test Flashcards

1
Q

802.1X

A

802.1X (or EAP [Extensible Authentication Protocol]) is an authentication standard, developed to allow remote, wireless, and wired authentication to be centrally managed. A client device such as an access point passes authentication information to a RADIUS server on the wired network for validation. The authentication information could be a user name and password or could employ smart cards or tokens.

2
Q

AAA

A

Authentication, Authorization, and Accounting - the principal stages of security control. A resource should be protected by all three types of control.

3
Q

Access Control

A

Creating one or more barriers around a resource such that only authenticated users can gain access. Each resource has an Access Control List (ACL) specifying what users can do. Resources often have different access levels (for example, being able to read a file or being able to read and edit it).

4
Q

Account Expiration

A

Some user accounts may be created to allow only temporary access (for guest users, contractors, temporary staff, and so on). These accounts may be set to expire after a certain amount of time, eliminating the possibility that they will be forgotten about and act as possible system backdoors.

5
Q

ACL (Access Control List)

A

The permissions attached to or configured on a network resource, such as folder, file, or firewall. The ACL specifies which subjects (user accounts, host IP addresses, and so on) are allowed or denied access and the privileges given over the object (read only, read/write, and so on).

6
Q

Adware

A

Software that records information about a PC and its user. Adware is used to describe software that the user has acknowledged can record information about their habits. For example, an online store might record past purchases and display prominent advertisements to market new products based on the user’s purchase history.

7
Q

AES (Advanced Encryption Standard)

A

Modern encryption suite providing symmetric encryption (the same key is used to encrypt and decrypt). AES is a very strong cipher with many applications, including being part of the WPA2 Wi-Fi encryption scheme.

8
Q

ALE (Annual Loss Expectancy)

A

The amount that would be lost over the course of a year. This is determined by multiplying the SLE by the Annual Rate of Occurrence (ARO).

9
Q

Algorithm

A

Any defined method of performing a process but in encryption, the term specifically refers to the technique used to encrypt a message. The strength of an algorithm depends to a large extent on the size of its key (the code that enables a message to be encrypted or decrypted). A minimum key size of 2048 bits is considered secure by NIST. There are a number of algorithms in use for different types of encryption. Some of the main technologies are SHA-1 and MD5 (hash functions), 3DES, AES, RC (Rivest Cipher), IDEA, Blowfish/Twofish, and CAST (used for symmetric encryption [where the same key is used to encrypt and decrypt]), and Diffie-Hellman, RSA, ElGamal, and ECC (used for asymmetric encryption, where two linked keys are used).

10
Q

Antenna

A

Specially arranged metal wires that can send and receive radio signals. These are used for radio-based wireless networking. For WLANs, antennas are small and short-range (~45m [150 feet] indoor range) and generally send and receive in all directions (omni-directional). The antennas are built into the WLAN adapter or AP (in the case of portables the wires are often integrated into the chassis). More powerful directional antennae (such as the type used for receiving TV broadcasts) can be used for point-to-point connections (such as between buildings).

11
Q

Anti-spam

A

Techniques to prevent a user from being overwhelmed with spam (junk email). Spam can be blocked from reaching an organization using a mail gateway to filter messages. At the user level, software can redirect spam to a junk folder (or similar). Anti-spam filtering needs to balance blocking illegitimate traffic with permitting legitimate messages. Anti-spam techniques can also use lists of known spam servers (blacklists).

12
Q

Anti-virus

A

Software capable of detecting and removing virus infections and (in most cases) other types of malware, such as worms, Trojans, rootkits, adware, spyware, password crackers, network mappers, DoS tools, and so on. Anti-virus software works on the basis of both identifying malware code (signatures) and detecting suspicious behavior (heuristics). Anti-virus software must be kept up-to-date with the latest malware definitions and must protect itself against tampering.

13
Q

API (Application Programming Interface)

A

A library of programming utilities used, for example, to enable software developers to access functions of the TCP/IP network stack under a particular operating system.

14
Q

Application Hardening

A

The basic steps in making an application secure (hardening) are to configure access control and permissions on the application data and functions and to set up a monitoring and maintenance program, so that events are logged and the application is patched against software exploits.

15
Q

APT (Advanced Persistent Threat)

A

An attacker’s ability to obtain, maintain, and diversify access to network systems using exploits and malware.

16
Q

ARP Poisoning

A

The Address Resolution Protocol (ARP) maps IP addresses to network interfaces (MAC addresses). ARP poisoning means injecting a false IP:MAC lookup into the victim’s ARP cache. This can be used to perform a variety of attacks, including DoS, spoofing, and Man-in-the-Middle.

17
Q

Asymmetric Algorithm

A

An asymmetric cryptographic algorithm uses different keys (public and private; the keys are linked but the private key is not derivable from the public one). The most popular type of asymmetric cryptography (RSA) is based on the fact that factoring large numbers to discover whether they are prime (a number that is only divisible by itself and 1) is difficult. If there were a breakthrough in mathematics that made factoring large numbers less computationally intensive, the security of these cryptographic products would be broken. Elliptic Curve Cryptography (ECC) is a different means of creating key pairs such that it is easy to determine that the keys are linked but very difficult to determine one key from the other. The other advantage of ECC is that the algorithm is more efficient, allowing smaller keys to give the same level of security as larger RSA keys.

18
Q

Attack Surface

A

Attack surface is the degree of exposure a network or piece of software has to attack. For example, the more ports a server has open or the more features installed under an OS, the greater the likelihood of an attacker finding a vulnerability.

19
Q

Auditing

A

Windows and other operating systems provide the ability to track system and file access and usage and report this activity to a log file. The administrator can use this trail to track appropriate (or inappropriate) access of resources.

20
Q

AUP (Acceptable Use Policy)

A

An acceptable use policy usually governs employees’ use of company equipment.

21
Q

Authentication

A

A means for a user to prove their identity to a computer system. Authentication is implemented as either something you know (a user name and password), something you have (a smart card or key fob), or something you are (biometric information). Often, more than one method is employed (2-factor authentication).

22
Q

Availability

A

Availability is the principle that something should not be so secure that it is completely inaccessible. A practical example is a password policy that forces users to adopt unsecure practices (such as writing their password on a post-it attached to their monitor). Another example is providing key recovery or escrow so that encrypted data can be recovered if the encryption key is lost or damaged. Availability also involves protecting a resource against loss or damage or DoS attacks.

23
Q

Backdoor

A

A remote administration utility providing a means of configuring a computer. Remote admin software may be installed intentionally, in which case it must be properly secured. Backdoors may also be installed by malware.

24
Q

Backup

A

Recovery of data can be provided through the use of a backup system. Most backup systems provide support for tape devices. This provides a reasonably reliable and quick mechanism for copying critical data. Different backup types (full, incremental, or differential) balance media capacity, time required to back up, and time required to restore.

25
Q

Beaconing

A

A means for a network node to advertise its presence and establish a link with other nodes. Legitimate software and appliances do this but it is also associated with Remote Access Trojans (RAT) communicating with a Command & Control server.

26
Q

Behavior-based Monitoring

A

Software that monitors a system for malware infection, intrusion detection, or performance may be configured to recognize baseline behavior and (conversely) alert the administrator to anomalous behavior. This usually works by compiling a statistical profile of expected behavior, then configuring thresholds beyond which the system generates an alert (an anomaly). This sort of system requires expert tuning to minimize false negatives and false positives.

27
Q

BIA (Business Impact Analysis)

A

A risk assessment will identify a range of threats and for each significant threat perform a Business Impact Analysis (BIA) to determine the likelihood of the threat exploiting a vulnerability and the cost to the business should a vulnerability be exposed.

28
Q

Big Data

A

Large stores of unstructured information. As well as volume, big data is often described as having velocity, as it may involve the capture and analysis of high bandwidth network links.

29
Q

Biometric

A

Identifying features stored as digital data can be used to authenticate a user. Typical features used include facial pattern, iris, retina, or fingerprint pattern, and signature recognition. This requires the relevant scanning device, such as a fingerprint reader, and a database of biometric information (template).

30
Q

Birthday Attack

A

A cryptographic function may produce collisions (where the function produces the same output for two different inputs). These may be connected to weak keys. The birthday paradox means that these collisions are less computationally intensive to attack than pure brute force (that is, you do not need to try every possible permutation to discover a weakness).

31
Q

Blackhole

A

A blackhole is a means of mitigating DoS or intrusion attacks by dropping (discarding) traffic.

32
Q

Bluejacking / Bluesnarfing

A

Bluetooth is a short-range radio-based connectivity protocol used by many peripherals, cell phones, and smartphones. Bluejacking refers to sending someone an unsolicited message or picture message using a Bluetooth connection; bluesnarfing refers to hijacking a Bluetooth device using some software exploit.

33
Q

Botnet

A

A network of computers that have been compromised by Trojan / rootkit / worm malware. Provided the botnet can also subvert any firewalls between the controller (or “herder”) and the compromised computers (“zombies”), they can be remotely controlled and monitored using covert channels. The Internet contains botnets of many millions of computers, and their exploitation (mostly to send spam or for identity theft) is a robust part of the “shadow” economy.

34
Q

BPA (Business Partners Agreement)

A

While there are many ways of establishing business partnerships, the most common model in IT is the partner agreements that large IT companies (such as Microsoft and Cisco) set up with resellers and solution providers.

35
Q

Buffer Overflow

A

Where a software program accepts input from the user, if the programmer has not created a routine to validate the input, it may be possible for an attacker to exploit this and overfill the program’s buffer (memory used by the program). This can allow the attacker to crash the system or execute arbitrary code (such as a virus).

36
Q

Business Continuity Plan (BCP) / Continuity of Operations Plan (COOP)

A

A business continuity plan is designed to ensure that critical business functions demonstrate high availability and fault tolerance. Typically, this is achieved by allowing for redundancy in specifying resources. Examples include cluster services, RAID disk arrays, and UPS. However, business continuity plans should not be limited to technical elements; they should also consider employees, utilities, suppliers, and customers. Associated with business continuity is the disaster recovery plan, which sets out actions and responsibilities for foreseen and unforeseen critical incidents.

37
Q

BYOD (Bring Your Own Device)

A

Security framework and tools to facilitate use of personally-owned devices to access corporate networks and data.

38
Q

CAC (Common Access Card)

A

An identity and authentication smart card produced for Department of Defense employees and contractors in response to a Homeland Security Directive.

39
Q

CAN (Controller Area Network)

A

A serial network designed to allow communications between embedded programmable logic controllers.

40
Q

CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart)

A

A CAPTCHA is an image of text characters or audio of some speech that is difficult for a computer to interpret. CAPTCHAs are used for purposes such as preventing “bots” from creating accounts on web forums and social media sites to spam them.

41
Q

Captive Portal

A

Secondary authentication mechanism for open access points. On connecting, the user’s browser is redirected to a server to enter credentials (and possibly payment for access).

42
Q

CAR (Corrective Action Report / Request)

A

A formal response setting out the plan to correct a defect in a system, such as a security vulnerability. This type of report or request may be implemented as part of a wider Failure Reporting, Analysis and Corrective Action System (FRACAS).

43
Q

Certificate

A

A public key that has been certified by some agency, validating that the owner of the key is really who he says he is. This allows a sender to encrypt a message using the public key in the knowledge that only the recipient will be able to read it (using their linked private key). Certificates can also be used as proof of identity (for authentication or signing documents). Most certificates are based on the X.509 standard though PGP web of trust certificates are also popular.

44
Q

Chain of Custody

A

Documentation attached to evidence from a crime scene detailing when, where, and how it was collected, where it has been stored, and who has handled it subsequently to collection.

45
Q

CHAP (Challenge Handshake Authentication Protocol)

A

Authentication scheme developed for dial-up networks that uses an encrypted three-way handshake to authenticate the client to the server. The challenge-response is repeated throughout the connection (though transparently to the user) to guard against replay attacks.

46
Q

CIRT (Cyber Incident Response Team) / CERT (Computer Emergency Response Team)

A

Team with responsibility for incident response. The CIRT must have expertise across a number of business domains (IT, HR, legal, and marketing for instance).

47
Q

CIS (Center for Internet Security)

A

A not-for-profit organization (founded partly by SANS). It publishes the well-known “Top 20 Critical Security Controls” (or system design recommendations).

48
Q

CISO (Chief Information Security Officer) / CIO (Chief Information Officer)

A

Typically the job title of the person with overall responsibility for information assurance and systems security.

49
Q

Classification

A

Any significant data resource or documentation should be classified. In a mandatory access control system, information is formally classified with labels such as “Top Secret”, “Secret”, and “Confidential”. In a discretionary or role-based access control system, resources are classified using Access Control Lists. These show what permissions (or rights) given users or groups have on the resource. One of the critical points distinguishing access control models is how a resource’s classification can be changed. This will generally require some process of notification (at the very least, the change should be logged).

50
Q

Cloud Computing

A

Any environment where software (Software as a Service and Platform as a Service) or computer / network resources (Infrastructure as a Service and Network as a Service) are provided to an end user who has no knowledge of or responsibility for how the service is provided. Cloud services provide elasticity of resources and pay-per-use charging models. Cloud access arrangements can be public, hosted private, or private (this type of cloud could be onsite or offsite relative to the other business units).

51
Q

COBIT (Control Objectives for Information and Related Technologies)

A

An IT governance framework with security as a core component. COBIT is published by ISACA and is a commercial product, available through APMG International.

52
Q

Code of Ethics

A

Professional behavior depends on basic ethical standards, such as honesty and fairness. Some professions may have developed codes of ethics to cover difficult situations; some businesses may also have a code of ethics to communicate the values they expect their employees to practice.

53
Q

Comparative Strength of Algorithms

A

The choice of encryption algorithm is mostly driven by application (for example, symmetric encryption is the best choice for file or folder encryption for performance reasons). The basic measure of strength within an algorithm is the key size. Most current algorithms support key sizes of 128-bit or better. Most cryptography suites are open to independent analysis but this is no guarantee that they will remain secure indefinitely. It is also important to note that while an algorithm may be secure, its implementation in a particular product may not.

54
Q

Configuration Baseline

A

Settings for services and policy configuration for a server operating in a particular application role (web server, mail server, file/print server, and so on). In Windows, the current configuration can be compared to the baseline defined in a security template using the Security Configuration and Analysis tool.

55
Q

Continuous Security Monitoring

A

Typically, security is only seriously investigated after some sort of incident. Continuous security monitoring refers to a proactive approach to performing risk assessments, checking audit logs, and reviewing threat sources. This reduces risk but requires either a particularly sophisticated intrusion detection system or the manpower to review logs and other security metrics.

56
Q

Cookie

A

Text file used to store information about a user when they visit a website. Some sites still use cookies to support user sessions. This type of site can be vulnerable to replay attacks, where an attacker obtains a user’s cookies and resends the session information.

57
Q

Cryptographic Access Control

A

Cryptography is the basis of most “Something You Have” authentication systems. The user is given a smart card that stores a digital certificate issued to the user by a certificate authority. To authenticate, the user presents the card to the reader and inputs a PIN (which protects against use of a stolen card).

58
Q

Cryptographic Algorithm

A

A cryptographic algorithm is a mathematical function that transforms plaintext into ciphertext in such a way that the plaintext cannot be recovered without knowledge of the appropriate key. A symmetric algorithm uses the same key for encrypting and decrypting; an asymmetric algorithm uses different keys (public and private; the keys are linked but one is not derivable from the other). A hashing algorithm is one-way only; once encrypted, the ciphertext cannot be decrypted.

59
Q

Cryptographic Confidentiality

A

Cryptography can provide message confidentiality because the message can only be read by someone in possession of the correct key. The main problem with this is secure distribution of the key. Typically, asymmetric encryption is used to distribute keys. As asymmetric algorithms are processor and memory intensive, they are not suitable for encrypting long messages.

60
Q

Cryptographic Integrity and Authentication

A

It is often important to prove that a message has not been modified in transit and to confirm the identity of the sender. This can be done using a cryptographic digital signature. This is typically achieved using a hash function. If both sender and receiver use the same hash function on the same message, they should derive the same value (a message digest). The message digest is also encrypted using an asymmetric algorithm and the sender’s private key. The recipient uses the sender’s linked public key to decrypt the hash. This provides authentication, as only the sender (the possessor of the private key) could have encrypted the message in this way. This also provides non-repudiation (that is, the sender cannot deny creating and sending the message).

61
Q

Cryptographic Standards

A

The most important set of standards governing cryptography are the PKIX RFCs for digital certificates and PKI. Many cryptographic applications have been developed from RSA’s PKCS. Cryptographic products may be certified by Common Criteria and FIPS.

62
Q

CVE (Common Vulnerabilities and Exposures)

A

Scheme for identifying vulnerabilities developed by MITRE and adopted by NIST.

63
Q

DAC (Discretionary Access Control)

A

Access control model where each resource is protected by an Access Control List (ACL) managed by the resource’s owner (or owners).

64
Q

Data Emanation

A

Unless shielded, all electrical cabling “leaks” signals to some extent. However, data emanation is more of a concern for wireless media, as the signals can be received for a considerable distance and shielding / containment is not a realistic option in most environments. Consequently, it is imperative that wireless communications use a strong encryption system.

65
Q

Database

A

Most network applications utilize databases. Major database server products include Oracle, Microsoft SQL Server, IBM’s DB2 and Informix, and Sybase. Many databases are operated using Structured Query Language (SQL, pronounced “sequel”). The freeware MySQL database is a popular choice to provide database functionality on websites. Database engines are often subject to software exploits, and so should be kept patched. Database design, programming, and administration are complex, and security should be considered a critical requirement.

66
Q

DBA (Database Administrator)

A

The IT role responsible for the configuration, management, and support of database applications.

67
Q

Default Account

A

Default administrative and guest accounts configured on servers and network devices are possible points of unauthorized access. It is good practice to rename the Windows administrative account and on UNIX / Linux to leave the “root” system owner account unused.

68
Q

DES (Data Encryption Standard)

A

Symmetric encryption protocol. DES and its replacement 3DES are considered weak in comparison with modern standards, such as AES.

69
Q

DHCP (Dynamic Host Configuration Protocol) Server

A

A service that provides dynamic allocation of IP addresses to appropriately configured clients. It is important to monitor the network to ensure that only valid DHCP servers are running on the network.

70
Q

dig (Domain Information Groper)

A

Tool for querying DNS server records.

71
Q

Directory Services

A

Directory services provide general and security information (permissions) for network users and objects. Most directory services are based on the LDAP standard. The directory server is a critical point of failure for most networks; without it, clients cannot log on. Most networks are configured with backup servers. It is also important to configure access control on the server to ensure that directory information can only be modified by authorized personnel.

72
Q

Disaster Recovery Plan

A

A documented and resourced plan showing actions and responsibilities to be used in response to critical incidents. The recovery plan may also provide for practice exercises or drills for testing and to familiarize staff with procedures. As well as facilitating a smooth transition in the event of disaster, plans must stress the importance of maintaining secure systems.

73
Q

Disposal

A

Disposal refers to both information security and environmental damage issues when decommissioning out-of-date or used systems. A disposal policy should set out what information should be disposed of securely (for example, by shredding paper documents or CDs or by erasing magnetic media). Many PCs, components, and consumables can be disposed of through recycling schemes, reducing the pressure on landfill sites and minimizing the environmental impact of any toxic products used in their manufacture.

74
Q

DLP (Data Loss Prevention)

A

Data Loss (or Leakage) Prevention (DLP) is software that can identify data that has been classified and apply “fine-grained” user privileges to it (preventing copying it or forwarding it by email, for instance).

75
Q

DMZ (Demilitarized Zone)

A

A private network connected to the Internet must be protected against intrusion from the Internet. However, certain services may need to be made publicly accessible from the Internet (web and email for instance). One solution is to put such servers in a DMZ. The idea of a DMZ is that traffic cannot pass through it. If communication is required between hosts on either side of a DMZ, a host within the DMZ acts as a proxy. It takes the request and checks it. If the request is valid, it re-transmits it to the destination. External hosts have no idea about what (if anything) is behind the DMZ. A DMZ is implemented using either two firewalls (screened subnet) or a single three-legged firewall (one with three network ports).

76
Q

DNS (Domain Name System)

A

This industry standard name resolution system provides name to IP address mapping services on the Internet and large intranets.

77
Q

DNS Harvesting

A

Using Open Source Intelligence (OSINT) to gather information about a domain (subdomains, hosting provider, administrative contacts, and so on).

78
Q

DNS Servers

A

DNS allows for mapping of human-readable resource names to numerical IP addresses. DNS is a hierarchical, distributed database. DNS name servers host the database for domains for which they are authoritative. Root servers hold details of the top-level domains. DNS servers also perform queries or lookups to service client requests. The DNS protocol defines the mechanisms by which DNS servers and clients interact. The DNS protocol utilizes TCP/UDP port 53. It is essential to ensure that clients utilize a reliable DNS server, to prevent spoofing attacks. A DNS server also needs to be protected against footprinting, DoS, and cache pollution (poisoning) attacks.

79
Q

Domain Name Kiting

A

There are various ways of exploiting the domain name registration process. Kiting refers to continually registering a name without having to pay for it. Tasting involves registering a domain temporarily to see how many “hits” it generates, while hijacking and cybersquatting are means of occupying a domain of some trusted brand or company.

80
Q

DoS (Denial of Service)

A

A network attack that aims to disrupt a service, usually by overloading it. A Distributed DoS (DDoS) attack uses multiple compromised computers (a “botnet” of “zombies”) to launch the attack.

81
Q

Due Process

A

Due process is a term used in US and UK common law to require that people only be convicted of crimes following the fair application of the laws of the land. More generally, due process can be understood to mean having a set of procedural safeguards to ensure fairness. This principle is central to forensic investigation.

82
Q

Dumpster Diving

A

A “social engineering” technique of discovering things about an organization (or person) based on what it throws away.

83
Q

EAP (Extensible Authentication Protocol)

A

Framework for negotiating authentication methods, supporting a range of authentication devices. EAP-TLS uses PKI certificates, Protected EAP (PEAP) creates a TLS-protected tunnel between the supplicant and authenticator to secure the user authentication method, and Lightweight EAP (LEAP) is a password-based mechanism used by Cisco.

84
Q

Embedded System

A

A computer system that is designed to perform a specific, dedicated function, such as a microcontroller in a medical drip or components in a control system managing a water treatment plant.

85
Q

EMI (Electromagnetic Interference)

A

EMI sources (such as fluorescent lights, air conditioning, and power cables) can corrupt signals. Copper cabling and radio transmissions can be affected by EMI, though cable shielding can be employed in problem areas.

86
Q

EMP (Electromagnetic Pulse)

A

A high intensity burst of electromagnetic radiation, such as that produced by a nuclear explosion or ElectroStatic Discharge (ESD).

87
Q

Escalation

A

In terms of privilege management, escalation (or elevation) is where a user gains additional privileges without authorization. This may happen because the user is able to exploit the privilege management system design to change his or her privileges. It can also be a result of software exploits, which can crash the system and give the user administrative or root privileges.

88
Q

ESN (Electronic Serial Number)

A

A number that uniquely identifies a mobile device, similar to a network adapter MAC address. ESNs have been replaced for CDMA-based devices by MEID (Mobile Equipment ID). GSM/UMTS/LTE devices are identified by an IMEI (International Mobile Station Equipment Identity).

89
Q

Evil Twin

A

In an evil twin attack, the attacker creates a malicious wireless access point masquerading as a genuine one, enabling the attacker to harvest confidential information as users connect via the AP.

90
Q

Extranet

A

A network of semi-trusted hosts, typically representing business partners, suppliers, or customers. Hosts must authenticate to join the extranet.

91
Q

Failsafe / Failopen

A

An electronic lock requires a power source. If the power source fails, a lock can fail in one of two ways. Failsafe (or fail-secure) means that the door will be locked (and unlockable) while failopen means the door will be open.

92
Q

False Positive / False Negative

A

Error in monitoring or identification technology that either reports an event as an incident when it is not (false positive) or does not report an event as an incident (false negative).

93
Q

Firewall

A

Hardware or software that filters traffic passing into or out of a network (for example, between a private network and the Internet). A basic packet-filtering firewall works at Layers 3 and 4 (Network and Transport) of the OSI model. Packets can be filtered depending on several criteria (inbound or outbound, IP address, and port number). More advanced firewalls (proxy and stateful inspection) can examine higher layer information, to provide enhanced security.

94
Q

First Responder

A

The critical first steps to take when a security incident is discovered. General staff should be trained to identify an incident and report it. The response to the incident will be governed by policy.

95
Q

Flood Guard

A

A firewall or IPS that prevents DDoS attacks where multiple compromised “bots” attempt to deny network connectivity by flooding it with malicious packets. Another type of flood guard might be deployed to protect against broadcast loops in layer 2 (MAC) and layer 3 (IP) segments.

96
Q

Forensics

A

The process of gathering and submitting computer evidence to trial. Digital evidence is latent, meaning that it must be interpreted. This means that great care must be taken to prove that the evidence has not been tampered with or falsified. The key points in collecting evidence are to record every step and action, to gather appropriate evidence, and to bag evidence. To preserve evidence correctly, it should be stored securely. Any investigation should be done on a copy of the digital files, not the originals. Each piece of evidence must be accompanied by a chain of custody form, detailing when, where, and how it was collected, where it has been stored, and who has handled it subsequently to collection.

97
Q

FTK (Forensic Tool Kit)

A

Commercial digital forensics investigation management and utilities suite, published by AccessData.

98
Q

FTP (File Transfer Protocol)

A

A protocol used to transfer files across the Internet. Variants include S(ecure)FTP and T(rivial)FTP. FTP utilizes ports 20 and 21.

99
Q

Full Disk Encryption

A

Encryption of all data on a disk (including system files, temporary files, and the pagefile) can be accomplished via a supported OS, third-party software, or at the controller level by the disk device itself. Used with a strong authentication method, this mitigates against data theft in the event that the device is lost or stolen. The key used to encrypt the disk can either be stored on a USB stick or smart card or in a Trusted Platform Module.

100
Q

Fuzzing

A

Fuzzing is a means of testing software input validation routines by inputting random or known malicious code. Fuzzing is also used in packet crafting to generate fake IP and MAC addresses.

101
Q

Geotracking

A

Identifying the location of a mobile device through GPS, association with access points, or triangulation against cellular base stations.

102
Q

Google Hacking

A

Using Google search operators to locate vulnerable web servers and applications.

103
Q

GPS (Global Positioning System)

A

Means of determining a receiver’s position on the Earth based on information received from GPS satellites. The receiver must have line-of-sight to the GPS satellites.

104
Q

Group Account

A

A group account is a collection of user accounts. These are useful when establishing file permissions and user rights because when many individuals need the same level of access, a group could be established containing all the relevant users. The group could then be assigned the necessary rights.

105
Q

Group Policy

A

On a Windows domain, per-user and per-computer settings can be deployed through Group Policy Objects, attached to Active Directory containers such as domains and Organizational Units. Group policy can be used to configure security settings such as password policy, account restrictions, firewall status, and so on.

106
Q

Hardware Lock

A

Devices can be physically secured against theft using cable ties and padlocks. Some systems also feature lockable faceplates, preventing access to the power switch and removable drives.

107
Q

Hardware Security Module

A

A Hardware Security Module (HSM) is an appliance for generating and storing cryptographic keys. This sort of solution may be less susceptible to tampering and insider threats than software-based storage.

108
Q

Heuristic

A

Monitoring technique that allows dynamic pattern matching based on past experience rather than relying on preloaded signatures.

109
Q

Hoaxes

A

Email, instant messaging, and website pop-ups are commonly used to spread hoax information, such as false virus or spyware alerts. Users should be trained to identify genuine sources of information.

110
Q

Honeypot

A

A computer set up to entice attackers with the purpose of discovering attack strategies and weaknesses in the security configuration. A related term is honeynet, meaning a whole network set up to entice attackers.

111
Q

HR Policy

A

Users are usually seen as the weak point of any security system. However, effective training and HR policies can use employees to strengthen security. Other security considerations for the HR department are coordinating secure recruitment and termination procedures. This means screening new employees through background checks, ensuring employees are set up with the correct privileges when they join or change job roles, and ensuring that privileges are revoked if the employee is fired or retires.

112
Q

HTTP

A

The protocol (HyperText Transfer Protocol) used to provide web content to browsers. HTTP uses port 80. HTTPS provides for encrypted transfers, using SSL and port 443.

113
Q

HVAC (Heating, Ventilation, Air Conditioning)

A

Building control systems maintain an optimum working environment for different parts of the building. The acronym HVAC (Heating, Ventilation, Air Conditioning) is often used to describe these services. For general office areas, this basically means heating and cooling; for other areas, different aspects of climate control, such as humidity, may be important.

114
Q

ICMP (Internet Control Message Protocol)

A

Operates at layer 3 (Network) to report errors about the delivery of TCP/IP packets.

115
Q

ICS (Industrial Control System)

A

A network managing embedded devices (computer systems that are designed to perform a specific, dedicated function).

116
Q

Identification

A

Authentication identifies a particular user account to a computer system; identification (or enrollment) is the process by which a user account (and its credentials) is issued to the correct person.

117
Q

IDS (Intrusion Detection System)

A

Software or security appliance designed to monitor network traffic (NIDS) or configuration files and logs on a host (HIDS) to record and detect unusual activity. Many systems can automatically take preventive action (Intrusion Prevention System [IPS]). Detection is either signature-based or anomaly-based (or both). IDS software typically requires a lengthy period of configuration and “training” to recognize baseline “normal” activity.

118
Q

IIS (Internet Information Services)

A

Web server product shipped with Windows.

119
Q

IM (Instant Messaging)

A

Real-time text communications products. IM also supports file exchange and remote desktop. Like email, communications are generally unencrypted and unauthenticated. IM can be difficult to block on private networks as most applications can work over HTTP.

120
Q

Imaging

A

Copying the structure and contents of a physical disk device or logical volume to a single file, using a tool such as dd.

121
Q

IMAP4 (Internet Message Access Protocol)

A

TCP/IP application protocol providing a means for a client to access email messages stored in a mailbox on a remote server. Unlike POP3, messages persist on the server after the client has downloaded them. IMAP also supports mailbox management functions, such as creating subfolders and access to the same mailbox by more than one client at the same time. IMAP4 utilizes TCP port number 143.

122
Q

Implicit Deny

A

Implicit deny is a basic principle of security stating that unless something has explicitly been granted access it should be denied access. An example of this is firewall rule processing, where the last (default) rule is to deny all connections not allowed by a previous rule.

123
Q

Incident Reporting

A

Employees are a vital component of an effective security and health and safety model. Company policy should set out the procedure for reporting incidents, such as who to contact and how quickly.

124
Q

Incident Response Policy

A

Procedures and guidelines covering appropriate priorities, actions, and responsibilities in the event of security incidents. The stages will generally be notification, investigation, remediation, and follow-up. Incident response is often handled by a special group - the Computer Security Incident Response Team - made up of staff with both technical skills and decision making authority.

125
Q

Input Validation

A

Where a program expects input from a user, good programming practice dictates that the user input should be validated before the program attempts any further processing of it. Failing to do this can leave the application vulnerable to buffer overflow and similar attacks.

126
Q

Interception Proxy

A

Software that sits between a client and server (a Man-in-the-Middle) and allows requests from the client and responses from the server to be analyzed and modified. Examples include PortSwigger’s Burp Suite, OWASP’s Zed Attack Proxy (ZAP), and Vega.

127
Q

Internet Content Filter

A

A software application or gateway that filters client requests for various types of Internet content (web, FTP, IM, and so on). The filtering software can work on the basis of keywords, URLs, time of day / total browsing time, and so on.

128
Q

Internet Zone

A

A zone permitting anonymous access (or perhaps a mix of anonymous and authenticated access) by untrusted hosts over the Internet.

129
Q

Intranet

A

A network of trusted hosts owned and controlled by the organization.

130
Q

ipconfig

A

Command-line utility providing information about the IP configuration of a workstation.

131
Q

IPsec

A

Layer 3 protocol suite providing security for TCP/IP. It can be used in two modes (transport, where only the data payload is encrypted, and tunnel, where the entire IP packet is encrypted and a new IP header added). IPsec can provide confidentiality and / or integrity. Encryption can be applied using a number of hash (MD5 or SHA) and symmetric (DES or AES) algorithms. Key exchange and security associations are handled by the Internet Key Exchange Protocol. Hosts can be authenticated by a shared secret, PKI, or Kerberos.

132
Q

ISA (Interconnection Security Agreement)

A

Any federal agency interconnecting its IT system to a third party must create an ISA to govern the relationship. An ISA sets out a security risk awareness process and commits the agency and supplier to implementing security controls.

133
Q

ISO (International Organization for Standardization)

A

Develops many standards and frameworks governing the use of computers, networks, and telecommunications, including ones for information security (27000 series).

134
Q

IV (Initialization Vector) Attack

A

Faults in the way that WEP implements the stream cipher used to encrypt traffic mean that the key can be recovered using cryptanalysis tools such as Aircrack given sufficient packets to analyze. Such tools can typically crack both 64-bit and 128-bit WEP encryption in a matter of minutes. WPA is not vulnerable to this attack (though weak passwords are still vulnerable to dictionary cracking).

135
Q

Java

A

Programming language used to create web server applications (J2EE) and client-side applications (running in the Java VM).

136
Q

JavaScript

A

Scripting language used to add interactivity to web pages and HTML-format email. JavaScript can also be used maliciously to exploit software vulnerabilities. It is possible to block scripts from running using browser security settings.

137
Q

Job Rotation

A

Job rotation is the policy of preventing any one individual performing the same role or tasks for too long. This deters fraud and provides better oversight of the person’s duties.

138
Q

Kerberos

A

Named after the mythical multi-headed guard-dog of the underworld, Kerberos is an authentication standard and protocol. Windows networks use this protocol for client and server authentication. Kerberos provides a Single Sign-On (SSO) authentication scheme where clients authenticate once to a Key Distribution Center and are granted service tickets to use particular applications without having to log on to each application separately.

139
Q

Key (Encryption)

A

An encryption cipher scrambles a message (plaintext) using an algorithm. The algorithm is given a key so that someone intercepting the message could not just reverse the algorithm to unscramble the message; they must also know the key. In symmetric encryption, the same key is used for encryption and decryption. In asymmetric encryption, different keys are used (one key is linked to but not derivable from the other key).

140
Q

Key Management

A

Apart from validating a user’s identity, one of the main functions of a CA is management of cryptographic keys over their lifecycle. Some of the main issues are as follows. Usage - keys should be issued for the stated purpose only; for example, a key used for signing should not be used for encryption. Storage - hardware based is generally more secure than software; it is imperative that private keys are not compromised. Lifetime - a key pair is set to expire after a number of years; it may also be revoked or suspended before that time if the key is compromised; a status checking mechanism (Certificate Revocation List) must be in place so that clients can discover whether a key is still valid. Renewal - a certificate needs to be renewed before the old one expires; however, keys should not be reused. Recovery and escrow - if a key is lost, some mechanism may be required to recover data encrypted with the key; this mechanism is typically protected by M of N control, to ensure that no one user can abuse the recovery process.

141
Q

Kill Chain

A

Term used to describe the stages of a cyber-attack.

142
Q

L2TP (Layer 2 Tunneling Protocol)

A

VPN protocol developed by Cisco. Its main advantage over PPTP is support for frame types and protocols other than PPP and TCP/IP. L2TP uses UDP port 1701. Encryption can be provided by IPsec.

143
Q

Layered Security / Defense in Depth

A

Configuring security controls on hosts (endpoints) as well as providing network (perimeter) security, physical security, and administrative controls.

144
Q

LDAP (Lightweight Directory Access Protocol)

A

Standard for accessing and updating information in an X.500-style network resource directory. LDAP uses port 389. Unless secure communications are used, LDAP is vulnerable to packet sniffing and Man-in-the-Middle attacks. It is also usually necessary to configure user permissions on the directory. LDAP version 3 supports simple authentication or Simple Authentication and Security Layer, which integrates it with Kerberos or TLS.

145
Q

Least Privilege

A

Least privilege is a basic principle of security stating that something should be allocated the minimum necessary rights, privileges, or information to perform its role.

146
Q

Legislation

A

Organizational security policies are (to some extent) driven by legislation introduced as a response to the growing appreciation of the threat posed by computer crime. Legislation can cover many aspects of security policy but the key concepts are due diligence (demonstrating awareness of security issues) and due care (demonstrating responses to identified threats). Security policy is also driven by adherence to industry codes of practice and standards.

147
Q

Load Balancer

A

A type of switch or router that distributes client requests between different resources, such as communications links or similarly-configured servers. This provides fault tolerance and improves throughput.

148
Q

Local Security Policy

A

A set of policies relating to log on, passwords, and other security issues that can be enforced or disabled on the local machine. On domains, security policy is configured centrally using Group Policy Objects (GPO).

149
Q

Location

A

Site location is an important security consideration, especially as regards reliable utility supply. Conversely, remote sites may suit some organizations, as this makes surveillance easier.

150
Q

Logic Bomb

A

A malicious program or script that is set to run under particular circumstances or in response to a defined event.

151
Q

Logical Token

A

A single sign-on system such as Kerberos issues users with a software token to present as confirmation that they have been previously authenticated.

152
Q

Logs

A

OS and applications software can be configured to log events automatically. This provides an audit trail of actions performed on the system as well as warning of suspicious activity. It is important that log configuration and files be made tamper-proof.

153
Q

Loop Protection

A

If broadcast traffic is allowed to continually loop around a network, the number of broadcast packets increases exponentially, crashing the network. Loop protection in switches (such as Spanning Tree Protocol), and in routers (Time To Live for instance) is designed to prevent this.

154
Q

MAC (Mandatory Access Control)

A

Access control model where resources are protected by inflexible, system defined rules. Resources (objects) and users (subjects) are allocated a clearance level (or label). There are a number of privilege models, such as Bell-LaPadula, Biba, and Clark-Wilson providing either confidentiality or integrity.

155
Q

MAC (Media Access Control) Address

A

A MAC is a unique hardware address that is hard-coded into a network card by the manufacturer. This is required for directing data frames across a network and for allowing the network card to compare destination addresses (coded into the data frame) and its own unique MAC address. A MAC address is 48 bits long with the first half representing the manufacturer’s Organizationally Unique Identifier (OUI).

156
Q

MAC Filter

A

Applying an access control list to a switch or access point so that only clients with approved MAC addresses can connect to it.

157
Q

Mandatory Vacations

A

Mandatory vacations means that employees are forced to take their vacation time, during which someone else fulfils their duties.

158
Q

Man-in-the-Middle

A

Where the attacker intercepts communications between two hosts.

159
Q

Mantrap

A

A secure entry system with two gateways, only one of which is open at any one time.

160
Q

Mathematical Attack

A

If a cryptographic function (algorithm) has known weaknesses, an attack can be formulated to exploit this (for example, to decrypt a document or to fake a digital signature).

161
Q

MBSA (Microsoft Baseline Security Analyzer)

A

Software used to determine whether Windows is fully patched and configured securely.

162
Q

MD5 (Message Digest Algorithm v5)

A

The Message Digest Algorithm was designed in 1990 by Ronald Rivest, one of the “fathers” of modern cryptography. The most widely used version is MD5, released in 1991, which uses a 128-bit hash value.

163
Q

MDM (Mobile Device Management)

A

Software suites designed to manage use of smartphones and tablets within an enterprise.

164
Q

Member Server

A

Any Windows-based server computer configured into a domain but not maintaining the Active Directory database (authenticating users) is referred to as a member server. Servers in a workgroup are referred to as standalone servers.

165
Q

Metasploit

A

An exploit framework such as Metasploit is a platform for launching modularized attacks against known software vulnerabilities. The framework comprises a database of exploit code, each targeting a particular CVE (Common Vulnerabilities and Exposures). The exploit code can be coupled with modular payloads.

166
Q

MLA (Master License Agreement)

A

Software licensing enforces certain conditions on the licensee, such as agreeing to install the software for an agreed number of users, desktops, or servers. Such agreements will also set out limited warranties and support arrangements.

167
Q

MoA (Memorandum of Agreement)

A

Legal document forming the basis for two parties to cooperate without a formal contract (a cooperative agreement). MOAs are often used by public bodies.

168
Q

Mobile Device

A

Portable phones and smart phones can be used to interface with workstations using technologies such as Bluetooth or USB. As such, they are increasingly the focus of viruses and other malware. Portable devices storing valuable information are a considerable security risk when taken offsite.

169
Q

MoU (Memorandum of Understanding)

A

Usually a preliminary or exploratory agreement to express an intent to work together.

170
Q

MTTR / MTTF / MTBF

A

Mean Time to Failure (MTTF) and Mean Time Between Failures (MTBF) represent the expected lifetime of a product or system. Mean Time to Repair (MTTR) is a measure of the time taken to correct a fault so that the system is restored to full operation.

171
Q

Multifactor Authentication

A

Strong authentication is multi-factor. Authentication schemes work on the basis of something you know, something you have, or something you are. These schemes can be made stronger by combining them (for example, protecting use of a smart card certification [something you have] with a PIN [something you know]).

172
Q

Mutual Authentication

A

Typically a client authenticates to a server. In many circumstances, it may be necessary for the server to authenticate to the client also (to prevent Man-in-the-Middle attacks for instance). This is referred to as mutual authentication.

173
Q

NAC (Network Access Control)

A

NAC is a means of ensuring endpoint security; that is, ensuring that all devices connecting to the network conform to a “health” policy (patch level, anti-virus / firewall configuration, and so on). NAC can work on the basis of pre- or post-admission control. The core components are an agent running on the client, policy enforcers (network connection devices such as switches and access points), and policy decision points (NAC policy server and AAA / RADIUS server).

174
Q

NAPT (Network Address Port Translation)

A

Similar to NAT, NAPT (or PAT or NAT overloading) maps private host IP addresses onto a single public IP address. Each host is tracked by assigning it a random high TCP port for communications.

175
Q

NAT (Network Address Translation)

A

Where hosts on a private network need Internet access, it is no longer practical or secure to allocate each host a unique IP address. Instead, hosts on the private network use private addressing. A router or proxy server provides Network Address Translation to map the private address to one or more publicly accessible IP addresses. As well as being easier to configure, this hides the private network addressing scheme from Internet users.

176
Q

Need to Know

A

A basic principle of confidentiality is that employees should know what they need to do their job and no more. Restricting the distribution of information makes it more secure.

177
Q

Nessus

A

One of the best-known commercial vulnerability scanners, produced by Tenable Network Security.

178
Q

netstat

A

Utility to show network information on a machine running TCP/IP, notably active connections and the routing table.

179
Q

Network Interconnections / Hardening

A

The basic steps in network hardening are to ensure the physical security of infrastructure (cabling, servers, switches, routers), configure services and protocols (disabling anything that is not required), configure access control (on firewalls and key devices), and set up a monitoring and maintenance program to detect unauthorized equipment or applications connected to the network and apply critical firmware or patch updates to network hardware.

180
Q

Network Mapper

A

Software that can scan a network and identify hosts, addresses, protocols, network interconnections, and so on.

181
Q

Network Monitoring

A

Auditing software that collects status and configuration information from network devices. Many products are based on the Simple Network Management Protocol (SNMP).

182
Q

Network Separation

A

Enforcing a security zone by separating a segment of the network from access by the rest of the network. This could be accomplished using firewalls or VPNs or VLANs. A physically separate network or host (with no cabling or wireless links to other networks) is referred to as air-gapped.

183
Q

NFC (Nearfield Communications)

A

Standard for radio communications over very short (around 4”) distances, facilitating contactless payment and similar technologies.

184
Q

NFS (Network File System)

A

Remote file access protocol used principally on UNIX and Linux networks.

185
Q

NIST (National Institute of Standards and Technology)

A

Develops computer security standards used by US federal agencies and publishes cybersecurity best practice guides and research.

186
Q

Nmap

A

Versatile port scanner used for topology, host, service, and OS discovery and enumeration.

187
Q

Non-essential Services

A

A principle of computer security is that only necessary services and protocols should be run. On many operating systems, this means disabling or uninstalling services following a default installation. The services that remain should also be secured so that they can be used only by authorized accounts.

188
Q

nslookup

A

Tool for querying DNS server records.

189
Q

NTP (Network Time Protocol)

A

TCP/IP application protocol allowing machines to synchronize to the same time clock. NTP runs over UDP port 123.

190
Q

OS Fingerprinting

A

Identifying the type and version of an operating system (or server application) by analyzing its responses to network scans.

191
Q

OS Hardening

A

Hardening is the process of making the OS (or Network OS) configuration secure. The exact steps vary greatly depending on the OS. However, the basic steps are to enable only necessary services (and configure access to them), set up access control on the file system and data directories, install monitoring software to protect against malware and intrusions, and establish a maintenance schedule to ensure the OS is patched to be secure against software exploits.

192
Q

OSINT (Open Source Intelligence)

A

Publicly available information and tools for aggregating and searching it.

193
Q

OVAL (Open Vulnerability and Assessment Language)

A

An XML schema for describing system security state and querying vulnerability reports and information.

194
Q

OWASP (Open Web Application Security Project)

A

A charity and community publishing a number of secure application development resources, such as the OWASP Top 10. The organization was renamed the Open Worldwide Application Security Project in 2023.

195
Q

P2P (Peer-to-Peer)

A

File sharing networks where data is distributed around the clients that use the network. Apart from consuming bandwidth and disk space, P2P networks are associated with distributing malware and illegal material.

196
Q

PAC (Proxy Auto-Config)

A

A type of script that allows a browser to select and configure an appropriate proxy server address and port number without requiring user intervention. PACs can also be used maliciously to try to redirect browsers to phishing sites.

197
Q

PAP (Password Authentication Protocol)

A

Obsolete authentication mechanism used with PPP. PAP transfers the password in plaintext and so is vulnerable to eavesdropping.

198
Q

Password Cracker

A

Password guessing software such as John the Ripper or Cain and Abel can attempt to crack user passwords by running through all possible combinations (brute force). Crackers usually work offline against captured password hashes rather than against the live logon, so the only limit is the attacker's computing power. The search can be made far less computationally intensive by using a dictionary of standard words or phrases (including previously leaked passwords). If a password is extremely simple or left at a default value, an attacker may be able to guess it without needing special software.
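The dictionary and brute-force approaches described above, as an added example (not from the original flashcards): both attacks run offline against an unsalted SHA-256 hash. The wordlist, target passwords, and alphabet are constructed for the demo; the keyspace() helper shows why length and character set matter more than anything else.

```python
"""Dictionary vs. brute-force attack on an unsalted SHA-256 password hash.
Added example; the wordlist, hashes and alphabet below are constructed."""
import hashlib
import itertools
import string
from typing import Iterable, Optional


def sha256_hex(password: str) -> str:
    """Unsalted, fast hash: exactly what an attacker hopes to find in a leak."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed wordlist; real attacks use millions of leaked passwords.
WORDLIST = ["123456", "password", "letmein", "qwerty", "welcome", "admin"]
ALPHANUM = string.ascii_lowercase + string.digits   # 36-symbol alphabet


def dictionary_attack(target_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Hash each candidate and compare; cost is linear in the wordlist size."""
    for word in wordlist:
        if sha256_hex(word) == target_hash:
            return word
    return None


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Candidates a brute-force search must try for lengths 1..max_len."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def brute_force(target_hash: str, alphabet: str, max_len: int) -> Optional[str]:
    """Exhaustive search, shortest candidates first."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate
    return None


if __name__ == "__main__":
    # "Captured" hashes, constructed here from known inputs for the demo.
    leaked = {"alice": sha256_hex("letmein"), "bob": sha256_hex("ab1")}
    for user, digest in leaked.items():
        hit = dictionary_attack(digest, WORDLIST)
        if hit is None:                      # not in the list: fall back to brute force
            hit = brute_force(digest, ALPHANUM, 3)
        print(f"{user}: {hit!r}")
    print("keyspace, 3 chars from 36:", keyspace(36, 3))
    print("keyspace, 8 chars from 62:", keyspace(62, 8))
```

The defensive lesson is in the numbers: a three-character alphanumeric password falls in under 50,000 hashes, while eight mixed-case alphanumerics need on the order of 10^14. A slow, salted hash (bcrypt, scrypt, Argon2) multiplies the cost of every candidate and defeats precomputed tables; an unsalted fast hash as used here does neither.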

199
Q

Password Policy

A

A weakness of password-based authentication systems is when users demonstrate poor password practice. Examples include choosing a password that is too simple, reusing passwords for different tasks, and writing a password down. Some of these poor practices can be addressed by system policies; others are better approached by education. Note that current guidance (NIST SP 800-63B) no longer recommends forcing regular password changes; passwords should instead be changed when there is evidence of compromise, with length requirements and screening against known-breached passwords taking priority.

200
Q

Patch Management

A

Identifying, testing, and deploying OS and application updates. Patches are often classified as critical, security-critical, recommended, and optional.

201
Q

PBX (Private Branch Exchange)

A

An automated switchboard providing a single connection point for the organization’s voice and data lines. Access to a PBX must be carefully restricted to authorized personnel only, with special consideration for any remote admin features built into it.

202
Q

PCI DSS (Payment Card Industry Data Security Standard)

A

Information security standard for organizations that process credit card payments.

203
Q

Penetration Testing

A

Authorized (white hat) hacking to try to discover and exploit any weaknesses in network security, carried out within an agreed scope and rules of engagement.

204
Q

Performance Monitor

A

Tool for viewing CPU, memory, and pagefile utilization, accessible through the Performance and Reliability Monitor. You can also view statistics on the Performance tab in Task Manager. Actual performance needs to be measured against a baseline, usually taken when the system is first installed. Most software can also generate alerts if performance breaches defined thresholds.

205
Q

Permissions

A

To access files and folders on a volume, the administrator of the computer will need to grant file permissions to the user (or a group to which the user belongs). File permissions are supported by NTFS-based Windows systems.

206
Q

Personal Software Firewall

A

A firewall implemented as application software running on the host. Personal software firewalls can provide sophisticated filtering of network traffic and also block processes at the application level. However, as a user-mode application they are more vulnerable to attack and evasion than kernel-mode firewalls or network firewall appliances.

207
Q

PGP (Pretty Good Privacy)

A

Email encryption product providing message confidentiality and integrity using web of trust PGP certificates.

208
Q

PHI (Protected Health Information)

A

Information that identifies someone as the subject of medical and insurance records, plus associated hospital and laboratory test results.

209
Q

Phishing

A

Obtaining user authentication or financial information through a fraudulent request for information. Phishing is specifically associated with emailing users with a link to a faked site (or some other malware that steals the information they use to try to authenticate). Pharming is a related technique where the attacker uses DNS spoofing to redirect the user to the fake site. Vishing refers to phishing attacks conducted over voice channels (VoIP). Spear phishing refers to attacks tailored to specific individuals or organizations, and whaling to spear phishing directed at managers or senior executives.

210
Q

Physical Security

A

Physical access to premises and equipment should not be overlooked in designing security. Barriers can be physical and / or psychological. Entry control mechanisms range from ID badges and simple key locks to certificate-based (physical tokens) or biometric access control.

211
Q

PII (Personally Identifiable Information)

A

PII is data that can be used to identify or contact an individual (or in the case of identity theft, to impersonate them). A social security number is a good example of PII. Others include names, Date of Birth, email address, telephone number, street address, biometric data, and so on.

212
Q

PKI (Public Key Infrastructure)

A

Asymmetric encryption provides a solution to the problem of secure key distribution for symmetric encryption. The main problem is making a link between a particular public-private key pair and a specific user. One way of solving this problem is through PKI. Under this system, keys are issued as digital certificates by a Certificate Authority (CA). The CA acts as a guarantor that the user is who he says he is. Under this model, it is necessary to establish trust relationships between users and CAs. In order to build trust, CAs must publish and comply with Certificate Policies and Certificate Practice Statements.

213
Q

POP3 (Post Office Protocol)

A

TCP/IP application protocol providing a means for a client to access email messages stored in a mailbox on a remote server. The server usually deletes messages once the client has downloaded them. POP3 utilizes TCP port 110.

214
Q

Popup Blocker

A

Pop-ups are browser windows that open automatically using a script in the host page or some sort of adware or spyware installed on the PC. A popup blocker can prevent these windows from being opened. Older pop-ups were implemented using Flash or Shockwave plug-ins, which are now retired; modern blockers deal with script-driven pop-ups and similar overlays.

215
Q

Port Forwarding

A

Port forwarding means that a router takes requests from the Internet for a particular application (say, HTTP / port 80) and sends them to a designated host on the LAN.

216
Q

Port Scanner

A

Software that enumerates the status of TCP and UDP ports on a target system. Port scanning can be blocked by some firewalls and IDS.

217
Q

Port Security

A

Preventing a device attached to a switch port from communicating on the network unless it matches a given MAC address or other protection profile.

218
Q

Power Level Controls

A

Enterprise-class wireless access points and adapters support configurable power level controls. In some circumstances, increasing power can increase range and overcome local interference. Conversely, reducing power shrinks the area in which the signal can be received, limiting how far an eavesdropper or rogue client outside the premises can reach the network.

219
Q

PPP (Point to Point Protocol)

A

Dial-up protocol working at Layer 2 (Data Link) used to connect devices remotely to networks. Often used to connect to an ISP’s routers and out to the Internet. PPPoE (PPP over Ethernet) or PPPoA (PPP over ATM) are used to provide broadband connections (over DSL or cable Internet for instance).

220
Q

PPTP (Point to Point Tunneling Protocol)

A

Protocol developed by Cisco and Microsoft to support VPNs over PPP and TCP/IP. PPTP uses TCP port 1723. Encryption can be provided by Microsoft Point-to-Point Encryption (MPPE). PPTP with MS-CHAPv2 authentication is considered insecure, as the MS-CHAPv2 exchange can be cracked, and should be replaced by L2TP/IPsec, IKEv2, or TLS-based VPNs.

221
Q

Pre-shared Key

A

Symmetric encryption technologies, such as those used for WEP and WPA/WPA2-Personal, require both parties to use the same secret key. This key must be kept secret, which means that making the key known to both parties securely is a significant security problem. A pre-shared key is normally derived from a passphrase. A passphrase should be longer than a password and contain a mixture of characters; with WPA/WPA2-Personal the passphrase is the only secret, so a short or dictionary passphrase can be recovered offline from a captured handshake.
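How a passphrase becomes a pre-shared key, as an added example (not from the original flashcards): WPA/WPA2-Personal derive the 256-bit PSK with PBKDF2-HMAC-SHA1 using the SSID as the salt and 4,096 iterations, as specified in IEEE 802.11i. The first passphrase/SSID pair is the standard's own published test vector; the second SSID is a constructed one to show that the same passphrase yields a different PSK on a different network.

```python
"""Deriving a WPA/WPA2-Personal pre-shared key from a passphrase (added example)."""
import hashlib

PSK_ITERATIONS = 4096   # fixed by IEEE 802.11i
PSK_LENGTH = 32         # 256-bit PSK


def passphrase_is_valid(passphrase: str) -> bool:
    """WPA passphrases are 8 to 63 printable ASCII characters."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 256 bits)."""
    if not passphrase_is_valid(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PSK_ITERATIONS, PSK_LENGTH)


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE"
    print(wpa_psk("password", "IEEE").hex())
    # Same passphrase, constructed SSID: a different PSK, so a precomputed
    # table of common passphrases only helps against the SSID it was built for.
    print(wpa_psk("password", "MyHomeWiFi").hex())
```

Because the SSID is the salt, attackers precompute PSK tables for the most common default SSIDs; a unique SSID forces them back to per-network PBKDF2 work, but only a long, non-dictionary passphrase actually stops the attack.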

222
Q

Privacy Policy

A

Privacy policy generally covers what monitoring and data collection will be made of an organization’s employees. A privacy policy is also important when collecting data from third parties, such as customers and suppliers. Privacy policy may have to be formulated within the bounds of civil rights and data protection legislation, though this is not true of all countries.

223
Q

Private Key

A

In asymmetric encryption, the private key is known only to the holder and is linked to, but not derivable from, a public key distributed to those with which the holder wants to communicate securely. The private key decrypts data that was encrypted with the matching public key, and creates digital signatures that the public key verifies. As a matter of key separation, a single key pair should not be used for both encryption and signing.

224
Q

Privilege Escalation

A

Exploiting a bug in software (such as buffer overflow) to gain elevated privileges, either within the application or OS, for a malicious process. For example an exploitable buffer overflow on web browser software might allow a virus, rootkit, or Trojan to run with system privileges rather than the privileges of the logged on user.

225
Q

Privilege Management

A

This is the practical application of access control measures. The basic task is to set up and monitor (audit) resources and users to ensure that user privileges (or rights) on each resource are correct. The way privilege management is implemented depends on the model of access control being used (discretionary, role-based, or mandatory). A discretionary system tends towards decentralized management; role-based tends to be centrally managed.

226
Q

Proxy Server

A

A server that mediates the communications between a client and another server. The proxy server can filter and often modify communications as well as providing caching services to improve performance.

227
Q

RA (Registration Authority)

A

In PKI, the functions of registering and identity proofing users may be devolved from the Certificate Authority (CA) to a Registration Authority (RA). The function of signing and issuing certificates is always reserved by the CA.

228
Q

RAD (Rapid Application Development)

A

A programming environment that helps developers to create software quickly.

229
Q

RADIUS (Remote Authentication Dial-in User Service)

A

Remote Authentication Dial-in User Service was used by ISPs to authenticate and audit Internet access by account holders. RADIUS is now also widely used to manage remote and wireless authentication infrastructure. Users supply authentication information to RADIUS client devices, such as wireless access points. The client device then passes the authentication data to an AAA server, which processes the request.

230
Q

RAID (Redundant Array of Independent / Inexpensive Disks / Devices)

A

Using RAID technology, multiple hard disks can be configured to provide improved performance and/or protection for data (fault tolerance). Several RAID levels are defined, ranging from level 0 to level 6, each representing a particular type of fault tolerance (note that RAID 0 provides no fault tolerance). RAID protects against disk failure only; it is not a substitute for backup, since deletion, corruption, or ransomware is faithfully mirrored across the array.

231
Q

Ransomware

A

A type of malware that tries to extort money from the victim, by appearing to lock their computer or by encrypting their files for instance.

232
Q

RAS (Remote Access Server)

A

A server configured to process remote connections. Historically, this meant dial-up connections. These days, remote connections are more likely to be created via a VPN. Remote access policies define how users are able to connect to the server (media, protocols, authentication method, time of day restrictions, and so on) and rights and accessibility of resources over the connection.

233
Q

Recovery Agent

A

A user configured to restore encrypted data in the event that the original key is lost. The recovery agent is granted access to a backup of the key, stored in some secure location. Recovery access is often subject to “M of N” control, requiring more than one user to authorize the recovery, to deter fraud.

234
Q

Redundancy Planning

A

Most disaster recovery plans call for the presence of redundant systems and backed up data. One goal is to eliminate Single Points of Failure. At the high end, these plans may involve alternate sites. These can be classified as cold, warm, or hot, depending on their state of readiness. Redundancy is also provided by spare parts for key systems, servers that can provide for failover (clusters), redundant network links, disk arrays (RAID), power supply, and backup ISP services (Internet connection and web hosting).

235
Q

Remote Wipe

A

Software that allows deletion of data and settings on a mobile device to be initiated from a remote server.

236
Q

Replay Attack

A

Where the attacker intercepts some authentication data and reuses it to try to re-establish a session or repeat a transaction. Protocols defend against replay with timestamps, nonces, or sequence numbers that are covered by the message's signature or MAC, so that a captured message is rejected when presented again.

237
Q

Risk Assessment

A

Risk assessment is the process of assessing threats and vulnerabilities to an organization's assets and processes. The first steps are to identify and document assets and threats. The next step is to quantify the degree of risk associated with each asset and procedure. Purely quantitative risk assessment assigns concrete values to each risk factor, depending on variables such as the likelihood of the threat being realized and the impact (factors such as the value of the asset or the cost of disruption if the asset is compromised). This is very hard to do, so many risk assessments use a qualitative approach, in which the assessor makes a more generalized assessment. Risk is the likelihood of a threat exploiting a vulnerability combined with the resulting impact. Each identified risk must be controlled: it can be avoided, mitigated, transferred (for example, through insurance), or accepted, but not ignored.

238
Q

Rogue Device

A

The attachment of rogue network devices and services, including access points, DHCP servers, and DNS servers, can allow very effective spoofing or Man-in-the-Middle attacks to be launched. Various scanning and monitoring software is available to detect rogues.

239
Q

Role-Based Access Control

A

Access control model where resources are protected by ACLs. However, management of ACLs is reserved to administrators rather than owners and users are assigned permissions according to job function rather than personally.

240
Q

Rootkit

A

A class of malware (typically a Trojan, which is to say the user believes they are installing something else) that modifies system files, often at the kernel level, to conceal its presence.

241
Q

Router

A

Routers are able to link dissimilar networks and can support multiple alternate paths between locations based upon the parameters of speed, traffic loads, and cost. A router works at Layer 3 (Network) of the OSI model. Routers form the basic connections of the Internet. They allow data to take multiple paths to reach a destination (reducing the likelihood of transmission failure). Routers can access source and destination addresses within packets and can keep track of multiple active paths within a given source and destination network. TCP/IP routers on a LAN can also be used to divide the network into logical subnets.

242
Q

RPO / RTO

A

Recovery Point Objective (RPO) is the amount of data loss that a system can sustain, measured in time. Recovery Time Objective (RTO) is the period following a disaster that a system may remain offline.

243
Q

Rule-Based Access Control

A

Any access control model that follows system-enforced rules that cannot be countermanded can be described as “rule-based”. A firewall is a good example of rule-based access control but the MAC and role-based models can also be described as rule-based. DAC is not rule-based as decisions are made by the resource owner.

244
Q

S/MIME

A

Email encryption standard based on the Cryptographic Message Syntax (CMS), using PKI (X.509) certificates for confidentiality (digital envelopes) and integrity (digital signatures). S/MIME provides extensions for standard MIME (Multipurpose Internet Mail Extensions) headers.

245
Q

SAN (Storage Area Network)

A

Network dedicated to data storage, typically consisting of storage devices and servers connected to switches via Host Bus Adapters. Data access in a SAN is handled at block level.

246
Q

SANS Institute (SysAdmin, Network, and Security)

A

A company specializing in cybersecurity and secure web application development training that sponsors the Global Information Assurance Certification (GIAC).

247
Q

SCADA (Supervisory Control and Data Acquisition)

A

A type of Industrial Control System typically deployed to manage large-scale, multiple-site devices and equipment spread over geographically large areas.

248
Q

SCAP (Security Content Automation Protocol)

A

Allows compatible scanners to determine whether a computer meets a particular configuration baseline from NIST’s database (scap.nist.gov).

249
Q

SCEP (Simple Certificate Enrollment Protocol)

A

A protocol developed by Cisco to provision users and appliances (such as routers and switches or smartphones) with certificates more easily. SCEP uses HTTP to submit a Certificate Signing Request (CSR) then monitors the status of the request. It can also automatically renew certificates that are about to expire.

250
Q

scp (Secure Copy)

A

A secure file transfer program based on Secure Shell (SSH).

251
Q

Script Support

A

Many web pages use scripts, ActiveX, Java, or plug-ins to provide "rich" content. Many sites depend on the use of scripts for even their basic navigation tools. Unfortunately, scripts can be used to exploit browser or OS vulnerabilities or to perform actions that the user may find annoying (such as opening multiple popup windows). Most browsers enable the user to disable scripting and other executable content on a site-by-site basis.

252
Q

SDLC (Software Development LifeCycle)

A

The processes of planning, analysis, design, implementation, and maintenance that often govern software and systems development.

253
Q

Security Baseline

A

When performing auditing, performance monitoring, or configuring software such as intrusion detection, it is necessary to establish a baseline of "normal" activity. Any significant variation from the baseline is then treated as an event that may need investigation or remediation.

254
Q

Security Control

A

A technology or procedure put in place to mitigate vulnerabilities and risk and to ensure the Confidentiality, Integrity, and Availability (CIA) of information. Control types are often classed in different ways, such as technical, operational, and management.

255
Q

Security Policy

A

Each organization should have a documented security policy backed by senior management. The policy should set out requirements for protecting technology and information assets from threats and misuse. The policy should be communicated effectively to all levels of the organization and backed up with procedures and resources to put it into effect.

256
Q

Security Template

A

Settings for services and policy configuration for a server operating in a particular application role (web server, mail server, file/print server, and so on). In Windows, the current configuration can be compared to the baseline defined in a security template using the Security Configuration and Analysis tool.

257
Q

Security Zone

A

A zone is an area of the network (or of a connected network) where the security configuration is the same for all hosts within it.

258
Q

SEH (Structured Exception Handler)

A

A mechanism in Windows for allowing software developers to account for unexpected error conditions that might arise during code execution. Effective error handling reduces the chances that a program could be exploited. Attackers may also overwrite SEH records on the stack to redirect execution (an SEH overwrite), which is why protections such as SafeSEH and SEHOP matter.

259
Q

Separation of Duties

A

For a critical business function to be secure, it may be necessary to ensure that no one person can perform that function.

260
Q

Service Discovery

A

Using network scans to discover open TCP and UDP ports plus information about the servers operating them.
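The port scanner and service discovery cards above describe enumerating TCP ports and identifying the services behind them. The following added example (not from the original flashcards) is a TCP connect() scanner with a banner grab. So that it runs offline, it starts a fake service on a loopback port that announces a constructed SSH-style banner; the host, ports, and banner are all assumptions for the demo.

```python
"""TCP connect() port scan with banner grab (added example). The "service" it
finds is a fake listener started on loopback so the demo runs offline."""
import socket
import threading
from typing import Dict, Iterable, Optional, Tuple


def scan_ports(host: str, ports: Iterable[int],
               timeout: float = 0.5) -> Dict[int, Tuple[str, Optional[str]]]:
    """Return {port: (state, banner)} with state 'open' or 'closed'.
    A full TCP handshake is completed, so this scan is visible to the target
    and will be logged by an IDS; SYN scans (as Nmap uses by default) are
    stealthier but need raw sockets."""
    results: Dict[int, Tuple[str, Optional[str]]] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:            # refused (closed) or timed out (filtered)
                results[port] = ("closed", None)
                continue
            banner = b""
            try:
                banner = s.recv(256)   # many services announce themselves on connect
            except OSError:
                pass
            text = banner.decode("ascii", errors="replace").strip()
            results[port] = ("open", text or None)
    return results


def start_fake_service(banner: bytes) -> Tuple[int, threading.Event]:
    """Listen on an ephemeral loopback port and send `banner` to each client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve() -> None:
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop


def unused_port() -> int:
    """Reserve and release a loopback port so we have one known to be closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    port, stop = start_fake_service(b"SSH-2.0-OpenSSH_9.6\r\n")   # constructed banner
    try:
        for p, (state, banner) in scan_ports("127.0.0.1", [port, unused_port()]).items():
            print(f"{p}/tcp {state} {banner or ''}")
    finally:
        stop.set()
```

The banner is what turns a port number into a service and version, which is the input to vulnerability matching; it is also why hardening guides recommend suppressing or genericizing banners where the protocol allows.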

261
Q

SFTP (Secure File Transfer Protocol)

A

A file transfer protocol that runs as a subsystem of SSH, inheriting its authentication and confidentiality. Despite the name it is a separate protocol from FTP and should not be confused with FTPS, which is classic FTP wrapped in TLS.

262
Q

SHA (Secure Hash Algorithm)

A

SHA is a family of cryptographic hashing algorithms created to address weaknesses in MD5. SHA-1 is deprecated (practical collisions have been demonstrated) and has been superseded by the SHA-2 family (SHA-256, SHA-512, and so on); SHA-3 is a further, structurally different standard.

263
Q

Shielding

A

Most network media leak signals to some extent, with wireless radio being the easiest to intercept (eavesdrop). Shielding can counteract this risk. Twisted pair cabling can be shielded or screened; whole rooms can be shielded using metal paint or wire mesh.

264
Q

Shoulder Surfing

A

Social engineering technique to obtain someone's password or PIN by observing them as they type it in, whether directly, from a distance with binoculars, or via a camera. (Following someone through a secured door is tailgating, covered separately.)

265
Q

SID (Security Identifier)

A

The value assigned to an account by Windows. The SID is the “real” account identifier as far as the OS is concerned. The account name is just a convenient label.

266
Q

SIEM (Security Information and Event Management)

A

Software designed to assist with security logging and alerting. SIEM provides correlation between observables and indicators and usually includes graphing tools to assist analysis of trends.

267
Q

Signature-based Monitoring

A

Software that monitors a system for malware infection, intrusion detection, or performance may be configured to recognize threat signatures or definitions based on known malware or attack patterns. This sort of system is quite simple to install but cannot provide any defense against unknown threats (zero day exploits) and requires its signature database to be kept up-to-date.

268
Q

SIM (Subscriber Identity Module)

A

A small chip card that identifies the user and phone number of a mobile device, via an International Mobile Subscriber Identity (IMSI). A SIM card also provides a limited amount of local storage, for contacts.

269
Q

Sinkhole

A

Sinkhole routing is a means of mitigating a DoS attack by redirecting traffic away from the production network.

270
Q

Site Survey

A

Planning a wireless deployment by identifying optimum locations for antenna and access point placement to provide the required coverage for clients and identifying sources of interference.

271
Q

SLA (Service Level Agreement)

A

Operating procedures and standards for a service contract.

272
Q

SLE (Single Loss Expectancy)

A

The amount that would be lost in a single occurrence of the risk factor. SLE is calculated as the Asset Value (AV) multiplied by the Exposure Factor (EF), the proportion of the asset's value lost in one incident. Multiplying SLE by the Annualized Rate of Occurrence (ARO) gives the Annualized Loss Expectancy (ALE).

273
Q

SMS (Short Message Service)

A

A system for sending text messages between cell phones. SMS has been one of the world’s most popular communications methods but is now under some threat from messaging apps.

274
Q

SMTP Open Relay

A

An SMTP server left configured as an open relay means that anyone can use the server to send mail. This can be exploited by spammers and disguises the true source of the messages.

275
Q

SNMP (Simple Network Management Protocol)

A

TCP/IP application protocol used for monitoring and managing network devices. A management system collates data sent by agents running on each device. The agents maintain a Management Information Base of configuration and usage data. An agent can also generate a trap, alerting the management system of some notable event (such as a printer being out of paper). SNMP works over UDP ports 161 (agent) and 162 (traps) by default. SNMPv1 and v2c authenticate with plaintext community strings (often left at "public"/"private"), so SNMPv3, which adds user authentication and encryption, should be used wherever possible.

276
Q

Snort

A

An open source NIDS. A subscription (“oinkcode”) is required to obtain up-to-date rulesets, which allows the detection engine to identify the very latest threats. Non-subscribers can obtain community-authored rulesets.

277
Q

Social Engineering

A

A hacking technique, widely publicized by Kevin Mitnick in his book “The Art of Deception”, whereby the hacker gains useful information about an organization by deceiving its users or by exploiting their unsecure working practices. Typical social engineering methods include impersonation, domination, and charm.

278
Q

Software Exploitation

A

Most software contains vulnerabilities caused by bugs or poor design. An exploit is code that can use the vulnerability to crash or gain control of the system.

279
Q

Spam

A

Junk messages sent over email (or instant messaging [SPIM]). Filters and blacklists are available to block spam and known spam servers. It is also important to ensure that any mail servers you operate are not open relays, allowing a spammer to leverage your server to distribute spam and making it likely that it will be blacklisted.

280
Q

SPoF (Single Point of Failure)

A

A component or system that would cause a complete interruption of a service if it failed. SPoFs are mitigated by providing redundant parts, connections, or services that either provide failover (the replacement is automatically switched in) or swift replacement.

281
Q

Spoofing

A

Where the attacker disguises their identity. Some examples include IP spoofing, where the attacker changes their IP address, or phishing, where the attacker sets up a false website.

282
Q

Spyware

A

Software that records information about a PC and its user. Spyware is used to describe malicious software installed without the user's consent. Aggressive spyware is used to gather passwords or financial information such as credit card details.

283
Q

SSH (Secure Shell)

A

A remote administration and file copy program that is flexible enough to support VPNs too (using port forwarding). SSH runs on TCP port 22.

284
Q

SSID (Service Set ID)

A

The name for a wireless network. A device wishing to participate in a wireless network must be configured with the SSID. However, devices can broadcast the SSID or can be left configured with the default SSID, making the existence of the network obvious, which may or may not be the intention.

285
Q

SSL (Secure Sockets Layer)

A

SSL was developed by Netscape to provide privacy and authentication over the Internet. It is application independent (working at Layer 5 [Session]) and can be used with a variety of protocols, such as HTTP or FTP. Client and server set up a secure connection through PKI (X.509) certificates (optionally, both client and server can authenticate to one another). SSL has been superseded by Transport Layer Security (TLS); all SSL versions are deprecated and should be disabled, with TLS 1.2 or 1.3 used instead.

286
Q

SSO (Single Sign-on)

A

Resources on a network may be hosted by multiple software applications from different vendors. Each application may have a different log on method, requiring administrators to create multiple user accounts and for users to have to remember and input multiple logons. A single sign-on system, such as Kerberos, centralizes user authentication in one module then negotiates with applications on behalf of the user to obtain service tickets.

287
Q

Standards and Guidelines

A

Policy sets the overall tone for how something should be done and is usually intended for a general audience. More detailed guidance and standards may be produced for different audiences, such as end users and technical staff. In addition to internal standards, many job tasks may be guided by external standards, legislation, and “best practice” guidance. External standards may come from industry practice, professional organizations, or legislation.

288
Q

Steganography

A

Steganography (literally meaning “hidden writing”) is a technique for obscuring the presence of a message. Typically, information is embedded where you would not expect to find it (a message hidden in a picture for instance). This technique is used for counterfeit deterrence and detection and in the creation of “covert channels” (embedding messages in IP headers).
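An added example of the technique (not from the original flashcards): least-significant-bit embedding, the simplest form of hiding a message in a picture. The cover here is a constructed, deterministic byte array standing in for raw pixel samples; with real image data the same loop runs over the decoded pixel bytes. A 4-byte length header is an assumption of this demo so the extractor knows where the message ends.

```python
"""LSB steganography: hide a message in the least significant bits of a
cover (added example). The cover is a constructed byte array standing in for
raw pixel samples."""
import random
from typing import Iterator


def make_cover(n: int = 4096, seed: int = 7) -> bytes:
    """Deterministic constructed 'image' of n 8-bit samples."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n))


def _bits(data: bytes) -> Iterator[int]:
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover: bytes, payload: bytes) -> bytes:
    """Write a 4-byte length header plus payload, one bit per cover sample."""
    framed = len(payload).to_bytes(4, "big") + payload
    if len(framed) * 8 > len(cover):
        raise ValueError(f"cover too small: need {len(framed) * 8} samples")
    out = bytearray(cover)
    for i, bit in enumerate(_bits(framed)):
        out[i] = (out[i] & 0xFE) | bit     # replace only the lowest bit
    return bytes(out)


def _read(stego: bytes, bit_offset: int, nbytes: int) -> bytes:
    out = bytearray()
    for b in range(nbytes):
        value = 0
        for i in range(8):
            value = (value << 1) | (stego[bit_offset + b * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Read the length header, then that many payload bytes."""
    length = int.from_bytes(_read(stego, 0, 4), "big")
    return _read(stego, 32, length)


def max_sample_change(cover: bytes, stego: bytes) -> int:
    """How far any sample moved; LSB embedding changes each by at most 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    cover = make_cover()
    secret = b"meet at the usual place, 0600"
    stego = embed(cover, secret)
    print(extract(stego))
    print("max per-sample change:", max_sample_change(cover, stego))
```

Each sample changes by at most one unit, which is invisible to the eye but not to statistics: the embedded bits have a different distribution from natural image noise, which is what steganalysis tools look for. Lossy recompression (JPEG) destroys the LSB plane, so this simple form only survives lossless formats.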

289
Q

Storage and Retention Policies

A

Many security systems focus on the protection of data that is in use on a “live” or “production” system. When data reaches the end of its useful life, it may either be destroyed or archived. A retention policy will dictate which is the case and for how long information needs to be retained (this may be subject to legislative requirements). The storage facility needs to have similar security mechanisms to the production system, to ensure that the data is kept securely and accessed only by authorized users. Another storage security consideration is data copied to backup media, especially when it is stored offsite.

290
Q

Succession Planning

A

Businesses can only depend so far on written procedures. Many tasks, especially at management level, require skill and experience to conduct properly. Succession planning is the task of identifying ways in which a business could cope if a disaster led to loss of key staff.

291
Q

Switch

A

A network appliance capable of creating temporary virtual circuits between two Ethernet interfaces to reduce contention on the network. Switches have replaced hubs on most Ethernet networks. Most switches work at Layer 2 (Data Link) but more advanced models work at Layer 3 (Network), functioning much like a router.

292
Q

Sysinternals

A

A suite of tools from Microsoft (Process Explorer, Process Monitor, Autoruns, and others) designed to assist with troubleshooting issues with Windows. The same tools are widely used by analysts to inspect running processes, persistence mechanisms, and file or registry activity when investigating malware.

293
Q

Syslog

A

A protocol enabling different appliances and software applications to transmit logs or event records to a central server. Syslog traditionally runs over UDP port 514; each message carries a priority value (PRI) that encodes the originating facility and severity. Syslog messages can be transported over TCP or TLS for reliability and confidentiality.
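As an added example (not from the original flashcards) of what a syslog collector or SIEM does with these records: parse BSD-style (RFC 3164) lines, decode the facility and severity from the PRI value, and correlate failed logons by source address the way a brute-force detection rule would. The log lines are constructed; the sshd and sudo message formats are the common ones but are assumptions for this demo.

```python
"""Parse BSD-style (RFC 3164) syslog lines and correlate failed logons by
source address (added example). The log lines are constructed."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss host tag[pid]: message
_LINE = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([^\[\s:]+)(?:\[(\d+)\])?: (.*)$")
_FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")

# Constructed sample log (documentation addresses from RFC 5737).
SAMPLE_LOG = [
    "<34>Oct 11 22:14:15 host1 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 52311 ssh2",
    "<38>Oct 11 22:14:16 host1 sshd[1236]: Accepted password for alice from 198.51.100.7 port 40022 ssh2",
    "<34>Oct 11 22:14:17 host1 sshd[1237]: Failed password for root from 203.0.113.5 port 52312 ssh2",
    "<34>Oct 11 22:14:19 host2 sshd[991]: Failed password for bob from 198.51.100.7 port 40100 ssh2",
    "<85>Oct 11 22:14:20 host2 sudo: bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow",
    "this line is not syslog",
]


def parse_syslog(line: str) -> Optional[Dict[str, object]]:
    """Return a record dict, or None for lines that are not RFC 3164 syslog."""
    m = _LINE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                       # 24 facilities * 8 severities
        return None
    return {
        "facility": FACILITIES[pri // 8],   # PRI = facility * 8 + severity
        "severity": SEVERITIES[pri % 8],
        "timestamp": m.group(2),
        "host": m.group(3),
        "tag": m.group(4),
        "pid": int(m.group(5)) if m.group(5) else None,
        "message": m.group(6),
    }


def failed_logons_by_source(records: Iterable[Dict[str, object]]) -> Counter:
    """Count sshd authentication failures per source IP across all hosts."""
    counts: Counter = Counter()
    for rec in records:
        m = _FAILED.search(str(rec["message"]))
        if m:
            counts[m.group(2)] += 1
    return counts


def brute_force_sources(records: Iterable[Dict[str, object]], threshold: int = 2) -> List[str]:
    """Sources at or above the failure threshold: the correlation rule's output."""
    return sorted(ip for ip, n in failed_logons_by_source(list(records)).items() if n >= threshold)


if __name__ == "__main__":
    records = [r for r in (parse_syslog(l) for l in SAMPLE_LOG) if r]
    for r in records:
        print(f"{r['facility']}.{r['severity']} {r['host']} {r['tag']}: {r['message'][:50]}")
    print("brute-force candidates:", brute_force_sources(records))
```

Correlating across hosts is the point: each server alone saw one failure from 203.0.113.5, and only the central view shows the pattern. A real rule would also bound the time window and whitelist known scanners.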

294
Q

System Monitor

A

Software that tracks the health of a computer’s subsystems using metrics reported by system hardware or sensors. This provides an alerting service for faults such as high temperature, chassis intrusion, and so on.

295
Q

System Scanning

A

Regular scanning (or penetration testing or ethical hacking) is vital to ensure the security of a computer system and network. There are many types of scanners, notably anti-virus and Intrusion Detection software.

296
Q

TACACS+ (Terminal Access Controller Access Control System)

A

An alternative to RADIUS developed by Cisco. The version in current use is TACACS+; TACACS and XTACACS are legacy protocols. TACACS+ uses TCP port 49, encrypts the whole packet body (RADIUS obscures only the password), and separates authentication, authorization, and accounting, which makes it well suited to per-command authorization on network devices.

297
Q

Tailgating

A

Social engineering technique to gain access to a building by following someone else (or persuading them to “hold the door”).

298
Q

Tap

A

A device used to eavesdrop on communications at the physical layer. An Ethernet tap can be inserted between a switch and a node while a passive tap can intercept emanations from unshielded cable.

299
Q

TCP/IP Hijacking

A

A type of spoofing attack where the attacker disconnects a host then replaces it with his or her own machine, spoofing the original host’s IP address.

300
Q

tcpdump

A

Command-line packet sniffer.

301
Q

Telnet

A

Telnet provides terminal emulation software that supports a remote connection to another computer. When you connect, your computer acts as if your keyboard is attached to the remote computer and you can use the same commands as a local user. Historically used for router configuration. Telnet (TCP port 23) sends credentials and session data in plaintext and should be replaced by SSH.

302
Q

TFTP (Trivial File Transfer Protocol)

A

A simplified form of FTP supporting only file copying (FTP can also enumerate directory contents, create directories, remove files and directories, and so on). TFTP works over UDP port 69.

303
Q

Time of Day Restrictions

A

Time of day restrictions applied to a user account mean that the account may only be accessed at prescribed times. This is useful in preventing abuse of the account.

304
Q

TKIP (Temporal Key Integrity Protocol)

A

Mechanism used in the first version of WPA to improve the security of wireless encryption mechanisms, compared to the flawed WEP standard.

305
Q

Token

A

A token contains some sort of authentication data. Software tokens are generated by logon systems such as Kerberos, so that users do not have to authenticate multiple times (Single Sign-on). A hardware token can be a device containing a chip with a digital certificate, but is more usually a device that generates a one-time password. This can be used in conjunction with an ordinary user name and password (or PIN) to provide more secure two-factor authentication.

306
Q

TPM (Trusted Platform Module)

A

A specification for hardware-based storage of digital certificates, keys, hashed passwords, and other user and platform identification information. Essentially it functions as an embedded smart card.

307
Q

Trojan Horse

A

A malicious software program hidden within an innocuous-seeming piece of software. Usually the Trojan is used to try to compromise the security of the target computer.

308
Q

Trusted Foundry

A

A microprocessor manufacturing utility that is part of a validated supply chain (one where hardware and software do not deviate from their documented function).

309
Q

TSIG (Transaction Signature)

A

Allows a client providing an update to a dynamic DNS server to be authenticated by a password (MD5 HMAC).

310
Q

TTP (Tactics, Techniques, and Procedures)

A

Analysis of historical cyber-attacks and adversary actions.

311
Q

Tunneling

A

A tunneling (or encapsulation) protocol wraps up data from one protocol for transfer over a different type of network. For example, PPP can carry TCP/IP data over a dial-up line, enabling a remote computer to communicate with the LAN.

312
Q

UAC (User Account Control)

A

Security system in Windows designed to restrict abuse of accounts with administrator privileges. Actions such as installing hardware and software can be performed without changing accounts but the user must authorize the use of administrative rights by clicking a prompt or re-entering user credentials.

313
Q

UAT (User Acceptance Testing)

A

Usually one of the last stages in software development before release (beta testing), UAT proves that a program is usable and fit-for-purpose in real-world conditions.

314
Q

UEFI (Unified Extensible Firmware Interface)

A

A type of system firmware providing support for 64-bit CPU operation at boot, full GUI and mouse operation at boot, and better boot security.

315
Q

Updates

A

Updates are made freely available by the software manufacturer to fix problems in a particular software version, including any security vulnerabilities. Updates can be classified as hotfixes (available only to selected customers and for a limited problem), patches (generally available), and service packs (installable collections of patches and software improvements).

316
Q

UPS (Uninterruptible Power Supplies)

A

Uninterruptible power supplies provide an alternative AC power supply in the event of power failure. A UPS requires an array of batteries, a charging circuit, an inverter to convert DC to AC current, a circuit to allow the system to take over from a failing power supply, and some degree of spike, surge, or brownout protection (possibly including a line conditioner).

317
Q

User Access and Rights Review

A

Part of privilege management is auditing the use users make of privileges that they have been allocated. This may reveal whether privileges are insufficient or too generous. One common problem is “rights creep”, where a user acquires more and more privileges over time. Another problem is that of disabling expired or unused accounts.

318
Q

User Management

A

In order to control access to resources and perform proper auditing, every user of a computer system must be uniquely identified and allocated appropriate privileges. Different access control models (discretionary, role-based, or mandatory) can be adopted to suit different networks. Many networks use groups or roles to simplify privilege management. Instead of allocating privileges directly to user accounts, they are allocated to group accounts or roles, and users are then placed in the appropriate security groups.

319
Q

UTM (Unified Threat Management)

A

All-in-one security appliances and technologies that combine the functions of a firewall, malware scanner, intrusion detection, vulnerability scanner, Data Loss Prevention, content filtering, and so on.

320
Q

Video Surveillance

A

Surveillance is an important element of physical security and an effective psychological deterrent. CCTV cameras come in various types designed to monitor different locations and require appropriate lighting and positioning (monitoring a doorway and monitoring an open space require different camera types for instance).

321
Q

Virtualization Technology

A

Software allowing a single computer (the host) to run multiple “guest” operating systems (or Virtual Machines [VM]). The VMs are configured via a hypervisor or VM Monitor (VMM). VMs can be connected using virtual networks (vSwitch) or leverage the host’s network interface(s). It is also possible for the VMs to share data with the host (via shared folders or the clipboard for instance). VT is now used as major infrastructure in data centers as well as for testing and training.

322
Q

Virus

A

A malicious software program that attempts to replicate by infecting the boot sector of disks or inserting itself in program code (for example, in application files or macro-enabled files).

323
Q

VLAN (Virtual LAN)

A

A virtual LAN is a separate network, created using switching technology. Even though hosts on two VLANs may be physically connected to the same cabling, traffic is restricted to each VLAN. This provides traffic management and protection against packet sniffing.

324
Q

VM (Virtual Machine)

A

Operating systems running in Protected Mode can utilize a separate VM for various 32-bit processes. This provides protection so that each program is protected from all other programs. Virtual Machine also (more commonly now) refers to multiple operating systems installed on a single host PC using virtualization software (a hypervisor), such as Microsoft Hyper-V or VMware.

325
Q

VoIP (Voice over IP)

A

Voice over IP or Internet telephony refers to carrying voice traffic over data networks. A network carrying both voice and data is said to be converged. Converged networks introduce a whole new class of devices whose security implications need to be considered. There is also a greater vulnerability to DoS (without redundancy the network is a single point of failure for both voice and data traffic) and eavesdropping on voice communications.

326
Q

VPN (Virtual Private Network)

A

A secure tunnel created between two endpoints connected via an insecure network (typically the Internet). VPNs are typically created using PPTP, L2TP, or IPsec.

327
Q

Vulnerability Scanner

A

Software configured with a list of known exploits that can scan for their presence in a host OS or a particular application.

328
Q

WAF (Web Application Firewall)

A

Specialized host firewall designed to prevent attacks against web applications, such as SQL injection or XSS.

329
Q

War Driving

A

Using a laptop with suitable software to detect unsecured or poorly secured Wireless LANs (WLAN).

330
Q

Weak Passwords

A

Weak passwords are a fruitful exploit for attackers, whether used to access web services, networks, or the administration interface of network devices such as switches and access points. A strong password does not use dictionary words or part of the username, is complex (combines upper and lower case and alphanumeric and non-alphanumeric characters), and is sufficiently long (8 characters or more).

331
Q

Web Security Gateway

A

An appliance or proxy server that mediates client connections with the Internet by filtering spam and malware and enforcing access restrictions on types of sites visited, time spent, and bandwidth consumed.

332
Q

Web Server

A

HTTP servers host websites. A basic website consists of static HTML pages but many sites are developed as frontend applications for databases. Web servers are popular targets for attack, particularly DoS, spoofing, and software exploits. Many companies use hosted web servers but if not, the server should be located in a DMZ. Web servers are also commonly used for intranet services, especially on Microsoft networks.

333
Q

WEP (Wired Equivalent Privacy)

A

Mechanism for encrypting (protecting) data sent over a wireless connection. WEP is considered flawed (that is, a determined and well-resourced attack could probably break the encryption). WEP uses a 64-bit RC4 cipher. An updated version using longer keys (128-bit) was released but is still considered insecure. Apart from problems with the cipher, the use and distribution of a pre-shared key (effectively a password) depends on good user practice. WEP has been replaced by WPA.

334
Q

Wireless Cell

A

Cell phone coverage is achieved through a network of transmitters (or base stations) arranged in a cell-like structure. Mobile devices are a security risk as they can be used to transfer data and (potentially) to spread malware. This risk will only grow as data rates for mobiles increase (3G). Signals can be blocked by metal shielding, but this is rarely practical.

335
Q

Wireshark

A

Widely used packet analyzer.

336
Q

Worm

A

Virus-like software that can reside in memory (it does not require a host file as a virus does, but can infect files like a virus).

337
Q

WPA (Wi-Fi Protected Access)

A

An improved encryption scheme for protecting Wi-Fi communications, designed to replace WEP. The original version of WPA was subsequently updated (to WPA-2) following the completion of the 802.11i security standard. WPA features an improved method of key distribution and authentication for enterprise networks, though the pre-shared key method is still available for home and small office networks. WPA-2 uses the improved AES cipher, replacing TKIP and RC4.

338
Q

Xmas Attack

A

A type of fingerprinting where the scanner probes a server or router with packets that have unusual flags set in the header (FIN, PUSH, and URG, for instance). The way a server responds to such packets can reveal information about it (OS type and version, for instance).

339
Q

XSRF (Cross-site Request Forgery)

A

A malicious script hosted on the attacker’s site that can exploit a session started on another site in the same browser.

340
Q

XSS (Cross-site Scripting)

A

A malicious script hosted on the attacker’s site or coded in a link injected onto a trusted site designed to compromise clients browsing the trusted site, circumventing the browser’s security model of trusted zones.

341
Q

Zero Day Exploit

A

An attack that exploits a vulnerability in software that is unknown to the software vendor and users. Most vulnerabilities are discovered by security researchers, and the vendor will have time to create a patch and distribute it to users before exploits can be developed, so zero day exploits have the potential to be very destructive.