wide variety of malicious code, including viruses, worms, trojans, ransomware, and more.

Supply chain

includes all the elements required to produce and sell products and services. In some cases, the supply chain becomes an attack vector. By exploiting vulnerabilities in the supply chain, attackers can impact the primary organization.

/var/log/boot.log

includes entries created when the system boots

Personally identifiable information

includes information such as full name, birth date, biometric data, and identifying numbers such as SSN. Personal Health Information is part of this as well and includes medical or health information. Organizations have an obligation to protect this and typically identify procedures for handling and retaining it in data policies.

Network Access control (NAC)

includes methods to inspect clients for health, such as having up-to-date antivirus software, and can restrict access of unhealthy clients to a remediation network. You can use NAC for VPN clients and internal clients.

Hot site

includes personnel, equipment, software, and communication capabilities of the primary site with all the data up to date. It provides the shortest recovery time compared with warm and cold sites. It is the most effective disaster recovery solution, but it is also the most expensive to maintain.

DNS zone

includes records such as A records for IPv4 addresses and AAAA records for IPv6 addresses. MX records identify mail servers, and the MX record with the lowest preference is the primary mail server. DNS uses TCP port 53 for zone transfers and UDP port 53 for DNS client queries. DNSSEC adds a Resource Record Signature (RRSIG), which provides data integrity and authentication and helps prevent DNS poisoning attacks.

Cyber Kill Chain

includes seven elements tracking an attack from reconnaissance to performing actions to achieve the attacker's objectives.

Load balancing

increases the overall processing power of a service by sharing the load among multiple servers. Configurations can be active/passive or active/active. Scheduling methods include round-robin and source IP address affinity. Source IP address affinity scheduling ensures clients are redirected to the same server for an entire session.

Annual rate of occurrence (ARO)

indicates how many times the loss is expected to occur in a year. If it is less than 1, it is represented as a percentage. It identifies the number of failures expected in a year.

confidential data

information that is kept secret among a certain group of people

Stored XSS or persistent XSS

instead of the user sending the malicious code to the server, it is stored in a database or other location trusted by the web application.

Risk types

internal, external, IP theft, software compliance/licensing, legacy systems and legacy platforms, multiparty.

Background checks

investigate the history of an individual prior to employment and, sometimes, during employment. They may include criminal checks, credit checks, and an individual's online activity.

Ping

is a basic command used to test connectivity for remote systems. You can also use it to verify a system can resolve valid hostnames to IP addresses, test the NIC, and assess organizational security.

3DES

is a block cipher that encrypts data in 64-bit blocks. It was originally designed as a replacement for DES, but NIST selected AES as the current standard. However, it is still used in some applications, such as when legacy hardware doesn't support AES.

Memory leak

is a bug in a computer application that causes the application to consume more and more memory the longer it runs. In extreme cases, the application can consume so much memory that the operating system crashes. They are typically caused by an application that reserves memory for short-term use but never releases it.

Remote Authentication Dial-In User Service (RADIUS)

is a centralized authentication service. Instead of each individual VPN server needing a separate database to identify who can authenticate, the VPN servers forward the authentication requests to a central RADIUS server. RADIUS can also be used as an 802.1X server with WPA2 Enterprise mode.

video surveillance

uses a closed-circuit television (CCTV) system that can record the activity and detect events that have occurred.

Netcat

is a command-line tool that administrators often use for remotely accessing Linux systems. Testers often use it for banner grabbing, a technique used to gain information about remote systems.

Arp

is a command-line tool that is related to the address resolution protocol; however, this command and the protocol are not the same thing.

SYN Flood attack

is a common DDoS attack used against servers on the internet. These attacks are easy for attackers to launch and can cause significant problems. The attack disrupts the Transmission Control Protocol (TCP) handshake process and can prevent legitimate clients from connecting.

MD5

is a common hashing algorithm that produces a 128-bit hash. Hashes are commonly shown in hexadecimal format instead of a stream of 1s and 0s. This hash is displayed as 32 hexadecimal characters instead of 128 bits.

Single point of failure

is a component within a system that can cause the entire system to fail if the component fails. Elements such as RAID, load balancing, UPSs, and generators remove many single points of failure. If only one person knows how to perform specific tasks, that person becomes a single point of failure.

Automated courses of action

is a core principle of the DevOps model. After developers do almost anything to the code, it will trigger an automated response.

ISO 31000

is a family of standards related to risk management. It provides guidelines that organizations can adopt to manage risk.

NetFlow

is a feature available on many routers and switches that can collect IP traffic statistics and send them to a collector. The collector receives the data and stores it, and analysis software on this collector allows administrators to view and analyze the network activity.

Vulnerability

is a flaw or weakness in software, hardware, or a process that a threat could exploit, resulting in a security breach.

Counter mode

is a form of authenticated encryption and allows block ciphers to function as stream ciphers.

Vishing

is a form of phishing that uses the phone system or VoIP. Some attempts are fully automated. Others start as automated calls, but an attacker takes over at some point during the call.

Smishing

is a form of phishing using text messages.

whaling

is a form of spear phishing that attempts to target high-level executives. Las Vegas casinos refer to big spenders as whales, and casino managers are willing to spend extra time and effort to bring them into their casinos.

Autopsy

is a graphical user interface (GUI) digital forensics platform. It allows users to add command-line utilities from The Sleuth Kit (TSK).

honeynet

is a group of honeypots within a separate network or zone but accessible from an organization's primary network. Security professionals often create these using multiple virtual servers contained within a single physical server.

advanced persistent threat (APT)

is a group of organized threat actors that engage in targeted attacks against organizations. Nation-states (governments) sponsor them and give them specific targets and goals.

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge)

is a knowledge base of tactics and techniques used in real-world attacks. The knowledge base is presented in a matrix or table format. Tactics represent the adversary's tactical objective for performing an action, or why the adversary is doing what they are doing. The techniques document how an adversary achieves a tactical objective, or what the adversary gains by performing an action.

Rayburn box

is a lockbox that allows people to securely transfer items over long distances. It has two keys. One key can lock the box but can't unlock it. The other key can unlock the box but can't lock it.

Nmap

is a network scanner that you can run from the command prompt. It includes many capabilities, including identifying all the active hosts on a network, their IP addresses, the protocols and services running on each host, and each host's operating system.

Hash

is a number derived from performing a calculation on data, such as a message, patch, or file.

Air gap

is a physical security control that ensures that a network is physically isolated from other networks, including the internet.

Threat

is a potential danger. Within the context of risk management, this is any circumstance or event that can compromise the confidentiality, integrity, or availability of data or a system.

Personal information exchange (PFX)

is a predecessor to the P12 certificate format and has the same usage. Administrators often use this format on Windows systems to import and export certificates.

Hardware security module (HSM)

is a removable or external device that can generate, store, and manage RSA keys used in asymmetric encryption. Many server-based applications use an HSM to protect keys. A microSD HSM is an HSM device installed on a microSD chip and can be installed on any device with a microSD or SD slot.

Risk control self assessment

is a risk control assessment, but employees perform it.

sn1per

is a robust automated scanner used for vulnerability assessments and to gather information on targets during penetration testing. It combines the features of many common tools into a single application.

Dual supply

is a second power supply that can power a device if the primary power supply fails.

IPsec

is a secure encryption protocol used with VPNs.

Two person integrity

is a security control that requires the presence of at least two authorized individuals to perform tasks.

Tailgating

is a social engineering tactic that occurs when one user follows closely behind another user without using credentials.

Cloud Access Security Broker (CASB)

is a software tool or service deployed between an organization's network and the cloud provider. It provides security by monitoring traffic and enforcing security policies.

Spraying attack

is a special type of brute force or dictionary attack designed to avoid being locked out.

Directory traversal

is a specific type of injection attack that attempts to access a file by including the full directory path or traversing the directory structure on a computer. For example, in Unix systems, the passwd file includes user logon information, and it is stored in the /etc directory with a full directory path of /etc/passwd. Attackers can use commands including the path to the file (such as ../../etc/passwd or /etc/passwd) to read it.

Wi-Fi Direct

is a standard that allows devices to connect without a wireless access point or wireless router.

Logic bomb

is a string of code embedded into an application or script that will execute in response to an event. The event might be a specific date or time, or a user action such as when a user launches a specific program.

OpenSSH

is a suite of tools that simplify the use of SSH to connect to remote servers securely. It also supports the use of SCP and SFTP to transfer files securely. While it is open source, many commercial products have integrated it into their applications.

honeypot

is a sweet-looking server - at least it's intended to look sweet to the attacker, similar to how honey looks sweet to a bear. It's a server that is left open or appears to have been locked down sloppily, allowing an attacker relatively easy access. It diverts the attacker away from the live network.

Managed Security Service Provider (MSSP)

is a third party vendor that provides security services for an organization.

Downgrade attack

is a type of attack that forces a system to downgrade security. The attacker exploits the lesser security control.

Ransomware

is a type of malware that takes control of a user's system or data. Criminals use it to attempt to extort payment from the victim. It often includes threats of damage to the user's system or data if the victim does not pay the ransom, and attackers increasingly target hospitals, cities, and other larger organizations.

Nessus

is a vulnerability scanner developed by Tenable Network Security. It uses plug-ins to perform various scans against both Windows and Unix systems and is often used for configuration checks.

Cross-site scripting (XSS)

is a web application vulnerability that allows attackers to inject scripts into webpages.

WinHex

is a Windows-based hexadecimal editor used for evidence gathering, data analysis, editing, recovery of data, and data removal. It can work with data on all drives, such as hard drives, CDs, and DVDs.

Rogue access point

is an AP placed within a network without official authorization. It might be installed by an employee who is bypassing security or by an attacker.

LAMP

is an acronym for Linux, Apache, MySQL, and PHP (or Perl or Python). Linux is the operating system, Apache is the web server application, and MySQL is the database management system. Developers create dynamic webpages with a scripting language such as PHP (short for PHP: Hypertext Preprocessor), Perl, or Python.

Penetration test

is an active test that can assess deployed security controls and determine the impact of a threat. It starts with reconnaissance and then tries to exploit vulnerabilities by attacking or simulating an attack. Intrusive and active.

Service Level agreement (SLA)

is an agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels. Organizations use these when contracting services from service providers, such as internet service providers (ISPs).

MAC flooding

is an attack against a switch that attempts to overload it with different MAC addresses associated with each physical port. You typically have only one device connected to any physical port. During normal operation, the switch's internal table stores the MAC address associated with this device and maps it to the port.

denial of service (DoS) attack

is an attack from one attacker against one target.

VM escape

is an attack that allows an attacker to access the host system from within the virtual system.

ARP poisoning

is an attack that attempts to mislead systems about the actual MAC address of a system. It is sometimes used in on-path attacks.

DLL injection

is an attack that injects a DLL into a system's memory and causes it to run. For example, imagine an attacker creates a DLL named malware.dll that includes several malicious functions. In a successful attack, the attacker attaches this malicious DLL to a running process, allocates memory within the running process, loads the DLL into the allocated memory, and then executes functions within it.

Cross-site request forgery (XSRF or CSRF)

is an attack where an attacker tricks a user into performing an action on a website. The attacker creates a specially crafted HTML link, and the user performs the action without realizing it.

Script Kiddie

is an attacker who uses existing computer scripts or code to launch attacks. Script kiddies typically have very little expertise, sophistication, and funding. By contrast, a hacktivist launches attacks as part of an activist movement to further a cause.

Digital signature

is an encrypted hash of a message. The sender's private key encrypts the hash of the message to create this. The recipient decrypts the hash with the sender's public key. If successful, it provides authentication, non-repudiation, and integrity. Authentication identifies the sender. Integrity verifies the message has not been modified. Non-repudiation prevents senders from later denying they sent an email.

FTPS (File Transfer Protocol Secure)

is an extension of FTP and uses TLS to encrypt FTP traffic.

RAID-6

is an extension of RAID-5. The big difference is that it uses an additional parity block and requires an additional disk. A huge benefit is that the disk subsystem will continue to operate even if two disk drives fail. Requires a minimum of four disks.

Implicit deny

is an important concept to understand, especially in the context of ACLs. It indicates that all traffic that isn't explicitly allowed is implicitly denied.

Business impact analysis

is an important part of a BCP. It helps an organization identify critical systems and components that are essential to the organization's success. These critical systems support mission-essential functions. It also identifies maximum downtime limits for these systems and components, various scenarios that can impact these systems and components, and the potential losses from an incident.

RAID (redundant array of independent disks)

is an inexpensive method used to add fault tolerance and increase availability.

Python

is an interpreted programming language that includes extensive libraries, which simplify many programming tasks. After installing this on a computer, you can enter code in its shell and run it. You can also create files and launch them from the shell. Most of these scripts end with .py.

Quality assurance

is an ongoing process used throughout the lifetime of the project from development and after it is deployed.

cuckoo sandbox

is an open source automated software analysis system. Its primary purpose is to analyze suspicious files, such as suspected malware. Unlike antimalware software that analyzes files in real time, you need to submit files to it.

Metasploit framework

is an open source project that runs on Linux systems. It has data on over 1,600 exploits and includes methods to develop, test, and use exploit code. Rapid7 acquired it in 2009.

BeEF (Browser Exploitation Framework)

is an open source web browser exploitation framework. It focuses on identifying web browser vulnerabilities. Successful attacks allow testers (and attackers) to launch attacks from within an exploited web browser.

SHA-1

is an updated version that creates 160-bit hashes. It is similar to the MD5 algorithm.

NXLog

is another log management tool and is similar to rsyslog and syslog-ng. However, it supports log formats for Windows, such as event log entries. Additionally, it can be installed on both Windows and Linux-like systems. It functions as a log collector, and it can integrate with most SIEM systems.

Embedded system

is any device that has a dedicated function and uses a computer system to perform that function. It includes any devices in the Internet of Things (IoT) category, such as wearables and home automation systems. Some embedded systems use a system on a chip (SoC).

sensitive data

is any kind of data that needs to be protected against unauthorized access.

proprietary data

is data related to ownership, such as patents or trade secrets.

Critical Data

is data that is critical to the success of a mission within an organization. This can be the primary mission of the entire organization or any specific function within the organization.

Birthday Attack

is named after the birthday paradox in mathematical probability theory. The birthday paradox states that for any random group of 23 people, there is a 50 percent chance that two of them have the same birthday. In this attack, the attacker exploits collisions in a hashing algorithm. An attacker attempts to create a password that produces the same hash as the user's actual password.

Computer based training

is on computers or online and allows students to learn at their own pace.

Cleanup

is one of the last steps of a penetration test. It includes removing all traces of the penetration tester's activities: removing any user accounts created on systems in the network, removing any scripts or applications added or installed on systems, removing any files (such as logs or temporary files) created on systems, and reconfiguring all settings modified by testers during the penetration test.

lack of input validation

is one of the most common security issues on web-based applications.

replay attack

is one where an attacker replays data that was already part of a communication session. The attacker first captures data sent over a network between two systems. The attacker modifies the data and then tries to impersonate one of the clients in the original session and send the modified data in session replays. Can occur on both wired and wireless networks.

Single loss expectancy (SLE)

is the cost of any single loss; it identifies the amount of each loss.

eDiscovery

is the identification and collection of electronically stored information. It includes files of any kind, voice mail, social media entries, and website data.

Risk

is the likelihood that a threat will exploit a vulnerability.

Impact

is the magnitude of harm resulting from a risk. It includes the negative results of an event, such as the loss of confidentiality, integrity, or availability of a system or data.

Risk management

is the practice of identifying, monitoring, and limiting risks to a manageable level. It doesn't eliminate risks but instead identifies methods to limit or mitigate them.

Hardening

is the practice of making a system or application more secure than its default configuration. It uses a defense-in-depth strategy with layered security. It includes disabling unnecessary ports and services, implementing secure protocols, keeping a system patched, using strong passwords along with a robust password policy, and disabling default and unnecessary accounts.

phishing

is the practice of sending email to users with the purpose of tricking them into revealing personal information or clicking a link.

Onboarding

is the process of granting new employees access to resources.

Key Escrow

is the process of placing a copy of a private key in a safe environment.

Pivoting

is the process of using various tools to gain additional information. For example, imagine a tester gains access to Homer's computer within a company's network. The tester can then pivot and use Homer's computer to gather information on other computers. Homer might have access to network shares filled with files on nuclear power plant operations.

RAID-5

is three or more disks that are striped together, similar to RAID-0. However, the equivalent of one drive includes parity information. This parity information is striped across each of the drives in RAID-5 and provides fault tolerance. If one of the drives fails, the disk subsystem can read the remaining drives' information and re-create the original data. If two of the drives fail, the data is lost.

checksum

is typically a small piece of data, sometimes only 1 or 2 bits, and is used to quickly verify the integrity of data.

Air gap

isolates one network from another by ensuring there is physical space (literally a gap of air) between all systems.

Certificate authority

issues, manages, validates, and revokes certificates. In some contexts, you might see them referred to by the abbreviation (CA) or by the full name. They can be large, such as Comodo, DigiCert, or Symantec, which are public versions of this. They can also be small, such as a single service running on a server within a private network.

Risk register

lists all known risks for a system or an organization. It's often in a table format or kept as a risk log, and it is a living document. A table format would have predefined columns such as the risk, the risk owner, mitigation measures, the impact, the likelihood of occurrence, and a risk score.

Account audit

looks at the rights and permissions assigned to users and helps enforce the least privilege principle.

Threat types

malicious human threats, accidental human threats, environmental threats.

not all APs are wireless routers

many APs do not have any additional capabilities. They provide connectivity for wireless clients to a wired network but do not have routing capabilities.

or '1' = '1'

many SQL injection attacks use this phrase to create a true condition.

Quantitative risk assessment

measures risk using a specific monetary amount. This monetary amount makes it easier to prioritize risks. It uses specific monetary amounts to identify costs and asset values.

Exploitation frameworks

Metasploit, BeEF (Browser Exploitation Framework), w3af (Web Application Attack and Audit Framework)

Redundancy and Fault Tolerance

methods increase the availability of systems and data. Scalability refers to manually adding or removing resources to a system to scale it up or out. Elasticity refers to dynamically adding or removing resources to a system to scale it.

Phishing simulations

mimic the type of phishing campaigns used by attackers and allow an organization to safely check to see if employees will respond to phishing emails.

Spyware

monitors a user's computer and often includes a keylogger.

Network-Based Intrusion Detection System (NIDS)

monitors activity on the network. An administrator installs NIDS sensors or collectors on network devices such as switches, routers, or firewalls. It is installed on a network appliance. It can also use taps or port mirrors to capture traffic. It cannot monitor encrypted traffic and cannot monitor traffic on individual hosts.

Sensors

monitor the environment and can detect changes. They can detect motion, noise, moisture, temperature changes, and more.

host based firewall

monitors traffic going in and out of a single host, such as a server or a workstation. It monitors traffic passing through the NIC and can prevent intrusions into the computer via the NIC. It provides protection for individual hosts.

Discretionary access control (DAC) scheme

objects, such as files and folders, have an owner, and the owner establishes access for the objects.

Postcondition

occurs after the actor triggers the process. In this case, Lisa's order is placed into the system after she completes the purchase. She'll receive an acknowledgement for her order, and the Billing department may take additional steps to bill her.

Continuous integration

occurs after continuous validation. It refers to the practice of merging code changes into a version control repository regularly.

Integer overflow

occurs if an application receives a numeric value that is too big for the application to handle. The result is that the application gives inaccurate results. As an example, if an application reserves 8 bits to store a number, it can store any value between 0 and 255.

True negative

occurs when an IDS or IPS does not send an alarm or alert, and there is no actual attack.

False negative

occurs when an IDS or IPS fails to send an alarm or alert even though an attack is active.

True positive

occurs when an IDS or IPS sends an alarm or alert after recognizing an attack.

False positive

occurs when an IDS or IPS sends an alarm or alert when there is no actual attack. It incorrectly indicates an attack is occurring when an attack is not active.

buffer overflow

occurs when an application receives more input, or different input, than it expects. The result is an error that exposes system memory that would otherwise be protected and inaccessible. Attacks often include NOP instructions (such as 0x90) followed by malicious code. When successful, the attack causes the system to execute the malicious code. Input validation helps prevent these attacks.

VM sprawl

occurs when an organization has many VMs that aren't appropriately managed.

Collision

occurs when the hashing algorithm creates the same hash from different inputs. This is not desirable.

Hash collision

occurs when the hashing algorithm creates the same hash from different passwords.

authentication

occurs when the user proves the claimed identity (such as with a password) and the credentials are verified.

Virtual Private Network (VPN)

is often used for remote access. Direct-access VPNs allow users to access private networks via a public network. The VPN server is placed in a screened subnet and is reachable through a public IP address, which makes it accessible from any other host on the internet. This server needs to authenticate clients, and a common method is to use an internal Remote Authentication Dial-In User Service (RADIUS) server. When a user logs on, the VPN server sends the user's credentials to the RADIUS server.

Smart card

is often used with dual-factor authentication, where users have something (this) and know something (such as a password or PIN). Smart cards include embedded certificates used with digital signatures and encryption. They are used to gain access to secure locations and to log on to computer systems.

Antivirus Software

once installed, provides protection against malware infection.

Open-Source Intelligence (OSINT)

gathering information using this is one common method that attackers often use before launching an attack. Penetration testers also use its methods to gather information on targets.

dd

is one of the oldest disk imaging tools used for forensics. It is a command available on Linux systems, including Kali Linux.

Broadcast

one-to-all traffic. One host sends traffic to all other hosts on the subnet, using a broadcast address such as 255.255.255.255.

Unicast

one-to-one traffic. One host sends traffic to another host using a destination IP address.

Vendor diversity

organizations sometimes implement policies requiring this to provide cybersecurity resilience. Using more than one vendor for the same supply reduces the organization's risk if that vendor can no longer provide product or service.

Software Compliance/Licensing

organizations typically put in a lot of time and effort when developing software. They make their money back by selling the licenses to use the software. However, if individuals or organizations use the software without a license, the development company loses money.

Scanless

penetration testers often use this. It's a Python-based command-line utility to perform port scans. A benefit is that it uses an online website to perform the scans so that the scans don't come from the tester's IP address.

Routers and stateless firewalls

perform basic filtering with an access control list (ACL). ACLs identify what traffic is allowed and what traffic is blocked. An ACL can control traffic based on networks, subnets, IP addresses, ports, and some protocols. Implicit deny blocks all access that has not been explicitly granted. They can use implicit deny as the last rule in the access control list.

Risk matrix

plots risks onto a graph or chart.

IP location

policies can block access from entire countries or regions based on their IP address. It's also possible to allow specific IP addresses or ranges.

Phases of an incident response

preparation, identification, containment, eradication, recovery, lessons learned.

Separation of Duties

prevents any single person or entity from controlling all the functions of a critical or sensitive process by dividing the tasks between employees. This helps prevent potential fraud such as if a single person prints and signs checks.

Email Non-repudiation

prevents the senders from later denying they sent an email.

SHA-3

previously known as Keccak, is an alternative to SHA-2. The U.S. National Security Agency (NSA) created SHA-1 and SHA-2. This one was created outside of the NSA and was selected in a non-NSA public competition.

SMTP, POP3 and IMAP4

are the primary email protocols. Well-known ports for unencrypted and encrypted traffic (respectively) are: SMTP uses ports 25 and 587, POP3 uses 110 and 95, and IMAP4 uses 143 and 993. HTTP and HTTPS use ports 80 and 443, respectively.

TLS (Transport Layer Security)

protocol is the designated replacement for SSL and should be used instead of SSL for browsers using HTTPS.

authentication

proves an identity with some type of credentials, such as username and password.

Access control systems

provide authorization by granting access to resources based on permissions granted to the proven identity.

Steganography

provides a level of confidentiality by hiding data within other files.

Mean time between failures (MTBF)

provides a measure of a system's reliability and would provide an estimate of how often the systems will experience outages.

Master image

provides a secure starting point for systems. Administrators sometimes create them with templates or with other tools to create a secure baseline. They then use integrity measurements to discover when a system deviates from the baseline.

backdoor

provides another way of accessing a system, similar to how this works in a house and provides another method of entry.

Managed Service Provider

provides any IT services needed by an organization, including security services provided by an MSSP.

integrity

provides assurances that data has not been modified. Hashing ensures that data has retained this.

integrity

provides assurances that data was not changed. It verifies that data has not been modified. Loss of this can occur through unauthorized or unintended changes. Hashing algorithms, such as SHA, calculate hashes to verify integrity. A hash is simply a number created by applying the algorithm to a file or message at different times. By comparing the hashes, you can verify this has been maintained.

Chain of Custody

provides assurances that evidence has been controlled and properly handled after collection. It documents who handled the evidence and when they handled it.

Encryption

provides confidentiality and helps ensure that data is viewable only by authorized users. This applies to any data at rest (such as data stored in a database) or data in transit being sent over a network.

Unauthenticated mode

provides confidentiality, but not authenticity

Encapsulating Security Payload (ESP)

provides confidentiality, integrity, and authentication for VPN traffic. IPsec uses Tunnel mode for VPN traffic and can be identified with protocol ID 50 for ESP. It uses IKE over port 500.

UDP (User Datagram Protocol)

provides connectionless sessions (without a three-way handshake)

Platform as a service (PaaS)

provides customers with a preconfigured computing platform they can use as needed. It provides the customer with an easy to configure operating system, combined with appropriate applications and on demand computing.

Next generation secure web gateway (SWG)

provides proxy services for traffic from clients to internet sites, such as filtering URLs and scanning for malware.

Video surveillance

provides reliable proof of a person's location and activity. It can identify who enters and exits secure areas and can record theft of assets. Many cameras include motion detection and object detection capabilities. CCTV systems can be used as a compensating control in some situations.

Uninterruptible power supplies

provides short term power and can protect against power failures.

Web application firewall

provides strong protection for web servers. They protect against several different types of attacks, focusing on web application attacks.

Shimming

provides the solution that makes it appear that the older drivers are compatible.

Snapshot

provides you with a copy of a VM at a moment in time, which you can use as a backup. You are still able to use the VM just as you normally would. However, after taking a snapshot, the hypervisor keeps a record of all changes to the VM.

test stage

puts the application through its paces and attempts to discover any bugs or errors.

journalctl

queries the Linux system logging utility (journald) and displays log entries from several sources. You can't query journald directly because it stores log data in a binary format, but this displays the data as text.

Full/incremental strategies

reduce the amount of time needed to perform backups.

Risk mitigation

reduces the chances that a threat will exploit a vulnerability or reduces the risk's impact by implementing security controls.

Capabilities

refer to the malware, exploits, and other hacker tools used in the intrusion.

Continuous delivery

refers to a process where code changes are released automatically to a testing or staging environment.

Single Sign-on

refers to a user's ability to log on once and access multiple systems without logging on again. SSO increases security because the user only needs to remember one set of credentials and is less likely to write them down.

telemetry

refers to collecting information such as statistical data and measurements and forwarding it to a centralized system for processing.

strategic intelligence

refers to collecting, processing, and analyzing information to create long term plans and goals.

Lightweight cryptography

refers to cryptographic methods that can be deployed on smaller devices such as wireless devices and IoT devices.

Data masking

refers to modifying data to hide the original content. The primary reason for doing so is to protect sensitive information such as PII. The process retains usable data but converts it to inauthentic data.

data recovery

refers to restoring lost data, such as restoring a corrupt file from a backup. In context of forensics, data recovery goes further. Even without backups, it's often possible to recover data that a user has intentionally or accidentally deleted.

Ephemeral

refers to something that lasts a short time. In the context of cryptography, an ephemeral key has a short lifetime and is re-created for each session.

Host elasticity

refers to the ability to dynamically change resources assigned to the VM.

Host scalability

refers to the ability to resize the computing capacity of the VM.

Risk appetite

refers to the amount of risk an organization is willing to accept. This varies between organization based on their goals and strategic objectives.

Infrastructure

refers to the internet domain names, email addresses, and IP addresses used by the adversary.

Order of volatility

refers to the order in which you should collect evidence. Volatile doesn't mean it's explosive but rather that it is not permanent. In general, you should collect evidence starting with the most volatile and moving to the least volatile.

Data governance

refers to the processes an organization uses to manage, process and protect data. Some of the methods help ensure or improve the quality of data. Other methods are driven by regulation and laws. Properly doing this ensures that critical data elements are identified.

Entropy

refers to the randomness of a cryptographic algorithm. A higher level of randomness results in a higher level of security when using the algorithm. A lack of this results in a weaker algorithm and makes it much easier for the algorithm to be cracked.

Inherent risk

refers to the risk that exists before controls are in place to manage the risk.

Mean time to repair (MTTR)

refers to the time it takes to restore a system. Identifies the average (the arithmetic mean) time it takes to restore a failed system.

lateral movement

refers to the way attackers maneuver throughout a network. As an example, Windows Management Instrumentation (WMI) and PowerShell are frequently used to scan a Windows network.

Provenance

refers to tracing something back to its origin. In the context of digital forensics, hashing and checksums allow you to prove the analyzed copy of data is the same as the original data.

Enterprise Mode

requires an 802.1X server. EAP-FAST supports certificates. PEAP and EAP-TTLS require a certificate on the 802.1X server. EAP-TLS also uses TLS, but it requires certificates on both the 802.1X server and each of the clients. An 802.1X server provides port-based authentication, ensuring that only authorized clients can connect to a device or a network. It prevents rogue devices from connecting.

Job Rotation

requires employees to change roles regularly. Employees must change roles temporarily, such as for three to four weeks, or permanently. This helps ensure that employees cannot continue with fraudulent activity.

Cold site

requires power and connectivity but not much else. Generally if it has a roof, electricity, running water and internet access, you're good to go. The organization brings all the equipment, software, and data to the site when it activates.

Multiparty

risks occur when an organization contracts with an external organization for goods or services.

Evil Twin

rogue access point with the same SSID (or similar) as a legitimate access point.

Access control lists (ACL)

rules implemented on a router (and on firewalls) to identify what traffic is allowed and what traffic is denied.

fileless viruses

run in memory instead of from a file on a disk. They are often scripts that are injected into legitimate programs. They can also be hidden in vCards.

Credentialed Scans

run under the context of a valid account and can get more detailed information on targets, such as the software versions of installed applications. They are typically more accurate than non-credentialed scans and result in fewer false positives.

Container virtualization

runs services or applications within isolated containers or application cells.

Dumpster divers

search through trash looking for information.

worm

self-replicating malware that travels throughout a network without the assistance of a host application or user interaction.

Remote wipe

sends a signal to a lost or stolen device to erase all data.

Virtual Local Area Networks (VLAN)

separate or segment traffic on physical networks, and you can create multiple VLANs with a single Layer 3 switch. A VLAN can logically group several computers together or logically separate them regardless of their physical location. VLANs are also used to separate traffic types, such as putting voice traffic on one VLAN and data traffic on another.

managed power distribution units

server racks within a data center house multiple computing devices, and it's common to mount one of these units in each rack to power and monitor the devices.

Netstat -p protocol

shows statistics on a specific protocol, such as TCP or UDP. For example, you could use netstat -p tcp to show only TCP stats.

time-based one-time password (TOTP)

similar to HOTP, but it uses a timestamp instead of a counter. One time passwords created by this typically expire after 30 seconds, but the time is adjustable.

War flying

similar to war driving, but instead of walking or driving around, people fly around in private planes. In some cases, people have intercepted wireless transmissions at altitudes of 2,500 feet. Most of these transmissions use 2.4 GHz, which travels farther than 5 GHz signals.

Staging

simulates the production environment and is used for late-stage testing.

development stage

software developers use an isolated development environment to create the application

Token key

sometimes called a key fob or just token, is an electronic device about the size of a remote key for a car.

on path attack

sometimes referred to as a man-in-the-middle attack, is a form of active interception or active eavesdropping. It uses a separate computer that accepts traffic from each party in a conversation and forwards the traffic between the two. The two computers are unaware of the attacking computer, but the attacker can interrupt the traffic at will, insert malicious code, or simply eavesdrop.

DHCP snooping

sounds malicious, but it's actually a preventive measure. The primary purpose is to prevent unauthorized DHCP servers (often called rogue DHCP servers) from operating on a network. You enable it on layer 2 switch ports.

Disable policy

specifies how to manage accounts in different situations. For example, most organizations require administrators to disable user accounts as soon as possible when employees leave the organization.

Least privilege

specifies that individuals or processes are granted only the rights and permissions needed to perform their assigned tasks or functions. Implementing it limits the potential losses if any individual or process is compromised.

Differential backup

starts with a full backup. After the full backup, differential backups back up data that has changed or is different since the last full backup.

Wildcard

starts with an asterisk (*) and can be used for multiple names under the same domain. For example, Google uses a wildcard certificate issued to *.google.com, which is also valid for names such as accounts.google.com and support.google.com. These certificates reduce the administrative burden of managing multiple certificates. Note that the wildcard covers exactly one label: *.google.com does not cover google.com itself or a deeper name such as a.b.google.com.
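The name-matching rule a browser applies to a wildcard certificate, as an added example (not code from the original flashcards). It implements the RFC 6125 rules for dNSName matching; the rejection of very short wildcards such as *.com is a simplification of the public-suffix checks real clients perform, and the `covered_by` helper and its example name lists are assumptions for illustration.

```python
def name_matches(cert_name: str, host: str) -> bool:
    """Return True if `host` is covered by the certificate name `cert_name`,
    which may be a wildcard such as *.example.com.

    Rules (RFC 6125 style, as browsers apply them):
      * comparison is case-insensitive and ignores a trailing dot
      * the wildcard must be the entire left-most label and matches exactly
        one label: *.example.com covers www.example.com but not example.com
        itself and not a.b.example.com
      * a wildcard needs at least two labels after it, so *.com is rejected
        (a simplification of the public-suffix rules real clients use)
    """
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == host
    suffix = cert_name[1:]                  # ".example.com"
    if suffix.count(".") < 2:               # "*.com" is too broad
        return False
    if not host.endswith(suffix):
        return False
    leading = host[: -len(suffix)]          # the part the '*' would have to match
    return bool(leading) and "." not in leading and "*" not in leading


def covered_by(cert_names, host: str) -> bool:
    """A certificate usually lists several names (its subjectAltName entries);
    the host is covered if any one of them matches."""
    return any(name_matches(n, host) for n in cert_names)
```

Because the bare domain is not covered by the wildcard, certificates for a site like google.com are typically issued with both google.com and *.google.com listed, which is what the `covered_by` check models.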

WPA2

supports CCMP (based on AES) and replaced earlier wireless cryptographic protocols.

Public Key Infrastructure (PKI)

supports issuing and managing certificates.

Zero-day exploits

take advantage of vulnerabilities that don't have available patches, either because vendors don't know about the vulnerability or because they haven't written patches to fix it yet. They can evade up-to-date antivirus software.

spear phishing

a targeted form of phishing. Instead of sending the email to everyone indiscriminately, a spear phishing attack targets specific groups of users, or even a single user. Attacks may target employees within a company or customers of a company.

Known environment testing

testers have full knowledge of the environment before starting this test. For example, they would have access to product documentation, source code, and possibly even logon details.

Partially known environment testing

testers have some knowledge of the environment prior to this test. For example they might have access to some network documentation but not know the full network layout.

Residual risk

the amount of risk that remains after managing or mitigating risk to an acceptable level.

production

the application goes live as the final project. Includes everything needed to support the application and allow customers to use it.

ARP reply

the computer with the IP address in the ARP request responds with its MAC address. The computer that sent the ARP request caches the MAC address for the IP. In many operating systems, all computers that hear this also cache the MAC address.

Review

the final phase of a disaster recovery plan, used to identify lessons learned; it may include an update of the plan.

Warm site

the Goldilocks option: not too hot, not too cold, just right. Hot sites are generally too expensive for most organizations, and cold sites sometimes take too long to configure for full operation. The warm site is a compromise that an organization can tailor to meet its needs.

Mitigation

the organization implements controls to reduce risks. These controls either reduce the vulnerabilities or reduce the impact of the threat.

Transference

the organization transfers the risk to another entity or at least shares the risk with another entity.

Host

the physical system hosting the VMs. It requires more resources than a typical system, such as multiple processors, large amounts of RAM, fast and abundant disk space, and one or more fast network cards.

War driving

the practice of looking for a wireless network. Although it is more common in cars, you can just as easily do it by walking around in a large city. Attackers use this to discover wireless networks that they can exploit and often use directional antennas to detect wireless networks with weak signals. Administrators use this as part of a wireless audit.

/var/log/syslog

the syslog file stores all system activity, including startup activity.

Data exfiltration

the unauthorized transfer of data out of a network. Data loss prevention (DLP) techniques and technologies can block the use of USB devices to prevent data loss and monitor outgoing email traffic for unauthorized data transfers.

Iris and retina scanners

these are the strongest biometric methods mentioned.

all wireless routers are APs

these are APs with an extra capability---routing

Bcrypt, PBKDF2, and Argon2

these are key stretching techniques that help thwart brute force and rainbow table attacks. They salt the password with additional random bits and then run the result through a cryptographic function many times, so each guess costs the attacker far more work and precomputed tables built for unsalted passwords are useless.
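Salting and stretching in working code, as an added example (not code from the original flashcards). It uses PBKDF2-HMAC-SHA256 because that is the one of the three techniques available in the Python standard library; bcrypt and Argon2 need the third-party `bcrypt` and `argon2-cffi` packages but follow the same store-the-parameters-with-the-hash pattern. The storage string format is an assumption; the 600,000 iteration floor is OWASP's 2023 recommendation for this algorithm.

```python
import hashlib
import hmac
import os
from typing import Optional

# OWASP's 2023 Password Storage Cheat Sheet recommends at least 600,000
# iterations for PBKDF2-HMAC-SHA256. Raise it as hardware gets faster.
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Salt the password with random bytes, then stretch it by running
    PBKDF2-HMAC-SHA256 `iterations` times. The result is stored together
    with its parameters so the cost can be raised later without a flag day.
    (Storage format "scheme$iterations$salt$hash" is this example's choice.)"""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                  iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key with the stored salt and iteration count and
    compare in constant time so a mismatch does not leak where it differs."""
    scheme, iterations, salt_hex, derived_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme: {scheme}")
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(derived, bytes.fromhex(derived_hex))


def needs_rehash(stored: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True if a stored hash was produced with a weaker cost than current
    policy. Call it after a successful login, when the plaintext is available,
    and re-hash so old records are upgraded over time."""
    return int(stored.split("$")[1]) < minimum_iterations
```

Two users with the same password get different stored values because each gets a fresh random salt, which is exactly what defeats a rainbow table: the attacker would need a separate table per salt.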

Domain validation

these certificates indicate that the certificate requestor has some control over the DNS domain. The CA takes extra steps to contact the requestor, such as by email or telephone. The intent is to give clients additional evidence that the certificate and the organization are trustworthy.

Data sanitization

these methods ensure that data is removed or destroyed from devices before the devices are disposed of. A computing device's life cycle starts when it's put into service and ends when it is disposed of. Information also has a life cycle: it begins when the data is created and should end when the data is no longer needed. If computing devices aren't sanitized when they reach the end of their life cycle, unauthorized entities may gain access to the data.

Security Orchestration, Automation, and Response (SOAR)

these platforms use internal tools to respond to low-level security events automatically, reducing administrator workload. A playbook provides a checklist of things to check for suspected incidents. A runbook implements the playbook checklist using the tools available within the organization.

Mandatory Vacation

these policies help detect when employees are involved in malicious activity, such as fraud or embezzlement. Requires employees to take time away from their job.

Vein matching

these systems identify individuals using near-infrared light to view their veins. Most of these systems scan the veins in an individual's palm, because the palm has more veins than a finger.

Authentication, authorization and accounting (AAA)

these work together with identification to provide a comprehensive access management system. If you understand identification (claiming an identity, such as with a username) and authentication (proving the identity, such as with a password), it's easier to add in the other two elements of AAA.

pipe operator (|)

this allows you to send the results of the first command (sudo cat /var/log/auth.log) to the second command (more). It displays the log one page at a time.

Trojan

this appears to be something useful but includes a malicious component, such as installing a backdoor on a user's system. Many are delivered via drive-by downloads. They can also infect systems from fake antivirus software, pirated software, games and browser extensions.

malicious Universal Serial Bus (USB)

this cable has an embedded Wi-Fi controller capable of receiving commands from nearby wireless devices, such as a smartphone. A computer detects it as a Human Interface Device, as if it were a keyboard or mouse. If an attacker can connect to the malicious USB cable, they can send commands to the computer.

memdump

this can dump any addressable memory space to the terminal or redirect the output to a dump file.

P7B

this certificate format uses PKCS version 7 (PKCS#7) and is Base64-encoded ASCII. P7B files are commonly used to share public keys (often with the certificate chain) together with proof of identity of the certificate holder. Recipients use the public keys to encrypt data for the holder or to verify the holder's signatures.

sudo

this command (short for "superuser do") allows you to run a command with root, or elevated, privileges, assuming you have permission to do so. In many cases, a command displays "permission denied" if you don't use it. Running sudo cat /var/log/auth.log shows the entire contents of the auth.log file, scrolling so fast that you can't see the beginning of the file.

sha1sum

this command creates SHA-1 hashes of files and can compare them against a saved list of hashes (sha1sum -c). SHA-1 is no longer collision resistant, so sha256sum is preferred where an attacker might be able to choose the input.
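The hash-verification step behind both the Provenance entry above (proving the analyzed copy matches the original) and sha1sum -c, as an added example that is not part of the original flashcards. It parses the two-space "digest  filename" manifest format that the GNU coreutils sha1sum/sha256sum tools emit; the sample manifest and file contents are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

CHUNK = 64 * 1024


def digest(data: bytes, algorithm: str = "sha1") -> str:
    """Hex digest of `data`, fed in chunks the way you would stream a large
    evidence image from disk rather than loading it all at once."""
    h = hashlib.new(algorithm)
    for i in range(0, len(data), CHUNK):
        h.update(data[i:i + CHUNK])
    return h.hexdigest()


def parse_manifest(text: str) -> List[Tuple[str, str]]:
    """Parse the '<hexdigest>  <filename>' lines that sha1sum/sha256sum emit
    (two spaces; a leading '*' on the name marks binary mode)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hexdigest, _, name = line.partition("  ")
        entries.append((hexdigest.lower(), name.lstrip("*")))
    return entries


def verify_manifest(manifest: str, files: Dict[str, bytes],
                    algorithm: str = "sha1") -> Dict[str, str]:
    """Like `sha1sum -c`: report OK, FAILED or MISSING for every manifest
    entry. `files` maps a name to the bytes of the copy under analysis."""
    results = {}
    for expected, name in parse_manifest(manifest):
        if name not in files:
            results[name] = "MISSING"
        elif hmac.compare_digest(digest(files[name], algorithm), expected):
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


# Constructed sample: a manifest recorded at acquisition time and the copy
# that is now being analyzed. notes.txt was modified after acquisition.
SAMPLE_MANIFEST = """\
# sha1sum output recorded when the evidence was acquired
a9993e364706816aba3e25717850c26c9cd0d89d  evidence.img
0000000000000000000000000000000000000000  notes.txt
a9993e364706816aba3e25717850c26c9cd0d89d  missing.bin
"""
SAMPLE_FILES = {
    "evidence.img": b"abc",
    "notes.txt": b"edited after acquisition",
}

if __name__ == "__main__":
    for name, status in verify_manifest(SAMPLE_MANIFEST, SAMPLE_FILES).items():
        print(f"{name}: {status}")
```

The manifest itself must be protected (signed, or stored with the chain-of-custody records) for the check to prove anything: a tampered copy and a tampered manifest will happily agree with each other.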

pathping

this command combines the functions of the ping and tracert commands. The tracert function identifies all hops (routers) on the path. The ping function then sends pings to each router and computes statistics based on the number of responses.

ssh-copy-id

this command copies the public key to a remote server.

cat

this command is short for concatenate and is used to display contents of files. It has other uses, such as making copies of a file or merging multiple files into one, but it's one of the easiest ways to view a file's contents.

curl (client URL)

this command is used to transfer and retrieve data to and from servers, such as web servers.

Dnsenum

this command will enumerate (or list) Domain Name System (DNS) records for domains. It lists the DNS servers holding the records and identifies the mail servers (if they exist) by listing the mx records.

hping

this command you can use to send pings using TCP, UDP, or ICMP.

Security log

this functions as an audit log, and an access log. It records auditable events such as successes or failures. Success indicates an audited event completed successfully, such as a user logging on or successfully deleting a file. Failure means that a user tried to perform an action but failed, such as failing to log on or attempting to delete a file but receiving a permission error instead.

Mandatory access control (MAC)

this scheme uses labels (sometimes referred to as sensitivity labels or security labels) assigned to both users and data to determine access. It is commonly used when access needs to be restricted based on a need to know. Sensitivity labels often reflect the classification levels of data and the clearances granted to individuals.
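A label-based access decision, as an added example that is not part of the original flashcards. It encodes the Bell-LaPadula rules that classic MAC systems enforce: a subject may read an object only if its clearance dominates the object's label (level at least as high and every need-to-know category present), and may write only to objects whose label dominates its own, so classified data cannot flow down. The level names and the category names in the tests are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import FrozenSet

# Hierarchical sensitivity levels, lowest to highest.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a classification level plus a set of need-to-know
    categories (compartments). The same type serves as a user's clearance
    and as a data object's sensitivity label."""
    level: str
    categories: FrozenSet[str] = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """self >= other: at least as high a level AND every category of
        `other` is present. Labels with differing categories may be
        incomparable, in which case neither dominates the other."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property ("no read up"): the subject's clearance must
    dominate the object's label."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property ("no write down"): a subject may only write to objects whose
    label dominates its own, so SECRET data cannot be copied into a
    CONFIDENTIAL file."""
    return obj.dominates(subject)


def decide(subject: Label, obj: Label, action: str) -> bool:
    """Access decision for a single request; the object's owner has no say,
    which is what makes the control mandatory rather than discretionary."""
    if action == "read":
        return can_read(subject, obj)
    if action == "write":
        return can_write(subject, obj)
    raise ValueError(f"unknown action {action!r}")
```

Note the need-to-know effect in the category check: a SECRET-cleared analyst with the NUCLEAR compartment still cannot read a SECRET document in the CRYPTO compartment, even though the levels are equal.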

Continuous validation

this stage revalidates code after every change. As a simple example, imagine code has a module that receives two numbers and returns a result. Code changes shouldn't break this module, but sometimes they do. Revalidating the code after every change lets developers see problems as soon as they occur.

Retina scanners

this uses the pattern of blood vessels at the back of the eye for recognition.

Account lockout policies

thwart some password attacks, such as brute force and dictionary attacks, by locking an account after a set number of failed logon attempts. Separately, many applications and devices have default passwords; these should be changed before the application or device is put into service.

Mobile device management (MDM)

tools help enforce security policies on mobile devices. This includes the use of storage segmentation, containerization, and full device encryption to protect data.

SMTP (Simple Mail Transfer Protocol)

transfers email between clients and SMTP servers, and between SMTP servers. SMTP uses TCP port 25 for unencrypted email and port 587 for email submission encrypted with TLS.

POP3 and Secure POP (Post Office Protocol v3 (POP3))

transfers emails from servers down to clients.

NAT (network address translation)

translates private IP addresses to public IP addresses and public IP addresses back to private. A common form of NAT is Port Address Translation (PAT). Dynamic NAT uses a pool of multiple public IP addresses, while static NAT maps to a single public IP address.

HTTP (Hypertext Transfer Protocol)

transmits web traffic on the internet and in intranets. Web servers use HTTP to transmit webpages to clients' web browsers, and Hypertext Markup Language (HTML) is the common language used to display webpages. HTTP uses TCP port 80.

approved lists, block lists

two additional methods used as endpoint security solutions. They can help protect hosts, including workstations, servers and mobile devices.

Nslookup and dig

two command-line tools used to test DNS. Microsoft systems include nslookup and Linux systems include dig. They can be used to query specific records, such as mail servers. When a domain has multiple mail servers, the lowest preference number identifies the primary mail server.

Bash scripts

typically call either /bin/bash or /bin/sh.

Two-step verification

typically uses a PIN retrieved from a user's smartphone. The PIN can be sent via SMS, a phone call, or a push notification, or retrieved from an authentication application.

Non-transparent proxy servers

use URL filters to restrict access to certain sites. Both transparent and non-transparent proxies can log user activity.

Complex passwords

use a mix of character types

strong passwords

use a mix of character types and have a minimum password length of at least eight characters.

PowerShell cmdlets

use a verb-noun structure, such as Invoke-Command.

Extended validation

uses additional steps beyond domain validation. Some browsers used to display the name of the company before the URL when an EV certificate was in use, but most web browsers have stopped doing so, and use of these certificates is declining. Part of the reason is that the absence of the company name doesn't mean anything to many users. Think of a user who clicks on a phishing email: they probably don't know to look for a company name next to the URL, so its absence doesn't alarm them.

Iris scanners

use camera technologies to capture the patterns of the iris around the pupil for recognition.

Technical controls

use technology such as hardware, software, and firmware to reduce vulnerabilities. Examples include encryption, antivirus software, IDSs, IPSs, firewalls, and enforcement of the least privilege principle.

Network reconnaissance and discovery methods

use tools to send data to systems and analyze the responses. This phase typically starts by using various scanning tools such as network scanners and vulnerability scanners.

Route command

used to display or modify a system's routing table on both Windows and Linux systems.

IPSec (Internet Protocol Security)

used to encrypt traffic. It is native to IPv6 but also works with IPv4. It encapsulates and encrypts IP packet payloads and uses Tunnel mode to protect virtual private network (VPN) traffic.

IMAP4 and Secure IMAP (Internet Message Access Protocol version 4)

used to store email on an email server and it allows users to organize and manage email in folders on the server.

Geolocation

uses GPS to identify a device's location.

logger

you are writing a script that will perform backups on a Linux system and you plan to schedule the script to run after midnight daily. You want to ensure that the script records when the backup starts and when the backup ends. Which of the following is the BEST choice to meet this requirement? This command is used to add entries to the /var/log/syslog file from the terminal or from scripts and applications. Administrators sometimes use it before and after performing an operation, such as a backup, so the log records when it started and finished.

route print

you can see all the paths known by the computer to other networks

head

you want to verify that the syslog file is being rotated successfully on a Linux system. Which of the following commands is the BEST choice to use?

