Lists to Memorize

Question 1

CIA Triad

Answer 1

Confidentiality
Integrity
Availability

Question 2

CIANA Pentagon

Answer 2

Confidentiality
Integrity
Availability
Non-Repudiation
Authentication

Question 3

AAA of Security

Answer 3

Authentication
Authorization
Accounting

Question 4

Security Control Categories

Answer 4

Technical
Managerial
Operational
Physical

Question 5

Types of Security Controls

Answer 5

Preventative
Deterrent
Detective
Corrective
Compensating
Directive

Question 6

4 Kinds of Redundancy

Answer 6

Server
Data
Network
Power

Question 7

5 Methods of Authentication

Answer 7

Something you know: Knowledge Factor
Something you have: Possession Factor
Something you are: Inherence Factor
Something you do: Action Factor
Somewhere you are: Location Factor

Question 8

5 Steps of Accounting

Answer 8

1. Audit Trail
2. Regulatory Compliance
3. Forensic Analysis
4. Resource Optimization
5. User Accountability

Question 9

Steps of Gap Analysis

Answer 9

1. Define the scope of the analysis.
2. Gather data on the current state of the organization.
3. Analyze the data to identify the gaps.
4. Develop a plan to bridge the gap.

Question 10

6 Triggers of Social Engineering

Answer 10

1. Authority
2. Urgency
3. Social Proof
4. Scarcity
5. Likability
6. Fear

Question 11

6 Kinds of Phishing Attacks

Answer 11

1. Phishing
2. Vishing
3. Smishing
4. Whaling
5. Spear Phishing
6. Business Email Compromise (BEC)

Question 12

10 Types of Computer Viruses

Answer 12

1. Boot Sector
2. Macro
3. Program
4. Multipartite
5. Encrypted
6. Polymorphic
7. Metamorphic
8. Stealth
9. Armored
10. Hoax

Question 13

Operating System Rings

Answer 13

Ring 0 = Kernel
Ring 1 = Administrator
Ring 2 = Between Administrator and User
Ring 3 = User

Question 14

9 Indications of Malware Attacks

Answer 14

1. Account Lockouts
2. Concurrent Session Utilization
3. Blocked Content
4. Impossible Travel
5. Resource Consumption
6. Resource Inaccessibility
7. Out-of-Cycle Logging
8. Missing Logs
9. Published or Documented Attacks

Question 15

Commercial Data Classifications

Answer 15

Public
Private
Confidential
Critical

Question 16

Government Data Classifications

Answer 16

Unclassified
Sensitive but Unclassified
Confidential
Secret
Top Secret

Question 17

Forms of Data Ownership

Answer 17

Data Owner
Data Controller
Data Processor
Data Steward
Data Custodian

Question 18

3 States of Data

Answer 18

Data-at-Rest
Data-in-Transit
Data-in-Use

Question 19

Types of Data

Answer 19

Regulated Data
Personal Identification Information (PII)
Protected Health Information (PHI)
Trade Secrets
Intellectual Property (IP)
Legal information
Financial information
Human-readable vs. Non-human readable data

Question 20

Data Loss Prevention (DLP) Systems

Answer 20

Endpoint DLP System
Network DLP System
Storage DLP
Cloud-based DLP System

Question 21

Symmetric Algorithms

Answer 21

Data Encryption Standard (DES)
Triple DES (3DES)
International Data Encryption Algorithm (IDEA)
Advanced Encryption Standard (AES)
Blowfish
Twofish
Rivest Cipher (RC4)
Rivest Cipher (RC5)
Rivest Cipher (RC6)

Question 22

Asymmetric Algorithms

Answer 22

Digital Signature = Private Key Hash to verify authorship
Diffie-Hellman (DH) = Secure Key Exchange Method
Rivest, Shamir, and Adleman (RSA)
Elliptic Curve Cryptography (ECC)
Elliptic Curve Diffie-Hellman (ECDH)
Elliptic Curve Diffie-Hellman Ephemeral (ECDHE)
Elliptic Curve Digital Signature Algorithm (ECDSA)

Question 23

Hashing Algorithms

Answer 23

MD5 = Susceptible to hash collisions, insecure
SHA-1 = Outdated first version
SHA-2 = SHA-256 is most secure version, all other versions are insecure
SHA-3 = Most recent family, all versions are secure
RIPEMD (RACE Integrity Primitive Evaluation Message Digest) = Hash family that competes against SHA
RIPEMD-160 = Competitor to SHA-256
HMAC (Hash-based Message Authentication Code) = Protocol that checks messages to validate authenticity
Digital Security Standard (DSS) = Hash algorithm used by government

Question 24

Digital Certificates

Answer 24

Digital Certificate
Wildcard Certificate
Single-Sided Certificate
Dual-Sided Certificate
Self-Signed Certificate
Third Party Certificate

Question 25

Risk Assessment Frequencies

Answer 25

Ad-Hoc Recurring One-Time Continuous

Question 26

Risk Register Components

Answer 26

Risk Description Risk Impact Risk Likelihood Risk Outcome Risk Level Cost Risk Tolerance/Acceptance Risk Appetite

Question 27

4 Elements of Vendor Due Diligence

Answer 27

Financial Stability Operational History Client Testimonials On-the-ground Practices

Question 28

List of Contracts

Answer 28

Basic Contract Service-Level Agreement (SLA) Memorandum of Agreement (MOA) Memorandum of Understanding (MOU) Master Service Agreement (MSA) Statement of Work (SOW) Non-Disclosure Agreement (NDA) Business Partnership Agreement (BPA)

Question 29

GRC Triad

Answer 29

Governance Risk Compliance

Question 30

Governance Structures

Answer 30

Boards Committees Government Entities Centralized Structures Decentralized Structures

Question 31

Forms of Access Control

Answer 31

Discretionary Access Control (DAC) Mandatory Access Control (MAC) Role-Based Access Control (RBAC) Rule-Based Access Control (RBAC) Attribute-Based Access Control (ABAC)

Question 32

3 Forms of Mobile Asset Deployment

Answer 32

Bring Your Own Device (BYOD) Corporate-Owned, Personally Enabled (COPE) Choose Your Own Device (CYOD)

Question 33

4 Different Types of Pentesting

Answer 33

Physical Offensive (Red Teaming) Defensive (Blue Teaming) Integrated (Purple Teaming)

Question 34

Different forms of RAID

Answer 34

RAID 0 RAID 1 RAID 5 RAID 6 RAID 10

Question 35

5 Power Conditions

Answer 35

Surges Spikes Sags Undervoltage Events Full Power Loss Events

Question 36

4 Power Systems

Answer 36

Line Conditioners Uninterruptible Power Supply Systems (UPS) Generators Power Distribution Centers (PDC)

Question 37

The Steps of Data Recovery

Answer 37

Selection of the backup Initiating the recovery process Data validation Testing and validation Documentation and reporting Notification

Question 38

Different Kinds of Redundant Sites

Answer 38

Hot Warm Cold Mobile Virtual

Question 39

Elements of Cloud Computing

Answer 39

Servers Storage Databases Networking Software Analytics Intelligence

Question 40

Cloud Security Threats

Answer 40

Shared Physical Server Vulnerabilities: Can lead to vulnerabilities if one user's data is compromised. Inadequate Virtual Environment Security: Can lead to unauthorized access, data breaches, and other security incidents. User Access Management: Can lead to unauthorized access to sensitive data and systems. Lack of Up-to-Date Security Measures: Can lead to leaving the system vulnerable to new threats. Single Point of Failure: Can lead to a complete system outage affecting all users. Weak Authentication and Encryption Practices: Can lead to allowing unauthorized users to gain access to cloud systems. Unclear Policies and Data Remnants: Lack of unclear guidelines or procedures for various security aspects. Data Remnants: Residual data left behind after deletion or erasure processes.

Question 41

Different Kinds of Ports

Answer 41

Inbound Outbound Well-Known Registered Dynamic/Private

Question 42

Different Kinds of Firewalls

Answer 42

Screened Subnet (Dual-Homed Host) Packet Filtering Stateful Proxy Circuit Level Proxy Application Level Proxy Kernel Proxy Next-Generation Firewall (NGFW) Unified Threat Management (UTM) Web Application Firewall (WAF)

Question 43

3 Kinds of IDS/IPS Systems

Answer 43

Network based Host Based Wireless Based

Question 44

4 Kinds of Network Appliances

Answer 44

Load Balancers Proxy Servers Sensors Jump Servers

Question 45

Different Tools of Port Security

Answer 45

Content Addressable Memory (CAM) Table Persistent (Sticky) MAC Learning 802.1x Protocol EAP-MD5 EAP-TLS EAP-TTLS EAP-FAST PEAP LEAP

Question 46

3 Methods to Secure Network Communications

Answer 46

1. Virtual Private Networks (VPN) 2. Transport Layer Security (TLS) 3. Internet Protocol Security Suite (IPSec)

Question 47

Infrastructure Considerations

Answer 47

1. Correct placement of devices 2. Security zones and screened subnets 3. Understanding the attack surface 4. Determining connectivity methods 5. Understanding device attributes 6. Configuring the failure mode

Question 48

6 Steps to Federation

Answer 48

Login Initiation Redirection to an Identity Provider Authenticating the User Generation of an Assertion Returning to the Service Provider Verification and Access

Question 49

3 Parts of Privileged Access Management (PAM)

Answer 49

Just-in-Time Permissions Password Vaulting Temporal Accounts

Question 50

Hardware Vulnerabilities

Answer 50

Firmware End-of-Life Systems Legacy Systems Unsupported Systems Unpatched Systems Hardware Misconfiguration

Question 51

Bluetooth Vulnerabilities

Answer 51

Insecure Pairing Device Spoofing On-Path Attacks

Question 52

Bluetooth Attacks

Answer 52

Bluejacking Bluesnarfing Bluebugging Bluesmack Blueborne

Question 53

OS Vulnerabilities

Answer 53

Unpatched Systems Zero-day Vulnerabilities Misconfigurations Data Exfiltration Malicious Updates

Question 54

Race Condition Attacks

Answer 54

Time-of-Check (TOC) Time-of-Use (TOU) Time-of-Evaluation (TOE)

Question 55

Denial-of-Service (DoS) Attacks

Answer 55

Denial-of-Service (DoS) Flood Attack Ping Flood SYN Flood Permanent Denial of Service (PDoS) Fork Bomb Distributed Denial of Service (DDoS) DNS Amplification Attack

Question 56

Domain Name System (DNS) Attacks

Answer 56

DNS Cache Poisoning (DNS Spoofing) DNS Amplification DNS Tunneling Domain Hijacking (Domain Theft) DNS Zone Transfer Attack

Question 57

Indicators of Compromise (IoC)

Answer 57

Account lockouts Concurrent session usage: One user having multiple sessions. Blocked content Impossible travel Resource consumption Resource inaccessibility Out-of-cycle logging: Logging events happening at odd times when no one is supposed to be active. Articles or documents on security breach Missing logs