deck 0 Flashcards

Question

authentication

Answer 1

The process of validating a particular entity or individual's identity

Answer 2

The process of determining what rights and privileges a particular entity has after the entity has been authenticated.

Answer 3

The fundamental security goal of ensuring that computer systems operate continuously and that authorized persons can access data that they need

Answer 4

A social engineering attack in which an attacker plants physical media in an area where someone will find it and then promptly use it.

Answer 5

The physical (non-virtual) hardware of a host.

Answer 6

(building automation system) A system that monitors and controls various operational resources in a building, including lighting systems, power systems, ventilation, alarms, plumbing, and miscellaneous physical security systems

Answer 7

A component in a mobile device that handles radio frequency communication other than that which uses Wi-Fi and Bluetooth

Answer 8

(business continuity planning) The process of defining how normal day-to-day business will be maintained in the event of a business disruption or crisis

Answer 9

A key derivation function based on the Blowfish cipher algorithm.

Answer 10

The process of identifying the way in which an entity acts, and then reviewing future behavior to see if it deviates from the norm.

Answer 11

(Border Gateway Protocol) A network protocol that exchanges routing and reachability information between edge routers across the Internet.

Answer 12

(business impact analysis) A document that identifies present organizational risks and determines the impact to ongoing, business- critical operations if such risks actualize.

Answer 13

Data collections that are so large and complex that they are difficult for traditional database tools to manage.

Answer 14

(Basic Input/Output System) A firmware interface that initializes hardware for an operating system boot.

Answer 15

The first and most prominent cryptocurrency.

Answer 16

The process of performing mathematical operations to discover new blocks in the bitcoin blockchain.

Answer 17

A penetration test in which the tester is given little to no information regarding the systems or network being tested.

Answer 18

A network security technique that drops traffic before it reaches its intended destination, and without alerting the source of this.

Answer 19

A type of symmetric encryption algorithm that encrypts data one block at a time, often in 64- bit blocks. It is usually more secure, but is also slower, than stream ciphers.

Answer 20

Technology that encrypts blocks of stored data in fixed sizes.

Answer 21

A concept in which an expanding list of transactional records is secured using cryptography.

Answer 22

A wireless attack where an attacker sends unwanted Bluetooth signals from a smartphone, mobile phone, tablet, or laptop to other Bluetooth-enabled devices.

Answer 23

A wireless attack where an attacker gains access to unauthorized information on a wireless device by using a Bluetooth connection.

Answer 24

A short-range wireless radio network transmission medium normally used to connect two personal devices, such as a mobile phone and a wireless headset.

Answer 25

(business partnership agreement) An agreement that defines how a business partnership will be conducted

Answer 26

The devaluation of a company's image after the company fails to meet customer expectations, especially if it mishandles personal information.

Answer 27

A vulnerability that occurs when an application copies data into an allocated memory buffer that is not large enough to accommodate it.

Answer 28

(bring your own device) An emerging phenomenon in which employees use their personal mobile devices in the workplace.

Answer 29

(certificate authority) A server that can issue digital certificates and the associated public/ private key pairs

Answer 30

In programming, a technique used to alert an app to the possible overwriting of a buffer and a resulting overflow condition

Answer 31

(cloud access security broker) A security gateway provided by SECaaS vendors that sits between the organization's on-premises network and the cloud network, ensuring that traffic both ways complies with policy.

Answer 32

(cost–benefit analysis) The process of weighing the benefit of using a solution against the cost to implement, use, and maintain it.

Answer 33

(Common Criteria) A set of standards developed by a group of governments working together to create a baseline of security assurance for a trusted operating system.

Answer 34

(computer emergency response team) A team of security professionals that provide incident response services to the private and public sectors.

Answer 35

A method of trusting digital certificates that bypasses the CA hierarchy and chain of trust to minimize man-in-the-middle attacks.

Answer 36

An authentication method in which identity is verified through the use of digital certificates.

Answer 37

The record of evidence handling from collection, to presentation in court, to disposal.

Answer 38

The process by which some mechanism watches a system for any alterations to a configured baseline, and then logs, audits, and alerts the proper personnel to this change.

Answer 39

(Challenge Handshake Authentication Protocol) An encrypted remote access authentication method.

Answer 40

(confidentiality, integrity, availability) The three basic principles of security control and management. Also known as the information security triad or triple.

Answer 41

(Center for Internet Security) A non-profit organization that provides security resources and information to various industries

Answer 42

A web application attack in which an attacker tricks a client into clicking on a web page link that is different from where they had intended to go.

Answer 43

The set of activities performed within a browser or on a client computer as part of the interaction with the web application and data set for the application that are resident on the server.

Answer 44

(configuration management database) A database that contains information on each component within an enterprise's IT environment.

Answer 45

(content management system) A system that enables an enterprise to integrate documentation and other content into a centralized, easy-to-use solution

Answer 46

(Control Objectives for Information and Related Technologies version 5) A framework for IT management and governance created by ISACA.

Answer 47

An examination of the source code of an application to identify potential vulnerabilities.

Answer 48

A form of digital signature that guarantees that source code and application binaries are authentic and have not been tampered with.

Answer 49

An attack in which an attacker with physical access to a computer with an encrypted disk tries to retrieve encryption keys after starting the computer from its off state.

Answer 50

A goal of strong hash functions that states that it should not be possible to produce two different plaintext input values that have the same resulting hash.

Answer 51

A method of simulating a threat scenario where personnel are divided into teams assigned a certain color, where each color has a specific meaning and defines the role that an individual tester will play during the simulation.

Answer 52

The fundamental security goal of keeping information and communications private and protected from unauthorized access.

Answer 53

The process of preventing configurations from being altered.

Answer 54

A method of virtualization that runs isolated systems inside individual containers on a host operating system.

Answer 55

A technique that restricts what types of content a user is allowed to access.

Answer 56

An authentication method in which identity is verified based on various characteristics about the entity's environment.

Answer 57

The technique of constantly evaluating an environment for changes so that new risks may be more quickly detected and business operations improved upon.

Answer 58

An attack in which an attacker takes over a session cookie by injecting malicious code into it.

Answer 59

An attack in which an attacker modifies the contents of a cookie to exploit web app vulnerabilities

Answer 60

(continuity of operations plan) The collection of processes that outlines how an organization will maintain operations if a major adverse event were to occur. Similar to a business continuity plan (BCP).

Answer 61

(corporate-owned, personally enabled) A mobile deployment model in which the organization chooses which devices they want employees to work with, while still allowing the employee some freedom to use the device for personal activities.

Answer 62

(Committee of Sponsoring Organizations of the Treadway Commission) An industry standard that provides guidance on a variety of governance-related topics including fraud, controls, finance, and ethics.

Answer 63

Resources that, if damaged or destroyed, would cause significant negative impact to the economy, public health and safety, or security of a society.

Answer 64

(certificate revocation list) A list of certificates that were revoked before their expiration date.

Answer 65

(customer relationship management) The process of enabling an organization to more easily work with customers and data about customers.

Answer 66

The act of outsourcing work and services to a group of people, such as an online community, who aren't internal employees of the organization.

Answer 67

An alternative digital currency that is secured through cryptography, typically by using a blockchain.

Answer 68

Any software or hardware solution that implements one or more cryptographic concepts, such as different encryption and decryption algorithms.

Answer 69

(cybersecurity incident response team) A collection of personnel who work together to identify and manage information security incidents.

Answer 70

(Cryptographic Service Provider) A cryptographic module that implements Microsoft's CryptoAPI.

Answer 71

(Common Vulnerabilities and Exposures) A dictionary of vulnerabilities maintained by the MITRE Corporation

Answer 72

(Common Vulnerability Scoring System) A risk management approach to quantifying vulnerability data and then taking into account the degree of risk to different types of systems or information.

Answer 73

(choose your own device) A mobile deployment model in which the employee is essentially responsible for their device and may even be considered the owner of the device.

Answer 74

(database activity monitor) A database security utility that runs independently from the database and serves to monitor and report on activities.

Answer 75

The technique of mining various sources to collate information on individuals or organizations

Answer 76

A method of securing data while it is stored and not being actively used

Answer 77

A security incident that involves the unauthorized access of data stored in a secure location.

Answer 78

A method of securing data as it is exchanged between parties.

Answer 79

A method of securing data that is currently being processed or temporarily stored in volatile memory.

Answer 80

The technique of separating access and control of data from other users and services in the same system or environment.

Answer 81

A concept in data management in which an individual (the owner) is ultimately responsible for that data.

Answer 82

Leftover information on a storage medium even after basic attempts have been made to remove that data.

Answer 83

The sociopolitical outlook of a nation concerning computing technology and information.

Answer 84

Technology that encrypts the data stored in a database.

Answer 85

A standard that is accepted by the industry as a result of its early dominance in a marketplace that had previously seen a lack of standards.

Answer 86

A standard that has been confirmed by the appropriate standardizing bodies and is considered "official."

Answer 87

The process of shifting, reducing, or removing some of the enterprise's boundaries to facilitate interactions with the world outside of its domain.

Answer 88

A type of machine learning that constructs knowledge as a hierarchy of layers, where complex classes of knowledge are defined in relation to simpler classes of knowledge in order to make more informed determinations about an environment.

Answer 89

A map of the physical or logical arrangement of all nodes in a system, typically a network (that is, its topology).

Answer 90

A framework for defining how a particular system will be put to use in an organization

Answer 91

The practice of combining and integrating software development and systems operations.

Answer 92

An authentication protocol that improves on RADIUS through failover and per-packet confidentiality.

Answer 93

An electronic document that associates credentials with a public key.

Answer 94

A message digest that has been encrypted again with a user's private key.

Answer 95

A digital rights management (DRM) mechanism that uses steganographic techniques to embed data within media to enforce copyright protection.

Answer 96

In programming, a reference to the actual name of a system object that the application uses.

Answer 97

A centralized authentication system used to provide a consistent and scalable mechanism to control access to applications, services, and systems.

Answer 98

(data loss/leak prevention) A software solution that detects and prevents sensitive information in a system or network from being stolen or otherwise falling into the wrong hands.

Answer 99

(demilitarized zone) A small section of a private network that is located behind one firewall or between two firewalls and made available for public access.

Answer 100

(Domain Name System) A type of directory service that presents a hierarchical naming system for entities connected to a network.

Answer 101

(Domain Name System Security Extension) A set of specifications to provide an added level of security to DNS.

Answer 102

(Document Object Model-based attack) A cross-site scripting (XSS) attack in which an attacker takes advantage of a web app's client- side implementation of JavaScript to execute their attack solely on the client.

Answer 103

(deep packet inspection) Technology that provides a view of the entire contents of a network packet's payload

Answer 104

(digital rights management) Technology that attempts to control how digital content can and cannot be used after it is published.

Answer 105

A social engineering attack in which an attacker reclaims important information by inspecting the contents of trash containers.

Answer 106

(electronic discovery) The process of identification, collection, analysis, and retention of electronic data for the discovery phase of litigation.

Answer 107

(Evaluation Assurance Level) A rating from 1 to 7 that states the level of secure features offered by an operating system as defined by the Common Criteria (CC)

Answer 108

(Extensible Authentication Protocol) A wireless authentication framework with various methods that define parameters used in authentication.

Answer 109

(elliptic curve cryptography) An asymmetric encryption technique that leverages the algebraic structures of elliptic curves over finite fields

Answer 110

(endpoint detection and response) Technology that enables security professionals to gain greater insights into advanced security threats that target endpoints or use endpoints as a vector in a larger attack.

Answer 111

(Encrypting File System) Microsoft Windows file encryption technology that targets files and folders on an NTFS file system architecture.

Answer 112

Technology that can actively change the logic of a computer chip at will to mitigate performance issues and prevent downgrading of firmware.

Answer 113

Any host that is exposed to another host in a communication channel.

Answer 114

The ability for an enterprise to adapt to changes that affect business operations, as well as its ability to evolve and meet future challenges with greater preparedness.

Answer 115

(enterprise risk management) The comprehensive process of evaluating, measuring, and mitigating the many risks that pervade an organization.

Answer 116

(enterprise resource planning) The process that enables an organization to monitor the day-to- day business operations of the enterprise and report on the status of various resources and activities

Answer 117

(enterprise security architecture) A framework for defining the baseline, goals, and methods used to secure a business

Answer 118

(enterprise service bus) Middleware software that enables integration and communication between applications throughout the enterprise

Answer 119

The technique by which an application responds to unexpected errors.

Answer 120

A tool that provides a consistent and reliable environment to create and execute exploit code against a target.

Answer 121

(full disk encryption) Technology that encrypts an entire storage drive at the hardware level.

Answer 122

(file integrity monitoring) The technique of evaluating operating system files and other data files to ensure that they have not been tampered with.

Answer 123

The reconnaissance technique of determining the type of operating system and services a target uses by studying the types of packets and the characteristics of these packets during a communication session.

Answer 124

(Federal Information Processing Standards) Computer-based standards developed by the U.S. government that apply to non-military government organizations and contractors.

Answer 125

(Federal Information Security Management Act) A law enacted in 2002 that includes several provisions that require federal organizations to more clearly document and assess information systems security.

Answer 126

A tool that sends an application random input data to see if it will crash or expose a vulnerability.

Answer 127

An app security testing method that identifies vulnerabilities and weaknesses in applications by sending the application a range of random or unusual input data and noting any failures and crashes that result.

Answer 128

The process of identifying the difference between the current state of an environment and the desired state of that environment, and identifying the steps required to close that gap.

Answer 129

Technology that creates a virtual boundary that can enable or disable functionality for a device if it is located in a particular area.

Answer 130

The process of actively adding geographical identification metadata to an app or its data.

Answer 131

(Gramm-Leach-Bliley Act) A law enacted in 1999 that deregulated banks, but also instituted requirements that help protect the privacy of an individual's financial information that is held by financial institutions.

Answer 132

Processes that enable an organization to make the best possible decisions with respect to governance.

Answer 133

(GNU Privacy Guard) A free, open source version of PGP that provides the equivalent encryption and authentication services.

Answer 134

(governance, risk management, and compliance) A solution for monitoring these three security concepts as they are implemented in an enterprise.

Answer 135

(hyperconverged infrastructure) A converged infrastructure that virtualizes all IT components instead of relying on physical systems.

Answer 136

The process of identifying the way in which an entity acts in a specific environment and making decisions about the nature of the entity based on this.

Answer 137

A form of encryption that protects data in use by enabling ciphertext input to produce a processing output that is the same as if the input had been in plaintext.

Answer 138

An attack in which an attacker accesses or modifies specific resources that they are not entitled to, such as another user's private information.

Answer 139

(hardware security module) A physical device that provides root of trust capabilities.

Answer 140

(interoperability agreement) The general term for any document that outlines a business partnership or collaboration in which all entities exchange some resources while working together.

Answer 141

(Infrastructure as a Service) A cloud service model in which the cloud service provides access to any or all infrastructure needs a client may have.

Answer 142

(industrial control system) Any system that enables users to control industrial and critical infrastructure assets.

Answer 143

The practice of linking a single identity across multiple disparate identity management systems.

Answer 144

The process of verifying that identity characteristics and credentials are accurate and unique to the individual

Answer 145

The technique of replicating an authenticated identity through various processes in a system.

Answer 146

(Internet Engineering Task Force) An organization that develops Internet standards and publishes the Request for Comments (RFC).

Answer 147

(Integrity Measurement Architecture) An open source Linux subsystem and TPM-based method of verifying trusted computing.

Answer 148

(inline network encryptor) A device that ensures the confidentiality and integrity of data in transit between networks and network segments.

Answer 149

The concept of protecting information's confidentiality, integrity, availability, authenticity, and non-repudiation.

Answer 150

(Infrared Data Association) A set of protocols for wireless communication using infrared signals.

Answer 151

(interconnection security agreement) A type of business agreement that is geared toward the information systems of partnered entities to ensure that the use of inter-organizational technology meets a certain security standard.

Answer 152

(Intra-Site Automatic Tunnel Addressing Protocol) An IPv6 transition mechanism that transmits IPv6 packets between dual-stack nodes on top of an IPv4 network.

Answer 153

(International Organization for Standardization) An organization with global reach that promotes standards for many different industries.

Answer 154

(International Organization for Standardization/International Electrotechnical Commission 27001) A standard model for information systems management practices.

Answer 155

(information technology governance) A concept in which stakeholders ensure that those who govern IT resources are fulfilling objectives and strategies and creating value for the business.

Answer 156

(Information Technology Infrastructure Library) A comprehensive IT management structure derived from recommendations originally developed by the United Kingdom Government's Central Computer and Telecommunications Agency (CCTA).

Answer 157

A method for backing up private keys to protect them while allowing trusted third parties to access the keys under certain conditions.

Answer 158

(key performance indicator) A quantifiable metric used to determine if a system or other asset is meeting the enterprise's strategic and operational goals

Answer 159

(key risk indicator) A metric that measures how much risk a particular task or asset will bring to the organization.

Answer 160

(MAC Authentication Bypass) A mechanism that can determine whether or not a device supports 802.1X, and if it doesn't, the port will send the device's MAC address to the authentication server as credentials.

Answer 161

(message authentication code) Mathematical functions that verify both integrity and authenticity of messages.

Answer 162

A non-profit organization that manages research and development centers that receive federal funding from entities like the DoD and NIST.

Answer 163

(memorandum of understanding) An informal business agreement that is not legally binding and does not involve the exchange of money.

Answer 164

(master service agreement) An agreement that lays the groundwork for any future business documents that two parties may agree to.

Answer 165

(managed security service provider) An organization that provides SECaaS/managed security services.

Answer 166

(mean time between failures) The rating on a device or component that predicts the expected time between failures.

Answer 167

(maximum tolerable downtime) The longest period of time a business can be inoperable without causing irrevocable business failure.

Answer 168

(mean time to failure) The average time a device or component is expected to be in operation.

Answer 169

(mean time to repair/replace/recover) The average time taken for a device or component to be repaired, replaced, or otherwise recovered from a failure.

Answer 170

(Network Access Control) The collected protocols, policies, and hardware that govern access on device network interconnections.

Answer 171

(National Institute of Standards and Technology 800 Series) A U.S. government publication that focuses on implementing a wide range of cybersecurity practices.

Answer 172

(no-execute bit) A security technique that creates an area in memory that cannot be executed by the operating system.

Answer 173

A token-based authorization protocol that is often used in conjunction with OpenID.

Answer 174

(Online Certificate Status Protocol) An HTTP- based alternative to a certificate revocation list that checks the status of certificates.

Answer 175

(operating-level agreement) A business agreement that outlines the relationship between divisions or departments in an organization.

Answer 176

(Platform as a Service) A cloud service model in which the cloud service provides virtual systems, such as operating systems, to customers.

Answer 177

(Password Authentication Protocol) A remote access authentication service that sends user IDs and passwords as plaintext.

Answer 178

(Password-Based Key Derivation Function 2) A key derivation function used in key stretching to make potentially weak cryptographic keys such as passwords less susceptible to brute force attacks.

Answer 179

(Protected Extensible Authentication Protocol) An open standard that encapsulates EAP in an encrypted Transport Layer Security (TLS) tunnel.

Answer 180

(perfect forward secrecy) A characteristic of session encryption that ensures if a key used during a certain session is compromised, it should not affect data previously encrypted by that key.

Answer 181

(Pretty Good Privacy) A method of securing emails created to prevent attackers from intercepting and manipulating email and attachments by encrypting and digitally signing the contents of the email using public key cryptography.

Answer 182

A social engineering attack in which an attacker redirects a user's request for a website to their own similar-looking, but fake, website.

Answer 183

A risk analysis method that uses descriptions and words to measure the likelihood and impact of risk.

Answer 184

A risk analysis method that is based completely on numeric values.

Answer 185

(Remote Authentication Dial-In User Service) A standard protocol for providing centralized authentication and authorization services for remote users.

Answer 186

The most used and well-known stream cipher

Answer 187

A cross-site scripting (XSS) attack in which an attacker crafts a malicious form or other request to be sent to a legitimate web server. The victim selects the malicious request and the script is sent to the server and reflected off it onto the victim's browser.

Answer 188

A testing method that evaluates whether or not changes in software have caused previously existing functionality to fail.

Answer 189

(Request for Comments) A collection of documents that detail standards and protocols for Internet-related technologies.

Answer 190

(request for information) The first phase in the contract requirement process, in which a company sends out notices to prospective vendors or contractors asking them for their experience and qualification in filling the business's need for services or equipment.

Answer 191

(request for proposal) The second phase in the contract requirement process, in which a company asks prospective vendors or contractors for their proposed solutions to the business's needs.

Answer 192

(request for quote) The third phase in the contract requirement process, in which a company negotiates the financial details of their relationship with prospective vendors or contractors.

Answer 193

The response of taking no additional action after identifying and analyzing a risk

Answer 194

The security process used for assessing risk damages that can affect an organization.

Answer 195

The response of eliminating the source of a risk so that the risk is removed entirely.

Answer 196

The property that dictates how susceptible an organization is to loss.

Answer 197

The cyclical process of identifying, assessing, analyzing, and responding to risks.

Answer 198

The response of reducing risk to fit within an organization's risk appetite.

Answer 199

The response of moving the responsibility of risk to another entity.

Answer 200

(recovery point objective) The longest period of time that an organization can tolerate lost data being unrecoverable.

Answer 201

(remotely triggered black hole) An advanced black hole routing technique that alters routing tables to provide a more effective and granular means of mitigating DDoS traffic with minimal collateral damage.

Answer 202

(recovery time objective) The length of time it takes after an event to resume normal business operations and activities.

Answer 203

(Software as a Service) A cloud service model in which the cloud service provides applications to users.

Answer 204

(supervisory control and data acquisition) A type of industrial control system that typically monitors water, gas, and electrical assets, and can issue remote commands to those assets.

Answer 205

(Security Content Automation Protocol) A framework developed by the National Institute of Standards and Technology (NIST) that automates the vulnerability management process, including identifying flaws in security configurations.

Answer 206

(Simple Certificate Enrollment Protocol) A protocol that provides a scalable means to request and enroll digital certificates.

Answer 207

(software-defined networking) An approach to networking architecture that simplifies management by separating systems that control where traffic is sent from systems that actually forward this traffic to its destination

Answer 208

(Security as a Service) A cloud service model in which the cloud service shoulders the responsibility of building, maintaining, and hosting security technologies for a client.

Answer 209

An identity federation method that provides single sign-on capabilities and enables websites to make informed authorization decisions for access to protected online resources.

Answer 210

(service-level agreement) A business agreement that outlines what services and support will be provided to a client.

Answer 211

(single loss expectancy) The financial loss expected from a single adverse event.

Answer 212

A phishing variant in which an attacker uses SMS messages to entice a victim.

Answer 213

(Sarbanes-Oxley Act) A law enacted in 2002 that dictates requirements for the storage and retention of documents relating to an organization's financial and business operations.

Answer 214

A type of phishing attack in which an attacker targets a specific individual or institution

Answer 215

(Service Provisioning Markup Language) An XML-based authorization framework used primarily for automating and managing the provisioning of resources across networks and organizations

Answer 216

(Trusted Computing Group) An implementation of TPM that is used to verify trusted operating systems.

Answer 217

(total cost of ownership) The total cost of a solution beyond its acquisition cost, when all additional costs are factored in.

Answer 218

A NAT traversal technology that enables IPv6 Teredo traffic to cross one or more NATs to access other Teredo hosts on the IPv4 Internet or the IPv6 Internet through a Teredo relay.

Answer 219

(time of check to time of use) A race condition vulnerability that occurs when there is a change between when an app checked a resource and when the app used the resource.

deck 0 Flashcards

(243 cards)