SECURITY+ SY0-601 STUDY SET from Mike Myer's Book
In a DoS attack, a malicious user can send a continuous stream of rapid ping attempts, called a _______________ The host is then overloaded by having to reply to every ping, rendering it unable to process legitimate requests.
"ping of death."
Port number for LDAP (Active Directory)
389
One key security control that can be used is a port-based authentication system, such as the IEEE standard __________. This standard provides for port-based authentication and can be used on both wired and wireless networks.
802.1X
A web services provider wants to improve its security through the implementation of two-factor authentication. What would be the most likely authentication method? A. TOTP B. SIEM C. TACACS D. LDAP
A
After a few incidents where customer data was transmitted to a third party, your organization is required to create and adhere to a policy that describes the distribution, protection, and confidentiality of customer data. Which of the following policies should your organization create? A. Privacy B. Due care C. Acceptable use D. Service level agreement
A
After a user is identified and authenticated to the system, what else must be performed to enable the user to use a resource? A. Authorization B. Authentication by token C. Encryption of network access D. Biometric scan
A
Air-gapped systems and devices have no network connectivity with anything. A True B False
A
Alex has already implemented a password expiration and rotation policy that forces his organization's users to change their password every 60 days. However, he is finding that many users are simply using their same password again. Which of the following can Alex implement to improve security? A. Password history B. Password complexity C. Password lockout D. Password expiry
A
An organization's __________ must also contain information on succession planning for key employees. A. Disaster recovery plan B. Incident response plan C. Communication plan D. Lessons learned
A
Before you install any update or patch onto networked systems, install and test it on a test host in a lab environment. A True B False
A
Bobby is tasked with creating a high-security authentication system for physical access control to a military installation. Which of the following authentication systems would be most appropriate? A. Smart card and PIN B. Security badge and guard C. Biometric eye scanner D. Username and password
A
Bobby is the network administrator for a company whose users are streaming too much video and using up the company's valuable bandwidth resources. Which technology would be best for Bobby to implement to help save resources? A. Content/URL filter B. Anti-spam filter C. Protocol analyzer D. IDS
A
Cuckoo, available for Unix- and Linux-based systems, is an automated malware analysis tool that provides a sandboxed environment where an analyst can safely execute Windows, Unix, macOS, and even Android malware and receive a report regarding the behavior of the malware when executed. A True B False
A
Lauren must install and secure her organization's Internet services, including web, FTP, and e-mail servers, within the current network topology, which uses a network firewall to protect the organization's internal networks. In which security zone of the network should Lauren install these servers to isolate them from the Internet and the organization's internal networks? A. Screened subnet B. VLAN C. Internal network D. Intranet
A
On a mobile device, __________ allow(s) more performance-intensive applications to execute within their own segment to improve performance. A. Storage segmentation B. VDI C. Remote access controls D. MDM
A
System architecture diagrams should never be displayed or stored in a public area, especially if they contain system IP addresses and other information hackers can use to compromise a network. A True B False
A
To improve the integrity and authentication of your encryption systems, you have contacted a CA to generate which of the following items for you? A. Digital certificate and public/private key pair B. Public key and a private hash C. Private key and a certificate D. Secret key for the local encryption server
A
Tom wants to replace his company's "plain old telephone service" (POTS) with an integrated, network-enabled phone system. What is this type of system called? A. VoIP B. Narrowband C. Smartphone D. BYOD
A
Users must ensure that they lock and password-protect their workstation sessions whenever they are away from their desk. A True B False
A
When an employee leaves the company, his/her account should be immediately disabled. A True B False
A
Which file-manipulation command is used to print lines that match patterns? A. grep B. cat C. head D. chmod
A
Which of the following types of wireless attacks utilizes a weakness in WEP key generation and encryption to decrypt WEP encrypted data? A. IV attack B. War driving C. PSK attack D. Eavesdropping
A
You are creating a standard security baseline for all users who use company mobile phones. Which of the following is the most effective security measure to protect against unauthorized access to the mobile device? A. Enforce the use of a screen lock password. B. Enable the GPS chip. C. Install personal firewall software. D. Automatically perform a daily remote wipe.
A
You are creating an access control model that will allow you to assign specific access policies depending on which network a user is on and not necessarily on the actual identity of the specific user. Which privilege management access control model would you use? A. Rule-based access control B. Discretionary access control C. Attribute-based access control D. Mandatory access control
A
You need to create an overall policy for your organization that describes how your users can properly make use of company communications services, such as web browsing, e-mail, and File Transfer Protocol (FTP) services. Which of the following policies should you implement? A. Acceptable use policy B. Due care C. Privacy policy D. Service level agreement
A
__________ is the design of a database to remove redundancies and improve integrity through simplification of the design. A. Normalization B. Anonymization C. Masking D. Obfuscation
A
_____________ is the process of logging users' activities and behaviors, the amount of data they use, and the resources they consume.
Accounting
____________ is a type of network attack in which the ARP cache of systems on the network is modified to associate an IP address with the MAC address of the attacker's system.
Address Resolution Protocol (ARP) poisoning
An __________ is an adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors.
Advanced persistent threat (APT)
____________________ and spyware are a subset of software known as ____________________, potential threats that are not always considered security risks but are still generally considered unwelcome.
Adware (advertising software) / potentially unwanted programs (PUPs)
The ______________ methodology of SDLC is iterative in nature and utilizes teams to deliver earlier and continuously improve more rapidly than the Waterfall development method.
Agile software development
________________ prevent unauthorized applications from executing by checking each potential execution against a list of applications that have been granted execution rights.
Application approved lists (also known as allow lists and whitelists)
______________ are designed to make detection and reverse engineering difficult and time consuming, either through obfuscation or through substantial amounts of confusing code to hide the actual virus code itself. *While armored viruses are often quite good at what they are designed to do, they are significantly larger than necessary, which makes their presence easier to detect.
Armored viruses
________________ describes how an electronic signal becomes weaker over greater distances. This applies to both cable and wireless signals.
Attenuation
_________________ applies attributes to subjects and objects and allows or disallows access to objects based on their attributes.
Attribute-based access control (ABAC)
________________ is the process of validating the user's identification.
Authentication
_________________ is the act of granting permission to an object, such as a network share.
Authorization
________________ ensures that your systems and networks are always operational and providing service to users, minimizing downtime when patching or scanning. Ex: Implementation of a cold, warm, or hot site, and RAID.
Availability
A company insider decides to steal data and sell it to a competitor that is offering a large amount of cash. Which of the following terms describes the insider? A. Threat B. Threat actor C. Vulnerability D. Risk actor
B
A few systems have been infected with malware; log analysis indicates the users all visited the same legitimate website to order office supplies. What is the most likely attack the users have fallen victim to? A. Replay B. Watering hole C. ARP poisoning D. Domain kiting
B
A web server recently crashed because of a denial-of-service attack against it. Based on the order of volatility, which of the following pieces of evidence would you preserve first? A. Website data B. Screen capture of crash error message C. Printout of web access logs D. Web server configuration files
B
After creating a heat map of a specific floor of his building, Rich realizes that two of the farthest offices on his floor have very poor signal strength. Which of the following actions can Rich perform to provide the best solution to increase signal strength to that part of the building? A. Disable encryption to speed up the network B. Add another wireless access point C. Change from channel 1 to channel 6 D. Disable authentication
B
An __________ creates, maintains, and manages identity information for an organization. A. Identity manager B. Identity provider C. Identity validator D. Identity authority
B
Antivirus software may NOT be able to identify which of the following? A. Trojans B. Logic bombs C. Polymorphic viruses D. Adware
B
Apple's Face ID is an example of using what? A. VDI B. Biometrics C. Containerization D. Segmentation
B
As part of your security baselining and OS hardening, you want to make sure that you protect your organization from vulnerabilities in its operating system software. Which one of the following tasks should you perform? A. Update antivirus signature files. B. Install any patches or OS updates. C. Use an encrypted file system. D. Use a host-based intrusion detection system.
B
Barbara needs to destroy a set of sensitive printed documents. Her management tasks her to find the most secure solution, as shredding is not up to standard. Which of the following is the best option? A. Degaussing B. Pulverizing C. Washing D. Wiping
B
During a denial-of-service attack, a network administrator blocks the source IP address with the firewall, but the attack continues. What is the most likely cause of the problem? A. The denial-of-service worm has already infected the firewall locally. B. The attack is coming from multiple distributed hosts. C. A firewall can't block denial-of-service attacks. D. Antivirus software needs to be installed.
B
During testing of a web application, you discover that due to poor input validation, you can easily crash the server by entering values in the input forms much greater than the system can handle. What type of vulnerability is this? A. Session hijacking B. Buffer overflow C. Privilege escalation D. XML injection
B
During your user awareness training, which of the following actions would you advise users to take as the best security practice to help prevent malware installation from phishing messages? A. Forward suspicious messages to other users B. Do not click links in suspicious messages C. Check e-mail headers D. Reply to a message to check its legitimacy
B
Kevin, a college professor researching viruses, sets up a server within his campus lab without notifying the college's IT department. He doesn't want to lock the system down with security controls that could possibly slow his analysis. What is the best term to describe Kevin's new computer? A. Attack surface B. Shadow IT C. Noncompliance D. Impact
B
Lauren is performing a vulnerability assessment for a web server. Which of the following tools should she use to determine what active ports, protocols, and services are running? A. Wireshark B. Nmap C. Honeypot D. Banner Grabber
B
Negative company financial information was carelessly thrown in the trash bin without being shredded, and a malicious insider retrieved it and posted it on the Internet, driving the stock price down. The CEO wants to know what happened—what was the attack? A. Smishing B. Dumpster diving C. Prepending D. Identity fraud
B
New management has decided to test the security of the existing network infrastructure implemented by the current network administrators. Which of the following should be performed to provide the most objective and useful test of your security controls? A. Hire a real hacker to attack the network. B. Perform third-party penetration testing. C. Perform penetration testing by the network administrators. D. Initiate an external denial-of-service attack.
B
OCSP __________ improves upon the original OCSP efficiency by including a time-stamped, signed response with the TLS/SSL handshake. A. pinning B. stapling C. assigning D. synchronization
B
Post-incident, Alex has identified an affected host that needs to be separated from the general population of users and hosts on the network. Which of these is her best approach? A. Remediation B. Isolation C. Environment D. Capabilities
B
SAML implementations have three basic roles: the identity, the identity provider, and the __________. A. Internet provider B. service provider C. authentication provider D. authorization provider
B
Sam's manager is fed up with managing the dozens of service providers across the corporate portfolio and tasks Sam with finding the best way to provide a seamless view to the corporation's users. What is the best option? A. Security information and event management (SIEM) B. Services integration and management (SIAM) C. Microservices D. Managed service provider (MSP)
B
The __________ determines what data will be collected and how it will be used within an organization. A. Data steward B. Data controller C. Data processor D. Data protection officer
B
There is a suspicion that Tom, a systems administrator, is performing illegal activities on your company's networks. To gather evidence about his activities, which of the following principles and techniques could you employ? A. Password rotation B. Mandatory vacation C. Need-to-know D. Separation of duties
B
Which of the following IPSec protocols is used to provide authentication and integrity for an entire IP packet? A. Encapsulating Security Payload (ESP) B. Authentication Header (AH) C. Internet Key Exchange (IKE) D. Internet Security Association and Key Management Protocol (ISAKMP)
B
Which of the following is not commonly used to secure a database? A. Salting B. Synchronization C. Tokenization D. Hashing
B
Which of the following is the most dangerous type of finding because it can actually mean that a potential vulnerability goes undetected? A. False positive B. False negative C. False flag D. False scan
B
You have been tasked with contacting your CA and revoking your company's current web server certificate. Which of the following is the most likely reason to revoke the certificate? A. You renewed your certificate after it expired. B. The previous network administrator who created the certificate was fired. C. You installed a new web server. D. Your current certificate expires in less than 30 days.
B
You have sent your friend a secret, encrypted message. The key you used to encrypt the message is the same key with which your friend will decrypt the message. What type of encryption scheme is used? A. Asymmetric B. Symmetric C. RSA D. Diffie-Hellman
B
Your organization has several home users with Internet access who require remote access to your organization's network. Which of the following remote access and authentication technologies would be the most secure? A. Dial-up access to a Kerberos server B. A VPN authenticated to a RADIUS server C. Telnet access to a local password database D. Wireless access to an LDAPS server
B
Your web application currently checks authentication credentials from a user's web browser cookies before allowing a transaction to take place. However, you have had several complaints of identity theft and unauthorized purchases from users of your site. Which of the following is the mostly likely cause? A. Cross-site scripting B. Session hijacking C. Header manipulation D. Lack of encryption
B
Which of the following are advantages to employing security guards in a facility? (Choose two.) A. CCTVs can be in places where guards cannot always be. B. Guards can make split-second decisions during security incidents. C. The vast majority of facility security issues can be handled by well-trained guards. D. Guards are not susceptible to social engineering.
BC
_______________ are named as such as a loose analogy to the birthday paradox, stating that if you have 23 people in a room, the probability that two or more of them share the same birthdate (without the year) is 50 percent.
Birthday attacks
_____________ infect the boot sector or partition table of a disk which is used by the computer to determine which operating systems (OSs) are present on the system to boot.
Boot sector viruses
A __________ system is often used to control utilities, automated systems, and machinery of all sorts. A. sensor B. wearable C. SCADA D. smart meter
C
A(n) __________ tracks different types of data elements, most commonly risk factors and risk scenarios. It might also include data that describes different technical or management findings contributing to the risk, as well as threats, vulnerabilities, assets, likelihood, and impact data. A. Acceptable use policy B. Business continuity plan C. Risk register D. Risk matrix
C
According to the Diamond Model of Intrusion Analysis, which of the following is not a component of an attack? A. Victim B. Adversary C. Environment D. Capabilities
C
As a managed service provider responsible for Internet-based application services across several external clients, which of the following policies does your organization provide to clients as an agreement for service uptime? A. Code of ethics B. Privacy C. SLA D. Due care
C
As part of your application-hardening process, which of the following activities helps to prevent existing vulnerabilities in applications from being exploited? A. Exception handling B. Fuzzing C. Updating to the latest software version or patch D. Escaping
C
Bobby must ensure that power is always available, 24/7, for a critical web and database server that accepts customer orders and processes transactions. Which of the following devices should Bobby install? A. Power conditioner B. UPS C. Power generator D. Redundant power supply
C
How should lighting installed along a perimeter fence be programmed? A. To activate when someone approaches the fence B. To activate only when alarms detect an intruder C. To activate between dusk and dawn D. To be turned on 24 hours a day
C
SAN storage security often implements the concept of __________, which allows segmentation of data by classifications and restriction of that data by device. A. masking B. encryption C. zones D. tokenization
C
The __________ process in Windows 10 uses the UEFI and a trusted platform module to provide a more secure boot process, also allowing for boot attestation. A. Boot management B. Secure boot C. Measured boot D. Safe mode
C
Which of the following is a Windows and Linux tool that can be used to conduct both ping sweeps and port scans, as well as acting as a packet builder? A. nmap B. Nessus C. hping D. tcpdump
C
Which of the following is not a control function? A. Deter B. Detect C. Destroy D. Compensate
C
Which of the following is not a step of the incident response process? A. Eradication B. Preparation C. Formulation D. Lessons learned
C
Which of the following is used in Linux to analyze logs generated by journald? A. syslog B. sFlow C. journalctl D. rsyslog
C
Which of the following terms describes the level of harm that results from a threat exploiting a vulnerability? A. Attack B. Likelihood C. Impact D. Risk
C
You are tasked with setting up a single sign-on authentication system for a large enterprise network of 5000 users. Which of the following is the best option? A. Local login and password database B. Login and password with a security token C. Authenticated access to an LDAP database D. Smart card with PIN number
C
You have been contacted by your company's CEO after she received a personalized but suspicious e-mail message from the company's bank asking for detailed personal and financial information. After reviewing the message, you determine that it did not originate from the legitimate bank. Which of the following security issues does this scenario describe? A. Dumpster diving B. Phishing C. Whaling D. Vishing
C
You need to look up the details of a certificate that was revoked. Where can you find this information? A. Certificate expiry list B. Registration suspension list C. Certificate revocation list D. Registration expiry list
C
Your organization wants you to implement an encryption system that ensures that the sender and receiver of the encrypted message use different keys for encryption and decryption. Which type of encryption scheme would you use? A. Elliptical-curve B. Quantum C. Asymmetric D. Symmetric
C
Your web server is being flooded by a denial-of-service attack. Using a network analyzer, you see that IP broadcast replies are being sent back to the address of your server from multiple addresses. Which type of network attack is this? A. On-path B. Back door C. Smurf D. DNS poisoning
C
__________ is a term that is similar to jailbreaking but is Android specific. A. Segmentation B. Virtualization C. Rooting D. Wiping
C
Which of the following are control categories? (Choose all that apply.) A. Mitigation B. Recovery C. Operational D. Managerial
CD
_________________ are designed to halt a user before accessing a wireless network by trapping packets until a web browser is opened, where the portal opens for entering credentials or payment information.
Captive portals
____________ is similar to another attack, URL redirection, in that both often redirect to a malicious site that attempts to gain credentials, but URL redirection often comes in the form of a phishing email that redirects from a legitimate site to a malicious site, while clickjacking incorporates hidden, invisible, or false elements.
Clickjacking
___________________ compensate for weaknesses or inherent flaws within other controls or a lack of controls, such as regularly scheduled third-party review of logs based on an inability to enable proper separation of duties across system administrators.
Compensating controls
____________ prevents sensitive and private data from being intercepted or read by unauthorized users. Ex: Using encryption
Confidentiality
_____________________ correct back to a trusted or "known-good" state; an example is regularly tested backups limiting the time a critical database is offline.
Corrective controls
______________ is a type of attack that relies on the ability to use a user's current web browsing state, including session cookie data and login identity credentials, and trick that user into navigating to a website that contains malicious code.
Cross-site request forgery (CSRF)
______________ is a type of website application vulnerability that allows malicious users to inject malicious code into dynamic websites that rely on user input. Ex: A search engine website or user message forum that utilizes user input.
Cross-site scripting (XSS)
A security patch for your OS was released about a week after you applied the latest OS service pack. What should you do? A. Wait until the release of the next full service pack. B. Download the patch only if you experience problems with the OS. C. Do nothing—the security patch was probably included with the service pack. D. Download and install the security patch.
D
AJ's company is in the middle of budgeting for disaster recovery. He has been asked to justify the cost for offsite backup media storage. Which of the following reasons should he offer as the primary security purpose for storing backup media at an offsite storage facility? A. So that the facility can copy the data to a RAID system B. So that if the primary site is down, the offsite storage facility can reload the systems from backup C. For proper archive labeling and storage D. To prevent a disaster onsite from destroying the only copies of the backup media
D
AJ's management tasks him with determining the right reliability factor to track for the company's new engines. The management wants to know how long they can expect the engine to last before failure, with the expectation that it will then be replaced. What is the best reliability factor? A. Recovery point objective (RPO) B. Mean time to repair (MTTR) C. Mean time between failures (MTBT) D. Mean time to failure (MTTF)
D
An executive is traveling with his laptop computer to a conference. The contents of his laptop contain very confidential product information, including development specifications and product road maps. Which of the following techniques can be implemented to protect the confidentiality of the data on the laptop? A. Make sure all software is up to date. B. Password-protect the laptop BIOS. C. Move the confidential documents to a USB key. D. Encrypt the hard drive using a TPM.
D
As part of a risk analysis of a very large and extensive back-end database, you need to calculate the probability and impact of data corruption. Which of the following impact factors allows you to calculate your annualized losses due to data corruption? A. SLE B. SLA C. ARO D. ALE
D
Bobby's management has asked him to explore an alternate site solution that can be operational somewhat quickly when needed but does not require duplication of the primary network. What is the best solution? A. Hot site B. Cold site C. Mobile site D. Warm site
D
Max's organization is growing fast, and the number of clients and devices on the organization's network has doubled in size over the last year. Max has been tasked with partitioning the network. Which of the following would best help partition and secure the network? A. MAC B. NAC C. VPN D. VLAN
D
Max, a security administrator, just received a phone call to change the password for a user in the HR department. The user did not provide verification of their identity and insisted that they needed the password changed immediately to complete a critical task. What principle of effective social engineering is being used? A. Trust B. Consensus C. Intimidation D. Urgency
D
Rowan works for a company that has had a string of incidents where weak employee passwords have been hacked through brute-force methods and then used by unauthorized users to gain access to the network. Which of the following security policies would be best for Rowan to implement to prevent brute-force hacking attempts on employee passwords? A. Password rotation B. Password length and complexity restrictions C. Password expiration D. Password lockout
D
Tara is installing a wireless network in a manufacturing facility. Which of the following aspects of the wireless network should she concentrate on to prevent security issues with EMI? A. Use of WPA3 encryption B. Use of 802.11g or 802.11n C. Network name D. WAP and antenna placement
D
Threat hunting can be partially automated through the use of which tool? A. Security information and event manager (SIEM) B. Anti-malware scanner C. Vulnerability scanner D. Security orchestration, automation, and response (SOAR)
D
Tim has set up a wireless network for his small office of 50 users. Which of the following encryption protocols should he implement to ensure the highest level of encryption security? A. WAP B. WPA C. WEP 128 bit D. WPA3
D
Tom is looking for a single tool that aggregates all the different data points from the network, including network alerts, packet capture, user behavior and sentiment analyses, data inputs, log files, and physical security logs, from every host on the network. What is the best option? A. Anti-malware scanner B. Vulnerability scanner C. Port scanner D. SIEM solution
D
What is the term for "data about data" that provides a rich investigatory source? A. Analysis B. Logging C. Scanning D. Metadata
D
Which of the following encryption schemes would you use if your company wants to create an invisible watermark hidden within the images on its website to identify the images in case they are used by another company? A. One-time pad B. Elliptical-curve C. One-way hash D. Steganography
D
Which of the following is not a benefit of using an access control vestibule? A. It can serve as a single controlled entry point into a facility. B. It can assist with positive identification and authentication of individuals entering the facility. C. It can prevent unauthorized individuals from entering a secure facility. D. It can protect individual information systems from unauthorized access.
D
Which of the following is not a standard classification for private or sensitive data? A. Public B. Confidential C. Proprietary D. Consensual
D
While testing exception handling with a web application, you encounter an error that displays a full URL path to critical data files for the application. Which one of the following types of vulnerabilities would this application be susceptible to? A. Buffer overflow B. Session hijacking C. Cross-site scripting D. Directory traversal
D
You are collecting forensic evidence from a recent network intrusion, including firewall logs, access logs, and screen captures of the intruder's activity. Which of the following concepts describes the procedures for preserving the legal ownership history of evidence from the security incident? A. Damage control B. Audit trail C. Escalation D. Chain of custody
D
You have encrypted an e-mail message because you want to ensure that it is read only by the recipient. A hacker has intercepted the message. When the hacker views the message, what does he see? A. The plaintext of the e-mail B. The one-way hash of the message C. The recipient's certificate information D. Ciphertext
D
You have received a call from the legal department to halt regular operations due to pending litigation by a disgruntled former employee. What is this called? A. Data collection B. Litigation review C. Legal policy D. Legal hold
D
You suspect that your server has been compromised because it has been running slowly and is unresponsive. Using a network analyzer, you also notice that large amounts of network data are being sent out from the server. Which of the following is the most likely cause? A. The server has a rootkit installed. B. The server requires an operating system update. C. The server is infected with spyware. D. The server is part of a botnet.
D
A ________________ uses publicly accessible Domain Name System servers to conduct a DDoS on a victim server by flooding the system with the DNS response traffic.
DNS amplification attack
The __________ technique takes advantage of a DNS server's tables of IP addresses and hostnames by replacing the IP address of a host with another IP address that resolves to an attacker's system.
DNS poisoning
___________________, often referred to as mobile sandboxing, creates containers within a mobile device that separate different types of data from each another, such as corporate and personal data. This is often used in BYOD.
Data containerization
_____________________ is the concept of using security and content control features to prevent confidential, private data from leaving your organization's networks.
Data loss prevention (DLP)
_____________ obfuscates sensitive data by substituting it with a different value ("dummy" value.)
Data masking
_____________ detect and characterize events or irregularities as or after they occur, such as internal or external audits conducted on a non-notice basis.
Detective controls
_______________________ deter and discourage an event from taking place (for example, roaming security guards and cameras placed around the facilities that are continuously monitored by personnel).
Deterrent controls
The ______________ isn't an actual encryption algorithm: It's a key agreement protocol that enables users to exchange encryption keys over an insecure medium.
Diffie-Hellman Exchange (DHE)
________________ is a type of access vulnerability that enables a hacker to actually navigate the website directory tree through the URL, via ../ on a Unix system or ..\ on a Windows system, to go to the parent directory.
Directory traversal
________________ enables data creators and owners to specify which users can access certain data.
Discretionary access control (DAC)
The _____________ provides a way to translate Internet domain names into IP addresses.
Domain Name System (DNS)
_____________ guarantees that in the event of a security issue by an employee, the employee receives an impartial and fair inquiry into the incident to ensure the employee's rights are not being violated.
Due process
As part of corporate espionage, some companies hire private investigators to examine garbage dumpsters of a target company, and these investigators try to discover any proprietary and confidential information. This is called __________________.
Dumpster diving
__________ are rogue access points set up to mimic a legitimate WiFi network. An unsuspecting user could connect and make an online purchase using her banking or credit card details, which are then stolen by the hacker for the purposes of identity theft and fraud.
Evil twins
__________ is a dynamic technique that can help test input validation and error/exception handling by entering random, unexpected data into application fields to see how the software program reacts.
Fuzzing
_______________ utilize cyber means for social or political reasons. Anonymous is probably the most famous of these.
Hacktivists
_________________ involves disabling or removing services that are not required by the system.
Hardening
______________________ continuously trains on network behavior.
Heuristic-based security monitoring
___________________, also referred to as identify proofing, is the process of presenting valid credentials to the system for identification and further access.
Identification
________________________ is when a social engineer calls a helpdesk operator, who claims to be a high-level user, and demands that the operator reset the user's password immediately so that the user can complete an important task.
Impersonation
____________ refers to the security principle of starting a user out with no access rights and granting permissions to resources as required.
Implicit deny
Steps: 1) Preparation 2) Identification 3) Containment 4) Eradication 5) Recovery 6) Lessons Learned
Incident Response Process
_______________ is a method of protecting information and information systems by providing confidentiality, integrity, authentication, nonrepudiation, and obfuscation.
Information assurance
_____________ provides the ability to quickly stand up virtual machines (VMs), storage devices, and other infrastructure that would otherwise require the purchase of physical devices.
Infrastructure as a Service (IaaS)
_________________ refers to the process of coding applications to accept only certain valid input for user-entered fields.
Input validation
_________ may be the most dangerous type of threat actor of them all due to being employees, contractors, or other privileged parties having the access inherent to their position.
Insiders
______________ ensures that your data is consistent and never modified by unauthorized persons or manipulated in any intentional or accidental manner. Ex: Common methods of ensuring integrity are hashing, digital signatures, and certificates.
Integrity
________________ provides improved security because no employee retains the same amount of access control for a position indefinitely. This prevents internal corruption by employees who might otherwise take advantage of their long-term position and security access.
Job rotation
___________ is a network authentication protocol, prominently used in Microsoft Windows Active Directory (AD) implementations. It uses Ticket Granting Tickets to authenticate.
Kerberos
__________________ log a user's keystrokes for various purposes, either via hardware or software means.
Keyloggers
_________________ are the high-level risk management, assessment, and mitigation plans that define your overall organization security. Ex: Common managerial controls include administrative policies, procedures, and plans and management programs.
Managerial risk controls
_______________ is the average length of time a specific component is expected to work until it fails.
Mean time between failures (MTBF)
_____________ is the length of time that a component is expected to last in regular service.
Mean time to failure (MTTF)
_________________ is the average length of time from the moment a component fails until it is repaired.
Mean time to repair (MTTR)
The __________________ is a unique "calling card" identifying a specific network card.
Media Access Control (MAC) address
_________________ are common within the government sector and relate terms of cooperation between two organizations seeking a common goal, such as a joint continuity of operations site.
Memorandums of agreement and understanding (MOA/MOU)
_______________ is the strongest form of user authentication and involves a combination of a physical item, such as a smart card, token, or biometric factor, and a nonphysical item, such as a password, passphrase, or PIN.
Multifactor authentication (MFA)
________________ combine the traditional capabilities of a firewall to block traffic at the perimeter with more active NIDS/NIPS technologies, as well as being application aware, meaning that they catalog applications approved for use within the network and examine traffic passing to and from them and can "learn" new applications as they are added to the network.
Next-generation firewalls (NGFWs)
_________________ are often utilized when an employee, or even a third-party vendor or supplier, requires access to sensitive or proprietary information, information that could provide an advantage to a competitor, or, in the case of federal agencies or contractors, harm national security.
Nondisclosure agreements (NDAs)
_______________ is the term used to describe the inability of a person to deny or repudiate an action they performed, the origin of a signature or document, or the receipt of a message or document.
Nonrepudiation
__________________ provides security through obscurity, meaning that data is modified to make it unreadable to a human or a program trying to use it. Ex: Using your credit card and they "X" out all the numbers except for the last four numbers.
Obfuscation
The ___________________ was developed as a more resource-efficient alternative to CRLs.
Online Certificate Status Protocol (OCSP)
___________________ refers to keeping the OS and applications current through regular updates and critical software patches and removing unnecessary software services from the system.
Operating system hardening
_____________ is a social engineering technique that misdirects a user to an attacker's website without the user's knowledge, usually by manipulating the Domain Name Service (DNS) on an affected server or the hosts file on a user's system. While much like phishing, where a user may click a link in a seemingly legitimate e mail message that takes him to an attacker's website, pharming differs in that it installs code on the user's computer that sends them to the malicious site, even if the URL is entered correctly or chosen from a web browser bookmark.
Pharming
________________ include physical access controls (perimeter fencing, security passes, and surveillance) and environmental controls (fire suppression and temperature controls).
Physical controls
____________ provides the framework of an operating system and associated software required to perform a function
Platform as a Service (PaaS)
_______________ changes with each infection. These types of viruses were created to confuse virus-scanning programs.
Polymorphic malware
_______________ is a technique in which a social engineer creates a story, or pretext, that employs one or more of these principles to motivate victims to act contrary to their better instincts or training.
Pretexting
__________________ is a numerical calculation of the exact cost of the loss of a specific company asset because of a disaster. ___________________ considers tangible and intangible factors in determining costs.
Quantitative risk analysis / Qualitative risk analysis
___________ are a variation on a dictionary attack that, instead of trying to guess the password, use precomputed hashes (called rainbow tables) developed by software that can process huge lists of words and spit out their hash, which is then added to the rainbow table's file.
Rainbow attacks
________________, such as a crypto-locking virus, is designed to lock users out of their system until a ransom is paid. Ex: CryptoLocker and WannaCry
Ransomware
_______________ is the maximum acceptable amount of lost data due to an outage or disaster.
Recovery point objective (RPO)
______________ is the maximum amount of time that is considered tolerable for a service or certain business function to be unavailable.
Recovery time objective (RTO)
_____________ essentially creates a denial-of-service condition, because the resources that are needed to execute actions associated with an application are entirely exhausted (hence the name), leading to either an error, performance slowdown, or a denial of service.
Resource exhaustion
______________ is the level of risk that an organization is willing to take before actions are taken to reduce risk. Understanding an organization's risk appetite will help guide solutions and countermeasure recommendations.
Risk appetite
________________ is a centrally controlled model that allows access based on the role the user holds within the organization, and access control is granted to groups of users who perform a common function.
Role-based access control (RBAC)
___________________ provides enhanced granularity when specifying access control policies and indicates specifically what can and cannot happen between a user and the resource. This type of access control policy is typically defined by an access control list (ACL), such as TCP Wrappers, which specifies a set of rules that must be followed before access is granted.
Rule-based access control
_________________ takes more work to match the efficiency and effectiveness of other types of monitoring methods such as signature- and behavior-based systems.
Rule-based security monitoring
__________ is instant messaging spam, and much like the more common e-mail spam, it occurs when a user receives an unsolicited instant message from another user, including users who are known and in the user's contact list.
SPIM (spam over instant messaging)
______________, commonly referred to as demilitarized zones (DMZs), act as a buffer between the public Internet, and an internal, private network.
Screened subnets
___________ are the lowest-common-denominator threat actor; these are delinquent teenagers sitting in their parents' basement, as the ugly stereotype goes. Often their tools are "point and click" or simple scripts and have little sophistication.
Script kiddies
______________ can occur when a user's cookie for a website, which can contain session authentication credentials for a remote server, is hijacked by another user, who then uses that cookie to gain unauthorized access. *To protect it, web applications should regenerate session keys and IDs after each successful login, as to deny access to any non-legitimate user.
Session hijacking
__________ refers to networks and systems that are managed outside of the IT organization, often without the IT organization's permission or even awareness.
Shadow IT
________________ is when an unauthorized person casually glances over the shoulder of an employee as she returns to her desk and enters her username and password into the computer.
Shoulder surfing
__________________ is defined as using and manipulating human behavior to obtain a required result. It typically involves NON-TECHNICAL methods of attempting to gain unauthorized access to a system or network.
Social engineering
_________________ allows a customer to essentially lease software, such as applications and databases, thus enabling rapid rollout to the greater user community.
Software as a Service (SaaS)
_____________________ is a targeted type of phishing attack that includes information familiar to the user and appears to be from a trusted source such as a company such as a financial service that the user has used previously, a social media site such as LinkedIn, or even a specific trusted user.
Spear phishing
In _________________, the attacker sends SQL input (normally in the form of SQL database manipulation commands) to the database via an input form.
Structured Query Language (SQL) injection
Port number for POP3
TCP 110
Port number for IMAP
TCP 143
Port number for FTP
TCP 21
Port number for SSH
TCP 22
Port number for Telnet
TCP 23
Port number for SMTP
TCP 25
Port number for HTTP
TCP 80
_____________________ is one of the simpler forms of social engineering and describes gaining physical access to an access-controlled facility or room by closely following an authorized person through the security checkpoint.
Tailgating
Steps: 1) Reconnaissance - adversary researches a target. 2) Weaponization - adversary crafts malware to be used for target. 3) Delivery - adversary launches malware against target. 4) Exploitation - adversary exploits a vulnerability to gain access. 5) Installation - adversary installs a backdoor in target environment. 6) Command and Control (C2) - malware opens a command channel. 7) Actions on objectives - adversary accomplishes the mission's goal.
The Cyber Kill Chain by Lockheed Martin
1) Something you know 2) Something you have 3) Something you are
The three Multi-Factor Authentication schemes
High-security applications such as web banking use _______________ over the now-deprecated Secure Sockets Layer (SSL) to encrypt sessions, including the transfer of information in user cookies.
Transport Layer Security (TLS)
A ____________ hides on your computer system until called upon to perform a certain task. They are usually downloaded through e-mail attachments, websites, and instant messages. They are usually disguised as popular programs such as games, pictures, or music.
Trojan horse program
________________ typically combines two single-factor authentication types, such as something the user knows and something the user possesses.
Two-factor authentication
A ________________ is essentially a bare-bones operating system that runs the host machine and serves to provide the single functionality of managing the VMs installed on it.
Type 1 hypervisor
A ____________ is an application that runs on top of a more conventional operating system.
Type 2 hypervisor
Port number for DNS
UDP 53
Port number for DHCP
UDP 67
__________________ is the evolution of the traditional firewall concept into an all-in-one device designed to act as a firewall, IDS, load balancer, DLP device, and filter for spam and malware.
Unified threat management (UTM)
_________________ are important tools to protect against phishing attacks. Users must be aware that financial institutions will never ask for bank account numbers and credit card details in an e-mail to a user.
User education and awareness training
_______________ is a type of phishing attack that takes place over phone systems, most commonly over VoIP (Voice over IP) lines.
Vishing
___________ are also important for highly sensitive areas of an organization, such as the main server and telecommunications room that houses the primary system and networking equipment.
Visitor logs
The _________________ of SDLC is based on a more traditional project management model in which software development proceeds through the phases of conception, initiation, analysis, design, construction, testing, production and implementation, and maintenance.
Waterfall method
_______________ are designed to infiltrate a system or network through the exploitation of a secondary system or network. Often, the attacker inserts malware into a website that he believes the target will visit and waits for the target to be exploited via the secondary site.
Watering hole attacks
______________ is a type of phishing attack that is targeted at a specific high-level user, such as an executive.
Whaling
The ________________ defines some of the infrastructure involved in requesting, processing, and issuing a certificate.
X.509 standard
An ___________ is one of the "noisiest" scans performed simply because it uses so many nonstandard flags in combination set to "on." All the enabled flags in the TCP segment are like the lights of a Christmas tree to the scanned device It can also identify operating systems based on their response to these nonstandard options.
Xmas scan
___________________ are very difficult to defend against, but in most cases, OS and software application vendors are very responsive in patching their software in the event a new vulnerability is discovered. You must always make sure your software is running the latest version with all security patches available installed.
Zero-day attacks
An __________________ is a set of established guidelines for the appropriate use of computer networks within an organization. The AUP is a written agreement, read and signed by employees, that outlines the organization's terms, conditions, and rules for Internet and internal network use.
acceptable use policy (AUP)
An ______________ is a two-tier, physical access control method with two physical barriers, such as doors, between the person and the resource that the person is trying to access, such as a secure building, i.e. mantrap.
access control vestibule
In an ________________ scheme, everyone uses TWO different but mathematically related keys for encryption and decryption purposes. The main disadvantage of asymmetric encryption is that it can be much slower than symmetric schemes.
asymmetric encryption
In __________, an unauthorized user sends unwanted messages to another Bluetooth device in range of the originating device.
bluejacking
A more serious Bluetooth vulnerability is called ____________, where an unauthorized user connects to an unprotected Bluetooth device and access any data stored on it.
bluesnarfing
A ________ is typically any type of computer system that is attached to a network whose security has been compromised and that runs malicious software completely unknown to the system users. Botnets and their bots (often called "zombie" computers) are typically used for distributed denial-of service (DDoS) attacks.
bot
A ______________ is the most basic type of password attack. In this attack's simplest form, an attacker might repeatedly attempt to guess the user's password.
brute-force attack
In a ____________, the extra characters are malicious code that causes the program or even the entire system to crash.
buffer overflow attack
A ______________ outlines your organization's most critical functions and how they'll be affected during a disaster.
business impact analysis (BIA)
A ______________________ is an organization or entity that issues and manages digital certificates and is responsible for authenticating and identifying users who participate in the PKI.
certificate authority (CA)
When a certificate is revoked, it's placed on a CA's _________, which includes certificates that have been revoked before their expiration date by the CA.
certificate revocation list (CRL)
A _________________ requires that all evidence be properly tagged with information detailing who secured and validated the evidence, how they did so, and when they did so, and when and to whom that person transferred the evidence. This ensures the information will be admissible for court proceedings.
chain of custody
A __________________ maintains that any confidential papers, sticky notes with sensitive information, cell phones, portable devices, and removable media should be always kept in locked drawers.
clean desk space policy
________________ entails using a certificate to digitally sign executables and scripts to confirm that the software was developed by the appropriate author and has not been manipulated in any way, thus providing integrity and a measure of authenticity.
code signing
A __________ merely offers an empty facility with some basic features, such as wiring and some environmental protection, but no equipment. This is the least expensive option.
cold site
A ______________ is created when two or more organizations create a mutual cloud.
community cloud
A _______________ disguises itself as a legitimate program, using the name of a legitimate program but with a different extension. For example, a virus might be named program.com to emulate a file called program.exe.
companion virus
A ___________ is a self-contained program (or set of programs) that can self-replicate and spread full copies or smaller segments of itself to other computer systems via network connections, e-mail attachments, and instant messages. *Compare this to viruses, which cannot self-replicate, but instead depend on the sharing of their host file to spread.
computer worm
To prevent legal liabilities, companies have implemented _______________ to help reduce the possibility of legal problems arising from past messaging communications and data.
data retention policies
More effective and efficient than a brute-force attack, a _______________ uses dictionaries, or lists of common words across various types of organizations, languages, and other words that might be used for passwords, as well as common substitutions, such as using the @ symbol in lieu of the letter a.
dictionary attack
A _______________ saves only files that have been changed since the last full backup. In this method, the archive bit isn't cleared, so with each differential backup, the list of files to save grows larger each day until the next full backup.
differential backup
A company practices ____________________ by ensuring that all activities that take place in the corporate facilities are conducted in a reasonably safe manner.
due care
A company practices ________________ by implementing and maintaining these security procedures consistently to protect the company's facilities, assets, and employees.
due diligence
Through social engineering, an attacker might easily lead a user to reveal her account password or to provide personal information that might reveal her password, a technique known as ____________________.
eliciting information
Even more dangerous than a false positive, a _____________ occurs when a vulnerability indeed exists but it is not detected by the scanner.
false negative
A _____________ occurs when a vulnerability scan reports a vulnerability that does not actually exist.
false positive
A _______________ is used in encryption systems to create a "fingerprint" for a message. This prevents the message from being improperly modified on its way to its destination and is used to protect the integrity of a message and is most often used with digital signatures.
hashing value
A _________ is typically some kind of urban legend or sensational false news that users pass on to others via e-mail because they feel it is of interest. While mostly harmless, some are phishing attempts that try to get the user to visit a link in the e-mail message that redirects to a malicious website. The only cure is user education as to avoid spreading these types of messages to other users.
hoax
A ____________ is a device or server used to attract and lure attackers into trying to access it, thereby removing attention from actual critical systems.
honeypot
A __________ is a facility that's ready to be operational immediately when the primary site becomes unavailable. It is the most costly.
hot site
A _________________ combines two or more different cloud deployment models (such as private and community) to perform specific tasks not easily completed through one standard solution.
hybrid cloud
With an _______________, only those files that have been modified since the previous full or incremental backup are stored. The archive bit is cleared on those files that are backed up.
incremental backup
The _____________ grants users only the access rights they need to perform their job functions. This requires giving users the least amount of access possible to prevent them from abusing more powerful access rights.
least privilege principle
A ____________ does not activate until a specific event, such as reaching a specific date or starting a program a specific number of times, is triggered.
logic bomb program
A ___________ uses the internal workings of Microsoft Word and Excel to perform malicious operations when a file containing the virus is opened, such as deleting files or opening other virus-executable programs.
macro virus
In a ______________ model, the operating system is in control of access to data. Military classification levels such as Confidential, Secret, and Top Secret are examples of MAC in which specific security access is restricted, depending on the classification of the data, the user's security clearance (or access) level, and the user's need to know.
mandatory access control (MAC)
A _______________ policy requires employees to use their vacation days at specific times of the year or to use all their vacation days allotted for a single year. This policy helps detect security issues with employees, such as fraud or other internal hacking activities, because the anomalies might surface while the user is away
mandatory vacation
Controls in the ________________ category address how the organization conducts its daily business and are designed to minimize the security risk to those business activities. This category could include, for example, companywide policies
operational risk
To enforce _____________, the password should be at least 8 characters, with 10 to 12 being preferable for a standard user account (15 for an administrator/root account), and contain a mix of uppercase and lowercase letters, numbers, and special characters. Historically best practices have required changing passwords roughly every 90 days at a minimum
password complexity
A __________________ scam is a social engineering technique that targets a large group of recipients with a generic message that attempts to trick them into either visiting a website and entering confidential personal information, responding to a text or SMS message (known as ___________), or replying to an e-mail with private information, often a username and password, or banking or credit card details.
phishing / smishing
A _____________ is available only to one organization and can be managed either internally by the organization or externally by a third party.
private cloud
In a _______________ scenario, an attacker exploits a bug within an application to bypass the application and gain elevated privileges that enable the attacker to execute system commands. *Protection against it requires that programmers use input validation and test their code for bugs and exploits
privilege escalation
A ______________ is available to the greater public, with security segmentation between users.
public cloud
A ______________ happens when an application is dependent on the steps to be performed in an appropriate order, and the steps are subsequently then executed out of order, creating a crash or other negative situation that can be exploited by an attacker.
race condition
Some of the actual authentication and identification services for certificates are managed by other organizations called ______________.
registration authorities (RAs)
A _________________ installs a backdoor that bypasses all authentication controls and allows the attacker continuous access to the client computer.
remote access Trojan (RAT)
A __________________ occurs when an unauthorized user captures network traffic and then sends the communication to its original destination, acting as the original sender
replay attack
The _______________ is the level of risk that remains after controls are put into place to mitigate or reduce risk.
residual risk
A ___________ is a living document used to track different types of data elements, most commonly risk factors and risk scenarios.
risk register
The ___________ is the amount of risk that's acceptable to an organization.
risk tolerance
A ____________ is a type of backdoor program that is inserted into application software and allows a remote user root access (administrator access) to the system on which the software is installed, without the permission or knowledge of the user.
rootkit
With ___________, the underlying machine layer theoretically is unharmed in the event of a malware outbreak or other security breach and is a common function of virtual machines.
sandboxing
The ______________ ensures that one single individual isn't tasked with high-security and high-risk responsibilities. Certain critical responsibilities are separated between several users to prevent corruption.
separation of duties
A _____________________ is an understanding among a supplier of services and the users of those services that the service in question will be available for a certain percentage of time.
service level agreement (SLA)
In a __________, your team must consult the recovery plan documentation and execute it accordingly.
simulation exercise
A __________ uses a spoof attack combined with a DDoS attack to exploit the use of IP broadcast addressing and ICMP (ping).
smurf attack
A _________ hides from antivirus software by encrypting its code. They attempt to cover their trail as they infect their way through a computer.
stealth virus
In a ______________ scheme, both parties use the same key for encryption and decryption purposes.
symmetric encryption
One common type of test is a _____________, which requires the involved parties to sit around a table and step through a scenario to discern weaknesses in the plan.
tabletop exercise
The category of ______________________ encompasses the actual technical measures used to reduce security risks in your organization, which include deep-level network and system security (firewalls, antivirus scanning, content filters, and other network security devices)
technical risk controls
A __________________ is a special, encrypted communications tunnel between one system and another.
virtual private network (VPN)
A _______ is a malicious computer program that requires user intervention (such as clicking it or copying it to media or a host) within the affected system, even if the virus program does not harm the system. They self-replicate without the knowledge of the computer user.
virus
A _____________ is a security weakness, such as the lack of a security control, that could be exploited or exposed by a threat
vulnerability
The next step up from the tabletop exercise in terms of realistic testing of a plan is a _____________ of the steps of the incident response process, but not in a real-world scenario where the tasks must be performed or equipment utilized.
walkthrough
A __________ is like a hot site but without most of the duplicate servers and computers that would be needed to facilitate an immediate switch-over.
warm site
The _______________________ can filter and monitor HTTP traffic between web applications and the Internet, helping to mitigate many common web attacks such as cross-site scripting (XSS), SQL injection, and cross-site request forgery (CSRF).
web application firewall (WAF)