CompTIA Security+
POP (Post Office Protocol)
TCP port 110 protocol that enables a client to access email messages stored in a mailbox on a remote server. The server usually deletes messages once the client has downloaded them.
EOL (end of life)
Product life cycle phase where sales are discontinued and support options reduced over time.
EOSL (end of service life)
Product life cycle phase where support is no longer available from the vendor.
code of conduct
Professional behavior depends on basic ethical standards, such as honesty and fairness. Some professions may have developed codes of ethics to cover difficult situations; some businesses may also have a code of ethics to communicate the values it expects its employees to practice.
backdoor
A mechanism for gaining access to a computer that bypasses or subverts the normal method of authentication.
smart meter
A utility meter that can submit readings to the supplier without user intervention.
attack framework
Models and tools used to analyze threat actor tactics, techniques, and procedures.
carrier unlocking
Removing restrictions placed on a handset that was sold by a telecoms provider.
MTBF (mean time between failures)
The rating on a device or component that predicts the expected time between failures.
A client and server have agreed on the use of the cipher suite ECDHE-ECDSA-AES256-GCM-SHA384 for a TLS session. What is the key strength of the symmetric encryption algorithm?
256-bit (AES).
hashing
A function that converts an arbitrary length string input to a fixed length string output. A cryptographic hash function does this in a way that reduces the chance of collisions, where two different inputs produce the same output. Also referred to as message digest.
WEP (Wired Equivalent Privacy)
A legacy mechanism for encrypting data sent over a wireless connection.
zero-fill
A method of sanitizing a drive by setting all bits to zero.
amplification attack
A network-based attack where the attacker dramatically increases the bandwidth sent to a victim during a DDoS attack by implementing an amplification factor. Sometimes referred to as a Distributed Reflection Denial of Service (DRDoS) attack.
stateful inspection
A technique used in firewalls to analyze packets down to the application layer rather than filtering packets only by header information, enabling the firewall to enforce tighter security.
MAC flooding
A variation of an ARP poisoning attack where a switch's cache table is inundated with frames from random source MAC addresses.
fingerprint scanner
Biometric authentication device that can produce a template signature of a user's fingerprint then subsequently compare the template to the digit submitted for authentication.
Why is it vital to ensure the security of an organization's DNS service?
DNS resolves domain names. If it were to be corrupted, users could be directed to spoofed websites. Disrupting DNS can also perform denial of service.
IoT (Internet of Things)
Devices that can report state and configuration data and be remotely managed over IP networks.
dump file
File containing data captured from system memory.
Cuckoo
Implementation of a sandbox for malware analysis.
intelligence fusion
In threat hunting, using sources of threat intelligence data to automate detection of adversary IoCs and TTPs.
What steps should be taken to enroll a new employee on a domain network?
Perform checks to confirm the user's identity, issue authentication credentials securely, assign appropriate permissions/privileges to the account, and ensure accounting mechanisms to audit the user's activity.
What type of organizational policies ensure that at least two people have oversight of a critical business process?
Shared authority, job rotation, and mandatory enforced vacation/holidays.
sflow
Web standard for using sampling to record network traffic statistics.
ASCII
7-bit code page mapping binary values to character glyphs. Standard ASCII can represent 127 characters, though some values are reserved for non-printing control characters.
What is a VDE?
A Virtual Desktop Environment (VDE) is the workspace presented when accessing an instance in a virtual desktop infrastructure (VDI) solution. VDI is the whole solution (host server and virtualization platform, connection protocols, connection/session broker, and client access devices).
ipconfig command
A Windows-based utility used to gather information about the IP configuration of a workstation.
differential backup
A backup type in which all selected files that have changed since the last full backup are backed up.
incremental backup
A backup type in which all selected files that have changed since the last full or incremental backup (whichever was most recent) are backed up.
full backup
A backup type in which all selected files, regardless of prior state, are backed up.
What is a hardened configuration?
A basic principle of security is to run only services that are needed. A hardened system is configured to perform a role as client or application server with the minimal possible attack surface, in terms of interfaces, ports, services, storage, system/registry permissions, lack of security controls, and vulnerabilities.
least privilege
A basic principle of security stating that something should be allocated the minimum necessary rights, privileges, or information to perform its role.
UPS (Uninterruptible Power Supply)
A battery-powered device that supplies AC power that an electronic device can use in the event of power failure.
brownout
A brownout occurs when the power that is supplied by the electrical wall socket is insufficient to allow the computer to function correctly. Brownouts are long sags in power output that are often caused by overloaded or faulty grid distribution circuits or by a failure in the supply route from electrical power station to a building.
MEF (mission essential function)
A business or organizational activity that is too critical to be deferred for anything more than a few hours, if at all.
managerial control
A category of security control that gives oversight of the information system.
operational control
A category of security control that is implemented by people.
certificate extensions
A certificate field defined by version 3 of the X.509 standard that enables additional information to be included about a certificate.
NTLM authentication (NT LAN Manager authentication)
A challenge-response authentication protocol created by Microsoft for use in its products.
In organizational policies, what two concepts govern change?
A change control process governs the way changes are requested and approved. A change management process governs the way that planned change is implemented and the way unplanned change is handled.
SSID (service set identifier)
A character string that identifies a particular wireless LAN (WLAN).
PFS (perfect forward secrecy)
A characteristic of transport encryption that ensures if a key is compromised the compromise will only affect a single session and not facilitate recovery of plaintext data from other sessions.
playbook
A checklist of actions to perform to detect and respond to a specific type of incident.
key fob
A chip implanted in a plastic fob. The chip can store authentication data (such as a digital certificate) that can be read when put in proximity with a suitable scanner. Another use for fobs is to generate a One Time Password, valid for a couple of minutes only and mathematically linked to a code generated on a server.
asymmetric algorithm
A cipher that uses public and private keys. The keys are mathematically linked, using either Rivest, Shamir, Adleman (RSA) or elliptic curve cryptography (ECC) algorithms, but the private key is not derivable from the public one. An asymmetric key cannot reverse the operation it performs, so the public key cannot decrypt what it has encrypted, for example.
rootkit
A class of malware that modifies system files, often at the kernel level, to conceal its presence.
SPoF (single point of failure)
A component or system that would cause a complete interruption of a service if it failed.
ISO/IEC 31K (International Organization for Standardization 31000 Series)
A comprehensive set of standards for enterprise risk management.
embedded system
A computer system that is designed to perform a specific, dedicated function, such as a microcontroller in a medical drip or components in a control system managing a water treatment plant.
data emanation
A concern for wireless media, as the signals can be received for a considerable distance and shielding/containment is not a realistic option in most environments.
DHCP snooping
A configuration option that enables a switch to inspect DHCP traffic to prevent MAC spoofing.
dashboard
A console presenting selected information in an easily digestible format, such as a visualization.
Which sanitization solution meets all the following requirements: compatible with both HDD and SSD media, fast operation, and leaves the media in a reusable state?
A crypto erase or Instant Secure Erase (ISE) sanitizes media by encrypting the data and then erasing the cryptographic key.
self-signed certificate
A digital certificate that has been signed by the entity that issued it, rather than by a CA.
tabletop exercise
A discussion of simulated emergency situations and security incidents.
What is a tabletop exercise?
A discussion-based drill of emergency response procedures. Staff may role-play and discuss their responses but actual emergency conditions are not simulated.
SED (self-encrypting drive)
A disk drive where the controller can automatically encrypt data that is written to it.
EMI (electromagnetic interference)
A disruption of electrical current that occurs when a magnetic field around one electrical circuit interferes with the signal being carried on an adjacent circuit.
RIP (Routing Information Protocol)
A distance vector-based routing protocol that uses a hop count to determine the distance to the destination network.
risk register
A document highlighting the results of risk assessments in an easily comprehensible format (such as a "traffic light" grid). Its purpose is for department managers and technicians to understand risks associated with the workflows that they manage.
What is a risk register?
A document highlighting the results of risk assessments in an easily comprehensible format (such as a heat map or "traffic light" grid). Its purpose is for department managers and technicians to understand risks associated with the workflows that they manage.
call list
A document listing authorized contacts for notification and collaboration during a security incident.
certificate policy
A document that defines the different types of certificates issued by a CA.
DRP (disaster recovery plan)
A documented and resourced plan showing actions and responsibilities to be used in response to critical incidents.
What type of attack against HTTPS aims to force the server to negotiate weak ciphers?
A downgrade attack.
screened host
A dual-homed proxy/gateway server used to provide Internet access to other network nodes, while protecting them from external attack.
image
A duplicate of an operating system installation (including installed software, settings, and user data) stored on removable media. Windows makes use of image-based backups and they are also used for deploying Windows to multiple PCs rapidly.
OTA (over the air)
A firmware update delivered on a cellular data connection.
white hat
A hacker engaged in authorized penetration testing or other security consultancy.
XSRF (cross-site request forgery)
A malicious script hosted on the attacker's site that can exploit a session started on another site in the same browser. Also referred to as client-side request forgery (CSRF).
Trojan
A malicious software program hidden within an innocuous-seeming piece of software. Usually, the Trojan is used to try to compromise the security of the target computer.
reverse shell
A maliciously spawned remote command shell where the victim host opens the connection to the attacking host.
beaconing
A means for a network node to advertise its presence and establish a link with other nodes, such as the beacon management frame sent by an AP. Legitimate software and appliances do this but it is also associated with Remote Access Trojans (RAT) communicating with a Command & Control server.
IPS (Indoor Positioning System)
A means of deriving a device's location when indoors, by triangulating its proximity to radio sources such as Bluetooth beacons or WAPs.
black hole
A means of mitigating DoS or intrusion attacks by silently dropping (discarding) traffic.
HMAC (hash-based message authentication code)
A method used to verify both the integrity and authenticity of a message by combining a cryptographic hash of the message with a secret key.
What is containerization?
A mobile app or workspace that runs within a partitioned environment to prevent other (unauthorized) apps from interacting with it.
A threat actor gained access to a remote network over a VPN. Later, you discover footage of the user of the hacked account being covertly filmed while typing their password. What type of endpoint security solution might have prevented this breach?
A mobile device management (MDM) suite can prevent use of the camera function of a smartphone.
GCM (Galois/Counter Mode)
A mode of block chained encryption that provides message authenticity for each block.
purple team
A mode of penetration testing where red and blue teams share information and collaborate throughout the engagement.
kill chain
A model developed by Lockheed Martin that describes the stages by which a threat actor progresses a network intrusion.
What is EAPoL?
A network access server that supports 802.1X port-based access control can enable a port but allow only the transfer of Extensible Authentication Protocol over LAN (EAPoL) traffic. This allows the supplicant and authentication server to perform the authentication process, with the network access server acting as a pass-thru.
collector
A network appliance that gathers or receives log and/or state data from other network systems.
SAN (storage area network)
A network dedicated to data storage, typically consisting of storage devices and servers connected to switches via host bus adapters.
router
A network device that links dissimilar networks and can support multiple alternate paths between locations, selected on the basis of parameters such as speed, traffic loads, and price.
LDAP (Lightweight Directory Access Protocol)
A network protocol used to access network directory databases, which store information about authorized users and their privileges, as well as other organizational information.
directory service
A network service that stores identity information about all the objects in a particular network, including users, groups, servers, client computers, and printers.
DNS poisoning (Domain Name System poisoning)
A network-based attack where an attacker exploits the traditionally open nature of the DNS system to redirect a domain name to an IP address of the attacker's choosing.
ARP poisoning
A network-based attack where an attacker with access to the target local network segment redirects an IP address to the MAC address of a computer that is not the intended recipient. This can be used to perform a variety of attacks, including DoS, spoofing, and Man-in-the-Middle. Sometimes referred to as ARP spoofing.
PtH attack (pass the hash attack)
A network-based attack where the attacker steals hashed user credentials and uses them as-is to try to authenticate to the same network the hashed credentials originated on.
rule-based access control
A non-discretionary access control technique that is based on a set of operational rules or restrictions to enforce a least privileges permissions policy.
MITRE Corporation
A non-profit organization that manages research and development centers that receive federal funding from entities like the DoD and NIST.
VPC (virtual private cloud)
A private network segment made available to a single cloud consumer on a public cloud.
extranet
A private network that provides some access to outside parties, particularly vendors, partners, and select customers.
malicious process
A process executed without proper authorization from the system owner for the purpose of damaging or compromising the system.
port forwarding
A process in which a router takes requests from the Internet for a particular application (such as HTTP) and sends them to a designated host on the LAN. Also referred to as destination network address translation (DNAT).
federation
A process that provides a shared login capability across multiple systems and enterprises. It essentially connects the identity management services of multiple systems.
FPGA (field programmable gate array)
A processor that can be programmed to perform a specific function by a customer rather than at the time of manufacture.
SSH (Secure Shell)
A remote administration and file-copy program that supports VPNs by using port forwarding, and that runs on TCP port 22.
robot sentry
A remote-controlled or autonomous robot capable of patrolling site premises or monitoring gateways.
quantitative analysis
A risk analysis method that is based on assigning concrete values to factors.
block-listing
A security configuration where access is generally permitted to any entity (software process, IP/domain, and so on) unless the entity appears on a block list.
salt
A security countermeasure that mitigates the impact of a rainbow table attack by adding a random value to ("salting") each plaintext input.
compensating control
A security measure that takes on risk mitigation when a primary control fails or cannot completely meet expectations.
defense in depth
A security strategy that positions the layers of network security as network traffic roadblocks; each layer is intended to slow an attack's progress, rather than eliminating it outright.
DMZ (demilitarized zone)
A segment isolated from the rest of a private network by one or more firewalls that accepts connections from the Internet over designated ports.
data owner
A senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of an information asset.
CAN bus (controller area network bus)
A serial network designed to allow communications between embedded programmable logic controllers.
CA (certificate authority)
A server that guarantees subject identities by issuing signed digital certificate wrappers for their public keys.
proxy server
A server that mediates the communications between a client and another server. It can filter and often modify communications, as well as provide caching services to improve performance. Also referred to as forward proxy.
non-transparent proxy
A server that redirects requests and responses for clients configured with the proxy address and port.
bastion host
A server typically found in a DMZ that is configured to provide a single service to reduce the possibility of compromise.
What type of interoperability agreement is designed to ensure specific performance standards?
A service level agreement (SLA). In addition, performance standards may also be incorporated in business partner agreements (BPAs).
botnet
A set of hosts that has been infected by a control program called a bot that enables attackers to exploit the hosts to mount attacks.
Kerberos
A single sign-on authentication and authorization service that is based on a time-sensitive ticket-granting system.
SIM (subscriber identity module)
A small chip card that identifies the user and phone number of a mobile device, via an International Mobile Subscriber Identity (IMSI).
patch
A small unit of supplemental code meant to address either a security problem or a functionality flaw in a software package or operating system.
shoulder surfing
A social engineering tactic to obtain someone's password or PIN by observing him or her as he or she types it in.
EPP (endpoint protection platform)
A software agent and monitoring system that performs multiple security tasks.
serverless
A software architecture that runs functions within virtualized runtime containers in a cloud rather than on dedicated server instances.
DLP (data loss/leak prevention)
A software solution that detects and prevents sensitive information from being stored on unauthorized systems or transmitted over unauthorized networks.
stress test
A software testing method that evaluates how software performs under extreme load.
memory leak
A software vulnerability that can occur when software does not release allocated memory when it is done using it, potentially leading to system instability.
SPIM (spam over internet messaging)
A spam attack that is propagated through instant messaging rather than email.
unintentional threat
A threat actor that causes a vulnerability or exposes an attack vector without malicious intent.
dictionary attack
A type of password attack that compares encrypted passwords against a predetermined list of possible password values.
birthday attack
A type of password attack that exploits weaknesses in the mathematical algorithms used to encrypt passwords, in order to take advantage of the probability of different password inputs producing the same encrypted output.
brute force attack
A type of password attack where an attacker uses an application to exhaustively try every possible alphanumeric combination to crack encrypted passwords.
reverse proxy
A type of proxy server that protects servers from direct contact with client requests.
DNS amplification attack (Domain Name System amplification attack)
A type of reflected attack in which a small query to a DNS server returns a reply up to eight times larger and makes it easier for the attacker to flood the target.
corrective control
A type of security control that acts after an incident to eliminate or minimize its impact.
jitter
A variation in the time it takes for a signal to reach the recipient. Jitter manifests itself as an inconsistent rate of packet delivery. If packet loss or delay is excessive, then noticeable audio or video problems (artifacts) are experienced by users.
CSP (cloud service provider)
A vendor offering public cloud service models, such as PaaS, IaaS, or SaaS.
SDN (software defined networking)
APIs and compatible hardware/virtual appliances allowing for programmable network appliances and systems.
SDV (software defined visibility)
APIs for reporting configuration and state data for automated monitoring and alerting.
DAC (discretionary access control)
Access control model where each resource is protected by an Access Control List (ACL) managed by the resource's owner (or owners).
MAC (Mandatory Access Control)
Access control model where resources are protected by inflexible, system defined rules. Resources (objects) and users (subjects) are allocated a clearance level (or label).
OOB (out-of-band management)
Accessing the administrative interface of a network appliance using a separate network from the usual data network. This could use a separate VLAN or a different kind of link, such as a dial-up modem.
You are consulting with a medium-size company about endpoint security solutions. What advantages does a cloud-based analytics platform have over an on-premises solution that relies on signature updates?
Advanced persistent threat (APT) malware can use many techniques to evade signature-based detection. A cloud analytics platform, backed by machine learning, can apply more effective behavioral-based monitoring and alerting.
rules of engagement
Agreeing scope, operational parameters, and reporting requirements for a penetration test.
BPA (business partnership agreement)
Agreement by two companies to work together closely, such as the partner agreements that large IT companies set up with resellers and solution providers.
UTM (unified threat management)
All-in-one security appliances and agents that combine the functions of a firewall, malware scanner, intrusion detection, vulnerability scanner, data loss prevention, content filtering, and so on.
AH (authentication header)
An IPSec protocol that provides authentication for the origin of transmitted data as well as integrity and protection against replay attacks.
CN (common name)
An X.500 attribute expressing a host or user name, also used as the subject identifier for a digital certificate.
social engineering
An activity where the goal is to use deception and trickery to convince unsuspecting users to provide sensitive data or to violate security guidelines.
NDA (non-disclosure agreement)
An agreement that stipulates that entities will not share confidential information, knowledge, or materials with unauthorized third parties.
spoofing
An attack technique where the attacker disguises their identity.
DDoS attack (distributed denial of service attack)
An attack that uses multiple compromised hosts (a botnet) to overwhelm a service with request/response traffic.
VM escaping (virtual machine escaping)
An attack where malware running in a VM is able to interact directly with the hypervisor or host kernel.
whaling
An email-based or web-based form of phishing which targets senior executives or wealthy individuals.
spear phishing
An email-based or web-based form of phishing which targets specific individuals.
CBC (cipher block chaining)
An encryption mode of operation where an exclusive or (XOR) is applied to the first plaintext block.
PBF (primary business function)
An important business or organizational activity that supports MEFs but is capable of being deferred during a disaster event scenario.
TOTP (Time-based One-time Password)
An improvement on HOTP that forces one-time passwords to expire after a short period of time.
data steward
An individual who is primarily responsible for data quality, ensuring data is labeled and identified with appropriate metadata and that data is collected and stored in a format and with values that comply with applicable laws and regulations.
C&C (command and control)
An infrastructure of hosts and services with which attackers direct, distribute, and control malware over botnets. Also referred to as C2.
NIPS (network intrusion prevention system)
An inline security device that monitors suspicious network and/or system traffic and reacts in real time to block it.
Snort
An open source NIDS. A subscription ("oinkcode") is required to obtain up-to-date rulesets, which allow the detection engine to identify the very latest threats. Non-subscribers can obtain community-authored rulesets.
XOR (exclusive OR)
An operation that outputs to true only if one input is true and the other input is false.
ARP inspection
An optional security feature of a switch that prevents excessive ARP replies from flooding a network segment.
DoS attack (denial of service attack)
Any type of physical, application, or network attack that affects the availability of a managed resource.
URL (uniform resource locator)
Application-level addressing scheme for TCP/IP, allowing for human-readable resource addressing. For example: protocol://server/file, where "protocol" is the type of resource (HTTP, FTP), "server" is the name of the computer (www.microsoft.com), and "file" is the name of the resource you wish to access.
MAC filtering
Applying an access control list to a switch or access point so that only clients with approved MAC addresses can connect to it.
hot/cold aisle
Arrangement of server racks to maximize the efficiency of cooling systems.
How is a fingerprint reader typically implemented as hardware?
As a capacitive cell.
How does RAID support fault tolerance?
Aside from RAID 0, RAID provides redundancy between a group of disks, so that if one disk were to fail, that data may be recoverable from the other disks in the array.
canonicalization attack
Attack method where input characters are encoded in such a way as to evade vulnerable input validation measures.
CHAP (Challenge Handshake Authentication Protocol)
Authentication scheme developed for dial-up networks that uses an encrypted three-way handshake to authenticate the client to the server. The challenge-response is repeated throughout the connection (though transparently to the user) to guard against replay attacks.
You are advising a customer on backup and disaster recovery solutions. The customer is confused between data breaches and data loss and whether the backup solution will protect against both. What explanation can you give?
Backup solutions mitigate risks from data loss, where files or information is deleted, corrupted, or otherwise destroyed. Backup does not mitigate risks from data breach, where confidential or private data is stolen (exfiltrated) and made public or sold for criminal profit. Mitigating risks of data breach requires effective secure processing, authorization, and authentication security controls.
PEM (privacy-enhanced mail)
Base64 encoding scheme used to store certificate and key data as ASCII text.
Considering that cryptographic hashing is one-way and the digest cannot be reversed, what makes hashing a useful security technique?
Because two parties can hash the same data and compare checksums to see if they match, hashing can be used for data verification in a variety of situations, including password authentication. Hashes of passwords, rather than the password plaintext, can be stored securely or exchanged for authentication. A hash of a file or a hash code in an electronic message can be verified by both parties.
FAR (false acceptance rate)
Biometric assessment metric that measures the number of unauthorized users who are mistakenly allowed access.
gait analysis
Biometric mechanism that identifies a subject based on movement pattern.
What type of deployment model(s) allow users to select the mobile device make and model?
Bring Your Own Device (BYOD) and Choose Your Own Device (CYOD).
How can an enterprise DMZ be implemented?
By using two firewalls (external and internal) around a screened subnet, or by using a triple-homed firewall (one with three network interfaces).
output encoding
Coding methods to sanitize output created from user input.
KDC (key distribution center)
Component of Kerberos that authenticates users and issues tickets (tokens).
BAS (building automation system)
Components and protocols that facilitate the centralized configuration and monitoring of mechanical and electrical systems within offices and data centers.
What are the properties of a secure information processing system?
Confidentiality, Integrity, and Availability (and Non-repudiation).
JBOD (Just a Bunch Of Disks)
Configuring a spanned volume across a number of disks without any sort of RAID striping functionality.
governance
Creating and monitoring effective policies and procedures to manage assets, such as data.
lightweight cryptography
Cryptographic algorithms with reduced compute requirements that are suitable for use in resource-constrained environments, such as battery-powered devices.
Is Cuckoo a type of malware or a security product?
Cuckoo is a security product designed to analyze malware as it runs in an isolated sandbox environment.
diversity
Cybersecurity resilience strategy that increases attack costs by provisioning multiple types of controls, technologies, vendors, and crypto implementations.
deception and disruption
Cybersecurity resilience tools and techniques to increase the cost of attack planning for the threat actor.
threat hunting
Cybersecurity technique designed to detect presence of threats that have not been discovered by normal security monitoring.
default account
Default administrative and guest accounts configured on servers and network devices are possible points of unauthorized access.
What type of physical destruction media sanitization method is not suitable for USB thumb drives?
Degaussing is ineffective against all types of flash media, including thumb drives, SSDs, hybrid drives, and memory cards.
PPTP (Point-to-Point Tunneling Protocol)
Developed by Cisco and Microsoft to support VPNs over PPP and TCP/IP. PPTP is highly vulnerable to password cracking attacks and considered obsolete.
SAS (Serial Attached Small Computer Systems Interface)
Developed from parallel SCSI, SAS represents the highest performing hard disk interface available.
NIST (National Institute of Standards and Technology)
Develops computer security standards used by US federal agencies and publishes cybersecurity best practice guides and research.
PPP (Point to Point Protocol)
Dial-up protocol working at layer 2 (Data Link) used to connect devices remotely to networks.
retention policy
Dictates for how long information needs to be kept available on backup and archive systems. This may be subject to legislative requirements.
Why does Diffie-Hellman underpin perfect forward secrecy (PFS)?
Diffie-Hellman allows the sender and recipient to derive the same value (the session key) from some other pre-agreed values. Some of these are exchanged, and some kept private, but there is no way for a snooper to work out the secret just from the publicly exchanged values. This means session keys can be created without relying on the server's private key, and that it is easy to generate ephemeral keys that are different for each session.
public key
During asymmetric encryption, this key is freely distributed and can be used to perform the reverse encryption or decryption operation of the linked private key in the pair.
What port security feature mitigates ARP poisoning?
Dynamic ARP inspection—though this relies upon DHCP snooping being enabled.
PEAP (Protected Extensible Authentication Protocol)
EAP implementation that uses a server-side certificate to create a secure tunnel for user authentication, referred to as the inner method.
What are the properties of a public/private key pair?
Each key can reverse the cryptographic operation performed by its pair but cannot reverse an operation performed by itself. The private key must be kept secret by the owner, but the public key is designed to be widely distributed. The private key cannot be determined from the public key, given a sufficient key size.
What mechanism informs clients about suspended or revoked keys?
Either a published Certificate Revocation List (CRL) or an Online Certificate Status Protocol (OCSP) responder.
incident reporting
Employees are a vital component of an effective security and health and safety model. Company policy should set out the procedure for reporting incidents, such as who to contact and how quickly.
Why should an organization design role-based training programs?
Employees have different levels of technical knowledge and different work priorities. This means that a "one size fits all" approach to security training is impractical.
What is the name of the policy that prevents users from choosing old passwords again?
Enforce password history.
Why is a rooted or jailbroken device a threat to enterprise security?
Enterprise Mobility Management (EMM) solutions depend on the device user not being able to override their settings or change the effect of the software. A rooted or jailbroken device means that the user could subvert the access controls.
port scanning
Enumerating the status of TCP and UDP ports on a target system using software tools.
MSA (measurement systems analysis)
Evaluates the data collection and statistical methods used by a quality management process to ensure they are robust.
John is given a laptop for official use and is on a business trip. When he arrives at his hotel, he turns on his laptop and finds a wireless access point with the name of the hotel, which he connects to for sending official communications. He may become a victim of which wireless threat?
Evil twin.
code injection
Exploit technique that runs malicious code with the ID of a legitimate process.
XaaS (anything as a service)
Expressing the concept that most types of IT requirements can be deployed as a cloud service model.
MMS (multimedia messaging service)
Extension to SMS allowing digital data (picture, video, or audio) to be sent over a cellular data connection.
How could a deception-based cybersecurity resilience strategy return fake telemetry to a threat actor?
Fake telemetry means that when a threat actor runs port or host discovery scans, a spoof response is returned. This could lead the threat actor to waste time probing the port or host IP address trying to develop an attack vector that does not actually exist.
A vulnerability scan reports that a CVE associated with CentOS Linux is present on a host, but you have established that the host is not running CentOS. What type of scanning error event is this?
False positive.
True or false? It is important to publish all security alerts to all members of staff.
False—security alerts should be sent to those able to deal with them at a given level of security awareness and on a need-to-know basis.
SAN (subject alternative name)
Field in a digital certificate allowing a host to be identified by multiple host names/subdomains.
What two ways can biometric technologies be used other than for logon authentication?
For identification based on biometric features and in continuous authentication mechanisms.
write blocker
Forensic tool to prevent the capture or analysis device or workstation from changing data on a target disk or media.
WinHex
Forensics tool for Windows that allows collection and inspection of binary code in disk and memory images.
P12 (Public Key Cryptography Standard #12)
Format that allows a private key to be exported along with its digital certificate.
IKE (Internet Key Exchange)
Framework for creating a Security Association (SA) used with IPSec. An SA establishes that two hosts trust one another (authenticate) and agree secure protocols and cipher suites to use to exchange data.
PAM (pluggable authentication module)
Framework for implementing authentication providers in Linux.
EAP (Extensible Authentication Protocol)
Framework for negotiating authentication methods that enables systems to use hardware-based identifiers, such as fingerprint scanners or smart card readers, for authentication.
Why are exercises an important part of creating a disaster recovery plan?
Full-scale or functional exercises can identify mistakes in the plan that might not be apparent when drafting procedures. It also helps to familiarize staff with the plan.
correlation
Function of log analysis that links log and state data to identify a pattern that should be logged or alerted as an event.
ICMP (Internet Control Message Protocol)
IP-level protocol for reporting errors and status information supporting the function of troubleshooting utilities such as ping.
ESP (Encapsulating Security Protocol)
IPSec sub-protocol that enables encryption and authentication of the header and payload of a data packet.
Why should an Internet service provider (ISP) be informed before pen testing on a hosted website takes place?
ISPs monitor their networks for suspicious traffic and may block the test attempts. The pen test may also involve equipment owned and operated by the ISP.
BCP (business continuity plan)
Identifies how business processes should deal with both minor and disaster-level disruption by ensuring that there is processing redundancy supporting the workflow.
fingerprinting
Identifying the type and version of an operating system (or server application) by analyzing its responses to network scans.
patch management
Identifying, testing, and deploying OS and application updates. Patches are often classified as critical, security-critical, recommended, and optional.
MSCHAP (Microsoft Challenge Handshake Authentication Protocol)
Implementation of CHAP created by Microsoft for use in its products.
data processor
In privacy regulations, an entity trusted with a copy of personal data to perform storage and/or analysis on behalf of the data collector.
data controller
In privacy regulations, the entity that determines why and how personal data is collected, stored, and used.
You've fulfilled your role in the forensic process and now you plan on handing the evidence over to an analysis team. What important process should you observe during this transition, and why?
It's important to uphold a record of how evidence is handled in a chain of custody. The chain of custody will help verify that everyone who handled the evidence is accounted for, including when the evidence was in each person's custody. This is an important tool in validating the evidence's integrity.
What format is often used to write permissions statements for cloud resource policies?
JavaScript Object Notation (JSON).
spam
Junk messages sent over email (or instant messaging, which is called spim). It can also be utilized within social networking sites.
Which protocol is often used in conjunction with IPSec to provide a remote access client VPN with user authentication?
Layer 2 Tunneling Protocol (L2TP).
What is the policy that states users should be allocated the minimum sufficient permissions?
Least privilege.
data remnant
Leftover information on a storage medium even after basic attempts have been made to remove that data.
shellcode
Lightweight block of malicious code that exploits a software vulnerability to gain initial access to a victim system.
tail command
Linux utility for showing the last lines in a file.
logger command
Linux utility that writes data to the system log.
cipher suite
Lists of cryptographic algorithms that a server and client can use to negotiate a secure connection.
Which network access control framework supports smart cards?
Local logon providers, such as Kerberos, support smart cards, but this is not network access control as the device has already been allowed on the network. The IEEE 802.1X framework means that network access servers (switches, access points, and VPN gateways) can accept Extensible Authentication Protocols (EAP) credentials, but block any other type of network access. They act as pass-thru for an authentication server, which stores and validates the credentials. Some EAP types support smart card or machine authentication.
You are assisting with the preparation of security briefings on embedded systems tailored to specific implementations of embedded systems. Following the CompTIA Security+ syllabus, you have created the industry-specific advice for the following sectors—which one do you have left to do? Facilities, Industrial, Manufacturing, Energy, ???
Logistics—transportation of components for assembly or distribution of finished products.
narrowband
Low-power cellular networks designed to provide data connectivity to IoT devices.
ZigBee
Low-power wireless communications open source protocol used primarily for home automation. ZigBee uses radio frequencies in the 2.4 GHz band and a mesh topology.
What is measured by MTBF?
Mean time between failures (MTBF) represents the expected reliability of a product over its lifetime.
homomorphic encryption
Method that allows computation of certain fields in a data set without decrypting it.
industrial camouflage
Methods of disguising the nature and purpose of buildings or parts of buildings.
deployment model
Methods of provisioning mobile devices to users, such as BYOD and CYOD.
AES-GCM (Advanced Encryption Standard Galois Counter Mode)
Mode of operation for AES that ensures authenticated encryption.
DNAT (destination network address translation)
NAT service where private internal addresses are mapped to one or more public addresses to facilitate Internet connectivity for hosts on a local network via a router.
You are discussing a security awareness training program for an SME's employees. The business owner asserts that as they do not run Microsoft Office desktop apps, there should be no need to cover document security and risks from embedded macros and scripts. Should you agree and not run this part of the program?
No. While Visual Basic for Applications (VBA) can only be used with Microsoft Office, other types of document can contain embedded scripts, such as JavaScript in PDFs. Other Office suites, such as OpenOffice and LibreOffice, use scripting languages for macros too.
What type of certificate format can be used if you want to transfer your private key and certificate from one Windows host computer to another?
PKCS #12 / .PFX / .P12.
PSK (pre-shared key)
Passphrase-based mechanism to allow group authentication to a wireless network. The passphrase is used to derive an encryption key.
In the context of penetration testing, what is persistence?
Persistence refers to the tester's ability to reconnect to the compromised host and use it as a remote access tool (RAT) or backdoor.
e-discovery
Procedures and tools to collect, preserve, and analyze digital evidence.
VBA (Visual Basic for Applications)
Programming language used to implement macros and scripting in Office document automation.
fog computing
Provisioning processing resource between the network edge of IoT devices and the data center to reduce latency.
edge computing
Provisioning processing resource close to the network edge of IoT devices to reduce latency.
OSINT (open-source intelligence)
Publicly available information plus the tools used to aggregate and search it.
What is the main advantage of IKE v2 over IKE v1?
Rather than just providing mutual authentication of the host endpoints, IKE v2 supports a user account authentication method, such as Extensible Authentication Protocol (EAP).
Backup
Recovery of data can be provided through the use of a backup system. Most backup systems provide support for tape devices. This provides a reasonably reliable and quick mechanism for copying critical data. Different backup types (full, incremental, or differential) balance media capacity, time required to back up, and time required to restore.
proximity reader
Scanner that reads data from an RFID or NFC tag when in range.
CVE (Common Vulnerabilities and Exposures)
Scheme for identifying vulnerabilities developed by MITRE and adopted by NIST.
Company policy requires that you ensure your smartphone is secured from unauthorized access in case it is lost or stolen. To prevent someone from accessing data on the device immediately after it has been turned on, what security control should be used?
Screen lock.
What security protocol does SFTP use to protect the connection and which port does an SFTP server listen on by default?
Secure Shell (SSH) over TCP port 22.
You are working on a cloud application that allows users to log on with social media accounts over the web and from a mobile application. Which protocols would you consider and which would you choose as most suitable?
Security Assertion Markup Language (SAML) and OAuth + OpenID Connect (OIDC). OAuth with OIDC as an authentication layer offers better support for native mobile apps so is probably the best choice.
zero trust
Security design paradigm where any request (host-to-host or container-to-container) must be authenticated before being allowed.
BYOD (bring your own device)
Security framework and tools to facilitate use of personally-owned devices to access corporate networks and data.
permissions
Security settings that control access to objects including file system items and network resources.
threat feed
Signatures and pattern-matching rules supplied to analysis platforms as an automated feed.
SEAndroid (Security-Enhanced Android)
Since version 4.3, Android has been based on Security-Enhanced Linux, enabling granular permissions for apps, container isolation, and storage segmentation.
What factor is most likely to reduce a system's resiliency?
Single points of failure.
nslookup command
Software tool for querying DNS server records.
sn1per
Software utility designed for penetration testing reporting and evidence gathering that can also run automated test suites.
eavesdropping
Some transmission media are susceptible to eavesdropping (listening in to communications sent over the media). To secure transmissions, they must be encrypted.
How does a specially configured compiler inhibit attacks through software diversity?
The compiler can apply obfuscation routines to make the code difficult for a threat actor to reverse engineer and analyze for vulnerabilities.
risk management
The cyclical process of identifying, assessing, analyzing, and responding to risks.
tunneling
The practice of encapsulating data from one protocol for safe transfer over another network such as the Internet.
version control
The practice of ensuring that the assets that make up a project are closely managed when it comes time to make changes.
mandatory vacations
The principle that states when and how long an employee must take time off from work so that their activities may be subjected to a security review.
onboarding
The process of bringing in a new employee, contractor, or supplier.
deprovisioning
The process of removing an application from packages or instances.
degaussing
The process of rendering a storage drive inoperable and its data unrecoverable by eliminating the drive's magnetic charge.
refactoring
The process of restructuring application code in such a way that the same functionality is provided by different programming methods. Refactoring is often used to improve an application's design without affecting the external behavior of the application, or to enable it to handle particular situations.
chain of custody
The record of evidence history from collection, to presentation in court, to disposal.
In a rule-based access control model, can a subject negotiate with the data owner for access privileges? Why or why not?
This sort of negotiation would not be permitted under rule-based access control; it is a feature of discretionary access control.
What type of cloud solution would be used to implement a SAN?
This would usually be described as Infrastructure as a Service (IaaS).
accounting
Tracking authorized usage of a resource or use of rights by a subject and alerting when unauthorized use is detected or attempted.
True or false? To ensure evidence integrity, you must make a hash of the media before making an image.
True.
adversarial AI (adversarial artificial intelligence)
Using AI to identify vulnerabilities and attack vectors to circumvent security systems.
HTML5 VPN
Using features of HTML5 to implement remote desktop/VPN connections via browser software (clientless).
third-party risks
Vulnerabilities that arise from dependencies in business relationships with suppliers and customers.
PFX (personal information exchange)
Windows file format for storing a private key and certificate data. The file can be password-protected.
impersonation
NOS firewall (network operating system firewall)
A software-based firewall running on a network server OS, such as Windows or Linux, so that the server can function as a gateway or proxy for a network segment.
What is meant by a public cloud?
A solution hosted by a third-party cloud service provider (CSP) and shared between subscribers (multi-tenant). This sort of cloud solution has the greatest security concerns.
SIEM (security information and event management)
A solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications.
TPM (Trusted Platform Module)
A specification for hardware-based storage of digital certificates, keys, hashed passwords, and other user and platform identification information.
appliance firewall
A standalone hardware device that performs only the function of a firewall, which is embedded into the appliance's firmware.
IEEE 802.1X
A standard for encapsulating EAP communications over a LAN (EAPoL) to implement port-based authentication.
NFC (Near Field Communication)
A standard for peer-to-peer (2-way) radio communications over very short (around 4") distances, facilitating contactless payment and similar technologies. NFC is based on RFID.
What is an SOP?
A standard operating procedure (SOP) is a step-by-step listing of the actions that must be completed for any given task.
RADIUS (Remote Authentication Dial-in User Service)
A standard protocol used to manage remote and wireless authentication infrastructures.
NAS (network attached storage)
A storage device with an embedded OS that supports typical network file access protocols (TCP/IP and SMB for instance).
Sysinternals
A suite of tools designed to assist with troubleshooting issues with Windows.
PNAC (port-based network access control)
A switch (or router) that performs some sort of authentication of the attached device before activating the port.
UEFI (Unified Extensible Firmware Interface)
A type of system firmware providing support for 64-bit CPU operation at boot, full GUI and mouse operation at boot, and better boot security.
criminal syndicates
A type of threat actor that uses hacking and computer fraud for commercial gain. Also referred to as organized crime.
insider threat
A type of threat actor who is assigned privileges on the system that cause an intentional or unintentional incident.
containerization
A type of virtualization applied by a host operating system to provision an isolated execution environment for an application.
ad hoc network
A type of wireless network where connected devices communicate directly with each other instead of over an established medium.
MAC address (Media Access Control address)
A unique hardware address hard-coded into a network adapter. This provides local addressing on Ethernet and Wi-Fi networks. A MAC address is 48 bits long with the first half representing the manufacturer's Organizationally Unique Identifier (OUI).
How does accounting provide non-repudiation?
A user's actions are logged on the system. Each user is associated with a unique computer account. As long as the user's authentication is secure and the logging system is tamper-proof, they cannot deny having performed the action.
What physical security system provides mitigation against juice-jacking?
A USB data blocker can be attached to the end of a cable to prevent a charging port from trying to make a data connection.
implicit deny
A basic principle of security stating that unless something has explicitly been granted access, it should be denied access.
fuzzing
A dynamic code analysis technique that involves sending a running application random and unusual input so as to evaluate how the app responds.
WPS (Wi-Fi Protected Setup)
A feature of WPA and WPA2 that allows enrollment in a wireless network based on an 8-digit PIN.
caching engine
A feature of many proxy servers that enables the servers to retain a copy of frequently requested web pages.
What physical security device could you use to ensure the safety of onsite backup tapes?
A fireproof safe or vault.
WAF (web application firewall)
A firewall designed specifically to protect software running on web servers and their back-end databases from code injection and DoS attacks.
personal firewall
A firewall implemented as application software running on the host that can provide sophisticated filtering of network traffic as well as block processes at the application level. Also referred to as a host-based firewall.
MitM attack (Man-in-the-Middle attack)
A form of eavesdropping where the attacker makes an independent connection between two victims and steals information to use fraudulently.
SMiShing
A form of phishing that uses SMS text messages to trick a victim into revealing information.
Diamond Model
A framework for analyzing cybersecurity incidents.
STIX (Structured Threat Information eXpression)
A framework for analyzing cybersecurity incidents.
hot site
A fully configured alternate network that can be online quickly after a disaster.
SOX (Sarbanes-Oxley Act)
A law enacted in 2002 that dictates requirements for the storage and retention of documents relating to an organization's financial and business operations.
API (application programming interface)
A library of programming utilities used, for example, to enable software developers to access functions of the TCP/IP network stack under a particular operating system.
OSPF (Open Shortest Path First)
A link-state routing protocol used on IP networks.
CRL (certificate revocation list)
A list of certificates that were revoked before their expiration date.
clustering
A load balancing technique where a group of servers are configured as a unit and work together to provide network services.
warm site
A location that is dormant or performs noncritical functions under normal conditions, but which can be rapidly converted to a key operations site if needed.
ICS (industrial control system)
A network managing embedded devices (computer systems that are designed to perform a specific, dedicated function).
behavioral analysis
A network monitoring system that detects changes in normal operating data sequences and identifies abnormal sequences. Also referred to as behavior-based detection.
anomaly analysis
A network monitoring system that uses a baseline of acceptable outcomes or event patterns to identify events that fall outside the acceptable range. Also referred to as anomaly-based detection.
signature-based detection
A network monitoring system that uses a predefined set of rules provided by a software vendor or security personnel to identify events that are unacceptable.
How does OTP protect against password guessing or sniffing attacks?
A one-time password mechanism generates a token that is valid only for a short period (usually 60 seconds), before it changes again.
OTP (one-time password)
A password that is generated for use in one specific session and becomes invalid after the session ends.
BGP (Border Gateway Protocol)
A path vector routing protocol used by ISPs to establish routing between one another. Also referred to as Autonomous System (AS).
What distinguishes host-based personal software firewall from a network firewall appliance?
Personal firewall software can block processes from accessing a network connection as well as applying filtering rules. A personal firewall protects the local host only, while a network firewall filters traffic for all hosts on the segment behind the firewall.
token
A physical or virtual item that contains authentication and/or authorization data, commonly used in multifactor authentication.
video surveillance
A physical security control that uses cameras and recording devices to visually monitor the activity in a certain area.
layered security
An approach that incorporates many different avenues of defense when securing systems and their data against attack. Also known as defense in depth.
nonce
An arbitrary number used only once in a cryptographic communication, often to prevent replay attacks.
white box
An assessment methodology that simulates an inside attacker that knows everything about the target.
gray box
An assessment methodology that simulates an inside attacker who knows something about a target, but not everything.
black box
An assessment methodology where the assessor is given no privileged information about the configuration of the target of assessment.
ECC (elliptic curve cryptography)
An asymmetric encryption algorithm that leverages the algebraic structures of elliptic curves over finite fields to derive public/private key pairs.
integer overflow
An attack in which a computed result is too large to fit in its assigned storage space, which may lead to crashing or data corruption, and may trigger a buffer overflow.
MAC cloning
An attack in which an attacker falsifies the factory-assigned MAC address of a device's network interface. Sometimes referred to as MAC spoofing.
DNS hijacking (Domain Name System hijacking)
An attack in which an attacker modifies a computer's DNS configurations to point to a malicious DNS server.
DHCP spoofing (Dynamic Host Configuration Protocol spoofing)
An attack in which an attacker responds to a client requesting address assignment from a DHCP server.
watering hole attack
An attack in which an attacker targets specific groups or organizations, discovers which websites they frequent, and injects malicious code into those sites.
buffer overflow
An attack in which data goes past the boundary of the destination buffer and begins to corrupt adjacent memory. This can allow the attacker to crash the system or execute arbitrary code.
jamming
An attack in which radio waves disrupt 802.11 wireless signals.
SQL injection (Structured Query Language injection)
An attack that injects a database query into the input data directed at a server by accessing the client side of the application.
hybrid password attack
An attack that uses multiple attack methods, such as dictionary and brute force attacks, when trying to crack a password.
MitB attack (Man-in-the-Browser attack)
An attack when the web browser is compromised by installing malicious plug-ins or scripts, or intercepting API calls between the browser process and DLLs.
replay attack
An attack where the attacker intercepts some authentication data and reuses it to try to re-establish a session.
How might wireless connection methods be used to compromise the security of a mobile device processing corporate data?
An attacker might set up some sort of rogue access point (Wi-Fi) or cell tower (cellular) to perform eavesdropping or man-in-the-middle attacks. For Personal Area Network (PAN) range communications, there might be an opportunity for an attacker to run exploit code over the channel.
input validation
Any technique used to ensure that the data entered into a field or variable in an application is handled appropriately by that application.
standard naming convention
Applying consistent names and labels to assets and digital resources/identities within a configuration management system.
database encryption
Applying encryption at the table, field, or record level via a database management system rather than via the file system.
What range of information classifications could you implement in a data labeling project?
One set of tags could indicate the degree of confidentiality (public, confidential/secret, or critical/top secret). Another tagging schema could distinguish proprietary from private/sensitive personal data.
ifconfig command
A UNIX/Linux-based utility used to gather information about the IP configuration of the network adapter or to configure the network adapter. It has been replaced with the ip command in most Linux distributions.
If a company wants to ensure it is following best practice in choosing security controls, what type of resource would provide guidance?
A cybersecurity framework and/or benchmark and secure configuration guides.
GLBA (Gramm-Leach-Bliley Act)
A law enacted in 1999 that deregulated banks, but also instituted requirements that help protect the privacy of an individual's financial information that is held by financial institutions.
CIS (Center for Internet Security)
A not-for-profit organization (founded partly by SANS). It publishes the well-known "Top 20 Critical Security Controls" (or system design recommendations).
TAXII (Trusted Automated eXchange of Indicator Information)
A protocol for supplying codified information to automate incident detection and analysis.
A multinational company manages a large amount of valuable intellectual property (IP) data, plus personal data for its customers and account holders. What type of business unit can be used to manage such important and complex security requirements?
A security operations center (SOC).
IoC (indicator of compromise)
A sign that an asset or network has been attacked or is currently under attack.
attack vector
A specific path by which a threat actor gains unauthorized access to a system. Also referred to as a vector.
hacktivist
A threat actor that is motivated by a social issue or political cause.
intentional threat
A threat actor with a malicious purpose.
supply chain attack
An attack that targets the end-to-end process of manufacturing, distributing, and handling goods and services.
script kiddie
An inexperienced, unskilled attacker that typically uses tools or scripts created by others.
SSAE SOC (Statements on Standards for Attestation Engagements Service Organization Control)
Audit specifications designed to ensure that cloud/hosting providers meet professional standards. A SOC2 Type II report is created for a restricted audience, while SOC3 reports are provided for general consumption.
reputation data
Block lists of known threat sources, such as malware signatures, IP address ranges, and DNS domains. Also referred to as reputational threat intelligence.
Which type of threat actor is primarily motivated by the desire for social change?
Hacktivist
What term is used to describe the property of a secure network where a sender cannot deny having sent a message?
Non-repudiation.
Your CEO wants to know if the company's threat intelligence platform makes effective use of OSINT. What is OSINT?
Open-source intelligence (OSINT) is cybersecurity-relevant information harvested from public websites and data records. In terms of threat intelligence specifically, it refers to research and data feeds that are made publicly available.
ISSO (Information Systems Security Officer)
Organizational role with technical responsibilities for implementation of security policies, frameworks, and controls.
You are assisting with writing an attack surface assessment report for a small company. Following the CompTIA syllabus, which two potential attack vectors have been omitted from the following headings in the report? Direct access, Email, Remote and wireless, Web and social media, Cloud.
Removable media and supply chain.
exploitation framework
Suite of tools designed to automate delivery of exploits against common software and firmware vulnerabilities.
You receive an email with a screenshot showing a command prompt at one of your application servers. The email suggests you engage the hacker for a day's consultancy to patch the vulnerability. How should you categorize this threat?
This is either gray hat (semi-authorized) hacking or black hat (non-authorized) hacking. If the request for compensation via consultancy is an extortion threat (if refused, the hacker sells the exploit on the dark web), then the motivation is purely financial gain and can be categorized as black hat. If the consultancy is refused and the hacker takes no further action, it can be classed as gray hat.
What type of tool could you use to fingerprint the host acting as the default gateway?
This requires a tool that performs fingerprinting—service and version detection—by examining responses to network probes and comparing them to known responses from common platforms. Nmap is very widely used for this task, or you could use hping or Netcat.
AIS (Automated Indicator Sharing)
Threat intelligence data feed operated by the DHS.
DNS harvesting
Using Open Source Intelligence (OSINT) to gather information about a domain (subdomains, hosting provider, administrative contacts, and so on). Also referred to as Domain Name System harvesting.
UAT (user acceptance testing)
Usually one of the last stages in software development before release (beta testing), UAT proves that a program is usable and fit-for-purpose in real-world conditions.
curl command
Utility for command-line manipulation of URL-based protocol requests.
data acquisition
In digital forensics, the method and tools used to create a forensically sound copy of data from a source device, such as system memory or a hard disk.
time offset
In forensics, identifying whether a time zone offset has been applied to a file's time stamp.
A recent security evaluation concluded that your company's network design is too consolidated. Hosts with wildly different functions and purposes are grouped together on the same logical area of the network. In the past, this has enabled attackers to easily compromise large swaths of network hosts. What technique(s) do you suggest will improve the security of the network's design, and why?
In general, you should start implementing some form of network segmentation to put hosts with the same security requirements within segregated zones. For example, the workstations in each business department can be grouped in their own subnets to prevent a compromise of one subnet from spreading to another. Likewise, with VLANs, you can more easily manage the logical segmentation of the network without disrupting the physical infrastructure (i.e., devices and cabling).
escrow
In key management, the storage of a backup key with a third party.
What use might a proximity reader be for site security?
One type of proximity reader allows a lock to be operated by a contactless smart card. Proximity sensors can also be used to track objects via RFID tags.
ISAC (Information Sharing and Analysis Center)
Not-for-profit group set up to share sector-specific threat intelligence and security best practices amongst its members.
PIN (personal identification number)
Number used in conjunction with authentication devices such as smart cards; as the PIN should be known only to the user, loss of the smart card should not represent a security risk.
logs
OS and applications software can be configured to log events automatically. This provides valuable troubleshooting information. Security logs provide an audit trail of actions performed on the system as well as warning of suspicious activity. It is important that log configuration and files be made tamper-proof.
PAP (Password Authentication Protocol)
Obsolete authentication mechanism used with PPP. PAP transfers the password in plaintext and so is vulnerable to eavesdropping.
hacker
Often used to refer to someone who breaks into computer systems or spreads viruses. Ethical hackers prefer to think of themselves as experts on and explorers of computer security systems.
GPO (Group Policy Object)
On a Windows domain, a way to deploy per-user and per-computer settings such as password policy, account restrictions, firewall status, and so on.
What is the process of ensuring accounts are only created for valid users, only assigned the appropriate privileges, and that the account credentials are known only to the valid user?
Onboarding.
stored procedure
One of a set of pre-compiled database statements that can be used to validate input to a database.
Nessus
One of the best-known commercial vulnerability scanners, produced by Tenable Network Security. Also referred to as Tenable.
Which port(s) and security methods should be used by a mail client to submit messages for delivery by an SMTP server?
Port 587 with STARTTLS (explicit TLS) or port 465 with implicit TLS.
code reuse
Potentially unsecure programming practice of using code originally written for a different context.
Other than cost, which factor primarily constrains embedded systems in terms of compute and networking?
Power—many embedded systems must operate on battery power, and changing the batteries is an onerous task, so power-hungry systems like processing and high bandwidth or long-range networking are constrained.
What are the six phases of the incident response life cycle?
Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.
What should be the first action at a crime scene during a forensic investigation?
Preserve the crime scene by recording everything as is, preferably on video.
port security
Preventing a device attached to a switch port from communicating on the network unless it matches a given MAC address or other protection profile.
A firewall appliance intercepts a packet that violates policy. It automatically updates its Access Control List to block all further packets from the source IP. What TWO functions is the security control performing?
Preventive and corrective.
pseudo-anonymization
Removing personal information from a data set to make identification of individuals difficult, even if the data set is combined with other sources.
geographic dispersal
Resiliency mechanism where processing and data storage resources are replicated between physically distant sites.
dark web
Resources on the Internet that are distributed between anonymized nodes and protected from general access by multiple layers of encryption and routing.
bug bounty
Reward scheme operated by software and web services vendors for reporting vulnerabilities.
inherent risk
Risk that an event will pose if no controls are put in place to mitigate it.
control risk
Risk that arises when a control does not provide the level of mitigation that was expected.
residual risk
Risk that remains even after controls are put into place.
What type of risk mitigation option is offered by purchasing insurance?
Risk transference.
What are the two main options for mobile camera surveillance?
Robot sentries and drone/UAV-mounted cameras.
routing protocols
Rules that govern how routers communicate and forward traffic between networks.
What type of files most need to be audited to perform third-party credential management?
SSH and API keys are often unsecurely embedded in computer code or uploaded mistakenly to repositories alongside code. Also, managing shared credentials can be difficult, and many sites resort to storing them in a shared spreadsheet.
JavaScript
Scripting language used to add interactivity to web pages and HTML-format email.
code signing
The method of using a digital signature to ensure the source and integrity of programming code.
forensics
The process of gathering and submitting computer evidence to trial. Digital evidence is latent, meaning that it must be interpreted. This means that great care must be taken to prove that the evidence has not been tampered with or falsified. Also referred to as the collection of evidence.
identification
The process by which a user account (and its credentials) is issued to the correct person. Sometimes referred to as enrollment.
PRNG (pseudorandom number generator)
The process by which an algorithm produces numbers that approximate randomness without being truly random.
anti-forensics
The process by which an attacker impedes a forensic investigation.
lateral movement
The process by which an attacker is able to move from one part of a computing environment to another.
data exfiltration
The process by which an attacker takes data that is stored inside of a private network and moves it to an external network.
change control
The process by which the need for change is recorded and approved.
posture assessment
The process for verifying compliance with a health policy by using host health checks.
data classification
The process of applying confidentiality and privacy labels to information.
virtualization
The process of creating a simulation of a computing environment, where the virtualized system can simulate the hardware, operating system, and applications of a typical computer without being a separate physical computer.
provisioning
The process of deploying an application to the target environment, such as enterprise desktops, mobile devices, or cloud infrastructure.
trend analysis
The process of detecting patterns within a data set over time, and using those patterns to make predictions about future events or better understand past events.
execution control
The process of determining what additional software may be installed on a client or server beyond its baseline to prevent the use of unauthorized software.
authorization
The process of determining what rights and privileges a particular entity has.
shimming
The process of developing and implementing additional code between an application and the operating system to enable functionality that would otherwise be unavailable.
risk assessment
The process of identifying risks, analyzing them, developing a response strategy for them, and mitigating their future impact.
data ownership
The process of identifying the person responsible for the confidentiality, integrity, availability, and privacy of information assets.
CTI (cyber threat intelligence)
The process of investigating, collecting, analyzing, and disseminating information about emerging threats and threat sources.
offboarding
The process of ensuring that all HR and other requirements are covered when an employee leaves an organization. Also referred to as an exit interview.
carving
The process of extracting data from a computer when that data has no associated file system metadata.
quarantine
The process of isolating a file, computer system, or computer network to prevent the spread of a virus or another cybersecurity incident.
non-repudiation
The security goal of ensuring that the party that sent a transmission or created data remains associated with that data and cannot deny sending or creating that data.
What bit of information confirms the identity of an SSH server to a client?
The server's public key (host key). Note that this can only be trusted if the client trusts that the public key is valid. The client might confirm this manually or using a Certificate Authority.
You suspect that a rogue host is acting as the default gateway for a subnet in a spoofing attack. What command line tool(s) can you use from a Windows client PC in the same subnet to check the interface properties of the default gateway?
Use ipconfig to check the IP addresses of the default gateway and the DHCP server. Use arp to check the MAC addresses associated with those IP addresses and investigate possible spoofing. You could also use the route command to verify the properties of the default route.
Which information resource is required to complete usage auditing?
Usage events must be recorded in a log. Choosing which events to log will be guided by an audit policy.
SIP (Session Initiation Protocol)
Used to establish, disestablish, and manage VoIP and conferencing communications sessions. It handles user discovery (locating a user on the network), availability advertising (whether a user is prepared to receive calls), negotiating session parameters (such as use of audio/video), and session management and termination.
You are planning a security awareness program for a manufacturer. Is a pamphlet likely to be sufficient in terms of resources?
Using a diversity of training techniques will boost engagement and retention. Practical tasks, such as phishing simulations, will give attendees more direct experience. Workshops or computer-based training will make it easier to assess whether the training has been completed.
Your company creates software that requires a database of stored encrypted passwords. What security control could you use to make the password database more resistant to brute force attacks?
Using a key stretching password storage library, such as PBKDF2, improves resistance to brute-force cracking methods. You might also mention that you could use policies to make users choose longer, non-trivial passwords.
RTBH (remote triggered black hole)
Using a trigger device to send a BGP route update that instructs routers to drop traffic that is suspected of attempting DDoS.
quantum cryptography
Using quantum computing for cryptographic tasks, such as distributing keys or cracking (traditional) cryptographic systems. Quantum computing works on the principle that its units (qubits) have more properties than the bits used in "classical" computers, notably (and very crudely) that a qubit can have a probability of being 1 or 0 and that inspecting the value of one qubit can instantly determine that of others (entanglement).
automation
Using scripts and APIs to provision and deprovision systems without manual intervention.
tethering
Using the cellular data plan of a mobile device to provide Internet access to a laptop or PC. The PC can be tethered to the mobile by USB, Bluetooth, or Wi-Fi (a mobile hotspot).
MoU (memorandum of understanding)
Usually a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve the exchange of money.
mtr command (my traceroute command)
Utility combining the ping and traceroute commands.
theHarvester
Utility for gathering results from open source intelligence queries.
ncat
Utility for reading and writing raw data over a network connection. Also referred to as netcat.
scanless
Utility that runs port scans through third-party websites to evade detection.
dig
Utility to query a DNS and return information about a particular domain name. Also referred to as domain information groper.
netstat command
Utility to show network information on a machine running TCP/IP, notably active connections and the routing table.
What is the risk from a VM escaping attack?
VM escaping refers to attacking other guest OSes or the hypervisor or host from within a virtual machine. Attacks may be to steal information, perform Denial of Service (DoS), infect the system with malware, and so on.
full tunnel
VPN configuration where all traffic is routed via the VPN gateway.
split tunnel
VPN configuration where only traffic for the private network is routed via the VPN gateway.
L2TP (Layer 2 Tunneling Protocol)
VPN protocol for tunneling PPP sessions across a variety of network protocols such as IP, Frame Relay, or ATM.
How can DLL injection be exploited to hide the presence of malware?
Various OS system functions allow one process to manipulate another and force it to load a dynamic link library (DLL). This means that the malware code can be migrated from one process to another, evading detection.
You are preparing some briefing notes on diversity strategies for cybersecurity resilience for the executive team. You have prepared sections on Technologies, Crypto, and Controls so far. What other topic do you need to cover?
Vendor diversity.
You have received an urgent threat advisory and need to configure a network vulnerability scan to check for the presence of a related CVE on your network. What configuration check should you make in the vulnerability scanning software before running the scan?
Verify that the vulnerability feed/plug-in/test has been updated with the specific CVE that you need to test for.
Nmap
Versatile port scanner used for topology, host, service, and OS discovery and enumeration.
What feature is essential for managing code iterations within the provisioning and deprovisioning processes?
Version control is an ID system for each iteration of a software product.
SRTP (Secure Real-time Protocol)
Version of RTP secured using TLS.
How does VDI work as a mobile deployment model?
Virtual Desktop Infrastructure (VDI) allows a client device to access a VM. In this scenario, the mobile device is the client device. Corporate data is stored and processed on the VM so there is less chance of it being compromised, even though the client device itself is not fully managed.
ciphertext
Data that has been enciphered and cannot be read without the cipher key.
IP (intellectual property)
Data that is of commercial value and can be granted rights of ownership, such as copyrights, patents, and trademarks.
fake telemetry
Deception strategy that returns spoofed data in response to network probes.
What vulnerabilities does a rogue DHCP server expose users to?
Denial of service (providing an invalid address configuration) and spoofing (providing a malicious address configuration—one that points to a malicious DNS, for instance).
A technician is seeing high volumes of 403 Forbidden errors in a log. What type of network appliance or server is producing these logs?
403 Forbidden is an HTTP status code, so most likely a web server. Another possibility is a web proxy or gateway.
Netflow
A Cisco-developed means of reporting network flow information to a structured database. NetFlow allows better understanding of IP traffic flows as used by different network applications and hosts.
measured boot
A UEFI feature that gathers secure metrics to validate the boot process in an attestation report.
secure boot
A UEFI feature that prevents unwanted processes from executing during the boot operation.
CSR (certificate signing request)
A Base64 ASCII file that a subject sends to a CA to get a certificate.
sinkhole
A DoS attack mitigation strategy that directs the traffic that is flooding a target IP address to a different network for analysis.
SYN flood
A DoS attack where the attacker sends numerous SYN requests to a target server, hoping to consume enough resources to prevent the transfer of legitimate traffic.
What addressing component must be installed or configured for NB-IoT?
An LTE-based cellular radio, such as narrowband-IoT, uses a subscriber identity module (SIM) card as an identifier. This can either be installed as a plug-in card or configured as an eSIM chip on the system board or feature in a SoC design.
packet filtering
A Layer 3 firewall technology that compares packet headers against ACLs to determine which network traffic to accept.
circuit-level stateful inspection firewall
A Layer 5 firewall technology that tracks the active state of a connection, and can make decisions based on the contents of network traffic as it relates to the state of the connection.
application aware firewall
A Layer 7 firewall technology that inspects packets at the Application layer of the OSI model.
ip command
A Linux-based utility used to gather information about the IP configuration of the network adapter or to configure the network adapter. Replaces the older ifconfig command.
What type of data source(s) would you look for evidence of a suspicious MTA in?
A Message Transfer Agent (MTA) is an SMTP server. You might inspect an SMTP log or the Internet header metadata of an email message.
SCAP (Security Content Automation Protocol)
A NIST framework that outlines various accepted practices for automating vulnerability scanning.
authenticator
A PNAC switch or router that activates EAPoL and passes a supplicant's authentication data to an authenticating server, such as a RADIUS server.
What is the difference between a sensor and a collector, in the context of SIEM?
A SIEM collector parses input (such as log files or packet traces) into a standard format that can be recorded within the SIEM and interpreted for event correlation. A sensor collects data from the network media.
backup generator
A standby power supply fueled by diesel or propane. In the event of a power outage, a UPS must provide transitionary power, as a backup generator cannot be cut in fast enough.
You are writing a security awareness blog for company CEOs subscribed to your threat platform. Why are backdoors and Trojans different ways of classifying and identifying malware risks?
A Trojan means a malicious program masquerading as something else; a backdoor is a covert means of accessing a host or network. A Trojan need not necessarily operate a backdoor and a backdoor can be established by exploits other than using Trojans. The term remote access trojan (RAT) is used for the specific combination of Trojan and backdoor.
What type of forensic data is recovered using a carving tool?
A carving tool allows close inspection of an image to locate artifacts. Artifacts are data objects and structures that are not obvious from examination by ordinary file browsing tools, such as alternate data streams, cache entries, and deleted file remnants.
SOAR (security orchestration, automation, and response)
A class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment.
PTZ (pan-tilt-zoom)
A class of surveillance camera that allows a remote operator to move the device and zoom the image.
multi-cloud
A cloud deployment model where the cloud consumer uses multiple public cloud services.
hybrid cloud
A cloud deployment that uses both private and public elements.
community cloud
A cloud that is deployed for shared use by cooperating tenants.
public cloud
A cloud that is deployed for shared use by multiple independent tenants.
private cloud
A cloud that is deployed for use by a single entity.
You are developing a secure web application. What sort of certificate should you request to show that you are the publisher of a program?
A code signing certificate. Certificates are issued for specific purposes. A certificate issued for one purpose should not be reused for other functions.
ACL (Access Control List)
A collection of access control entries (ACEs) that determines which subjects (user accounts, host IP addresses, and so on) are allowed or denied access to the object and the privileges given (read only, read/write, and so on).
site survey
A collection of information about a location for the purposes of building an ideal infrastructure; it often contains optimum locations for wireless antenna and access point placement to provide the required coverage for clients and identifies sources of interference.
baseline configuration
A collection of security and configuration settings that are to be applied to a particular system or network in the organization.
PowerShell
A command shell and scripting language built on the .NET Framework.
bash (Bourne again shell)
A command shell and scripting language for Unix-like systems.
tcpdump command
A command-line packet sniffing utility.
tcpreplay command
A command-line utility that replays packets saved to a file back through a network adapter.
FTK (Forensic Toolkit)
A commercial digital forensics investigation management and utilities suite, published by AccessData.
OT (operational technology)
A communications network designed to implement an industrial control system rather than data networking.
How can cryptography support high resiliency?
A complex system might have to support many inputs from devices installed to potentially unsecure locations. Such a system is resilient if compromise of a small part of the system is prevented from allowing compromise of the whole system. Cryptography assists this goal by ensuring the authentication and integrity of messages delivered over the control system.
sandbox
A computing environment that is isolated from a host system to guarantee that the environment runs in a controlled, secure fashion. Communication links between the sandbox and the host are usually completely prohibited.
SECaaS (Security as a Service)
A computing method that enables clients to take advantage of information, software, infrastructure, and processes provided by a cloud vendor in the specific area of computer security.
IaaS (Infrastructure as a Service)
A computing method that uses the cloud to provide any or all infrastructure needs.
PaaS (Platform as a Service)
A computing method that uses the cloud to provide any platform-type services.
SaaS (Software as a Service)
A computing method that uses the cloud to provide application services to users.
blockchain
A concept in which an expanding list of transactional records listed in a public ledger is secured using cryptography.
separation of duties
A concept that states that duties and responsibilities should be divided among individuals to prevent ethical conflicts or abuse of powers.
downgrade attack
A cryptographic attack where the attacker exploits the need for backward compatibility to force a computer system to abandon the use of encrypted messages in favor of plaintext messages.
MD5 (Message Digest Algorithm v5)
A cryptographic hash function producing a 128-bit output.
SHA (Secure Hash Algorithm)
A cryptographic hashing algorithm created to address possible weaknesses in MDA. The current version is SHA-2.
hardware root of trust
A cryptographic module embedded within a computer system that can endorse trusted execution and attest to boot settings and metrics.
ECDHE (Elliptic Curve Diffie-Hellman Ephemeral)
A cryptographic protocol that is based on Diffie-Hellman and that provides for secure key exchange by using ephemeral keys and elliptic curve cryptography.
DHE (Diffie-Hellman Ephemeral)
A cryptographic protocol that is based on Diffie-Hellman and that provides for secure key exchange by using ephemeral keys.
DH (Diffie-Hellman)
A cryptographic technique that provides secure key exchange.
What vulnerabilities might default error messages reveal?
A default error message might reveal platform information and the workings of the code to an attacker.
tokenization
A deidentification method where a unique token is substituted for real data.
data masking
A deidentification method where generic or placeholder labels are substituted for real data while preserving the structure or format of the original data.
pinning
A deprecated method of trusting digital certificates that bypasses the CA hierarchy and chain of trust to minimize man-in-the-middle attacks.
What is a RADIUS client?
A device or server that accepts user connections, often referred to as a network access server (NAS) or as the authenticator. Using RADIUS architecture, the client does not need to be able to perform authentication itself; it performs pass-through to an AAA server.
smart card
A device similar to a credit card that can store authentication information, such as a user's private key, on an embedded microchip.
spectrum analyzer
A device that can detect the source of interference on a wireless network.
wireless controller
A device that provides wireless LAN management for multiple APs.
sensor
A device that transforms one type of energy into another (typically light into an electrical signal).
What type of scheduled Windows backup job does not clear the archive attribute?
A differential backup. This type of backup selects all new and modified data since the previous full backup. You could also mention copy backups, though these are usually ad hoc rather than scheduled.
server certificate
A digital certificate that guarantees the identity of e-commerce sites and other websites that gather and store confidential information.
You have configured a network vulnerability scanner for an engineering company. When running a scan, multiple sensors within an embedded systems network became unresponsive, causing a production shutdown. What alternative method of vulnerability scanning should be used for the embedded systems network?
A fully non-intrusive solution should be adopted, such as sniffing traffic using a network tap or mirror port. Using the network traffic to detect vulnerabilities rather than actively probing each device will not cause system stability issues (though there is greater risk of false positive and false negative results).
ADS (alternate data stream)
A function of the NT File System (NTFS) that enables multiple data streams for a single file name.
What type of dynamic testing tool would you use to check input validation on a web form?
A fuzzer can be used to submit known unsafe strings and randomized input to test whether they are made safe by input validation or not.
NAC (network access control)
A general term for the collected protocols, policies, and hardware that authenticate and authorize access to a network at the device level.
VoIP (Voice over Internet Protocol)
A generic name for protocols that carry voice traffic over data networks.
risk matrix/heat map
A graphical table indicating the likelihood and impact of risk factors identified for a workflow, project, or department for reference by stakeholders.
group account
A collection of user accounts, useful when establishing file permissions and user rights: when many individuals need the same level of access, a group can be established containing all the relevant users.
IRC (internet relay chat)
A group communications protocol that enables users to chat, send private messages, and share files.
What is the difference between security group- and role-based permissions management?
A group is simply a container for several user objects. Any organizing principle can be applied. In a role-based access control system, groups are tightly defined according to job functions. Also, a user should (logically) only possess the permissions of one role at a time.
regex (regular expression)
A group of characters that describe how to execute a specific search pattern on a given text.
VM (virtual machine)
A guest operating system installed on a host computer using virtualization software (a hypervisor), such as Microsoft Hyper-V or VMware.
TAP (test access port)
A hardware device inserted into a cable to copy frames for analysis.
router firewall
A hardware device that has the primary function of a router, but also has firewall functionality embedded into the router firmware.
RNG (random number generator)
A hardware or software component that can create values that are evenly spread over all possible values, each value being independent of any other generated values.
You are providing consultancy to a firm to help them implement smart card authentication to premises networks and cloud services. What are the main advantages of using an HSM over server-based key and certificate management services?
A hardware security module (HSM) is optimized for this role and so presents a smaller attack surface. It is designed to be tamper-evident to mitigate against insider threat risks. It is also likely to have a better implementation of a random number generator, improving the security properties of key material.
What is the process of digitally signing a message?
A hashing function is used to create a message digest. The digest is then signed using the sender's private key. The resulting signature can be decrypted by the recipient using the sender's public key and cannot be modified by any other agency. The recipient can calculate his or her own digest of the message and compare it to the signed hash to validate that the message has not been altered.
InfiniBand
A high-speed switching fabric used in SANs and data center networks.
service account
A host or network account that is designed to run a background service, rather than to log on interactively.
honeypot
A host, network (honeynet), or file (honeyfile) set up with the purpose of luring attackers away from assets of actual value and/or discovering attack strategies and weaknesses in the security configuration.
vishing
A human-based attack where the attacker extracts information while speaking over the phone or leveraging IP-based voice messaging services (VoIP).
ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge)
A knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and procedures.
Your company has been the victim of several successful phishing attempts over the past year. Attackers managed to steal credentials from these attacks and used them to compromise key systems. What vulnerability contributed to the success of these social engineers, and why?
A lack of proper user training directly contributes to the success of social engineering attempts. Attackers can easily trick users when those users are unfamiliar with the characteristics and ramifications of such deception.
VLAN (virtual local area network)
A logically separate network, created by using switching technology. Even though hosts on two VLANs may be physically connected to the same cabling, local traffic is isolated to each VLAN so they must use a router to communicate.
Why might a PIN be a particularly weak type of "something you know" authentication?
A long personal identification number (PIN) is difficult for users to remember, but a short PIN is easy to crack. A PIN can only be used safely where the number of sequential authentication attempts can be strictly limited.
hoax
A malicious communication that tricks the user into performing undesired actions, such as deleting important system files in an attempt to remove a virus, or sending money or important information.
logic bomb
A malicious program or script that is set to run under particular circumstances or in response to a defined event.
XSS (cross-site scripting)
A malicious script hosted on the attacker's site or coded in a link injected onto a trusted site designed to compromise clients browsing the trusted site, circumventing the browser's security model of trusted zones.
RFID (Radio Frequency ID)
A means of encoding information into passive tags, which can be easily attached to devices, structures, clothing, or almost anything else.
M-of-N control
A means of limiting access to critical encryption keys such as the private key of a root CA. At least M of the total number (N) of authorized individuals must be present to access the key.
entropy
A measure of disorder. Cryptographic systems should exhibit high entropy to better resist brute force attacks.
SEH (structured exception handler)
A mechanism to account for unexpected error conditions that might arise during code execution. Effective error handling reduces the chances that a program could be exploited.
TKIP (Temporal Key Integrity Protocol)
A mechanism used in the first version of WPA to improve the security of wireless encryption mechanisms, compared to the flawed WEP standard.
What type of interoperability agreement would be appropriate at the outset of two companies agreeing to work with one another?
A memorandum of understanding (MOU).
digital signature
A message digest encrypted using the sender's private key that is appended to a message to authenticate the sender and prove message integrity.
cloud computing
A method of computing that involves real-time communication over large distributed networks to provide the resources, software, data, and media needs of a user, business, or organization.
shielding
A method of counteracting signal leakage from network media (and thus eavesdropping); it can be applied to a variety of items, from a twisted-pair cable up to an entire room or building.
TRNG (true random number generator)
A method of generating random values by sampling physical phenomena that have a high rate of entropy.
LDAPS (Lightweight Directory Access Protocol Secure)
A method of implementing LDAP using SSL/TLS encryption.
packet crafting
A method of manually generating packets (instead of modifying existing network traffic) to test the behavior of network devices, enabling a hacker to enumerate firewall or intrusion detection rules that are in place.
SE (secure erase)
A method of sanitizing a drive using the ATA command set.
CE (cryptographic erase)
A method of sanitizing a self-encrypting drive by erasing the media encryption key.
authentication
A method of validating a particular entity's or individual's unique credentials.
heuristic analysis
A method that uses feature comparisons and likenesses rather than specific signature matching to identify whether the target of observation is malicious.
Metasploit Framework
A platform for launching modularized attacks against known software vulnerabilities.
Point-to-Point/Point-to-Multipoint Topology
A point-to-point topology is one where two nodes have a dedicated connection to one another. In a point-to-multipoint topology, a central node mediates links between remote nodes.
AUP (acceptable use policy)
A policy that governs employees' use of company equipment and Internet services. ISPs may also apply AUPs to their customers. Also referred to as fair use policy.
EAPoL (Extensible Authentication Protocol over LAN)
A port-based network access control (PNAC) mechanism that allows the use of EAP authentication when a host connects to an Ethernet switch.
segment
A portion of a network where all attached hosts can communicate freely with one another.
cold site
A predetermined alternate location where a network can be rebuilt after a disaster.
intranet
A private network that is only accessible by the organization's own personnel.
What is the effect of a memory leak?
A process claims memory locations but never releases them, reducing the amount of memory available to other processes. This will damage performance, could prevent other processes from starting, and if left unchecked could crash the OS.
SoC (system-on-chip)
A processor that integrates the platform functionality of multiple logical controllers onto a single chip.
SQL (Structured Query Language)
A programming and query language common to many large-scale database systems.
syslog
A protocol enabling different appliances and software applications to transmit logs or event records to a central server.
SSTP (Secure Socket Tunneling Protocol)
A protocol that uses the HTTP over SSL protocol and encapsulates an IP packet with a PPP header and then with an SSTP header.
FTP (File Transfer Protocol)
A protocol used to transfer files between network hosts. Variants include S(ecure)FTP, FTP with SSL (FTPS and FTPES) and T(rivial)FTP. FTP utilizes ports 20 and 21.
IaC (infrastructure as code)
A provisioning architecture in which deployment of resources is performed by scripted automation and orchestration.
You have been asked to monitor baseline API usage so that a rate limiter value can be set. What is the purpose of this?
A rate limiter will mitigate denial of service (DoS) attacks on the API, where a malicious entity generates millions of spurious requests to block legitimate ones. You need to establish a baseline to ensure continued availability for legitimate users by setting the rate limit at an appropriate level.
Internet header
A record of the email servers involved in transferring an email message from a sender to a recipient.
qualitative analysis
A risk analysis method that uses opinions and reasoning to measure the likelihood and impact of risk.
CVSS (Common Vulnerability Scoring System)
A risk management approach to quantifying vulnerability data and then taking into account the degree of risk to different types of systems or information.
normalization
A routine that applies a common consistent format to incoming data so that it can be processed safely. Normalization is referred to in the context of log collection and software coding.
NAT (network address translation)
A routing mechanism that conceals internal addressing schemes from the public Internet by translating between a single public address on the external side of a router and private, non-routable addresses internally.
How does elasticity differ from scalability?
A scalable system is one that responds to increased workloads by adding resources without exponentially increasing costs. An elastic system is able to assign or unassign resources as needed to match either an increased workload or a decreased workload.
session affinity
A scheduling approach used by load balancers to route traffic to devices that have already established connections with the client in question. Sometimes referred to as source IP affinity.
mantrap
A secure entry system with two gateways, only one of which is open at any one time.
vault
A secure room with walls and gateway hardened against physical assault.
VPN (virtual private network)
A secure tunnel created between two endpoints connected via an unsecure network (typically the Internet).
SFTP (Secure File Transfer Protocol)
A secure version of the File Transfer Protocol that uses a Secure Shell (SSH) tunnel as an encryption method to transfer, access, and manage files.
AAA (authentication, authorization, and accounting)
A security concept where a centralized platform verifies subject identification, ensures the subject is assigned relevant permissions, and then logs these actions to create an audit trail.
allow-listing
A security configuration where access is denied to any entity (software process, IP/domain, and so on) unless the entity appears on an allow list.
IAM (identity and access management)
A security process that provides identification, authentication, and authorization mechanisms for users, computers, and other entities to work with organizational assets like networks, operating systems, and applications.
DNSSEC (Domain Name System Security Extensions)
A security protocol that provides authentication of DNS data and upholds DNS data integrity.
TLS (Transport Layer Security)
A security protocol that uses certificates for authentication and encryption to protect web communication.
transparent proxy
A server that redirects requests and responses without the client being explicitly configured to use it. Also referred to as a forced or intercepting proxy.
broken authentication
A software vulnerability where the authentication mechanism allows an attacker to gain entry, such as displaying cleartext credentials, using weak session tokens, or permitting brute force login requests.
IPSec (Internet Protocol Security)
A set of open, non-proprietary standards that are used to secure data through authentication and encryption as the data travels across the network or the Internet.
account policies
A set of rules governing user security information, such as password expiration and uniqueness, which can be set globally.
Your consultancy includes a training segment. What type of incident response exercise will best represent a practical incident handling scenario?
A simulation exercise creates an actual intrusion scenario, with a red team performing the intrusion and a blue team attempting to identify, contain, and eradicate it.
cryptographic primitive
A single hash function, symmetric cipher, or asymmetric cipher.
EDR (endpoint detection and response)
A software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats.
IDS (intrusion detection system)
A software and/or hardware system that scans, audits, and monitors the security infrastructure for signs of attacks in progress.
content filter
A software application or gateway that filters client requests for various types of internet content (web, FTP, IM, and so on).
host-based firewall
A software application running on a single host and designed to protect only that host. Also referred to as a personal firewall.
microservices
A software architecture where components of the solution are conceived as highly decoupled services not dependent on a single platform type or technology.
SOA (service-oriented architecture)
A software architecture where components of the solution are conceived as loosely coupled services not dependent on a single platform type or technology.
What is an SDK and how does it affect secure development?
A software development kit (SDK) contains tools and code examples released by a vendor to make developing applications within a particular environment (framework, programming language, OS, and so on) easier. Any element in the SDK could contain vulnerabilities that could then be transferred to the developer's code or application.
Agile model
A software development model that focuses on iterative and incremental development to account for evolving requirements and expectations.
waterfall model
A software development model where the phases of the SDLC cascade so that each phase will start only when all tasks identified in the previous phase are complete.
firewall
A software or hardware device that protects a system or network by blocking unwanted network traffic.
DLL injection
A software vulnerability that can occur when a Windows-based application attempts to force another running application to load a Dynamic Link Library (DLL) in memory that could cause the victim application to experience instability or leak sensitive information.
pointer dereferencing
A software vulnerability that can occur when code attempts to read a memory location specified by a pointer, but the memory location is null.
race condition
A software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer.
data exposure
A software vulnerability where an attacker is able to circumvent access controls and retrieve confidential or sensitive data from the file system or database.
stream cipher
A type of symmetric encryption that combines a stream of plaintext bits or bytes with a pseudorandom stream initialized by a secret key.
BPDU guard (Bridge Protocol Data Unit guard)
A switch port security feature that disables a port. It is configured on access ports where any BPDU frames are likely to be malicious. Bridge Protocol Data Units (BPDUs) are used to communicate information about the topology and are not expected on access ports, so BPDU Guard protects against misconfiguration or a possible malicious attack.
STP (Spanning Tree Protocol)
A switching protocol that prevents network loops by dynamically disabling links as needed.
AES (Advanced Encryption Standard)
A symmetric 128-, 192-, or 256-bit block cipher based on the Rijndael algorithm developed by Belgian cryptographers Joan Daemen and Vincent Rijmen and adopted by the U.S. government as its encryption standard to replace DES.
RC4 (Rivest Cipher #4)
A symmetric stream cipher generally considered obsolete, as it does not support large key sizes and is vulnerable to several attacks.
vulnerability feed
A synchronizable list of data and scripts used to check for vulnerabilities. Also referred to as plug-ins or network vulnerability tests (NVTs).
SMS (Short Message Service)
A system for sending text messages between cell phones.
XML (eXtensible Markup Language)
A system for structuring documents so that they are human- and machine-readable. Information within the document is placed within tags, which describe how information within the document is structured.
UEBA (user and entity behavior analytics)
A system that can provide automated identification of suspicious activity by user accounts and computer hosts.
NIDS (network intrusion detection system)
A system that uses passive hardware sensors to monitor traffic on a specific segment of the network.
BIA (business impact analysis)
A systematic activity that identifies organizational risks and determines their effect on ongoing, mission critical operations.
steganography
A technique for obscuring the presence of a message, often by embedding information within a file or other entity.
failover
A technique that ensures a redundant component, device, or application can quickly and efficiently take over the functionality of an asset that has failed.
obfuscation
A technique that essentially "hides" or "camouflages" code or other information so that it is harder to read by unauthorized users.
key stretching
A technique that strengthens potentially weak input for cryptographic key generation, such as passwords or passphrases created by people, against brute-force attacks.
due process
A term used in US and UK common law to require that people only be convicted of crimes following the fair application of the laws of the land.
penetration testing
A test that uses active tools and security utilities to evaluate security by simulating an attack on a system. A pen test will verify that a threat exists, then will actively test and bypass security controls, and will finally exploit vulnerabilities on the system. Also referred to as pentesting, or pentest.
asset
A thing of economic value. For accounting purposes, assets are classified in different ways, such as tangible and intangible or short term and long term. Asset management means identifying each asset and recording its location, attributes, and value in a database.
You are assisting a customer with implementing data loss prevention (DLP) software. Of the two products left in consideration, one supports steganalysis of image data, but the other does not. What is the risk of omitting this capability?
A threat actor could conceal information within an image file and use that to bypass the DLP system. One thing to note is that attackers could find other ways to implement covertexts (audio or video, for instance) or abuse protocol coding. There are many things that steganalysis needs to be able to scan for! You might also note that steganography is not only a data exfiltration risk. It can also be used to smuggle malicious code into a host system.
block cipher
A type of symmetric encryption that encrypts data one block at a time. It is usually more secure, but is also slower, than stream ciphers.
A website owner wants to evaluate whether the site security mitigates risks from criminal syndicates, assuming no risk of insider threat. What type of penetration testing engagement will most closely simulate this adversary capability and resources?
A threat actor has no privileged information about the website configuration or security controls. This is simulated in a black box (or blind) pen test engagement.
What use is a TPM when implementing full disk encryption?
A trusted platform module provides a secure mechanism for creating and storing the key used to encrypt the data. Access to the key is provided by configuring a password. The alternative is usually to store the private key on a USB stick.
symmetric encryption
A two-way encryption scheme in which encryption and decryption are both performed by the same key. Also known as shared-key encryption.
FTPS
A type of FTP using TLS for confidentiality.
HIDS (host-based intrusion detection system)
A type of IDS that monitors a computer system for unexpected behavior or drastic changes to the system's state.
RTOS (real-time operating system)
A type of OS that prioritizes deterministic execution of operations to ensure consistent response for time-critical tasks.
mirroring
A type of RAID that uses two hard disks, providing the simplest way of protecting a single disk against failure. Data is written to both disks and can be read from either disk.
covert channel
A type of attack that subverts network security systems and policies to transfer data without authorization or detection.
masked attack
A type of brute-force password cracking that uses placeholders for predictable values based on typical user behavior when it comes to designing passwords.
PLC (programmable logic controller)
A type of computer designed for deployment in an industrial or outdoor setting that can automate and monitor mechanical systems.
phishing
A type of email-based social engineering attack, in which the attacker sends email from a supposedly reputable source, such as a bank, to try to elicit private information from the victim.
stateless
A type of firewall that does not preserve information about the connection between two hosts. Often used to describe packet-filtering firewalls.
turnstile
A type of gateway that only allows one person through at a time.
clickjacking
A type of hijacking attack that forces a user to unintentionally click a link that is embedded in or hidden by other web page elements.
domain hijacking
A type of hijacking attack where the attacker steals a domain name by altering its registration information and then transferring the domain name to another entity. Sometimes referred to as brandjacking.
SCADA (Supervisory Control and Data Acquisition)
A type of industrial control system that manages large-scale, multiple-site devices and equipment spread over geographically large areas.
worm
A type of malware that replicates in system memory and can spread over network connections rather than infecting files.
ransomware
A type of malware that tries to extort money from the victim.
air gap
A type of network isolation that physically separates a network from all other networks.
FIM (file integrity monitoring)
A type of software that reviews system files to ensure that they have not been tampered with.
session hijacking
A type of spoofing attack where the attacker disconnects a host then replaces it with his or her own machine, spoofing the original host's IP address.
load balancer
A type of switch or router that distributes client requests between different resources, such as communications links or similarly-configured servers. This provides fault tolerance and improves throughput.
VDI (virtual desktop infrastructure)
A virtualization implementation that separates the personal computing environment from a user's physical computer.
zero-day
A vulnerability in software that is unpatched by the developer or an attack that exploits such a vulnerability.
arbitrary code execution
A vulnerability that allows an attacker to run their own code or a module that exploits such a vulnerability.
remote code execution
A vulnerability that allows an attacker to transmit code from a remote host for execution on a target host or a module that exploits such a vulnerability.
vulnerability
A weakness that could be triggered accidentally or exploited intentionally to cause a security breach.
What is a WAF?
A web application firewall (WAF) is designed to protect HTTP and HTTPS applications. It can be configured with signatures of known attacks against applications, such as injection-based attacks or scanning attacks.
file inclusion
A web application vulnerability that allows an attacker either to download a file from an arbitrary location on the host file system or to upload an executable or script file to open a backdoor.
captive portal
A web page or website to which a client is redirected before being granted full network access.
Wireshark
A widely-used packet analyzer.
visualization
A widget showing records or metrics in a visual format, such as a graph or table.
Faraday cage
A wire mesh container that blocks external electromagnetic fields from entering into the container.
evil twin
A wireless access point that deceives users into believing that it is a legitimate network access point.
bluesnarfing
A wireless attack where an attacker gains access to unauthorized information on a device using a Bluetooth connection.
IV attack (Initialization Vector Attack)
A wireless attack where the attacker is able to predict or control the IV of an encryption process, thus giving the attacker access to view the encrypted data that is supposed to be hidden from everyone else except the user or network.
Internet Zone
A zone permitting anonymous access (or perhaps a mix of anonymous and authenticated access) by untrusted hosts over the Internet.
PDU (power distribution unit)
Advanced strip socket that provides filtered output voltage. A managed unit supports remote administration.
NGFW (next generation firewall)
Advances in firewall technology, from app awareness, user-based filtering, and intrusion prevention to cloud inspection. Also referred to as layer 7 firewall.
routing protocols
Allows a router to perform dynamic updates to its routing table based on route data exchanged with other routers.
OCSP (online certificate status protocol)
Allows clients to request the status of a digital certificate, to check whether it is revoked.
TACACS+ (Terminal Access Controller Access Control System Plus)
An AAA protocol developed by Cisco that is often used to authenticate to administrator accounts for network appliance management.
EAP-TTLS (EAP Tunneled Transport Layer Security)
An EAP method that enables a client and server to establish a secure connection without mandating a client-side certificate.
EAP-FAST (EAP Flexible Authentication via Secure Tunneling)
An EAP method that is expected to address the shortcomings of LEAP.
EAP-TLS (EAP Transport Layer Security)
An EAP method that requires server-side and client-side certificates for authentication using SSL/TLS.
IPS (intrusion prevention system)
An IDS that can actively block attacks.
exception handling
An application vulnerability that is defined by how an application responds to unexpected errors that can lead to holes in the security of an app.
In what two ways can an IP address be used for context-based authentication?
An IP address can represent a logical location (subnet) on a private network. Most types of public IP address can be linked to a geographical location, based on information published by the registrant that manages that block of IP address space.
ITIL (IT Infrastructure Library)
An IT best practice framework, emphasizing the alignment of IT Service Management (ITSM) with business needs. ITIL was first developed in 1989 by the UK government and the ITIL v3 2011 edition is now marketed by AXELOS.
certificate
An X.509 digital certificate is issued by a Certificate Authority (CA) as a guarantee that a public key it has issued to an organization to encrypt messages sent to it genuinely belongs to that organization.
digital certificate
An X.509 digital certificate is issued by a Certificate Authority (CA) as a guarantee that a public key it has issued to an organization to encrypt messages sent to it genuinely belongs to that organization.
SAML (Security Assertion Markup Language)
An XML-based data format used to exchange authentication information between a client and a service.
SOAP (Simple Object Access Protocol)
An XML-based web services protocol that is used to exchange messages.
RBAC (role-based access control)
An access control model where resources are protected by ACLs that are managed by administrators and that provide user permissions based on job functions.
context-aware authentication
An access control scheme that verifies an object's identity based on various environmental factors, like time, location, and behavior.
ABAC (attribute-based access control)
An access control technique that evaluates a set of attributes that each subject possesses to determine if access should be granted.
thin AP
An access point that requires a wireless controller in order to function.
What is the difference between locked and disabled accounts?
An account enters a locked state because of a policy violation, such as an incorrect password being entered repeatedly. Lockout is usually applied for a limited duration. An account is usually disabled manually, using the account properties. A disabled account can only be re-enabled manually.
shared account
An account with no credential (guest) or one where the credential is known to multiple persons.
UAV (unmanned aerial vehicle)
An aircraft or drone that does not require an onboard human pilot.
HOTP (HMAC-based One-time Password)
An algorithm that generates a one-time password using a hash-based authentication code to verify the authenticity of the message.
LLR (lessons learned report)
An analysis of events that can provide insight into how to improve response processes in the future. Also called an after action report (AAR).
HSM (hardware security module)
An appliance for generating and storing cryptographic keys. This sort of solution may be less susceptible to tampering and insider threats than software-based storage.
SWG (secure web gateway)
An appliance or proxy server that mediates client connections with the Internet by filtering spam and malware and enforcing access restrictions on types of sites visited, time spent, and bandwidth consumed.
directory traversal
An application attack that allows access to commands, files, and directories that may or may not be connected to the web document root directory.
LDAP injection
An application attack that targets web-based applications by fabricating LDAP statements that are typically created by user input.
typosquatting
An attack—also called URL hijacking—in which an attacker registers a domain name with a common misspelling of an existing domain, so that a user who misspells a URL they enter into a browser is taken to the attacker's website.
OIDC (OpenID Connect)
An authentication layer that sits on top of the OAuth 2.0 authorization protocol.
MFA (multifactor authentication)
An authentication scheme that requires the user to present at least two different factors as credentials, from something you know, something you have, something you are, something you do, and somewhere you are. Specifying two factors is known as 2FA.
SSO (single sign-on)
An authentication technology that enables a user to authenticate once and receive authorizations for multiple services.
runbook
An automated version of a playbook that leaves clearly defined interaction points for human analysis.
S/MIME (Secure/Multipurpose Internet Mail Extensions)
An email encryption standard that adds digital signatures and public key cryptography to traditional MIME communications.
counter mode
An encryption mode of operation where a numerical counter value is used to create a constantly changing IV. Also referred to as CTM (counter mode) and CM (counter mode).
CCMP (counter mode with cipher block chaining message authentication code protocol)
An encryption protocol used for wireless LANs that addresses the vulnerabilities of the WEP protocol.
passive scan
An enumeration or vulnerability scan that analyzes only intercepted network traffic rather than sending probes to a target. More generally, passive reconnaissance techniques are those that do not require direct interaction with the target.
vulnerability assessment
An evaluation of a system's security and ability to meet compliance requirements based on the configuration state of the system, as represented by information collected from the system.
pharming
An impersonation attack in which a request for a website, typically an e-commerce site, is redirected to a similar-looking, but fake, website.
data custodian
An individual who is responsible for managing the system on which data assets are stored, including being responsible for enforcing access control, encryption, and backup/recovery measures.
privacy officer
An individual who is responsible for overseeing the proper handling of PII.
OATH (Initiative for Open Authentication)
An industry body comprising the main PKI providers, such as Verisign and Entrust, that was established with the aim of developing an open, strong authentication framework.
clean desk policy
An organizational policy that mandates employee work areas be free from potentially sensitive information; sensitive documents must not be left out where unauthorized personnel might see them.
classification
An organizational scheme for identifying the relative security level of a data resource or documentation.
Which two components are required to ensure power redundancy for a blackout period extending over 24 hours?
An uninterruptible power supply (UPS) is required to provide failover for the initial blackout event, before switching over to a standby generator to supply power over a longer period.
TTP (tactics, techniques, and procedures)
Analysis of historical cyber-attacks and adversary actions.
protocol analysis
Analysis of per-protocol utilization statistics in a packet capture or network traffic sampling.
packet analysis
Analysis of the headers and payload data of one or more frames in captured network traffic.
post-quantum
Anticipating challenges to current cryptographic implementations and general security issues in a world where threat actors have access to significant quantum processing capability.
algorithm
Any defined method of performing a process, but in encryption, the term specifically refers to the technique used to encrypt a message. Also referred to as cipher.
MFD / MFP (Multifunction Device/Multifunction Printer)
Any device that performs more than one function, but typically print devices that can also scan and fax.
ISA (interconnection security agreement)
Any federal agency interconnecting its IT system to a third party must create an ISA to govern the relationship. An ISA sets out a security risk awareness process and commits the agency and supplier to implementing security controls.
key exchange
Any method by which cryptographic keys are transferred among users, thus enabling the use of a cryptographic algorithm.
Why should detailed vendor and product assessments be required before allowing the use of IoT devices in the enterprise?
As systems with considerable computing and networking functionality, these devices are subject to the same sort of vulnerabilities and exploits as ordinary workstations and laptops. It is critical to assess the vendor's policies in terms of the security design for the product and support for identifying and mitigating any vulnerabilities discovered in its use.
OSI reference model (Open Systems Interconnection reference model)
Assigns network and hardware components and functions at seven discrete layers: Physical, Data Link, Network, Transport, Session, Presentation, and Application.
XML injection
Attack method where malicious XML is passed as input to exploit a vulnerability in the target app.
network monitoring
Auditing software that collects status and configuration information from network devices. Many products are based on the Simple Network Management Protocol (SNMP).
What is the difference between authorization and authentication?
Authorization means granting the account that has been configured for the user on the computer system the right to make use of a resource. Authorization manages the privileges granted on the resource. Authentication protects the validity of the user account by testing that the person accessing that account is who she/he says she/he is.
replication
Automatically copying data between two processing systems either simultaneously on both systems (synchronous) or from a primary to a secondary location (asynchronous).
Which protocol protects the contents of a VoIP conversation from eavesdropping?
Encrypted VoIP data is carried over the Secure Real-time Transport Protocol (SRTP).
deidentification
In data protection, methods and technologies that remove identifying information from data before it is distributed.
What is the principal risk of deploying an intrusion prevention system with behavior-based detection?
Behavior-based detection can exhibit high false positive rates, where legitimate activity is wrongly identified as malicious. With automatic prevention, this will block many legitimate users and hosts from the network, causing availability and support issues.
FRR (false rejection rate)
Biometric assessment metric that measures the number of valid subjects who are denied access.
crossover error rate
Biometric evaluation factor expressing the point at which FAR and FRR meet, with a low value indicating better performance.
What is usually the purpose of the default rule on a firewall?
Block any traffic not specifically allowed (implicit deny).
Chuck, a sales executive, is attending meetings at a professional conference that is also being attended by representatives of other companies in his field. At the conference, he uses his smartphone with a Bluetooth headset to stay in touch with clients. A few days after the conference, he finds that competitors' sales representatives are getting in touch with his key contacts and influencing them by revealing what he thought was private information from his email and calendar. Chuck is a victim of which wireless threat?
Bluesnarfing
password spraying
Brute force attack in which multiple user accounts are tested with a dictionary of common passwords.
credential stuffing
Brute force attack in which stolen user account names and passwords are tested against multiple websites.
HVAC (heating, ventilation, air conditioning)
Building control systems that maintain an optimum heating, cooling, and humidity level for the working environment in different parts of the building.
port mirroring
Copying ingress and/or egress communications from one or more switch ports to another port. This is used to monitor communications passing over the switch. Also referred to as switched port analyzer (SPAN).
virus
Code designed to infect computer files (or disks) when it is activated.
dead code
Code in an application that is redundant because it will never be called within the logic of the program flow.
compiled code
Code that is converted from high-level programming language source code into lower-level code that can then be directly executed by the system.
error handling
Coding methods to anticipate and deal with exceptions thrown during execution of a process.
SDK (software development kit)
Coding resources provided by a vendor to assist with development projects that use their platform or API.
insecure object reference
Coding vulnerability where unvalidated input is used to select a resource object, such as a file or database.
imaging
Copying the structure and contents of a physical disk device or logical volume to a single file, using a tool such as dd.
provenance
In digital forensics, being able to trace the source of evidence to a crime scene and show that it has not been tampered with.
What configuration change could you make to prevent misuse of a developer account?
Change the password.
LEAP (Lightweight Extensible Authentication Protocol)
Cisco Systems' proprietary EAP implementation.
cloud deployment model
Classifying the ownership and management of a cloud as public, private, community, or hybrid.
cloud service model
Classifying the provision of cloud services and the limit of the cloud service provider's responsibility as software, platform, infrastructure, and so on.
PAN (personal area network)
Close range networking (usually based on Bluetooth or NFC) allowing communications between personal devices, such as smartphones, laptops, and printers/peripheral devices.
A small company that you provide security consulting support to has resisted investing in an event management and threat intelligence platform. The CEO has become concerned about an APT risk known to target supply chains within the company's industry sector and wants you to scan their systems for any sign that they have been targeted already. What are the additional challenges of meeting this request, given the lack of investment?
Collecting network traffic and log data from multiple sources and then analyzing it manually will require many hours of analyst time. The use of threat feeds and intelligence fusion to automate parts of this analysis effort would enable a much swifter response.
route
Command utility to configure and manage the routing table on a Windows or Linux host.
hashcat
Command-line tool used to perform brute force and dictionary attacks against password hashes.
ping command
Command-line utility for testing an IP packet transmission.
echo
Command-line utility used to display messages and turn command echoing on or off.
acquisition
Computer forensics procedures and tools for collecting and validating digital evidence.
shadow IT
Computer hardware, software, or services used on a private network without authorization from the system owner.
wearable technology
Computing devices integrated into wearable items, such as bands, watches, and glasses. Most are focused on providing information and contact management via the Internet and many incorporate health and fitness monitoring. Some examples include Fitness Monitor, Smart Glasses, and Smart Watch.
Which security property is assured by symmetric encryption?
Confidentiality—symmetric ciphers are generally fast and well suited to bulk encrypting large amounts of data.
What are the risks of not having a documented IP schema?
Configuration errors are more likely, especially where complex access control lists (ACLs) and security monitoring sensor deployment is required.
VM sprawl (virtual machine sprawl)
Configuration vulnerability where provisioning and deprovisioning of virtual assets is not properly authorized and monitored.
What steps should you take to secure an SNMPv2 service?
Configure strong community names and use access control lists to restrict management operations to known hosts.
Which life cycle process manages continuous release of code to the production environment?
Continuous deployment.
What is control risk?
Control risk arises when a security control is ineffective at mitigating the impact and/or likelihood of the risk factor it was deployed to mitigate. The control might not work as hoped, or it might become less effective over time.
physical access controls
Controls that restrict, detect, and monitor access to specific physical areas or assets through measures such as physical barriers, physical tokens, or biometric access controls.
What is DNS server cache poisoning?
Corrupting the records of a DNS server to point traffic destined for a legitimate domain to a malicious IP address.
What is secure staging?
Creating secure development environments for the different phases of a software development project (initial development server, test/integration server, staging [user test] server, production server).
east-west traffic
Design paradigm accounting for the fact that data center traffic between servers is greater than that passing in and out (north-south).
IPFIX (IP Flow Information Export)
Standards-based version of the NetFlow framework.
PII (personally identifiable information)
Data that can be used to identify or contact an individual (or in the case of identity theft, to impersonate them).
You are preparing a briefing paper for customers on the organizational consequences of data and privacy breaches. You have completed sections for reputation damage, identity theft, and IP theft. Following the CompTIA Security+ objectives, what other section should you add?
Data and privacy breaches can lead legislators or regulators to impose fines. In some cases, these fines can be substantial (calculated as a percentage of turnover).
financial information
Data held about bank and investment accounts, plus information such as payroll and tax returns.
To what data state does a trusted execution environment apply data protection?
Data in processing/data in use.
cable lock
Devices can be physically secured against theft using cable ties and padlocks. Some systems also feature lockable faceplates, preventing access to the power switch and removable drives.
sentiment analysis
Devising an AI/ML algorithm that can describe or classify the intention expressed in natural language statements.
tracert/traceroute command
Diagnostic utilities that trace the route taken by a packet as it "hops" to the destination host on a remote network. tracert is the Windows implementation, while traceroute runs on Linux.
macro
Document scripting engine that allows recording or coding of automated actions.
card cloning
Duplicating a smart card by reading (or skimming) the confidential data stored on it. Also known as skimming.
You want to deploy a wireless network where only clients with domain-issued digital certificates can join the network. What type of authentication mechanism is suitable?
EAP-TLS is the best choice because it requires that both server and client be installed with valid certificates.
A company that manages marketing data and private information for many high-profile clients hosts a public event for prospective employees. With the possibility of social engineering attacks in mind, what precautions should employees take when the guests are being shown around the office?
Employees should specifically be wary of shoulder surfing attempts to observe passwords and the like.
How could you prevent a malicious attacker from engineering a switching loop from a host connected to a standard switch port?
Enable the appropriate guards (portfast and BPDU Guard) on access ports.
FDE (full disk encryption)
Encryption of all data on a disk (including system files, temporary files, and the pagefile) can be accomplished via a supported OS, third-party software, or at the controller level by the disk device itself.
MAM (mobile application management)
Enterprise management function that enables control over apps and storage for mobile devices and other endpoints.
CASB (cloud access security broker)
Enterprise management software designed to mediate access to cloud services by users across all types of devices.
What is a cloud access security broker (CASB)?
Enterprise management software mediating access to cloud services by users to enforce information and access policies and audit usage.
CYOD (choose your own device)
Enterprise mobile device provisioning model where employees are offered a selection of corporate devices for work and, optionally, private use.
COBO (corporate owned, business only)
Enterprise mobile device provisioning model where the device is the property of the organization and personal use is prohibited.
COPE (corporate owned, personally enabled)
Enterprise mobile device provisioning model where the device remains the property of the organization, but certain personal use, such as private email, social networking, and web browsing, is permitted.
UEM (unified endpoint management)
Enterprise software for controlling device settings, apps, and corporate data storage on all types of fixed, mobile, and IoT computing devices.
What is the relevance of entropy to cryptographic functions?
Entropy is a measure of how disordered something is. A disordered ciphertext is desirable, because remaining features of order from the plaintext make the ciphertext vulnerable to analysis. Identical plaintexts need to be initialized with random or counter values when encrypted by the same key, and the cryptosystem needs a source of randomness to generate strong keys.
Apart from cost, what would you consider to be the major considerations for evaluating a biometric recognition technology?
Error rates (false acceptance and false rejection), throughput, and whether users will accept the technology or reject it as too intrusive or threatening to privacy.
You are advising a customer about encryption for data backup security and the key escrow services that you offer. How should you explain the risks of key escrow and potential mitigations?
Escrow refers to archiving the key used to encrypt the customer's backups with your company as a third party. The risk is that an insider attack from your company may be able to decrypt the data backups. This risk can be mitigated by requiring M-of-N access to the escrow keys, reducing the risk of a rogue administrator.
True or false? The contents of the HOSTS file are irrelevant as long as a DNS service is properly configured.
False (probably)—the contents of the HOSTS file are written to the DNS cache on startup. It is possible to edit the registry to prioritize DNS over HOSTS, though.
True or False? As they protect data at the highest layer of the protocol stack, application-based firewalls have no basic packet filtering functionality.
False. All firewall types can perform basic packet filtering (by IP address, protocol type, port number, and so on).
True or false? A customer is limited to creating one VPC per account.
False. There are limits to the number of virtual private clouds (VPCs) that can be created, but more than one is allowed.
True or false? The account with which you register for the CSP services is not an account with root privileges.
False. This account is the root account and has full privileges. It should not be used for day-to-day administration or configuration.
True or false? Serverless means running computer code on embedded systems.
False. With serverless, the provision of functions running in containers is abstracted from the underlying server hardware. The point is that as a consumer, you do not perform any server management. The servers are still present, but they are operated and maintained by the cloud service provider.
True or false? An account requiring a password, PIN, and smart card is an example of three-factor authentication.
False—Three-factor authentication also includes a biometric-, behavioral-, or location-based element. The password and PIN elements are the same factor (something you know).
True or false? A TLS VPN can only provide access to web-based network resources.
False—a Transport Layer Security (TLS) VPN uses TLS to encapsulate the private network data and tunnel it over the network. The private network data could be frames or IP-level packets and is not constrained by application-layer protocol type.
True or false? Only Microsoft's operating systems and applications require security patches.
False—any vendor's or open-source software or firmware can contain vulnerabilities that need patching.
True or false? Band selection has a critical impact on all aspects of the security of a wireless network.
False—band selection can affect availability and performance but does not have an impact in terms of either confidentiality or integrity.
True or false? SOAR is intended to provide wholly automated incident response solutions.
False—incident response is too complex to be wholly automated. SOAR assists the provision of runbooks, which orchestrate the sequence of response and automate parts of it, but still requires decision-making from a human responder.
True or false? In order to create a service ticket, Kerberos passes the user's password to the target application server for authentication.
False—only the KDC verifies the user credential. The Ticket Granting Service (TGS) sends the user's account details (SID) to the target application for authorization (allocation of permissions), not authentication.
True or false? The "first responder" is whoever first reports an incident to the CIRT.
False—the first responder would be the member of the CIRT to handle the report.
True or false? Cryptography is about keeping things secret so they cannot be used as the basis of a non-repudiation system.
False—the usages are not exclusive. There are different types of cryptography and some can be used for non-repudiation. The principle is that if an encryption method (cipher and key) is known only to one person, that person cannot then deny having composed a message. This depends on the algorithm design allowing recipients to decrypt the message but not encrypt it.
True or false? While fully customizable by the customer, embedded systems are based on either the Raspberry Pi or the Arduino design.
False—these are examples of one-board computers based on the system on chip (SoC) design. They are widely used in education (and leisure). Some are used for industrial applications or for proof-of-concept designs, but most embedded systems are manufactured to specific requirements.
data sovereignty
In data protection, the principle that countries and states may impose individual requirements on data collected or stored within their jurisdiction.
P7B
File format for transmitting a chain of digital certificates, using PKCS#7.
fire suppression
Fire detection and suppression systems are mandatory in most public and private commercial premises. Water-based fire suppression is a risk to computer systems, both in the event of fire and through the risk of flood. Alternatives include dry pipe and gas-based systems.
You are supporting a SIEM deployment at a customer's location. The customer wants to know whether flow records can be ingested. What type of data source is a flow record?
Flow records are generated by NetFlow or IP Flow Information Export (IPFIX) probes. A flow record is data that matches a flow label, which is a particular combination of keys (IP endpoints and protocol/port types).
PKI (public key infrastructure)
Framework of certificate authorities, digital certificates, software, services, and other cryptographic components deployed for the purpose of validating subject identities.
What type of bulk encryption cipher mode of operation offers the best security?
Generally, counter modes implementing Authenticated Encryption with Additional Data (AEAD). Specific examples include AES-GCM and ChaCha20-Poly1305.
What mechanism does HPKP implement?
HTTP Public Key Pinning (HPKP) ensures that when a client inspects the certificate presented by a server or a code-signed application, it is inspecting the proper certificate by submitting one or more public keys to an HTTP browser via an HTTP header.
Which response header provides protection against SSL stripping attacks?
HTTP Strict Transport Security (HSTS).
vulnerability scanner
Hardware or software configured with a list of known weaknesses and exploits and can scan for their presence in a host OS or particular application.
USB data blocker (Universal Serial Bus data blocker)
Hardware plug to prevent malicious data transfer when a device is plugged into a USB charging point.
For which types of system will a cipher suite that exhibits high latency be problematic?
High latency is not desirable in any system really, but it will affect real-time protocols that exchange voice or video most. In network communications, latency makes the initial protocol handshake longer, meaning delay for users and possible application timeout issues.
FC (Fibre Channel)
High speed network communications protocol used to implement SANs.
Python
High-level programming language that is widely used for automation.
Which cryptographic technology is most useful for sharing medical records with an analytics company?
Homomorphic encryption allows calculations to be performed while preserving privacy and confidentiality by keeping the data encrypted.
Which terms are used to discuss levels of site resiliency?
Hot, warm, and cold sites, referring to the speed with which a site can failover.
loop protection
If broadcast traffic is allowed to continually loop around a network, the number of broadcast packets increases exponentially, crashing the network. Loop protection in switches (such as Spanning Tree Protocol), and in routers (Time To Live for instance) is designed to prevent this.
mode of operation
Implementation of a block symmetric cipher, with some modes allowing secure encryption of a stream of data, with or without authentication for each block.
PBKDF2 (Password-Based Key Derivation Function #2)
Implementation of key stretching to make potentially weak input used to derive a cryptographic key, such as short passwords, less susceptible to brute force attacks.
ECDSA (Elliptic Curve Digital Signature Algorithm)
Implementation of the DSA cipher that uses the ECC algorithm.
data minimization
In data protection, the principle that only necessary and sufficient personal information can be collected and processed for the stated purpose.
purpose limitation
In data protection, the principle that personal information can be collected and processed only for a stated purpose to which the subject has consented.
timeline
In digital forensics, a tool that shows the sequence of file system events within a source image in a graphical format.
supplicant
In EAP architecture, the device requesting access to the network.
risk-based framework
In ESA, a framework that uses risk assessment to prioritize security control selection and investment.
switch
In Ethernet, a networking device that receives incoming data, reviews the destination MAC address against an internal address table, and sends the data out through the port that contains the destination MAC address.
TGT (ticket granting ticket)
In Kerberos, a token issued to an authenticated account to allow access to authorized application servers.
offline CA (offline certificate authority)
In PKI, a CA (typically the root CA) that has been disconnected from the network to protect it from compromise.
online CA (online certificate authority)
In PKI, a CA that is available to accept and process certificate signing requests, publish certificate revocation lists, and perform other certificate management tasks.
root CA (root certificate authority)
In PKI, a CA that issues certificates to intermediate CAs in a hierarchical structure.
RA (recovery agent)
In PKI, an account or combination of accounts that can copy a cryptographic key from backup or escrow and restore it to a subject host or user.
RA (registration authority)
In PKI, an authority that accepts requests for digital certificates and authenticates the entities making those requests.
heat map
In a Wi-Fi site survey, a diagram showing signal strength at different locations.
IdP (identity provider)
In a federated network, the service that holds the user account and performs authentication.
tuples
In a firewall rule, a related set of parameters that describe the rule and the traffic it is designed to allow or block.
You are agreeing a proposal to run a series of team-based exercises to test security controls under different scenarios. You propose using purple team testing, but the contracting company is only familiar with the concept of red and blue teams. What is the advantage of running a purple team exercise?
In a red versus blue team, there is no contact between the teams, and no opportunity to collaborate on improving security controls. In a purple team exercise, there is regular contact and knowledge sharing between the teams throughout the progression of the exercise.
server-side
In a web application, input data that is executed or validated as part of a script or process running on the server.
idempotence
In an IaC architecture, the property that an automation or orchestration action always produces the same result, regardless of the component's previous state.
private key
In asymmetric encryption, the private key is known only to the holder and is linked to, but not derivable from, a public key distributed to those with which the holder wants to communicate securely. A private key can be used to encrypt data that can be decrypted by the linked public key or vice versa.
compute
In cloud architecture, the resources that provide processing functionality and services, often in the context of an isolated container or VM.
transit gateway
In cloud computing, a virtual router deployed to facilitate connections between VPC subnets and VPN gateways.
ephemeral
In cryptography, a key that is used within the context of a single session only.
key
In cryptography, a specific piece of information that is used in conjunction with an algorithm to perform encryption and decryption.
collision
In cryptography, the act of two different plaintext inputs producing the same exact ciphertext output.
Which part of a simple cryptographic system must be kept secret—the cipher, the ciphertext, or the key?
In cryptography, the security of the message is guaranteed by the security of the key. The system does not depend on hiding the algorithm or the message (security by obscurity).
persistence
In cybersecurity, the ability of a threat actor to maintain covert access to a target host or network.
persistence (load balancing)
In load balancing, the configuration option that enables a client to maintain a connection with a load-balanced server over the duration of the session. Also referred to as sticky sessions.
How does a subject go about obtaining a certificate from a CA?
In most cases, the subject generates a key pair then adds the public key along with subject information and certificate type in a certificate signing request (CSR) and submits it to the CA. If the CA accepts the request, it generates a certificate with the appropriate key usage and validity, signs it, and transmits it to the subject.
zone
In networking infrastructure, an area of a network where the security configuration is the same for all hosts within it. In physical security, an area separated by barriers that control entry and exit points.
ARO (annual rate of occurrence)
In risk calculation, an expression of the probability/likelihood of a risk as the number of times per year a particular loss is expected to occur.
likelihood
In risk calculation, the chance of a threat being realized, expressed as a percentage.
magnitude
In risk calculation, the cost of a security incident or disaster scenario. Also referred to as impact.
EF (exposure factor)
In risk calculation, the percentage of an asset's value that would be lost during a security incident or disaster scenario.
risk avoidance
In risk mitigation, the practice of ceasing activity that presents risk.
risk deterrence
In risk mitigation, the response of deploying security controls to reduce the likelihood and/or impact of a threat scenario. Also referred to as risk reduction.
risk transference
In risk mitigation, the response of moving or sharing the responsibility of risk to another entity, such as by purchasing cybersecurity insurance.
false negative
In security scanning, a case that is not reported when it should be.
false positive
In security scanning, a case that is reported when it should not be.
staging
In software development, a user acceptance testing environment that is a copy of the production environment.
KEK (key encryption key)
In storage encryption, the private key that is used to encrypt the symmetric bulk media encryption key (MEK). This means that a user must authenticate to decrypt the MEK and access the media.
escalation
In the context of incident response and breach reporting, escalation is the process of involving expert and senior staff to assist in problem management.
reflected DoS attack
In this attack, a forged source IP address is used when sending requests to a large number of computers. This causes those systems to send a reply to the target system, causing a DoS condition.
persistence (threat)
In threat analysis, the ability of a threat actor to maintain access to a host through system shut down, reboot, or log off events.
maneuver
In threat hunting, the concept that threat actor and defender may use deception or counterattacking strategies to gain positional advantage.
abnormal process behavior
Indicators that a legitimate process has been corrupted with malicious code for the purpose of damaging or compromising the system.
state table
Information about sessions between hosts that is gathered by a stateful firewall.
proprietary information
Information created by an organization, typically about the products or services that it makes or provides.
metadata
Information stored or recorded as a property of an object, state of a system, or transaction.
PHI (protected/personal health information)
Information that identifies someone as the subject of medical and insurance records, plus associated hospital and laboratory test results.
data in transit
Information that is being transmitted between two hosts, such as over a private network or the Internet. Also referred to as data in motion.
data in processing
Information that is present in the volatile memory of a host, such as system memory or cache.
data at rest
Information that is primarily stored on specific media, rather than moving from one medium to another.
A company's web services are suffering performance issues because updates keep failing to run on certain systems. What type of architecture could address this issue?
Infrastructure as Code (IaC) means that provisioning is performed entirely from standard scripts and configuration data. The absence of manual configuration adjustments or ad hoc scripts to change settings is designed to eliminate configuration drift so that updates run consistently between the development and production environments.
HMI (human-machine interface)
Input and output controls on a PLC to allow a user to configure and monitor the system.
What type of programming practice defends against injection-style attacks, such as inserting SQL commands into a database application from a site search form?
Input validation provides some mitigation against this type of input being passed to an application via a user form. Output encoding could provide another layer of protection by checking that the query that the script passes to the database is safe.
CCTV (closed-circuit television)
Installation of video cameras to supply security monitoring data to a centralized management station.
What sort of maintenance must be performed on signature-based monitoring software?
Installing definition/signature updates and removing definitions that are not relevant to the hosts or services running on your network.
DPO (data privacy officer)
Institutional data governance role with responsibility for compliant collection and processing of personal and sensitive data.
Describe some key considerations that should be made when hosting data or systems via a cloud solutions provider.
Integrate auditing and monitoring procedures and systems with on-premises detection, identify responsibility for implementing security controls (such as patching or backup), identify performance metrics in an SLA, and assess risks to privacy and confidentiality from breaches at the service provider.
For what type of account would interactive logon be disabled?
Interactive logon refers to starting a shell. Service accounts do not require this type of access. Default superuser accounts, such as Administrator and root, may also be disabled, or limited to use in system recovery or repair.
Which type of eye recognition is easier to perform: retinal or iris scanning?
Iris scans are simpler.
What are the advantages of a decentralized, discretionary access control policy over a mandatory access control policy?
It is easier for users to adjust the policy to fit changing business needs. Centralized policies can easily become inflexible and bureaucratic.
What are the potential consequences if a company loses control of a private key?
It puts both data confidentiality and identification and authentication systems at risk. Depending on the key usage, the key may be used to decrypt data with authorization. The key could also be used to impersonate a user or computer account.
What field provides traffic marking for a QoS system at layer 3?
Layer 3 refers to the DiffServ field in the IP header.
What physical site security controls act as deterrents?
Lighting is one of the most effective deterrents. Any highly visible security control (guards, fences, dogs, barricades, CCTV, signage, and so on) will act as a deterrent.
chmod
Linux command for managing file permissions.
grep command
Linux command for searching and filtering input. This can be used as a file search tool when combined with ls.
dd command
Linux command that makes a bit-by-bit copy of an input file, typically used for disk imaging.
cat command
Linux command to view and combine (concatenate) files.
memdump command
Linux utility developed as part of the Coroner's Toolkit to dump system memory data to a file.
head command
Linux utility for showing the first lines in a file.
Z-Wave
Low-power wireless communications protocol used primarily for home automation. Z-Wave uses radio frequencies in the high 800 to low 900 MHz and a mesh topology.
Which attack framework provides descriptions of specific TTPs?
MITRE's ATT&CK framework.
What security controls might be used to implement protected distribution of cabling?
Make conduit physically difficult to access, use alarms to detect attempts to interfere with conduit, and use shielded cabling.
VSS (volume snapshot service (shadow copy))
Makes snapshot backups of files even if they are open. It is used for Windows backup and the System Restore and Previous Versions features.
commodity malware
Malicious software applications that are widely available for sale or easily obtainable and usable.
keylogger
Malicious software or hardware that can record user keystrokes.
RAT (remote access Trojan)
Malware that creates a backdoor remote administration channel to allow a threat actor to access and control the infected host.
PAT (port address translation)
Maps private host IP addresses onto a single public IP address. Each host is tracked by assigning it a random high TCP port for communications. Also referred to as network address port translation (NAPT) and as NAT overloading.
trapdoor functions
Mathematical ciphers that use an operation which is simple to perform one way when all of the values are known, but is difficult to reverse.
GPS (Global Positioning System)
Means of determining a receiver's position on the Earth based on information received from GPS satellites. The receiver must have line-of-sight to the GPS satellites.
percent encoding
Mechanism for encoding characters as hexadecimal values delimited by the percent sign.
push notification
Mechanism to send text messages to a browser or mobile device.
stapling
Mechanism used to mitigate performance and privacy issues when requesting certificate status from an OCSP responder.
A company has been using a custom-developed client-server application for customer management, accessed from remote sites over a VPN. Rapid overseas growth has led to numerous complaints from employees that the system suffers many outages and cannot cope with the increased number of users and access by client devices such as smartphones. What type of architecture could produce a solution that is more scalable?
Microservices is a suitable architecture for replacing monolithic client-server applications that do not meet the needs of geographically diverse, mobile workforces. By breaking the application up into microservice components and hosting these in cloud containers, performance can scale to demand. Web-based APIs are better suited to browser-based access on different device types.
RDP (Remote Desktop Protocol)
Microsoft's protocol for operating remote connections to a Windows machine (Terminal Services), allowing specified users to log onto the Windows computer over the network and work remotely. The protocol sends screen data from the remote host to the client and transfers mouse and keyboard input from the client to the remote host. It uses TCP port 3389.
password sniffing
Monitoring network transmissions for user credentials sent as cleartext or as cryptographic hashes.
Why might forcing users to change their password every month be counterproductive?
More users would forget their password, try to select unsecure ones, or write them down/record them in a non-secure way (like a sticky note).
Why are many network DoS attacks distributed?
Most attacks depend on overwhelming the victim. This typically requires a large number of hosts, or bots.
Which software tool is most appropriate for forwarding Windows event logs to a Syslog-compatible server?
NXlog is designed as a multi-platform logging system.
RSA (Rivest Shamir Adleman)
Named for its designers, Ronald Rivest, Adi Shamir, and Len Adleman, the first successful algorithm for public key encryption with a variable key length and block size.
What low-level networking feature will facilitate a segmentation-based approach to containing intrusion events?
Network segmentation is primarily achieved by virtual LANs (VLANs). A VLAN can be isolated from the rest of the network.
Is WPS a suitable authentication method for enterprise networks?
No, an enterprise network will use RADIUS authentication. WPS uses PSK and there are weaknesses in the protocol.
Does Syslog perform all the functions of a SIEM?
No, syslog allows remote hosts to send logs to a server, but syslog does not aggregate/normalize the log data or run correlation rules to identify alertable events.
You must recover the contents of the ARP cache as vital evidence of a man-in-the-middle attack. Should you shut down the PC and image the hard drive to preserve it?
No, the ARP cache is stored in memory and will be discarded when the computer is powered off. You can either dump the system memory or run the arp utility and make a screenshot. In either case, make sure that you record the process and explain your actions.
A user maintains a list of commonly used passwords in a file located deep within the computer's directory structure. Is this secure password management?
No. This is security by obscurity. The file could probably be easily discovered using search tools.
What countermeasures can you use against the threat of malicious firmware code?
Only use reputable suppliers for peripheral devices and strictly controlled sources for firmware updates. Consider use of a sheep dip sandboxed system to observe a device before allowing it to be attached to a host in the enterprise network. Use execution control software to allow only approved USB vendors.
As a security solutions provider, you are compiling a checklist for your customers to assess potential weak configuration vulnerabilities, based on the CompTIA Security+ syllabus. From the headings you have added so far, which is missing and what vulnerability does it relate to? Default settings, Unsecured root accounts, Open ports and services, Unsecure protocols, Weak encryption, Errors.
Open permissions refers to misconfigured access rights for data folders, network file shares, and cloud storage.
What tools are used for OSINT?
Open-source intelligence is a reconnaissance activity to gather information about the target from any public source. The basic tool is web searches/queries plus sites that scan/scrape/monitor vulnerabilities in Internet-facing services and devices. There are also specialist OSINT tools, such as theHarvester, that aggregate data from queries for different resources.
Arduino
Open-source platform producing programmable circuit boards for education and industrial prototyping.
Raspberry Pi
Open-source platform producing programmable circuit boards for education and industrial prototyping.
RTP (Real-time Transport Protocol)
Opens a data stream for video and voice applications over UDP. The data is packetized and tagged with control information (sequence numbering and time-stamping).
SLA (service level agreement)
Operating procedures and standards for a service contract.
What container would you use if you want to apply a different security policy to a subset of objects within the same domain?
Organization Unit (OU).
What coding practice provides specific mitigation against XSS?
Output encoding ensures that strings are made safe for the context they are being passed to, such as when a JavaScript variable provides output to render as HTML. Safe means that the string does not contain unauthorized syntax elements, such as script tags.
multipath
Overprovisioning controllers and cabling so that a host has failover connections to storage media.
redundancy
Overprovisioning resources at the component, host, and/or site level so that there is failover to a working instance in the event of a problem.
In what scenario would PAP be considered a secure authentication method?
PAP is a legacy protocol that cannot be considered secure because it transmits plaintext ASCII passwords and has no cryptographic protection. The only way to ensure the security of PAP is to ensure that the endpoints establish a secure tunnel (using IPSec, for instance).
password cracking
Password guessing software can attempt to crack captured hashes of user credentials by running through all possible combinations (brute force). This can be made less computationally intensive by using a dictionary of standard words or phrases.
What mechanism provides the most reliable means of associating a client with a particular server node when using load balancing?
Persistence is a layer 7 mechanism that works by injecting a session cookie. This is generally more reliable than the layer 4 source IP affinity mechanism.
SAE (Simultaneous Authentication of Equals)
Personal authentication mechanism for Wi-Fi networks introduced with WPA3 to address vulnerabilities in the WPA-PSK method.
What is meant by PII?
Personally identifiable information is any data that could be used to identify, contact, or locate an individual.
biometric authentication
Physical characteristics stored as a digital data template can be used to authenticate a user. Typical features used include facial pattern, iris, retina, or fingerprint pattern, and signature recognition.
RCS (rich communication services)
Platform-independent advanced messaging functionality designed to replace SMS and MMS.
vendor management
Policies and procedures to identify vulnerabilities and ensure security of the supply chain.
time of day restrictions
Policies or configuration settings that limit a user's access to resources.
PAM (privileged access management)
Policies, procedures, and support software for managing accounts and credentials with administrative permissions.
QA (quality assurance)
Policies, procedures, and tools designed to ensure defect-free development and delivery.
IR (incident response)
Procedures and guidelines covering appropriate priorities, actions, and responsibilities in the event of security incidents, divided into preparation, detection/analysis, containment, eradication/recovery, and post-incident stages.
fault tolerance
Protection against system failure by providing extra (redundant) capacity. Generally, fault tolerant systems identify and eliminate single points of failure. Also referred to as redundancy.
SNMP (Simple Network Management Protocol)
Protocol for monitoring and managing network devices. SNMP works over UDP ports 161 and 162 by default.
MAC (Message Authentication Code)
Proving the integrity and authenticity of a message by combining its hash with a shared secret.
NFV (network functions virtualization)
Provisioning virtual network appliances, such as switches, routers, and firewalls, via VMs and containers.
You are providing security advice and training to a customer's technical team. One asks how they can identify when a buffer overflow occurs. What is your answer?
Real-time detection of a buffer overflow is difficult, and is typically only achieved by security monitoring software (antivirus, endpoint detection and response, or user and entity behavior analytics) or by observing the host closely within a sandbox. An unsuccessful attempt is likely to cause the process to crash with an error message. If the attempt is successful, the process is likely to show anomalous behavior, such as starting another process, opening network connections or writing to AutoRun keys in the registry. These indicators can be recorded using logging and system monitoring tools.
packet sniffing
Recording data from frames as they pass over network media, using methods such as a mirror port or tap device.
VNC (Virtual Network Computing)
Remote access tool and protocol. VNC is the basis of macOS screen sharing.
An employee's car was recently broken into, and the thief stole a company tablet that held a great deal of sensitive data. You've already taken the precaution of securing plenty of backups of that data. What should you do to be absolutely certain that the data doesn't fall into the wrong hands?
Remotely wipe the device, also referred to as a kill switch.
What is the purpose of SIEM?
Security information and event management (SIEM) products aggregate IDS alerts and host logs from multiple sources, then perform correlation analysis on the observables collected to identify indicators of compromise and alert administrators to potential incidents.
bluejacking
Sending an unsolicited message or picture message using a Bluetooth connection.
PKCS (public key cryptography standards)
Series of standards defining the use of certificate authorities and digital certificates.
You are improving back-end database security to ensure that requests deriving from front-end web servers are authenticated. What general class of attack is this designed to mitigate?
Server-side request forgery (SSRF) causes a public server to make an arbitrary request to a back-end server. This is made much harder if the threat actor has to defeat an authentication or authorization mechanism between the web server and the database server.
configuration baseline
Settings for services and policy configuration for a server operating in a particular application role (web server, mail server, file/print server, and so on).
What risk type arises from shadow IT?
Shadow IT is the deployment of hardware, software, or cloud services without the sanction of the system owner (typically the IT department). The system owner will typically be liable for software compliance/licensing risks.
What metric(s) could be used to make a quantitative calculation of risk due to a specific threat to a specific function or asset?
Single Loss Expectancy (SLE) or Annual Loss Expectancy (ALE). ALE is SLE multiplied by ARO (Annual Rate of Occurrence).
tailgating
Social engineering technique to gain access to a building by following someone who is unaware of their presence.
credential harvesting
Social engineering techniques for gathering valid credentials to use to gain unauthorized access.
ARP (Address Resolution Protocol)
The broadcast mechanism by which individual hardware MAC addresses are matched to an IP address on a local network segment.
A-V (antivirus scanner)
Software capable of detecting and removing virus infections and (in most cases) other types of malware, such as worms, Trojans, rootkits, adware, spyware, password crackers, network mappers, DoS tools, and so on.
IPAM (IP address management)
Software consolidating management of multiple DHCP and DNS services to provide oversight into IP address allocation across an enterprise network.
application firewall
Software designed to run on a server to protect a particular application such as a web server or SQL server.
continuous delivery
Software development method in which app and platform requirements are frequently tested and validated for immediate availability.
continuous deployment
Software development method in which app and platform updates are committed to production rapidly.
continuous integration
Software development method in which code updates are tested and committed to a development or build server/code repository rapidly.
nxlog
Software optimized for multi-platform log collection and aggregation.
data historian
Software that aggregates and catalogs data from multiple sources within an industrial control system.
remote wipe
Software that allows deletion of data and settings on a mobile device to be initiated from a remote server. Sometimes referred to as a kill switch.
network mapping
Software that can scan a network and identify hosts, addresses, protocols, network interconnections, and so on.
PUP (potentially unwanted program)
Software that cannot definitively be classed as malicious, but may not have been chosen by or wanted by the user.
What is a Type II hypervisor?
Software that manages virtual machines that has been installed to a guest OS. This is in contrast to a Type I (or "bare metal") hypervisor, which interfaces directly with the host hardware.
adware
Software that records information about a PC and its user. Adware is used to describe software that the user has acknowledged can record information about their habits.
spyware
Software that records information about a PC and its users, often installed without the user's consent.
What is SDV?
Software-defined visibility (SDV) gives API-based access to network infrastructure and hosts so that configuration and state data can be reported in near real time. This facilitates greater automation in models and technologies such as zero trust, inspection of east/west data center traffic, and use of security orchestration and automated response (SOAR) tools.
What is a dissolvable agent?
Some network access control (NAC) solutions perform host health checks via a local agent, running on the host. A dissolvable agent is one that is executed in the host's memory and CPU but not installed to a local disk.
IRP (incident response plan)
Specific procedures that must be performed if a certain type of event is detected or reported.
RAID (redundant array of independent/inexpensive disks)
Specifications that support redundancy and fault tolerance for different configurations of multiple-device storage systems.
deauthentication/disassociation
Spoofing frames to disconnect a wireless station to try to obtain authentication data to crack.
white team
Staff administering, evaluating, and supervising a penetration test or incident response exercise.
OAuth (Open Authorization)
Standard for federated identity management, allowing resource servers or consumer sites to work with user accounts created and managed on a separate identity provider.
PCAP (packet capture)
Standard format for recording packet captures to a file.
WPA (Wi-Fi Protected Access)
Standards for authenticating and encrypting access to Wi-Fi networks. Versions include WPA2 and WPA3.
Opal
Standards for implementing device encryption on storage devices.
Why is subnetting useful in secure network design?
Subnet traffic is routed, allowing it to be filtered by devices such as a firewall. An attacker must be able to gather more information about the configuration of the network and overcome more barriers to launch successful attacks.
baseband radio
The chip and firmware in a smartphone that acts as a cellular modem.
QoS (quality of service)
Systems that differentiate data passing over the network and can reserve bandwidth for particular applications. A system that cannot guarantee a level of available bandwidth is often described as Class of Service (CoS).
NTP (Network Time Protocol)
TCP/IP application protocol, running over UDP port 123, that allows machines to synchronize to the same time clock.
IMAP (Internet Message Access Protocol)
TCP/IP application protocol providing a means for a client to access and manage email messages stored in a mailbox on a remote server. IMAP4 utilizes TCP port number 143.
DTLS (datagram transport layer security)
TLS is usually used with TCP-based application protocols. DTLS refers to UDP secured with TLS. This is often used for VPNs.
tape
Tape media provides robust, high-speed, high-capacity backup storage. Tape drives and autoloader libraries can be connected to the SATA and SAS buses or accessed via a SAN.
DNS sinkhole
Temporary DNS record that redirects malicious traffic to a controlled IP address.
cookie
Text file used to store information about a user when they visit a website. Some sites use cookies to support user sessions.
What does it mean if a certificate extension attribute is marked as critical?
That the application processing the certificate must be able to interpret the extension correctly. Otherwise, it should reject the certificate.
red team
The "hostile" or attacking team in a penetration test or incident response exercise.
DiffServ
The Differentiated Services Code Point (DSCP) field is used to indicate a priority value for a layer 3 (IP) packet to facilitate Quality of Service (QoS) or Class of Service (CoS) scheduling.
You are discussing a redesign of network architecture with a client, and they want to know what the difference between an extranet and Internet is. How can you explain it?
The Internet is an external zone where none of the hosts accessing your services can be assumed trusted or authenticated. An extranet is a zone allowing controlled access to semi-trusted hosts, implying some sort of authentication. The hosts are semi-trusted because they are not under the administrative control of the organization (as they are owned by suppliers, customers, business partners, contractors, and so on).
A log shows that a PowerShell IEX process attempted to create a thread in the target image c:\Windows\System32\lsass.exe. What is the aim of this attack?
The Local Security Authority Subsystem Service (LSASS) enforces security policies, including authentication and password changes. Consequently, it holds hashes of user passwords in memory. Attacks on lsass.exe are typically credential dumping to steal those hashes.
Your log shows that the Notepad process on a workstation running as the local administrator account has started an unknown process on an application server running as the SYSTEM account. What type of attack(s) are represented in this intrusion event?
The Notepad process has been compromised, possibly using buffer overflow or a DLL/process injection attack. The threat actor has then performed lateral movement and privilege escalation, gaining higher privileges through remote code execution on the application server.
What is Microsoft's TLS VPN solution?
The Secure Sockets Tunneling Protocol (SSTP).
What are the advantages of SASL over LDAPS?
The Simple Authentication and Security Layer (SASL) allows a choice of authentication providers and encryption (sealing)/integrity (signing) mechanisms. By contrast, LDAPS uses Transport Layer Security (TLS) to encrypt traffic, but users still authenticate via simple binding. Also, SASL is the standards-based means of configuring LDAP security.
Autopsy
The Sleuth Kit is an open source collection of command-line and programming libraries for disk imaging and file analysis. Autopsy is a graphical front-end for these tools and also provides a case management/workflow tool.
What use is made of a TPM for NAC attestation?
The Trusted Platform Module (TPM) is a tamper-proof (at least in theory) cryptographic module embedded in the CPU or chipset. This can provide a means to sign the report of the system configuration so that a network access control (NAC) policy enforcer can trust it.
packet trace analysis
The act of examining data packet communications to reveal insights without digging into packet content, such as when the packet contents are encrypted. Clues derived from packet trace analysis might help an intruder, but they are also quite useful for defensive monitoring and security intelligence analysis. Also referred to as traffic flow analysis.
What is meant by scheduling in the context of load balancing?
The algorithm and metrics that determine which node a load balancer picks to handle a request.
SLE (single loss expectancy)
The amount that would be lost in a single occurrence of a particular risk factor.
How does a replay attack work in the context of session hijacking?
The attacker captures some data, such as a cookie, used to log on or start a session legitimately. The attacker then resends the captured data to re-enable the connection.
Why might an ARP poisoning tool be of use to a threat actor performing network reconnaissance?
The attacker could trick computers into sending traffic through the attacker's computer (performing a MitM/on-path attack) and, therefore, examine traffic that would not normally be accessible to him (on a switched network).
How does a clickjacking attack work?
The attacker inserts an invisible layer into a trusted web page that can intercept or redirect input without the user realizing.
How might an attacker exploit a web application to perform a shell injection attack?
The attacker needs to find a vulnerable input method, such as a form control or URL or script parser, that will allow the execution of OS shell commands.
orchestration
The automation of multiple steps in a deployment process.
MTTF (mean time to failure)
The average time a device or component is expected to be in operation.
MTTR (mean time to repair/replace/recover)
The average time taken for a device or component to be repaired, replaced, or otherwise recover from a failure.
DER (distinguished encoding rules)
The binary format used to structure the information in a digital certificate.
cryptanalysis
The science, art, and practice of breaking codes and ciphers.
You are consulting with a company about a new approach to authenticating users. You suggest there could be cost savings and better support for multifactor authentication (MFA) if your employees create accounts with a cloud provider. That allows the company's staff to focus on authorizations and privilege management. What type of service is the cloud vendor performing?
The cloud vendor is acting as the identity provider.
You have been asked to investigate a web server for possible intrusion. You identify a script with the following code. What language is the code in and does it seem likely to be malicious? import os, socket, syslog def r_conn(ip): s=socket.socket(socket.AF_INET,socket.SOCK_DGRAM) s.connect(("logging.trusted.foo",514)) ...
The code is written in Python. It uses various modules with default library code to interact with the OS and network, and also the syslog logging platform. The first lines of code define a function to connect to a host over port 514 (syslog). SOCK_DGRAM is a UDP connection, which is standard for syslog. Most likely the script is for remote logging and unlikely to be malicious, especially if trusted.foo is a known domain.
ERM (enterprise risk management)
The comprehensive process of evaluating, measuring, and mitigating the many risks that pervade an organization.
You are preparing a white paper on configuration management essentials for your customers. You have the following headings already: Diagrams, Standard naming conventions, Internet protocol (IP) schema. If you are basing your paper on the CompTIA Security+ objectives, which other topic should you cover?
The configuration baseline is an essential concept as it allows unauthorized change to be detected more easily and planned change to be managed more easily.
What is the difference between the role of data steward and the role of data custodian?
The data steward role is concerned with the quality of data (format, labeling, normalization, and so on). The data custodian role focuses on the system hosting the data assets and its access control mechanisms.
Which command line tool allows image creation from disk media on any Linux host?
The dd tool is installed on all Linux distributions.
blue team
The defensive team in a penetration test or incident response exercise.
Why are OS-enforced file access controls not sufficient in the event of the loss or theft of a computer or mobile device?
The disk (or other storage) could be attached to a foreign system and the administrator could take ownership of the files. File-level, full disk encryption (FDE), or self-encrypting drives (SED) mitigate this by requiring the presence of the user's decryption key to read the data.
You are discussing execution and validation security for DOM scripting with the web team. A junior team member wants to know if this relates to client-side or server-side code. What is your response?
The document object model (DOM) is the means by which a script (JavaScript) can change the way a page is rendered. As this change is rendered by the browser, it is client-side code.
supply chain
The end-to-end process of supplying, manufacturing, distributing, and finally releasing goods and services to a customer.
What is the significance of the fact that digital evidence is latent?
The evidence cannot be seen directly but must be interpreted so the validity of the interpreting process must be unquestionable.
first responder
The first experienced person or team to arrive at the scene of an incident.
geolocation
The identification or estimation of the physical location of an object, such as a radar source, mobile phone, or Internet-connected computing device.
How might an integer overflow be used as part of a buffer overflow?
The integer value could be used to allocate less memory than a process expects, making a buffer overflow easier to achieve.
identity fraud
The invention of fake personal information or the theft and misuse of an individual's personal information.
Which property of a plaintext password is most effective at defeating a brute-force attack?
The length of the password. If the password does not have any complexity (if it is just two dictionary words, for instance), it may still be vulnerable to a dictionary-based attack. A long password may still be vulnerable if the output space is small or if the mechanism used to hash the password is faulty (LM hashes being one example).
RTO (recovery time objective)
The length of time it takes after an event to resume normal business operations and activities.
MTD (maximum tolerable downtime)
The longest period of time a business can be inoperable without causing irrevocable business failure.
RPO (recovery point objective)
The longest period of time that an organization can tolerate lost data being unrecoverable.
How does MTD relate to availability?
The maximum tolerable downtime (MTD) metric expresses the availability requirement for a particular business function.
You are advising a company about backup requirements for a few dozen application servers hosting tens of terabytes of data. The company requires online availability of short-term backups, plus offsite security media and long-term archive storage. The company cannot use a cloud solution. What type of on-premises storage solution is best suited to the requirement?
The offsite and archive requirements are best met by a tape solution, but the online requirement may need a RAID array, depending on speed. The requirement is probably not large enough to demand a storage area network (SAN), but could be provisioned as part of one.
What is the best option for monitoring traffic passing from host-to-host on the same switch?
The only option for monitoring intra-switch traffic is to use a mirrored port.
order of volatility
The order in which volatile data should be recovered from various storage locations and devices after a security incident occurs.
checksum
The output of a hash function.
data governance
The overall management of the availability, usability, and security of the information used in an organization.
baseline
The point from which something varies. A configuration baseline is the original or recommended settings for a device while a performance baseline is the originally measured throughput.
job rotation
The policy of preventing any one individual performing the same role or tasks for too long. This deters fraud and provides better oversight of the person's duties.
threat
The potential for an entity to exercise a vulnerability (that is, to breach security).
TOCTTOU (time of check to time of use)
The potential vulnerability that occurs when there is a change between when an app checked a resource and when the app used the resource.
geofencing
The practice of creating a virtual boundary based on real-world geography.
privilege escalation
The practice of exploiting flaws in an operating system or other application to gain a greater level of access than was intended for the user or application.
active defense
The practice of responding to a threat by destroying or deceiving a threat actor's capabilities.
war driving
The practice of using a Wi-Fi sniffer to detect WLANs and then either making use of them (if they are open/unsecured) or trying to break into them (using WEP and WPA cracking tools).
service discovery
The practice of using network scans to discover open TCP and UDP ports, plus information about the servers operating them.
MDM (mobile device management)
The process and supporting technologies for tracking, controlling, and securing the organization's mobile infrastructure.
hardening
The process of making a host or app configuration secure by reducing its attack surface, through running only necessary services, installing monitoring software to protect against malware and intrusions, and establishing a maintenance schedule to ensure the system is patched to be secure against software exploits.
code review
The process of peer review of uncompiled source code by other developers.
static code analysis
The process of reviewing uncompiled source code either manually or using automated tools.
sanitization
The process of thoroughly and completely removing data from a storage medium so that file remnants cannot be recovered.
configuration management
The process through which an organization's information systems components are kept in a controlled state that meets the organization's requirements, including those for security and compliance.
change management
The process through which changes to the configuration of information systems are implemented, as part of the organization's overall configuration management efforts.
SDLC (software development life cycle)
The processes of planning, analysis, design, implementation, and maintenance that often govern software and systems development.
elasticity
The property by which a computing environment can instantly react to both increasing and decreasing demands in workload.
scalability
The property by which a computing environment is able to gracefully fulfill its ever-increasing resource needs.
non-persistence
The property by which a computing environment is discarded once it has finished its assigned task.
HA (high availability)
The property that defines how closely systems approach the goal of providing data availability 100 percent of the time while maintaining a high level of system performance.
HTTP/HTTPS (HyperText Transfer Protocol/HTTP Secure)
The protocol used to provide web content to browsers. HTTP uses port 80. HTTPS(ecure) provides for encrypted transfers, using SSL/TLS and port 443.
SMTP (Simple Mail Transfer Protocol)
The protocol used to send mail between hosts on the Internet. Messages are sent over TCP port 25.
When using S/MIME, which key is used to encrypt a message?
The recipient's public key (principally). The public key is used to encrypt a symmetric session key and (for performance reasons) the session key does the actual data encoding. The session key and, therefore, the message text can then only be recovered by the recipient, who uses the linked private key to decrypt it.
In a digital envelope, which key encrypts the session key?
The recipient's public key (typically from the server's key pair).
risk acceptance
The response of determining that a risk is within the organization's appetite and that no countermeasures other than ongoing monitoring are needed.
risk mitigation
The response of reducing risk to fit within an organization's risk appetite.
You are providing security consultancy to assist a company with improving incident response procedures. The business manager wants to know why an out-of-band contact mechanism for responders is necessary. What do you say?
The response team needs a secure channel to communicate over without alerting the threat actor. There may also be availability issues with the main communication network, if it has been affected by the incident.
remediation
The result of a device not meeting a security profile or health policy, including gaining access to a guest or quarantine network.
What factors determine the selection of security controls in terms of an overall budget?
The risk (as determined by impact and likelihood) compared to the cost of the control. This metric can be calculated as Return on Security Investment (ROSI).
cryptography
The science and practice of altering data to make it unintelligible to unauthorized parties.
You are reviewing security and privacy issues relating to a membership database for a hobbyist site with a global audience. The site currently collects account details with no further information. What should be added to be in compliance with data protection regulations?
The site should add a privacy notice explaining the purposes the personal information is collected and used for. The form should provide a means for the user to give explicit and informed consent to this privacy notice.
dumpster diving
The social engineering technique of discovering things about an organization (or person) based on what it throws away.
account expiration
The specified amount of time after which an account expires, eliminating the possibility that it will be forgotten about and act as a possible system backdoor.
Antivirus software has reported the presence of malware but cannot remove it automatically. Apart from the location of the affected file, what information will you need to remediate the system manually?
The string identifying the malware. You can use this to reference the malware on the A-V vendor's site and, hopefully, obtain manual removal and prevention advice.
What is the main weakness of a hierarchical trust model?
The structure depends on the integrity of the root CA.
What extension field is used with a web server certificate to support the identification of the server by multiple specific subdomain labels?
The subject alternative name (SAN) field. A wildcard certificate will match any subdomain label.
What cryptographic information is stored in a digital certificate?
The subject's public key and the algorithms used for encryption and hashing. The certificate also stores a digital signature from the issuing CA, establishing the chain of trust.
MAC Address Table
The table on a switch keeping track of MAC addresses associated with each port. As the switch uses a type of memory called Content Addressable Memory (CAM), this is sometimes called the CAM table.
continuous monitoring
The technique of constantly evaluating an environment for changes so that new risks may be more quickly detected and business operations improved upon. Also referred to as continuous security monitoring (CSM).
latency
The time it takes for a signal to reach the recipient. A video application can support a latency of about 80 ms, while typical latency on the Internet can reach 1000 ms at peak times. Latency is a particular problem for 2-way applications, such as VoIP (telephone) and online conferencing.
Why might a file time stamp not show the time at which a crime was committed?
The time stamp may record Coordinated Universal Time (UTC) rather than the local time. An offset would need to be applied (and it might need to be demonstrated that the computer's time zone was correctly set).
ALE (annual loss expectancy)
The total cost of a risk to an organization on an annual basis. This is determined by multiplying the SLE by the annual rate of occurrence (ARO).
privileged access management
The use of authentication and authorization mechanisms to provide an administrator with centralized or decentralized control of user and group role-based entitlement.
VDE (virtual desktop environment)
The user desktop and software applications provisioned as an instance under VDI.
What is the process of sideloading?
The user installs an app directly onto the device rather than from an official app store.
SID (security identifier)
The value assigned to an account by Windows and that is used by the operating system to identify that account.
How does VSS assist a backup solution?
The volume shadow copy service creates snapshots for the backup software to use, avoiding problems with file locks and uncompleted database transactions.
Which tools can you use to restrict the use of PowerShell on Windows 10 clients?
There are various group policy-based mechanisms, but for Windows 10, the Windows Defender Application Control (WDAC) framework provides the most powerful toolset for execution control policies.
What is the risk of not following a tested order of restoration when recovering a site from a major incident?
There may be unmet dependencies between systems that are started in the wrong order. This could lead to boot failures and possibly data corruption.
You have been asked to produce a summary of pros and cons for the products Chef and Puppet. What type of virtualization or cloud computing technology do these support?
These are orchestration tools. Orchestration facilitates "automation of automation," ensuring that scripts and API calls are made in the right order and at the right time to support an overall workflow.
Other than endpoint protection software, what resource can provide indicators of pass the hash attacks?
These attacks are revealed by use of certain modes of NTLM authentication within the security (audit) log of the source and target hosts. These indicators can be prone to false positives, however, as many services use NTLM authentication legitimately.
MSSP (managed security service provider)
Third-party provision of security configuration and monitoring as an outsourced service.
Users at an organization frequent a site where browsing a list of products for purchase is possible. Lately, when visiting the site, an unrecognized window opens claiming that anti-malware software has detected files infected with viruses. Instructions in the window indicate the user should click a link to install software that will remove these infections. What type of attack has occurred?
This is a watering hole attack, which is an attack in which an attacker targets specific groups or organizations, discovers which websites they frequent, and injects malicious code into those sites.
What security measure describes the isolation of a device from connecting to another device or network to prevent any type of unauthorized computing, network, or storage connection to a protected host?
This can be described as air gapping.
What term relates to assessment techniques that avoid alerting threat actors?
This can be referred to as maneuver.
Your CEO calls to request market research data immediately be forwarded to her personal email address. You recognize her voice, but a proper request form has not been filled out, and use of third-party email is prohibited. She states that, normally, she would fill out the form and should not be an exception, but she urgently needs the data to prepare for a round table at a conference she is attending. What type of social engineering techniques could this use, or is it a false alarm?
This could be a social engineering use case where impersonation has occurred. A combination of spear phishing (attack using specific details) and vishing (attack over a voice channel) attacks were used by the impersonator. A type of voice mimicry technology may have been used to sound like the real CEO. A safe approach would be to contact the CEO back on a known mobile number to confirm the request.
You are investigating a client workstation that has not obtained updates to its endpoint protection software for days. On the workstation you discover thousands of executable files with random names. The local endpoint log reveals that all of them have been scanned and identified as malware. You can find no evidence of any further intrusion on the network. What is the likely motive of the threat actor?
This could be an offline tainted data attack against the endpoint software's identification engine.
Which security attribute is ensured by monitoring API latency and correcting any problems quickly?
This ensures the availability of services.
What type of operation is being performed by the following command? openssl req -nodes -new -newkey rsa:2048 -out my.csr -keyout mykey.pem
This generates a new RSA key pair plus a certificate signing request.
What is a pre-shared key?
This is a type of group authentication used when the infrastructure for authenticating securely (via RADIUS, for instance) is not available. The system depends on the strength of the passphrase used for the key.
What feature allows you to filter traffic arriving at an instance?
This is accomplished by assigning the instance to a security group with the relevant policy configured.
The help desk takes a call and the caller states that she cannot connect to the e-commerce website to check her order status. She would also like a user name and password. The user gives a valid customer company name but is not listed as a contact in the customer database. The user does not know the correct company code or customer ID. Is this likely to be a social engineering attempt, or is it a false alarm?
This is likely to be a social engineering attempt. The help desk should not give out any information or add an account without confirming the caller's identity.
You are troubleshooting a user's workstation. At the computer, an app window displays on the screen claiming that all of your files are encrypted. The app window demands that you make an anonymous payment if you ever want to recover your data. What type of malware has infected the computer?
This is some type of ransomware, but it will take more investigation to determine whether it is actually crypto-malware or not.
What type of network requires the design to account for east-west traffic?
This is typical of a data center or server farm, where a single external request causes multiple cascading requests between servers within the data center. This is a problem for a perimeter security model, as funneling this traffic up to a firewall and then back to a server creates a performance bottleneck.
You take an incident report from a user trying to access a REPORT.docx file on a SharePoint site. The file has been replaced by a REPORT.docx.QUARANTINE.txt file containing a policy violation notice. What is the most likely cause?
This is typical of a data loss prevention (DLP) policy replacing a file involved in a policy violation with a tombstone file.
Where would you expect to find "hot and cold" aisles and what is their purpose?
This layout is used in a data center or large server room. The layout is the best way to maintain a stable temperature and reduce loss of availability due to thermal problems.
Following a loss of critical IP exfiltrated from the local network to a public cloud storage network, you decide to implement a type of outbound filtering system. Which technology is most suitable for implementing the filter?
This task is suited to data loss prevention (DLP), which can block the transfer of tagged content over unauthorized channels.
Why might enforcement policies be used to prevent USB tethering when a smartphone is brought to the workplace?
This would allow a PC or laptop to connect to the Internet via the smartphone's cellular data connection. This could be used to evade network security mechanisms, such as data loss prevention or content filtering.
You are reviewing access logs on a web server and notice repeated requests for URLs containing the strings %3C and %3E. Is this an event that should be investigated further, and why?
Those strings represent percent encoding for HTML tag delimiters (< and >). This could be an XSS attempt to inject a script so should be investigated.
Why might a company invest in device control software that prevents the use of recording devices within company premises?
To hinder physical reconnaissance and espionage.
What is the purpose of directory services?
To store information about network resources and users in a format that can be accessed and updated using standard queries.
You are preparing a solution overview on privacy enhancing technologies based on CompTIA Security+ syllabus objectives. You have completed notes under the following headings—which other report section do you need? Data minimization, Anonymization, Pseudo-anonymization, Data masking, Aggregation/Banding
Tokenization—replacing data with a randomly generated token from a separate token server or vault. This allows reconstruction of the original data if combined with the token vault.
rainbow table
Tool for speeding up attacks against Windows passwords by precomputing possible hashes.
broadcast storm
Traffic that is recirculated and amplified by loops in a switching topology, causing network slowdowns and crashing switches.
CBT (computer-based training)
Training and education programs delivered using computer devices and e-learning instructional models and design.
capture the flag
Training event where learners must identify a token within a live network environment.
What IPSec mode would you use for data confidentiality on a private network?
Transport mode with Encapsulating Security Payload (ESP). Tunnel mode encrypts the IP header information, but this is unnecessary on a private network. Authentication Header (AH) provides message authentication and integrity but not confidentiality.
True or false? A maliciously designed USB battery charger could be used to exploit a mobile device on connection.
True (in theory)—though the vector is known to the mobile OS and handset vendors so the exploit is unlikely to be able to run without user authorization.
True or false? A virtual IP is a means by which two appliances can be put in a fault tolerant configuration to respond to requests for the same IP address.
True.
True or false? DNSSEC depends on a chain of trust from the root servers down.
True.
True or false? RTO expresses the amount of time required to identify and resolve a problem within a single system or asset.
True.
True or false? Static NAT means mapping a single public/external IP address to a single private/internal IP address.
True.
True or false? The following string is an example of a distinguished name: CN=ad, DC=classroom,DC=com
True.
True or false? When deploying a non-transparent proxy, you must configure clients with the proxy address and port.
True.
True or false? Backup media can be onsite, but offline.
True. As a security precaution, backup media can be taken offline at the completion of a job to mitigate the risk of malware corrupting the backup.
True or False? Perfect forward secrecy (PFS) ensures that a compromise of a server's private key will not also put copies of traffic sent to that server in the past at risk of decryption.
True. PFS ensures that ephemeral keys are used to encrypt each session. These keys are destroyed after use.
True or false? When implementing smart card logon, the user's private key is stored on the smart card.
True. The smart card implements a cryptoprocessor for secure generation and storage of key and certificate material.
CISO (Chief Information Security Officer)
Typically the job title of the person with overall responsibility for information assurance and systems security. Sometimes referred to as Chief Information Officer (CIO).
HIPAA (Health Insurance Portability and Accountability Act)
U.S. federal law that protects the storage, reading, modification, and transmission of personal health care data.
OTG (on the go)
USB specification allowing a mobile device to act as a host when a device such as an external drive or keyboard is attached.
cleartext
Unencrypted data that is meant to be encrypted before it is transmitted, or the result of decryption of encrypted data. Also referred to as plaintext.
You are recommending that a business owner invest in patch management controls for PCs and laptops. What is the main risk from weak patch management procedures on such devices?
Vulnerabilities in the OS and applications software such as web browsers and document readers or in PC and adapter firmware can allow threat actors to run malware and gain a foothold on the network.
horizontal privilege escalation
When a user accesses or modifies specific resources that they are not entitled to.
vertical privilege escalation
When an attacker can perform functions that are normally assigned to users in higher roles, and often explicitly denied to the attacker.
enumeration
When an attacker tries to get a list of resources on the network, host, or system as a whole to identify potential targets for further attack.
DOM-based attack (Document Object Model)
When attackers send malicious scripts to a web app's client-side implementation of JavaScript to execute their attack solely on the client.
data breach
When confidential or private data is read, copied, or changed without authorization. Data breach events may have notification and reporting requirements.
command injection
Where a threat actor is able to execute arbitrary shell commands on a host via a vulnerable web application.
What is a persistent XSS attack?
Where the attacker inserts malicious code into the back-end database used to serve content to the trusted site.
What is an amplification attack?
Where the attacker spoofs the victim's IP in requests to several reflecting servers (often DNS or NTP servers). The attacker crafts the request so that the reflecting servers respond to the victim's IP with a large message, overwhelming the victim's bandwidth.
You are recommending different antivirus products to the CEO of a small travel services firm. The CEO is confused, because they had heard that Trojans represent the biggest threat to computer security these days. What explanation can you give?
While antivirus (A-V) remains a popular marketing description, all current security products worthy of consideration will try to provide protection against a full range of malware and potentially unwanted program (PUP) threats.
Recently, attackers were able to compromise the account of a user whose employment had been terminated a week earlier. They used this account to access a network share and delete important files. What account vulnerability enabled this attack?
While it's possible that lax password requirements and incorrect privileges may have contributed to the account compromise, the most glaring problem is that the terminated employee's account wasn't disabled. Since the account was no longer being used, it should not have been left active for a malicious user to exploit.
You are advising a business owner on security for a PC running Windows XP. The PC runs process management software that the owner cannot run on Windows 10. What are the risks arising from this, and how can they be mitigated?
Windows XP is a legacy platform that is no longer receiving security updates. This means that patch management cannot be used to reduce risks from software vulnerabilities. The workstation should be isolated from other systems to reduce the risk of compromise.
pathping command
Windows utility for measuring latency and packet loss along a route.
A system integrator is offering a turnkey solution for customer contact data storage and engagement analytics using several cloud services. Does this solution present any supply chain risks beyond those of the system integrator's consulting company?
Yes, the system integrator is proposing the use of multiple vendors (the cloud service providers), with potentially complex issues for collecting, storing, and sharing customer personal data across these vendors. Each company in the supply chain should be assessed for risk and compliance with cybersecurity and privacy standards.
A user's computer is performing extremely slowly. Upon investigating, you find that a process named n0tepad.exe is utilizing the CPU at rates of 80-90%. This is accompanied by continual small disk reads and writes to a temporary folder. Should you suspect malware infection and is any particular class of malware indicated?
Yes, this is malware as the process name is trying to masquerade as a legitimate process. It is not possible to conclusively determine the type without more investigation, but you might initially suspect a crypto-miner/crypto-jacker.
If a Windows system file fails a file integrity check, should you suspect a malware infection?
Yes—malware is a likely cause that you should investigate.
You are investigating a business email compromise (BEC) incident. The email account of a developer has been accessed remotely over webmail. Investigating the developer's workstation finds no indication of a malicious process, but you do locate an unknown USB extension device attached to one of the rear ports. Is this the most likely attack vector, and what type of malware would it implement?
What methods can be used to implement location-based authentication?
You can query the location service running on a device or geolocation by IP. You could use location with the network, based on switch port, wireless network name, virtual LAN (VLAN), or IP subnet.
If you suspect a process of being used for data exfiltration but the process is not identified as malware by A-V software, what types of analysis tools will be most useful?
You can use a sandbox with monitoring tools to see which files the process interacts with and a network monitor to see if it opens (or tries to open) a connection with a remote host.
The network manager is recommending the use of "thin" access points to implement the wireless network. What additional appliance or software is required and what security advantages should this have?
You need a wireless controller to configure and manage the access points. This makes each access point more tamper-proof as there is no local administration interface. Configuration errors should also be easier to identify.
You need to correlate intrusion detection data with web server log files. What component must you deploy to collect IDS alerts in a SIEM?
You need to deploy a sensor to send network packet captures or intrusion detection alerts to the SIEM.
What areas of a business or workflow must you examine to assess multiparty risk?
You need to examine supply chain dependencies to identify how problems with one or more suppliers would impact your business. You also need to examine customer relationships to determine what liabilities you have in the event of an incident impacting your ability to supply a product or service and what impact disruption of important customer accounts would have, should cyber incidents disrupt their business.
What is the principal use of grep in relation to log files?
grep is used to search the content of files.
jump server
risk
likelihood
DSA (Digital Signature Algorithm)
Public key encryption standard used for digital signatures that provides authentication and integrity verification for messages.
You are writing a shell script to display the last 5 lines of a log file at /var/log/audit in a dashboard. What is the Linux command to do this?
tail /var/log/audit -n 5
technical control
A category of security control that is implemented as a system (hardware, software, or firmware). Technical controls may also be described as logical controls.
OWASP (Open Web Application Security Project)
A charity and community publishing a number of secure application development resources.
DevSecOps
A combination of software development, security operations, and systems operations that refers to the practice of integrating each discipline with the others.
ML (machine learning)
A component of AI that enables a machine to develop strategies for solving a task given a labeled data set where features have been manually identified but without further explicit instructions.
ISO/IEC 27K (International Organization for Standardization 27000 Series)
A comprehensive set of standards for information security, including best practices for security and risk management, compliance, and technical implementation.
black hat
A hacker operating with malicious intent.
gray hat
A hacker who analyzes networks without seeking authorization, but without overtly malicious intent.
security control
A technology or procedure put in place to mitigate vulnerabilities and risk and to ensure the confidentiality, integrity, and availability (CIA) of information.
physical control
A type of security control that acts against in-person intrusion attempts.
detective control
A type of security control that acts during an incident to identify or record that it is happening.
deterrent control
A type of security control that discourages intrusion attempts.
state actor
A type of threat actor that is supported by the resources of its host country's military and security services. Also referred to as a nation state actor.
What is a zone transfer and which reconnaissance tools can be used to test whether a server will allow one?
A zone transfer is where a domain name server (DNS) allows a client to request all the name records for a domain. nslookup (Windows) and dig (principally Linux) can be used to test whether this query is allowed. You could also mention the dnsenum tool, which will check for zone transfers along with other enumeration tests on DNS infrastructure.
APT (advanced persistent threat)
An attacker's ability to obtain, maintain, and diversify access to network systems using exploits and malware.
threat map
Animated map showing threat sources in near real-time.
You are assessing whether to join AIS. What is AIS and what protocol should your SIEM support in order to connect to AIS servers?
Automated Indicator Sharing (AIS) is a service offered by the Department of Homeland Security (DHS) for participating in threat intelligence sharing. AIS uses the Trusted Automated eXchange of Indicator Information (TAXII) protocol as a means of transmitting CTI data between servers and clients.
A business is expanding rapidly and the owner is worried about tensions between its established IT and programming divisions. What type of security business unit or function could help to resolve these issues?
Development and operations (DevOps) is a cultural shift within an organization to encourage much more collaboration between developers and system administrators. DevSecOps embeds the security function within these teams as well.
True or false? Nation state actors primarily only pose a risk to other states.
False—nation state actors have targeted commercial interests for theft, espionage, and extortion.
You are consulting on threat intelligence solutions for a supplier of electronic voting machines. What type of threat intelligence source would produce the most relevant information at the lowest cost?
For critical infrastructure providers, threat data sharing via an Information Sharing and Analysis Center (ISAC) is likely to be the best option.
You suspect the rogue host is modifying traffic before forwarding it, with the side effect of increasing network latency. Which tool could you use to measure latency on traffic routed from this subnet?
From a Windows host, the pathping tool can be used to measure latency along a route.
Cloud Security Alliance
Industry body providing security guidance to CSPs, including an enterprise reference architecture and a security controls matrix.
PCI DSS (Payment Card Industry Data Security Standard)
Information security standard for organizations that process credit or bank card payments.
closed-source intelligence
Information that is obtained through private sources and disseminated through paid-for subscription or membership services.
You have implemented a secure web gateway that blocks access to a social networking site. How would you categorize this type of security control?
It is a technical type of control (implemented in software) and acts as a preventive measure.
A company has installed motion-activated floodlighting on the grounds around its premises. What class and function is this security control?
It would be classed as a physical control and its function is both detecting and deterring.
What type of organizational security assessment is performed using Nessus?
Nessus is an automated network vulnerability scanner that checks for software vulnerabilities and missing patches.
GDPR (General Data Protection Regulation)
Provisions and requirements protecting the personal data of European Union (EU) citizens. Transfers of personal data outside the EU Single Market are restricted unless protected by like-for-like regulations, such as the US's Privacy Shield requirements.
Which of the following would be assessed by likelihood and impact: vulnerability, threat, or risk?
Risk. To assess likelihood and impact, you must identify both the vulnerability and the threat posed by a potential exploit.
Which three types of threat actor are most likely to have high levels of funding?
State actors, criminal syndicates, and competitors.
CSIRT (Computer Security Incident Response Team)
Team with responsibility for incident response. The CSIRT must have expertise across a number of business domains (IT, HR, legal, and marketing for instance).
If a security control is described as operational and compensating, what can you determine about its nature and function?
That the control is enforced by a person rather than a technical system, and that the control has been developed to replicate the functionality of a primary control, as required by a security standard.
availability
The fundamental security goal of ensuring that computer systems operate continuously and that authorized persons can access data that they need.
confidentiality
The fundamental security goal of keeping information and communications private and protecting them from unauthorized access.
integrity
The fundamental security goal of keeping organizational information accurate, free of errors, and without unauthorized modifications.
SOC (security operations center)
The location where security professionals monitor and protect critical information assets in an organization.
You are investigating a Linux server that is the source of suspicious network traffic. At a terminal on the server, which tool could you use to check which process is using a given TCP port?
The netstat command can assist; however, the ss command-line utility is preferable, as it is faster and more human-readable.
threat actor
The person or entity responsible for an event that has been identified as a security incident or as a risk.
footprinting
The phase in an attack or penetration test in which the attacker or tester gathers information about the target before attacking it.
attack surface
The points at which a network or application receives external connections or inputs/outputs that are potential vectors to be exploited by a threat actor.
AI (artificial intelligence)
The science of creating machines with the ability to develop problem-solving and analysis strategies without significant human direction or intervention.
You are developing new detection rules for a network security scanner. Which tool will be of use in testing whether the rules match a malicious traffic sample successfully?
The tcpreplay tool can be used to stream captured traffic from a file to a monitored network interface.
CIA triad
The three principles of security control and management. Also known as the information security triad. Also referred to in reverse order as the AIC triad.
What security posture assessment could a pen tester make using Netcat?
Whether it is possible to open a network connection to a remote host over a given port.