CompTIA Sec+ - Total Tester
Compensating Security Controls
*Doesn't prevent* an attack, but can get you back up and running using other means. - Doesn't prevent attacks - *Restores* using other means - Re-image or restore from backup - Hot site - Backup power system
Continuity of Operations Planning (COOP)
- Exercises/tabletop - After-action reports - Failover - Alternate processing sites - Alternate business practices
Which methods are commonly used in biometric authentication?
- Vein Patterns - Retina Scan - Facial Recognition
Auditors have been reviewing your network for the annual audit and are concerned about firewall rules. They are particularly concerned with the screened subnet you have established. What type of nodes would you place into the screened subnet? (Choose all that apply.) A. Web servers that provide content to external users B. Instant message servers that provide services to internal-only machines C. Network management servers that perform network switch configuration control D. Secure e-mail gateway
- Web servers that provide content to external users - Secure e-mail gateway A and D are correct. Screened subnets, which used to be called DMZs, are semi-trusted network locations that separate machines needed to provide services to untrusted networks from systems on trusted networks.
Which of the following are examples of attributes that can be utilized for authentication purposes? (Choose all that apply.) A. Something you know B. Your location C. The result of a lie detector test D. Some physical activity that you perform uniquely
- Your Location - The result of a lie detector test - Some physical activity that you perform uniquely.
Incident Response Process
1. Preparation 2. Detection and Analysis (Identification) 3. Containment 4. Eradication 5. Recovery 6. Document/Lessons learned
Cold Sites (Disaster recovery)
A "recovery" cold site is essentially data center space, with power, and network connectivity that is available when needed. In the event of a disaster, teams can move and install a business's hardware at the cold site in order to get the systems back up and running.
tcpdump command
A command-line protocol analyzer. Administrators use it to capture packets.
Logic Bomb
A computer program or part of a program that lies dormant until it is triggered by a specific logical event.
Bridge CA
A cross certification model using a central point of trust (Hybrid Trust Model)
Warm Site (Disaster recovery)
A disaster recovery option at a separate facility with computer equipment that requires installation and configuration
Hot Site (Disaster recovery)
A disaster recovery option that relies on access to a completely operational alternative data center that is not only prewired but also contains all necessary hardware and software
Token Key
A piece of hardware for a two-factor authentication security device that may be used to authorize the use of computer services. (Think iLok device)
The incident response team is activated because the load balancing system failed after the installation of a new application. The only difference with the new application is that it required active/active load balancing. What likely caused this issue? A. The application ignored the load balancing in place. B. Active/active load balancing requires all nodes to be operational to pass traffic. C. A poor capacity plan. Because active/active load balancing is handling all traffic, any failure will cause all traffic to go through a single node, potentially overloading the system. D. Active/active applications can be easily targeted for denial of service.
A poor capacity plan. Because active/active load balancing is handling all traffic, any failure will cause all traffic to go through a single node, potentially overloading the system.
Bot
A program that can do things without the user of the computer having to give it instructions. Many bots are malware as they are installed without people's permission and can be controlled over the internet and used to send spam or steal data. Also known as web robots.
Hierarchical Trust Model
A trust model that has a single hierarchy with one master CA.
Federation
Allows users to seamlessly access data or systems across domains.
You are working on a project to implement VPNs between all remote offices that are part of the corporate network. The choices made here will be in place for at least five years. Due to its open framework, you want to implement IPsec. How does the open framework affect your choice? A. It allows the integration of open and closed source software to run IPsec. B. An open framework allows researchers to find vulnerabilities in the IPsec code. C. An open framework allows the underlying cipher suites to be updated as needed. D. IPsec uses the open framework to allow all hosts to connect equally.
An open framework allows the underlying cipher suites to be updated as needed.
Risk Assessment Process
Analyzes potential risk based on statistical and mathematical models.
AV Applications
Anti-Virus Applications
Continuous Integration
As soon as the work on a task is complete, it is integrated into the whole system. After any such integration, all the unit tests in the system must pass.
Accountability
Ascribes resource usage by account for the purpose of tracking resource utilization.
A recent security audit had a finding of your VPN allowing split tunneling. The auditors preferred to require full tunneling on the VPN. What security risk are the auditors attempting to mitigate? A. Split-tunnel VPNs can avoid external e-mail filtering by sending e-mails through directly to the main corporate e-mail server. B. Attacks that come from the public network could be routed through the endpoint and potentially bypass network perimeter controls of the organization. C. The user's corporate Active Directory (AD) credentials can leak out of the split tunnel and be exposed to the Internet. D. The VPN will bypass all network intrusion detection and prevention technologies as the host is on a trusted network segment.
Attacks that come from the public network could be routed through the endpoint and potentially bypass network perimeter controls of the organization.
Which of the following is a representation of the frequency of an event in a given year? A. ALE B. ARO C. SLE D. SLA
B is correct. Annualized rate of occurrence (ARO) represents the frequency of the event measured in a standard year. A is incorrect. Annualized loss expectancy (ALE) is the product of the ARO multiplied by the SLE. C is incorrect. Single loss expectancy (SLE) is the value of a loss from a single event. D is incorrect. A service level agreement (SLA) is a negotiated agreement between a customer and a service provider.
Which of the following refers to the original bandwidth produced by a signal that is being transmitted and represents a single channel of communication? A. Broadband radio B. Baseband radio C. Narrow-band radio D. 5G
Baseband radio
What is the purpose of having boot integrity? A. Boot integrity is designed to load the system only from a known-good set of drivers and OS packages. B. Boot integrity is required for the system to avoid kernel panics due to poorly written applications. C. The boot integrity system determines the order in which drivers are loaded to make sure memory registers are consistent. D. Boot integrity allows systems to boot quickly by skipping hardware checks that have already been completed on previous boots.
Boot integrity is designed to load the system only from a known-good set of drivers and OS packages.
BIA
Business impact analysis. The BIA addresses the sources of risk, impact, and mitigation.
BPA
Business partners agreement. A written agreement that details the relationship between business partners, including their obligations toward the partnership.
When does a Cloud Access Security Broker (CASB) device work? A. CASBs work with standard cloud services that exist remotely from the organization. B. CASBs only work with cloud services that are in VPCs connected as a virtual network to the organization. C. CASBs work only when placed internally at the organization to control traffic. D. CASBs work wherever the services are located, even when the CASB is also located in the cloud.
CASBs work wherever the services are located, even when the CASB is also located in the cloud.
CIS
Center for Internet Security. Exists to promote and sustain best-practice solutions for cyber defense.
CA
Certificate Authority. An organization that manages, issues, and signs certificates and is part of a PKI. Certificates are an important part of asymmetric encryption. Certificates include public keys along with details on the owner of the certificate and on the CA that issued the certificate. Certificate owners share their public key by sharing a copy of their certificate.
CRL
Certificate Revocation List. Details certificates that have been revoked by the CA.
CPS
Certification Practice Statement. The documentation that shows the steps for generating, maintaining, and transmitting certificates. It also details why the CA can be trusted.
CASB
Cloud access security broker. A software tool or service that enforces cloud-based security requirements. It is placed between the organization's resources and the cloud, monitors all network traffic, and can enforce security policies.
Yearly audits are due, but you have recently moved about half your infrastructure onto four different cloud services. While some of these are Platform as a Service (PaaS), you have also deployed some Software as a Service (SaaS) offerings. Based on the cloud adoptions, why does your auditing need to change? A. Cloud systems have specific hardware that runs the guest machines, requiring different processes to audit them. B. Cloud systems require audits of the cloud security environment as deployed as well as the data security requirements for auditing. C. Cloud systems are protected by the cloud provider, as it is their infrastructure; therefore, they do the audits and customers do not have to. D. Cloud system audits are specifically about remote access capabilities, as they are always accessed remotely.
Cloud systems require audits of the cloud security environment as deployed as well as the data security requirements for auditing.
CVE
Common Vulnerabilities and Exposures. A dictionary of publicly known security vulnerabilities and exposures.
Access Control Vestibule
Composed of two doors closely spaced that require the user to use a card to get through one and then the other sequentially. Installing these makes it nearly impossible to follow someone through a doorway undetected. (Prevents tailgating.)
CIA Triad
Confidentiality, Integrity, Availability
Proprietary Data
Contains business secrets.
DoS Attack
Denial of service attack. Can occur at layer 2 or 3. Can use IP spoofing. Comes from a single source.
CA Runbook
Details how a system is set up and operated; it is not CA-specific.
DDoS Attack
Distributed Denial of Service Attack. Typically a virus installed on many computers (thousands) activates at the same time and floods a target with traffic to the point that the server becomes overwhelmed. Comes from many different sources.
Which of the following deals with the identification, management, and preservation of digital information that is subject to legal hold? A. Data acquisition B. Direct evidence C. Hearsay rule D. E-discovery
E-discovery
Which of the following is NOT a recognized attack vector? A. Direct access B. Firewalls C. E-mail D. Supply chain
Firewalls
CA Benchmark
Guidance for configuring and operating computer systems at a secure level that is documented and understood.
What is the largest advantage host-based firewalls have over network-based firewalls? A. Host-based firewalls can coordinate with other endpoints' host-based firewalls to perform a unified attack response. B. Host-based firewalls can control outbound traffic before it reaches the network and sets off intrusion detection alarms. C. Host-based firewalls have knowledge of the functions of the endpoint and can tune the traffic management to match. D. Host-based firewalls do not need rulesets like network-based firewalls require, due to being directly on the host and able to run heuristic traffic analysis.
Host-based firewalls have knowledge of the functions of the endpoint and can tune the traffic management to match.
After Action Report (Continuity of Operations Planning)
Identifies and documents lessons learned and corrective action items.
Threat Assessment Process
Identifies and quantifies the risks facing each asset within an enterprise.
Litigation Hold
Information under legal hold (legal and compliance data)
You are asked to implement a software development lifecycle methodology (SDLM) at your organization. What key elements do you implement to ensure security is a priority in all software produced? (Choose all that apply.) A. Input validation B. Fuzzing C. Cross-site forgery validation D. Driver compatibility testing
Input validation, Fuzzing, and Cross-site forgery validation
ISA
Interconnection security agreement. An agreement that specifies technical and security requirements for connections between two or more entities. Compare with MOU/MOA.
ISO
International Standards Organization. An international standards body that's broader than just cyber defense.
Continuous Delivery
Is a natural extension of continuous integration so that new changes can be quickly released to production in a sustainable way.
Continuous Deployment
Is the process where every change that passes all stages of the production pipeline is released to production.
Root CA
Is used to certify intermediate authorities in a large PKI deployment.
Intermediate/Subordinate CA
Issues certificates for the leaf CAs.
Ephemeral Key
Keys that are used only once. This has the obvious advantage of not allowing attackers to replay a captured key to gain access to a system or data.
What is the reason behind the current need for lightweight cryptography? A. Due to the use of other network security components, the need for encryption is no longer as great as it once was, allowing for less intense algorithms. B. Lightweight cryptography is used in serial processing environments where the use of multiple lightweight cryptographic components in serial will provide more security than a single, more powerful processor used for encryption. C. Lightweight cryptography is needed in resource-constrained environments. D. With the computing power of processors today, there is no need for lightweight cryptography.
Lightweight cryptography is needed in resource-constrained environments. A good example of resource-constrained environments is the Internet of Things, which still needs encryption but where IoT devices generally have very little excess computing power.
Directory Service
Maps network resources to their respective network addresses.
The X.509 standard outlines which of the following? (Choose all that apply.) A. Necessary fields of a certificate B. Possible values of certificate fields C. Location of the CRL D. Usage types
Necessary fields of a certificate and Possible values of certificate fields
Your manager wants to hide intranet websites from attackers by hosting the site on a high port not associated with HTTP or HTTPS. As part of this, they want to force SSL/TLS for every connection. Does SSL/TLS use/mandate a specific port? A. Yes, port 443. B. No, TLS does not mandate a specific port. C. Yes, port 3269. D. TLS use is deprecated and only SASL is now used.
No, TLS does not mandate a specific port.
OPM
Office of Personnel Management; advertises for employees, examines those who apply, and keeps registers (lists of applicants who pass its tests and are qualified for employment).
PII
Personally identifiable information. Data that can lead to the specific identity of a person.
Incident Response Team
Personnel designated to respond to an incident.
Physical Security Controls
Prevent physical actions/threats from occurring.
Data that, if disclosed to an unauthorized party, would potentially cause harm or disruption to the organization should be labelled as which of the following? A. Secret B. Legal C. Confidential D. Private
Private
Which of the following has the shortest life according to the order of volatility? A. Live networks and data flows B. Temporary filesystem/swap space C. Remotely logged data D. Routing tables, ARP cache, process tables, and kernel statistics
Routing tables, ARP cache, process tables, and kernel statistics
SLA
Service level agreement. An agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels.
You are in a meeting with a vendor selling antivirus products. You are interested in heuristic-based antivirus, but this vendor is heavily pushing signature-based antivirus. What is the strongest reason you might avoid this product? A. Signature antivirus can only detect threats to a specific application. B. Signature antivirus can only detect known malware. C. Signature antivirus only works on network-based threats. D. Antivirus cannot stop worms, only viruses.
Signature antivirus can only detect known malware.
Penetration Testing Attack
Simulates an attack, quite often generating a great deal of traffic and noise. These tests are performed in cooperation with the organization being examined.
Port Scanning Attack
Software attack where an attacker scans your systems to see which ports are listening. This type of attack is noisy and can usually be traced back to the originating system/person performing the attack.
PUP (potentially unwanted program)
Software that cannot definitively be classed as malicious, but may not have been chosen by or wanted by the user.
Ransomware
Software that encrypts programs and data until a ransom is paid to remove it.
Attestation
Supplying proof or evidence of a fact
SFC
System File Checker command. Used to verify and repair system files.
Continuous monitoring is the term used to describe which of the following? A. The extension of testing to support the continuous process of software development in DevOps B. The DevOps manner of continually updating and improving the production code base C. Technologies/processes used to enable rapid detection of compliance issues and security risks D. The practice where every change passing all stages of the production pipeline is released to production
Technologies/processes used to enable rapid detection of compliance issues and security risks
Which of the following is not a Kerberos authentication step? A. If the client-to-server ticket is valid, service is granted to the client. B. The Key Distribution Server (KDS) checks the ticket hash and compares it to the previous ticket. C. The KDS verifies authorization and issues a client-to-server ticket. D. The user presents credentials and requests a ticket from the KDS.
The Key Distribution Server (KDS) checks the ticket hash and compares it to the previous ticket.
Persistent XSS Attack
The attack script is permanently stored on the web server or some back-end storage. This allows the script to be used against others who log in to the system.
Active Reconnaissance
The attacker engages directly with the target systems (for example, using a port scanner to map out open ports). These types of activities make "noise" on the network, can be observed, and can be traced back to their origin.
You have set up a private organizational PKI system with a Root CA and intermediate CAs using a hierarchical trust model. To get your end-user systems to trust the servers, you need to have the end systems trust the Root CA and apply what to the servers? A. The self-signed certificate B. The root certificate C. The end-entity certificate only D. The certificate chain of the Root CA, intermediate CA, and leaf CA as well as the end-entity certificate.
The certificate chain of the Root CA, intermediate CA, and leaf CA as well as the end-entity certificate.
Scalability
The characteristic of a software system to process higher workloads on its current resources (scale up) or on additional resources (scale out) without interruption. (ex. how well a VDI system performs when the number of users is increased)
Elasticity
The characteristic that something is capable of change without breaking. (ex. Adding storage to a cloud platform)
Alternate Processing Sites (Continuity of Operations Planning)
The disaster recovery sites that business processes failover to until the primary location recovers.
Leaf CA
The entities that issue certificates to end-entities in the hierarchical trust model.
Nonpersistent XSS Attack
The injected attack script is not persisted or stored but rather is immediately executed and passed back via the web server.
Risk Management Process
The method of making, implementing, and monitoring decisions that minimize the adverse effects of risk on an organization.
Failover (Continuity of Operations Planning)
The process for moving from a normal operational capability to the continuity-of-operations version of the business.
DOM-based XSS Attack
The script is executed in the browser via the Document Object Model (DOM) process as opposed to the web server.
Baseline Configuration
The starting point for all future baseline assessments and is a representation of how the system is supposed to be configured.
netstat command
This displays TCP and UDP connections.
Exercises/tabletop (Continuity of Operations Planning)
This is performed to ensure all elements of the COOP are covered.
Passive Reconnaissance
This is performed using methods to gain information about targeted computers and networks without actively engaging with the target systems, thus avoiding detection. It might gain less information than other methods, but is far quieter and has little to no risk of detection.
Hybrid Trust Model
Two companies have their own internal hierarchical models and are connected through a peer-to-peer model using cross-certification.
Deterrent security control
Used to dissuade or deter attacks
ping command
Used to test network connectivity
cipher command
Used to wipe free space
Session Forging
When an attacker uses a session ID (perhaps obtained through a man-in-the-middle attack) to pretend to be another user.
netcat command
Can read or write information to the network. Can be used to create an open connection on a device or to access a connection on a remote machine.
Static Codes
Codes that do not change over time.
Preventive security controls
Stop or limit a security threat from happening in the first place (e.g., anti-virus scan).