GIBSON REMEMBER Flashcards

1

The CIA Triad is the foundation of everything we do in
cybersecurity. It’s one of the essential concepts listed in the
Security+ exam objectives, and you should be very familiar with it
when you take the exam. As you learn about different security
threats and controls throughout this book, try to relate each of
them to one or more of the three goals of confidentiality,
integrity, and availability.

2
Confidentiality ensures that data is only viewable by authorized
users. The best way to protect the confidentiality of data is by
encrypting it. This includes any type of data, such as PII, data in
databases, and data on mobile devices. Access controls help
protect confidentiality by restricting access.

3
Integrity verifies that data has not been modified. Loss of
integrity can occur through unauthorized or unintended changes.
Hashing algorithms, such as SHA, calculate hashes to verify
integrity. A hash is simply an alphanumeric string created by applying a hashing algorithm to a file or message. You can then
later run the same algorithm on the data and you should get the
same hash value. By comparing the hashes, you can verify that
there haven’t been any changes (authorized or unauthorized) to
the data. If the hashes are the same, the data is unchanged. If
the hash has changed, the data has changed.

4
Availability ensures that systems are up and operational when
needed and often addresses single points of failure. You can
increase availability by adding fault tolerance and redundancies,
such as RAID, failover clusters, backups, and generators.

5
Redundancy and fault tolerance methods increase the availability
of systems and data. Scalability refers to manually adding servers
to a service or resources to a system to meet new demand.
Elasticity refers to automatically adding or removing resources as needed.

6
Risk is the likelihood that a threat will exploit a vulnerability. Risk
mitigation reduces the chances that a threat will exploit a
vulnerability or reduces the risk’s impact by implementing security
controls.

7
You may find all this talk of categories and types a little
confusing. Remember that every control you encounter will
belong to at least one category and at least one type. For
example, a firewall is a technical control because it uses
technology to achieve its goals. It is also a preventive control
because its goal is to stop unwanted traffic from entering the
network, preventing an incident from occurring.

8
Managerial controls are administrative in function and
documented in security policies. Operational controls are
implemented by people who perform the day-to-day operations to
comply with an organization’s overall security plan.

9
Security controls are categorized as managerial (documented in
written policies), operational (performed in day-to-day
operations), technical (implemented with technology), or physical
(impacting the physical world).

10
Technical controls use technology to reduce vulnerabilities. Some
examples include encryption, antivirus software, IDSs, IPSs,
firewalls, and the least privilege principle. Physical security and
environmental controls include motion detectors and fire
suppression systems.

11
Preventive controls attempt to prevent security incidents.
Hardening systems modifies the basic configuration to increase
security. Security guards can prevent unauthorized personnel
from entering a secure area. Change management processes help
prevent outages from configuration changes. An account
disablement process ensures that accounts are disabled when a
user leaves the organization.

13
Identification occurs when a user claims an identity, such as with
a username or email address. Authentication occurs when the
user proves the claimed identity (such as with a password) and
the credentials are verified. Access
control systems provide authorization by granting access to
resources based on permissions granted to the proven identity.
Logging provides accounting.

14
Complex passwords use a mix of character types. Strong
passwords use a mix of character types and have a minimum
password length of at least eight characters. A password
expiration identifies when a password must be changed.

15
Account lockout policies thwart some password attacks, such as
brute force and dictionary attacks. Many applications and devices
have default passwords. These should be changed before putting
the application or device into service.

16
Smart cards are often used with two-factor authentication where
users have something (the smart card) and know something
(such as a password or PIN). Smart cards include embedded
certificates used with digital signatures and encryption. They are

17
HOTP and TOTP are open-source standards used to create one-time-use passwords. HOTP creates a one-time-use password that
does not expire until it is used, and TOTP creates a one-time
password that expires after 30-60 seconds. Both can be used as
software tokens for authentication.

18
The third factor of authentication (something you are, defined
with biometrics) is the strongest individual authentication factor.
Biometric methods include fingerprint recognition, vein pattern
matching, retinal and iris scans, facial recognition, voice
recognition, and gait analysis.

19
Iris and retina scans are the strongest biometric methods
mentioned in this section. Iris scans are commonly preferred over
retinal scans because retinal scans are intrusive and may reveal
private medical concerns. Facial recognition and gait analysis can
bypass the enrollment process when used for identification
instead of authorization.

20
Using two or more methods in the same factor of authentication
(such as a PIN and a password) is single-factor authentication.
Two-factor authentication uses two different authentication
factors, such as using a hardware token and a PIN. Multifactor
authentication uses two or more factors.

21
Passwordless authentication is not necessarily multifactor
authentication. A single factor, such as something you have or
something you are, can be used for passwordless authentication.

22
Privileged access management (PAM) systems implement
stringent security controls over accounts with elevated privileges
such as administrator or root-level accounts. Some capabilities
include allowing authorized users to access the administrator
account without knowing the password, logging all elevated
privilege usage, and automatically changing the administrator
account password.

23
Requiring administrators to use two accounts, one with
administrator privileges and another with regular user privileges,
helps prevent privilege escalation attacks. Users should not use
shared accounts.

24
An account disablement policy identifies what to do with accounts
for employees who leave permanently or are on a leave of
absence. Most policies require administrators to disable the
account as soon as possible so that ex-employees cannot use the
account. Disabling the account ensures that data associated with
it remains available. Security keys associated with an account
remain available when the account is disabled, but the security
keys (and data they encrypted) are no longer accessible if it is
deleted.

25
Usage auditing records user activity in logs. A usage auditing review looks at the logs to see what users are doing and it can be used to re-create an audit trail. Permission auditing reviews help ensure that users have only the access they need and no more and can detect privilege creep issues.
26
SAML is an XML-based standard used to exchange authentication and authorization information between different parties. SAML provides SSO for web-based applications.
27
It’s easy to get confused about what OAuth does because the name is ambiguous! Remember that the “Auth” in OAuth stands for authorization, not authentication!
28
A role-based access control scheme uses roles based on jobs and functions. A roles and permissions matrix is a planning document that matches the roles with the required privileges.
29
Group-based privileges reduce the administrative workload of access management. Administrators put user accounts into security groups and assign privileges to the groups. Users within a group automatically inherit the privileges assigned to the group.
30
Rule-based access control is based on a set of approved instructions, such as an access control list. Some rule-BAC systems use rules that trigger in response to an event, such as modifying ACLs after detecting an attack or granting additional permissions to a user in certain situations.
31
The DAC scheme specifies that every object has an owner, and the owner has full, explicit control of the object. Microsoft NTFS uses the DAC scheme.
32
The MAC scheme uses sensitivity labels for users and data. It is commonly used when access needs to be restricted based on a need to know. Sensitivity labels often reflect classification levels of data and clearances granted to individuals.
33
The ABAC scheme uses attributes defined in policies to grant access to resources. It’s commonly used in software-defined networks (SDNs).
34
You can use a memory trick to remember the order of the OSI layers – make a sentence that has words starting with the seven letters of the model layers in order. My personal favorite is “Please Do Not Throw Sausage Pizza Away!” Other people use “All People Seem To Need Data Processing.” You can choose whatever works for you.
35
Secure Shell (SSH) encrypts traffic over TCP port 22 and is used to transfer encrypted files over a network. Transport Layer Security (TLS) is a replacement for SSL and is used to encrypt many different protocols, including browser-based connections using HTTPS. Secure FTP (SFTP) uses SSH to encrypt traffic. FTP Secure (FTPS) uses TLS to encrypt traffic.
36
SMTP, POP3, and IMAP4 are primary email protocols. Well-known ports for unencrypted and encrypted traffic (respectively) are: SMTP uses ports 25 and 587, POP3 uses 110 and 995, and IMAP4 uses 143 and 993. HTTP and HTTPS use ports 80 and 443, respectively.
37
Directory services, such as Microsoft Active Directory Domain Services (AD DS), provide authentication and authorization services for a network. AD DS uses LDAP, encrypted with TLS when querying the directory.
38
Administrators connect to servers remotely using protocols such as Secure Shell (SSH) and the Remote Desktop Protocol (RDP). In some cases, administrators use virtual private networks to connect to remote systems.
39
OpenSSH is a suite of tools that simplifies the use of SSH to connect to remote servers securely. The ssh-keygen command creates a public/private key pair, and the ssh-copy-id command copies the public key to a remote server. The private key must always stay private.
40
Port security includes disabling unused ports and limiting the number of MAC addresses per port. A more advanced implementation is to restrict each physical port to only a single specific MAC address.
41
Broadcast storm and loop prevention such as STP or RSTP is necessary to protect against switching loop problems, such as those caused when two ports of a switch are connected.
42
Routers and stateless firewalls (or packet-filtering firewalls) perform basic filtering with an access control list (ACL). ACLs identify what traffic is allowed and what traffic is blocked. An ACL can control traffic based on networks, subnets, IP addresses, ports, and some protocols. Implicit deny blocks all access that has not been explicitly granted. Routers and firewalls use implicit deny as the last rule in the access control list.
43
Administrators use SNMPv3 to manage and monitor network devices, and SNMP uses UDP ports 161 and 162. SNMPv3 encrypts credentials before sending them over the network and is more secure than earlier versions.
44
Host-based firewalls provide protection for individual hosts, such as servers or workstations. Network-based firewalls run on dedicated hardware and provide protection for an entire network. You should use host-based firewalls and network-based firewalls together to achieve a defense-in-depth approach to network security.
45
Firewalls use a deny any any, deny any, or a drop all statement at the end of the ACL to enforce an implicit deny strategy. The statement forces the firewall to block any traffic that wasn’t previously allowed in the ACL. The implicit deny strategy provides a secure starting point for a firewall.
46
A stateless firewall blocks traffic using only an ACL, while stateful firewalls use ACLs as well but also consider the state of the packet within a session. Web application firewalls provide strong protection for web servers. They protect against several different types of attacks, focusing on web application attacks.
47
A screened subnet (sometimes called a DMZ) is a buffer zone between the Internet and an internal network. It allows access to services while segmenting access to the internal network. In other words, Internet clients can access the services hosted on servers in the screened subnet, but the screened subnet provides a layer of protection for the intranet (internal network).
48
NAT translates public IP addresses to private IP addresses and private IP addresses back to public. A common form of NAT is Port Address Translation. Dynamic NAT uses multiple public IP addresses, while static NAT uses a single public IP address.
49
An air gap isolates one network from another by ensuring there is physical space (literally a gap of air) between all systems and cables.
50
Virtual local area networks (VLANs) separate or segment traffic on physical networks, and you can create multiple VLANs with a single switch. A VLAN can logically group several different computers together or logically separate computers without regard to their physical location. VLANs are also used to separate traffic types, such as voice traffic on one VLAN and data traffic on a separate VLAN.
51
A proxy server forwards requests for services from a client. It provides caching to improve performance and reduce Internet bandwidth usage. Transparent proxy servers accept and forward requests without modifying them. Non-transparent proxy servers use URL filters to restrict access to certain sites. Both types can log user activity.
52
A unified threat management (UTM) appliance combines multiple security controls into a single appliance. It can inspect data streams and often includes URL filtering, malware inspection, and content inspection components. Many UTMs include a DDoS mitigator to block DDoS attacks.
53
A jump server is placed between different security zones and provides secure access from devices in one zone to devices in the other zone. It can provide secure access to devices in a screened subnet from an internal network.
54
A HIDS can monitor all traffic on a single host system such as a server or a workstation. In some cases, it can detect malicious activity missed by antivirus software.
55
A NIDS console is installed on a network appliance. Sensors are installed on network devices such as switches, routers, or firewalls to monitor network traffic and detect network-based attacks. You can also use taps or port mirrors to capture traffic. A NIDS cannot monitor encrypted traffic and cannot monitor traffic on individual hosts.
56
Signature-based detection identifies issues based on known attacks or vulnerabilities. Signature-based detection systems can detect known attack types. Trend-based IDSs (also called anomaly-based) can detect unusual activity. They start with a performance baseline of normal behavior and then compare network traffic against this baseline. When traffic differs significantly from the baseline, the system sends an alert.
57
A false positive incorrectly indicates an attack is occurring when an attack is not active. A high incidence of false positives increases the administrator’s workload. A false negative is when an attack occurs, but the system doesn’t detect and report it. Administrators often set the IDS threshold high enough to minimize false positives but low enough that it does not allow false negatives.
58
An intrusion prevention system (IPS) is a preventive control. It is placed in-line with traffic. An IPS can actively monitor data streams, detect malicious content, and stop attacks in progress. It can also be used internally to protect private networks.
59
An IPS is placed in-line with the traffic and can detect, react to, and prevent attacks. An IDS monitors and responds to an attack. It is not in-line but instead collects data passively (also known as out-of-band).
60
Honeypots and honeynets attempt to deceive attackers and disrupt attackers. They divert attackers from live networks and allow security personnel to observe current methodologies attackers are using. A honeyfile is a file with a name (such as password.txt) that will attract the attacker’s attention. A honeytoken is a fake record inserted into a database to detect data theft.
61
MAC filtering can restrict wireless network access to specific clients. However, an attacker can use a sniffer to discover allowed MAC addresses and circumvent this form of network access control. It’s relatively simple for an attacker to spoof a MAC address.
62
A site survey examines the wireless environment to identify potential problem areas. A heat map shows wireless coverage and dead spots if they exist. Wireless footprinting gives you a detailed diagram of wireless access points, hotspots, and dead spots within an organization.
63
WPA2-PSK uses a pre-shared key and does not provide individual authentication. Open mode doesn’t use security and allows all users to access the AP. Enterprise mode is more secure than Personal mode, providing strong authentication. Enterprise mode uses an 802.1X server (implemented as a RADIUS server) to add authentication.
64
WPA2 supports CCMP (based on AES) and replaced earlier wireless cryptographic protocols. WPA3 uses Simultaneous Authentication of Equals (SAE) instead of a pre-shared key (PSK) used with WPA2.
65
Enterprise mode requires an 802.1X server. EAP-FAST supports PACs. PEAP and EAP-TTLS require a certificate on the 802.1X server. EAP-TLS also uses TLS, but it requires certificates on both the 802.1X server and each of the clients. An 802.1X server provides port-based authentication, ensuring that only authorized clients can connect to a device or a network. It prevents rogue devices from connecting.
66
A disassociation attack effectively removes a wireless client from a wireless network, forcing it to re-authenticate. WPS allows users to configure a wireless device by entering an eight-digit PIN and/or pressing buttons on the device. A WPS attack guesses all possible PINs until it finds the correct one. It will typically discover the PIN within hours and use it to discover the passphrase.
67
Rogue access points are often used to capture and exfiltrate data. An evil twin is a rogue access point using the same SSID (or a similar SSID) as a legitimate access point. A secure AP blocks unauthorized users, but a rogue access point provides access to unauthorized users.
68
Bluejacking is the unauthorized sending of text messages to a nearby Bluetooth device. Bluesnarfing is the unauthorized access to, or theft of information from, a Bluetooth device. Ensuring devices cannot be paired without manual user intervention prevents these attacks, and placing them in Faraday cages will prevent pairing.
69
Administrators use war driving techniques as part of a wireless audit. A wireless audit checks a wireless signal footprint, power levels, antenna placement, and encryption of wireless traffic. Wireless audits using war driving can detect rogue access points and identify unauthorized users. War flying is similar to war driving, but it uses planes or drones instead of cars.
70
A virtual private network (VPN) provides remote access to a private network via a public network. VPN concentrators are dedicated devices used for VPNs. They include all the services needed to create a secure VPN supporting many clients.
71
IPsec is a secure encryption protocol used with VPNs. Encapsulating Security Payload (ESP) provides confidentiality, integrity, and authentication for VPN traffic. IPsec uses Tunnel mode for VPN traffic and can be identified with protocol ID 50 for ESP. It uses IKE over port 500. A full tunnel encrypts all traffic after a user has connected to a VPN. A split tunnel only encrypts traffic destined for the VPN’s private network.
72
Network access control (NAC) includes methods to inspect clients for health, such as having up-to-date antivirus software, and can restrict access of unhealthy clients to a remediation network. You can use NAC for VPN clients and internal clients.
73
PAP authentication uses a password. A significant weakness is that PAP sends the information across a network in cleartext, making it susceptible to sniffing attacks. CHAP is more secure than PAP because CHAP doesn’t send passwords over the network in cleartext.
74
RADIUS and TACACS+ provide centralized authentication. RADIUS only encrypts the password by default but can be used with EAP to encrypt entire sessions. TACACS+ encrypts the entire session by default and can be used with Kerberos.
75
Virtualization allows multiple virtual servers to operate on a single physical server providing increased cybersecurity resilience with lower operating costs. Keeping systems up to date with current patches is the best protection from VM escape attacks.
76
A master image provides a secure starting point for systems. Administrators sometimes create them with templates or with other tools to create secure baselines. They then use integrity measurements to discover when a system deviates from the baseline.
77
Patch management procedures ensure that operating systems, applications, and firmware are up-to-date with current patches. This protects systems against known vulnerabilities. Change management defines the process and accounting structure for handling modifications and upgrades. The goals are to reduce risks related to unintended outages and provide documentation for all changes.
78
An application allow list is a list of authorized software, and it prevents users from installing or running software that isn’t on the list. An application block list is a list of unauthorized software and prevents users from installing or running software on the list.
79
Full disk encryption (FDE) protects all of the contents of a disk using encryption. This may be done with specialized software or it may be done using specialized hardware, known as self-encrypting drives (SED).
80
A Trusted Platform Module (TPM) is a hardware chip included in many desktops and laptops. It provides full disk encryption support and features a secure boot process and remote attestation. The endorsement key is a unique asymmetric key pair burned into the TPM chip that provides a hardware root of trust.
81
A hardware security module (HSM) is a removable or external device that can generate, store, and manage keys used in asymmetric encryption. Many server-based applications use an HSM to protect keys. A microSD HSM is an HSM device installed on a microSD card and can be installed on any device with a microSD or SD slot.
82
Data exfiltration is the unauthorized transfer of data out of a network. Data loss prevention (DLP) techniques and technologies can block the use of USB devices to prevent data loss and monitor outgoing network traffic for unauthorized data transfers.
83
The primary methods of protecting the confidentiality of data are encryption and strong access controls. Database column encryption protects individual fields within a database.
84
Applications such as web-based email provided over the Internet are Software as a Service (SaaS) cloud-based technologies. Platform as a Service (PaaS) provides customers with a fully managed platform, including hardware, operating systems, and limited applications. The vendor keeps systems up to date with current patches. Infrastructure as a Service (IaaS) provides customers with access to hardware in a self-managed platform.
85
Public cloud services are available to any customer who wishes to use them. Private clouds are available for only one organization. Two or more organizations with shared concerns can share a community cloud. A hybrid cloud is a combination of two or more cloud deployment models.
86
A managed security service provider (MSSP) is a third-party vendor that provides security services for an organization. A managed service provider (MSP) provides any IT services needed by an organization, including security services provided by an MSSP.
87
A cloud-based DLP can enforce security policies for data stored in the cloud, such as ensuring that Personally Identifiable Information (PII) is encrypted.
88
A cloud access security broker (CASB) is a software tool or service deployed between an organization’s network and the cloud provider. It provides security by monitoring traffic and enforcing security policies. A next-generation secure web gateway (SWG) provides proxy services for traffic from clients to Internet sites, such as filtering URLs and scanning for malware.
89
Corporate-owned, personally enabled (COPE) devices are owned by the organization, but employees can use them for personal reasons. A bring your own device (BYOD) policy allows employees to connect their own personal devices to the corporate network. A choose your own device (CYOD) policy includes a list of approved devices that employees can purchase and connect to the network.
90
Mobile device management (MDM) tools help enforce security policies on mobile devices. This includes the use of storage segmentation, containerization, and full device encryption to protect data. Containerization is useful when using the BYOD model. They also include enforcing strong authentication methods to prevent unauthorized access.
91
Remote wipe sends a signal to a lost or stolen device to erase all data. Geolocation uses Global Positioning System (GPS) and can help locate a lost or stolen device. Geofencing creates a virtual fence or geographic boundary and can be used to detect when a device is within an organization’s property. GPS tagging adds geographical data to files such as pictures. Context-aware authentication uses multiple elements to authenticate a user and a mobile device.
92
Tethering and mobile hotspots allow devices to access the Internet and bypass network controls. Wi-Fi Direct is a standard that allows devices to connect without a wireless access point or wireless router. MDM tools can block access to devices using tethering, mobile hotspot, or Wi-Fi Direct to access the Internet.
93
A supervisory control and data acquisition (SCADA) system has embedded systems that control an industrial control system (ICS), such as one used in a power plant or water treatment facility. Embedded systems are also used for many special purposes, such as medical devices, automotive vehicles, aircraft, and unmanned aerial vehicles (UAVs).
94
An embedded system is any device that has a dedicated function and uses a computer system to perform that function. It includes any devices in the Internet of Things (IoT) category, such as wearables and home automation systems. Some embedded systems use a system on a chip (SoC).
95
An advanced persistent threat (APT) refers to an organized and sophisticated group of threat actors. Nation-states (governments) sponsor them and give them specific targets and goals. Organized crime groups are organized individuals involved in crime. Their primary motivation is money.
96
An unskilled attacker uses existing computer scripts or code to launch attacks. These unskilled attackers typically have very little expertise, sophistication, and funding. A hacktivist launches attacks as part of an activist movement or to further a cause. An insider is anyone with legitimate access to an organization’s internal resources, such as an employee of a company. DLP solutions can prevent users from writing data to external media devices.
97
Different types of attackers have different attributes. The major differences are whether an attacker comes from an internal or external source, the resources and funding available to the attacker, and the attacker’s level of sophistication and capability.
98
You need to know the common threat actor motivations when you take the Security+ exam. The motivations listed by CompTIA include data exfiltration, service disruption, blackmail, financial gain, philosophical/political beliefs, ethical hacking, revenge, espionage, and war.
99
Attackers use many different threat vectors to gain access to an organization. So far, we’ve discussed message-based, image-based, and file-based attack vectors as well as voice calls, removable devices, vulnerable software, unsecure networks, open service ports, default credentials, and the supply chain. Later in this chapter, we’ll discuss human vectors and social engineering attacks.
100
Shadow IT refers to systems or applications used within an organization without authorization or approval.
101
A logic bomb executes in response to an event, such as when a specific application is executed, or a specific time arrives.
102
A Trojan appears to be something useful but includes a malicious component, such as installing a backdoor on a user’s system. Many Trojans are delivered via drive-by downloads. They can also infect systems with fake antivirus software, pirated software, games, and browser extensions.
103
Keyloggers capture a user’s keystrokes and store them in a file. This file can be automatically sent to an attacker or manually retrieved depending on the keylogger. Spyware monitors a user’s computer and often includes a keylogger.
104
Rootkits have system-level or kernel access and can modify system files and system access. Rootkits hide their running processes to avoid detection with hooking and similar techniques. Tools that can inspect RAM can discover these hidden hooked processes.
105
Ransomware is a type of malware that takes control of a user’s system or data. Criminals then attempt to extort payment from the victim. Ransomware often includes threats of damaging a user’s system or data if the victim does not pay the ransom, and attackers increasingly target hospitals, cities, and other larger organizations.
106
Malware includes a wide variety of malicious code, including viruses, worms, Trojans, ransomware, and more. A virus is malicious code that attaches itself to an application and runs when the application is started. A worm is self-replicating and doesn’t need user interaction to run.
107
Social engineering uses social tactics to trick users into giving up information or performing actions they wouldn’t normally take. Social engineering attacks can occur in person, over the phone, while surfing the Internet, and via email.
108
A social engineer can gain unauthorized information just by looking over someone’s shoulder. This might be done in person, such as when a user is at a computer, or remotely using a camera. Screen filters help prevent shoulder surfing by obscuring people’s view unless they are directly in front of the monitor.
109
Tailgating is a social engineering tactic that occurs when one user follows closely behind another user without using credentials. Access control vestibules (sometimes called mantraps) allow only a single person to pass at a time. Sophisticated mantraps can identify and authenticate individuals before allowing access. Dumpster divers search through trash looking for information. Shredding or burning papers instead of throwing them away mitigates this threat.
110
Spam is unwanted email. Phishing is malicious spam. Attackers attempt to trick users into revealing sensitive or personal information or clicking on a link. Links within email can also lead unsuspecting users to install malware.
111
A spear phishing attack targets specific groups of users. It could target employees within a company or customers of a company. Digital signatures provide assurances to recipients about who sent an email and can reduce the success of spear phishing. Whaling targets high-level executives or impersonates high-level executives.
112
Vishing is a form of phishing that uses the phone system or VoIP. Some vishing attempts are fully automated. Others start as automated calls, but an attacker takes over at some point during the call. Smishing is a form of phishing using text messages.
113
Antivirus software detects and removes malware, such as viruses, Trojans, and worms. Signature-based antivirus software detects known malware based on signature definitions. Heuristic-based antivirus software detects previously unknown malware based on behavior.
114
Social engineers are effective largely because they use psychology-based techniques to overcome users’ objections. These techniques include representing themselves as authority figures, using intimidation, faking scarcity, creating a sense of urgency, establishing familiarity, and creating a sense of trust.
115
A distributed denial-of-service (DDoS) attack is an attack from multiple computers against a single target. DDoS attacks typically include sustained, abnormally high network traffic and usage of memory and processor time resulting in resource exhaustion. Major variants of DDoS attacks include reflected attacks, which involve using third-party servers to redirect traffic to the target, and amplified attacks, which combine reflection techniques with amplification to generate an even greater volume of traffic directed at the target.
116
An on-path attack is a form of active eavesdropping. It captures data from two other computers in a session. When secure channels are used, the on-path system may use certificates that aren’t issued by a CA and will generate certificate warnings. SSH gives a warning if previously established keys have changed.
117
A DNS poisoning attack attempts to modify or corrupt DNS data. Pharming is also an attack on DNS, and it manipulates the DNS name resolution process. A primary indicator of both attacks is that a user tries to go to one website but is taken to a different website.
118
In a domain hijacking attack, an attacker changes a domain name registration without permission from the owner.
119
Replay attacks capture data in a session to impersonate one of the parties in the session. Timestamps, sequence numbers, and multi-factor authentication are effective countermeasures against replay attacks.
120
The lack of input validation is one of the most common security issues on web-based applications. Input validation verifies the validity of inputted data before using it, and server-side validation is more secure than client-side validation. Input validation protects against many attacks, such as buffer overflow, SQL injection, dynamic link library injection, and cross-site scripting attacks.
121
Error and exception handling helps protect the operating system’s integrity and controls the errors shown to users. Applications should show generic error messages to users but log detailed information.
122
Static code analysis examines the code without running it. In a manual review, a developer goes through the code line by line, looking for vulnerabilities. Dynamic code analysis checks the code while it is running. Fuzzing techniques send random strings of data to applications looking for vulnerabilities.
123
A secure development environment includes multiple stages. Stages are completed in separate non-production environments. Quality assurance methods are used in each of the stages.
124
Attackers use SQL injection attacks to pass queries to back-end databases through web servers. Many SQL injection attacks use the code ' or 1=1 to trick the database server into providing information. Input validation techniques and stored procedures help prevent SQL injection attacks.
125
Buffer overflows occur when an application receives more data than it can handle or receives unexpected data that exposes system memory. Buffer overflow attacks often include NOP instructions (such as 0x90) followed by malicious code. When successful, the attack causes the system to execute the malicious code. Input validation helps prevent buffer overflow attacks.
126
The common use cases for automation and scripting in security operations are user provisioning, resource provisioning, guardrails, security groups, ticket creation, escalation, enabling/disabling services and access, continuous integration and testing, and the use of APIs to create integrations.
127
The key benefits of automation and scripting in security operations include improved efficiency and time saving, consistent enforcement of baselines, standardized infrastructure configurations, secure scaling, increased employee retention, faster reaction times, and serving as a workforce multiplier.
128
When implementing automation and scripting in security operations, it is essential to consider the potential complexity, cost, single points of failure, technical debt, and ongoing supportability to ensure long-term success and maintainability.
129
It is not possible to eliminate risk, but you can take steps to manage it. An organization can avoid a risk by not providing a service or not participating in a risky activity. Insurance transfers the risk to another entity. You can mitigate risk by implementing controls, but when the cost of the controls exceeds the cost of the risk, an organization accepts the remaining, or residual, risk.
130
A quantitative risk assessment uses specific monetary amounts to identify cost and asset values. The SLE identifies each loss’s cost, the ARO identifies the number of events in a typical year, and the ALE identifies the expected annual loss from the risk. You calculate the ALE as SLE × ARO. A qualitative risk assessment uses judgment to categorize risks based on the likelihood of occurrence and impact.
131
A risk register is a comprehensive document listing known information about risks such as the risk owner. It typically includes risk scores along with recommended security controls to reduce the risk scores. A risk matrix plots risks onto a chart.
132
A vulnerability scanner can identify vulnerabilities, misconfigured systems, and the lack of security controls such as up-to-date patches. Vulnerability scans may be configured as passive and have little impact on a system during a test. In contrast, a penetration test is intrusive and can potentially compromise a system.
133
A false positive from a vulnerability scan indicates that a scan detected a vulnerability, but the vulnerability doesn’t exist. Credentialed scans run under the context of a valid account and can get more detailed information on targets, such as the software versions of installed applications. They are typically more accurate than non-credentialed scans and result in fewer false positives.
134
A penetration test is an active test that can assess deployed security controls and determine the impact of a threat. It starts with reconnaissance and then tries to exploit vulnerabilities by attacking or simulating an attack.
135
After exploiting a system, penetration testers use privilege escalation techniques to gain more access to target systems. Pivoting is the process of using an exploited system to target other systems.
136
Unknown environment testers have zero prior knowledge of a system prior to a penetration test. Known environment testers have full knowledge of the environment, and partially known environment testers have some knowledge.
137
Administrators use a protocol analyzer to capture, display, and analyze packets sent over a network. It is useful when troubleshooting communication problems between systems. It is also useful to detect attacks that manipulate or fragment packets.
138
Proximity cards are typically credit card-sized access cards. Users pass the card near a proximity card reader, and the card reader then reads data on the card. Some access control points use proximity cards with PINs for authentication.
139
Video surveillance provides reliable proof of a person’s location and activity. It can identify who enters and exits secure areas and can record theft of assets. Many cameras include motion detection and object detection capabilities. CCTV systems can be used as a compensating control in some situations.
140
Sensors monitor the environment and can detect changes. Common sensor types include motion and noise detection as well as sensors designed to monitor infrared temperature, pressure, microwaves, and ultrasonic waves.
141
A single point of failure is any component whose failure results in the failure of an entire system. Elements such as RAID, load balancing, UPSes, and generators remove many single points of failure. RAID is an inexpensive method used to add fault tolerance and increase availability. If only one person knows how to perform specific tasks, that person can become a single point of failure.
142
RAID subsystems, such as RAID-1, RAID-5, and RAID-6, provide fault tolerance and increased data availability. RAID-1 and RAID-5 can survive the failure of one disk, and RAID-6 can survive the failure of two disks.
143
Load balancing increases the overall processing power of a service by sharing the load among multiple servers. Configurations can be active/passive or active/active. Scheduling methods include round-robin and source IP address affinity. Source IP address affinity scheduling ensures clients are redirected to the same server for an entire session.
144
If you have unlimited time and money, the full backup alone provides the fastest recovery time. Full/incremental strategies reduce the amount of time needed to perform backups. Full/differential strategies reduce the amount of time needed to restore backups.
145
Test restores are the best way to test the integrity of a company’s backup data. Backup media should be protected with the same level of protection as the data on the backup. Geographic considerations for backups include storing backups off-site, choosing the best location, and considering legal implications and data sovereignty.
146
The BIA identifies mission-essential functions and critical systems that are essential to the organization’s success. It also identifies maximum downtime limits for these systems and components, various scenarios that can impact these systems and components, and the potential losses from an incident.
147
The recovery time objective (RTO) identifies the maximum amount of time it should take to restore a system after an outage. It is derived from the maximum allowable outage time identified in the BIA. The recovery point objective (RPO) refers to the amount of data you can afford to lose.
148
The mean time between failures (MTBF) provides a measure of a system’s reliability and an estimate of how often the system will experience outages. The mean time to repair (MTTR) refers to the time it takes to restore a system.
149
A hot site includes personnel, equipment, software, and communication capabilities of the primary site with all the data up-to-date. A hot site provides the shortest recovery time compared with warm and cold sites. It is the most effective disaster recovery solution, but it is also the most expensive to maintain.
150
A cold site will have power and connectivity needed for a recovery site, but little else. Cold sites are the least expensive and the hardest to test. A warm site is a compromise between a hot site and a cold site. Mobile sites do not have dedicated locations but can provide temporary support during a disaster.
151
A disaster recovery plan (DRP) identifies how to recover critical systems after a disaster and often prioritizes services to restore after an outage. Testing validates the plan. The final phase of disaster recovery includes a review to identify any lessons learned and may include an update of the plan.
152
You can validate business continuity plans through testing. Tabletop exercises are discussion-based only and are typically performed in a conference setting. Simulations are hands-on exercises using a simulated environment. Parallel processing activates the disaster recovery site and runs it alongside the primary site. Failover tests shut down the primary site to determine whether the failover site works properly.
153
Hashing verifies integrity for data such as email, downloaded files, and files stored on a disk. A hash is a hexadecimal number created with a hashing algorithm.
154
Hashing is a one-way function that creates an alphanumeric string of characters. You cannot reverse the hash to re-create the original file. Passwords are often stored as hashes instead of storing the actual password. Additionally, applications often salt passwords with extra characters before hashing them.
155
If you can recognize the hashing algorithms such as MD5, SHA, and HMAC, it will help you answer some exam questions. For example, if a question asks what you would use to encrypt data and it lists three hashing algorithms, you can quickly eliminate them because hashing algorithms don’t encrypt data.
156
Online attacks guess the password of an online system. Offline attacks guess the password stored within a downloaded file, such as a database. Logs will show a large volume of failed logon attempts as Event ID 4625 and/or several accounts being locked out as Event ID 4740. Spraying attacks attempt to avoid account lockout policies, but logs will still show a large volume of failed logon attempts, with a time lapse between each entry.
157
Passwords are typically stored as hashes. A pass the hash attack attempts to use an intercepted hash to access an account. These attacks can be detected in Event ID 4624 with a Logon Process of NTLMSSP and/or an Authentication Package of NTLM.
158
Birthday attacks exploit collisions in hashing algorithms. A hash collision occurs when the hashing algorithm creates the same hash from different passwords. Salting adds random text to passwords before hashing them and thwarts many password attacks, including rainbow table attacks.
159
Bcrypt, PBKDF2, and Argon2 are key stretching techniques that help prevent brute force and rainbow table attacks. They salt the password with additional bits and then send the result through a cryptographic algorithm.
160
Encryption provides confidentiality and helps ensure that data is viewable only by authorized users. This applies to any data at rest (such as data stored in a database) or data in transit being sent over a network.
161
Symmetric encryption uses the same key to encrypt and decrypt data. For example, when transmitting encrypted data, symmetric encryption algorithms use the same key to encrypt and decrypt data at both ends of the transmission media.
162
Stream ciphers encrypt data a single bit, or a single byte, at a time in a stream. Block ciphers encrypt data in a specific-sized block such as 64-bit or 128-bit blocks. Stream ciphers are more efficient than block ciphers when encrypting data in a continuous stream.
163
AES is a strong symmetric block cipher that encrypts data in 128-bit blocks. AES uses 128-bit, 192-bit, or 256-bit keys. 3DES is a block cipher that encrypts data in 64-bit blocks. 3DES was originally designed as a replacement for DES, but NIST selected AES as the current standard. However, 3DES is still used in some applications, such as when legacy hardware doesn’t support AES.
164
Only a private key can decrypt information encrypted with a matching public key. Only a public key can decrypt information encrypted with a matching private key. A key element of several asymmetric encryption methods is that they require a digital certificate and a PKI.
165
Digital certificates are an important part of asymmetric encryption. Digital certificates include public keys along with details on the owner of the certificate and on the Certificate Authority (CA) that issued the certificate. Certificate owners share their public key by sharing a copy of their digital certificate.
166
Steganography, tokenization, and masking are examples of obfuscation techniques used to protect sensitive data. Steganography hides messages or data within other files. Tokenization replaces sensitive data with non-sensitive tokens, retaining essential information without revealing sensitive details. Masking partially or fully conceals sensitive data with characters, symbols, or other data.
167
Knowing which key encrypts and which key decrypts will help you answer some questions on the exam. For example, just by knowing that a private key is encrypting, you know that it is being used for a digital signature.
168
A digital signature is an encrypted hash of a message. The sender’s private key encrypts the hash of the message to create the digital signature. The recipient decrypts the digital signature to reveal the hash with the sender’s public key. If successful, it provides authentication, non-repudiation, and integrity. Authentication identifies the sender. Integrity verifies the message has not been modified. Non-repudiation prevents senders from later denying they sent an email.
169
When encrypting an email message, the sender uses the recipient’s public key to encrypt it, and the recipient uses the recipient’s private key to decrypt it.
170
TLS is the replacement for SSL. TLS requires certificates issued by certificate authorities (CAs). TLS encrypts HTTPS traffic, but it can also encrypt other traffic.
171
Administrators should disable weak cipher suites and weak protocols on servers. When a server has both strong and weak cipher suites, attackers can launch downgrade attacks bypassing the strong cipher suite and exploiting the weak cipher suite.
172
You typically request certificates using a certificate signing request (CSR). The first step is to create the RSA-based private key, which is used to create the public key. You then include the public key in the CSR and the CA will embed the public key in the digital certificate. The private key is not sent to the CA.
173
CAs revoke certificates for several reasons such as when the private key is compromised or the CA is compromised. The certificate revocation list (CRL) includes a list of revoked certificates and is publicly available. An alternative to using a CRL is the Online Certificate Status Protocol (OCSP), which returns answers such as good, revoked, or unknown.
174
Certificate stapling is an alternative to OCSP. The certificate presenter (such as a web server) appends the certificate with a timestamped digitally signed OCSP response from the CA. This reduces OCSP traffic to and from the CA.
175
CER is an ASCII format for certificates and DER is a binary format. PEM is the most used certificate format and can be used for just about any certificate type. P7B files are commonly used to share public keys. P12 and PFX files are commonly used to hold the private key.
176
An incident response policy defines a security incident and incident response procedures. Incident response procedures start with preparation, which readies the organization for incidents and helps prevent them. Preparation helps prevent incidents such as malware infections. Personnel review the policy periodically and in response to lessons learned after incidents.
177
The first step in the incident response process is preparation. Next, the organization detects security incidents that occur and analyzes their effects. After identifying an incident, personnel attempt to contain the problem to protect critical systems while maintaining business operations. Eradication attempts to remove all malicious components from an attack, and recovery returns affected systems to normal operation. Reviewing lessons learned allows personnel to analyze the incident and the response to help prevent a future occurrence.
178
When collecting data for forensic analysis, you should collect it from the most volatile to the least volatile. The order of volatility is cache memory, regular RAM, swap file (or paging file), hard drive data, and data stored on network systems.
179
Security Orchestration, Automation, and Response (SOAR) platforms use internal tools to respond to low-level security events automatically, reducing administrator workload. A SOAR playbook provides a checklist of things to check for suspected incidents. A SOAR runbook implements the playbook checklist using available tools within the organization.
180
Data governance refers to the processes an organization uses to manage, process, and protect data. Some data governance methods help ensure or improve the quality of data. Other methods are driven by regulations and laws. Proper data governance practices ensure that critical data elements are identified.