Practice Exam 6 Flashcards
(25 cards)
Which of the following answers can be used to describe self-signed digital certificates? (Select 3 answers)
Answer: Not trusted by default by web browsers and other applications, Used in trusted environments, such as internal networks and development environments, and Not backed by a well-known and trusted third party.
Important Information
Not trusted by default by web browsers and most applications.
Used in trusted environments, like internal networks or development/testing setups.
Not backed by a trusted third party (no Certificate Authority involved).
Quick Explanation
A self-signed certificate is created and signed by the same entity rather than a trusted CA. Because there’s no external validation, browsers flag them as untrusted unless manually trusted.
Why It Matters
Self-signed certificates can be useful for testing or internal use but are not suitable for public-facing services due to trust issues. Knowing this distinction is important for Security+ and practical security decisions.
A self-signed digital certificate is also referred to as:
Answer: None of the above | Here are the answers listed: Client certificate, EV certificate, Server certificate, Wildcard certificate.
Important Information
Self-signed certificate = signed by the same entity that created it, no third-party CA involved.
Not the same as:
Client certificate (issued by CA to a client for authentication)
EV certificate (Extended Validation, high-trust CA-issued cert)
Server certificate (CA-issued cert for servers/websites)
Wildcard certificate (CA-issued cert covering multiple subdomains)
Quick Explanation
A self-signed certificate stands alone without external trust validation, unlike other types which involve a trusted CA.
Why It Matters
Knowing the difference helps avoid confusion during certification and real-world certificate management, especially for Security+ exam scenarios.
Third-party digital certificates, issued by trusted CAs, are automatically trusted by most browsers and operating systems, involve a cost, and require validation of the applicant’s identity. In contrast, self-signed certificates, issued by the entity to itself, are not automatically trusted, are free to create and use, and do not require validation by a CA.
Answer: True
Important Information
Third-party certificates:
Issued by trusted Certificate Authorities (CAs).
Automatically trusted by browsers and OS.
Cost money to obtain.
Require identity validation of the applicant.
Self-signed certificates:
Issued by the entity itself (no CA).
Not trusted by default.
Free to create and use.
No identity validation required.
Quick Explanation
Third-party certificates build trust through identity validation and CA backing, while self-signed certs are quick and free but are not trusted externally unless someone manually adds them to a trust store.
Why It Matters
Understanding the difference is critical for deploying secure websites and systems, and is commonly tested on the Security+ exam.
In the context of digital certificates, the term “Root of trust” refers to the highest level of trust within a PKI system. It is typically represented by a root CA, which is a trusted third party that serves as the foundation for the entire PKI. All other entities in the PKI hierarchy, including intermediate CAs and end-entities (such as web servers, email servers, user devices, IoT devices, and individual users), derive their trust from this root. When a certificate is issued and signed by an intermediate CA, it gains trust through a chain of trust back to the root CA. This hierarchical trust model allows users and systems to trust certificates presented by websites, services, or individuals because they can trace the trust back to the well-established root of trust.
Answer: True
Important Information
Root of trust = highest trust level in a PKI system.
Represented by the Root Certificate Authority (Root CA).
Root CA is a trusted third party and foundation of the trust hierarchy.
All other certificates (intermediate CAs, end-entities) derive trust from the root.
Trust is established through a chain of trust leading back to the root CA.
Quick Explanation
The root CA signs intermediate CAs, which in turn sign end-entity certificates, creating a trust chain. Users and systems trust certificates by verifying this chain back to the trusted root.
Why It Matters
Understanding the root of trust is essential for grasping how PKI establishes secure and trusted communications—a core topic for the Security+ exam.
Which of the answers listed below refers to a PKI trust model?
Answer: All of the above | Here are the answers listed: Single CA model, Hierarchical model (root CA + intermediate CAs), Mesh model (cross-certifying CAs), Web of trust model (all CAs function as root CAs), Chain of trust model (multiple CAs in a sequential chain), Bridge model (cross-certifying between separate PKIs), and Hybrid model (combining aspects of different models).
Important Information
PKI Trust Models describe how trust is established and managed between CAs and entities.
Common models include:
Single CA model — one CA issues all certificates.
Hierarchical model — root CA at top, intermediate CAs below (most common).
Mesh model — CAs cross-certify each other.
Web of trust model — all participants act as root CAs (used in PGP).
Chain of trust model — sequential chain of multiple CAs.
Bridge model — connects separate PKIs via cross-certification.
Hybrid model — combination of the above models.
Quick Explanation
Different PKI trust models define how entities trust certificates issued by various CAs, affecting scalability, security, and management of trust relationships.
Why It Matters
Knowing PKI trust models helps you understand how digital certificates and trust relationships work in different environments—a key concept for Security+.
Which of the following answers refers to a cryptographic file generated by an entity requesting a digital certificate from a CA?
Answer: CSR (Certificate Signing Request)
Important Information
CSR = cryptographic file generated by an entity (user, server, device) requesting a digital certificate.
Contains:
The public key to be certified.
Information about the requester (e.g., domain name, organization).
Sent to the Certificate Authority (CA) to request certificate issuance.
Signed by the requester to prove ownership of the private key.
Quick Explanation
A CSR is like an application form for a digital certificate, containing necessary info and the public key. The CA reviews it, validates the info, and issues the certificate.
Why It Matters
CSRs are the starting point for obtaining trusted digital certificates, foundational for secure communications and identity verification—critical for Security+.
A type of digital certificate that can be used to secure multiple subdomains within a primary domain is known as:
Answer: Wildcard certificate
Important Information
Wildcard certificate secures multiple subdomains under a single primary domain.
Uses a wildcard character (e.g., *.example.com) to cover:
mail.example.com
blog.example.com
shop.example.com, etc.
Simplifies certificate management by covering many subdomains with one certificate. Note that the wildcard matches a single label only: *.example.com covers mail.example.com but not example.com itself or a deeper name such as a.mail.example.com.
Typically issued by trusted Certificate Authorities (CAs).
Quick Explanation
A wildcard certificate allows you to secure all subdomains of a domain with a single SSL/TLS certificate, reducing cost and complexity.
Why It Matters
Wildcard certificates make managing secure connections easier and more efficient for organizations with multiple subdomains—a useful concept for Security+ and real-world deployments.
Which digital certificate type allows securing multiple domain names or subdomains with a single certificate?
Answer: Subject Alternative Name (SAN) certificate
Important Information
SAN certificate allows securing multiple domain names and/or subdomains in a single certificate.
Lists several domain names or IP addresses in the certificate’s SAN field.
Commonly used to secure:
Different domains (e.g., example.com, example.net)
Multiple subdomains
Also called multi-domain certificates.
Issued by trusted Certificate Authorities (CAs).
Quick Explanation
SAN certificates let one certificate protect several different domains or subdomains, simplifying management and reducing cost.
Why It Matters
Knowing about SAN certificates helps with flexible, scalable certificate deployment—important for Security+ and managing secure environments.
Which of the answers listed below refers to an identifier used for PKI objects?
Answer: OID (Object Identifier)
Important Information
OID (Object Identifier) = a unique identifier used in PKI and other systems.
Identifies objects, algorithms, protocols, or attributes within certificates and cryptographic standards.
Represented as a series of numbers separated by dots (e.g., 1.2.840.113549).
Used to specify:
Cryptographic algorithms (e.g., SHA-256)
Certificate policies
Extended key usages
Other standardized elements in digital certificates.
Quick Explanation
An OID is like a standardized “name tag” that precisely identifies cryptographic elements or attributes in PKI objects, ensuring consistency across systems.
Why It Matters
Recognizing OIDs helps understand certificate contents and how cryptographic systems specify and use algorithms—important for Security+ exam topics.
In IT security, the term “Shadow IT” is used to describe the practice of using IT systems, software, or services within an organization without the explicit approval or oversight of the organization’s IT department.
Answer: True
Important Information
Shadow IT = use of IT systems, apps, or services without approval or knowledge of the IT department.
Common examples: unauthorized cloud services, personal devices, unapproved software.
Creates security risks due to lack of oversight and control.
Can lead to data leaks, compliance violations, and vulnerabilities.
Quick Explanation
Shadow IT happens when employees bypass IT policies to quickly use tools they find useful, but this can introduce significant security risks.
Why It Matters
Managing Shadow IT is crucial for maintaining security, compliance, and data protection in organizations—a key focus for Security+.
Choose an answer from the drop-down list on the right to match a threat actor type on the left with its common attack vector attribute.
Answer: Nation-state - External, Unskilled attacker - Internal/External, Hacktivist - External, Insider threat - Internal, Organized crime - External, Shadow IT - Internal
Quick Explanation
External attackers operate outside the organization.
Internal attackers are insiders, like employees or contractors.
Some actors (e.g., unskilled attackers) can come from either inside or outside.
Shadow IT is an internal risk due to unauthorized use of technology.
Why It Matters
Identifying threat actors and their typical attack vectors helps in designing effective security controls and incident response strategies—essential for Security+.
Match each threat actor type with its corresponding resources/funding attribute.
Answer: Nation-state - High resources and funding, Unskilled attacker - Low resources and funding, Hacktivist - Low to medium resources and funding, Insider threat - Low to high resources and funding, Organized crime - Medium to high resources and funding, Shadow IT - Low to medium resources and funding
Quick Explanation
Nation-states have extensive funding for sophisticated attacks.
Unskilled attackers have minimal resources.
Hacktivists and shadow IT users operate with limited to moderate resources.
Insider threats can vary widely based on their position and access.
Organized crime groups are well-funded but usually less than nation-states.
Why It Matters
Knowing the funding and resource levels of threat actors helps assess the sophistication of attacks and tailor defenses—key for Security+.
Assign the level of sophistication attribute to each threat actor type listed below.
Answer: Nation-state - High level of sophistication, Unskilled attacker - Low level of sophistication, Hacktivist - Low to medium level of sophistication, Insider threat - Low to high level of sophistication, Organized crime - Medium to high level of sophistication, Shadow IT - Low to medium level of sophistication
Quick Explanation
Nation-states use advanced, well-planned tactics.
Unskilled attackers rely on basic or automated attacks.
Hacktivists and shadow IT users have variable but generally limited sophistication.
Insider threats and organized crime actors vary widely depending on skill and resources.
Why It Matters
Understanding sophistication levels helps prioritize defenses and anticipate attack complexity, crucial for Security+ preparation.
From the drop-down list on the right, select the typical motivations behind the actions of each threat actor type.
Answer: Nation-state - Espionage, political/philosophical beliefs, disruption/chaos, and war, Unskilled attacker - Disruption/chaos, financial gain, revenge, Hacktivist - Ethical beliefs, philosophical/political beliefs, disruption/chaos, Insider threat - Revenge, financial gain, service disruption, Organized crime - Financial gain, data exfiltration, extortion, Shadow IT - Convenience, lack of awareness of security risks, meeting specific needs
Quick Explanation
Different threat actors are driven by various goals ranging from political motives and espionage (nation-states) to financial gain (organized crime) and personal motives (insiders). Shadow IT isn’t malicious but driven by convenience.
Why It Matters
Understanding motivations helps in threat profiling and developing targeted defense strategies—important for Security+.
Which of the following terms is used to describe sophisticated and prolonged cyberattacks often carried out by well-funded and organized groups, such as nation-states?
Answer: APT (Advanced Persistent Threat)
Important Information
APT = Sophisticated, targeted, and prolonged cyberattacks.
Typically executed by well-funded, organized groups (often nation-states).
Goals often include espionage, data theft, or disruption.
Attackers maintain long-term access to the target network.
Use stealthy and advanced techniques to avoid detection.
Quick Explanation
APTs are not quick smash-and-grab attacks; they are carefully planned campaigns aimed at gaining persistent control over critical systems for intelligence or strategic advantage.
Why It Matters
Recognizing APTs helps in understanding advanced attack strategies and emphasizes the need for robust, continuous security monitoring—key for Security+.
An attack surface is the sum of all the potential points (vulnerabilities) through which an attacker can interact with or compromise a system or network, indicating the overall exposure to potential threats. Examples of attack surfaces can be all software, hardware, and network interfaces with known security flaws. A threat vector represents the method or means through which a cyber threat is introduced or delivered to a target system. It outlines the pathway or avenue used by attackers to exploit vulnerabilities. Common threat vector types include phishing emails, malware, drive-by downloads, and social engineering techniques.
Answer: True
Important Information
Attack Surface:
Sum of all potential points (vulnerabilities) where an attacker can interact with or compromise a system.
Includes software, hardware, network interfaces, etc.
Represents overall exposure to threats.
Threat Vector:
The method or path used by an attacker to deliver a cyber threat.
Examples: phishing, malware, drive-by downloads, social engineering.
Quick Explanation
The attack surface is like the “doors and windows” of a system that can be exploited, while the threat vector is how an attacker uses those openings to get in.
Why It Matters
Understanding both helps prioritize defense strategies by reducing exposure (attack surface) and monitoring common attack methods (threat vectors)—crucial for Security+.
Which of the answers listed below refers to an email-based threat vector?
Answer: All of the above | Here are the answers listed: Spoofing, Phishing, BEC attacks, Malicious links, and Malware attachments
Important Information
Email-based threats include:
Spoofing: Faking sender addresses to appear legitimate.
Phishing: Deceptive emails aimed at stealing credentials or info.
Business Email Compromise (BEC): Targeted scams impersonating executives.
Malicious links: Links that lead to malware or phishing sites.
Malware attachments: Harmful files sent via email attachments.
Quick Explanation
Emails are a common delivery method for various attack techniques, making them a prime vector for cyber threats.
Why It Matters
Recognizing email threats helps in applying effective email security measures, user training, and incident response—a key focus area for Security+.
Which of the following terms refers to a threat vector commonly associated with SMS-based communication?
Answer: Smishing
Important Information
Smishing = SMS phishing.
A threat vector where attackers send malicious text messages to trick users into revealing info or clicking malicious links.
Often impersonates trusted sources (banks, service providers).
Can lead to credential theft, malware installation, or fraud.
Quick Explanation
Smishing uses text messages instead of email to carry out phishing attacks, exploiting mobile users’ trust and habits.
Why It Matters
With the rise of mobile device use, smishing poses a significant risk and highlights the need for mobile security awareness—a key concept for Security+.
Which of the answers listed below refers to an example of a potential threat vector in IM-based communication?
Answer: All of the above | Here are the answers listed: Phishing attack, Malware distribution, Spoofing attack, Eavesdropping, Account hijacking, and Malicious link/attachment
Important Information
IM-based threat vectors include:
Phishing attacks: Trick users into revealing info.
Malware distribution: Sending harmful files or links.
Spoofing attacks: Impersonating trusted contacts.
Eavesdropping: Intercepting private conversations.
Account hijacking: Taking control of user accounts.
Malicious links/attachments: Leading to malware or scams.
Quick Explanation
Instant Messaging can be exploited through various methods similar to email and SMS, making it a versatile threat vector.
Why It Matters
Awareness of IM-related threats helps protect communications and sensitive data, reinforcing overall cybersecurity—important for Security+.
Which of the following answers refer to examples of image-based threat vectors? (Select 3 answers)
Answer: Steganography, Image spoofing (deep fakes), and Malware-embedded images
Important Information
Steganography: Hiding malicious code or messages within images.
Image spoofing (deep fakes): Manipulated images or videos used to deceive or impersonate.
Malware-embedded images: Images crafted to exploit vulnerabilities when viewed or processed.
Quick Explanation
Attackers use images not just as visuals but as carriers or tools for delivering malware or deception.
Why It Matters
Understanding image-based threats helps in detecting subtle attacks and protecting data integrity—key for Security+.
Which of the answers listed below refers to a file-based threat vector?
Answer: All of the above | Here are the answers listed: PDF exploits, Malicious macros in documents, Compressed files (ZIP, RAR), Malicious scripts in web pages, Infected images, and Malicious executables
Important Information
File-based threats include:
PDF exploits: Malicious code embedded in PDF files.
Malicious macros in documents: Automated harmful scripts in Office files.
Compressed files (ZIP, RAR): Used to hide malware.
Malicious scripts in web pages: Code embedded in web content.
Infected images: Images containing hidden malware.
Malicious executables: Harmful programs disguised as legitimate files.
Quick Explanation
Files are common carriers for malware and exploits, making them critical threat vectors in cybersecurity.
Why It Matters
Recognizing these helps enforce safe file handling, scanning, and user education—important for Security+.
Which of the following answer choices is an example of a threat vector type that is typical for voice communication?
Answer: Vishing
Important Information
Vishing = Voice phishing.
Attackers use phone calls or voice messages to trick victims into revealing sensitive information.
Often involves impersonating trusted entities like banks or government agencies.
May use social engineering tactics to create urgency or fear.
Quick Explanation
Vishing exploits the trust and immediacy of voice communication to conduct phishing attacks.
Why It Matters
With phone scams on the rise, recognizing vishing helps protect against social engineering attacks—a key Security+ topic.
Examples of threat vectors directly related to the use of removable devices include: (Select 2 answers)
Answer: Malware delivery and Data exfiltration
Important Information
Malware delivery: Removable devices (USB drives, external HDDs) can carry malware that infects connected systems.
Data exfiltration: Devices can be used to steal sensitive data by copying it off the network.
Quick Explanation
Removable devices are common physical threat vectors that can both introduce malware and be used to extract data.
Why It Matters
Controlling and monitoring removable media is critical for preventing infections and data breaches—essential for Security+.
Which of the answers listed below refer(s) to client-based software threat vector(s)? (Select all that apply)
Answer: Drive-by download via web browser, Malicious macro, USB-based attack, Infected executable file, and Malicious attachment in email application
Important Information
Client-based software threats include:
Drive-by download via web browser: Automatic malware download without user consent.
Malicious macro: Harmful code embedded in documents executed by client apps.
USB-based attack: Malware introduced via USB devices interacting with client systems.
Infected executable file: Malicious programs run on client machines.
Malicious attachment in email application: Harmful files opened in email clients.
Quick Explanation
These vectors exploit vulnerabilities or user actions within client software to deliver malware or execute attacks.
Why It Matters
Awareness helps secure endpoints and applications, a core Security+ concept.