CompTIA Security+ Study Guide 601
Class A private address range (RFC 1918)
10.0.0.0 to 10.255.255.255 (10.0.0.0/8)
Class B private address range (RFC 1918)
172.16.0.0 to 172.31.255.255 (172.16.0.0/12; note that 172.32.0.0 and above are public)
Class C private address range (RFC 1918)
192.168.0.0 to 192.168.255.255 (192.168.0.0/16)
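Worked example (added here, not part of the original study guide): a classifier for the three RFC 1918 ranges above, used for the anti-spoofing check a firewall applies at its external interface. The interface names, sample flows and the RFC1918 list are constructed for the example; the classifier deliberately uses its own CIDR list rather than Python's broader is_private property so that only the three ranges above count as private.

```python
import ipaddress
from typing import Iterable, List, Tuple

# The three RFC 1918 ranges above, in CIDR form. 172.16.0.0/12 is a single
# block covering 172.16.0.0 through 172.31.255.255; 172.32.0.0 is public.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def classify(addr: str) -> str:
    """Label an IPv4 address: rfc1918, loopback, link-local or public."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip.is_loopback:          # 127.0.0.0/8 is reserved but is not an RFC 1918 range
        return "loopback"
    if ip.is_link_local:        # 169.254.0.0/16 (APIPA), likewise not RFC 1918
        return "link-local"
    return "public"


def spoofed_sources(flows: Iterable[Tuple[str, str]]) -> List[str]:
    """Anti-spoofing check: an RFC 1918 address must never arrive as the source
    of a packet on the external (WAN) interface; such packets should be dropped."""
    return [src for iface, src in flows
            if iface == "wan" and classify(src) == "rfc1918"]


# Constructed sample flows: (ingress interface, source address).
SAMPLE_FLOWS = [
    ("wan", "203.0.113.7"),
    ("wan", "10.20.30.40"),        # private source on the outside: spoofed
    ("lan", "192.168.1.5"),        # private source on the inside: normal
    ("wan", "172.32.0.1"),         # just outside 172.16.0.0/12, legitimately public
    ("wan", "172.31.255.254"),     # last usable host of 172.16.0.0/12: spoofed
]

if __name__ == "__main__":
    print(spoofed_sources(SAMPLE_FLOWS))
```

The boundary cases in the sample (172.31.255.254 versus 172.32.0.1) are the ones most often got wrong when the "Class B" range is written as 172.16.0.0/16 by mistake.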
A client and server have agreed on the use of the cipher suite ECDHE-ECDSA-AES256-GCM-SHA384 for a TLS session. What is the key strength of the symmetric encryption algorithm?
256-bit. The AES256 token names the bulk (symmetric) cipher and its key size; the other tokens are the key agreement (ECDHE), the authentication algorithm (ECDSA), the cipher mode (GCM) and the hash used for the PRF/MAC (SHA384).
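Worked example (added here, not part of the original study guide): a parser that splits an OpenSSL-style cipher suite name into its fields and reports the symmetric key size, whether the key exchange gives forward secrecy, and whether the suite is one a downgrade attack would try to force. The token tables are assumptions covering the common TLS 1.2 names; the sample suite names are constructed inputs.

```python
import re
from typing import Dict, Optional

# OpenSSL-style names are dash-separated: [KEX]-[AUTH]-CIPHER[bits]-[MODE]-[HASH].
# A missing KEX/AUTH prefix (e.g. AES128-SHA) means static RSA key transport.
KEX = {"ECDHE", "DHE", "ECDH", "DH", "PSK", "SRP", "RSA"}
AUTH = {"ECDSA", "RSA", "DSS", "PSK"}
MODES = {"GCM", "CBC", "CCM", "CCM8", "POLY1305"}
# Bulk ciphers whose key size is not written into the token (AES256 carries its own).
FIXED_BITS = {"CHACHA20": 256, "RC4": 128, "3DES": 112, "DES": 56, "NULL": 0}
BROKEN_CIPHERS = {"RC4", "3DES", "DES", "NULL"}


def parse_suite(name: str) -> Dict[str, object]:
    """Split a cipher suite name into its components and assess its strength."""
    tokens = name.replace("DES-CBC3", "3DES").split("-")  # OpenSSL spells 3DES as DES-CBC3
    kex = tokens.pop(0) if tokens[0] in KEX else "RSA"
    auth = tokens.pop(0) if tokens and tokens[0] in AUTH else kex
    if not tokens:
        raise ValueError(f"no bulk cipher in {name!r}")
    cipher_tok = tokens.pop(0)
    if cipher_tok in FIXED_BITS:
        cipher, bits = cipher_tok, FIXED_BITS[cipher_tok]
    else:
        m = re.fullmatch(r"([A-Z]+)(\d+)", cipher_tok)
        if not m:
            raise ValueError(f"unknown cipher token {cipher_tok!r}")
        cipher, bits = m.group(1), int(m.group(2))
    mode: Optional[str] = tokens.pop(0) if tokens and tokens[0] in MODES else None
    if mode is None and cipher in {"AES", "CAMELLIA", "3DES", "DES"}:
        mode = "CBC"                       # block ciphers default to CBC in OpenSSL names
    mac = tokens.pop(0) if tokens else "AEAD"   # AEAD suites carry no separate hash token
    if tokens:
        raise ValueError(f"unexpected trailing tokens {tokens} in {name!r}")
    return {
        "kex": kex, "auth": auth, "cipher": cipher, "key_bits": bits,
        "mode": mode, "mac": mac,
        # Ephemeral (EC)DH gives perfect forward secrecy; static RSA/DH does not.
        "forward_secrecy": kex in {"ECDHE", "DHE"},
        # Suites a downgrade attack would try to negotiate.
        "weak": cipher in BROKEN_CIPHERS or mac == "MD5" or bits < 128,
    }


if __name__ == "__main__":
    for suite in ["ECDHE-ECDSA-AES256-GCM-SHA384", "AES128-SHA", "RC4-MD5"]:
        print(suite, parse_suite(suite))
```

The same parsing answers the exam question directly (key_bits is 256) and also shows why the suite is a good one: ECDHE gives forward secrecy, GCM is an AEAD mode, and none of the broken ciphers appear.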
In organizational policies, what two concepts govern change?
A change control process governs the way changes are requested and approved. A change management process governs the way that planned change is implemented and the way unplanned change is handled.
perfect forward secrecy (PFS)
A characteristic of transport encryption that ensures that if a long-term key is compromised, the compromise affects only a single session and does not allow recovery of plaintext from other sessions. PFS uses ephemeral Diffie-Hellman (DHE or ECDHE) key agreement to create per-session keys that are not derived from, and cannot be recovered with, the server's private key.
Open Web Application Security Project (OWASP)
A charity and community publishing a number of secure application development resources.
Asymmetric encryption
A cipher that uses a pair of public and private keys. The keys are mathematically linked, using either the Rivest, Shamir, Adleman (RSA) or elliptic curve cryptography (ECC) algorithms, but the private key cannot feasibly be derived from the public one. A key cannot reverse the operation it performs, so the public key cannot decrypt what it has encrypted; only the matching private key can.
rootkit
A class of malware that modifies system files, often at the kernel level, to conceal its presence
You are developing a secure web application. What sort of certificate should you request to show that you are the publisher of a program?
A code signing certificate. Certificates are issued for specific purposes. A certificate issued for one purpose should not be reused for other functions.
Access control lists (ACL)
A collection of access control entries (ACEs) that determines which subjects (user accounts, host IP addresses, and so on) are allowed or denied access to the object and the privileges given (read only, read/write, and so on).
tcpreplay
A command-line utility that replays packets saved to a file back through a network adapter.
How can cryptography support high resiliency?
A complex system might have to support many inputs from devices installed to potentially unsecure locations. Such a system is resilient if compromise of a small part of the system is prevented from allowing compromise of the whole system. Cryptography assists this goal by ensuring the authentication and integrity of messages delivered over the control system.
ISO 27001
A comprehensive set of standards for information security, including best practices for security and risk management, compliance, and technical implementation.
sandbox
A computing environment that is isolated from a host system so that the environment runs in a controlled, secure fashion. Communication between the sandbox and the host is usually tightly restricted or prohibited altogether.
Security as a Service (SECaaS)
A computing method that enables clients to take advantage of information, software, infrastructure, and processes provided by a cloud vendor in the specific area of computer security.
Blockchain
A concept in which an expanding list of transactional records listed in a public ledger is secured using cryptography. Each record is referred to as a block and is run through a hash function. The hash value of the previous block in the chain is included in the hash calculation of the next block, so that each successive block is cryptographically linked and altering an earlier block invalidates every block after it.
Separation of duties
A concept that states that duties and responsibilities should be divided among individuals to prevent ethical conflicts or abuse of powers.
Which sanitization solution meets all the following requirements: compatible with both HDD and SDD media, fast operation, and leaves the media in a reusable state?
A crypto erase or Instant Secure Erase (ISE) sanitizes a self-encrypting drive by destroying the media encryption key: everything written to the drive was already encrypted under that key, so once the key is erased the remaining ciphertext is unrecoverable. It works for both HDD and SSD media, completes in seconds, and leaves the drive reusable.
hardware Root of Trust (RoT)
A cryptographic module embedded within a computer system that can endorse trusted execution and attest to boot settings and metrics.
self-signed certificate
A digital certificate that has been signed by the entity that issued it, rather than by a CA.
What is a tabletop exercise?
A discussion-based drill of emergency response procedures. Staff may role-play and discuss their responses but actual emergency conditions are not simulated.
self-encrypting drives (SED)
A disk drive where the controller can automatically encrypt data that is written to it.
Routing Information Protocol (RIP)
A distance vector-based routing protocol that uses a hop count to determine the distance to the destination network.
What is a risk register?
A document highlighting the results of risk assessments in an easily comprehensible format (such as a heat map or "traffic light" grid). Its purpose is for department managers and technicians to understand risks associated with the workflows that they manage.
Disaster recovery plans (DRPs)
A documented and resourced plan showing actions and responsibilities to be used in response to critical incidents.
What type of attack against HTTPS aims to force the server to negotiate weak ciphers?
A downgrade attack.
screened host
A dual-homed proxy/gateway server used to provide Internet access to other network nodes, while protecting them from external attack.
SMiShing
A form of phishing that uses SMS text messages to trick a victim into revealing information.
Structured Threat Information eXpression (STIX)
A standardized language (serialized as JSON in STIX 2) for describing and sharing cyber threat intelligence such as indicators, threat actors, campaigns and tactics, techniques and procedures (TTPs). TAXII is the companion protocol for transporting STIX data between parties.
You have configured a network vulnerability scanner for an engineering company. When running a scan, multiple sensors within an embedded systems network became unresponsive, causing a production shutdown. What alternative method of vulnerability scanning should be used for the embedded systems network?
A fully non-intrusive solution should be adopted, such as sniffing traffic using a network tap or mirror port. Using the network traffic to detect vulnerabilities rather than actively probing each device will not cause system stability issues (though there is greater risk of false positive and false negative results).
Alternate Data Streams (ADS)
A function of the NT File System (NTFS) that enables multiple data streams for a single file name.
What type of dynamic testing tool would you use to check input validation on a web form?
A fuzzer can be used to submit known unsafe strings and randomized input to test whether they are made safe by input validation or not.
group account
A group account is a collection of user accounts that are useful when establishing file permissions and user rights because when many individuals need the same level of access, a group could be established containing all the relevant users.
What is the difference between security group- and role-based permissions management?
A group is simply a container for several user objects. Any organizing principle can be applied. In a role-based access control system, groups are tightly defined according to job functions. Also, a user should (logically) only possess the permissions of one role at a time.
regular expression (regex)
A group of characters that describe how to execute a specific search pattern on a given text.
white hat
A hacker engaged in authorized penetration testing or other security consultancy.
gray hat hacker
A hacker who analyzes networks without seeking authorization, but without overtly malicious intent.
jump server
A hardened server that provides access to other hosts.
You are providing consultancy to a firm to help them implement smart card authentication to premises networks and cloud services. What are the main advantages of using an HSM over server-based key and certificate management services?
A hardware security module (HSM) is optimized for this role and so presents a smaller attack surface. It is designed to be tamper-evident to mitigate insider threat risks. It is also likely to have a better implementation of a random number generator, improving the security properties of key material.
What is the process of digitally signing a message?
A hashing function is used to create a message digest. The digest is then signed using the sender's private key. The recipient uses the sender's public key to recover the signed digest from the signature; no other party can produce a signature that verifies under that public key. The recipient then calculates his or her own digest of the received message and compares it to the recovered digest to validate that the message has not been altered and was signed by the holder of the private key.
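Worked example (added here, not part of the original study guide) of the three steps above (hash, sign with the private key, verify with the public key), using the same asymmetric RSA operation described under "Asymmetric encryption". The key pair is an assumption: it is built from two Mersenne primes so the example runs offline in an instant, which makes it unsuitable as a real key, and the signature is textbook RSA with no padding, whereas real implementations apply PKCS#1 v1.5 or PSS padding to the digest before signing.

```python
import hashlib
from math import gcd

# Toy RSA key pair (assumption for the example only). Real keys come from a
# CSPRNG-driven generator such as openssl or the cryptography library, not
# from fixed Mersenne primes; these are used so the example needs no network
# and no key file. N is about 648 bits, comfortably larger than a SHA-256 digest.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
if gcd(E, PHI) != 1:
    raise RuntimeError("public exponent not invertible for these primes")
D = pow(E, -1, PHI)   # private exponent (modular inverse; Python 3.8+)


def digest(message: bytes) -> int:
    """Step 1: hash the message to a fixed-size digest, taken here as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Step 2: sign the digest (not the whole message) with the private key."""
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Step 3: recover the signed digest with the public key and compare it with a
    digest computed locally over the received message."""
    recovered = pow(signature, e, n)
    return recovered == digest(message)


if __name__ == "__main__":
    msg = b"transfer 100 to account 42"
    sig = sign(msg)
    print(verify(msg, sig))                                   # True
    print(verify(b"transfer 900 to account 42", sig))         # False: message altered
```

Two properties of the process are visible in the code: tampering with even one byte of the message changes the locally computed digest so verification fails, and only D (the private key) can produce a value that the public exponent E maps back onto the digest.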
Vishing
A human-based attack where the attacker extracts information while speaking over the phone or leveraging IP-based voice messaging services (VoIP).
application programming interface (API)
A library of programming utilities used, for example, to enable software developers to access functions of the TCP/IP network stack under a particular operating system.
Open Shortest Path First (OSPF)
A link-state routing protocol used on IP networks
certificate revocation list (CRL)
A list of certificates that were revoked before their expiration date.
crypto erase
A method of sanitizing a self-encrypting drive by erasing the media encryption key.
certificate chaining
A method of validating a certificate by tracing each CA that signs the certificate, up through the hierarchy to the root CA. Also referred to as chain of trust.
Authentication
A method of validating a particular entity's or individual's unique credentials.
heuristics
A method that uses feature comparisons and likenesses rather than specific signature matching to identify whether the target of observation is malicious.
What is containerization?
A mobile app or workspace that runs within a partitioned environment to prevent other (unauthorized) apps from interacting with it.
A threat actor gained access to a remote network over a VPN. Later, you discover footage of the user of the hacked account being covertly filmed while typing their password. What type of endpoint security solution might have prevented this breach?
A mobile device management (MDM) suite can prevent use of the camera function of a smartphone.
What is EAPoL?
A network access server that supports 802.1X port-based access control can enable a port but allow only Extensible Authentication Protocol over LAN (EAPoL) traffic through it. This allows the supplicant and the authentication server to perform the authentication exchange, with the network access server acting as a pass-through; the port is opened to normal traffic only after authentication succeeds.
Industrial control systems (ICSs)
A network managing embedded devices (computer systems that are designed to perform a specific, dedicated function).
Behavioral-based detection
A network monitoring system that detects changes in normal operating data sequences and identifies abnormal sequences.
anomaly analysis
A network monitoring system that uses a baseline of acceptable outcomes or event patterns to identify events that fall outside the acceptable range.
Signature-based detection
A network monitoring system that uses a predefined set of rules provided by a software vendor or security personnel to identify events that are unacceptable.
Directory services
A network service that stores identity information about all the objects in a particular network, including users, groups, servers, client computers, and printers.
pass the hash (PtH)
A network-based attack where the attacker steals hashed user credentials and uses them as-is to try to authenticate to the same network the hashed credentials originated on.
Rule-based access control
A non-discretionary access control technique that is based on a set of operational rules or restrictions to enforce a least privileges permissions policy.
Center for Internet Security
A not-for-profit organization (founded partly by SANS). It publishes the well-known "Top 20 Critical Security Controls" (or system design recommendations).
How does OTP protect against password guessing or sniffing attacks?
A one-time password mechanism generates a code that is valid only for a single use (HOTP) or for a short period (typically 30 or 60 seconds for TOTP) before it changes. A sniffed or guessed code is therefore useless once it has been used or its time window has passed, and because each code is derived from a shared secret and a moving factor (counter or time), earlier codes give an attacker no way to predict the next one.
Border Gateway Protocol (BGP)
A path vector routing protocol used by ISPs to establish routing between one another.
What distinguishes host-based personal software firewall from a network firewall appliance?
Personal firewall software can block individual processes from accessing a network connection as well as applying packet filtering rules. A personal firewall protects the local host only, while a network firewall filters traffic for all hosts on the segment behind it.
acceptable use policy (AUP)
A policy that governs employees' use of company equipment and Internet services. ISPs may also apply AUPs to their customers.
What is the effect of a memory leak?
A process claims memory locations but never releases them, reducing the amount of memory available to other processes. This will damage performance, could prevent other processes from starting, and if left unchecked could crash the OS.
malicious process
A process executed without proper authorization from the system owner for the purpose of damaging or compromising the system.
Federation
A process that provides a shared login capability across multiple systems and enterprises. It essentially connects the identity management services of multiple systems.
Syslog
A protocol enabling different appliances and software applications to transmit logs or event records to a central server. A syslog message comprises a PRI code, a header containing a timestamp and host name, and a message part. The PRI code is calculated as the facility number multiplied by 8 plus the severity level. The message part contains a tag showing the source process plus content. The format of the content is application dependent: it might use space- or comma-delimited fields or name/value pairs, such as JSON data.
infrastructure as code (IaC)
A provisioning architecture in which deployment of resources is performed by scripted automation and orchestration.
You have been asked to monitor baseline API usage so that a rate limiter value can be set. What is the purpose of this?
A rate limiter will mitigate denial of service (DoS) attacks on the API, where a malicious entity generates millions of spurious requests to block legitimate ones. You need to establish a baseline to ensure continued availability for legitimate users by setting the rate limit at an appropriate level.
Secure Shell (SSH)
A remote administration and file-copy program that supports VPNs by using port forwarding, and that runs on TCP port 22.
Common Vulnerability Scoring System (CVSS)
A risk management approach to quantifying vulnerability data and then taking into account the degree of risk to different types of systems or information.
How does elasticity differ from scalability?
A scalable system is one that responds to increased workloads by adding resources without exponentially increasing costs. An elastic system is able to assign or unassign resources as needed to match either an increased workload or a decreased workload.
SSH FTP (SFTP)
A secure version of the File Transfer Protocol that uses a Secure Shell (SSH) tunnel as an encryption method to transfer, access, and manage files.
authentication, authorization, and accounting (AAA)
A security concept where a centralized platform verifies subject identification, ensures the subject is assigned relevant permissions, and then logs these actions to create an audit trail.
Compensating
A security measure that takes on risk mitigation when a primary control fails or cannot completely meet expectations.
identity and access management (IAM)
A security process that provides identification, authentication, and authorization mechanisms for users, computers, and other entities to work with organizational assets like networks, operating systems, and applications.
Data owner
A senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of an information asset.
certificate authority (CA)
A server that guarantees subject identities by issuing signed digital certificate wrappers for their public keys. The CA is the entity responsible for issuing and guaranteeing certificates. Private CAs can be set up within an organization for internal communications.
proxy server
A server that mediates the communications between a client and another server. It can filter and often modify communications, as well as provide caching services to improve performance.
What type of interoperability agreement is designed to ensure specific performance standards?
A service level agreement (SLA). In addition, performance standards may also be incorporated in business partner agreements (BPAs).
Internet Protocol Security (IPSec)
A set of open, non-proprietary standards that are used to secure data through authentication and encryption as the data travels across the network or the Internet.
indicator of compromise (IoC)
A sign that an asset or network has been attacked or is currently under attack.
Your consultancy includes a training segment. What type of incident response exercise will best represent a practical incident handling scenario?
A simulation exercise creates an actual intrusion scenario, with a red team performing the intrusion and a blue team attempting to identify, contain, and eradicate it.
endpoint protection platforms (EPPs)
A software agent and monitoring system that performs multiple security tasks.
Service-oriented architecture (SOA)
A software architecture where components of the solution are conceived as loosely coupled services not dependent on a single platform type or technology.
What is an SDK and how does it affect secure development?
A software development kit (SDK) contains tools and code examples released by a vendor to make developing applications within a particular environment (framework, programming language, OS, and so on) easier. Any element in the SDK could contain vulnerabilities that could then be transferred to the developer's code or application.
Agile development
A software development model that focuses on iterative and incremental development to account for evolving requirements and expectations.
waterfall model
A software development model where the phases of the SDLC cascade so that each phase will start only when all tasks identified in the previous phase are complete.
DLL injection
A software vulnerability that can occur when a Windows-based application forces another running application to load a DLL into its memory. The injected code runs with the victim process's privileges and can cause the victim application to become unstable, leak sensitive information, or execute the attacker's code.
pointer dereference
A software vulnerability that can occur when code attempts to read or write the memory location specified by a pointer, but the pointer is null (or otherwise invalid), typically crashing the process.
Memory leaks
A software vulnerability that can occur when software does not release allocated memory when it is done using it, potentially leading to system instability.
Race conditions
A software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer.
What is meant by a public cloud?
A solution hosted by a third-party cloud service provider (CSP) and shared between subscribers (multi-tenant). This sort of cloud solution has the greatest security concerns.
SPIM
A spam attack that is propagated through instant messaging rather than email.
attack vector
A specific path by which a threat actor gains unauthorized access to a system.
trusted platform module (TPM)
A specification for hardware-based storage of digital certificates, keys, hashed passwords, and other user and platform identification information. The TPM is implemented either as a discrete chip on the motherboard, as part of the chipset, or as an embedded function of the CPU.
IEEE 802.1X
A standard for encapsulating EAP communications over a LAN (EAPoL) to implement port-based authentication.
NFC
A standard for peer-to-peer (two-way) radio communications over very short (around 4 inches/10 cm) distances, facilitating contactless payment and similar technologies. NFC is based on RFID. NFC does not itself provide encryption, so eavesdropping and man-in-the-middle attacks are possible if the attacker can find some way of intercepting the communication and the software services using the channel are not encrypting the data.
What is a SOP?
A standard operating procedure (SOP) is a step-by-step listing of the actions that must be completed for any given task.
Remote Authentication Dial-in User Service (RADIUS)
A standard protocol used to manage remote and wireless authentication infrastructures.
Sysinternals
A suite of tools designed to assist with troubleshooting issues with Windows.
Advanced Encryption Standard (AES)
A symmetric 128-, 192-, or 256-bit block cipher based on the Rijndael algorithm developed by Belgian cryptographers Joan Daemen and Vincent Rijmen and adopted by the U.S. government as its encryption standard to replace DES.
user and entity behavior analytics (UEBA)
A system that can provide automated identification of suspicious activity by user accounts and computer hosts.
Steganography
A technique for obscuring the presence of a message, often by embedding information within a file or other entity (for example, in the least significant bits of an image's pixel data) so that an observer does not realize a hidden message exists at all.
stateful inspection
A technique used in firewalls that tracks the state of each connection in a state table (for example, a TCP handshake in progress, an established session, or a UDP request awaiting its reply) and evaluates each packet against that state rather than only against its header fields. This lets the firewall allow return traffic for connections opened from inside while dropping packets that belong to no known connection, enforcing tighter security than a stateless packet filter.
security control
A technology or procedure put in place to mitigate vulnerabilities and risk and to ensure the confidentiality, integrity, and availability (CIA) of information.
You are assisting a customer with implementing data loss prevention (DLP) software. Of the two products left in consideration, one supports steganalysis of image data, but the other does not. What is the risk of omitting this capability?
A threat actor could conceal information within an image file and use that to bypass the DLP system. One thing to note is that attackers could find other ways to implement covertexts (audio or video, for instance) or abuse protocol coding. There are many things that steganalysis needs to be able to scan for! You might also note that steganography is not only a data exfiltration risk. It can also be used to smuggle malicious code into a host system.
A website owner wants to evaluate whether the site security mitigates risks from criminal syndicates, assuming no risk of insider threat. What type of penetration testing engagement will most closely simulate this adversary capability and resources?
A threat actor has no privileged information about the website configuration or security controls. This is simulated in a black box (or blind) pen test engagement.
Symmetric encryption
A two-way encryption scheme in which encryption and decryption are both performed by the same key. Also known as shared-key encryption.
real-time operating systems (RTOS)
A type of OS that prioritizes deterministic execution of operations to ensure consistent response for time-critical tasks.
programmable logic controller (PLC)
A type of computer designed for deployment in an industrial or outdoor setting that can automate and monitor mechanical systems.
stateless
A type of firewall that does not preserve information about the connection between two hosts. Often used to describe packet-filtering firewalls.
Clickjacking
A type of hijacking attack that forces a user to unintentionally click a link that is embedded in or hidden by other web page elements.
Domain hijacking
A type of hijacking attack where the attacker steals a domain name by altering its registration information and then transferring the domain name to another entity. Sometimes referred to as brandjacking.
supervisory control and data acquisition (SCADA)
A type of industrial control system that manages large-scale, multiple-site devices and equipment spread over geographically large areas.
dictionary attack
A type of password attack that hashes each entry in a predetermined list of likely password values and compares the results against captured password hashes.
birthday attack
A type of password attack that exploits the mathematics of the hash functions used to protect passwords: the probability that two different inputs produce the same hash output (a collision) is far higher than intuition suggests, so an attacker can find a colliding input much faster than by exhaustive search.
rainbow table attack
A type of password attack where an attacker uses a precomputed table of plaintext passwords and their hashes (stored compactly as hash chains) to reverse captured password hashes without hashing each guess at crack time. Salting the hashes defeats precomputation.
brute-force attack
A type of password attack where an attacker uses an application to exhaustively try every possible character combination against captured password hashes until one matches.
Corrective Control
A type of security control that acts after an incident to eliminate or minimize its impact.
Physical
A type of security control that acts against in-person intrusion attempts.
Detective Control
A type of security control that acts during an incident to identify or record that it is happening.
Deterrent
A type of security control that discourages intrusion attempts.
session hijacking
A type of spoofing attack where the attacker takes over an established session between two hosts, either by stealing the session identifier (such as a cookie or token) or by disconnecting one host and replacing it with his or her own machine while spoofing the original host's IP address.
stream cipher
A type of symmetric encryption that combines a stream of plaintext bits or bytes with a pseudorandom stream initialized by a secret key.
block cipher
A type of symmetric encryption that encrypts data one fixed-size block at a time (64-bit blocks for DES and 3DES, 128-bit for AES), using a mode of operation such as CBC or GCM to chain blocks together and padding or a counter construction to handle partial blocks. Block ciphers are more widely deployed and easier to use securely than stream ciphers, but can be slower for some workloads.
unified extensible firmware interface (UEFI)
A type of system firmware providing support for 64-bit CPU operation at boot, full GUI and mouse operation at boot, and better boot security. UEFI provides the code that allows the host to boot to an OS and can enforce a number of boot integrity checks (Secure Boot).
State actors
A type of threat actor that is supported by the resources of its host country's military and security services.
criminal syndicate
A type of threat actor that uses hacking and computer fraud for commercial gain.
Containerization
A type of virtualization applied by a host operating system to provision an isolated execution environment for an application.
How does accounting provide non-repudiation?
A user's actions are logged on the system. Each user is associated with a unique computer account. As long as the user's authentication is secure and the logging system is tamper-proof, they cannot deny having performed the action.
Virtual desktop infrastructure (VDI)
A virtualization implementation that separates the personal computing environment from a user's physical computer.
arbitrary code execution
A vulnerability that allows an attacker to run their own code or a module that exploits such a vulnerability.
What is a WAF?
A web application firewall (WAF) is designed to protect HTTP and HTTPS applications. It can be configured with signatures of known attacks against applications, such as injection-based attacks or scanning attacks.
evil twin
A wireless access point that deceives users into believing that it is a legitimate network access point.
What is a zone transfer and which reconnaissance tools can be used to test whether a server will allow one?
A zone transfer is where a Domain Name System (DNS) server allows a client to request all the name records for a zone, a function intended for replicating the zone to secondary servers. nslookup (Windows) and dig (principally Linux) can be used to test whether this query is allowed, for example dig axfr example.com @ns1.example.com. You could also mention the dnsenum tool, which will check for zone transfers along with other enumeration tests on DNS infrastructure.
Online Certificate Status Protocol (OCSP)
Allows clients to request the status of a digital certificate, to check whether it is revoked.
EAP-TLS
An EAP method that requires server-side and client-side certificates for mutual authentication using TLS.
Role-based access control (RBAC)
An access control model where resources are protected by ACLs that are managed by administrators and that provide user permissions based on job functions.
fat WAP
An access point whose firmware contains enough processing logic to function autonomously and handle clients without the use of a wireless controller.
What is the difference between locked and disabled accounts?
An account enters a locked state because of a policy violation, such as an incorrect password being entered too many times. Lockout is usually applied for a limited duration. An account is usually disabled manually, using the account properties. A disabled account can only be re-enabled manually.
shared account
An account with no credential (guest) or one where the credential is known to multiple persons.
nondisclosure agreement (NDA)
An agreement that stipulates that entities will not share confidential information, knowledge, or materials with unauthorized third parties.
HMAC-based One-time Password Algorithm (HOTP)
An algorithm that generates a one-time password using a hash-based authentication code to verify the authenticity of the message.
hardware security module (HSM)
An appliance for generating and storing cryptographic keys. This sort of solution may be less susceptible to tampering and insider threats than software-based storage.
secure web gateway (SWG)
An appliance or proxy server that mediates client connections with the Internet by filtering spam and malware and enforcing access restrictions on types of sites visited, time spent, and bandwidth consumed.
Directory traversal
An application attack that allows access to commands, files, and directories that may or may not be connected to the web document root directory.
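Worked example (added here, not part of the original study guide): the naive path mapping that lets a directory traversal request escape the document root, beside a hardened version that URL-decodes the request, rejects null bytes, normalizes the path and confirms it still lies under the root. The document root and request strings are constructed for the example; the functions work on path strings only, so they run without a real web root.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # hypothetical document root


def vulnerable_path(requested: str, root: str = WEB_ROOT) -> str:
    """Naive mapping: the request string is joined to the root and handed to the OS,
    which resolves the ../ components. The result is the file actually opened."""
    return posixpath.normpath(posixpath.join(root, requested))


def safe_path(requested: str, root: str = WEB_ROOT) -> Optional[str]:
    """Map a URL path onto the document root, refusing anything that resolves outside it."""
    root = posixpath.normpath(root)
    decoded = unquote(requested)                 # %2e%2e -> .. before any checks
    if "\x00" in decoded:                        # null-byte truncation in C-backed file APIs
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # normpath collapses ../ lexically; the result must still sit under root.
    # Production code should also realpath() both sides so symlinks cannot escape.
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    print(vulnerable_path("../../etc/passwd"))   # /var/etc/passwd: escaped the root
    print(safe_path("../../etc/passwd"))         # None: rejected
    print(safe_path("images/logo.png"))          # /var/www/html/images/logo.png
```

Decoding exactly once is deliberate: a double-encoded request such as %252e%252e decodes to the literal directory name "%2e%2e", which stays inside the root, whereas decoding in a loop would reintroduce the traversal.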
Nonce
An arbitrary number used only once in a cryptographic communication, often to prevent replay attacks.
Black box
An assessment methodology where the assessor is given no privileged information about the configuration of the target of assessment.
watering hole attack
An attack in which an attacker targets specific groups or organizations, discovers which websites they frequent, and injects malicious code into those sites.
buffer overflow
An attack in which data goes past the boundary of the destination buffer and begins to corrupt adjacent memory. This can allow the attacker to crash the system or execute arbitrary code.
SQL injection
An attack in which input supplied through the client side of the application is incorporated into a database query without proper sanitization, so that the attacker's input is interpreted as part of the SQL statement rather than as data.
Supply chain
An attack that targets the end-to-end process of manufacturing, distributing, and handling goods and services.
hybrid password attack
An attack that uses multiple attack methods, including dictionary, rainbow table, and brute force attacks when trying to crack a password.
How might wireless connection methods be used to compromise the security of a mobile device processing corporate data?
An attacker might set up some sort of rogue access point (Wi-Fi) or cell tower (cellular) to perform eavesdropping or man-in-the-middle attacks. For Personal Area Network (PAN) range communications, there might be an opportunity for an attacker to run exploit code over the channel.
Advanced Persistent Threat (APT)
An attacker's ability to obtain, maintain, and diversify access to network systems using exploits and malware.
typosquatting
Also called URL hijacking. An attack in which an attacker registers a domain name with a common misspelling of an existing domain, so that a user who misspells a URL they enter into a browser is taken to the attacker's website.
Open ID Connect (OIDC)
An authentication layer that sits on top of the OAuth 2.0 authorization protocol.
multifactor authentication (MFA)
An authentication scheme that requires the user to present at least two different factors as credentials, from something you know, something you have, something you are, something you do, and somewhere you are. Specifying two factors is known as 2FA.
single sign-on (SSO)
An authentication technology that enables a user to authenticate once and receive authorizations for multiple services. In Windows, SSO is provided by the Kerberos framework.
Secure/Multipurpose Internet Mail Extensions (S/MIME)
An email encryption standard that adds digital signatures and public key cryptography to traditional MIME communications.
Pharming
An impersonation attack in which a request for a website, typically an e-commerce site, is redirected to a similar-looking, but fake, website. Unlike phishing, this is usually achieved by corrupting name resolution (DNS cache poisoning or a modified HOSTS file) rather than by tricking the user into following a link.
Time-based One-time Password Algorithm (TOTP)
An improvement on HOTP that forces one-time passwords to expire after a short period of time.
Data steward
An individual who is primarily responsible for data quality, ensuring data is labeled and identified with appropriate metadata and that data is collected and stored in a format and with values that comply with applicable laws and regulations.
Data custodian
An individual who is responsible for managing the system on which data assets are stored, including being responsible for enforcing access control, encryption, and backup/recovery measures.
Initiative for Open Authentication (OATH)
An industry body comprising the main PKI providers, such as Verisign and Entrust, that was established with the aim of developing an open, strong authentication framework.
script kiddie
An inexperienced, unskilled attacker that typically uses tools or scripts created by others.
clean desk policy
An organizational policy that mandates employee work areas be free from potentially sensitive information; sensitive documents must not be left out where unauthorized personnel might see them.
Which two components are required to ensure power redundancy for a blackout period extending over 24 hours?
An uninterruptible power supply (UPS) is required to provide failover for the initial blackout event, before switching over to a standby generator to supply power over a longer period.
threat map
Animated map showing threat sources in near real-time.
Post-quantum
Anticipating challenges to current cryptographic implementations and general security issues in a world where threat actors have access to significant quantum processing capability.
Why should detailed vendor and product assessments be required before allowing the use of IoT devices in the enterprise?
As systems with considerable computing and networking functionality, these devices are subject to the same sort of vulnerabilities and exploits as ordinary workstations and laptops. It is critical to assess the vendor's policies in terms of the security design for the product and support for identifying and mitigating any vulnerabilities discovered in its use.
How does RAID support fault tolerance?
Aside from RAID 0, RAID provides redundancy between a group of disks, so that if one disk were to fail, that data may be recoverable from the other disks in the array.
canonicalization attack
Attack method where input characters are encoded in such a way as to evade vulnerable input validation measures.
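A canonicalization attack against a path filter, as an added example that is not from the original study guide. The request paths are constructed for illustration, the `/files` root and the three-round decode limit are assumptions of the example, and the "naive" filter is deliberately the weak one.

```python
import posixpath
from urllib.parse import unquote

# Constructed request paths for the example (not from the original page).
SAMPLE_PATHS = [
    "/files/report.pdf",                 # legitimate
    "/files/../etc/passwd",              # plain traversal
    "/files/%2e%2e/etc/passwd",          # ".." URL-encoded once
    "/files/%252e%252e/etc/passwd",      # double-encoded: %25 -> '%', then %2e -> '.'
    "/files/%2e%2e%2fetc%2fpasswd",      # encoded dots and slashes
]
ALLOWED_ROOT = "/files"


def naive_filter(path: str) -> bool:
    """Weak validation: looks for '..' in the raw, still-encoded path."""
    return ".." not in path


def canonicalize(path: str, max_decode_rounds: int = 3) -> str:
    """Decode until the path stops changing, then normalize '.' and '..' segments.

    A fixed round limit stops pathological input from making us loop; input that is
    still changing after the limit is rejected rather than guessed at.
    """
    decoded = path
    for _ in range(max_decode_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            return posixpath.normpath(decoded)
        decoded = nxt
    raise ValueError("input still decoding after limit; reject it")


def safe_filter(path: str, root: str = ALLOWED_ROOT) -> bool:
    """Validate the canonical form: it must stay at or under the allowed root."""
    try:
        canon = canonicalize(path)
    except ValueError:
        return False
    return canon == root or canon.startswith(root + "/")


def audit(paths=SAMPLE_PATHS):
    """For each sample: (naive verdict, canonical verdict)."""
    return {p: (naive_filter(p), safe_filter(p)) for p in paths}
```

Run `audit()` and the single- and double-encoded traversals pass the naive check but fail the canonical one. This example handles only percent-encoding; backslashes, overlong UTF-8 and Unicode look-alikes are further encodings a real filter must canonicalize in the same way, always decoding fully before validating.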
Statements on Standards for Attestation Engagements (SSAE)
Audit specifications designed to ensure that cloud/hosting providers meet professional standards. A SOC2 Type II report is created for a restricted audience, while SOC3 reports are provided for general consumption.
Challenge Handshake Authentication Protocol (CHAP)
Authentication scheme developed for dial-up networks that uses a three-way challenge-response handshake to authenticate the client to the server: the server sends a random challenge, the client returns an MD5 hash of the challenge combined with the shared secret, and the server compares that with its own calculation, so the secret itself never crosses the link (it is hashed, not encrypted). The challenge-response is repeated throughout the connection (transparently to the user) to guard against replay attacks.
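Both sides of the CHAP exchange in code, as an added example that is not part of the original study guide. The response calculation follows RFC 1994 (MD5 over Identifier, secret and Challenge Value); the shared secret and the 16-byte challenge length are constructed values for this example.

```python
import hashlib
import hmac
import os

# Constructed shared secret for the example; in PPP it is provisioned out of band on
# both peers. Not a value from the original page.
SHARED_SECRET = b"correct horse battery staple"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 Response Value: MD5 over Identifier || secret || Challenge Value."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server (authenticator) side: issues random challenges and checks responses."""

    def __init__(self, secret: bytes):
        # CHAP needs the secret itself on the server, not a hash of it: a known weakness.
        self._secret = secret
        self._identifier = 0
        self._outstanding = {}

    def challenge(self):
        """Returns (Identifier, Challenge Value); each challenge is random and single-use."""
        self._identifier = (self._identifier + 1) & 0xFF
        value = os.urandom(16)
        self._outstanding[self._identifier] = value
        return self._identifier, value

    def verify(self, identifier: int, response: bytes) -> bool:
        # Consume the challenge so a captured response cannot be replayed later.
        value = self._outstanding.pop(identifier, None)
        if value is None:
            return False
        expected = chap_response(identifier, self._secret, value)
        return hmac.compare_digest(expected, response)


def run_exchange(client_secret: bytes, authenticator: ChapAuthenticator) -> bool:
    """The three-way handshake: Challenge -> Response -> Success/Failure."""
    ident, value = authenticator.challenge()                  # 1. server -> client
    response = chap_response(ident, client_secret, value)     # 2. client -> server
    return authenticator.verify(ident, response)              # 3. server decides
```

Because the challenge is fresh each time, a captured response is useless against the next challenge; the trade-off is that the server must hold the plaintext secret, and MD5 makes the exchange vulnerable to offline dictionary attack if the secret is weak.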
What is the difference between authorization and authentication?
Authorization means granting the account that has been configured for the user on the computer system the right to make use of a resource. Authorization manages the privileges granted on the resource. Authentication protects the validity of the user account by testing that the person accessing that account is who they claim to be.
You are assessing whether to join AIS. What is AIS and what protocol should your SIEM support in order to connect to AIS servers?
Automated Indicator Sharing (AIS) is a service offered by the Department of Homeland Security (DHS) for participating in threat intelligence sharing. AIS uses the Trusted Automated eXchange of Indicator Information (TAXII) protocol as a means of transmitting CTI data between servers and clients.
What are the properties of a secure information processing system?
Confidentiality, Integrity, and Availability (and Non-repudiation).
Which security property is assured by symmetric encryption?
Confidentiality—symmetric ciphers are generally fast and well suited to bulk encrypting large amounts of data.
What are the risks of not having a documented IP schema?
Configuration errors are more likely, especially where complex access control lists (ACLs) and security monitoring sensor deployment is required.
VM sprawl
Configuration vulnerability where provisioning and deprovisioning of virtual assets is not properly authorized and monitored.
What steps should you take to secure an SNMPv2 service?
Configure strong community names (never the defaults public/private), use read-only communities wherever write access is not required, and use access control lists to restrict management operations to known hosts. Community names are transmitted in plaintext, so migrate to SNMPv3 with authentication and encryption wherever the devices support it.
Which life cycle process manages continuous release of code to the production environment?
Continuous deployment.
What is control risk?
Control risk arises when a security control is ineffective at mitigating the impact and/or likelihood of the risk factor it was deployed to mitigate. The control might not work as hoped, or it might become less effective over time.
What is DNS server cache poisoning?
Corrupting the records of a DNS server to point traffic destined for a legitimate domain to a malicious IP address.
What is secure staging?
Creating secure development environments for the different phases of a software development project (initial development server, test/integration server, staging [user test] server, production server).
Information Life Cycle Management
Creation/collection, Distribution/use, Retention, and Disposal
Is Cuckoo a type of malware or a security product?
Cuckoo is a security product designed to analyze malware as it runs in an isolated sandbox environment.
True or false? The contents of the HOSTS file are irrelevant as long as a DNS service is properly configured.
False—on Windows, HOSTS file entries are loaded into the DNS resolver cache at startup and take precedence over DNS lookups, so a modified HOSTS file can redirect traffic even when DNS is correctly configured. The lookup order can be changed via the registry to prioritize DNS over HOSTS, though.
A vulnerability scan reports that a CVE associated with CentOS Linux is present on a host, but you have established that the host is not running CentOS. What type of scanning error event is this?
False positive.
True or False? As they protect data at the highest layer of the protocol stack, application-based firewalls have no basic packet filtering functionality.
False. All firewall types can perform basic packet filtering (by IP address, protocol type, port number, and so on).
True or false? A customer is limited to creating one VPC per account.
False. There are limits to the number of virtual private clouds (VPCs) that can be created, but more than one is allowed.
True or false? Serverless means running computer code on embedded systems.
False. With serverless, the provision of functions running in containers is abstracted from the underlying server hardware. The point is that as a consumer, you do not perform any server management. The servers are still present, but they are operated and maintained by the cloud service provider.
True or false? An account requiring a password, PIN, and smart card is an example of three-factor authentication.
False—Three-factor authentication also includes a biometric-, behavioral-, or location-based element. The password and PIN elements are the same factor (something you know).
True or false? A TLS VPN can only provide access to web-based network resources.
False—a Transport Layer Security (TLS) VPN uses TLS to encapsulate the private network data and tunnel it over the network. The private network data could be frames or IP-level packets and is not constrained by application-layer protocol type.
True or false? Only Microsoft's operating systems and applications require security patches.
False—any vendor's or open-source software or firmware can contain vulnerabilities that need patching.
True or false? Band selection has a critical impact on all aspects of the security of a wireless network?
False—band selection can affect availability and performance but does not have an impact in terms of either confidentiality or integrity.
True or false? SOAR is intended to provide wholly automated incident response solutions.
False—incident response is too complex to be wholly automated. SOAR supports runbooks that orchestrate the sequence of response actions and automate parts of them, but decision-making still requires a human responder.
True or false? In order to create a service ticket, Kerberos passes the user's password to the target application server for authentication.
False—only the KDC verifies the user credential. The Ticket Granting Service (TGS) sends the user's account details (SID) to the target application for authorization (allocation of permissions), not authentication.
True or false? It is important to publish all security alerts to all members of staff.
False—security alerts should be sent to those able to deal with them at a given level of security awareness and on a need-to-know basis.
True or false? The "first responder" is whoever first reports an incident to the CIRT.
False—the first responder would be the member of the CIRT to handle the report.
True or false? Cryptography is about keeping things secret so they cannot be used as the basis of a non-repudiation system.
False—the usages are not exclusive. There are different types of cryptography and some can be used for non-repudiation. The principle is that if an encryption method (cipher and key) is known only to one person, that person cannot then deny having composed a message. This depends on the algorithm design allowing recipients to decrypt the message but not encrypt it.
True or false? While fully customizable by the customer, embedded systems are based on either the Raspberry Pi or the Arduino design.
False—these are examples of single-board computers based on the system on chip (SoC) design. They are widely used in education (and leisure). Some are used for industrial applications or for proof-of-concept designs, but most embedded systems are manufactured to specific requirements.
True or false? The account with which you register for the CSP services is not an account with root privileges.
False—this account is the root account and has full privileges. It should not be used for day-to-day administration or configuration.
subject alternative name (SAN)
Field in a digital certificate allowing a host to be identified by multiple host names/subdomains.
You are supporting a SIEM deployment at a customer's location. The customer wants to know whether flow records can be ingested. What type of data source is a flow record?
Flow records are generated by NetFlow or IP Flow Information Export (IPFIX) probes. A flow is a set of packets that share the same key fields (source and destination IP addresses, protocol, and source and destination ports); the flow record summarizes that flow with metadata such as packet and byte counts, start and end times, and ingress interface, rather than carrying packet contents.
Work Recovery Time (WRT)
Following systems recovery, there may be additional work to reintegrate different systems, test overall functionality, and brief system users on any changes or different working practices so that the business function is again fully supported.
You are consulting on threat intelligence solutions for a supplier of electronic voting machines. What type of threat intelligence source would produce the most relevant information at the lowest cost?
For critical infrastructure providers, threat data sharing via an Information Sharing and Analysis Center (ISAC) is likely to be the best option.
What two ways can biometric technologies be used other than for logon authentication?
For identification based on biometric features and in continuous authentication mechanisms.
You suspect the rogue host is modifying traffic before forwarding it, with the side effect of increasing network latency. Which tool could you use to measure latency on traffic routed from this subnet?
From a Windows host, the pathping tool can be used to measure latency along a route.
What type of bulk encryption cipher mode of operation offers the best security?
Generally, counter modes implementing Authenticated Encryption with Additional Data (AEAD). Specific examples include AES-GCM and ChaCha20-Poly1305.
Which response header provides protection against SSL stripping attacks?
HTTP Strict Transport Security (HSTS). The browser only enforces the policy after it has received the header over a valid HTTPS connection (or if the domain is on the browser preload list), so the very first visit remains exposed unless the site is preloaded.
Which type of threat actor is primarily motivated by the desire for social change?
Hacktivist.
For which types of system will a cipher suite that exhibits high latency be problematic?
High latency is not desirable in any system really, but it will affect real-time protocols that exchange voice or video most. In network communications, latency makes the initial protocol handshake longer, meaning delay for users and possible application timeout issues.
Which cryptographic technology is most useful for sharing medical records with an analytics company?
Homomorphic encryption allows calculations to be performed while preserving privacy and confidentiality by keeping the data encrypted.
Which terms are used to discuss levels of site resiliency?
Hot, warm, and cold sites, referring to the speed with which a site can failover.
You are agreeing a proposal to run a series of team-based exercises to test security controls under different scenarios. You propose using purple team testing, but the contracting company is only familiar with the concept of red and blue teams. What is the advantage of running a purple team exercise?
In a red versus blue team, there is no contact between the teams, and no opportunity to collaborate on improving security controls. In a purple team exercise, there is regular contact and knowledge sharing between the teams throughout the progression of the exercise.
private keys
In asymmetric encryption, the private key is known only to the holder and is linked to, but not derivable from, a public key distributed to those with which the holder wants to communicate securely. A private key can be used to encrypt data that can be decrypted by the linked public key or vice versa.
collision
In cryptography, two different inputs producing the same exact hash digest output. A collision-resistant hash makes such pairs computationally infeasible to find, which is what digital signatures and integrity checks rely on.
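A birthday search for a collision, as an added example that is not part of the original study guide. The "toy hash" is SHA-256 truncated to a small number of bits (an assumption of the example, chosen so the search finishes in a fraction of a second), and the inputs are constructed strings.

```python
import hashlib
import itertools
import math


def truncated_digest(data: bytes, bits: int) -> int:
    """The first `bits` bits of SHA-256, as an integer: a deliberately weak toy hash."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits: int, prefix: bytes = b"msg-"):
    """Birthday search: hash distinct constructed inputs until two share a digest.

    Returns (input_a, input_b, attempts). Memory use is the number of attempts, which
    is the usual time/memory trade-off of a generic collision search.
    """
    seen = {}
    for i in itertools.count():
        m = prefix + str(i).encode()
        d = truncated_digest(m, bits)
        if d in seen:
            return seen[d], m, i + 1
        seen[d] = m


def expected_attempts(bits: int) -> float:
    """Birthday bound: about sqrt(pi/2 * 2^bits) inputs before a collision is likely,
    i.e. roughly 2^(bits/2). That is why a 256-bit digest gives ~128 bits of collision
    resistance, and why truncating a hash to save space halves its strength per bit."""
    return math.sqrt(math.pi / 2 * 2 ** bits)
```

With 24 bits the search needs about 5,000 attempts; each extra bit of digest multiplies the expected work by the square root of two, which is the whole argument for long digests.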
Which part of a simple cryptographic system must be kept secret—the cipher, the ciphertext, or the key?
In cryptography, the security of the message is guaranteed by the security of the key (Kerckhoffs's principle). The system does not depend on hiding the algorithm or the message (security by obscurity).
Data sovereignty
In data protection, the principle that countries and states may impose individual requirements on data collected or stored within their jurisdiction.
A recent security evaluation concluded that your company's network design is too consolidated. Hosts with wildly different functions and purposes are grouped together on the same logical area of the network. In the past, this has enabled attackers to easily compromise large swaths of network hosts. What technique(s) do you suggest will improve the security of the network's design, and why?
In general, you should start implementing some form of network segmentation to put hosts with the same security requirements within segregated zones. For example, the workstations in each business department can be grouped in their own subnets to prevent a compromise of one subnet from spreading to another. Likewise, with VLANs, you can more easily manage the logical segmentation of the network without disrupting the physical infrastructure (i.e., devices and cabling).
How does a subject go about obtaining a certificate from a CA?
In most cases, the subject generates a key pair then adds the public key along with subject information and certificate type in a certificate signing request (CSR) and submits it to the CA. If the CA accepts the request, it generates a certificate with the appropriate key usage and validity, signs it, and transmits it to the subject.
Data processor
In privacy regulations, an entity trusted with a copy of personal data to perform storage and/or analysis on behalf of the data controller.
Annualized Rate of Occurrence (ARO)
In risk calculation, an expression of the probability/likelihood of a risk as the number of times per year a particular loss is expected to occur.
risk deterrence (or reduction)
In risk mitigation, the response of deploying security controls to reduce the likelihood and/or impact of a threat scenario.
key encryption key (KEK)
In storage encryption, the key used to encrypt (wrap) the symmetric bulk media encryption key (MEK). The KEK is itself protected by the user's credential or by a hardware store such as a TPM, so a user must authenticate to unwrap the MEK and access the media.
Cloud Security Alliance (CSA)
Industry body providing security guidance to CSPs, including enterprise reference architecture and security controls matrix.
Payment Card Industry Data Security Standard (PCI DSS)
Information security standard for organizations that process credit or bank card payments.
Personal health information (PHI)
Information that identifies someone as the subject of medical and insurance records, plus associated hospital and laboratory test results.
Data in transit (or data in motion)
Information that is being transmitted between two hosts, such as over a private network or the Internet.
Data in use (or data in processing)
Information that is present in the volatile memory of a host, such as system memory or cache.
Data at rest
Information that is primarily stored on specific media, rather than moving from one medium to another.
A company's web services are suffering performance issues because updates keep failing to run on certain systems. What type of architecture could address this issue?
Infrastructure as Code (IaC) means that provisioning is performed entirely from standard scripts and configuration data. The absence of manual configuration adjustments or ad hoc scripts to change settings is designed to eliminate configuration drift so that updates run consistently between the development and production environments.
What type of programming practice defends against injection-style attacks, such as inserting SQL commands into a database application from a site search form?
Input validation (allow-listing the length, character set, and format expected) provides some mitigation against this type of input being passed to an application via a user form. The specific defense is to use parameterized queries (prepared statements), so that the user-supplied value is bound as data and is never parsed as part of the SQL statement. Output encoding is a separate control that makes strings safe for the context they are written to (such as HTML); it does not protect the database query itself.
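The injection described above and its fix, side by side, as an added example that is not part of the original study guide. The product table, its rows, and the injection string are constructed for this example; sqlite3 stands in for whatever database the application uses.

```python
import sqlite3

# Constructed sample data (not from the original page): a product table with one
# internal-only row that the public search must never return.
SAMPLE_ROWS = [("widget", 0), ("gadget", 0), ("prototype-x", 1)]
INJECTION = "' OR 1=1 --"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, internal INTEGER)")
    conn.executemany("INSERT INTO products (name, internal) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str):
    """Concatenates the term into the statement, so the input is parsed as SQL.

    With INJECTION the WHERE clause becomes
        internal = 0 AND name LIKE '%' OR 1=1 --%'
    and the comment swallows the closing quote, so every row matches.
    """
    sql = "SELECT name FROM products WHERE internal = 0 AND name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, term: str):
    """Binds the term as a parameter: the driver passes it as data, never as syntax."""
    sql = "SELECT name FROM products WHERE internal = 0 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def validate_search_term(term: str) -> bool:
    """Allow-list input validation as an additional layer (length and character class)."""
    return 0 < len(term) <= 40 and all(c.isalnum() or c in " -_" for c in term)
```

The parameterized version returns nothing for the injection string because it is looking for a product literally named `' OR 1=1 --`; validation would have rejected the request before it reached the database at all.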
sideloading
Installing an app to a mobile device without using an app store.
What sort of maintenance must be performed on signature-based monitoring software?
Installing definition/signature updates and removing definitions that are not relevant to the hosts or services running on your network.
Data Privacy Officer (DPO)
Institutional data governance role with responsibility for compliant collection and processing of personal and sensitive data.
Describe some key considerations that should be made when hosting data or systems via a cloud solutions provider.
Integrate auditing and monitoring procedures and systems with on-premises detection, identify responsibility for implementing security controls (such as patching or backup), identify performance metrics in an SLA, and assess risks to privacy and confidentiality from breaches at the service provider.
For what type of account would interactive logon be disabled?
Interactive logon refers to starting a shell. Service accounts do not require this type of access. Default superuser accounts, such as Administrator and root, may also be disabled, or limited to use in system recovery or repair.
You have implemented a secure web gateway that blocks access to a social networking site. How would you categorize this type of security control?
It is a technical type of control (implemented in software) and acts as a preventive measure.
What are the advantages of a decentralized, discretionary access control policy over a mandatory access control policy?
It is easier for users to adjust the policy to fit changing business needs. Centralized policies can easily become inflexible and bureaucratic.
You are investigating a business email compromise (BEC) incident. The email account of a developer has been accessed remotely over webmail. Investigating the developer's workstation finds no indication of a malicious process, but you do locate an unknown USB extension device attached to one of the rear ports. Is this the most likely attack vector, and what type of malware would it implement?
It is likely that the USB device implements a hardware-based keylogger. This would not necessarily require any malware to be installed or leave any trace in the file system.
What are the potential consequences if a company loses control of a private key?
It puts both data confidentiality and identification and authentication systems at risk. Depending on the key usage, the key may be used to decrypt data without authorization. The key could also be used to impersonate a user or computer account.
A company has installed motion-activated floodlighting on the grounds around its premises. What class and function is this security control?
It would be classed as a physical control and its function is both detecting and deterring.
You've fulfilled your role in the forensic process and now you plan on handing the evidence over to an analysis team. What important process should you observe during this transition, and why?
It's important to uphold a record of how evidence is handled in a chain of custody. The chain of custody will help verify that everyone who handled the evidence is accounted for, including when the evidence was in each person's custody. This is an important tool in validating the evidence's integrity.
What field provides traffic marking for a QoS system at layer 3?
Layer 3 refers to the DiffServ field in the IP header.
Application aware firewalls
Layer 7 firewall technology that inspects packets at the Application layer of the OSI model.
What is the policy that states users should be allocated the minimum sufficient permissions?
Least privilege.
Nondisclosure agreement (NDA)
Legal basis for protecting information assets. NDAs are used between companies and employees, between companies and contractors, and between two companies. If the employee or contractor breaks this agreement and does share such information, they may face legal consequences. NDAs are useful because they deter employees and contractors from violating the trust that an employer places in them.
What physical site security controls act as deterrents?
Lighting is one of the most effective deterrents. Any highly visible security control (guards, fences, dogs, barricades, CCTV, signage, and so on) will act as a deterrent.
dd command
Linux command that makes a bit-by-bit copy of an input file, typically used for disk imaging.
head
Linux utility for showing the first lines in a file.
tail
Linux utility for showing the last lines in a file.
Which network access control framework supports smart cards?
Local logon providers, such as Kerberos, support smart cards, but this is not network access control as the device has already been allowed on the network. The IEEE 802.1X framework means that network access servers (switches, access points, and VPN gateways) can accept Extensible Authentication Protocol (EAP) credentials, but block any other type of network access. They act as a pass-through for an authentication server, which stores and validates the credentials. Some EAP types support smart card or machine authentication.
You are assisting with the preparation of security briefings on embedded systems tailored to specific implementations of embedded systems. Following the CompTIA Security+ syllabus, you have created the industry-specific advice for the following sectors—which one do you have left to do? Facilities, Industrial, Manufacturing, Energy, ???
Logistics—transportation of components for assembly or distribution of finished products.
Zigbee
Low-power wireless communications open source protocol used primarily for home automation. Zigbee uses radio frequencies in the 2.4 GHz band and a mesh topology.
Z-Wave
Low-power wireless communications protocol used primarily for home automation. Z-Wave uses radio frequencies in the high 800 to low 900 MHz range and a mesh topology.
Which attack framework provides descriptions of specific TTPs?
MITRE's ATT&CK framework.
What security controls might be used to implement protected distribution of cabling?
Make conduit physically difficult to access, use alarms to detect attempts to interfere with conduit, and use shielded cabling.
Volume Shadow Copy Service (VSS)
Makes snapshot backups of files even if they are open. It is used for Windows backup and the System Restore and Previous Versions features.
remote access trojan (RAT)
Malware that creates a backdoor remote administration channel to allow a threat actor to access and control the infected host.
Authority and Intimidation
Many people find it difficult to refuse a request by someone they perceive as superior in rank or expertise.
trapdoor function
A mathematical operation that is easy to perform in one direction but computationally infeasible to reverse unless a secret (the trapdoor) is known. For example, multiplying two large primes is easy but factoring the product is hard, which is what the security of RSA rests on.
What is measured by MTBF?
Mean Time Between Failures (MTBF) represents the expected reliability of a product over its lifetime.
stapling
Mechanism used to mitigate performance and privacy issues when requesting certificate status from an OCSP responder: the server periodically obtains a signed, time-stamped OCSP response for its own certificate and includes (staples) it in the TLS handshake, so the client does not have to contact the responder itself.
Homomorphic encryption
Method that allows computation on certain fields in a dataset without decrypting it. Principally used to share privacy-sensitive data sets.
A company has been using a custom-developed client-server application for customer management, accessed from remote sites over a VPN. Rapid overseas growth has led to numerous complaints from employees that the system suffers many outages and cannot cope with the increased number of users and access by client devices such as smartphones. What type of architecture could produce a solution that is more scalable?
Microservices is a suitable architecture for replacing monolithic client-server applications that do not meet the needs of geographically diverse, mobile workforces. By breaking the application up into microservice components and hosting these in cloud containers, performance can scale to demand. Web-based APIs are better suited to browser-based access on different device types.
Remote Desktop Protocol (RDP)
Microsoft's protocol for operating remote connections to a Windows machine (Terminal Services), allowing specified users to log onto the Windows computer over the network and work remotely. The protocol sends screen data from the remote host to the client and transfers mouse and keyboard input from the client to the remote host. It uses TCP port 3389.
AES Galois Counter Mode Protocol (GCMP)
Mode of operation for AES that ensures authenticated encryption.
Why might forcing users to change their password every month be counterproductive?
More users would forget their password, try to select unsecure ones, or write them down/record them in a non-secure way (like a sticky note).
Why are many network DoS attacks distributed?
Most attacks depend on overwhelming the victim. This typically requires a large number of hosts, or bots.
RSA algorithm
Named for its designers, Ronald Rivest, Adi Shamir, and Leonard Adleman, the first successful algorithm for public key encryption with a variable key length and block size.
What type of organizational security assessment is performed using Nessus?
Nessus is an automated network vulnerability scanner that checks for software vulnerabilities and missing patches.
What low-level networking feature will facilitate a segmentation-based approach to containing intrusion events?
Network segmentation is primarily achieved by virtual LANs (VLANs). A VLAN can be isolated from the rest of the network.
Is WPS a suitable authentication method for enterprise networks?
No, an enterprise network will use 802.1X/RADIUS (WPA-Enterprise) authentication. WPS is a convenience feature for PSK networks and its PIN method is weak: the 8-digit PIN is validated in two halves, so it can be brute forced in a few thousand attempts, after which the PSK is disclosed.
Does Syslog perform all the functions of a SIEM?
No, syslog allows remote hosts to send logs to a server, but syslog does not aggregate/normalize the log data or run correlation rules to identify alertable events.
You are discussing a security awareness training program for an SME's employees. The business owner asserts that as they do not run Microsoft Office desktop apps, there should be no need to cover document security and risks from embedded macros and scripts. Should you agree and not run this part of the program?
No. While Visual Basic for Applications (VBA) can only be used with Microsoft Office, other types of document can contain embedded scripts, such as JavaScript in PDFs. Other Office suites, such as OpenOffice and LibreOffice, use scripting languages for macros too.
Information Sharing and Analysis Centers (ISACs)
Not-for-profit group set up to share sector-specific threat intelligence and security best practices amongst its members.
What is the process of ensuring accounts are only created for valid users, only assigned the appropriate privileges, and that the account credentials are known only to the valid user?
Onboarding.
What range of information classifications could you implement in a data labeling project?
One set of tags could indicate the degree of confidentiality (public, confidential/secret, or critical/top secret). Another tagging schema could distinguish proprietary from private/sensitive personal data.
What use might a proximity reader be for site security?
One type of proximity reader allows a lock to be operated by a contactless smart card. Proximity sensors can also be used to track objects via RFID tags.
What countermeasures can you use against the threat of malicious firmware code?
Only use reputable suppliers for peripheral devices and strictly controlled sources for firmware updates. Consider use of a sheep dip sandboxed system to observe a device before allowing it to be attached to a host in the enterprise network. Use execution control software to allow only approved USB vendors.
As a security solutions provider, you are compiling a checklist for your customers to assess potential weak configuration vulnerabilities, based on the CompTIA Security+ syllabus. From the headings you have added so far, which is missing and what vulnerability does it relate to? Default settings, Unsecured root accounts, Open ports and services, Unsecure protocols, Weak encryption, Errors.
Open permissions refers to misconfigured access rights for data folders, network file shares, and cloud storage.
Your CEO wants to know if the company's threat intelligence platform makes effective use of OSINT. What is OSINT?
Open-source intelligence (OSINT) is cybersecurity-relevant information harvested from public websites and data records. In terms of threat intelligence specifically, it refers to research and data feeds that are made publicly available.
What tools are used for OSINT?
Open-source intelligence is a reconnaissance activity to gather information about the target from any public source. The basic tool is web searches/queries plus sites that scan/scrape/monitor vulnerabilities in Internet-facing services and devices. There are also specialist OSINT tools, such as theHarvester, that aggregate data from queries for different resources.
real-time Transport Protocol (RTP)
Real-time Transport Protocol (RTP): opens a data stream for video and voice applications over UDP. The data is packetized and tagged with control information (sequence numbering and time-stamping).
Service level agreement (SLA)
Operating procedures and standards for a service contract.
What container would you use if you want to apply a different security policy to a subset of objects within the same domain?
Organization Unit (OU).
What coding practice provides specific mitigation against XSS?
Output encoding ensures that strings are made safe for the context they are being passed to, such as when a JavaScript variable provides output to render as HTML. Safe means that the string does not contain unauthorized syntax elements, such as script tags.
In what scenario would PAP be considered a secure authentication method?
PAP is a legacy protocol that cannot be considered secure because it transmits plaintext ASCII passwords and has no cryptographic protection. The only way to ensure the security of PAP is to ensure that the endpoints establish a secure tunnel (using IPSec, for instance).
What type of certificate format can be used if you want to transfer your private key and certificate from one Windows host computer to another?
PKCS #12 / .PFX / .P12.
password crackers
Password guessing software can attempt to crack captured hashes of user credentials by running through all possible combinations (brute force). This can be made less computationally intensive by using a dictionary of standard words or phrases.
What steps should be taken to enroll a new employee on a domain network?
Perform checks to confirm the user's identity, issue authentication credentials securely, assign appropriate permissions/privileges to the account, and ensure accounting mechanisms to audit the user's activity.
What mechanism provides the most reliable means of associating a client with a particular server node when using load balancing?
Persistence is a layer 7 mechanism that works by injecting a session cookie. This is generally more reliable than the layer 4 source IP affinity mechanism.
In the context of penetration testing, what is persistence?
Persistence refers to the tester's ability to reconnect to the compromised host and use it as a remote access tool (RAT) or backdoor.
Simultaneous Authentication of Equals (SAE)
Personal authentication mechanism for Wi-Fi networks introduced with WPA3 to address vulnerabilities in the WPA-PSK method.
What is meant by PII?
Personally identifiable information is any data that could be used to identify, contact, or locate an individual.
biometric authentication
Physical characteristics stored as a digital data template can be used to authenticate a user. Typical features used include facial pattern, iris, retina, or fingerprint pattern, and signature recognition.
Deming Cycle
Plan, Do, Check, Act
Vendor management
Policies and procedures to identify vulnerabilities and ensure security of the supply chain.
Privileged access management (PAM)
Policies, procedures, and support software for managing accounts and credentials with administrative permissions.
quality assurance (QA)
Policies, procedures, and tools designed to ensure defect-free development and delivery.
Which port(s) and security methods should be used by a mail client to submit messages for delivery by an SMTP server?
Port 587 with STARTTLS (explicit TLS) or port 465 with implicit TLS.
Other than cost, which factor primarily constrains embedded systems in terms of compute and networking?
Power—many embedded systems must operate on battery power, and changing the batteries is an onerous task, so power-hungry systems like processing and high bandwidth or long-range networking are constrained.
What are the six phases of the incident response life cycle?
Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.
incident response life cycle
Preparation, Identification, Containment, Eradication, Recovery, and lessons learned
What should be the first action at a crime scene during a forensic investigation?
Preserve the crime scene by recording everything as is, preferably on video.
A firewall appliance intercepts a packet that violates policy. It automatically updates its Access Control List to block all further packets from the source IP. What TWO functions is the security control performing?
Preventive and corrective.
E-discovery
Procedures and tools to collect, preserve, and analyze digital evidence.
end of life (EOL)
Product life cycle phase where sales are discontinued and support options reduced over time.
end of service life (EOSL)
Product life cycle phase where support is no longer available from the vendor. Products no longer receive security updates and so represent a critical vulnerability if any remain in active use.
code of conduct
Professional behavior depends on basic ethical standards, such as honesty and fairness. Some professions may have developed codes of ethics to cover difficult situations; some businesses may also have a code of ethics to communicate the values it expects its employees to practice.
fault tolerant
Protection against system failure by providing extra (redundant) capacity.
Simple Network Management Protocol (SNMP)
Protocol for monitoring and managing network devices. _ works over UDP ports 161 and 162 by default.
Functions of a CA are as follows:
Provide a range of certificate services useful to the community of users serviced by the CA. Ensure the validity of certificates and the identity of those applying for them (registration). Establish trust in the CA by users and government and regulatory authorities and enterprises, such as financial institutions. Manage the servers (repositories) that store and administer the certificates. Perform key and certificate lifecycle management, notably revoking invalid certificates.
Fog computing
Provisioning processing resource between the network edge of IoT devices and the data center to reduce latency.
General Data Protection Regulation (GDPR)
Provisions and requirements protecting the personal data of European Union (EU) citizens. Transfers of personal data outside the EU Single Market are restricted unless protected by like-for-like regulations, such as the US's Privacy Shield requirements.
Open source intelligence (OSINT)
Publicly available information plus the tools used to aggregate and search it.
What is the main advantage of IKE v2 over IKE v1?
Rather than just providing mutual authentication of the host endpoints, IKE v2 supports a user account authentication method, such as Extensible Authentication Protocol (EAP).
You are providing security advice and training to a customer's technical team. One asks how they can identify when a buffer overflow occurs. What is your answer?
Real-time detection of a buffer overflow is difficult, and is typically only achieved by security monitoring software (antivirus, endpoint detection and response, or user and entity behavior analytics) or by observing the host closely within a sandbox. An unsuccessful attempt is likely to cause the process to crash with an error message. If the attempt is successful, the process is likely to show anomalous behavior, such as starting another process, opening network connections or writing to AutoRun keys in the registry. These indicators can be recorded using logging and system monitoring tools.
Eradication of malware
Reconstitution of affected systems, Reaudit security controls, Ensure that affected parties are notified and provided with the means to remediate their own systems.
Virtual Network Computing (VNC)
Remote access tool and protocol. VNC is the basis of macOS screen sharing.
An employee's car was recently broken into, and the thief stole a company tablet that held a great deal of sensitive data. You've already taken the precaution of securing plenty of backups of that data. What should you do to be absolutely certain that the data doesn't fall into the wrong hands?
Remotely wipe the device, also referred to as a kill switch.
You are assisting with writing an attack surface assessment report for a small company. Following the CompTIA syllabus, which two potential attack vectors have been omitted from the following headings in the report? Direct access, Email, Remote and wireless, Web and social media, Cloud.
Removable media and supply chain.
dark web
Resources on the Internet that are distributed between anonymized nodes and protected from general access by multiple layers of encryption and routing.
bug bounty
Reward scheme operated by software and web services vendors for reporting vulnerabilities.
Inherent risk
Risk that an event will pose if no controls are put in place to mitigate it.
What type of risk mitigation option is offered by purchasing insurance?
Risk transference.
Which of the following would be assessed by likelihood and impact: vulnerability, threat, or risk?
Risk. To assess likelihood and impact, you must identify both the vulnerability and the threat posed by a potential exploit.
What are the two main options for mobile camera surveillance?
Robot sentries and drone/UAV-mounted cameras.
What type of files most need to be audited to perform third-party credential management?
SSH and API keys are often insecurely embedded in computer code or uploaded mistakenly to repositories alongside code. Also, managing shared credentials can be difficult, and many sites resort to storing them in a shared spreadsheet.
Common Vulnerabilities and Exposures (CVE)
Scheme for identifying vulnerabilities developed by MITRE and adopted by NIST.
Company policy requires that you ensure your smartphone is secured from unauthorized access in case it is lost or stolen. To prevent someone from accessing data on the device immediately after it has been turned on, what security control should be used?
Screen lock.
What security protocol does SFTP use to protect the connection and which port does an SFTP server listen on by default?
Secure Shell (SSH) over TCP port 22.
You are working on a cloud application that allows users to log on with social media accounts over the web and from a mobile application. Which protocols would you consider and which would you choose as most suitable?
Security Assertion Markup Language (SAML) and OAuth + OpenID Connect (OIDC). OAuth with OIDC as an authentication layer offers better support for native mobile apps, so it is probably the best choice.
Zero trust
Security design paradigm where any request (host-to-host or container-to-container) must be authenticated before being allowed.
What is the purpose of SIEM?
Security information and event management (SIEM) products aggregate IDS alerts and host logs from multiple sources, then perform correlation analysis on the observables collected to identify indicators of compromise and alert administrators to potential incidents.
X.509 standard
Serial number, Signature algorithm, Issuer, Valid from/to, Subject, Public key, Extensions, Subject alternative name (SAN)
Public Key Cryptography Standards (PKCS)
Series of standards defining the use of certificate authorities and digital certificates.
You are improving back-end database security to ensure that requests deriving from front-end web servers are authenticated. What general class of attack is this designed to mitigate?
Server-side request forgery (SSRF) causes a public server to make an arbitrary request to a back-end server. This is made much harder if the threat actor has to defeat an authentication or authorization mechanism between the web server and the database server.
What risk type arises from shadow IT?
Shadow IT is the deployment of hardware, software, or cloud services without the sanction of the system owner (typically the IT department). The system owner will typically be liable for software compliance/licensing risks.
What type of organizational policies ensure that at least two people have oversight of a critical business process?
Shared authority, job rotation, and mandatory enforced vacation/holidays.
2-step verification or out-of-band mechanisms
Short Message Service (SMS), Phone call, Push notification, and Email
threat data feed
Signatures and pattern-matching rules supplied to analysis platforms as an automated feed.
WPA3
Simultaneous Authentication of Equals (SAE). Enhanced Open—enables encryption for the open authentication method. Updated cryptographic protocols—replaces AES CCMP with the AES Galois Counter Mode Protocol (GCMP) mode of operation. Management protection frames—mandates use of these to protect against key recovery attacks.
What metric(s) could be used to make a quantitative calculation of risk due to a specific threat to a specific function or asset?
Single Loss Expectancy (SLE) or Annual Loss Expectancy (ALE). ALE is SLE multiplied by ARO (Annual Rate of Occurrence).
What factor is most likely to reduce a system's resiliency?
Single points of failure.
Impersonation
Social engineering attack where an attacker pretends to be someone they are not.
credential harvesting
Social engineering techniques for gathering valid credentials to use to gain unauthorized access.
antivirus (A-V)
Software capable of detecting and removing virus infections and (in most cases) other types of malware, such as worms, Trojans, rootkits, adware, spyware, password crackers, network mappers, DoS tools, and so on.
Closed/proprietary
Software code or security research that remains in the ownership of the developer and may only be used under permitted licence conditions.
data historian
Software that aggregates and catalogs data from multiple sources within an industrial control system.
What is a Type II hypervisor?
Software that manages virtual machines that has been installed to a guest OS. This is in contrast to a Type I (or "bare metal") hypervisor, which interfaces directly with the host hardware.
nslookup/dig
Software tool for querying DNS server records.
Sn1per
Software utility designed for penetration testing reporting and evidence gathering that can also run automated test suites.
What is SDV?
Software-defined visibility (SDV) gives API-based access to network infrastructure and hosts so that configuration and state data can be reported in near real time. This facilitates greater automation in models and technologies such as zero trust, inspection of east/west data center traffic, and use of security orchestration and automated response (SOAR) tools.
What is a dissolvable agent?
Some network access control (NAC) solutions perform host health checks via a local agent, running on the host. A dissolvable agent is one that is executed in the host's memory and CPU but not installed to a local disk.
Familiarity/Liking
Some people have the sort of natural charisma that allows them to persuade others to do as they request. One of the basic tools of a social engineer is simply to be affable and likable, and to present the requests they make as completely reasonable and unobjectionable.
deauthentication attack
Spoofing frames to disconnect a wireless station to try to obtain authentication data to crack.
Open Authorization (OAuth)
Standard for federated identity management, allowing resource servers or consumer sites to work with user accounts created and managed on a separate identity provider.
Wi-Fi Protected Access (WPA)
Standards for authenticating and encrypting access to Wi-Fi networks.
Which three types of threat actor are most likely to have high levels of funding?
State actors, criminal syndicates, and competitors.
Why is subnetting useful in secure network design?
Subnet traffic is routed, allowing it to be filtered by devices such as a firewall. An attacker must be able to gather more information about the configuration of the network and overcome more barriers to launch successful attacks.
exploitation framework
Suite of tools designed to automate delivery of exploits against common software and firmware vulnerabilities.
IKE v2
Support for EAP authentication methods, allowing, for example, user authentication against a RADIUS server. Simplified connection set up—IKE v2 specifies a single 4-message setup mode, reducing bandwidth without compromising security. Reliability—IKE v2 allows NAT traversal and MOBIKE multihoming. Multihoming means that a client such as a smartphone with multiple interfaces (such as Wi-Fi and cellular) can keep the IPSec connection alive when switching between them.
What does it mean if a certificate extension attribute is marked as critical?
That the application processing the certificate must be able to interpret the extension correctly. Otherwise, it should reject the certificate.
If a security control is described as operational and compensating, what can you determine about its nature and function?
That the control is enforced by a person rather than a technical system, and that the control has been developed to replicate the functionality of a primary control, as required by a security standard.
Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act of 1996 is a United States federal statute enacted by the 104th United States Congress and signed into law by President Bill Clinton on August 21, 1996.
You are discussing a redesign of network architecture with a client, and they want to know what the difference between an extranet and Internet is. How can you explain it?
The Internet is an external zone where none of the hosts accessing your services can be assumed trusted or authenticated. An extranet is a zone allowing controlled access to semi-trusted hosts, implying some sort of authentication. The hosts are semi-trusted because they are not under the administrative control of the organization (as they are owned by suppliers, customers, business partners, contractors, and so on).
A log shows that a PowerShell IEX process attempted to create a thread in the target image c:\Windows\System32\lsass.exe. What is the aim of this attack?
The Local Security Authority Subsystem Service (LSASS) enforces security policies, including authentication and password changes. Consequently, it holds hashes of user passwords in memory. Attacks on lsass.exe are typically credential dumping to steal those hashes.
Your log shows that the Notepad process on a workstation running as the local administrator account has started an unknown process on an application server running as the SYSTEM account. What type of attack(s) are represented in this intrusion event?
The Notepad process has been compromised, possibly using buffer overflow or a DLL/process injection attack. The threat actor has then performed lateral movement and privilege escalation, gaining higher privileges through remote code execution on the application server.
What is Microsoft's TLS VPN solution?
The Secure Sockets Tunneling Protocol (SSTP).
What are the advantages of SASL over LDAPS?
The Simple Authentication and Security Layer (SASL) allows a choice of authentication providers and encryption (sealing)/integrity (signing) mechanisms. By contrast, LDAPS uses Transport Layer Security (TLS) to encrypt traffic, but users still authenticate via simple binding. Also, SASL is the standards-based means of configuring LDAP security.
What use is made of a TPM for NAC attestation?
The Trusted Platform Module (TPM) is a tamper-proof (at least in theory) cryptographic module embedded in the CPU or chipset. This can provide a means to sign the report of the system configuration so that a network access control (NAC) policy enforcer can trust it.
Protocol analysis
The act of examining protocol usage statistics over a network link.
What is meant by scheduling in the context of load balancing?
The algorithm and metrics that determine which node a load balancer picks to handle a request.
Single Loss Expectancy (SLE)
The amount that would be lost in a single occurrence of the risk factor. This is determined by multiplying the value of the asset by an Exposure Factor (EF).
Annualized Loss Expectancy (ALE)
The amount that would be lost over the course of a year. This is determined by multiplying the SLE by the Annualized Rate of Occurrence (ARO).
You are preparing a white paper on configuration management essentials for your customers. You have the following headings already: Diagrams, Standard naming conventions, Internet protocol (IP) schema. If you are basing your paper on the CompTIA Security+ objectives, which other topic should you cover?
The configuration baseline is an essential concept as it allows unauthorized change to be detected more easily and planned change to be managed more easily.
security information and event management (SIEM)
The core function of an _ tool is to aggregate traffic data and logs. In addition to logs from Windows and Linux-based hosts, this could include switches, routers, firewalls, IDS sensors, vulnerability scanners, malware scanners, data loss prevention (DLP) systems, and databases.
Which information resource is required to complete usage auditing?
Usage events must be recorded in a log. Choosing which events to log will be guided by an audit policy.
You suspect that a rogue host is acting as the default gateway for a subnet in a spoofing attack. What command line tool(s) can you use from a Windows client PC in the same subnet to check the interface properties of the default gateway?
Use ipconfig to check the IP addresses of the default gateway and the DHCP server. Use arp to check the MAC addresses associated with those IP addresses and investigate possible spoofing. You could also use the route command to verify the properties of the default route.
Session Initiation Protocol (SIP)
Used to establish, disestablish, and manage VoIP and conferencing communications sessions. It handles user discovery (locating a user on the network), availability advertising (whether a user is prepared to receive calls), negotiating session parameters (such as use of audio/video), and session management and termination.
You are planning a security awareness program for a manufacturer. Is a pamphlet likely to be sufficient in terms of resources?
Using a diversity of training techniques will boost engagement and retention. Practical tasks, such as phishing simulations, will give attendees more direct experience. Workshops or computer-based training will make it easier to assess whether the training has been completed.
Your company creates software that requires a database of stored encrypted passwords. What security control could you use to make the password database more resistant to brute force attacks?
Using a key stretching password storage library, such as PBKDF2, improves resistance to brute-force cracking methods. You might also mention that you could use policies to make users choose longer, non-trivial passwords.
remotely triggered blackhole (RTBH)
Using a trigger device to send a BGP route update that instructs routers to drop traffic that is suspected of attempting DDoS.
HTML5 VPN
Using features of HTML5 to implement remote desktop/VPN connections via browser software (clientless).
Memorandum of understanding (MOU)
Usually a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve the exchange of money.
theHarvester
Utility for gathering results from open source intelligence queries. It works by scanning multiple public data sources to gather emails, names, subdomains, IPs, URLs and other relevant data.
Netcat
Utility for reading and writing raw data over a network connection.
netstat
Utility to show network information on a machine running TCP/IP, notably active connections and the routing table.
What is the risk from a VM escaping attack?
VM escaping refers to attacking other guest OSes or the hypervisor or host from within a virtual machine. Attacks may be to steal information, perform Denial of Service (DoS), infect the system with malware, and so on.
Full tunnel
VPN configuration where all traffic is routed via the VPN gateway. Internet access is mediated by the corporate network, which will alter the client's IP address and DNS servers and may use a proxy.
Split tunnel
VPN configuration where only traffic for the private network is routed via the VPN gateway. The client accesses the Internet directly using its "native" IP configuration and DNS servers.
Layer 2 Tunneling Protocol (L2TP)
VPN protocol for tunneling PPP sessions across a variety of network protocols such as IP, Frame Relay, or ATM.
How can DLL injection be exploited to hide the presence of malware?
Various OS system functions allow one process to manipulate another and force it to load a dynamic link library (DLL). This means that the malware code can be migrated from one process to another, evading detection.
You are preparing some briefing notes on diversity strategies for cybersecurity resilience for the executive team. You have prepared sections on Technologies, Crypto, and Controls so far. What other topic do you need to cover?
Vendor diversity.
You have received an urgent threat advisory and need to configure a network vulnerability scan to check for the presence of a related CVE on your network. What configuration check should you make in the vulnerability scanning software before running the scan?
Verify that the vulnerability feed/plug-in/test has been updated with the specific CVE that you need to test for.
Nmap Security Scanner
Versatile port scanner used for topology, host, service, and OS discovery and enumeration.
What feature is essential for managing code iterations within the provisioning and deprovisioning processes?
Version control is an ID system for each iteration of a software product.
Secure Real-time Transport Protocol (SRTP)
Version of RTP secured using TLS.
footprinting
The phase in an attack or penetration test in which the attacker or tester gathers information about the target before attacking it.
attack surface
The points at which a network or application receives external connections or inputs/outputs that are potential vectors to be exploited by a threat actor.
Job rotation
The policy of preventing any one individual performing the same role or tasks for too long. This deters fraud and provides better oversight of the person's duties.
Threat
The potential for an entity to exercise a vulnerability (that is, to breach security).
time of check to time of use (TOCTTOU)
The potential vulnerability that occurs when there is a change between when an app checked a resource and when the app used the resource.
service discovery
The practice of using network scans to discover open TCP and UDP ports, plus information about the servers operating them.
Mandatory vacation
The principle that states when and how long an employee must take time off from work so that their activities may be subjected to a security review.
Identification
The process by which a user account (and its credentials) is issued to the correct person. Sometimes referred to as enrollment.
pseudo RNG (PRNG)
The process by which an algorithm produces numbers that approximate randomness without being truly random.
data exfiltration
The process by which an attacker takes data that is stored inside of a private network and moves it to an external network.
Onboarding
The process of bringing in a new employee, contractor, or supplier.
Authorization
The process of determining what rights and privileges a particular entity has.
shim
The process of developing and implementing additional code between an application and the operating system to enable functionality that would otherwise be unavailable.
offboarding
The process of ensuring that all HR and other requirements are covered when an employee leaves an organization. Account management, Company assets, and Personal assets.
cyber threat intelligence (CTI)
The process of investigating, collecting, analyzing, and disseminating information about emerging threats and threat sources.
Refactoring
The process of restructuring application code in such a way that the same functionality is provided by different programming methods. _ is often used to improve an application's design without affecting the external behavior of the application, or to enable it to handle particular situations.
Configuration management
The process through which an organization's information systems components are kept in a controlled state that meets the organization's requirements, including those for security and compliance.
software development life cycle (SDLC)
The processes of planning, analysis, design, implementation, and maintenance that often govern software and systems development.
high availability
The property that defines how closely systems approach the goal of providing data availability 100 percent of the time while maintaining a high level of system performance.
mean time between failures (MTBF)
The rating on a device or component that predicts the expected time between failures.
When using S/MIME, which key is used to encrypt a message?
The recipient's public key (principally). The public key is used to encrypt a symmetric session key and (for performance reasons) the session key does the actual data encoding. The session key and, therefore, the message text can then only be recovered by the recipient, who uses the linked private key to decrypt it.
In a digital envelope, which key encrypts the session key?
The recipient's public key (typically from the server's key pair).
Chain of custody
The record of evidence history from collection, to presentation in court, to disposal.
Risk mitigation (or remediation)
The response of reducing risk to fit within an organization's risk appetite.
How does VDI work as a mobile deployment model?
Virtual Desktop Infrastructure (VDI) allows a client device to access a VM. In this scenario, the mobile device is the client device. Corporate data is stored and processed on the VM so there is less chance of it being compromised, even though the client device itself is not fully managed.
You are recommending that a business owner invest in patch management controls for PCs and laptops. What is the main risk from weak patch management procedures on such devices?
Vulnerabilities in the OS and applications software such as web browsers and document readers or in PC and adapter firmware can allow threat actors to run malware and gain a foothold on the network.
Horizontal privilege escalation
When a user accesses or modifies specific resources that they are not entitled to.
Vertical privilege escalation
When an attacker can perform functions that are normally assigned to users in higher roles, and often explicitly denied to the attacker.
You are providing security consultancy to assist a company with improving incident response procedures. The business manager wants to know why an out-of-band contact mechanism for responders is necessary. What do you say?
The response team needs a secure channel to communicate over without alerting the threat actor. There may also be availability issues with the main communication network, if it has been affected by the incident.
What factors determine the selection of security controls in terms of an overall budget?
The risk (as determined by impact and likelihood) compared to the cost of the control. This metric can be calculated as Return on Security Investment (ROSI).
Non-repudiation
The security goal of ensuring that the party that sent a transmission or created data remains associated with that data and cannot deny sending or creating that data.
What bit of information confirms the identity of an SSH server to a client?
The server's public key (host key). Note that this can only be trusted if the client trusts that the public key is valid. The client might confirm this manually or using a Certificate Authority.
You are reviewing security and privacy issues relating to a membership database for a hobbyist site with a global audience. The site currently collects account details with no further information. What should be added to be in compliance with data protection regulations?
The site should add a privacy notice explaining the purposes the personal information is collected and used for. The form should provide a means for the user to give explicit and informed consent to this privacy notice.
Antivirus software has reported the presence of malware but cannot remove it automatically. Apart from the location of the affected file, what information will you need to remediate the system manually?
The string identifying the malware. You can use this to reference the malware on the A-V vendor's site and, hopefully, obtain manual removal and prevention advice.
What is the main weakness of a hierarchical trust model?
The structure depends on the integrity of the root CA.
What extension field is used with a web server certificate to support the identification of the server by multiple specific subdomain labels?
The subject alternative name (SAN) extension, which can list several specific host names. A wildcard certificate (*.example.com) instead matches any single subdomain label at that level: it covers www.example.com but not example.com itself or a.b.example.com.
What cryptographic information is stored in a digital certificate?
The subject's public key, together with the public key algorithm (such as RSA or ECC) and the signature algorithm (such as SHA-256 with RSA) used to sign the certificate. The certificate also carries the issuing CA's digital signature over its contents, which is what establishes the chain of trust back to a trusted root.
continuous monitoring
The technique of constantly evaluating an environment for changes so that new risks may be more quickly detected and business operations improved upon.
Why might a file time stamp not show the time at which a crime was committed?
The time stamp may record the Universal Coordinated Time rather than the local time. An offset would need to be applied (and it might need to be demonstrated that the computer's time zone was correctly set).
privilege access management
The use of authentication and authorization mechanisms to provide an administrator with centralized or decentralized control of user and group role-based privilege management.
virtual desktop environment (VDE)
The user desktop and software applications provisioned as an instance under VDI.
How does VSS assist a backup solution?
The volume shadow copy service creates snapshots for the backup software to use, avoiding problems with file locks and uncompleted database transactions.
Which tools can you use to restrict the use of PowerShell on Windows 10 clients?
There are various group policy-based mechanisms, but for Windows 10, the Windows Defender Application Control (WDAC) framework provides the most powerful toolset for execution control policies.
You have been asked to produce a summary of pros and cons for the products Chef and Puppet. What type of virtualization or cloud computing technology do these support?
These are orchestration/automation tools. (Strictly, Chef and Puppet are configuration management tools that enforce a declared desired state on hosts; this guide groups them under orchestration.) Orchestration facilitates "automation of automation," ensuring that scripts and API calls are made in the right order and at the right time to support an overall workflow.
Other than endpoint protection software, what resource can provide indicators of pass the hash attacks?
These attacks leave traces in the Windows Security (audit) log of both the source and target hosts. On the target, the usual indicator is a successful logon event (4624) with Logon Type 3 (network) and authentication package NTLM rather than Kerberos, for an account that would normally authenticate with Kerberos. These indicators are prone to false positives, however, because many services and non-domain-joined hosts use NTLM authentication legitimately; they should be correlated with the source host and the account's normal behavior before acting.
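The triage described above, as an added example that is not from the study guide: it applies the commonly documented pass-the-hash heuristics to a batch of logon events, on the target side (4624, Logon Type 3, NTLM via NtLmSsp, Key Length 0) and on the source side (4624, Logon Type 9 "NewCredentials" with logon process seclogo, the pattern left when a tool spawns a process with injected credentials). The event records are constructed dictionaries whose keys mirror the 4624 EventData field names; the host names, account names and addresses are invented.

```python
# Added example (not from the study guide): triage Windows Security log events
# for the commonly documented pass-the-hash indicators. Target host: event 4624,
# Logon Type 3 (network), Authentication Package NTLM, Logon Process NtLmSsp,
# Key Length 0. Source host: event 4624, Logon Type 9 (NewCredentials) with
# logon process "seclogo" and package Negotiate. The records below are
# CONSTRUCTED dicts whose keys mirror the 4624 EventData field names.

SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "jsmith", "TargetDomainName": "CORP",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp",
     "KeyLength": 0, "IpAddress": "10.0.5.23"},
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "svc_backup", "TargetDomainName": "CORP",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "LogonProcessName": "Kerberos",
     "KeyLength": 0, "IpAddress": "10.0.5.40"},
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "WS-HR-07$", "TargetDomainName": "CORP",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp",
     "KeyLength": 0, "IpAddress": "10.0.5.23"},
    {"EventID": 4624, "Computer": "WS-HR-07", "TargetUserName": "jsmith", "TargetDomainName": "CORP",
     "LogonType": 9, "AuthenticationPackageName": "Negotiate", "LogonProcessName": "seclogo",
     "KeyLength": 0, "IpAddress": "::1"},
    {"EventID": 4634, "Computer": "FS01", "TargetUserName": "jsmith", "TargetDomainName": "CORP",
     "LogonType": 3},
]


def is_noise_account(name: str) -> bool:
    """Machine accounts (trailing $) and anonymous logons use NTLM constantly; exclude them."""
    return name.endswith("$") or name.upper() == "ANONYMOUS LOGON"


def target_side_indicator(ev: dict) -> bool:
    return (ev.get("EventID") == 4624 and ev.get("LogonType") == 3
            and ev.get("AuthenticationPackageName") == "NTLM"
            and ev.get("LogonProcessName") == "NtLmSsp"
            and ev.get("KeyLength") == 0
            and not is_noise_account(ev.get("TargetUserName", "")))


def source_side_indicator(ev: dict) -> bool:
    return (ev.get("EventID") == 4624 and ev.get("LogonType") == 9
            and ev.get("LogonProcessName", "").lower() == "seclogo"
            and ev.get("AuthenticationPackageName") == "Negotiate")


def triage(events: list) -> list:
    """Return one finding per matching event. These are leads for an analyst, not
    verdicts: legitimate services and non-domain-joined hosts also produce NTLM logons."""
    findings = []
    for ev in events:
        if target_side_indicator(ev):
            reason = "NTLM network logon with key length 0 on target host"
        elif source_side_indicator(ev):
            reason = "NewCredentials logon via seclogo on source host"
        else:
            continue
        findings.append({"host": ev["Computer"], "user": ev["TargetUserName"],
                         "source_ip": ev.get("IpAddress"), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["host"], f["user"], f["source_ip"], "->", f["reason"])
```

The two findings here point at the same account from the same source address on two hosts, which is the kind of correlation that turns a noisy NTLM indicator into something worth escalating; a single 4624/NTLM event on its own usually is not.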
What policy describes preventing any type of unauthorized computing, network, or storage connection to a protected host?
This can be described as an air gap: the protected host has no network, peripheral, or removable-media connection that has not been explicitly authorized. The term demilitarized zone (DMZ) is also used for a secure buffer area, but a network DMZ (screened subnet) is a perimeter segment and does not provide the physical isolation that an air gap does.
What term relates to assessment techniques that avoid alerting threat actors?
This can be referred to as maneuver.
You are investigating a client workstation that has not obtained updates to its endpoint protection software for days. On the workstation you discover thousands of executable files with random names. The local endpoint log reveals that all of them have been scanned and identified as malware. You can find no evidence of any further intrusion on the network. What is the likely motive of the threat actor?
This could be an offline tainted data attack against the endpoint software's identification engine: flooding it with crafted samples in an attempt to skew the data that its machine learning classifier relies on (an adversarial AI technique), rather than an attempt to compromise the host itself.
Which security attribute is ensured by monitoring API latency and correcting any problems quickly?
This ensures the availability of services.
What type of operation is being performed by the following command? openssl req -nodes -new -newkey rsa:2048 -out my.csr -keyout mykey.pem
This generates a new 2048-bit RSA key pair, written to mykey.pem, together with a certificate signing request (my.csr) to submit to a CA. The -nodes option ("no DES") leaves the private key unencrypted on disk, so the file must be protected by strict file permissions; omit it to have the key protected by a passphrase.
A purchasing manager is browsing a list of products on a vendor's website when a window opens claiming that anti-malware software has detected several thousand files on his computer that are infected with viruses. Instructions in the official-looking window indicate the user should click a link to install software that will remove these infections. What type of social engineering attempt is this, or is it a false alarm?
This is a social engineering attempt utilizing a watering hole attack and/or malvertising.
What is a pre-shared key?
This is a type of group authentication used when the infrastructure for authenticating securely (via RADIUS, for instance) is not available. The system depends on the strength of the passphrase used for the key.
What feature allows you to filter traffic arriving at an instance?
This is accomplished by assigning the instance to a security group with the relevant policy configured.
You receive an email with a screenshot showing a command prompt at one of your application servers. The email suggests you engage the hacker for a day's consultancy to patch the vulnerability. How should you categorize this threat?
This is either gray hat (semi-authorized) hacking or black hat (non-authorized) hacking. If the request for compensation via consultancy is an extortion threat (if refused, the hacker sells the exploit on the dark web), then the motivation is purely financial gain and can be categorized as black hat. If the consultancy is refused and the hacker takes no further action, it can be classed as gray hat.
The help desk takes a call and the caller states that she cannot connect to the e-commerce website to check her order status. She would also like a user name and password. The user gives a valid customer company name but is not listed as a contact in the customer database. The user does not know the correct company code or customer ID. Is this likely to be a social engineering attempt, or is it a false alarm?
This is likely to be a social engineering attempt. The help desk should not give out any information or add an account without confirming the caller's identity.
You are troubleshooting a user's workstation. At the computer, an app window displays on the screen claiming that all of your files are encrypted. The app window demands that you make an anonymous payment if you ever want to recover your data. What type of malware has infected the computer?
This is some type of ransomware, but it will take more investigation whether it is actually crypto-malware or not.
What type of network requires the design to account for east-west traffic?
This is typical of a data center or server farm, where a single external request causes multiple cascading requests between servers within the data center. This is a problem for a perimeter security model, as funneling this traffic up to a firewall and then back to a server creates a performance bottleneck.
You take an incident report from a user trying to access a REPORT.docx file on a SharePoint site. The file has been replaced by a REPORT.docx.QUARANTINE.txt file containing a policy violation notice. What is the most likely cause?
This is typical of a data loss prevention (DLP) policy replacing a file involved in a policy violation with a tombstone file.
Where would you expect to find "hot and cold" aisles and what is their purpose?
This layout is used in a data center or large server room. The layout is the best way to maintain a stable temperature and reduce loss of availability due to thermal problems.
What type of tool could you use to fingerprint the host acting as the default gateway?
This requires a tool that performs fingerprinting—service and version detection—by examining responses to network probes and comparing them to known responses from common platforms. Nmap is very widely used for this task, or you could use hping or Netcat.
In a rule-based access control model, can a subject negotiate with the data owner for access privileges? Why or why not?
This sort of negotiation would not be permitted under rule-based access control; it is a feature of discretionary access control.
Following a loss of critical IP exfiltrated from the local network to a public cloud storage network, you decide to implement a type of outbound filtering system. Which technology is most suitable for implementing the filter?
This task is suited to data loss prevention (DLP), which can block the transfer of tagged content over unauthorized channels.
Why might enforcement policies be used to prevent USB tethering when a smartphone is brought to the workplace?
This would allow a PC or laptop to connect to the Internet via the smartphone's cellular data connection. This could be used to evade network security mechanisms, such as data loss prevention or content filtering.
What type of cloud solution would be used to implement a SAN?
This would usually be described as Infrastructure as a Service (IaaS).
You are reviewing access logs on a web server and notice repeated requests for URLs containing the strings %3C and %3E. Is this an event that should be investigated further, and why?
Those strings represent percent encoding for HTML tag delimiters (< and >). This could be an XSS attempt to inject a script so should be investigated.
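The check described above, as an added example that is not part of the study guide: a scan over web server access log lines that decodes each requested URL and flags tag delimiters, marking requests that also carry script or event-handler markup as likely XSS probes. It goes one step beyond the text by decoding repeatedly, so double-encoded payloads (%253C) are caught too. The log lines are constructed in Common Log Format and are not real traffic.

```python
import re
from urllib.parse import unquote

# Added example (not from the study guide): scan web server access log lines for
# percent-encoded HTML tag delimiters (%3C = "<", %3E = ">") and for the
# script/event-handler markup that turns such a request into a likely XSS probe.
# The log lines are CONSTRUCTED in Common Log Format, not real traffic.

SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2021:13:55:36 +0000] "GET /search?q=laptop HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2021:13:55:41 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5144
198.51.100.23 - - [10/Mar/2021:13:56:02 +0000] "GET /search?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5144
198.51.100.23 - - [10/Mar/2021:13:56:09 +0000] "GET /products?id=42 HTTP/1.1" 200 8800
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Markup that only makes sense in an injection attempt, checked on the decoded URL.
XSS_RE = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|body|object|embed)\b|\bon[a-z]+\s*=|javascript:", re.I
)


def fully_decode(url: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded, so odd input cannot loop)."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def scan_log(text: str) -> list:
    """Return one finding per request whose decoded URL contains a tag delimiter.
    'likely_xss' is True when known script/event-handler markup is also present."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        decoded = fully_decode(m["url"])
        if "<" in decoded or ">" in decoded:
            findings.append({
                "ip": m["ip"],
                "raw_url": m["url"],
                "decoded_url": decoded,
                "likely_xss": bool(XSS_RE.search(decoded)),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], "likely XSS" if f["likely_xss"] else "suspicious", f["decoded_url"])
```

Decoding before matching is the important part: a filter that looks for the literal text "<script" in the raw log line misses both encoded requests above, and an attacker who knows a WAF decodes once will encode twice.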
Automated Indicator Sharing (AIS)
Threat intelligence data feed operated by CISA (part of the DHS) for the automated exchange of indicators of compromise between government and industry, using the STIX and TAXII standards.
TTPs
Threat research is a counterintelligence gathering effort in which security companies and researchers attempt to discover the tactics, techniques, and procedures
Why might a company invest in device control software that prevents the use of recording devices within company premises?
To hinder physical reconnaissance and espionage.
What is the purpose of directory services?
To store information about network resources and users in a format that can be accessed and updated using standard queries.
pairwise master key (PMK)
When the access point is set to WPA2-PSK mode, the administrator configures a passphrase of between 8 and 63 ASCII characters. This is converted to a 256-bit key (expressed as a 64-character hex value) using the PBKDF2 key stretching algorithm, with the SSID as the salt, HMAC-SHA1 as the pseudorandom function, and 4096 iterations. The same secret must be configured on the access point and on each node that joins the network. The PMK is the input to WPA2's 4-way handshake, which combines it with the two nonces and MAC addresses to derive the pairwise transient key (PTK) for the session. Because the derivation is deterministic, anyone who captures a handshake can test candidate passphrases offline, so the strength of the passphrase is what protects the network.
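The derivation described above, as an added example that is not part of the study guide: the PMK computed from a passphrase and SSID with the parameters 802.11 specifies, checked against the published IEEE 802.11 test vector (passphrase "password", SSID "IEEE"). The validation rules are the ones stated in the entry; the function names are this example's own.

```python
import hashlib

# Added example (not from the study guide): derive the WPA2-Personal pairwise
# master key (PMK) from a passphrase and SSID exactly as 802.11 specifies:
# PBKDF2 with HMAC-SHA1, the SSID as salt, 4096 iterations, 256-bit output.


def validate_passphrase(passphrase: str) -> None:
    """WPA2-PSK passphrases are 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8-63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 32 bytes)."""
    validate_passphrase(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def pmk_hex(passphrase: str, ssid: str) -> str:
    """The 64-character hex form that many access points accept directly as the PSK."""
    return derive_pmk(passphrase, ssid).hex()


def offline_guess(captured_pmk_hex: str, ssid: str, candidates: list) -> str:
    """What an attacker with a captured handshake does: derive the PMK for each guess
    and compare. The 4096 iterations slow this down but do not stop a weak passphrase."""
    for guess in candidates:
        try:
            if pmk_hex(guess, ssid) == captured_pmk_hex:
                return guess
        except ValueError:
            continue
    return ""


if __name__ == "__main__":
    print(pmk_hex("password", "IEEE"))
    # f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
```

The salt being the SSID is why precomputed attacks only work per network name: tables built for a common default SSID are useless against a network with a unique one, which is a cheap hardening step on top of a long passphrase.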
You are preparing a solution overview on privacy enhancing technologies based on CompTIA Security+ syllabus objectives. You have completed notes under the following headings—which other report section do you need? Data minimization, Anonymization, Pseudo-anonymization, Data masking, Aggregation/Banding
Tokenization—replacing data with a randomly-generated token from a separate token server or vault. This allows reconstruction of the original data if combined with the token vault.
Rainbow table
Tool for speeding up attacks against unsalted password hashes (notably Windows LM and NTLM hashes) by precomputing chains of hashes and storing only the chain endpoints, trading storage for lookup time. A per-user salt defeats the approach, because a separate table would be needed for every salt value.
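The mechanism described above, as an added example that is not part of the study guide: a miniature rainbow table over a toy password space (4-digit PINs hashed with unsalted SHA-1) that shows how chains are generated, why only their endpoints are stored, how a lookup walks the chain, and why a salt makes the table useless. The parameters are deliberately tiny and are this example's own choices.

```python
import hashlib
import random
from typing import Optional

# Added example (not from the study guide): a miniature rainbow table over a toy
# password space (4-digit PINs, unsalted SHA-1). Parameters are deliberately tiny.

SPACE = 10_000        # candidate passwords "0000".."9999"
CHAIN_LEN = 50        # hash/reduce steps per chain
NUM_CHAINS = 600      # chains stored; 600 x 50 = 30,000 positions over a 10,000 space


def H(pw: str) -> str:
    return hashlib.sha1(pw.encode()).hexdigest()


def reduce_fn(h: str, step: int) -> str:
    """Reduction function R_step: map a hash back into the password space. Using a
    different function per column (the 'colours' of the rainbow) limits chain merges."""
    return f"{(int(h[:12], 16) + step) % SPACE:04d}"


def build_table(seed: int = 1) -> dict:
    """Precompute chains; store only {chain end: chain start}."""
    rng = random.Random(seed)
    table = {}
    for start in rng.sample(range(SPACE), NUM_CHAINS):
        pw = f"{start:04d}"
        for step in range(CHAIN_LEN):
            pw = reduce_fn(H(pw), step)
        table[pw] = f"{start:04d}"
    return table


def crack(table: dict, target_hash: str) -> Optional[str]:
    """Recover a password whose hash is target_hash, or None if no stored chain covers it."""
    for pos in range(CHAIN_LEN):                    # guess which column the target sits in
        pw = reduce_fn(target_hash, pos)
        for step in range(pos + 1, CHAIN_LEN):      # run the rest of the chain to its end
            pw = reduce_fn(H(pw), step)
        start = table.get(pw)
        if start is None:
            continue
        pw = start                                  # regenerate the chain from its start
        for step in range(CHAIN_LEN):
            if H(pw) == target_hash:
                return pw
            pw = reduce_fn(H(pw), step)
        # reaching here means a false alarm (merged chains); try the next column
    return None


def salted_hash(salt: str, pw: str) -> str:
    """With a per-user salt the stored table, built for H(pw), no longer applies."""
    return H(salt + pw)


TABLE = build_table()

if __name__ == "__main__":
    pin = "4821"
    print("unsalted:", crack(TABLE, H(pin)))                      # recovered if a chain covers it
    print("salted:  ", crack(TABLE, salted_hash("8f2c", pin)))   # None
```

Coverage is probabilistic: chains that merge waste table space, which is why real tables use many columns with distinct reduction functions and accept that some hashes will not be found. The salt does not have to be secret, only unique per user; the table simply has nothing to say about H(salt + pw).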
Accounting
Tracking authorized usage of a resource or use of rights by a subject and alerting when unauthorized use is detected or attempted
Capture the Flag (CTF)
Training event where learners must identify a token within a live network environment.
What IPSec mode would you use for data confidentiality on a private network?
Transport mode with Encapsulating Security Payload (ESP). Tunnel mode encrypts the IP header information, but this is unnecessary on a private network. Authentication Header (AH) provides message authentication and integrity but not confidentiality.
True or false? A maliciously designed USB battery charger could be used to exploit a mobile device on connection.
True (in theory)—though the vector is known to the mobile OS and handset vendors so the exploit is unlikely to be able to run without user authorization.
True or false? A virtual IP is a means by which two appliances can be put in a fault tolerant configuration to respond to requests for the same IP address?
True.
True or false? DNSSEC depends on a chain of trust from the root servers down.
True.
True or false? RTO expresses the amount of time required to identify and resolve a problem within a single system or asset.
True. RTO is the target maximum time a system may remain offline after an incident, covering both detection of the problem and recovery. It is a planning target, unlike mean time to repair (MTTR), which is a measured average.
True or false? Static NAT means mapping a single public/external IP address to a single private/internal IP address.
True.
True or false? The following string is an example of a distinguished name: CN=ad, DC=classroom,DC=com
True.
True or false? When deploying a non-transparent proxy, you must configure clients with the proxy address and port.
True.
True or false? To ensure evidence integrity, you must make a hash of the media before making an image.
True.
True or false? Backup media can be onsite, but offline.
True. As a security precaution, backup media can be taken offline at the completion of a job to mitigate the risk of malware corrupting the backup.
True or False? Perfect forward secrecy (PFS) ensures that a compromise of a server's private key will not also put copies of traffic sent to that server in the past at risk of decryption.
True. PFS ensures that ephemeral keys are used to encrypt each session. These keys are destroyed after use.
True or false? When implementing smart card logon, the user's private key is stored on the smart card.
True. The smart card implements a cryptoprocessor for secure generation and storage of key and certificate material.
A business is expanding rapidly and the owner is worried about tensions between its established IT and programming divisions. What type of security business unit or function could help to resolve these issues?
Development and operations (DevOps) is a cultural shift within an organization to encourage much more collaboration between developers and system administrators. DevSecOps embeds the security function within these teams as well.
National Institute of Standards and Technology (NIST)
Develops computer security standards used by US federal agencies and publishes cybersecurity best practice guides and research.
Why does Diffie-Hellman underpin perfect forward secrecy (PFS)?
Diffie-Hellman allows the sender and recipient to derive the same value (the session key) from some other pre-agreed values. Some of these are exchanged, and some kept private, but there is no way for a snooper to work out the secret just from the publicly exchanged values. This means session keys can be created without relying on the server's private key, and that it is easy to generate ephemeral keys that are different for each session.
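The exchange described above, as an added example that is not part of the study guide: an ephemeral Diffie-Hellman session in which both parties derive the same key from public values only, a fresh key pair per session yields an independent key, and no long-term server key takes part in the derivation. The group (p = 2**127 - 1, g = 2) is toy-sized so the arithmetic stays readable; real deployments use standardized 2048-bit or larger MODP groups or elliptic curves (ECDHE). The function names are this example's own.

```python
import hashlib
import secrets

# Added example (not from the study guide): ephemeral Diffie-Hellman showing why
# each session's key is independent of every other session and of the server's
# long-term private key. The group (p = 2**127 - 1, a Mersenne prime, g = 2) is
# TOY-SIZED for readability; production uses 2048-bit+ MODP groups or ECDHE.

P = 2**127 - 1
G = 2


def keygen() -> tuple:
    """Fresh ephemeral key pair: private exponent x, public value g^x mod p."""
    private = secrets.randbelow(P - 2) + 1
    return private, pow(G, private, P)


def shared_secret(my_private: int, their_public: int) -> int:
    """(g^y)^x mod p. Reject degenerate public values (0, 1, p-1) that force a trivial secret."""
    if not 1 < their_public < P - 1:
        raise ValueError("invalid peer public value")
    return pow(their_public, my_private, P)


def session_key(secret: int) -> bytes:
    """Run the shared secret through a KDF (here a single SHA-256) for a 256-bit symmetric key."""
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def run_session() -> tuple:
    """One exchange. In TLS the server would also sign its public value with its
    certificate's private key so the client can authenticate it; that signature
    authenticates the exchange but contributes nothing to the key itself."""
    c_priv, c_pub = keygen()
    s_priv, s_pub = keygen()
    client_key = session_key(shared_secret(c_priv, s_pub))
    server_key = session_key(shared_secret(s_priv, c_pub))
    return client_key, server_key


if __name__ == "__main__":
    k1 = run_session()
    k2 = run_session()
    print("both sides agree:", k1[0] == k1[1])
    print("sessions differ: ", k1[0] != k2[0])
```

The forward secrecy follows from what is not in the code: the server's certificate key never touches the session key, and the ephemeral exponents are discarded once the session ends, so a recording of the traffic plus a later theft of the certificate key yields nothing.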
What configuration change could you make to prevent misuse of a developer account?
Disable the account.
Well-known tools used for packet injection
Dsniff, Ettercap, Scapy, and hping
public key
During asymmetric encryption, this key is freely distributed and can be used to perform the reverse encryption or decryption operation of the linked private key in the pair.
What port security feature mitigates ARP poisoning?
Dynamic ARP inspection—though this relies upon DHCP snooping being enabled.
You want to deploy a wireless network where only clients with domain-issued digital certificates can join the network. What type of authentication mechanism is suitable?
EAP-TLS is the best choice because it requires that both server and client be installed with valid certificates.
What are the properties of a public/private key pair?
Each key can reverse the cryptographic operation performed by its pair but cannot reverse an operation performed by itself. The private key must be kept secret by the owner, but the public key is designed to be widely distributed. The private key cannot be determined from the public key, given a sufficient key size.
What mechanism informs clients about suspended or revoked keys?
Either a published Certificate Revocation List (CRL) or an Online Certificate Status Protocol (OCSP) responder.
Why should an organization design role-based training programs?
Employees have different levels of technical knowledge and different work priorities. This means that a "one size fits all" approach to security training is impractical.
Your company manages marketing data and private information for many high-profile clients. You are hosting an open day for prospective employees. With the possibility of social engineering attacks in mind, what precautions should employees take when the guests are being shown around the office?
Employees should specifically be wary of shoulder surfing attempts to observe passwords and the like.
order of restoration
Enable and test power delivery systems (grid power, power distribution units (PDUs), UPS, secondary generators, and so on). Enable and test switch infrastructure, then routing appliances and systems. Enable and test network security appliances (firewalls, IDS, proxies). Enable and test critical network servers (DHCP, DNS, NTP, and directory services). Enable and test back-end and middleware (databases and business logic). Verify data integrity. Enable and test front-end applications. Enable client workstations and devices and client browser access.
How could you prevent a malicious attacker from engineering a switching loop from a host connected to a standard switch port?
Enable PortFast with BPDU Guard on access ports. BPDU Guard shuts down (err-disables) a port if a bridge protocol data unit arrives on it, which a rogue switch or bridging host would have to send to manipulate spanning tree; Root Guard additionally prevents a port from electing a new root bridge.
Which protocol protects the contents of a VoIP conversation from eavesdropping?
Encrypted VoIP data is carried over the Secure Real time Transport Protocol (SRTP).
What is the name of the policy that prevents users from choosing old passwords again?
Enforce password history.
Business continuity plan (BCP)
Ensures that mission essential functions demonstrate high availability and fault tolerance, so that the organization can continue day-to-day operations if an event causes one or more critical hosts, systems, or networks to fail. The BCP is the policy that describes and ratifies the organization's overall business continuity strategy.
Why is a rooted or jailbroken device a threat to enterprise security?
Enterprise Mobility Management (EMM) solutions depend on the device user not being able to override their settings or change the effect of the software. A rooted or jailbroken device means that the user could subvert the access controls.
cloud access security broker (CASB)
Enterprise management software designed to mediate access to cloud services by users across all types of devices.
What is a cloud access security broker (CASB)?
Enterprise management software mediating access to cloud services by users to enforce information and access policies and audit usage.
What is the relevance of entropy to cryptographic functions?
Entropy is a measure of how disordered something is. A disordered ciphertext is desirable, because remaining features of order from the plaintext make the ciphertext vulnerable to analysis. Identical plaintexts need to be initialized with random or counter values when encrypted by the same key, and the cryptosystem needs a source of randomness to generate strong keys.
Measurement systems analysis (MSA)
Evaluates the data collection and statistical methods used by a quality management process to ensure they are robust.
John is given a laptop for official use and is on a business trip. When he arrives at his hotel, he turns on his laptop and finds a wireless access point with the name of the hotel, which he connects to for sending official communications. He may become a victim of which wireless threat?
Evil twin.
How could a deception-based cybersecurity resilience strategy return fake telemetry to a threat actor?
Fake telemetry means that when a threat actor runs port or host discovery scans, a spoof response is returned. This could lead the threat actor to waste time probing the port or host IP address trying to develop an attack vector that does not actually exist.
command injection
Where a threat actor is able to execute arbitrary shell commands on a host via a vulnerable web application.
What is a persistent XSS attack?
Where the attacker inserts malicious code into the back-end database used to serve content to the trusted site.
What is an amplification attack?
Where the attacker spoofs the victim's IP in requests to several reflecting servers (often DNS or NTP servers). The attacker crafts the request so that the reflecting servers respond to the victim's IP with a large message, overwhelming the victim's bandwidth.
What security posture assessment could a pen tester make using Netcat?
Whether it is possible to open a network connection to a remote host over a given port.
You are recommending different antivirus products to the CEO of small travel services firm. The CEO is confused, because they had heard that Trojans represent the biggest threat to computer security these days. What explanation can you give?
While antivirus (A-V) remains a popular marketing description, all current security products worthy of consideration will try to provide protection against a full range of malware and potentially unwanted program (PUP) threats.
Recently, attackers were able to compromise the account of a user whose employment had been terminated a week earlier. They used this account to access a network share and delete important files. What account vulnerability enabled this attack?
While it's possible that lax password requirements and incorrect privileges may have contributed to the account compromise, the most glaring problem is that the terminated employee's account wasn't disabled. Since the account was no longer being used, it should not have been left active for a malicious user to exploit.
You are advising a business owner on security for a PC running Windows XP. The PC runs process management software that the owner cannot run on Windows 10. What are the risks arising from this, and how can they be mitigated?
Windows XP is a legacy platform that is no longer receiving security updates. This means that patch management cannot be used to reduce risks from software vulnerabilities. The workstation should be isolated from other systems to reduce the risk of compromise.
pathping
Windows utility for measuring latency and packet loss along a route.
A system integrator is offering a turnkey solution for customer contact data storage and engagement analytics using several cloud services. Does this solution present any supply chain risks beyond those of the system integrator's consulting company?
Yes, the system integrator is proposing the use of multiple vendors (the cloud service providers), with potentially complex issues for collecting, storing, and sharing customer personal data across these vendors. Each company in the supply chain should be assessed for risk and compliance with cybersecurity and privacy standards.
A user's computer is performing extremely slowly. Upon investigating, you find that a process named n0tepad.exe is utilizing the CPU at rates of 80-90%. This is accompanied by continual small disk reads and writes to a temporary folder. Should you suspect malware infection and is any particular class of indicated?
Yes, this is malware as the process name is trying to masquerade as a legitimate process. It is not possible to conclusively determine the type without more investigation, but you might initially suspect a crypto-miner/crypto-jacker.
If a Windows system file fails a file integrity check, should you suspect a malware infection?
Yes—malware is a likely cause that you should investigate.
What methods can be used to implement location-based authentication?
You can query the location service running on a device or geolocation by IP. You could use location with the network, based on switch port, wireless network name, virtual LAN (VLAN), or IP subnet.
If you suspect a process of being used for data exfiltration but the process is not identified as malware by A-V software, what types of analysis tools will be most useful?
You can use a sandbox with monitoring tools to see which files the process interacts with and a network monitor to see if it opens (or tries to open) a connection with a remote host.
You are investigating a Linux server that is the source of suspicious network traffic. At a terminal on the server, which tool could you use to check which process is using a given TCP port?
You can use the netstat command (for example, netstat -tunap, which lists the owning PID and program name when run as root). On modern distributions netstat comes from the deprecated net-tools package; ss -tunap from iproute2 gives the same information, and lsof -i :<port> lists the process holding a given port.
The network manager is recommending the use of "thin" access points to implement the wireless network. What additional appliance or software is required and what security advantages should this have?
You need a wireless controller to configure and manage the access points. This makes each access point more tamper-proof as there is no local administration interface. Configuration errors should also be easier to identify.
You need to correlate intrusion detection data with web server log files. What component must you deploy to collect IDS alerts in a SIEM?
You need to deploy a sensor to send network packet captures or intrusion detection alerts to the SIEM.
What areas of a business or workflow must you examine to assess multiparty risk?
You need to examine supply chain dependencies to identify how problems with one or more suppliers would impact your business. You also need to examine customer relationships to determine what liabilities you have in the event of an incident impacting your ability to supply a product or service and what impact disruption of important customer accounts would have, should cyber incidents disrupt their business.
Enhanced Interior Gateway Routing Protocol (EIGRP)
_ is a distance vector-based routing protocol using a metric composed of several administrator weighted elements including reliability, bandwidth, delay, and load. _ , the version now in use, supports classless addressing and more efficient route selection.
Certificate signing request (CSR)
a Base64 ASCII file containing the information that the subject wants to use in the certificate, including its public key.
Disaster recovery plan
a _ can be seen as a special class of incident where the organization's primary business function is disrupted. Disaster recovery requires considerable resources, such as shifting processing to a secondary site. _ recovery will involve a wider range of stakeholders than less serious incidents.
Diamond Model
a framework to analyze an intrusion event (E) by exploring the relationships between four core features: adversary, capability, infrastructure, and victim. These four features are represented by the four vertices. Each event may also be described by meta-features, such as date/time, kill chain phase, result, and so on. Each feature is also assigned a confidence level (C), indicating data accuracy or the reliability of a conclusion or assumption assigned to the value by analysis.
session affinity
a layer 4 approach to handling user sessions. It means that when a client establishes a session, it becomes stuck to the node that first accepted the request.
SOC3 report
a less detailed report attesting to compliance with the SOC2 criteria, without the audit detail of a SOC2 Type 1 or Type 2 report. Unlike SOC2 reports, SOC3 reports can be freely distributed, for example on a service provider's website.
Snapshot
a live acquisition image of a persistent disk. While this may have less validity than an image taken from a device using a write blocker, it may be the only means of acquiring data from a virtual machine or cloud process.
influence campaign
a major program launched by an adversary with a high level of capability, such as a nation-state actor, terrorist group, or hacktivist group. The goal of an influence campaign is to shift public opinion on some topic. Most high-profile influence campaigns that have been detected target election activity, but actors may use such campaigns to pursue a number of goals.
Kerberos
a single sign-on network authentication and authorization protocol used on many networks, notably as implemented by Microsoft's Active Directory (AD) service.
Network operating system (NOS) firewall
a software-based firewall running under a network server OS, such as Windows or Linux. The server would function as a gateway or proxy for a network segment.
Extensible Configuration Checklist Description Format (XCCDF)
an XML schema for developing and auditing best-practice configuration checklists and rules. Previously, best-practice guides might have been written in prose for system administrators to apply manually. XCCDF provides a machine-readable format that can be applied and validated using compatible software.
Protected Extensible Authentication Protocol (PEAP)
an encrypted tunnel is established between the supplicant and authentication server, but _ only requires a server-side public key certificate. The supplicant does not require a certificate. With the server authenticated to the supplicant, user authentication can then take place through the secure tunnel with protection against sniffing, password-guessing/dictionary, and on-path attacks. The user authentication method (also referred to as the "inner" method) can use either MS-CHAPv2 or EAP-GTC. The Generic Token Card (GTC) method transfers a token for authentication against a network directory or using a one-time password mechanism.
Retinal scan
an infrared light is shone into the eye to identify the pattern of blood vessels. The arrangement of these blood vessels is highly complex and typically does not change from birth to death, except in the event of certain diseases or injuries. _ scanning is therefore one of the most accurate forms of biometrics. _ patterns are very secure, but the equipment required is expensive and the process is relatively intrusive and complex. False negatives can be produced by disease, such as cataracts.
hping
an open-source packet crafting tool that lets a penetration tester build and send custom TCP/IP packets, including ones with spoofed source addresses, to probe how firewalls and IDSs respond, for example to test rule sets or to perform traceroute-style discovery through a filtering device.
Password Authentication Protocol (PAP)
an unsophisticated authentication method developed as part of the Point-to-Point Protocol (PPP), used to transfer TCP/IP data over serial or dial-up connections. It sends the password in clear text and is therefore obsolete for most purposes, except inside an encrypted tunnel. HTTP Basic authentication has the same weakness: credentials are only Base64-encoded, not encrypted, and must be protected by TLS.
Cipher Block Chaining (CBC)
applies an initialization vector (IV) to the first plaintext block, XORing the two before encryption, so that the same key produces a different ciphertext each time the same plaintext is encrypted. Each subsequent plaintext block is XORed with the previous ciphertext block before being encrypted, chaining the blocks together. The IV must be unpredictable and never reused with the same key. Encryption is sequential, while decryption can be done in parallel, and CBC on its own provides no integrity protection.
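The chaining described above, as an added example that is not part of the study guide, built around a deliberately toy block "cipher" (a keyed byte substitution plus rotation, not secure) so the mode's structure is visible. It also illustrates the earlier entry on entropy: identical plaintext blocks leak under ECB, CBC with a fresh random IV hides them, and reusing an IV under the same key brings the leak back. Block size, key and messages are this example's own.

```python
import os
import random

# Added example (not from the study guide): CBC mode around a TOY block cipher.
# The cipher is a keyed byte substitution plus rotation; it is NOT secure and
# exists only so the XOR chaining and IV behaviour can be seen.

BLOCK = 8


def make_sbox(key: bytes) -> list:
    """Key-dependent byte permutation (toy)."""
    sbox = list(range(256))
    random.Random(key).shuffle(sbox)
    return sbox


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    sbox = make_sbox(key)
    sub = bytes(sbox[b] for b in block)
    return sub[3:] + sub[:3]                       # rotate left by 3 bytes


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    inv = [0] * 256
    for i, v in enumerate(make_sbox(key)):
        inv[v] = i
    sub = block[-3:] + block[:-3]                  # undo the rotation
    return bytes(inv[b] for b in sub)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(data: bytes) -> bytes:
    """PKCS#7 padding to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Each block encrypted independently: equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(toy_encrypt_block(key, b) for b in blocks(pad(plaintext)))


def cbc_encrypt(key: bytes, plaintext: bytes, iv: bytes = None) -> bytes:
    """IV is XORed into the first block; every later block is XORed with the previous ciphertext."""
    iv = os.urandom(BLOCK) if iv is None else iv
    prev, out = iv, []
    for block in blocks(pad(plaintext)):
        prev = toy_encrypt_block(key, xor(block, prev))
        out.append(prev)
    return iv + b"".join(out)                      # IV is sent in the clear with the ciphertext


def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    iv, body = ciphertext[:BLOCK], ciphertext[BLOCK:]
    prev, out = iv, []
    for block in blocks(body):
        out.append(xor(toy_decrypt_block(key, block), prev))
        prev = block
    return unpad(b"".join(out))


if __name__ == "__main__":
    key = b"toy-key-0001"
    msg = b"REPEATED" * 2                          # two identical blocks
    print("ECB blocks equal:", blocks(ecb_encrypt(key, msg))[0] == blocks(ecb_encrypt(key, msg))[1])
    c = cbc_encrypt(key, msg)
    print("CBC blocks equal:", blocks(c)[1] == blocks(c)[2])
```

The last case in the test below is the entropy point: with a fixed IV, two encryptions of the same message under the same key are byte-for-byte identical, so an observer learns that the messages were the same without breaking anything.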
Firewalls
apply an access control list (ACL) to filter traffic passing in or out of a network segment. _ can work at layer 3 of the OSI model or higher.
data custodian
applies the security settings to the data in compliance with the classification level dictated by the data owner.
Layer 7 load balancer (content switch)
as web applications have become more complex, modern load balancers need to be able to make forwarding decisions based on application-level data, such as a request for a particular URL or data types like video or audio streaming. This requires more complex logic, but the processing power of modern appliances is sufficient to deal with this.
SOC2 Type 2 report
assesses the ongoing effectiveness of the security architecture over a period of 6-12 months. _ reports are highly detailed and designed to be restricted. They should only be shared with the auditor and regulators and with important partners under non-disclosure agreement (NDA) terms
server-side request forgery (SSRF)
causes the server application to process an arbitrary request that targets another service, either on the same host or a different one. SSRF exploits both the lack of authentication between internal servers and services (implicit trust) and weak input validation, allowing the attacker to submit unsanitized requests or API parameters, for example a URL parameter that the server fetches on the attacker's behalf.
Scarcity and Urgency
creating a false sense of scarcity or urgency can disturb people's ordinary decision-making process.
Jitter
defined as being a variation in the delay, or an inconsistent rate of packet delivery.
Secure boot
designed to prevent a computer from being hijacked by a malicious OS. UEFI is configured with digital certificates from valid OS vendors. The system firmware checks the operating system boot loader and kernel using the stored certificate to ensure that it has been digitally signed by the OS vendor. This prevents a boot loader or kernel that has been changed by malware (or an OS installed without authorization) from being used.
What mechanism does HPKP implement?
ensures that when a client inspects the certificate presented by a server or a code-signed application, it is inspecting the proper certificate by submitting one or more public keys to an HTTP browser via an HTTP header.
IKE Phase I
establishes the identity of the two hosts and performs key agreement using the Diffie-Hellman algorithm to create a secure channel. Two methods of authenticating hosts are commonly used: Digital certificates—the hosts use certificates issued by a mutually trusted certificate authority to identify one another. Pre-shared key (group authentication)—the same passphrase is configured on both hosts.
Routers
forward packets around an internetwork, making forwarding decisions based on IP addresses. _ work at layer 3 of the OSI model. _ can apply logical IP subnet addresses to segments within a network.
What is the principal use of grep in relation to log files?
grep is used to search the content of files.
DNS Security Extensions (DNSSEC)
help to mitigate against spoofing and poisoning attacks by providing a validation process for DNS responses. With DNSSEC enabled, the authoritative server for the zone creates a "package" of resource records (called an RRset) signed with a private key (the Zone Signing Key). When another server requests a secure record exchange, the authoritative server returns the package along with its public key, which can be used to verify the signature.
crypto-mining
hijacks the resources of the host to perform cryptocurrency mining.
Continuity of Operation Planning (COOP)
This terminology is used for government facilities, but is functionally similar to business continuity planning. In some definitions, COOP refers specifically to backup methods of performing mission functions without IT support.
Domain Name System (DNS) servers
host name records and perform name resolution to allow applications and users to address hosts and services using fully qualified domain names (FQDNs) rather than IP addresses. _ works at layer 7 of the OSI model. Name resolution is a critical service in network design. Abuse of name resolution is a common attack vector.
Hosted Private
hosted by a third-party for the exclusive use of the organization. This is more secure and can guarantee a better level of performance but is correspondingly more expensive.
Remote sign-in
if the user's device is not connected to the local network, authentication can take place over some type of virtual private network (VPN) or web portal.
Host-based firewall (or personal firewall)
implemented as a software application running on a single host designed to protect that host only. As well as enforcing packet filtering ACLs, a personal firewall can be used to allow or deny software processes from accessing the network.
Code-Red worm
infected early versions of Microsoft's IIS web server software via a buffer overflow vulnerability. It then scanned randomly generated IP ranges to try to infect other vulnerable IIS servers.
transparent (or forced or intercepting) proxy
intercepts client traffic without the client having to be reconfigured. A transparent proxy must be implemented on a switch or router or other inline network appliance.
grep
invokes simple string matching or regex syntax to search text files for specific strings. This enables you to search the entire contents of a text file for a specific pattern within each line and display that pattern on the screen or dump it to another file.
curl
is a command line client for performing data transfers over many types of protocol. This tool can be used to submit HTTP GET, POST, and PUT requests as part of web application vulnerability testing. curl supports many other data transfer protocols, including FTP, IMAP, LDAP, POP3, SMB, and SMTP.
Software as a service (SaaS)
is a different model of provisioning _ applications. Rather than purchasing software licenses for a given number of seats, a business would access software hosted on a supplier's servers on a pay-as-you-go or lease arrangement (on-demand). Virtual infrastructure allows developers to provision on-demand applications much more quickly than previously. The applications can be developed and tested in the cloud without the need to test and deploy on client computers. Examples include Microsoft Office 365 (microsoft.com/en-us/microsoft-365/enterprise), Salesforce (salesforce.com), and Google G Suite (gsuite.google.com).
Data exposure
is a fault that allows privileged information (such as a token, password, or personal data) to be read without being subject to the appropriate access controls. Applications must only transmit such data between authenticated hosts, using cryptography to protect the session.
Federal Information Security Management Act (FISMA)
is a law applying to all federal agencies. It requires every agency to develop, document, and implement an information security and protection program.
Spanning Tree Protocol (STP)
is a means for the bridges to organize themselves into a hierarchy and prevent loops from forming. A switching protocol that prevents network loops by dynamically disabling links as needed.
Infrastructure as a service (IaaS)
is a means of provisioning IT resources such as servers, load balancers, and storage area network (SAN) components quickly. Rather than purchase these components and the Internet links they require, you rent them on an as-needed basis from the service provider's data center. Examples include Amazon Elastic Compute Cloud (aws.amazon.com/ec2), Microsoft Azure Virtual Machines (azure.microsoft.com/services/virtual-machines), Oracle Cloud (oracle.com/cloud), and OpenStack (openstack.org).
Fuzzing
is a means of testing that an application's input validation routines work well. _ means that the test or vulnerability scanner generates large amounts of deliberately invalid and/or random input and records the responses made by the application. This is a form of "stress testing" that can reveal how robust the application is. There are generally three types of _ , representing different ways of injecting manipulated input into the application: Application UI—identify input streams accepted by the application, such as input boxes, command line switches, or import/export functions. Protocol—transmit manipulated packets to the application, perhaps using unexpected values in the headers or payload. File format—attempt to open files whose format has been manipulated, perhaps manipulating specific features of the file.
Control risk
is a measure of how much less effective a security control has become over time.
pluggable authentication module (PAM)
is a package for enabling different authentication providers, such as smart-card login. PAM can also be used to implement authentication to network servers.
Unreachable code
is a part of application source code that can never be executed. For example, there may be a routine within a logic statement (If ... Then) that can never be called because the conditions that would call it can never be met.
digital certificate
is a public assertion of identity, validated by a certificate authority (CA). As well as asserting identity, certificates can be issued for different purposes, such as protecting web server communications or signing messages. Issuing certificates is likely to be an important part of your day-to-day role as a security administrator. Certificates are based on the X.509 standard.
Digital Signature Algorithm (DSA)
is a slightly different format for achieving the same sort of goal. DSA uses elliptic curve cryptography (ECC) rather than the RSA cipher.
Risk appetite
is a strategic assessment of what level of residual risk is tolerable.
NXlog
is an open-source log normalization tool. One principal use for it is to collect Windows logs, which use an XML-based format, and normalize them to a syslog format.
Dead code
is executed but has no effect on the program flow. For example, there may be code to perform a calculation, but the result is never stored as a variable or used to evaluate a condition.
Static code analysis
is performed against the application code before it is packaged as an executable process. The analysis software must support the programming language used by the source code. The software will scan the source code for signatures of known issues, such as OWASP Top 10 Most Critical Web Application Security Risks or injection vulnerabilities generally. NIST maintains a list of source code analyzers and their key features
Acquisition
is the process of obtaining a forensically clean copy of data from a device held as evidence. If the computer system or device is not owned by the organization, there is the question of whether search or seizure is legally valid.
Deprovisioning
is the process of removing an application from packages or instances. This might be necessary if software has to be completely rewritten or no longer satisfies its purpose. As well as removing the application itself, it is also important to make appropriate environment changes to remove any configurations (such as open firewall ports) that were made just to support that application.
Due care
less about the research you put in ahead of time and more about the ongoing actions you perform for whatever assets you're responsible for. For example, maintaining the safety standards of your property over time or making reasonable business decisions for a company you manage for others are examples of due care. If something goes wrong anyway, due care allows you to establish that you worked in good faith to protect the company and its assets from harm.
Iris scan
matches patterns on the surface of the eye using near-infrared imaging and so is less intrusive than retinal scanning (the subject can continue to wear glasses, for instance) and a lot quicker. _ scanners offer a similar level of accuracy as retinal scanners but are much less likely to be affected by diseases. _ scanning is the technology most likely to be rolled out for high-volume applications, such as airport security. There is a chance that an _ scanner could be fooled by a high-resolution photo of someone's eye.
Typing
matches the speed and pattern of a user's input of a passphrase.
M-of-N control
meaning that of N number of administrators permitted to access the system, M must be present for access to be granted. M must be greater than 1, and N must be greater than M. For example, when M = 2 and N = 4, any two of four administrators must be present. Staff authorized to perform key management must be carefully vetted, and due care should be taken if these employees leave the business.
Transference (or sharing) Risk
means assigning risk to a third-party, such as an insurance company or a contract with a supplier that defines liabilities.
Normalization
means that a string is stripped of illegal characters or substrings and converted to the accepted character set. This ensures that the string is in a format that can be processed correctly by the input validation routines.
Risk acceptance
means that no countermeasures are put in place either because the level of risk does not justify the cost or because there will be unavoidable delay before the countermeasures are deployed.
Full disk encryption (FDE)
means that the entire contents of the drive (or volume), including system files and folders, are encrypted. OS ACL-based security measures are quite simple to circumvent if an adversary can attach the drive to a different host OS. Drive encryption allays this security concern by making the contents of the drive accessible only in combination with the correct encryption key. Disk encryption can be applied to both hard disk drives (HDDs) and solid state drives (SSDs).
Risk Avoidance
means that you stop doing the activity that is risk-bearing.
Behavioral threat research
narrative commentary describing examples of attacks and TTPs gathered through primary research sources.
dnsenum
packages a number of tests into a single query. As well as hosting information and name records, _ can try to work out the IP address ranges that are in use.
Vendor websites
proprietary threat intelligence is not always provided at cost. All types of security, hardware, and software vendors make huge amounts of threat research available via their websites as a general benefit to their customers. One example is Microsoft's Security Intelligence blog.
Authentication Header (AH)
protocol performs a cryptographic hash on the whole packet, including the IP header, plus a shared secret key (known only to the communicating hosts), and adds this HMAC in its header as an Integrity Check Value (ICV). The recipient performs the same function on the packet and key and should derive the same value to confirm that the packet has not been modified. The payload is not encrypted so this protocol does not provide confidentiality. Also, the inclusion of IP header fields in the ICV means that the check will fail across NAT gateways, where the IP address is rewritten. Consequently, AH is not often used.
Wireless access points
provide a bridge between a cabled network and wireless clients, or stations. _ work at layer 2 of the OSI model.
Overloaded NAT/Network Address Port Translation (NAPT)/Port Address Translation (PAT)
provides a means for multiple private IP addresses to be mapped onto a single public address. For example, say two hosts (192.168.0.101 and 192.168.0.102) initiate a web connection at the same time. The NAPT service creates two new port mappings for these requests (192.168.0.101:61101 and 192.168.0.102:61102). It then substitutes the private IPs for the public IP and forwards the requests to the public Internet. It performs a reverse mapping on any traffic returned using those ports, inserting the original IP address and port number, and forwards the packets to the internal hosts.
Encapsulation Security Payload (ESP)
provides confidentiality and/or authentication and integrity. It can be used to encrypt the packet rather than simply calculating an HMAC. ESP attaches three fields to the packet: a header, a trailer (providing padding for the cryptographic function), and an Integrity Check Value. Unlike AH, ESP excludes the IP header when calculating the ICV.
reverse proxy
provides for protocol-specific inbound traffic. For security purposes, you might not want external hosts to be able to connect directly to application servers, such as web, email, and VoIP servers. Instead, you can deploy a _ on the network edge and configure it to listen for client requests from a public network (the Internet).
Platform as a service (PaaS)
provides resources somewhere between SaaS and IaaS. A typical _ solution would provide servers and storage network infrastructure (as per IaaS) but also provide a multi-tier web application/database platform on top. This platform could be based on Oracle or MS SQL or PHP and MySQL. Examples include Oracle Database (oracle.com/database), Microsoft Azure SQL Database (azure.microsoft.com/services/sql-database), and Google App Engine (cloud.google.com/appengine).
Domain Validation (DV)
proving the ownership of a particular domain. This may be proved by responding to an email to the authorized domain contact or by publishing a text record to the domain. This process can be highly vulnerable to compromise.
Geofencing
refers to accepting or rejecting access requests based on location.
Geotagging
refers to the addition of location metadata to files or devices. This is often used for asset management to ensure devices are kept with the proper location.
Legal hold
refers to the fact that information that may be relevant to a court case must be preserved.
Bluesnarfing
refers to using an exploit in Bluetooth to steal information from someone else's phone. The exploit (now patched) allows attackers to circumvent the authentication mechanism. Even without an exploit, a short (4 digit) PIN code is vulnerable to brute force password guessing.
Voice recognition
relatively cheap, as the hardware and software required are built into many standard PCs and mobiles. However, obtaining an accurate template can be difficult and time-consuming. Background noise and other environmental factors can also interfere with logon. _ is also subject to impersonation.
UDP scans (-sU)
scan UDP ports. As these do not use ACKs, Nmap needs to wait for a response or timeout to determine the port state, so UDP scanning can take a long time. A UDP scan can be combined with a TCP scan.
Mobile device management (MDM)
sets device policies for authentication, feature use (camera and microphone), and connectivity. MDM can also allow device resets and remote wipes.
Signature recognition
signatures are relatively easy to duplicate, but it is more difficult to fake the actual signing process. Signature matching records the user applying their signature.
Application firewall
software designed to run on a server to protect a particular application only (a web server firewall, for instance, or a firewall designed to protect an SQL Server database). This is a type of host-based firewall and would typically be deployed in addition to a network firewall.
Port 465
some providers and mail clients use this port for message submission over implicit TLS (SMTPS), though this usage is now deprecated by standards documentation.
bluejacking
sort of spam where someone sends you an unsolicited text (or picture/video) message or vCard (contact details). This can also be a vector for malware, as demonstrated by the Obad Android Trojan malware.
Extended Validation (EV)
subjects the applicant to a process that requires more rigorous checks on the subject's legal identity and control over the domain or software being signed. EV standards are maintained by the CA/Browser forum (cabforum.org). An EV certificate cannot be issued for a wildcard domain.
Key stretching
takes a key that's generated from a user password and repeatedly converts it to a longer and more random key. The initial key may be put through thousands of rounds of hashing. This might not be difficult for the attacker to replicate so it doesn't actually make the key stronger, but it slows the attack down, as the attacker has to do all this extra processing for each possible key value.
Windows network sign-in
the LSA can pass the credentials for authentication to a network service. The preferred system for network authentication is based on Kerberos, but legacy network applications might use NT LAN Manager (NTLM) authentication.
Authenticated Encryption with Additional Data (AEAD)
the associated data allows the receiver to use the message header to ensure the payload has not been replayed from a different communication stream.
Scalability
the capacity to increase resources to meet demand within similar cost ratios. This means that if service demand doubles, costs do not more than double.
Risk
the likelihood and impact (or consequence) of a threat actor exploiting a vulnerability.
Script and macro viruses
the malware uses the programming features available in local scripting engines for the OS and/or browser, such as PowerShell, Windows Management Instrumentation (WMI), JavaScript, Microsoft Office documents with Visual Basic for Applications (VBA) code enabled, or PDF documents with JavaScript enabled.
public key infrastructure (PKI)
the process of issuing and verifying certificates is called _.
LDAP Secure (LDAPS)
the server is installed with a digital certificate, which it uses to set up a secure tunnel for the user credential exchange. LDAPS uses port 636.
File encryption
the user is allocated an asymmetric cipher key pair. The private key is written to secure storage—often a trusted platform module (TPM)—and is only available when the user has authenticated to his or her account. The public key is used to encrypt a randomly generated AES cipher key. When the user tries to encrypt or decrypt files, the AES cipher key is decrypted using the private key to make it available for the encryption or decryption operation.
Boot
the virus code is written to the disk boot sector or the partition table of a fixed disk or USB media, and executes as a memory resident process when the OS starts or the media is attached to the computer.
Non-resident/file infector
the virus is contained within a host executable file and runs with the host process. The virus will try to infect other process images on persistent storage and perform other payload actions. It then passes control back to the host program.
Network traffic analysis (NTA)
these products are closer to IDS and NBAD in that they apply analysis techniques only to network streams, rather than multiple network and log data sources.
User and entity behavior analytics (UEBA)
these products scan indicators from multiple intrusion detection and log sources to identify anomalies. They are often integrated with security information and event management (SIEM) platforms.
SMTPS
this establishes the secure connection before any SMTP commands (HELO, for instance) are exchanged. This is also referred to as implicit TLS.
Passive test access point (TAP)
this is a box with ports for incoming and outgoing network cabling and an inductor or optical splitter that physically copies the signal from the cabling to a monitor port. There are types for copper and fiber optic cabling. Unlike a SPAN, no logic decisions are made so the monitor port receives every frame—corrupt or malformed or not—and the copying is unaffected by load.
Adware
this is a class of PUP/grayware that performs browser reconfigurations, such as allowing tracking cookies, changing default search providers, opening sponsor's pages at startup, adding bookmarks, and so on. _ may be installed as a program or as a browser extension/plug-in.
Active TAP
this is a powered device that performs signal regeneration (again, there are copper and fiber variants), which may be necessary in some circumstances. Gigabit signaling over copper wire is too complex for a passive tap to monitor and some types of fiber links may be adversely affected by optical splitting. Because it performs an active function, the TAP becomes a point of failure for the links in the event of power loss. When deploying an active TAP, it is important to use a model with internal batteries or connect it to a UPS.
Spyware
this is malware that can perform adware-like tracking, but also monitor local application activity, take screenshots, and activate recording devices, such as a microphone or webcam. Another _ technique is to perform DNS redirection to pharming sites.
Hypervisor-based
this means that filtering functionality is built into the hypervisor or cloud provisioning tool. You can use the cloud's web app or application programming interface (API) to write access control lists (ACLs) for traffic arriving or leaving a virtual host or virtual network.
SPAN (switched port analyzer)/mirror port
this means that the sensor is attached to a specially configured port on the switch that receives copies of frames addressed to nominated access ports (or all the other ports). This method is not completely reliable. Frames with errors will not be mirrored and frames may be dropped under heavy load.
Tunnel mode
this mode is used for communications between VPN gateways across an unsecure network (creating a VPN). This is also referred to as a router implementation. With ESP, the whole IP packet (header and payload) is encrypted and encapsulated as a datagram with a new IP header. AH has no real use case in tunnel mode, as confidentiality will usually be required.
Transport mode
this mode is used to secure communications between hosts on a private network (an end-to-end implementation). When ESP is applied in transport mode, the IP header for each packet is not encrypted, just the payload data. If AH is used in transport mode, it can provide integrity for the IP header.
Virtual appliance
this refers to deploying a vendor firewall appliance instance using virtualization, in the same way you might deploy a Windows or Linux guest OS.
Multiple context
this refers to multiple virtual firewall instances running on a hardware firewall appliance. Each context has a separate interface and can perform a distinct filtering role.
Transport encryption
this uses either digital envelopes or perfect forward secrecy. For HTTPS, a web server is allocated a key pair and stores the private key securely. The public key is distributed to clients via a digital certificate. The client and server use the key pair to exchange or agree on one or more AES cipher keys to use as session keys.
Latency
time it takes for a transmission to reach the recipient, measured in milliseconds (ms).
load balancer persistence
typically works by setting a cookie, either on the node or injected by the load balancer. This can be more reliable than source IP affinity, but requires the browser to accept the cookie.
Explicit TLS (FTPES)
uses the AUTH TLS command to upgrade an unsecure connection established over port 21 to a secure one. This protects authentication credentials. The data connection for the actual file transfers can also be encrypted (using the PROT command).
Port 587
used by mail clients (Message Submission Agents [MSA]) to submit messages for delivery by an SMTP server. Servers configured to support port 587 should use STARTTLS and require authentication before message submission.
Port 25
used for message relay (between SMTP servers or Message Transfer Agents [MTA]). If security is required and supported by both servers, the STARTTLS command can be used to set up the secure connection.
Bridge Protocol Data Units (BPDUs)
used to communicate information about the topology and are not expected on access ports, so _ Guard protects against misconfiguration or a possible malicious attack.
Syslog-ng
uses a different configuration file syntax, but can also use TCP/secure communications and more advanced options for message filtering.
WPA2
uses the Advanced Encryption Standard (AES) cipher with 128-bit keys, deployed within the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP).
Destination NAT/port forwarding
uses the router's public address to publish a web service, but forwards incoming requests to a different IP. Port forwarding means that the router takes requests from the Internet for a particular application (say, HTTP/port 80) and sends them to a designated host and port in the DMZ or LAN.
Rsyslog
uses the same configuration file syntax, but can work over TCP and use a secure connection. Rsyslog can use more types of filter expressions in its configuration file to customize message handling.
Memory resident
when the host file is executed, the virus creates a new process for itself in memory. The malicious process remains in memory, even if the host process is terminated.
data breach event
where confidential data is read or transferred without authorization. A privacy _ is where personal data is not collected, stored, or processed in full compliance with the laws or regulations governing personal information. A _ can also be described as a data leak. A data breach can be intentional/malicious or unintentional/accidental.
logger command
writes input to the local system log or to a remote syslog server.
A technician is seeing high volumes of 403 Forbidden errors in a log. What type of network appliance or server is producing these logs?
403 Forbidden is an HTTP status code, so most likely a web server. Another possibility is a web proxy or gateway.
How is a fingerprint reader typically implemented as hardware?
As a capacitive cell.
In what two ways can an IP address be used for context-based authentication?
An IP address can represent a logical location (subnet) on a private network. Most types of public IP address can be linked to a geographical location, based on information published by the registrant that manages that block of IP address space.
Attribute-based access control (ABAC)
An access control technique that evaluates a set of attributes that each subject possesses to determine if access should be granted.
White box
An assessment methodology that simulates an inside attacker that knows everything about the target.
Gray box
An assessment methodology that simulates an inside attacker who knows something about a target, but not everything.
Elliptic curve cryptography (ECC)
An asymmetric encryption algorithm that leverages the algebraic structures of elliptic curves over finite fields to derive public/private key pairs.
integer overflow
An attack in which a computed result is too large to fit in its assigned storage space, which may lead to crashing or data corruption, and may trigger a buffer overflow.
replay attack
An attack where the attacker intercepts some authentication data and reuses it to try to re-establish a session.
Whaling
An email-based or web-based form of phishing which targets senior executives or wealthy individuals.
Spear phishing
An email-based or web-based form of phishing which targets specific individuals.
Non-intrusive (or passive) scanning
An enumeration or vulnerability scan that analyzes only intercepted network traffic rather than sending probes to a target. More generally, passive reconnaissance techniques are those that do not require direct interaction with the target.
Hacktivists
A threat actor that is motivated by a social issue or political cause.
black hat
An unauthorized hacker operating with malicious intent.
Escrow
In key management, the storage of a backup key with a third party.
Data controller
In privacy regulations, the entity that determines why and how personal data is collected, stored, and used.
human-machine interfaces (HMIs)
Input and output controls on a PLC to allow a user to configure and monitor the system.
Which type of eye recognition is easier to perform: retinal or iris scanning?
Iris scans are simpler.
What format is often used to write permissions statements for cloud resource policies?
JavaScript Object Notation (JSON).
Which protocol is often used in conjunction with IPSec to provide a remote access client VPN with user authentication?
Layer 2 Tunneling Protocol (L2TP).
cipher suite
Lists of cryptographic algorithms that a server and client can use to negotiate a secure connection.
virtual LANs (VLANs)
Logically separate network, created by using switching technology. Even though hosts on two _ may be physically connected to the same cabling, local traffic is isolated to each _ so they must use a router to communicate.
Which software tool is most appropriate for forwarding Windows event logs to a Syslog-compatible server?
NXlog is designed as a multi-platform logging system.
You must recover the contents of the ARP cache as vital evidence of a man-in-the-middle attack. Should you shut down the PC and image the hard drive to preserve it?
No, the ARP cache is stored in memory and will be discarded when the computer is powered off. You can either dump the system memory or run the arp utility and make a screenshot. In either case, make sure that you record the process and explain your actions.
A user maintains a list of commonly used passwords in a file located deep within the computer's directory structure. Is this secure password management?
No. This is security by obscurity. The file could probably be easily discovered using search tools.
What term is used to describe the property of a secure network where a sender cannot deny having sent a message?
Non-repudiation.
thin WAP
A WAP that requires a wireless controller in order to function.
Packet analysis
The act of examining protocol headers and payloads within individual network packets or frames.
How does a replay attack work in the context of session hijacking?
The attacker captures some data, such as a cookie, used to log on or start a session legitimately. The attacker then resends the captured data to re-enable the connection.
code review
The process of peer review of uncompiled source code by other developers.
Apart from cost, what would you consider to be the major considerations for evaluating a biometric recognition technology?
Error rates (false acceptance and false rejection), throughput, and whether users will accept the technology or reject it as too intrusive or threatening to privacy.
You are advising a customer about encryption for data backup security and the key escrow services that you offer. How should you explain the risks of key escrow and potential mitigations?
Escrow refers to archiving the key used to encrypt the customer's backups with your company as a third party. The risk is that an insider attack from your company may be able to decrypt the data backups. This risk can be mitigated by requiring M-of-N access to the escrow keys, reducing the risk of a rogue administrator.
True or false? Nation state actors primarily only pose a risk to other states.
False—nation state actors have targeted commercial interests for theft, espionage, and extortion.
Internet Key Exchange (IKE)
Framework for creating a Security Association (SA) used with IPSec. An SA establishes that two hosts trust one another (authenticate) and agree secure protocols and cipher suites to use to exchange data.
Extensible Authentication Protocol (EAP)
Framework for negotiating authentication methods that enables systems to use hardware-based identifiers, such as fingerprint scanners or smart card readers, for authentication.
Why are exercises an important part of creating a disaster recovery plan?
Full-scale or functional exercises can identify mistakes in the plan that might not be apparent when drafting procedures. It also helps to familiarize staff with the plan.
Data minimization
In data protection, the principle that only necessary and sufficient personal information can be collected and processed for the stated purpose.
A multinational company manages a large amount of valuable intellectual property (IP) data, plus personal data for its customers and account holders. What type of business unit can be used to manage such important and complex security requirements?
A security operations center (SOC).
Microservice
A software architecture where components of the solution are conceived as highly decoupled services not dependent on a single platform type or technology.
What use is a TPM when implementing full disk encryption?
A trusted platform module provides a secure mechanism for creating and storing the key used to encrypt the disk. The key is sealed to the TPM and released only when the measured boot state matches the expected values, and access can additionally be protected by a PIN or password. Without a TPM, the alternative is usually to store the key on a USB stick that must be present at boot.
file integrity monitoring (FIM)
A type of software that reviews system files to ensure that they have not been tampered with.
remote code execution
A vulnerability that allows an attacker to transmit code from a remote host for execution on a target host or a module that exploits such a vulnerability.
Vulnerability
A weakness that could be triggered accidentally or exploited intentionally to cause a security breach.
downgrade attack
A cryptographic attack where the attacker exploits the need for backward compatibility to force a computer system to abandon a newer or stronger protocol or cipher in favor of an older, weaker one, or in the worst case to abandon encryption altogether in favor of plaintext messages.
wireless controllers
A device that provides wireless LAN management for multiple APs.
What type of scheduled Windows backup job does not clear the archive attribute?
A differential backup. This type of backup selects all new and modified data since the previous full backup. You could also mention copy backups, though these are usually ad hoc rather than scheduled.
What physical security device could you use to ensure the safety of onsite backup tapes?
A fireproof safe or vault.
web application firewall (WAF)
A firewall designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks.
Service accounts
A host or network account that is designed to run a background service, rather than to log on interactively.
Your company has been the victim of several successful phishing attempts over the past year. Attackers managed to steal credentials from these attacks and used them to compromise key systems. What vulnerability contributed to the success of these social engineers, and why?
A lack of proper user training directly contributes to the success of social engineering attempts. Attackers can easily trick users when those users are unfamiliar with the characteristics and ramifications of such deception.
Gramm-Leach-Bliley Act (GLBA)
A law enacted in 1999 that deregulated banks, but also instituted requirements that help protect the privacy of an individual's financial information that is held by financial institutions.
Sarbanes-Oxley Act (SOX)
A law enacted in 2002 that dictates requirements for the storage and retention of documents relating to an organization's financial and business operations.
California Consumer Privacy Act (CCPA)
A law that allows any California consumer to demand to see all the information a company has saved on them, as well as a full list of all the third parties that data is shared with.
wired equivalent privacy (WEP)
A legacy mechanism for encrypting data sent over a wireless connection.
Why might a PIN be a particularly weak type of something you know authentication?
A long personal identification number (PIN) is difficult for users to remember, but a short PIN is easy to crack. A PIN can only be used safely where the number of sequential authentication attempts can be strictly limited.
Hoaxes
A malicious communication that tricks the user into performing undesired actions, such as deleting important system files in an attempt to remove a virus, or sending money or important information.
client-side or cross-site request forgery (CSRF or XSRF)
A malicious script hosted on the attacker's site that can exploit a session started on another site in the same browser.
Radio Frequency ID (RFID)
A means of encoding information into passive tags, which can be easily attached to devices, structures, clothing, or almost anything else.
Entropy
A measure of disorder. Cryptographic systems should exhibit high _ to better resist brute force attacks.
structured exception handler (SEH)
A mechanism to account for unexpected error conditions that might arise during code execution. Effective error handling reduces the chances that a program could be exploited.
Temporal Key Integrity Protocol (TKIP)
A mechanism used in the first version of WPA to improve the security of wireless encryption mechanisms, compared to the flawed WEP standard.
What type of interoperability agreement would be appropriate at the outset of two companies agreeing to work with one another?
A memorandum of understanding (MOU).
digital signature
A message digest encrypted using the sender's private key (for example, with RSA) that is appended to a message to authenticate the sender and prove message integrity.
true random number generator (TRNG)
A method of generating random values by sampling physical phenomena that has a high rate of entropy.
zero-filling
A method of sanitizing a drive by setting all bits to zero.
DNS poisoning
A network-based attack where an attacker exploits the traditionally open nature of the DNS system to redirect a domain name to an IP address of the attacker's choosing.
ARP poisoning
A network-based attack where an attacker with access to the target local network segment redirects an IP address to the MAC address of a computer that is not the intended recipient. This can be used to perform a variety of attacks, including DoS, spoofing, and Man-in-the-Middle.
Metasploit
A platform for launching modularized attacks against known software vulnerabilities.
System on chip (SoC)
A processor that integrates the platform functionality of multiple logical controllers onto a single chip.
Trusted Automated eXchange of Indicator Information (TAXII)
A protocol for supplying codified threat intelligence (typically STIX-formatted indicators) to automate incident detection and analysis.
Network address translation (NAT)
A routing mechanism that conceals internal addressing schemes from the public Internet by translating between a single public address on the external side of a router and private, non-routable addresses internally.
Implicit TLS (FTPS)
Mode of FTPS that negotiates an SSL/TLS tunnel before the exchange of any FTP commands. This mode uses the secure port 990 for the control connection.
Static and dynamic source NAT
perform 1:1 mappings between private ("inside local") network address and public ("inside global") addresses. These mappings can be static or dynamically assigned.
Active scanning
probing the device's configuration using some sort of network connection with the target. Active scanning consumes more network bandwidth and runs the risk of crashing the target of the scan or causing some other sort of outage. Agent-based scanning is also an active technique.
measured boot
process uses platform configuration registers (PCRs) in the TPM at each stage in the boot process to check whether hashes of key system state data (boot firmware, boot loader, OS kernel, and critical drivers) have changed. This does not usually prevent boot, but it will record the presence of unsigned kernel-level code.
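The measured boot flashcard above describes PCR extension but not how a verifier uses it. The following is an added example (not from the study guide or any TPM vendor) that simulates the TPM extend operation over a constructed boot chain: every stage's measurement is folded into one register, a tampered kernel or a reordered stage changes the final value, and an event log can be replayed to check it has not been edited. The component images and stage names are made up for illustration.

```python
import hashlib
import hmac

# Constructed stand-ins for the components measured at each boot stage
# (a real TPM receives the SHA-256 of the actual firmware/loader/kernel image).
GOOD_BOOT_CHAIN = [
    ("boot-firmware", b"platform firmware v1.2 image"),
    ("boot-loader", b"signed boot loader image"),
    ("os-kernel", b"kernel 5.15.0 image"),
    ("critical-driver", b"storage driver image"),
]

PCR_SIZE = 32  # SHA-256 PCR bank; every PCR is all-zero bytes at platform reset


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: PCR_new = H(PCR_old || measurement). A PCR can only be
    extended, never written, so the final value depends on every measurement
    and on the order in which they were made."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_boot(chain):
    """Walk the boot chain, extending one PCR per stage and recording an event
    log of (stage, measurement) like the log an attestation service reads."""
    pcr = bytes(PCR_SIZE)
    event_log = []
    for stage, image in chain:
        measurement = hashlib.sha256(image).digest()
        event_log.append((stage, measurement.hex()))
        pcr = pcr_extend(pcr, measurement)
    return pcr, event_log


def replay_log(event_log) -> bytes:
    """Recompute the PCR from the event log alone. A verifier does this and
    compares the result with the PCR quoted by the TPM to detect log edits."""
    pcr = bytes(PCR_SIZE)
    for _stage, measurement_hex in event_log:
        pcr = pcr_extend(pcr, bytes.fromhex(measurement_hex))
    return pcr


def attest(expected_pcr: bytes, observed_pcr: bytes) -> bool:
    """Policy check: release the disk key (or admit the host) only on a match."""
    return hmac.compare_digest(expected_pcr, observed_pcr)


def first_divergent_stage(expected_log, observed_log):
    """Name the first boot stage whose measurement changed, or None if none did."""
    for (stage, expected), (_stage, observed) in zip(expected_log, observed_log):
        if expected != observed:
            return stage
    return None


if __name__ == "__main__":
    golden_pcr, golden_log = measure_boot(GOOD_BOOT_CHAIN)
    tampered_chain = [
        (stage, b"kernel 5.15.0 image with rootkit" if stage == "os-kernel" else image)
        for stage, image in GOOD_BOOT_CHAIN
    ]
    tampered_pcr, tampered_log = measure_boot(tampered_chain)
    print("golden PCR  :", golden_pcr.hex())
    print("tampered PCR:", tampered_pcr.hex())
    print("attest ok?  :", attest(golden_pcr, tampered_pcr))
    print("changed at  :", first_divergent_stage(golden_log, tampered_log))
```

The PCR value alone says only that something differs; the event log is what tells the analyst which stage changed, which is why both the quote and the log are collected during attestation.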
message authentication code (MAC)
provides an authentication and integrity mechanism by hashing a combination of the message output and a shared secret key. The recipient can perform the same process using his or her copy of the secret key to verify the data. This type of authenticated encryption scheme is specified in a cipher suite as separate functions, such as "AES CBC with HMAC-SHA."
Consensus/Social Proof
refers to the fact that without an explicit instruction to behave in a certain way, many people will act just as they think others would act.
Elasticity
refers to the system's ability to scale resources up or down in response to changes in demand, in real time.
Mobile application management (MAM)
sets policies for apps that can process corporate data, and prevents data transfer to personal apps. This type of solution configures an enterprise-managed container or workspace.
Cryptanalysis
The science, art, and practice of breaking codes and ciphers.
You are developing new detection rules for a network security scanner. Which tool will be of use in testing whether the rules match a malicious traffic sample successfully?
The tcpreplay tool can be used to stream captured traffic from a file to a monitored network interface.
What is the process of sideloading?
The user installs an app directly onto the device rather than from an official app store.
What is the risk of not following a tested order of restoration when recovering a site from a major incident?
There may be unmet dependencies between systems that are started in the wrong order. This could lead to boot failures and possibly data corruption.
You are writing a shell script to display the last 5 lines of a log file at /var/log/audit in a dashboard. What is the Linux command to do this?
tail -n 5 /var/log/audit (GNU tail also accepts the option after the file name, as in tail /var/log/audit -n 5).
Windows local sign-in
the Local Security Authority (LSA) compares the submitted credential to a hash stored in the Security Accounts Manager (SAM) database, which is part of the registry. This is also referred to as interactive logon.
non-transparent proxy
the client must be configured with the proxy server address and port number to use it. The port on which the proxy server accepts client connections is often configured as port 8080.
Data exfiltration
the methods and tools by which an attacker transfers data without authorization from the victim's systems to an external network or media.
STARTTLS
this is a command that upgrades an existing unsecure connection to use TLS. This is also referred to as explicit TLS or opportunistic TLS.
TCP SYN (-sS)
this is a fast technique also referred to as half-open scanning, as the scanning host requests a connection without acknowledging it. The target's response to the scan's SYN packet identifies the port state.
Managed Security Services Provider (MSSP)
Third-party provision of security configuration and monitoring as an outsourced service.
Community
this is where several organizations share the costs of either a hosted private or fully private cloud. This is usually done in order to pool resources for a common concern, like standardization and security policies.
mtr
Utility combining the ping and traceroute commands.
tcpdump
A command-line packet capture utility for Linux. Once started on an interface, it displays captured packets until halted manually (or writes them to a file for later analysis).
Public (or multi-tenant)
a service offered over the Internet by cloud service providers (CSPs) to cloud consumers. With this model, businesses can offer subscriptions or pay-as-you-go financing, while at the same time providing lower-tier services free of charge. As a shared resource, there are risks regarding performance and security. Multi-cloud architectures are where an organization uses services from multiple CSPs.
Open Vulnerability and Assessment Language (OVAL)
an XML schema for describing system security state and querying vulnerability reports and information.
Counter mode
applies an IV plus an incrementing counter value to the key to generate a keystream. The keystream is then XOR'ed with the data in the plaintext blocks. Each block can be processed individually and consequently in parallel, improving performance. Counter mode does not need to use padding: any unused keystream for the last block is simply discarded, so the ciphertext is the same length as the plaintext. The IV (nonce) must never be reused with the same key.
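The message authentication code and counter mode flashcards above describe the two halves of an authenticated encryption scheme that a cipher suite specifies as separate functions. The following added example (not from the study guide) puts them together: counter-mode encryption with no padding, then an HMAC-SHA256 tag over nonce and ciphertext, verified with a constant-time compare before anything is decrypted. Because the standard library has no AES, HMAC-SHA256 stands in for the block-cipher call that produces each keystream block; that substitution is an assumption of this example, and the CTR construction around it is unchanged. It also shows the nonce-reuse caveat: two ciphertexts under the same key and nonce XOR to the XOR of their plaintexts.

```python
import hashlib
import hmac
import os

BLOCK = 32  # keystream block size: HMAC-SHA256 output (AES-CTR would use 16-byte blocks)
NONCE_LEN = 8
TAG_LEN = 32


def keystream_block(enc_key: bytes, nonce: bytes, counter: int) -> bytes:
    """Stand-in for encrypting (nonce || counter) with the block cipher.
    HMAC-SHA256 is used only because it is in the standard library."""
    return hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()


def ctr_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation): XOR data with the keystream.
    No padding: the unused tail of the last keystream block is discarded, so
    the output has exactly the input's length. Blocks are independent of each
    other, so they could be computed in parallel or at arbitrary offsets."""
    out = bytearray()
    for offset in range(0, len(data), BLOCK):
        keystream = keystream_block(enc_key, nonce, offset // BLOCK)
        chunk = data[offset:offset + BLOCK]
        out.extend(b ^ k for b, k in zip(chunk, keystream))
    return bytes(out)


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Message layout: nonce || ciphertext || HMAC(mac_key, nonce || ciphertext)."""
    nonce = os.urandom(NONCE_LEN)  # fresh per message; reuse is catastrophic (see below)
    ciphertext = ctr_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def verify_then_decrypt(enc_key: bytes, mac_key: bytes, message: bytes) -> bytes:
    """Check the MAC first; only decrypt a message whose tag verifies."""
    nonce, ciphertext, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise ValueError("MAC check failed: message rejected before decryption")
    return ctr_xor(enc_key, nonce, ciphertext)


def nonce_reuse_leak(enc_key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bool:
    """Caveat demonstration: with a reused nonce, c1 XOR c2 == p1 XOR p2, so an
    attacker learns the relationship between the plaintexts without the key."""
    c1, c2 = ctr_xor(enc_key, nonce, p1), ctr_xor(enc_key, nonce, p2)
    n = min(len(c1), len(c2))
    xor_ct = bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))
    xor_pt = bytes(a ^ b for a, b in zip(p1[:n], p2[:n]))
    return xor_ct == xor_pt


if __name__ == "__main__":
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    packet = encrypt_then_mac(enc_key, mac_key, b"attack at dawn")
    print("recovered:", verify_then_decrypt(enc_key, mac_key, packet))
    damaged = bytearray(packet)
    damaged[NONCE_LEN] ^= 0x01  # flip one ciphertext bit
    try:
        verify_then_decrypt(enc_key, mac_key, bytes(damaged))
    except ValueError as err:
        print("rejected:", err)
```

Encrypt-then-MAC with the MAC checked first is the ordering that avoids padding-oracle style problems; CTR mode has no padding at all, which is one reason modern suites pair it with a MAC (or use GCM, which builds the authentication in).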
SOC2 Type I report
assesses the design of the system's controls at a point in time (a Type II report also tests their operating effectiveness over a period).
Management Frame Protection (MFP/802.11w)
Protects 802.11 management frames with integrity checks, so that spoofed disassociation packets and deauthentication attacks can be mitigated, provided the wireless infrastructure and clients support it.
Load balancers
distribute traffic between network segments or servers to optimize performance. _ can work at layer 4 of the OSI model or higher.
Cuckoo
is packaged software that aims to provide a turnkey sandbox solution
Business impact analysis (BIA)
is the process of assessing what losses might occur for a range of threat scenarios.
IKE Phase II
uses the secure channel created in Phase I to establish which ciphers and key sizes will be used with AH and/or ESP in the IPSec session.
Rules of engagement
Agreeing scope, operational parameters, and reporting requirements for a penetration test.
Operational
A category of security control that is implemented by people.
shadow IT
Computer hardware, software, or services used on a private network without authorization from the system owner.
Internet of Things (IoT)
Devices that can report state and configuration data and be remotely managed over IP networks.
EAP over Wireless (EAPoW)
Allows an access point to forward authentication data without allowing any other type of network access.
Layer 4 load balancer
basic load balancers make forwarding decisions on IP address and TCP/UDP port values, working at the transport layer of the OSI model.
Business partnership agreement (BPA)
Agreement by two companies to work together closely, such as the partner agreements that large IT companies set up with resellers and solution providers.
What is a hardened configuration?
A basic principle of security is to run only services that are needed. A hardened system is configured to perform a role as client or application server with the minimal possible attack surface, in terms of interfaces, ports, services, storage, system/registry permissions, lack of security controls, and vulnerabilities.
Least privilege
A basic principle of security stating that something should be allocated the minimum necessary rights, privileges, or information to perform its role.
sinkhole
A DoS attack mitigation strategy that directs the traffic that is flooding a target IP address to a different network for analysis.
What addressing component must be installed or configured for NB-IoT?
An LTE-based cellular radio, such as narrowband IoT, uses a subscriber identity module (SIM) card as an identifier. This can either be installed as a plug-in card or configured as an eSIM chip on the system board or as a feature in a SoC design.
What type of data source(s) would you look for evidence of a suspicious MTA in?
A Message Transfer Agent (MTA) is an SMTP server. You might inspect an SMTP log or the Internet header metadata of an email message.
Security Content Automation Protocol (SCAP)
A NIST framework that outlines various accepted practices for automating vulnerability scanning.
What is the difference between a sensor and a collector, in the context of SIEM?
A SIEM collector parses input (such as log files or packet traces) into a standard format that can be recorded within the SIEM and interpreted for event correlation. A sensor collects data from the network media.
You are writing a security awareness blog for company CEOs subscribed to your threat platform. Why are backdoors and Trojans different ways of classifying and identifying malware risks?
A Trojan means a malicious program masquerading as something else; a backdoor is a covert means of accessing a host or network. A Trojan need not necessarily operate a backdoor and a backdoor can be established by exploits other than using Trojans. The term remote access trojan (RAT) is used for the specific combination of Trojan and backdoor.
What physical security system provides mitigation against juice-jacking?
A USB data blocker can be attached to the end of a cable to prevent a charging port from trying to make a data connection.
What is a VDE?
A Virtual Desktop Environment (VDE) is the workspace presented when accessing an instance in a virtual desktop infrastructure (VDI) solution. VDI is the whole solution (host server and virtualization platform, connection protocols, connection/session broker, and client access devices).
mission essential function (MEF)
A business or organizational activity that is too critical to be deferred for anything more than a few hours, if at all.
What type of forensic data is recovered using a carving tool?
A carving tool allows close inspection of an image to locate artifacts. Artifacts are data objects and structures that are not obvious from examination by ordinary file browsing tools, such as alternate data streams, cache entries, and deleted file remnants.
Managerial
A category of security control that gives oversight of the information system.
Technical
A category of security control that is implemented as a system (hardware, software, or firmware). Technical controls may also be described as logical controls.
If a company wants to ensure it is following best practice in choosing security controls, what type of resource would provide guidance?
A cybersecurity framework and/or benchmark and secure configuration guides.
What vulnerabilities might default error messages reveal?
A default error message might reveal platform information and the workings of the code to an attacker.
Tokenization
A deidentification method where a unique token is substituted for real data.
Data masking
A deidentification method where generic or placeholder labels are substituted for real data while preserving the structure or format of the original data.
What is a RADIUS client?
A device or server that accepts user connections, often referred to as a network access server (NAS) or as the authenticator. Using RADIUS architecture, the client does not need to be able to perform authentication itself; it performs pass-thru to an AAA server.
Smart-card authentication
A device similar to a credit card that can store authentication information, such as a user's private key, on an embedded microchip.
Discretionary access control (DAC)
Access control model where each resource is protected by an Access Control List (ACL) managed by the resource's owner (or owners).
Mandatory access control (MAC)
Access control model where resources are protected by inflexible, system defined rules. Resources (objects) and users (subjects) are allocated a clearance level (or label).
out-of-band (OOB)
Accessing the administrative interface of a network appliance using a separate network from the usual data network. This could use a separate VLAN or a different kind of link, such as a dial-up modem.
You are consulting with a medium-size company about endpoint security solutions. What advantages does a cloud-based analytics platform have over an on-premises solution that relies on signature updates?
Advanced persistent threat (APT) malware can use many techniques to evade signature-based detection. A cloud analytics platform, backed by machine learning, can apply more effective behavioral-based monitoring and alerting.
software-defined networking (SDN)
APIs and compatible hardware/virtual appliances allowing for programmable network appliances and systems.
Gait analysis
Biometric mechanism that identifies a subject based on movement pattern.
Reputational threat intelligence
Blacklists of known threat sources, such as malware signatures, IP address ranges, and DNS domains.
What is usually the purpose of the default rule on a firewall?
Block any traffic not specifically allowed (implicit deny).
Chuck, a sales executive, is attending meetings at a professional conference that is also being attended by representatives of other companies in his field. At the conference, he uses his smartphone with a Bluetooth headset to stay in touch with clients. A few days after the conference, he finds that competitors' sales representatives are getting in touch with his key contacts and influencing them by revealing what he thought was private information from his email and calendar. Chuck is a victim of which wireless threat?
Bluesnarfing.
What type of deployment model(s) allow users to select the mobile device make and model?
Bring Your Own Device (BYOD) and Choose Your Own Device (CYOD).
registration authorities (RAs)
In PKI, an authority that accepts requests for digital certificates and authenticates the entities making those requests.
Password spraying
Brute force attack in which multiple user accounts are tested with a dictionary of common passwords.
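The flashcard above defines password spraying by contrast with classic brute force: many accounts with a few common passwords rather than one account with many passwords. That difference is exactly what a detection rule keys on, since per-account lockout thresholds never trigger. The following added example (not from the study guide) runs both detections over a constructed SSH auth-log extract; the hostnames, usernames and addresses are invented.

```python
import re
from collections import defaultdict

# Constructed sshd log extract (not real data). 203.0.113.5 tries one common password
# against many accounts (spray); 198.51.100.9 hammers one account (brute force);
# 192.0.2.77 is an ordinary user who mistyped once.
AUTH_LOG = """\
2024-03-01T08:00:01Z host1 sshd[1201]: Failed password for alice from 203.0.113.5 port 50211 ssh2
2024-03-01T08:00:03Z host1 sshd[1202]: Failed password for bob from 203.0.113.5 port 50212 ssh2
2024-03-01T08:00:05Z host1 sshd[1203]: Failed password for invalid user carol from 203.0.113.5 port 50213 ssh2
2024-03-01T08:00:07Z host1 sshd[1204]: Failed password for dave from 203.0.113.5 port 50214 ssh2
2024-03-01T08:00:09Z host1 sshd[1205]: Failed password for erin from 203.0.113.5 port 50215 ssh2
2024-03-01T08:00:11Z host1 sshd[1206]: Accepted password for frank from 203.0.113.5 port 50216 ssh2
2024-03-01T08:00:12Z host1 sshd[1207]: Failed password for admin from 198.51.100.9 port 40001 ssh2
2024-03-01T08:00:13Z host1 sshd[1208]: Failed password for admin from 198.51.100.9 port 40002 ssh2
2024-03-01T08:00:14Z host1 sshd[1209]: Failed password for admin from 198.51.100.9 port 40003 ssh2
2024-03-01T08:00:15Z host1 sshd[1210]: Failed password for admin from 198.51.100.9 port 40004 ssh2
2024-03-01T08:00:16Z host1 sshd[1211]: Failed password for admin from 198.51.100.9 port 40005 ssh2
2024-03-01T08:00:17Z host1 sshd[1212]: Failed password for admin from 198.51.100.9 port 40006 ssh2
2024-03-01T08:00:18Z host1 sshd[1213]: Failed password for admin from 198.51.100.9 port 40007 ssh2
2024-03-01T08:00:19Z host1 sshd[1214]: Failed password for admin from 198.51.100.9 port 40008 ssh2
2024-03-01T08:00:30Z host1 sshd[1215]: Failed password for alice from 192.0.2.77 port 61000 ssh2
2024-03-01T08:00:40Z host1 sshd[1216]: Accepted password for alice from 192.0.2.77 port 61000 ssh2
"""

# sshd writes "invalid user" before names that do not exist; sprays hit those too.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


def parse_auth_log(text):
    """Return (timestamp, result, user, source_ip) tuples for lines that match."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            events.append((match["ts"], match["result"], match["user"], match["src"]))
    return events


def detect_spraying(events, min_users=5, max_attempts_per_user=2):
    """Spray signature: one source, many distinct accounts, few failures per account.
    Returns {source_ip: sorted list of targeted usernames}."""
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> failed count
    for _ts, result, user, src in events:
        if result == "Failed":
            failures[src][user] += 1
    findings = {}
    for src, per_user in failures.items():
        if len(per_user) >= min_users and max(per_user.values()) <= max_attempts_per_user:
            findings[src] = sorted(per_user)
    return findings


def detect_brute_force(events, min_attempts=5):
    """Classic signature: many failures from one source against one account.
    Returns {(source_ip, user): failed count}."""
    counts = defaultdict(int)
    for _ts, result, user, src in events:
        if result == "Failed":
            counts[(src, user)] += 1
    return {key: n for key, n in counts.items() if n >= min_attempts}


def successes_after_spray(events, spray_findings):
    """Accepted logins from a spraying source: accounts to reset first."""
    return sorted({user for _ts, result, user, src in events
                   if result == "Accepted" and src in spray_findings})


if __name__ == "__main__":
    events = parse_auth_log(AUTH_LOG)
    sprays = detect_spraying(events)
    print("spraying sources :", sprays)
    print("brute force      :", detect_brute_force(events))
    print("likely compromised:", successes_after_spray(events, sprays))
```

Real sprays are usually slower (one password per account per day, from many source addresses), so production rules aggregate over longer windows and over ASN or geolocation rather than a single IP; the per-account failure count still stays low, which is the signal that survives.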
How can an enterprise DMZ be implemented?
By using two firewalls (external and internal) around a screened subnet, or by using a triple-homed firewall (one with three network interfaces).
You are advising a customer on backup and disaster recovery solutions. The customer is confused between data breaches and data loss and whether the backup solution will protect against both. What explanation can you give?
Backup solutions mitigate risks from data loss, where files or information is deleted, corrupted, or otherwise destroyed. Backup does not mitigate risks from data breach, where confidential or private data is stolen (exfiltrated) and made public or sold for criminal profit. Mitigating risks of data breach requires effective secure processing, authorization, and authentication security controls.
Privacy-enhanced Electronic Mail (PEM)
Base64 encoding scheme used to store certificate and key data as ASCII text.
Considering that cryptographic hashing is one-way and the digest cannot be reversed, what makes hashing a useful security technique?
Because two parties can hash the same data and compare checksums to see if they match, hashing can be used for data verification in a variety of situations, including password authentication. Hashes of passwords, rather than the password plaintext, can be stored securely or exchanged for authentication. A hash of a file or a hash code in an electronic message can be verified by both parties.
What is the principal risk of deploying an intrusion prevention system with behavior-based detection?
Behavior-based detection can exhibit high false positive rates, where legitimate activity is wrongly identified as malicious. With automatic prevention, this will block many legitimate users and hosts from the network, causing availability and support issues.
False Acceptance Rate (FAR)
Biometric assessment metric that measures the rate at which unauthorized users are mistakenly allowed access (false positives).
False Rejection Rate (FRR)
Biometric assessment metric that measures the rate at which valid subjects are wrongly denied access (false negatives).
Crossover Error Rate (CER)
Biometric evaluation factor expressing the point at which FAR and FRR meet, with a low value indicating better performance.
What is the best option for monitoring traffic passing from host-to-host on the same switch?
A mirrored (SPAN) port. Frames switched between two hosts on the same switch never cross an uplink, so a sensor or TAP placed elsewhere on the network will not see them; the switch must copy the traffic to a monitoring port (the alternative is an inline TAP on one of the hosts' own links).
A small company that you provide security consulting support to has resisted investing in an event management and threat intelligence platform. The CEO has become concerned about an APT risk known to target supply chains within the company's industry sector and wants you to scan their systems for any sign that they have been targeted already. What are the additional challenges of meeting this request, given the lack of investment?
Collecting network traffic and log data from multiple sources and then analyzing it manually will require many hours of analyst time. The use of threat feeds and intelligence fusion to automate parts of this analysis effort would enable a much swifter response.
Hashcat
Command-line tool used to perform brute force and dictionary attacks against password hashes.
Key Distribution Center (KDC)
Component of Kerberos that authenticates users and issues tickets (tokens).
building automation system (BAS)
Components and protocols that facilitate the centralized configuration and monitoring of mechanical and electrical systems within offices and data centers.
default account
Default administrative and guest accounts configured on servers and network devices are possible points of unauthorized access.
What type of physical destruction media sanitization method is not suitable for USB thumb drives?
Degaussing is ineffective against all types of flash media, including thumb drives, SSDs, hybrid drives, and memory cards.
What vulnerabilities does a rogue DHCP server expose users to?
Denial of service (providing an invalid address configuration) and spoofing (providing a malicious address configuration—one that points to a malicious DNS, for instance).
east-west traffic
Design paradigm accounting for the fact that data center traffic between servers is greater than that passing in and out (north-south).
Why is it vital to ensure the security of an organization's DNS service?
DNS resolves domain names. If it were to be corrupted, users could be directed to spoofed websites. Disrupting DNS can also perform denial of service.
You are preparing a briefing paper for customers on the organizational consequences of data and privacy breaches. You have completed sections for reputation damage, identity theft, and IP theft. Following the CompTIA Security+ objectives, what other section should you add?
Data and privacy breaches can lead legislators or regulators to impose fines. In some cases, these fines can be substantial (calculated as a percentage of turnover).
To what data state does a trusted execution environment apply data protection?
Data in processing/data in use.
carving
The process of recovering file fragments by analyzing a disk (or an image of a disk) for data stored in slack or unallocated space. These fragments might represent deleted or overwritten files.
Personally identifiable information (PII)
Data that can be used to identify or contact an individual (or in the case of identity theft, to impersonate them).
Why should an Internet service provider (ISP) be informed before pen testing on a hosted website takes place?
ISPs monitor their networks for suspicious traffic and may block the test attempts. The pen test may also involve equipment owned and operated by the ISP.
Third-party CA services
IdenTrust, Digicert, Sectigo/Comodo, GoDaddy, and GlobalSign
fingerprinting
Identifying the type and version of an operating system (or server application) by analyzing its responses to network scans.
Your CEO calls to request market research data immediately be forwarded to her personal email address. You recognize her voice, but a proper request form has not been filled out and use of third-party email is prohibited. She states that normally she would fill out the form and should not be an exception, but she urgently needs the data to prepare for a round table at a conference she is attending. What type of social engineering techniques could this use, or is it a false alarm?
If social engineering, this is spear phishing (the attack uses specific detail) over a voice channel (vishing). It is possible that it uses deep fake technology for voice mimicry. The use of a sophisticated attack for a relatively low-value data asset seems unlikely, however. A fairly safe approach would be to contact the CEO back on a known mobile number.
MS-CHAPv2
Implementation of CHAP created by Microsoft for use in its products.
Password-Based Key Derivation Function 2 (PBKDF2)
Implementation of key stretching to make potentially weak input used to derive a cryptographic key, such as short passwords, less susceptible to brute force attacks.
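Two flashcards above, the one on why hashing is useful for password authentication and this one on PBKDF2 key stretching, describe the same mechanism from two sides. The following added example (not from the study guide) implements it with the standard library: a per-user random salt so equal passwords produce different records, a stored iteration count so it can be raised later, a constant-time verify, and an offline dictionary attack against the stored record to show that every guess costs the attacker the full iteration count. The storage format `pbkdf2_sha256$iterations$salt$hash` is this example's own convention.

```python
import hashlib
import hmac
import os

ALGO = "sha256"
ITERATIONS = 600_000  # key stretching: raise this as hardware gets faster
DKLEN = 32


def hash_password(password: str, iterations: int = ITERATIONS, salt=None) -> str:
    """Derive a stretched key and return a self-describing record:
    pbkdf2_<algo>$<iterations>$<salt hex>$<derived key hex>.
    A fresh 16-byte salt is generated unless one is supplied (tests only)."""
    salt = salt or os.urandom(16)
    derived = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, iterations, dklen=DKLEN)
    return f"pbkdf2_{ALGO}${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, derived_hex = stored.split("$")
    algo = scheme.split("_", 1)[1]
    derived = hashlib.pbkdf2_hmac(
        algo, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations), dklen=DKLEN
    )
    return hmac.compare_digest(derived, bytes.fromhex(derived_hex))


def offline_dictionary_attack(stored: str, candidates):
    """What an attacker who stole the record must do: run the full PBKDF2
    computation once per guess. Returns (recovered password or None, guesses tried)."""
    tried = 0
    for guess in candidates:
        tried += 1
        if verify_password(guess, stored):
            return guess, tried
    return None, tried


if __name__ == "__main__":
    record = hash_password("summer2024")
    print("stored record :", record)
    print("correct login :", verify_password("summer2024", record))
    print("wrong login   :", verify_password("Summer2024", record))
    # Constructed mini-dictionary; each guess costs ITERATIONS rounds of HMAC-SHA256.
    print("dictionary hit:", offline_dictionary_attack(record, ["123456", "password", "summer2024"]))
```

Stretching raises the cost per guess but does not rescue a password that is in the attacker's dictionary; it buys time to rotate credentials after a breach, which is why the iteration count is stored alongside the hash and bumped as hardware improves.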
Switches
In Ethernet, a networking device that receives incoming data, reviews the destination MAC address against an internal address table, and sends the data out through the port that contains the destination MAC address.
Ticket Granting Ticket (TGT)
In Kerberos, a token issued by the KDC to an authenticated account, which the client presents to the Ticket Granting Service to obtain service tickets for authorized application servers.
offline CA
In PKI, a CA (typically the root CA) that has been disconnected from the network to protect it from compromise.
online CA
In PKI, a CA that is available to accept and process certificate signing requests, publish certificate revocation lists, and perform other certificate management tasks.
root certificate
In PKI, the self-signed certificate of the root CA, which sits at the top of the hierarchy and issues certificates to intermediate CAs.
Post Office Protocol v3 (POP3)
TCP port 110 protocol that enables a client to access email messages stored in a mailbox on a remote server. The server usually deletes messages once the client has downloaded them.
Internet Message Access Protocol v4 (IMAP4)
TCP/IP application protocol providing a means for a client to access and manage email messages stored in a mailbox on a remote server. IMAP4 uses TCP port 143. It supports persistent connections to a server and connecting multiple clients to the same mailbox simultaneously, and it allows a client to manage mail folders on the server.
Why might an ARP poisoning tool be of use to a threat actor performing network reconnaissance?
The attacker could trick computers into sending traffic through the attacker's computer (performing a MitM/on-path attack) and, therefore, examine traffic that would not normally be accessible to him (on a switched network).
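The ARP poisoning flashcard and the reconnaissance question above both come down to one observable: the gateway's IP address has been rebound to another host's MAC in every victim's ARP cache (which is also why the earlier question insists on capturing the ARP cache before powering off). The following added example (not from the study guide) parses two constructed snapshots of `arp -n` output, a clean baseline and one taken during a suspected on-path attack, and flags the duplicate MAC, the changed binding, and the host now claiming the gateway's address. Addresses and MACs are invented.

```python
import re

# Constructed Linux `arp -n` output (made-up addresses). In the second snapshot the
# gateway 192.168.1.1 has been rebound to the MAC of 192.168.1.30, the attacker.
ARP_BASELINE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:11:22:33:44:55   C                     eth0
192.168.1.20             ether   aa:bb:cc:dd:ee:01   C                     eth0
192.168.1.30             ether   aa:bb:cc:dd:ee:02   C                     eth0
"""

ARP_SUSPECT = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   aa:bb:cc:dd:ee:02   C                     eth0
192.168.1.20             ether   aa:bb:cc:dd:ee:01   C                     eth0
192.168.1.30             ether   aa:bb:cc:dd:ee:02   C                     eth0
"""

ROW_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+ether\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return {ip: mac} from `arp -n` output, skipping the header and incomplete entries."""
    table = {}
    for line in text.splitlines():
        match = ROW_RE.match(line)
        if match:
            table[match["ip"]] = match["mac"].lower()
    return table


def macs_with_multiple_ips(table):
    """A MAC answering for several IPs is the classic poisoning indicator
    (but see the note on legitimate causes below)."""
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def changed_bindings(baseline, current):
    """IPs whose MAC differs between two snapshots: {ip: (old_mac, new_mac)}."""
    return {
        ip: (baseline[ip], current[ip])
        for ip in baseline
        if ip in current and baseline[ip] != current[ip]
    }


def suspected_gateway_spoof(table, gateway_ip, known_gateway_mac):
    """If the gateway's MAC is not the documented one, return the other hosts
    currently using that MAC (the likely on-path attacker); None if all is well."""
    mac = table.get(gateway_ip)
    if mac is None or mac == known_gateway_mac.lower():
        return None
    return sorted(ip for ip, m in table.items() if m == mac and ip != gateway_ip)


if __name__ == "__main__":
    baseline, current = parse_arp_table(ARP_BASELINE), parse_arp_table(ARP_SUSPECT)
    print("duplicate MACs :", macs_with_multiple_ips(current))
    print("changed        :", changed_bindings(baseline, current))
    print("gateway spoof  :", suspected_gateway_spoof(current, "192.168.1.1", "00:11:22:33:44:55"))
```

A shared MAC is not proof on its own: a router with several addresses on one interface, or a VRRP/HSRP virtual address, legitimately answers for more than one IP, so the check against the documented gateway MAC is what turns the duplicate into an alert. Dynamic ARP inspection on the switch prevents the rebinding in the first place.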
How does a clickjacking attack work?
The attacker inserts an invisible layer into a trusted web page that can intercept or redirect input without the user realizing.
How might an attacker exploit a web application to perform a shell injection attack?
The attacker needs to find a vulnerable input method, such as a form control or URL or script parser, that will allow the execution of OS shell commands.
Mean time to failure (MTTF)
The average time a device or component is expected to be in operation before it fails (used for components that are replaced rather than repaired; mean time between failures, MTBF, is the equivalent for repairable ones).
Mean time to repair (MTTR)
The average time taken for a device or component to be repaired, replaced, or otherwise recover from a failure.
Distinguished Encoding Rules (DER)
The binary format used to structure the information in a digital certificate.
Address Resolution Protocol (ARP)
The broadcast mechanism by which individual hardware MAC addresses are matched to an IP address on a local network segment.
You are consulting with a company about a new approach to authenticating users. You suggest there could be cost savings and better support for multifactor authentication (MFA) if your employees create accounts with a cloud provider. That allows the company's staff to focus on authorizations and privilege management. What type of service is the cloud vendor performing?
The cloud vendor is acting as the identity provider.
You have been asked to investigate a web server for possible intrusion. You identify a script with the following code. What language is the code in and does it seem likely to be malicious?
import os, socket, syslog
def r_conn(ip):
    s=socket.socket(socket.AF_INET,socket.SOCK_DGRAM)
    s.connect(("logging.trusted.foo",514))
The code is written in Python. It uses various modules with default library code to interact with the OS and network, and also the syslog logging platform. The first lines of code define a function to connect to a host over port 514 (syslog). SOCK_DGRAM is a UDP connection, which is standard for syslog. Most likely the script is for remote logging and unlikely to be malicious, especially if trusted.foo is a known domain.
How does a specially configured compiler inhibit attacks through software diversity?
The compiler can vary the machine code it emits from the same source (instruction selection, ordering, register use, and memory layout) so that each build or installation differs at the binary level. An exploit that depends on a fixed layout, such as known gadget or function addresses, then works on one instance but not on others. Obfuscation passes applied by the same compiler also make the binary harder for a threat actor to reverse engineer and analyze for vulnerabilities.
What is the difference between the role of data steward and the role of data custodian?
The data steward role is concerned with the quality of data (format, labeling, normalization, and so on). The data custodian role focuses on the system hosting the data assets and its access control mechanisms.
Which command line tool allows image creation from disk media on any Linux host?
The dd tool. It is part of GNU coreutils and present on virtually every Linux distribution, so no forensic software has to be installed on the host being imaged. For an evidentiary image, use a write blocker, read the whole block device with conv=noerror,sync so that read errors neither abort the copy nor shift the image, and hash both the source device and the image (with sha256sum, for instance) to prove integrity. Forensic variants such as dcfldd and dc3dd add on-the-fly hashing and logging.
Why are OS-enforced file access controls not sufficient in the event of the loss or theft of a computer or mobile device?
The disk (or other storage) could be attached to a foreign system, where an administrator of that system can take ownership of the files and bypass the original OS's permissions entirely. File-level encryption, full disk encryption (FDE), or self-encrypting drives (SED) mitigate this by requiring the user's decryption key (or a TPM-bound key plus PIN) to read the data.
You are discussing execution and validation security for DOM scripting with the web team. A junior team member wants to know if this relates to client-side or server-side code. What is your response?
The document object model (DOM) is the means by which a script (JavaScript) changes the way a page is rendered. Because the browser performs that rendering, DOM scripting is client-side code, and any validation done there can be bypassed by a user who controls the browser; the server must validate the same input again. DOM-based cross-site scripting, where a script writes attacker-controlled data into the page, is the typical execution risk.
What is the significance of the fact that digital evidence is latent?
The evidence cannot be seen directly but must be interpreted so the validity of the interpreting process must be unquestionable.
Availability
The fundamental security goal of ensuring that computer systems operate continuously and that authorized persons can access data that they need.
Confidentiality
The fundamental security goal of keeping information and communications private and protecting them from unauthorized access.
integrity
The fundamental security goal of keeping organizational information accurate, free of errors, and without unauthorized modifications.
How might an integer overflow be used as part of a buffer overflow?
A count or length taken from untrusted input can overflow (wrap around) when it is used in arithmetic, so the application allocates less memory than the data actually requires. A later copy that trusts the original count then writes past the end of the undersized buffer, turning an arithmetic error into a buffer overflow. Checking for wraparound before allocating (or using compiler builtins that detect overflow) prevents this.
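An added illustration (not from the study guide) of the mechanism just described: Python emulating the unsigned 16-bit arithmetic a C parser might use for a record count, alongside the check that rejects counts which would wrap. The record size and wire format are assumptions made up for the example.

```python
UINT16_MAX = 0xFFFF
RECORD_SIZE = 64          # bytes per record in the (constructed) wire format


def c_uint16(x: int) -> int:
    """Emulate C unsigned 16-bit arithmetic: values wrap modulo 2**16."""
    return x & UINT16_MAX


def plan_allocation_vulnerable(record_count: int) -> dict:
    """The vulnerable pattern: a 16-bit size is computed from an untrusted
    count, the buffer is allocated from the wrapped value, and the copy
    loop then trusts the original count."""
    needed = record_count * RECORD_SIZE                 # what the copy loop writes
    allocated = c_uint16(record_count * RECORD_SIZE)    # what malloc() receives
    return {"needed": needed, "allocated": allocated,
            "overflow_bytes": max(0, needed - allocated)}


def plan_allocation_hardened(record_count: int):
    """Hardened form: reject a count that would wrap before multiplying,
    as a C program would with `if (count > UINT16_MAX / RECORD_SIZE)`.
    Returns the byte size, or None if the message is rejected."""
    if record_count < 0 or record_count > UINT16_MAX // RECORD_SIZE:
        return None
    return record_count * RECORD_SIZE


if __name__ == "__main__":
    for count in (100, 1025):
        print(count, plan_allocation_vulnerable(count), plan_allocation_hardened(count))
```

With 1,025 records the size computation wraps to 64 bytes, so the parser allocates one record's worth of space and then copies 65,600 bytes into it; the hardened check refuses the message instead.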
Which property of a plaintext password is most effective at defeating a brute-force attack?
The length of the password. Each additional character multiplies the search space, whereas adding a symbol to a short password increases it only modestly. If the password has no complexity (if it is just two dictionary words, for instance), it may still be vulnerable to a dictionary or combinator attack. A long password may also remain vulnerable if the output space is small or if the mechanism used to hash the password is faulty (LM hashes being one example: they uppercase the password and split it into two independent 7-character halves, so a 14-character password is cracked as two 7-character ones).
Nessus
A widely used vulnerability scanner. It fingerprints the services and version information a host is running and cross-checks them against a database of known software vulnerabilities (its plugin feed), reporting findings by severity. Credentialed scans can additionally check installed patches and configuration from inside the host.
Maximum tolerable downtime (MTD)
The longest period of time a business can be inoperable without causing irrevocable business failure.
Recovery Point Objective (RPO)
The longest period of time that an organization can tolerate lost data being unrecoverable, measured backward from the point of failure. It sets the maximum interval between backups: an RPO of 24 hours, for instance, means losing up to a day of data is acceptable, so backups must run at least daily.
How does MTD relate to availability?
The maximum tolerable downtime (MTD) metric expresses the availability requirement for a particular business function.
code signing
The method of using a digital signature to ensure the source and integrity of programming code.
You are advising a company about backup requirements for a few dozen application servers hosting tens of terabytes of data. The company requires online availability of short-term backups, plus offsite security media and long-term archive storage. The company cannot use a cloud solution. What type of on-premises storage solution is best suited to the requirement?
The offsite and archive requirements are best met by a tape solution, but the online requirement may need a RAID array, depending on speed. The requirement is probably not large enough to demand a storage area network (SAN), but could be provisioned as part of one.
Port range (-p)
By default, Nmap scans the 1,000 most commonly used TCP ports, as ranked in its nmap-services data file. Use the -p argument to override this: -p 22,80,443 scans the listed ports, -p 1-1024 a range, -p- all 65,535 ports, and -p U:53,T:22 mixes UDP and TCP ports (UDP ports are only probed when a UDP scan such as -sU is also requested).
EAP-Tunneled TLS (EAP-TTLS)
A tunneled EAP method in which the server authenticates to the client with a certificate to establish a TLS tunnel, and the client's credentials are then sent inside that tunnel. Unlike PEAP, the inner authentication can be any protocol, not only an EAP method, so legacy mechanisms such as PAP or CHAP can be protected. Clients must validate the server certificate, or a rogue access point can harvest the inner credentials.
chosen ciphertext attack
An attack model in which the adversary can submit ciphertexts of their choosing to a decryption oracle and observe the resulting plaintext or error behavior, using what is learned to decrypt other messages or recover the key. Padding-oracle attacks against CBC mode are the practical example: modifying ciphertext bytes and watching whether decryption reports a padding error leaks plaintext one byte at a time. Authenticated encryption (such as AES-GCM) defeats this by rejecting any modified ciphertext before it is decrypted.
Private
Cloud infrastructure that is completely private to the organization, whether it owns and hosts the infrastructure itself or has a third party operate it exclusively on its behalf. In this case, there is likely to be one business unit dedicated to managing the cloud while other business units make use of it. With private cloud computing, organizations can exercise greater control over the privacy and security of their services. This delivery method is geared more toward banking and governmental services that require strict access control in their operations.
Threat data
Data, usually delivered as a machine-readable feed, that lets an organization correlate events observed on its own networks and in its logs with known TTPs and threat actor indicators such as IP addresses, domains, and file hashes.
EAP with Flexible Authentication via Secure Tunneling (EAP-FAST)
is similar to PEAP, but instead of using a certificate to set up the tunnel, it uses a Protected Access Credential (PAC), which is generated for each user from the authentication server's master key. The problem with EAP-FAST is distributing (provisioning) the PAC securely to each user requiring access. The PAC can be distributed via an out-of-band method or via a server with a digital certificate (but in the latter case, EAP-FAST offers little advantage over PEAP). Alternatively, the PAC can be delivered via an anonymous Diffie-Hellman key exchange. The problem here is that nothing authenticates the access point to the user: a rogue access point could obtain enough of the user's credential during provisioning to perform an offline password-cracking attack with a tool such as asleap.
Boot attestation
is the capability to transmit a boot log report signed by the TPM via a trusted process to a remote server, such as a network access control server. During measured boot, each component (firmware, boot loader, kernel, drivers) is hashed into the TPM's platform configuration registers (PCRs) before it runs; the TPM then signs a quote of the PCR values with its attestation key, together with a nonce from the server so the report cannot be replayed. The server replays the boot log, checks that it reproduces the signed PCR values, and compares them with known-good values for signs of compromise, such as the presence of unsigned drivers. The host can be prevented from accessing the network if it does not meet the required health policy or if no attestation report is received.
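An added simulation (not from the study guide) of the attestation flow: PCR extension as the TPM performs it, a device-side quote over the PCRs and a server nonce, and the verifier's replay-and-compare logic. One assumption is labeled in the code: an HMAC with a shared key stands in for the TPM's asymmetric signature with its attestation key, since the point here is the log-versus-PCR check rather than the signature algorithm. The boot logs and PCR index assignments are constructed for the example.

```python
import hashlib
import hmac

PCR_SIZE = 32   # SHA-256 bank


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(current: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: new = H(old || measurement). PCRs can only be extended,
    never set, so the final value commits to the whole ordered sequence."""
    return sha256(current + measurement)


def replay_event_log(event_log) -> dict:
    """Recompute every PCR from a boot event log of (pcr_index, digest)."""
    pcrs = {}
    for index, digest in event_log:
        pcrs[index] = pcr_extend(pcrs.get(index, bytes(PCR_SIZE)), digest)
    return pcrs


def pcr_composite(pcrs: dict) -> bytes:
    return sha256(b"".join(pcrs[i] for i in sorted(pcrs)))


# Assumption for this example: an HMAC with a shared key stands in for the
# TPM's signature with its attestation key (AK); a real quote is an
# asymmetric signature that the verifier checks with the AK's public key.
AK_KEY = b"demo-attestation-key"


def tpm_quote(pcrs: dict, nonce: bytes) -> bytes:
    """Device side: sign the PCR composite together with the server's nonce
    (the nonce stops an old quote from being replayed)."""
    return hmac.new(AK_KEY, nonce + pcr_composite(pcrs), "sha256").digest()


def verify_attestation(reported_log, quote_sig: bytes, nonce: bytes, golden: dict) -> str:
    """Server side (e.g. a NAC server): replay the reported log, check that
    it reproduces the PCRs the TPM signed, then compare against known-good
    values before allowing the host onto the network."""
    pcrs = replay_event_log(reported_log)
    expected = tpm_quote(pcrs, nonce)
    if not hmac.compare_digest(expected, quote_sig):
        return "quote mismatch"           # log was edited or quote replayed
    bad = sorted(i for i, g in golden.items() if pcrs.get(i) != g)
    return "healthy" if not bad else f"PCR mismatch: {bad}"


# Constructed boot logs (not from the page). PCR indexes are illustrative;
# UEFI assigns firmware, boot loader, and boot policy to fixed registers.
GOOD_LOG = [
    (0, sha256(b"firmware 1.2")),
    (4, sha256(b"bootloader")),
    (4, sha256(b"kernel 5.15")),
    (7, sha256(b"vendor driver (signed)")),
]
TAMPERED_LOG = GOOD_LOG + [(7, sha256(b"rootkit driver (unsigned)"))]
GOLDEN = replay_event_log(GOOD_LOG)      # recorded from a known-good boot
NONCE = b"nonce-0001"


def attest(real_log, reported_log) -> str:
    """Simulate one round: the TPM quotes the PCRs the machine really
    reached (`real_log`); the host reports `reported_log` to the server."""
    quote_sig = tpm_quote(replay_event_log(real_log), NONCE)
    return verify_attestation(reported_log, quote_sig, NONCE, GOLDEN)


if __name__ == "__main__":
    print(attest(GOOD_LOG, GOOD_LOG))            # healthy
    print(attest(TAMPERED_LOG, TAMPERED_LOG))    # PCR mismatch: [7]
    print(attest(TAMPERED_LOG, GOOD_LOG))        # quote mismatch
```

The third case is the one that matters for the NAC policy: a compromised host that strips the unsigned driver from the log it reports cannot make that log reproduce the PCR values the TPM actually signed, so the edit is detected even though the log itself is unauthenticated.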
residual risk
is the likelihood and impact after specific mitigation, transference, or acceptance measures have been applied.
Exposure Factor (EF)
is the percentage of the asset value that would be lost in a single occurrence of a particular risk. It feeds quantitative risk analysis: single loss expectancy (SLE) = asset value (AV) × EF, and annualized loss expectancy (ALE) = SLE × annualized rate of occurrence (ARO).
Recovery time objective (RTO)
is the maximum period following a disaster that an individual IT system may remain offline, in other words the time allowed to restore it to operation. The RTO for each system must fit within the maximum tolerable downtime (MTD) of the business function it supports.
Continuous integration (CI)
is the principle that developers should commit and test updates often—every day or sometimes even more frequently. This is designed to reduce the chances of two developers spending time on code changes that are later found to conflict with one another.
Provisioning
is the process of deploying an application to the target environment, such as enterprise desktops, mobile devices, or cloud infrastructure. An enterprise provisioning manager might assemble multiple applications in a package. Alternatively, the OS and applications might be defined as a single instance for deployment on a virtualized platform.