Security+ Flashcards

(127 cards)

1
Q

Another name for Symmetric algorithm

A

Private Key Algorithm

2
Q

Another name for Asymmetric algorithm

A

Public Key algorithm

3
Q

Advantage of asymmetric algorithm

A

Solves the key-distribution problem of symmetric algorithms: n parties need n(n-1)/2 shared secret keys, whereas with asymmetric cryptography each party needs only one key pair and can publish the public half

4
Q

Hybrid encryption implementation

A

Use asymmetric cryptography to authenticate the peer and to exchange or agree a symmetric session key, then use that symmetric key for the bulk of the communication because it is much faster (this is how TLS and IPsec work)

5
Q

Advantage of symmetric algorithm

A

Much faster and cheaper per byte than asymmetric algorithms, so it is used for bulk data encryption

6
Q

Stream cipher

A

Encrypts data one byte (or bit) at a time by XORing it with a keystream
Used for securing real-time data streams (voice, video)
Always symmetric
Historically favoured for hardware implementations
Reusing a keystream (same key and nonce) breaks confidentiality; this was one of WEP's failures

7
Q

Block cipher

A

Breaks input into fixed-length blocks (e.g. 128 bits for AES) for encryption
Padding is added so the final block is full; PKCS#7 appends 1 to 16 bytes, each equal to the number of bytes added
Needs a mode of operation (CBC, CTR, GCM) to handle more than one block
Generally considered easier to implement and analyse than a stream cipher
Historically favoured for software implementations

8
Q

DES algorithm

A

Data Encryption Standard
Symmetric block cipher with a 64-bit block and 56-bit key
Deprecated: the key is short enough to brute-force

9
Q

3DES

A

Triple DES
Symmetric algorithm
Applies DES three times (encrypt, decrypt, encrypt) with two or three keys, giving at most 112-bit effective strength; deprecated by NIST and disallowed after 2023

10
Q

IDEA

A

International Data Encryption Algorithm
Symmetric block cipher (64-bit block, 128-bit key); used in early versions of PGP

11
Q

AES

A

Advanced Encryption Standard
Symmetric block cipher (Rijndael): 128-bit block, 128-, 192- or 256-bit keys
Current symmetric standard, most commonly used

12
Q

Blowfish

A

Symmetric block cipher (64-bit block, variable key up to 448 bits) designed by Bruce Schneier
Intended to replace DES
Unpatented and free to use

13
Q

Twofish

A

Symmetric block cipher (128-bit block), successor to Blowfish and an AES competition finalist
Unpatented and free to use

14
Q

RC4

A

Rivest Cipher 4
Symmetric stream cipher
Used in SSL/TLS and WEP; now broken (keystream biases) and prohibited in TLS by RFC 7465

15
Q

RC5

A

Rivest Cipher 5
Symmetric block cipher with variable block size, key size and number of rounds

16
Q

RC6

A

Rivest Cipher 6
Symmetric block cipher derived from RC5
Submitted to the AES competition as a DES replacement; lost to Rijndael and was superseded by AES

17
Q

Public key cryptography

A

Asymmetric algorithm
For confidentiality: anyone can encrypt with the recipient's public key, but only the matching private key can decrypt
For non-repudiation: the sender signs the message with their private key, and anyone can verify the signature with the sender's public key

18
Q

Digital Signature

A

Hash digest of the message encrypted (signed) with the sender's private key; anyone holding the public key can verify it, which gives integrity, authenticity and non-repudiation

19
Q

Diffie-Hellman (DH) algorithm

A

Asymmetric key-agreement algorithm (it does not encrypt data itself)
Lets two parties establish a shared secret over an insecure network without ever sending the secret; each side combines its own private value with the other's public value
Unauthenticated DH is open to man-in-the-middle, so it is paired with authentication in practice
Often used to create VPN tunnels; part of IPsec (IKE) and of TLS key exchange
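Added example (not the deck's own material) covering cards 4 and 19: a Diffie-Hellman exchange with both sides' messages, derivation of a symmetric session key from the shared secret (the hybrid step), and a man-in-the-middle run that shows why unauthenticated DH needs a signature or certificate on top. The group parameters are a deliberately small assumption of this example; everything else uses Python's standard library.

```python
import hashlib
import hmac
import secrets

# Demonstration parameters only (an assumption of this example): the Mersenne prime
# 2**127 - 1 with generator 2. Real deployments use a standardized group such as
# RFC 3526 group 14 or an elliptic curve; a 127-bit modulus is far too small.
P = (1 << 127) - 1
G = 2


class Party:
    """One side of the exchange. Only pub ever leaves the machine."""

    def __init__(self, name: str):
        self.name = name
        self.priv = secrets.randbelow(P - 3) + 2     # private exponent a in [2, p-2]
        self.pub = pow(G, self.priv, P)              # public value g^a mod p, sent on the wire

    def shared_key(self, peer_pub: int) -> bytes:
        # Reject 0, 1 and p-1: they force the shared secret to a known value.
        if not 2 <= peer_pub <= P - 2:
            raise ValueError("invalid peer public value")
        secret = pow(peer_pub, self.priv, P)         # (g^b)^a == (g^a)^b mod p
        # Hybrid step: never use the raw secret as a key; extract a 256-bit symmetric
        # key from it with HMAC-SHA256 (the "extract" half of HKDF, fixed salt here).
        return hmac.new(b"dh-demo-salt", secret.to_bytes(16, "big"), hashlib.sha256).digest()


def exchange():
    """Honest exchange: the two derived keys are identical."""
    alice, bob = Party("alice"), Party("bob")
    key_alice = alice.shared_key(bob.pub)     # Alice receives g^b
    key_bob = bob.shared_key(alice.pub)       # Bob receives g^a
    return key_alice, key_bob


def exchange_with_mitm():
    """Unauthenticated DH: Mallory swaps in her own public value in both directions
    and ends up holding one key with Alice and a different key with Bob."""
    alice, bob, mallory = Party("alice"), Party("bob"), Party("mallory")
    key_alice = alice.shared_key(mallory.pub)
    key_bob = bob.shared_key(mallory.pub)
    key_mallory_alice = mallory.shared_key(alice.pub)
    key_mallory_bob = mallory.shared_key(bob.pub)
    return key_alice, key_bob, key_mallory_alice, key_mallory_bob
```

Neither Alice nor Bob can tell the second run from the first unless the public values are authenticated, which is what IKE and TLS add with certificates or pre-shared keys.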

20
Q

Rivest, Shamir and Adleman (RSA) Algorithm

A

Asymmetric algorithm
Relies on the difficulty of factoring the product of two large primes (n = p × q)

21
Q

Elliptic Curve Cryptography (ECC)

A

Asymmetric algorithm based on the elliptic-curve discrete logarithm problem
Heavily used on mobile devices and in modern TLS (ECDHE key exchange, ECDSA signatures)
More efficient than RSA: a 256-bit ECC key offers security comparable to 3072-bit RSA

22
Q

Hashing

A

One-way cryptographic function that maps input of any length to a message digest that is practically unique to that input (collision-resistant)
Digest is always the same length for a given algorithm (SHA-256: 32 bytes, SHA-1: 20 bytes, MD5: 16 bytes)

23
Q

Pass the Hash attack

A

Authenticate with a captured password hash (typically NTLM) instead of the plaintext password, because the authentication protocol accepts the hash itself as the credential

24
Q

Rainbow table

A

Precomputed table of hash chains for reversing cryptographic hash functions; only works against unsalted hashes, so per-password salting defeats it

25
Wildcard certificate
Allows all first-level subdomains (one label: *.example.com covers www.example.com but not example.com or a.b.example.com) to use the same certificate and have it display as valid
26
Subject Alternative Name (SAN) field
Certificate extension that lists the additional host names and IP addresses the certificate is valid for; when present, clients match against the SAN and ignore the Common Name
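Added example (not part of the deck) for cards 25 and 26: the matching rules a client applies to wildcard names and SAN entries. The certificate dicts are constructed stand-ins for parsed X.509 data (an assumption of the example); the rules follow RFC 6125 plus the stricter wildcard policy browsers apply.

```python
import ipaddress


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Does a dNSName from a certificate (possibly a wildcard) cover hostname?"""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # A wildcard stands in for exactly one label, so the label counts must agree.
    # This is what stops *.example.com from covering example.com or a.b.example.com.
    if len(p_labels) != len(h_labels):
        return False
    # Only a whole left-most label may be a wildcard. Partial wildcards such as
    # w*.example.com and wildcards deeper in the name are rejected, as browsers do,
    # and a wildcard directly below a TLD (*.com) is refused as a policy choice.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches(cert: dict, presented: str) -> bool:
    """cert is a constructed dict with keys subject_cn, san_dns (list) and san_ip (list)."""
    try:
        ip = ipaddress.ip_address(presented)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP address is matched only against iPAddress SAN entries; the CN and
        # wildcard names never apply to IP addresses.
        return any(ipaddress.ip_address(s) == ip for s in cert["san_ip"])
    if cert["san_dns"] or cert["san_ip"]:
        # When the SAN extension is present the subject CN is ignored (RFC 6125).
        return any(hostname_matches(p, presented) for p in cert["san_dns"])
    return hostname_matches(cert["subject_cn"], presented)  # legacy CN-only certificate


# Constructed certificate data: a wildcard cert whose CN is deliberately absent from the SAN.
WILDCARD_CERT = {
    "subject_cn": "legacy.example.org",
    "san_dns": ["*.example.com", "example.com"],
    "san_ip": ["192.0.2.10"],
}
CN_ONLY_CERT = {"subject_cn": "www.example.com", "san_dns": [], "san_ip": []}
```

Note that the bare domain has to be listed separately in the SAN: the wildcard alone would leave example.com uncovered.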
27
Single-Sided Certificate
Only the server presents a certificate and is validated by the client (the normal TLS setup)
28
Dual-Sided Certificate
Mutual TLS: both server and client present certificates and validate each other
29
Self-signed certificate
certificate is signed by same party whose identity it certifies
30
Third-Party Certificate
Certificate issued and signed by a trusted certificate authority
31
Certificate Signing Request
Block of encoded text containing information about the entity requesting the certificate
32
OCSP
Online Certificate Status Protocol: lets a client ask the CA's responder for the revocation status of a certificate, identified by its serial number
33
OCSP Stapling
The server (certificate holder) fetches a signed OCSP response from the CA's responder at regular intervals and "staples" it to the TLS handshake, so the client gets fresh revocation status without contacting the CA itself (faster and better for privacy)
34
TPM
Trusted Platform Module Dedicated microcontroller designed to secure hardware through integrated cryptographic keys
35
HSM
Hardware Security Module Physical device that manages digital keys
36
Secure Enclave
Co-processor integrated into the main processor of some devices, designed with the sole purpose of ensuring data protection
37
Steganography
Hiding secret data in non-secret files or messages
38
Tokenization
Substitute sensitive data elements (e.g. card numbers) with non-sensitive tokens that have no exploitable value; mapping a token back to the original (detokenization) is possible only through the authorized token vault
39
Data Owner
Senior executive responsible for maintaining the confidentiality, integrity and availability of the information asset.
40
Data Controller
Responsible for deciding the purposes and methods of data collection, storage and usage, and for guaranteeing the legality of the processing
41
Data Processor
Hired by data controller to help with tasks like collecting, storing and analyzing data
42
Data Custodian
Responsible for management of system(s) on which data assets are stored
43
Data Steward
Focused on quality of data and associated metadata
44
Data Privacy Officer
Responsible for oversight of privacy-related data (PHI, SPI, PII)
45
BYOD
Bring your own device
46
COPE
Corporate-Owned, Personally Enabled
47
Time-of-use (TOU)
The "use" half of a time-of-check/time-of-use (TOCTOU) race condition: a process acts on a resource without verifying that it is still in the same state as when it was last checked. Classic example: checking that a path is not a symlink, then opening it after an attacker has swapped in a symlink. The fix is to make the check and the use a single atomic operation.
48
Buffer Overflow
Type of memory corruption that occurs when a program writes more data than the allocated buffer can hold, causing it to overwrite adjacent memory locations. It can lead to crashes, code execution, or privilege escalation.
49
Memory injection
Insertion of malicious code into a running process's memory to alter its behaviour or gain access to its data (e.g. DLL injection, hooking). The same techniques are used legitimately for debugging and instrumentation. Unlike TOCTOU, it does not depend on a time gap between a check and a use.
50
Time-of-check (TOC)
The "check" half of a TOCTOU race condition: a process checks the state or value of a resource before using it, but another process changes it in between, so the later action is based on outdated information.
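Added example (not part of the deck) for cards 47 and 50: the symlink TOCTOU race in a file reader, with a hook standing in for the attacker's window, beside the fix that collapses check and use into one system call. It assumes a POSIX system (O_NOFOLLOW) and creates its own temporary files.

```python
import os
import shutil
import stat
import tempfile


def vulnerable_read(path: str, attacker_window=None) -> bytes:
    """Check-then-use: the symlink check and the open are two separate operations,
    so the file can be swapped between them."""
    if os.path.islink(path):                  # time of check
        raise PermissionError("refusing to follow a symlink")
    if attacker_window:                       # constructed hook standing in for the race window
        attacker_window()
    with open(path, "rb") as f:               # time of use
        return f.read()


def safe_read(path: str, attacker_window=None) -> bytes:
    """O_NOFOLLOW makes the symlink refusal part of the open itself, and fstat inspects
    the object that was actually opened, so there is no window left to race."""
    if attacker_window:
        attacker_window()                     # the swap can happen at any time; it no longer matters
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)   # POSIX flag; raises OSError on a symlink
    with os.fdopen(fd, "rb") as f:
        if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
            raise PermissionError("not a regular file")
        return f.read()


def demo():
    """Returns (bytes leaked by the vulnerable reader, whether the safe reader refused)."""
    workdir = tempfile.mkdtemp()
    try:
        secret = os.path.join(workdir, "secret")       # file the reader must never expose
        upload = os.path.join(workdir, "upload")       # file the reader is allowed to serve
        with open(secret, "wb") as f:
            f.write(b"root:$6$hash")

        def reset():
            with open(upload, "wb") as f:
                f.write(b"harmless")

        def swap():
            # The attacker wins the race: the regular file becomes a symlink to the secret.
            os.remove(upload)
            os.symlink(secret, upload)

        reset()
        leaked = vulnerable_read(upload, swap)
        os.remove(upload)
        reset()
        try:
            safe_read(upload, swap)
            refused = False
        except OSError:
            refused = True
        return leaked, refused
    finally:
        shutil.rmtree(workdir)
```

The same pattern applies to access() followed by open(), or stat() followed by chown(): decide on the file descriptor you already hold, never on a path you checked earlier.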
51
Remote Access Trojan (RAT)
Mimics legitimate remote control programs but operates covertly. It provides the threat actor unauthorized access to a host, enabling them to upload files, install software, or execute commands.
52
Worm
Malware that replicates itself to spread to other computers, typically by exploiting network services without any user action.
53
Adware
Displays unwanted ads on a user's device.
54
Rootkit
Malware that hides its own presence (and that of other malware) by modifying the operating system, kernel or firmware in order to keep privileged access; unlike a RAT it does not mimic a legitimate remote control program.
55
Vendor assessment
Evaluating the security measures and vulnerabilities of a vendor's systems and infrastructure; it focuses on security controls rather than on ethical and legal requirements, and occurs after the vendor is chosen.
56
Pretexting
Type of human vector/social engineering attack that involves creating a fabricated scenario or pretext to justify the request for confidential information or action from the target.
57
Cloning
Duplication of items such as badges, access cards, or even digital identities. It's about copying something authentic to gain unauthorized access.
58
Tailgating
Also known as "piggybacking": an unauthorized individual follows authorized personnel into a secure location by exploiting their courtesy or distraction. It relies on physical access rather than a fabricated story.
59
Phishing
Attacker sends deceptive emails (or other forms of communication) to a broad audience, enticing recipients to click on malicious links, download malware, or provide sensitive information. The attacker's goal is to trick recipients into believing the message is from a trusted source.
60
Vendor selection
Process of evaluating and choosing vendors based on various criteria, including their alignment with the organization's ethical and legal requirements. It occurs before the partnership begins.
61
Vendor monitoring
Continuously evaluating a vendor's security performance and compliance with contractual requirements after the vendor is chosen; it tracks ongoing performance rather than the ethical and legal criteria used during selection.
62
Master Service Agreement (MSA)
Agreement precisely designed to establish the overall framework for a long-term business relationship between an organization and a vendor. It provides a foundation for future agreements and contracts by outlining general terms, conditions, and responsibilities. It generally is concluded after a vendor is chosen.
63
Downtime
Period when a system is unavailable or its performance is degraded, often due to planned maintenance or unforeseen incidents; a server being unavailable while it is upgraded is downtime.
64
Service Restart
Act of stopping and then starting a service, often to apply changes or updates. It can cause downtime, but it is narrower than a full system upgrade.
65
Maintenance Window
Predefined time frame during which system changes or updates are applied to minimize disruption to business operations. It defines when changes may occur, not the period of system unavailability itself.
66
Change Management
Formalized procedure to ensure changes are reviewed and approved before implementation. It is a process and does not define the time a system is unavailable.
67
Sensitive Personal Data under GDPR
Special categories of personal data (GDPR Article 9) whose processing is restricted because disclosure could harm the individual. They are: - racial or ethnic origin - political opinions - religious or philosophical beliefs - trade union membership - genetic data - biometric data used to identify a person - health data - sex life or sexual orientation. (Gender on its own is ordinary personal data, not a special category.)
68
FIPS (Federal Information Processing Standards)
Standards that provide important guidelines and requirements for cryptography used to secure federal information systems, except those related to national security.
69
ISO/IEC 27001
Important standard for information security management systems. It does not set specific requirements for cryptographic modules within federal computer systems.
70
PCI DSS
Relates to the protection of cardholder data
71
Secure Enclave
Dedicated co-processor, isolated from the main CPU, that stores encryption keys and performs cryptographic operations so the keys are never exposed to the OS. "Secure Enclave" is Apple's name; Android devices have equivalents (e.g. Google's Titan M, ARM TrustZone-based secure elements).
72
Trusted Platform Module (TPM)
Hardware-based cryptographic chip on the device motherboard (discrete, or implemented in firmware) that stores keys, certificates and boot measurements used for authentication and integrity checks. Required by Windows 11 (BitLocker, measured boot), but it is a platform standard (TCG) also used by Linux and other OSes.
73
Hardware Security Module (HSM)
Physical computing device that safeguards and manages digital keys for strong authentication and signing. It can be an external network appliance or an expansion card, but it is not embedded on the motherboard.
74
Key Management System
Process used to ensure that keys are kept secure by establishing standards of security. It is a set of policy decisions, not a chip or device.
75
Side loading
Mobile device vulnerability that results from installing applications from sources other than the official app store, such as third-party websites, USB drives, or email attachments. It can expose the device to malware, spyware, or unauthorized access.
76
Jailbreaking
Creates a vulnerability on mobile device by bypassing the restrictions imposed by the manufacturer or provider of a device, such as an iPhone or iPad, to gain root access and install unauthorized applications or customizations. It can expose the device to malware, spyware, or unauthorized access.
77
Typosquatting
Human vector/social engineering attack that involves creating a fake website or domain name that resembles a legitimate one, but with slight spelling or punctuation differences.
78
Business email compromise
Human vector/social engineering attack that involves compromising or spoofing a legitimate business email account to request fraudulent payments or transfers from unsuspecting employees or customers.
79
Impersonation
Human vector/social engineering attack that involves pretending to be someone else, such as an authority figure or a trusted person, to persuade users to share confidential information or perform certain actions.
80
Statement of Work (SOW) or Work Order (WO)
Document used to specify the specific tasks, deliverables, and timelines for a particular project or service. It is not intended to establish an overall framework for a long-term relationship.
81
Service-level Agreement (SLA)
Outlines specific performance metrics, service levels, and responsibilities for ongoing services, rather than establishing an overall framework for a long-term relationship.
82
Memorandum of Understanding (MOU)
Non-binding document used to express mutual understanding and intentions between parties. It is not typically suitable for establishing a formal framework for a long-term business relationship.
83
Risk register
Comprehensive record that lists all identified risks, their potential impacts, assigned risk owners, and current risk status. It serves as a central repository for tracking and monitoring risks over time.
84
Risk assessment
Initial step in the risk management process, involving the identification, analysis, and evaluation of potential risks.
85
Business impact analysis
Assesses the potential consequences of specific risks on critical business functions, helping prioritize risk response efforts.
86
Risk reporting
The regular communication and documentation of identified risks, their potential impact, and risk management strategies to relevant stakeholders.
87
Cryptographic Downgrade Attack
Attacker forces network participants to resort to a weaker encryption standard, making it easier to compromise the data. It deliberately reduces the security of encrypted communications.
88
Cipher Block Chaining (CBC) Attack
Attack on block ciphers used in CBC mode, typically a padding-oracle attack: the attacker submits modified ciphertext to a server that reveals, through a different error message or timing, whether the decrypted padding was valid, and uses that one bit per query to decrypt the data without the key. It exploits the leaky implementation, not the cipher itself.
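Added example (not part of the flashcard deck) that ties card 7's padding rule to the attack on card 88: PKCS#7 padding, CBC mode, a padding oracle, and the attack that uses only the oracle's yes/no answer to decrypt ciphertext without the key. The 16-byte block cipher inside is a small HMAC-based Feistel construction assumed here so the code runs with the standard library alone; it stands in for AES, and the padding and CBC logic around it is the real thing.

```python
import hashlib
import hmac
import secrets

BS = 16   # block size in bytes


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Toy 16-byte block cipher (8-round Feistel keyed with HMAC-SHA256). An assumption of
# this example standing in for AES; do not use it for anything real.
def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in range(8):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(8)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BS - len(data) % BS      # 1..16: an exact multiple still gets a whole pad block
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    if not data or len(data) % BS:
        raise ValueError("bad length")
    n = data[-1]
    if not 1 <= n <= BS or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(padded), BS):
        prev = block_encrypt(key, _xor(padded[i:i + BS], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BS):
        out += _xor(block_decrypt(key, ct[i:i + BS]), prev)
        prev = ct[i:i + BS]
    return out


def padding_oracle(key: bytes, iv: bytes, ct: bytes) -> bool:
    """Models a server that leaks, via a distinct error or timing, whether the padding
    of a decrypted message was valid. That single bit is all the attack needs."""
    try:
        pkcs7_unpad(cbc_decrypt(key, iv, ct))
        return True
    except ValueError:
        return False


def padding_oracle_attack(oracle, iv: bytes, ct: bytes) -> bytes:
    """Recover the padded plaintext from ciphertext using only the oracle, no key."""
    blocks = [iv] + [ct[i:i + BS] for i in range(0, len(ct), BS)]
    recovered = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BS)              # block_decrypt(key, target), learned byte by byte
        for pos in range(BS - 1, -1, -1):
            pad = BS - pos                 # padding value we try to produce
            forged = bytearray(BS)         # fake previous block fed to the oracle as the IV
            for j in range(pos + 1, BS):   # known bytes: force them to decrypt to `pad`
                forged[j] = inter[j] ^ pad
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged), target):
                    continue
                if pos == BS - 1:
                    # Rule out a false hit such as ...02 02: real 0x01 padding must
                    # survive a change to the second-to-last byte.
                    forged[pos - 1] ^= 0xFF
                    still_valid = oracle(bytes(forged), target)
                    forged[pos - 1] ^= 0xFF
                    if not still_valid:
                        continue
                inter[pos] = guess ^ pad
                break
            else:
                raise RuntimeError("oracle never accepted: not a padding oracle?")
        recovered += _xor(inter, prev)     # plaintext block = intermediate XOR previous block
    return recovered


def demo() -> tuple:
    key, iv = secrets.token_bytes(32), secrets.token_bytes(BS)
    message = b"attack at dawn; wire 4000 to acct 7"
    ct = cbc_encrypt(key, iv, pkcs7_pad(message))
    oracle = lambda test_iv, test_ct: padding_oracle(key, test_iv, test_ct)  # attacker never sees key
    return message, pkcs7_unpad(padding_oracle_attack(oracle, iv, ct))
```

Each byte costs at most 256 queries, so a 48-byte ciphertext falls in a few thousand requests. The server-side fix is authenticated encryption (AES-GCM, or a MAC over the ciphertext checked before decryption) and a single identical error for every failure.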
89
key exchange attack
Attacker aims to intercept or manipulate the key exchange process, potentially gaining access to the shared secret key.
90
Resource reuse
Vulnerability in virtualized or cloud environments where memory, storage or other resources released by one tenant are reallocated to another without being sanitized, so residual data or state from the previous virtual machine can be read or abused; also covers cross-VM attacks through shared hardware such as the CPU and its caches. Mitigated by wiping resources before reuse and by strong isolation between tenants.
91
CPU starvation
Type of performance issue that occurs when a process or thread does not receive enough CPU time to perform its tasks. It can affect the responsiveness and functionality of the process or thread.
92
Probability (risk)
Expected frequency of occurrence of a specific risk within a given time frame.
93
Likelihood (risk)
Qualitative term used to express the chance of a risk occurring, typically described in terms of low, medium, or high.
94
Exposure Factor
The percentage of asset loss that would occur if a specific risk is realized. It is a quantitative risk analysis metric.
95
Annualized Rate of Occurrence (ARO)
Quantitative risk analysis metric that represents the expected number of times a specific risk occurs in a year.
96
Kerberos
Authentication protocol that uses tickets to prevent eavesdropping and replay attacks. It relies on a trusted third-party, the Key Distribution Center (KDC), to facilitate mutual authentication between clients and services.
97
LDAP
Protocol used to access and manage directory information over a network.
98
OAuth
Open standard for access delegation. It allows third-party services to use account information without exposing user passwords.
99
SAML
XML-based standard for exchanging authentication and authorization data between parties. It's focused more on Single Sign-On (SSO) and doesn't use the Kerberos ticketing mechanism.
100
Salting
Adding a random per-password value (the salt) to the password before hashing and storing it alongside the hash, so identical passwords give different hashes and precomputed (rainbow) tables are useless.
101
Key stretching
Repeatedly hashing the password (thousands to hundreds of thousands of iterations, as PBKDF2, bcrypt, scrypt and Argon2 do) so that each guess costs the attacker far more work. The key difference from regular hashing or salting is the number of iterations, i.e. the work factor.
102
Hashing
Process of converting an input of any length into a fixed-size digest using a one-way mathematical function. Hashing alone adds no data to the input before the conversion; salting and stretching are what add the random data and the extra work.
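Added example (not part of the deck) covering cards 22, 24, 100, 101 and 102: fixed digest length, a lookup table that reverses unsalted hashes (a rainbow table does the same with less storage), and salted, stretched password storage with PBKDF2-HMAC-SHA256 from the standard library. The wordlist is constructed.

```python
import hashlib
import hmac
import secrets

# Constructed wordlist standing in for a real dictionary.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "hunter2"]


def digest_lengths() -> set:
    """SHA-256 output is 32 bytes whatever the input length."""
    return {len(hashlib.sha256(b"x" * n).digest()) for n in (0, 1, 100, 100_000)}


def build_lookup_table(passwords) -> dict:
    """Precomputed digest -> password map. A real rainbow table stores hash chains to
    trade time for space, but what it recovers is the same: the preimage of an
    unsalted hash."""
    return {hashlib.sha256(p.encode()).hexdigest(): p for p in passwords}


def hash_password(password: str, salt=None, iterations: int = 600_000):
    """Salted and stretched: PBKDF2-HMAC-SHA256 with a random 16-byte salt.
    Returns the triple that must be stored to verify later."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password: str, stored) -> bool:
    salt, iterations, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def demo() -> dict:
    table = build_lookup_table(COMMON_PASSWORDS)
    # Unsalted SHA-256, as a naive application might store it: one lookup cracks it.
    cracked = table.get(hashlib.sha256(b"letmein").hexdigest())
    # The same password stored twice with salt yields two unrelated digests, so no single
    # precomputed table can cover both, and every guess now costs 600k HMAC rounds.
    first, second = hash_password("letmein"), hash_password("letmein")
    return {
        "cracked": cracked,
        "salted_in_table": table.get(first[2].hex()),
        "digests_differ": first[2] != second[2],
        "verify_ok": verify_password("letmein", first),
        "verify_wrong": verify_password("letmeout", first),
    }
```

Store the salt and the iteration count with the digest; the salt is not secret, its job is only to make every hash unique. Raise the iteration count over time as hardware gets faster.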
103
Digital signature
Type of electronic signature that uses a specific type of encryption to ensure the authenticity and integrity of a digital message or document.
104
Infrastructure Monitoring
Focused on ensuring the foundational IT components, like servers, data centers, and networking equipment, are both functional and secure.
105
Systems monitoring
Evaluates the hardware, operating systems, and the essential services that applications run on but not the broader foundational structures of IT.
106
Applications monitoring
Pertains to overseeing individual software solutions and ensuring their security and performance.
107
Risk appetite
Refers to an organization's willingness to take on risk in pursuit of its business objectives. It reflects the organization's strategic approach to risk and how much risk it is willing to undertake to achieve specific goals.
108
Risk tolerance
Extent to which an organization is comfortable with the level of risk it is willing to take. It represents the organization's ability to withstand potential losses or disruptions.
109
Risk acceptance
Organization understands the level of risk involved in an activity and is willing to accept the outcomes of taking the risk. The risk is either accepted or not; there are no levels of risk acceptance.
110
Risk deterrence
Taking measures that discourage a threat actor from attempting an action, such as visible controls, warning banners or legal penalties (as opposed to mitigation, which reduces the impact once an event occurs).
111
MTTR
- mean time to repair - refers to the measure of the time taken to repair a system or process after it experiences a failure or disruption. - average time it takes to restore functionality
112
RTO
- recovery time objective - measure of the maximum time it takes to recover a system or process after a disruption - represents the time within which normal operations need to be restored
113
MTBF
- mean time between failures - the measure of the average time between two consecutive failures of a system or component - represents the average reliability or time between incidents.
114
RPO
- recovery point objective - measure of the maximum amount of data loss an organization is willing to tolerate in the event of a disruption - determines the point in time to which data must be restored after recovery.
115
Technical debt
- future cost of rectifying present-day shortcuts or less optimal solutions. It can arise when known inefficiencies aren't addressed due to various constraints, like time.
116
Complexity
Primarily denotes the intricacy of a system or process.
117
Single point of failure
Refers to a vulnerable component whose failure can disrupt an entire system, not the consequence of avoiding known system inefficiencies.
118
Cost
Pertains to the financial considerations of a decision or action, not the implications of deferring system improvements.
119
Virtualization
Technology that allows creating multiple isolated environments on a single physical device. It can offer benefits such as resource optimization, isolation, flexibility, and security.
120
Industrial control systems (ICS)
Systems that are designed to monitor and control physical processes in industrial environments, such as power plants, factories, or water treatment facilities, not creating multiple isolated environments on a single physical device.
121
Containerization
Technology that allows running applications in isolated environments called containers, not creating multiple isolated environments on a single physical device.
122
Software-defined networking (SDN)
Network technology that involves dynamically configuring and managing network devices and services through software, not creating multiple isolated environments on a single physical device.
123
Capability
Pertains to a threat actor's proficiency in devising new exploit techniques and tools. It can range from using commonly found attack tools to creating zero-day exploits in various systems. Those with the highest capabilities can even deploy non-cyber tools, such as political or military assets.
124
Sophistication
Relates to the level of intricacy and advancement of a threat actor's methods and tools, but does not directly address their skill in crafting novel exploits.
125
SRTP
Secure Real-time Transport Protocol - provides encryption, message authentication, and integrity for voice communications over IP - designed to protect Real-time Transport Protocol (RTP) and RTP Control Protocol (RTCP) traffic.
126
ICMP
- Internet Control Message Protocol - used by operating systems and network devices to send error messages and operational information (e.g. destination unreachable, ping echo request/reply)
127
SAML
- Security Assertion Markup Language - login federation protocol - most effective approach for achieving a seamless user login experience for both internal employees and external partners - allows for the secure exchange of authentication and authorization data between different organizations, enabling users to log in using their own organization's credentials while accessing resources and applications from other federated organizations without the need for separate accounts -simplifies identity management and enhances user experience while maintaining centralized control.