337 115 5MB
English Pages [114]
Appendix A—Command Line Basics When taking the CompTIA Security+ exam, CompTIA expects you to know commandline basics. Many people working in IT jobs know the command line because they work with
this appendix is for you.
Ah
Windows Command Line
ea d
it regularly. However, it can be challenging for others. If you’re new to the command line,
Before you can use the command line in Windows, you first need to launch the
Windows Command Prompt window. The simplest way to do so is to click the Start button,
G et
type in Command, and select Command Prompt. The Start button is at the lower left of your screen.
In some situations, you need to start the Command Prompt window with elevated permissions as an administrator. To do this, click the Start button, type in Command, right-
d
click on Command Prompt, and select Run as administrator.
ie
If you’re using a different version of Windows, you can find directions online. Use your
tif
favorite search engine and enter “command prompt” to find it.
er
Linux Terminal
C
The terminal is where you run commands in a Linux system. There are different ways to access the terminal, depending on the distribution you’re using. If you’re
et
running Kali Linux (recommended while using this book), you can start it by simply clicking the terminal icon on the Kali menu.
G
Many test takers find learning Linux commands challenging because they don’t
have a Linux system. If you can’t enter them and see what they do, you might have trouble with even the easiest questions. However, it’s easy to create a bootable USB (or buy one) and use any PC as a Linux box. The online labs include a lab you can use to create a bootable USB. Figure Appx A.1 shows an instance of Kali with the menu on the left. If you hover over the second icon, you’ll see “Terminal” appear. Click it, and it starts the terminal.
ea d Ah
Figure Appx A.1: Launching the terminal in Kali Linux
G et
For simplicity, instead of stating “Linux or Unix” throughout this book, I’m just stating it as Linux. Note that Linux is a popular version of Unix, and most commands that run in a Unix terminal will also run in a Linux terminal.
ie
d
Understanding Switches and Getting Help Almost every command you’ll run across has options available that you can invoke
tif
with a switch. A Windows command-line switch uses a forward slash (/) or a dash (-)
er
after the command and includes an option that modifies the command to perform a different function.
C
Linux commands use switches too, but they typically only use a dash. If you use a forward slash, you will typically get unexpected results or an error.
et
The most used switch in Windows systems is the help switch identified with a question mark. For example, you can use the help switch to get help using these
G
commands: •
ping /? or ping -?
•
ipconfig /? or ipconfig -?
•
netstat /? or netstat -?
Although Linux terminal commands also use switches, they don’t use the question mark for help. The common way to get help on a command is to query the online system Copyright 2021 YCDA, LLC.
reference manual using the man command. For example, the following commands retrieve help on the relevant commands: • man ping • man ifconfig • man netstat Some commands have extensive feedback available when you use incorrect syntax.
ea d
As an example, ping doesn’t recognize the -? switch on Linux systems. Instead of just
giving you a message of “incorrect syntax,” it provides details on usage. This looks like
Ah
help, but it is different than the information in the man page.
Understanding Case
G et
Most Windows commands are not case sensitive. In other words, you can type in
commands using uppercase characters, lowercase characters, or any combination. For example, each of the following commands ping the localhost IPv6 address (::1) and provide
ping -6 localhost
•
PiNg -6 localHOST
•
PING -6 LocalHost
ie
•
d
the same output:
tif
However, this is not true in the Linux terminal. Instead, commands are typically
er
lowercase, and if you use uppercase letters, you’ll find that the command is not recognized. Of the three commands shown for the Windows command line, only ping -6
C
localhost works within the Linux terminal. As you go through these commands, note that many of them support both IPv4
et
addresses and IPv6 addresses. By querying help, you can see how to do each.
G
Understanding Linux Permissions Linux permissions may look odd the first time you see them, but they represent three
simple concepts—read, write, and execute: • Read (R) indicates someone can open the file and view its contents.
Copyright 2021 YCDA, LLC.
• Write (W) indicates a user can modify the contents. You’ll see read combined with write most, if not all of the time. • Executes (X) indicates a user can launch the file. It is assigned to files that can be executed. Additionally, permissions apply to three identities: • The first set of permissions applies to the owner of the file.
ea d
• The second set of permissions applies to the owner’s primary group (by default). Any user can be a member of multiple groups, but a user will have only one • The third set of permissions applies to everyone else.
Ah
primary group. The default owner group can be changed if desired.
You can see a list of files in a folder along with their permissions by using the ls -l command at the terminal. The following shows an abbreviated output from the ls -l
G et
command:
-rwx rw- r-- user usergroup size/date/time myfile.txt
drwx r-- --- user usergroup size/date/time mydirectory
The first line shows the permissions assigned to a file named myfile.txt, and the second
d
line shows the permissions assigned to a directory named mydirectory. Note that the first
ie
character is a dash (-) or a d and indicates the entry refers to a file using a dash (-) or a
tif
directory, using a d. The three group permissions for the file are: • rwx indicating read, write, and execute permissions for the owner
er
• rw- indicating read and write permissions for the owner group • r-- indicating read permission only for everyone else
C
Note that when a permission isn’t assigned, you’ll see a dash instead.
et
Converting Linux Permissions to Numbers
G
You’ll often see permissions represented as octal numbers (from 0 to 7). As an example,
consider the myfile.txt mentioned earlier. Instead of representing the permissions as rwx rwr- -, it would be 7 6 4. It’s worthwhile to refresh your knowledge of octal numbers, which is a base-8 numbering system. Three binary bits represent each octal number, as shown in the following list: Copyright 2021 YCDA, LLC.
• Octal 0 = Binary 0 0 0 • Octal 1 = Binary 0 0 1 • Octal 2 = Binary 0 1 0 • Octal 3 = Binary 0 1 1 • Octal 4 = Binary 1 0 0
ea d
• Octal 5 = Binary 1 0 1 • Octal 6 = Binary 1 1 0 • Octal 7 = Binary 1 1 1
Additionally, each group of binary bits represents specific permissions:
Ah
• The first bit is used for read (r). • The second bit is used for write (w). • The third bit is used for execute (x).
G et
If the bit is a 1, it indicates that a permission is granted. If the bit is a 0, it indicates that a permission is not granted. The following list shows the commonly used octal numbers and their related permissions:
d
• Octal 0 = Binary 0 0 0 No permissions (- - - ) • Octal 4 = Binary 1 0 0 Read (r - -)
ie
• Octal 5 = Binary 1 0 1 Read and Execute (r - x)
tif
• Octal 6 = Binary 1 1 0 Read and Write (r w -)
er
• Octal 7 = Binary 1 1 1 Read, Write, and Execute (r w x) The following list shows octal numbers that are not normally used:
C
• Octal 1 = 0 0 1 Binary Execute (not used because Execute also needs read) • Octal 2 = 0 1 0 Binary Write (rarely used because Write would typically include
et
Read) • Octal 3 = Binary 0 1 1 Write and Execute (not used because Execute also needs
G
read)
This is an appendix for the CompTIA Security+ Get Certified Get Ahead: SY0-
601 Study Guide. It is provided as an extra resource for test takers in PDF format. However, distribution of PDF copies of the CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide are not authorized. Copyright 2021 YCDA, LLC.
Appendix B—Log Basics When taking the CompTIA Security+ exam, you’ll be expected to read and understand log entries. It’s often trivial for administrators who look at logs every day to identify relevant
challenging.
Ah
Understanding Log Basics
ea d
elements in a log entry. However, for people who don’t look at logs regularly, this can be
CompTIA frequently refers to logs throughout the exam objectives. They are
valuable tools when troubleshooting. Unfortunately, there isn’t a single way that logs are
G et
formatted making them sometimes hard to read, especially when randomly placed within a question. However, there are many common elements that you can usually identify in log entries.
Logs typically record what happened, when it happened, where it happened, and
d
who did it. This allows someone, such as an administrator or security professional, to
ie
analyze the logs to gain details of events.
Many times, security administrators are searching the logs looking for event
tif
anomalies. As a simple example, attackers sometimes try to log on to accounts by
er
guessing passwords. Security logs record these attempts as failed logons, which is an event anomaly. After investigating the failed logins, administrators can determine if the
C
failed logins were part of normal operation or a security incident. It’s tempting to set up logging to record every event and provide as much detail as
et
possible—most logs support a verbose mode that will log additional details. However, a limiting factor is the amount of disk space available. Additionally, when logging is
G
enabled, there is an implied responsibility to review the logs. The more you choose to log, the more you may have to review. The goal is to balance what is needed and the amount of available space for storage. The following sections cover some issues to consider when reviewing logs.
Reading Logs It isn’t feasible to describe every possible log from every known vendor, at least if I want to keep the page count of this book less than 2,000 pages. However, there are
When It Happened
ea d
common log attributes that you can look for to help you read them.
Every log entry has a timestamp to let you know when the event happened.
For example, you may see something like the following: 22:02:2021 20:10:05 10.10.80.5:49154 > 192.168.1.15:21 22:02:2021 20:24:17 10.10.80.5:49154 > 192.168.1.15:20
Ah
Timestamps include both the date and time, but not always in an easily readable form.
G et
22:02:2021 20.37.37 10.80.5:49:154 > 192.168.1.15:25
22:02:2021 20.46.41 10.10.80.5:49154 > 192.168.1.15:23
With a little deductive reasoning, you can see that each entry includes 22:02:2021 (February 2nd, 2021), and that is the date. The next set of data is the time (using a 24-
d
hour clock). It indicates the traffic occurred at 8:10 and 5 seconds (PM), 8:24 and 17
ie
seconds (PM), 8:37 and 37 seconds (PM), and 8:46 and 41 seconds (PM), respectively. In many logs, they spell out the month because an entry such as 05:12:2021 is
tif
ambiguous. Is it May 12th or December 5th? It just isn’t clear.
er
Using a 24-hour clock saves space in a log but is confusing to some people. Hours less than 12 are in the morning (AM) and hours after 12 are in the afternoon and
C
evening. An easy way to identify the time for any hours after 12 is by subtracting 12 from the hour. For example, with a time of 13:10:05, you’d subtract 12 from 13
et
(indicating 1 PM).
G
Where It Happened Many log entries include a source and a destination. This is simply where the traffic
originated and where it is going. There are several ways that a log entry may indicate the source and destination, such as: • A computer name (such as Server 1) • An IPv4 address (such as 192.168.80.14) • A socket, which includes an IPv4 address and a port (such as 192.168.80.14:443) • An IPv6 address
• A media access control (MAC) address such as 01:23:45:67:89:ab Sometimes, the log entry may list the computer name (such as Server1), but more often, it uses the IPv4 address or the socket. A socket is an established connection and includes an IP address and a port number. You’ll see the IP address and port separated by a colon, such as 192.168.80.14:443. When a socket is used, the IP address indicates the source or destination computer, and
ea d
the port tells the computer what service to send the traffic to when it arrives. A destination
port of 443 indicates the Hypertext Transfer Protocol Secure (HTTPS) service should receive and handle the traffic.
Ah
In some cases, you’ll find that one socket has a public IP address and another socket has a private IP address. If the log entry is recording traffic in an attack, the public IP address indicates the system sending the attack. The private IP address is the internal computer being
G et
attacked. Note that the public IP address may be a spoofed address or a compromised system controlled by an attack.
Some logs use MAC addresses to identify computers. If you can recognize MAC addresses, this should be easy to identify. MAC addresses are typically represented as six
ie
d
pairs of hexadecimal characters (such as 12:ab:34:cd:56:ef).
tif
What Happened
Some log entries require you to analyze them and identify what is the same and what is
er
different. The following entries provide insight into what happened, but you need to understand sockets:
C
22:11:20 20:10:05 10.10.80.5:49154 > 192.168.1.15:21 22:11:20 20:24:17 10.10.80.5:49154 > 192.168.1.15:20
et
22:11:20 20.37.37 10.80.5:49154 > 192.168.1.15:25 22:11:20 20.46.41 10.10.80.5:49154 > 192.168.1.15:23
G
It’s not always apparent, but in these entries, the “>” character indicates the direction of
the traffic. Traffic is going from 10.10.80.5 to 192.168.1.15. Notice that the source sockets are identical. They have the same IP address and the same port. In contrast, the ports in the destination socket are all different. This indicates that the attacker (10.10.80.5:49154) is
Copyright 2021 YCDA, LLC.
performing a port scan on the destination computer (192.168.1.15). If the port is open, the system responds. If the port is closed, it doesn’t respond.
Who Did It Some log entries include human-readable text. Take a look at the following partial log entries and see if you can identify what happened:
ea d
2/24/2021/02:01:05 Homer 192.168.1.10 action:login/success 2/24/2021/02:02:30 Homer 192.168.1.10 action:login/fail 2/24/2021/02:03:31 Homer 192.168.1.10 action:login/fail
Ah
2/24/2021/02:04:32 Homer 192.168.1.10 action:login/fail
The first entry indicates Homer logged in successfully. Afterward, it shows three login failures. This could suggest many things. However, notice that all four entries are within a
G et
minute of each other. Homer could have logged off accidentally and then forgot the credentials he just used a moment ago. It could also indicate a malicious actor who previously captured Homer’s credentials, logged on, changed Homer’s password, and then
d
verified that the old credentials aren’t working.
ie
Applying Critical Thinking Skills
tif
You’ll often find that a CompTIA Security+ question will lack details, such as entire log entries. Other times, you may see questions with an excessive amount of details that
C
critical thinking.
er
have nothing to do with the question. In these circumstances, you’ll need to apply some
In short, critical thinking is the process of analyzing the facts you have to make a
et
judgment. Admittedly, critical thinking is a complex topic. While the single sentence description explains what you need for the CompTIA Security+ exam, there are several
G
definitions. Here are a few: • “Disciplined thinking that is clear, rational, open-minded, and informed by evidence.” (dictionary.com)
• “Critical thinking is the ability to think in an organized and rational manner in order to understand connections between ideas and/or facts.” (zety.com) • “Critical thinking is the intellectually disciplined process of actively and skillfully conceptualizing, applying, analyzing, synthesizing, and/or evaluating information gathered from, or generated by, observation, experience, reflection,
reasoning, or communication, as a guide to belief and action.” (criticalthinking.org) Some of you may be wondering, “What does this have to do with logs and the CompTIA Security+ exam?” When you see a question with sample log output, you’ll often be required to apply
additional concepts. Consider these questions: • Does the log entry show IP addresses? •
ea d
your knowledge to understand the question, even if the question doesn’t directly mention
If so, are some private and some public? See RFC 1918 if you don’t know
Ah
how to tell the difference. •
Are any IP addresses the same?
•
Do you see any sockets? Are any of the sockets the same? Are any of the
G et
sockets different? This can help you determine the direction of the traffic. • Does the entry show any MAC addresses? Can you identify a MAC address if you see one?
• Are there any timestamps? Do you recognize them?
d
• Are there English words, such as account name or action results? You’ll rarely
ie
see full sentences in a log entry, but instead, you need to determine what the log
tif
entry is communicating with just a few words. This appendix addresses each of these questions, but it doesn’t cover every
er
possibility. Instead, my intention is to give you some basics you can apply when you see
C
questions that include log entries.
This is an appendix for the CompTIA Security+ Get Certified Get Ahead: SY0-
et
601 Study Guide. It is provided as an extra resource for test takers in PDF format.
G
However, distribution of PDF copies of the CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide are not authorized.
Copyright 2021 YCDA, LLC.
Appendix C—Well-Known Ports CompTIA has deemphasized ports in recent exams. However, they may still include them in tests. Additionally, some test-takers don’t fully understand how ports are used. This appendix may
d
fill in some holes for you and will give you a reminder of the ports in case you need it.
ea
Port Basics
Ports are logical numbers used by TCP/IP to identify what service or application should handle data received by a system. Both TCP and UDP use ports with a total of 65,536 TCP ports (0 to 65,535) and
Ah
65,536 UDP ports (0 to 65,535). Administrators open ports on firewalls and routers to allow the
associated protocol into or out of a network. For example, Hypertext Transfer Protocol (HTTP) uses port 80, and an administrator allows HTTP traffic by opening port 80.
et
Additionally, administrators disable unnecessary ports and services as part of a basic security practice. These ports and services are associated with specific protocols and if they are disabled, it blocks
G
any attacks on these ports, services, and protocols.
The Internet Assigned Numbers Authority (IANA) maintains a list of official port assignments that you can view at https://www.iana.org/assignments/service-names-port-numbers/service-names-port-
ed
numbers.xhtml.
IANA divided the ports into three ranges, as follows:
Well-known ports: 0–1023. IANA assigns port numbers to commonly used protocols in the
•
tif i
well-known ports range.
Registered ports: 1024–49,151. IANA registers these ports for companies as a convenience to
•
er
the IT community. A single company may register a port for proprietary use, or multiple companies may use the same port for a specific standard. As an example, Microsoft SQL Server
C
uses port 1433 for database servers, Layer 2 Tunneling Protocol (L2TP) uses port 1701, and Point-to-Point Tunneling Protocol (PPTP) uses port 1723. Dynamic and private ports: 49,152–65,535. These ports are available for use by any
•
et
application. Applications commonly use these ports to map an application to a port temporarily.
G
These temporary port mappings are often called ephemeral ports, indicating that they are shortlived.
Although virtually all the ports are subject to attack, most port attacks are against the well-known
ports. Port scanners often simply check to see if a well-known port is open. For example, SMTP uses the
well-known port 25, so if port 25 is open, the system is likely running SMTP.
Network administrators who regularly work with routers and firewalls can easily tell you which protocol is associated with which well-known port, such as 20, 21, 22, 23, 25, 80, 443, and so on. The reason is that they use these ports to allow or block traffic. For example, an administrator can close port 25 to block all SMTP traffic into a network. The router
d
then ignores traffic on port 25 instead of forwarding it. Similarly, an administrator can close port 1433 to block database traffic to a Microsoft SQL server. On the other hand, the administrator can open port 25 or
ea
port 1433 to allow SMTP traffic or traffic to a Microsoft SQL server, respectfully.
Although ports are second nature to router and firewall administrators, they might not be so familiar you’re ready for the exam.
Combining the IP Address and the Port
Ah
to you. If you don’t work with the ports often, you’ll need to spend some extra time studying to ensure
et
At any moment, a computer could be receiving dozens of packets, and each of these packets includes a destination IP address and a destination port. TCP/IP uses the IP address to get the packet to the
G
computer. The computer then uses the port number to get the packet to the correct service, protocol, or application that can process it.
For example, if the packet has a destination port of 443, the well-known port for Hypertext Transfer
ed
Protocol Secure (HTTPS), the system passes the packet to the process handling HTTPS. It wouldn’t do much good to pass an SMTP email packet to the HTTPS service or send an HTTPS request packet to the
tif i
SMTP service.
IP Address Used to Locate Hosts
er
Imagine that the IP address of GetCertifiedGetAhead.com is 35.221.53.172, and the address assigned to your computer in an internal network is 192.168.10.11. TCP/IP uses these IP addresses to get the
C
packets from your computer to the web server and the web server’s answer back to your computer. There’s a lot more that occurs under the hood with TCP/IP (such as DNS, NAT, and ARP), but the
main point is that the server’s IP address is used to get the requesting packet from your computer to the
et
server. The server gets the response packets back to your computer using your IP address (or the IP
G
address of your NAT server).
Server Ports Different protocols are enabled and running on a server. These protocols have well-known or registered port numbers, such as port 22 for SSH, 25 for SMTP, 80 for HTTP, 443 for HTTPS, and so on.
Copyright 2021 YCDA, LLC.
When the system receives traffic with a destination of port 443, the system knows to send it to the service handling HTTPS. Any web browser knows that the well-known port for HTTPS is 443. Even though you don’t see port 443 in the URL, it is implied as HTTPS://GetCertifiedGetAhead.com:443. If you omit the port number,
d
HTTPS uses the well-known port number 443 by default. Popular web servers on the Internet include Apache and Internet Information Services (IIS). Apache
ea
is free and runs on Unix or Linux systems. Apache can also run on other platforms, such as Microsoft
systems. IIS is included in Microsoft Server products. These web servers use port 443 for HTTPS. When
Ah
the server receives a packet with a destination port of 443, the server sends the packet to the web server application (Apache or IIS) that processes it and sends back a response.
Client Ports
et
TCP/IP works with the client operating system to maintain a table of client-side ports using available ports in the dynamic and private ports range. This table associates port numbers with different
G
applications that are expecting return traffic. Client-side ports start at port 49,152 and increment up to 65,535. If the system uses all the ports between 49,152 and 65,535 before being rebooted, it’ll start over at 49,152.
ed
When you use your web browser to request a page from a site, your system will record an unused client port number such as 49,152 in an internal table to handle the return traffic. When the web server
tif i
returns the webpage, it includes the client port as a destination port. When the client receives webpage packets with a destination port of 49,152, it sends these packets to the web browser application. The
er
browser processes the packets and displays the page.
Putting It All Together
C
The previous section described the different pieces, but it’s useful to put this together into a single
description. Imagine that you decide to visit the website https://GetCertifiedGetAhead.com using your web browser, so you type the URL into the browser, and the webpage appears. Here are the details of
et
what is happening. Figure C.1 provides an overview of how this will look, and the following text explains
G
the process.
Copyright 2021 YCDA, LLC.
d ea Ah et G ed
tif i
Figure C.1: Using source and destination ports
Your computer creates a packet with source and destination IP addresses and source and destination ports. It queries a DNS server for the IP address of GetCertifiedGetAhead.com and learns that the IP
er
address is 35.221.53.172. Additionally, your computer will use its IP address as the source IP address. For this example, imagine your computer’s IP address is 192.168.10.11.
C
Because the web server is serving webpages using HTTPS and the well-known port is used, the
destination port is 443. Your computer will identify an unused port in the dynamic and private ports range (a port number between 49,152 and 65,535) and map that port to the web browser. For this example,
et
imagine it assigns 49,152 to the web browser. It uses this as the source port. At this point, the outgoing packet has both destination and source data as follows: Destination IP address: 35.221.53.172 (the web server)
•
Destination port: 443
•
Source IP address: 192.168.10.11 (your computer)
•
Source port: 49,152
G
•
Copyright 2021 YCDA, LLC.
TCP/IP uses the IP address (35.221.53.172) to get the packet to the GetCertifiedGetAhead web server. When it reaches the web server, the server looks at the destination port (443) and determines that the packet needs to go to the web server program servicing HTTPS. The web server creates the page and puts the data into one or more return packets. At this point, the source and destinations are swapped
•
Destination port: 49,152
•
Source IP address: 35.221.53.172 (the web server)
•
Source port: 443
ea
Destination IP address: 192.168.10.11 (your computer)
Ah
•
d
because the packet is coming from the server back to you:
Again, TCP/IP uses the IP address to get the packets to the destination. Once the packets reach your system, it sends them to the destination port (port 49,152). Because your system mapped this port to your web browser, it sends the packets to the web browser, displaying the webpage.
et
The Importance of Ports in Security
G
Routers, and the routing component of firewalls, filter packets based on IP addresses, ports, and some protocols such as ICMP or IPsec. Because many protocols use well-known ports, you can control
ed
protocol traffic by allowing or blocking traffic based on the port. In the previous example, the client firewall must allow outgoing traffic on port 443. Firewalls automatically determine the client ports used for return traffic, and if they allow the outgoing traffic, they
tif i
allow the return traffic. In other words, because the firewall allows the packet to go to the web server on the destination port of 443, it also allows the webpage to return on the dynamic source port of 49,152.
er
Note that the client firewall doesn’t need to allow incoming traffic on port 443 for this to work. The web client isn’t hosting a web server with HTTPS, so the client firewall would block incoming traffic on port 443. However, the firewall that is allowing traffic to the web server needs to allow incoming traffic
C
on port 443.
You can apply this same principle to any protocol and port. For example, if you want to allow SMTP
et
traffic, you create a rule on the firewall to allow traffic on port 25 or port 587 for SMTP encrypted with TLS. IT professionals modifying access control lists (ACLs) on routers and firewalls commonly refer to
G
this as opening a port to allow traffic or closing a port to block traffic.
Comparing Ports and Protocol Numbers Ports and protocol numbers are not the same things, though they are often confused. Well-known ports identify many services or protocols, as discussed previously. Copyright 2021 YCDA, LLC.
However, many protocols are not identified by the port but instead by the protocol numbers. For example, within Internet Protocol security (IPsec), protocol number 50 indicates the packet is an Encapsulating Security Payload (ESP) packet, and protocol number 51 indicates it’s an Authentication Header (AH) packet. Similarly, ICMP uses the protocol number of 1, TCP is 6, and UDP is 17.
d
You can use a protocol number to block or allow traffic on routers and firewalls just as you can block or allow traffic based on the port. Note that it is not accurate to say that you can allow IPsec ESP
ea
traffic by opening port 50. IANA lists port 50 as a Remote Mail Checking Protocol. However, you can allow IPsec traffic by allowing traffic using protocol number 50.
Ah
Port Tables
The following tables show many of the well-known ports that you may need to know when taking
er
tif i
ed
G
et
the CompTIA Security+ exam.
G
et
C
Table C.1: Ports and protocols
Copyright 2021 YCDA, LLC.
d ea Ah
et
C
er
tif i
ed
G
et
Table C.2: Ports and protocols
G
This is an appendix for the CompTIA Security+ Get Certified Get Ahead: SY0-601 Study
Guide. It is provided as an extra resource for test-takers in PDF format. However, PDF copies of
the CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide are not authorized.
Copyright 2021 YCDA, LLC.
Appendix D—The OSI Model The CompTIA Security+ objectives refer to the Open Systems Interconnection (OSI) model in a couple of places: Given a scenario, analyze potential indicators associated with network attacks. • Layer 2 attacks - Address Resolution Protocol (ARP) poisoning - Media access control (MAC) flooding - MAC cloning
3.6
Given a scenario, apply cybersecurity solutions to the cloud. • Solutions - Firewall considerations in a cloud environment - Open Systems Interconnection (OSI) layers
Ah
ea
d
1.4
et
The OSI reference model conceptually divides different networking requirements into seven separate layers. For most people studying for the CompTIA Security+ exam, the OSI
G
model isn’t new. However, because it’s primarily theoretical and rarely used in day-to-day maintenance, some of the knowledge often slips away.
d
The good news is that you don’t need to know it as in-depth as you would for other
ie
certification exams such as the CompTIA Network+ exam. If you recently studied for
tif
Network+, you probably mastered these concepts, and this will just be a quick review.
er
Understanding the Layers
C
The OSI model has seven layers. The layers from Layer 1 to Layer 7 are Physical, Data Link, Network, Transport, Session, Presentation, and Application. Many people use mnemonics to memorize the layers. For example, “Please Do Not Throw Sausage Pizza
et
Away.” The first letter in each of the words represents the first letter of the layer. The P in
G
Please is for Physical, the D in Do is for the Data Link layer, and so on. Another common mnemonic is “All People Seem To Need Data Processing” (for
Application, Presentation, Session, Transport, Network, Data Link, and Physical). Notice that this method lists the layers from Layer 7 to Layer 1.
G et
Table D.1: OSI layers and common mnemonics
Ah
ea d
Table D.1 summarizes the layers with the mnemonics.
After mastering the mnemonic, you also need to remember which layer is Layer 1, and which layer is Layer 7. This memory technique may help. You may have heard about a “Layer 8 error.” This is another way of saying “user error” and users interact with
d
applications. In other words, a user on the mythical Layer 8 interacts with applications, which
ie
are on Layer 7. I don’t mean to belittle users or user errors—I make my fair share of errors. However, this memory trick has helped me, and many other people, remember that the
tif
Application layer is Layer 7.
er
The following sections provide a short synopsis of these layers.
C
Layer 1: Physical
The Physical layer is associated with the physical hardware. It includes specifications
et
for cable types, such as 1000BaseT, connectors, and hubs. Computing devices such as computers, servers, routers, and switches transmit data onto the transmission medium in a
G
bitstream. This bitstream is formatted according to specifications at higher-level OSI layers.
Layer 2: Data Link The Data Link layer is responsible for ensuring that data is transmitted to specific devices on the network. It formats the data into frames and adds a header that includes media
Copyright 2021 YCDA, LLC.
access control (MAC) addresses for the source and destination devices. It adds frame check sequence data to the frame to detect errors, but it doesn’t support error correction. The Data Link layer simply discards frames with detected errors. Flow control functions are also available on this layer. Traditional switches (Layer 2 switches) operate on this layer. Computer network interface cards have a MAC assigned, and switches map the computer MAC addresses to
IPv4 addresses to MAC addresses. VLANs are defined on this layer.
ea d
physical ports on the switch. Systems use the Address Resolution Protocol (ARP) to resolve
The CompTIA Security+ objectives list Layer 2 attacks as Address Resolution Protocol “Protecting Against Advanced Attacks,” covers these attacks.
G et
Layer 3: Network
Ah
(ARP) poisoning, media access control (MAC) flooding, and MAC cloning. Chapter 7,
The Network layer uses logical addressing in the form of IP addresses at this layer. This includes both IPv4 addresses and IPv6 addresses. Packets identify where the traffic originated (the source IP address) and where it is going (the destination IP address). Other
d
protocols that operate on this layer are IPsec and ICMP. Routers and Layer 3 switches
tif
Layer 4: Transport
ie
operate on this layer.
er
The Transport layer is responsible for transporting data between systems, commonly referred to as end-to-end connections. Transmission Control Protocol (TCP) and User
C
Datagram Protocol (UDP) operate on this layer. TCP provides reliability with error control,
et
flow control, and segmentation of data.
G
Layer 5: Session
The Session layer is responsible for establishing, maintaining, and terminating sessions
between systems. In this context, a session refers to an extended connection between two systems, sometimes referred to as dialogues or conversations. As an example, if you log on to a webpage, the Session layer establishes a connection with the web server and keeps it open
Copyright 2021 YCDA, LLC.
while you’re interacting with the webpages. When you close the pages, the Session layer terminates the session. If you’re like many users, you probably have more than one application open at a time. For example, in addition to having a web browser open, you might have an email application open. Each of these is a different session, and the Session layer manages them separately.
ea d
Layer 6: Presentation
The Presentation layer is responsible for formatting the data needed by the end-user
applications. For example, American Standard Code for Information Interchange (ASCII)
define codes used to display characters on this layer.
G et
Layer 7: Application
Ah
and Extended Binary Coded Decimal Interchange Code (EBCDIC) are two standards that
The Application layer is responsible for displaying information to the end user in a readable format. Application layer protocols typically use this layer to determine if sufficient network resources are available for an application to operate on the network.
d
Note that this layer doesn’t refer to end-user applications directly. However, many end-
ie
user applications use protocols defined at this layer. For example, a web browser interacts
tif
with DNS services to identify the IP address of a website name. Similarly, Hypertext
on this layer.
er
Transfer Protocol (HTTP) and HTTP Secure (HTTPS) transmit webpages over the Internet
Some of the protocols that operate on this layer are:
C
• HTTP and HTTPS
• Secure Shell (SSH)
et
• Domain Name System (DNS)
G
• Post Office Protocol 3 (POP3) • Simple Mail Transfer Protocol (SMTP) • File Transfer Protocol (FTP) and FTP Secure (FTPS) • Secure FTP (SFTP) and Trivial FTP (TFTP) • Internet Message Access Protocol 4 (IMAP4)
Copyright 2021 YCDA, LLC.
• Simple Network Management Protocol (SNMP) • Lightweight Directory Access Protocol (LDAP) and LDAP Secure (LDAPS) Many advanced devices are application-aware and operate on all of the layers up to the Application layer. This includes proxy servers, web application firewalls, next-generation firewalls (NGFWs), unified threat management (UTM) security appliances, and web security
d
G et
Ah
Table D.2 summarizes the layers with relevant devices and protocols
ea d
gateways.
G
et
C
er
tif
ie
Table D.2: OSI layers, devices, protocols
Copyright 2021 YCDA, LLC.
Appendix E—Glossary This glossary from the CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide
d
includes the key terms included in the SY0-601 objectives, along with some other relevant terms. CompTIA sometimes spell out acronyms in the objectives, and they sometimes use acronyms in test
ea
questions. This glossary often includes both spellings. As an example, you’ll see two entries for Advanced Encryption Standard (AES):
Ah
Advanced Encryption Standard (AES)—A symmetric algorithm used to encrypt data and provide confidentiality. AES is a block cipher, and it encrypts data in 128-bit blocks. It is quick, highly
secure, and used in a wide assortment of cryptography schemes. It includes key sizes of 128 bits, 192 bits, or 256 bits.
et
AES—Advanced Encryption Standard. A symmetric algorithm used to encrypt data and provide confidentiality. AES is a block cipher, and it encrypts data in 128-bit blocks. It is quick, highly
G
secure, and used in a wide assortment of cryptography schemes. It includes key sizes of 128 bits, 192 bits, or 256 bits.
This should make it easy for people to find either AES or Advanced Encryption Standard when
tif i
Numbers
ed
searching.
3DES—Triple Digital Encryption Standard. A symmetric algorithm used to encrypt data and provide
er
confidentiality. It is a block cipher that encrypts data in 64-bit blocks. It was originally designed as a replacement for DES, and is still used in some applications, such as when hardware doesn’t support AES.
C
802.1X— A port-based authentication protocol, also known as IEEE 802.1X. An authentication protocol used in VPNs and wired and wireless networks. VPNs often implement it as a RADIUS
et
server. Wired networks use it for port-based authentication. Wireless networks use it in Enterprise mode, and it often uses one of the EAP authentication protocols. Compare with EAP, PEAP, EAP-
G
TLS, and EAP-TTLS.
A
AAA—Authentication, Authorization, and Accounting. AAA protocols are used in remote access systems. For example, TACACS+ is an AAA protocol that uses multiple challenges and responses
during a session. Authentication verifies a user’s identification. Authorization determines if a user should have access. Accounting tracks a user’s access with logs. ABAC—Attribute-based access control. An access control scheme. ABAC grants access to resources based on attributes assigned to subjects and objects. Compare with DAC, MAC, role-based
d
access control, and rule-based access control. acceptable use policy (AUP)—A policy defining proper system usage and the rules of behavior for
ea
employees. It will often describe the purpose of computer systems and networks, how users can access
them, and the
Ah
access control vestibules—A physical security mechanism designed to control access to a secure
area. An access control vestibule prevents tailgating. It is a room, or even a building, with two doors that creates a large buffer area between the secure and unsecured areas. This was previously known as a mantrap.
et
access point (AP)—A device that connects wireless clients to wireless networks. Sometimes called a wireless access point (WAP).
G
account audit—An audit that analyzes user accounts and assigned privileges. It identifies the privileges (rights and permissions) granted to users, and compares them against what the users need.
ed
accounting—The process of tracking the activity of users and recording this activity in logs. One method of accounting is audit logs that create an audit trail. ACE—Access Control Entry. Identifies a user or group that is granted permission to a resource.
tif i
ACEs are contained within a DACL in NTFS.
ACK—Acknowledge. A packet in a TCP handshake. In a SYN flood attack, attackers send the SYN
er
packet but don’t complete the handshake after receiving the SYN/ACK packet. ACL—Access control list. Lists of rules used by routers and stateless firewalls. These devices use
C
the ACL to control traffic based on networks, subnets, IP addresses, ports, and some protocols. active reconnaissance—A penetration testing method used to collect information. It uses tools to send data to systems and analyzes responses, and gain knowledge on the target. Compare with
et
passive reconnaissance.
address resolution protocol (ARP) poisoning—An attack that misleads systems about the actual
G
MAC address of a system. ARP poisoning attacks can redirect traffic through an attacker’s system by sending false MAC address updates.
ad hoc—A connection mode used by wireless devices without an AP. When wireless devices
connect through an AP, they are using infrastructure mode. Compare with WiFi Direct.
Security+ Practice Test Questions
https://gcgapremiumpass.com/sy0-601-practice-test-questions/
Advanced Encryption Standard (AES)—A symmetric algorithm used to encrypt data and provide confidentiality. AES is a block cipher, and it encrypts data in 128-bit blocks. It is quick, highly secure, and used in a wide assortment of cryptography schemes. It includes key sizes of 128 bits, 192 bits, or 256 bits.
d
advanced persistent threat (APT)—A group that has both the capability and intent to launch sophisticated and targeted attacks. A nation state (such as a foreign government) sponsored APTs.
ea
AES—Advanced Encryption Standard. A symmetric algorithm used to encrypt data and provide confidentiality. AES is a block cipher, and it encrypts data in 128-bit blocks. It is quick, highly
Ah
secure, and used in a wide assortment of cryptography schemes. It includes key sizes of 128 bits, 192 bits, or 256 bits.
AES-256—Advanced Encryption Standard 256 bit. AES sometimes includes the number of bits used in the encryption keys, and AES-256 uses 256-bit encryption keys.
et
affinity—A scheduling method used with load balancers. It uses the client’s IP address to ensure the client is redirected to the same server during a session.
G
agent—A NAC agent that is installed on a client. It checks the client for health and is sometimes called just an agent. Compare with agentless or dissolvable agent. agentless—A NAC agent that runs on a client, but deletes itself later. It checks the client for health
ed
and is the same as a dissolvable client. Compare with permanent agent. AH—Authentication Header. An option within IPsec to provide authentication and integrity. IPsec includes uses AH to provide authentication and integrity using HMAC. ESP provides confidentiality,
tif i
integrity, and authentication using HMAC and AES or 3DES. AH is identified with protocol ID number 51. Compare with IPSec and ESP.
er
air gap—A physical security control that provides physical isolation. Systems separated by an air gap (a gap of air) don’t typically have any physical connections to other systems. Sometimes spelled as
C
airgap.
ALE—Annualized (or annual) loss expectancy. The expected loss for a year. The ALE identifies the expected annual loss and is used to measure risk with ARO and SLE in a quantitative risk
et
assessment. The calculation is SLE × ARO = ALE. Compare with SLE and ARO. allow list—A list of applications that a system allows. Users are only able to install or run applications
G
on the list. Sometimes referred to as a whitelist. Compare with block list and deny list. annualized (or annual) loss expectancy (ALE)—The expected loss for a year. The ALE identifies
the expected annual loss and is used to measure risk with ARO and SLE in a quantitative risk assessment. The calculation is SLE × ARO = ALE. Compare with SLE and ARO.
Copyright 2021 YCDA, LLC v0.1
annualized (or annual) rate of occurrence (ARO)—The number of times a loss is expected to occur in a year. The ARO is used to measure risk with ALE and SLE in a quantitative risk assessment. The calculation is SLE × ARO = ALE. Compare with SLE and ALE. anomaly—A variance from a baseline. Some intrusion detection and intrusion prevention systems
d
detect attacks by comparing traffic against a baseline. It is also known as heuristic detection. anonymization—A process that removes PII from a data set. The goal is to remove any data from a
ea
data set to ensure that data can’t be traced back to an individual. Ideally, anonymization is
permanent, but if not done effectively, the process can be reversed. Compare with data masking,
Ah
pseudo-anonymization, and tokenization.
anti-malware—Software that protects systems from viruses and other malware. It protects against most malware, including viruses, Trojans, worms, and more. Compare with antivirus.
antivirus—Software that protects systems from malware. Although it is called antivirus software, it
et
protects against most malware, including viruses, Trojans, worms, and more. Compare with antimalware.
G
Anything as a Service (XaaS)—A cloud computing model. XaaS refers to any cloud computing model not identified in IaaS, PaaS, or SaaS models. Compare to IaaS, PaaS, and SaaS. wireless access point (WAP).
ed
AP—Access point. A device that connects wireless clients to wireless networks. Sometimes called a API—Application programming interface. A software module or component. An API gives developers access to features or data within another application, service, or operating system. APIs
tif i
or often used with web applications, Internet of Things (IoT) devices, and cloud-based services. API attacks—Application programming interface attacks. Attacks on an API. API attacks attempt to
er
discover and exploit vulnerabilities in APIs.
application programming interface (API)—A software module or component. An API gives
C
developers access to features or data within another application, service, or operating system. APIs or often used with web applications, Internet of Things (IoT) devices, and cloud-based services. application programming interface (API) attacks—Attacks on an API. API attacks attempt to
et
discover and exploit vulnerabilities in APIs.
APT—Advanced persistent threat. A group that has both the capability and intent to launch
G
sophisticated and targeted attacks. A nation state (such as a foreign government) sponsored APTs.
Argon2—A key stretching algorithm. Argon2 uses a password and salt that is passed through an
algorithm several times. This thwarts rainbow table attacks. Compare with Bcrypt and PBKDF2.
Security+ Practice Test Questions
https://gcgapremiumpass.com/sy0-601-practice-test-questions/
ARO—Annualized (or annual) rate of occurrence. The number of times a loss is expected to occur in a year. The ARO is used to measure risk with ALE and SLE in a quantitative risk assessment. The calculation is SLE × ARO = ALE. Compare with SLE and ALE. arp—A command-line tool used to show and manipulate the Address Resolution Protocol (ARP) cache.
d
Compare with ARP. ARP—Address Resolution Protocol. Resolves IPv4 addresses to MAC addresses. Compare with arp.
ea
Address Resolution Protocol (ARP)—Resolves IPv4 addresses to MAC addresses. Compare with arp.
ARP poisoning—An attack that misleads systems about the actual MAC address of a system. ARP
Ah
poisoning attacks can redirect traffic through an attacker’s system by sending false MAC address updates.
ASCII—American Standard Code for Information Interchange. Code used to display characters. asset value—An element of a risk assessment. It identifies the value of an asset and can include any
et
product, system, resource, or process. The value can be a specific monetary value or a subjective value.
G
asymmetric encryption—A type of encryption using two keys to encrypt and decrypt data. It uses a public key and a private key. Compare with symmetric encryption. attestation—A process that checks and validates system files during the boot process. TPMs
ed
sometimes use remote attestation, sending a report to a remote system for attestation. audit trail—A record of events recorded in one or more logs. When security professionals have access to all the logs, they can re-create the events that occurred leading up to a security incident.
tif i
AUP—Acceptable use policy. A policy defining proper system usage and the rules of behavior for employees. It will often describe the purpose of computer systems and networks, how users can access
er
them, and the responsibilities of users when accessing the systems. authentication—The process that occurs when a user proves an identity. Users often claim an
C
identity with a username and prove the identity is theirs with a password. authentication attributes—Attributes that are sometimes used with authentication factors. They include somewhere you are, something you can do, something you exhibit, and someone you know.
et
Compare with somewhere you are, something you can do, something you exhibit, and someone you
know.
G
authentication factors—The different methods used for authentication. The common authentication
factors are something you know, such as a password or personal identification number (PIN),
something you have, such as a smart card, a phone, or a USB token, and something you are, such as a fingerprint or other biometric identification. Compare with authentication attributes, something you know, something you have, and something you are. Copyright 2021 YCDA, LLC v0.1
authorization—The process of granting access to resources for users who prove their based on their proven identity. Users typically claim an identity with a username and prove their identity with a password. availability—One of the three main goals of information security known as the CIA security triad.
d
Availability ensures that systems and data are up and operational when needed. Compare with
ea
confidentiality and integrity.
B
Ah
backdoor—An alternate method of accessing a system. Malware often adds a backdoor into a system after it infects it.
background check—A check into a person’s history, typically to determine eligibility for a job. banner grabbing—A method used to gain information about a remote system. It identifies the
et
operating system and other details on the remote system.
BCP—Business continuity plan. A plan that helps an organization predict and plan for potential
G
outages of critical services or functions. It includes disaster recovery elements that provide the steps used to return critical functions to operation after an outage. A BIA is a part of a BCP, and the BIA
ed
drives decisions to create redundancies such as failover clusters or alternate sites. Compare with BIA and DRP.
bcrypt—A key stretching algorithm. It is used to protect passwords. Bcrypt salts passwords with
tif i
additional bits before encrypting them with Blowfish. This thwarts rainbow table attacks. Compare with Argon2 and PBKDF2.
er
BIA—Business impact analysis. A process that helps an organization identify critical systems and components that are essential to the organization’s success. It identifies various scenarios that can impact these systems and components, maximum downtime limits, and potential losses from an
C
incident. The BIA helps identify RTOs and RPOs. Compare with BCP, BIA, DRP, RTO, and RPO. BIND—Berkeley Internet Name Domain. BIND is DNS software that runs on Linux and Unix
et
servers. Most Internet-based DNS servers use BIND. BIOS—Basic Input/Output System. A computer’s firmware used to manipulate different settings
G
such as the date and time, boot drive, and access password. UEFI is the designated replacement for BIOS. Compare with UEFI. birthday attack—A password attack named after the birthday paradox in probability theory. The
paradox states that for any random group of 23 people, there is a 50 percent chance that 2 of them have the same birthday.
Security+ Practice Test Questions
https://gcgapremiumpass.com/sy0-601-practice-test-questions/
blockchain—A distributed, decentralized, public ledger. The word block refers to pieces of digital information (the ledger), and chain refers to a public database. Digital cryptocurrencies use blockchain technology. block cipher—An encryption method that encrypts data in fixed-sized blocks. Compare with stream
d
cipher. block list— A list of applications that a system blocks or denies. Users are unable to install or run any
ea
applications on the list. Also called deny list. Compare with allow list.
Blowfish—A strong symmetric block cipher. It encrypts data in 64-bit blocks and supports key sizes between 32 and 448 bits. Compare with Twofish. to nearby Bluetooth devices.
Ah
bluejacking—An attack against Bluetooth devices. It is the practice of sending unsolicited messages bluesnarfing—An attack against Bluetooth devices. Attackers gain unauthorized access to
et
Bluetooth devices and can access all the data on the device.
bluebugging—An attack against Bluetooth devices. Attackers gain full access to the phone and
G
installs a backdoor giving the attacker full access to the phone at any time. In addition to gaining full access to the phone, the attacker installs a backdoor.xml.
blue team—Personnel involved in cybersecurity readiness that are experts in defending systems.
ed
Compare with red team, purple team, white team and capture the flag. bollards—Short vertical posts that act as a barricade. Bollards block vehicles but not people. boot attestation—An entity verifies (or attests) that the boot files have not been modified. As an have changed.
tif i
example, a TPM supports a secure boot attestation process by first verifying none of the boot files
er
boot integrity—Processes that verify the integrity of the boot process for a system. Compare with measured boot, boot attestation, and hardware root of trust.
C
bots and botnets—Software robots that function automatically. A botnet is a group of computers that are joined together. Attackers often use malware to join computers to a botnet and then use the botnet to launch attacks.
et
braindump—A list of questions and answers for exams. They rarely have explanations and often
have incorrect answers. Braindump users are tricked into memorizing incorrect answers for
G
questions after memorizing them. They think they’re ready for the live exam, but they often fail the exam repeatedly without understanding why. Bridge Protocol Data Unit (BPDU) guard—A technology that detects false BPDU messages. False BPDU messages can indicate a switching loop problem and shut down switch ports. The BPDU guard detects false BPDU messages and blocks the BPDU attack. Copyright 2021 YCDA, LLC v0.1
bring your own device (BYOD)—A mobile device deployment model. A BYOD model allows employees to connect personally owned devices, such as tablets and smartphones, to a company network. Data security is often a concern with BYOD policies causing organizations to consider CYOD or COPE models. Compare with COPE and CYOD.
d
brute force—A password attack that attempts to guess a password. Online brute force attacks guess passwords of online systems. Offline attacks guess passwords contained in a file or database. than it expects. It exposes system memory that is normally inaccessible.
ea
buffer overflow—An error that occurs when an application receives more input, or different input,
Compare with shredding, pulping, pulverizing, and degaussing.
Ah
burning—A data sanitization process. Burning is typically performed within an incinerator.
business continuity plan (BCP)—A plan that helps an organization predict and plan for potential outages of critical services or functions. It includes disaster recovery elements that provide the steps
et
used to return critical functions to operation after an outage. A BIA is a part of a BCP, and the BIA drives decisions to create redundancies such as failover clusters or alternate sites. Compare with BIA
G
and DRP.
business impact analysis (BIA)—A process that helps an organization identify critical systems and components that are essential to the organization’s success. It identifies various scenarios that can
d
impact these systems and components, maximum downtime limits, and potential losses from an
ie
incident. The BIA helps identify RTOs and RPOs. Compare with BCP, BIA, DRP, RTO, and RPO. BYOD—Bring your own device. A mobile device deployment model. A BYOD model allows
er tif
employees to connect personally owned devices, such as tablets and smartphones, to a company network. Data security is often a concern with BYOD policies causing organizations to consider CYOD or COPE models. Compare with COPE and CYOD. Pass the First Time with Quality Practice Test Questions
C
https://gcgapremium.com/sy0-601-practice-test-questions/
et
C
G
CA—Certificate Authority. An organization that manages, issues, and signs certificates and is part
of a PKI. Certificates are an essential part of asymmetric encryption, and they include public keys and details on the owner of the certificate and the CA that issued the certificate. Certificate owners share their public key by sharing a copy of their certificate. Compare with PKI.
Security+ Practice Test Questions
https://gcgapremiumpass.com/sy0-601-practice-test-questions/
CAPTCHA—Completely Automated Public Turing Test to Tell Computers and Humans Apart. Technique used to prevent automated tools from interacting with a website. Users must type in text often from a slightly distorted image. captive portal—A technical solution that forces wireless clients using web browsers to complete a
d
process before accessing a network. It is often used to ensure users agree to an acceptable use policy or pay for access.
ea
capture the flag—A competition involving cybersecurity personnel. Capture the flag (CTF) events vary depending on who is hosting the event but typically involved red teams, blue teams, purple
Ah
teams, and white teams. Compare with red team, blue team, purple team, and white team.
carrier unlocking—The process of unlocking a mobile phone from a specific cellular provider. CASB—Cloud access security broker. A software tool or service that enforces cloud-based security requirements. It is placed between the organization’s resources and the cloud, monitors all network
et
traffic, and can enforce security policies.
CBC—Cipher Block Chaining. A mode of operation used by some symmetric encryption ciphers. It
G
uses an IV for the first block and each subsequent block is combined with the previous block. CCMP—Counter Mode with Cipher Block Chaining Message Authentication Code Protocol. An encryption protocol based on AES and used with WPA2 for wireless security.
d
CCTV—Closed-circuit television. A detective control that provides video surveillance. Video
ie
surveillance provides reliable proof of a person’s location and activity. It is also a physical security control, and it can increase the safety of an organization’s assets.
er tif
CER—Canonical Encoding Rules. A base format for PKI certificates. They are ASCII encoded files. Compare with DER.
CERT—Computer Emergency Response Team. A group of experts who respond to security incidents.
C
certificate—A digital file used for encryption, authentication, digital signatures, and more. Public certificates include a public key used for asymmetric encryption. Certificate Authority (CA)—An organization that manages, issues, and signs certificates and is
et
part of a PKI. Certificates are an essential part of asymmetric encryption, and they include public
keys and details on the owner of the certificate and the CA that issued the certificate. Certificate
G
owners share their public key by sharing a copy of their certificate. Compare with PKI. share their public key by sharing a copy of their certificate. certificate chaining—A process that combines all certificates within a trust model. It includes all
the certificates in the trust chain from the root CA down to the certificate issued to the end user. Compare with certificate authority and intermediate CA. Copyright 2021 YCDA, LLC v0.1
certification revocation list (CRL)—A list of certificates that a Certificate Authority (CA) has revoked. Certificates are commonly revoked if they are compromised or issued to an employee who has left the organization. The CA that issued the certificate publishes a CRL, and a CRL is public. certificate signing request (CSR)—A method of requesting a certificate from a CA. It starts by
d
creating an RSA-based private/public key pair and then including the public key in the CSR. Most CAs require CSRs to be formatted using the Public-Key Cryptography Standards (PKCS) #10
ea
specification.
chain of custody—A process that provides assurances that evidence has been controlled and
Ah
handled properly after collection. Forensic experts establish a chain of custody when they first collect evidence.
change management—The process used to prevent unauthorized changes. Unauthorized changes often result in unintended outages.
et
CHAP—Challenge Handshake Authentication Protocol. An authentication mechanism where a server challenges a client. Compare with MS-CHAPv2 and PAP.
G
checksum—A type of a hash that is quick but not necessarily cryptographically secure. It is often used to validate the integrity of data. RAID-5 disks use checksum bits to verify that data on disks aren’t corrupt.
d
Choose your own device (CYOD)—A mobile device deployment model. Employees can connect
ie
their personally owned device to the network as long as the device is on a preapproved list. Note that the device is purchased by and owned by employees. Compare with BYOD and COPE.
er tif
CIA—Confidentiality, integrity, and availability. These three form the security triad. Confidentiality helps prevent the unauthorized disclosure of data. Integrity provides assurances that data has not been modified, tampered with, or corrupted. Availability indicates that data and services are available when needed.
C
CIO—Chief Information Officer. A “C” level executive position in some organizations. A CIO focuses on using methods within the organization to answer relevant questions and solve problems. ciphertext—The result of encrypting plaintext. Ciphertext is not in an easily readable format until it is
et
decrypted. Compare with plaintext.
clean desk space—A security policy requiring employees to keep their areas organized and free of
G
papers. The goal is to reduce threats of security incidents by protecting sensitive data. closed-circuit television (CCTV)—A detective control that provides video surveillance. Video
surveillance provides reliable proof of a person’s location and activity. It is also a physical security control, and it can increase the safety of an organization’s assets.
Security+ Practice Test Questions
https://gcgapremiumpass.com/sy0-601-practice-test-questions/
cloud access security broker (CASB)—A software tool or service that enforces cloud-based security requirements. It is placed between the organization’s resources and the cloud, monitors all network traffic, and can enforce security policies. cloud deployment models—Cloud model types that identify who has access to cloud resources.
d
Public clouds are for any organization, and private clouds are for a single organization. Community clouds are shared among community organizations. A hybrid cloud is a combination of two or more
ea
clouds.
code reuse—Code reuse refers to reusing code instead of re-creating code that already exists. A
Ah
primary benefit is that existing code has already been tested, while new code may introduce new bugs.
code signing—The process of assigning a certificate to code. The certificate includes a digital signature and validates the code.
et
cold site—An alternate location for operations. A cold site will have power and connectivity needed for activation, but little else. Compare with hot site and warm site.
G
collision—A hash vulnerability that can be used to discover passwords. A hash collision occurs when two different passwords create the same hash. A collision attack attempts to find two different passwords that create the same hash.
ie
vulnerabilities and exposures.
d
Common Vulnerabilities and Exposures (CVE)—A dictionary of publicly known security compensating controls—Security controls that are alternative controls used when a primary
er tif
security control is not feasible. Compare with preventive, detective, corrective, deterrent, and physical security controls.
confidential data—Data meant to be kept secret among a certain group of people. As an example, salary data is meant to be kept secret and not shared with everyone within a company.
C
confidentiality—One of the core goals of information security sometimes referred to as the CIA security triad. Confidentiality ensures that unauthorized entities cannot access data. Encryption and access controls help protect against the loss of confidentiality. Compare with availability and
et
integrity.
containerization—A method used to isolate application and data in mobile devices. It isolates and
G
protects the application, including any data used by the application. It is useful when using the BYOD model because the container can be encrypted without encrypting the user’s data.
containers—A method used to isolate services or applications in virtual machines. Container
virtualization runs services or applications within isolated containers or application cells
Copyright 2021 YCDA, LLC v0.1
context-aware authentication—An authentication method using multiple elements to authenticate a user and a mobile device. It can include identity, geolocation, the device type, and more. Continuity of operations planning (COOP)—Continuity of operations planning sites provide an alternate location for operations after a critical outage. A hot site includes personnel, equipment,
d
software, and communication capabilities of the primary site with all the data up to date. A cold site will have power and connectivity needed for COOP activation, but little else. A warm site is a
ea
compromise between a hot site and a cold site. Compare with hot site, cold site, and warm site. control diversity—The use of different security control types, such as technical controls,
Ah
administrative controls, and physical controls. Compare with vendor diversity, technology diversity, and crypto diversity.
COOP—Continuity of operations planning. Continuity of operations planning sites provide an alternate location for operations after a critical outage. A hot site includes personnel, equipment,
et
software, and communication capabilities of the primary site with all the data up to date. A cold site will have power and connectivity needed for COOP activation, but little else. A warm site is a
G
compromise between a hot site and a cold site. Compare with hot site, cold site, and warm site. COPE—Corporate-owned, personally enabled. A mobile device deployment model. The organization purchases and issues devices to employees. Compare with BYOD and CYOD.
d
corporate-owned, personally enabled (COPE)—A mobile device deployment model. The
ie
organization purchases and issues devices to employees. Compare with BYOD and CYOD. corrective controls—Security controls that attempt to reverse the impact of a security incident.
er tif
Compare with preventive, detective, deterrent, compensating, and physical security controls. Compare with preventive, detective, corrective, deterrent, compensating, and physical security controls.
CRL—Certification revocation list. A list of certificates that a Certificate Authority (CA) has
C
revoked. Certificates are commonly revoked if they are compromised or issued to an employee who has left the organization. The CA that issued the certificate publishes a CRL, and a CRL is public. crossover error rate—The point where the false acceptance rate (FAR) crosses over with the false
et
rejection rate (FRR). A lower CER indicates a more accurate biometric system.
cross-site request forgery (XSRF)—A web application attack. Attackers use XSRF attacks to trick
G
users into performing actions on websites, such as making purchases, without their knowledge. In some cases, it allows an attacker to steal cookies and harvest passwords. cross-site scripting (XSS)— A web application vulnerability that allows attackers to inject scripts into
webpages. Attackers use XSS to capture user information such as cookies. Input validation
Security+ Practice Test Questions
https://gcgapremiumpass.com/sy0-601-practice-test-questions/
techniques on the server-side help prevent XSS attacks by blocking HTML and JavaScript tags. Many sites prevent the use of < and > characters to block cross-site scripting. crypto diversity—Using different methods to protect cryptographic keys. Compare with control diversity, vendor diversity, and technology diversity.
d
cryptomalware—A type of ransomware that encrypts the user’s data. CSF—Cybersecurity Framework. A framework that aligns with the RMF and can be used in the
ea
private sector. NIST SP 800-37, “Risk Management Framework for Information Systems and
Organizations” is targeted toward federal government agencies. The CSF is an alternative that fits
Ah
the private sector. It includes three components: the framework core, the framework implantation tiers, and the framework profiles.
CSR—Certificate signing request. A method of requesting a certificate from a CA. It starts by creating an RSA-based private/public key pair and then including the public key in the CSR. Most
et
CAs require CSRs to be formatted using the Public-Key Cryptography Standards (PKCS) #10 specification.
G
CTM—Counter mode. A mode of operation used for encryption that combines an IV with a counter. The combined result is used to encrypt blocks.
CTO—Chief Technology Officer. A “C” level executive position in some organizations. CTOs
d
focus on technology and evaluate new technologies.
ie
custom firmware—Mobile device firmware other than the firmware provided with the device. People sometimes use custom firmware to root Android devices.
er tif
CVE—Common Vulnerabilities and Exposures. A dictionary of publicly known security vulnerabilities and exposures.
Cybersecurity Framework (CSF)—A framework that aligns with the RMF and can be used in the private sector. NIST SP 800-37, “Risk Management Framework for Information Systems and
C
Organizations” is targeted toward federal government agencies. The CSF is an alternative that fits the private sector. It includes three components: the framework core, the framework implantation tiers, and the framework profiles.
et
cybersecurity resilience—A system’s ability to continue to operate even after an adverse event.
Resilience is similar to availability. However, availability tries to keep systems operational 100
G
percent of the time, which isn’t possible. In contrast, resilience expects systems to have outages and seeks to restore the system to full operation as soon as possible after the outage. Compare with
availability.
Copyright 2021 YCDA, LLC v0.1
CYOD—Choose your own device. A mobile device deployment model. Employees can connect their personally owned device to the network as long as the device is on a preapproved list. Note that the device is purchased by and owned by employees. Compare with BYOD and COPE.
d
D
ea
DAC—Discretionary access control. An access control scheme. All objects (files and folders) have
owners, and owners can modify permissions for the objects. Compare with ABAC, MAC, role-based access control, and rule-based access control.
Ah
data at rest—Any data stored on media. It’s common to encrypt sensitive data-at-rest.
data bias—A risk associated with machine learning and AI-enabled systems. People write algorithms, and sometimes people inadvertently insert their bias into their code and data used by their code. As an example, the Correctional Offender Management Profiling for Alternative
et
Sanctions (COMPAS) algorithm used in US court systems to predict recidivism reportedly produced twice as many false positives for black offenders (45%) than white offenders (23%). Compare with
G
tainted data.
data controller—A GDPR data role. The data controller determines how and why personal data
d
should be processed and typically delegates the data processing to a data processor. data custodian/steward—A GDPR data role. The data custodian (sometimes called a data steward)
ie
performs routine daily tasks such as storing and backing up data.
er tif
data owner—A GDPR data role. The data owner is most responsible for protecting privacy and user rights for any data owned by an organization. data processor—A GDPR data role. The data processor uses and manipulates data on behalf of the data controller.
data protection officer (DPO)—A GDPR data role. The DPO is responsible for ensuring the
C
organization complies with all relevant laws and acts as an independent advocate for customer data. Data Execution Prevention (DEP)—A security feature in some operating systems. DEP prevents
et
an application or service from executing in memory regions marked as nonexecutable. DEP can block some malware.
G
data exfiltration—The unauthorized transfer of data outside an organization. data in transit/motion—Any data sent over a network. It’s common to encrypt sensitive data in transit.
data in use—Any data currently being used by a computer. Because the computer needs to process the data, it is not encrypted while in use.
Security+ Practice Test Questions
https://gcgapremiumpass.com/sy0-601-practice-test-questions/
data loss prevention (DLP)— A group of technologies used to prevent data loss. End-point DLP systems can prevent users from copying or printing sensitive data. Network-based DLP systems monitor outgoing email to detect and block unauthorized data transfers and monitor data stored in the cloud.
d
data masking—Modifying the data to hide the original content. Data masking replaces data with other data that looks valid but is inaccurate. For example, Homer can be replaced with Fred. Data
ea
masking creates data sets that used for testing. Compare with anonymization, pseudo-anonymization, and tokenization.
Ah
data minimization—A principle requiring organizations to limit the information they collect and use. Compare with data retention.
data retention policy—A security policy specifying how long data should be kept or retained. data sanitization—The process of destroying or removing all sensitive data from systems and
et
devices. Data sanitization methods include burning, shredding, pulping, pulverizing, and degaussing. data sovereignty—A term that refers to the legal implications of data stored in different countries. It
G
is primarily a concern related to backups stored in alternate locations via the cloud. DDoS—Distributed denial-of-service. An attack on a system launched from multiple sources. DDoS attacks consume a system’s resources resulting in resource exhaustion. DDoS attacks typically
d
include sustained, abnormally high network traffic. Compare to DoS.
ie
denial-of-service (DoS)—An attack from a single source. A DoS attack that attempts to disrupt the services provided by the attacked system. Compare to DDoS.
er tif
dead code—Code that is never executed or used. It is often caused by logic errors. defense in depth—The use of multiple layers of security to protect resources. Control diversity and vendor diversity are two methods organizations implement to provide defense in depth. degaussing—A data sanitization process. Degaussing removes data from magnetic media using a
C
powerful electronic magnet. Degaussing is sometimes used to remove data from backup tapes or to destroy hard disks. Compare with burning, shredding, pulping, and pulverizing. deny list— A list of applications that a system denies or blocks. Users are unable to install or run any
et
applications on the list. Also called block list. Compare with allow list.
DEP—Data Execution Prevention. A security feature in some operating systems. DEP prevents an
G
application or service from executing in memory regions marked as nonexecutable. DEP can block some malware.
DER—Distinguished Encoding Rules. A base format for PKI certificates. They are BASE64 binary encoded files. Compare with CER.
Copyright 2021 YCDA, LLC v0.1
detective controls—Security controls that attempt to detect security incidents after they have occurred. Compare with preventive, corrective, deterrent, compensating, and physical security controls. deterrent controls—Security controls that attempt to discourage individuals from causing a security
d
incident. Compare with preventive, detective, corrective, compensating, and physical security controls.
ea
DH—Diffie-Hellman. An asymmetric algorithm used to privately share symmetric keys. DH
Ephemeral (DHE) uses ephemeral keys, which are re-created for each session. Elliptic Curve DHE
Ah
(ECDHE) uses elliptic curve cryptography to generate encryption keys.
DHCP—Dynamic Host Configuration Protocol. A service used to dynamically assign TCP/IP configuration information to clients. DHCP is often used to assign IP addresses, subnet masks, default gateways, DNS server addresses, and much more.
et
DHCP snooping—A preventive measure used to prevent unauthorized DHCP servers. It is enabled on Layer 2 switch ports. When enabled, the switch only sends DHCP broadcast traffic (the DHCP
G
discover message) to trusted ports.
DHE—Diffie-Hellman Ephemeral. An alternative to traditional Diffie-Hellman. Instead of using static keys that stay the same over a long period, DHE uses ephemeral keys, which change for each
d
new session. Sometimes listed as EDH.
ie
Dictionary attack—A password attack that uses a file of words and character combinations. The attack tries every entry within the dictionary file when trying to guess a password.
er tif
differential backup—A type of backup. A differential backup will back up all the data that has changed or is different since the last full backup. Compare with incremental backup. Diffie-Hellman (DH)—An asymmetric algorithm used to privately share symmetric keys. DH Ephemeral (DHE) uses ephemeral keys, which are re-created for each session. Elliptic Curve DHE
C
(ECDHE) uses elliptic curve cryptography to generate encryption keys. dig—A Linux command-line tool. It is used to test DNS on Linux systems. Compare with nslookup. digital signature—An encrypted hash of a message, encrypted with the sender’s private key. It
et
provides authentication, non-repudiation, and integrity. Digital Signature Algorithm (DSA)—The algorithm used to create a digital signature. A digital
G
signature is an encrypted hash of a message. The sender’s private key encrypts the hash of the message to create the digital signature. The recipient decrypts the hash with the sender’s public key, and, if successful, it provides authentication, non-repudiation, and integrity. Authentication identifies the sender. Integrity verifies the message has not been modified. Non-repudiation is used with online
transactions and prevents the sender from later denying he sent the email.
Security+ Practice Test Questions
https://gcgapremiumpass.com/sy0-601-practice-test-questions/
directory traversal attack—An attack that attempts to access a file or folder by entering the directory path. It is often used as part of an HTTP GET command. For example, the passwd file on Linux systems is within the ../etc/passwd path, and directory traversal attacks include some form of the ../etc/passwd path in the GET command.
d
disablement policy—A policy that identifies when administrators should disable user accounts. Accounts are disabled or deleted when an employee leave a company.
ea
disassociation attack—An attack that removes wireless clients from a wireless network. It forces wireless clients to connect with an AP again and allows attackers to capture the authentication
Ah
process.
disaster recovery plan (DRP)—A document designed to help a company respond to disasters, such as hurricanes, floods, and fires. It includes a hierarchical list of critical systems and often prioritizes services to restore after an outage. Testing validates the plan. The final phase of disaster recovery
et
includes a review to identify any lessons learned and may include an update of the plan. Compare with BCP and BIA.
G
discretionary access control (DAC)—An access control scheme. All objects (files and folders) have owners, and owners can modify permissions for the objects. Compare with ABAC, MAC, rolebased access control, and rule-based access control.
d
dissolvable agent—A NAC agent that runs on a client, but deletes itself later. It checks the client for
ie
health and is the same as agentless. Compare with permanent agent. distributed denial-of-service (DDoS)—An attack on a system launched from multiple sources.
er tif
DDoS attacks consume a system’s resources resulting in resource exhaustion. DDoS attacks typically include sustained, abnormally high network traffic. Compare to DoS. DLL—Dynamic-link library. A compiled set of code that can be called from other programs. DLL injection—An attack that injects a Dynamic Link Library (DLL) into memory and runs it.
C
Attackers rewrite the DLL, inserting malicious code. DLP—data loss prevention. A group of technologies used to prevent data loss. End-point DLP systems can prevent users from copying or printing sensitive data. Network-based DLP systems
et
monitor outgoing email to detect and block unauthorized data transfers and monitor data stored in the cloud.
G
DMZ—demilitarized zone. A buffer zone between the Internet and an internal network. It allows access to services while segmenting access to the internal network. Internet clients can access the services hosted on servers in the DMZ, but the DMZ provides a layer of protection for the internal network. CompTIA is using the term screened subnet to replace DMZ. Compare with screened subnet. Copyright 2021 YCDA, LLC v0.1
DNS—Domain Name System. Used to resolve hostnames to IP addresses. DNS zones include records such as A records for IPv4 addresses, AAAA records for IPv6 addresses, and MX records to identify mail servers. DNS uses UDP port 53 for DNS client queries and TCP port 53 for zone transfers. Compare with DNS poisoning and pharming.
d
DNS poisoning—An attack that modifies or corrupts DNS results. DNSSEC helps prevent DNS poisoning. protect the integrity of DNS records and prevent some DNS attacks.
ea
DNSSEC—Domain Name System Security Extensions. A suite of extensions to DNS used to
from the owner.
Ah
domain hijacking—An attack that changes the registration of a domain name without permission DoS—denial-of-service. An attack from a single source. A DoS attack attempts to disrupt the services provided by the attacked system. Compare to DDoS.
et
downgrade attack—A type of attack that forces a system to downgrade its security. The attacker then exploits the lesser security control.
G
DRP—disaster recovery plan. A document designed to help a company respond to disasters, such as hurricanes, floods, and fires. It includes a hierarchical list of critical systems and often prioritizes services to restore after an outage. Testing validates the plan. The final phase of disaster recovery
ie
with BCP and BIA.
d
includes a review to identify any lessons learned and may include an update of the plan. Compare DSA—Digital Signature Algorithm. The algorithm used to create a digital signature. A A digital
er tif
signature is an encrypted hash of a message. The sender’s private key encrypts the hash of the message to create the digital signature. The recipient decrypts the hash with the sender’s public key, and, if successful, it provides authentication, non-repudiation, and integrity. Authentication identifies the sender. Integrity verifies the message has not been modified. Non-repudiation is used with online
C
transactions and prevents the sender from later denying he sent the email. dumpster diving—The practice of searching through trash looking for information from discarded documents. Shredding or burning papers helps prevent the success of dumpster diving.
G
et
dynamic-link library (DLL)—A compiled set of code that can be called from other programs.
E
EAP—Extensible Authentication Protocol. An authentication framework that provides general guidance for authentication methods. Variations include EAP-TLS, EAP-TTLS, and PEAP.
Security+ Practice Test Questions
https://gcgapremiumpass.com/sy0-601-practice-test-questions/
EAP-FAST—EAP-Flexible Authentication via Secure Tunneling. A Cisco-designed protocol sometimes used with 802.1X. EAP-FAST supports certificates, but they are optional. Compare with EAP, EAP-TLS, EAP-TTLS, and PEAP. EAP-TLS—Extensible Authentication Protocol-Transport Layer Security. An extension of EAP
d
sometimes used with 802.1X. This is one of the most secure EAP standards and is widely implemented. The primary difference between PEAP and EAP-TLS is that EAP-TLS requires certificates on the 802.1X
ea
server and on each of the wireless clients. Compare with EAP, EAP-TTLS, EAP-FAST, and PEAP.
EAP-TTLS—Extensible Authentication Protocol-Tunneled Transport Layer Security. An extension of
Ah
EAP sometimes used with 802.1X. It allows systems to use some older authentication methods such as PAP within a TLS tunnel. It requires a certificate on the 802.1X server but not on the clients. Compare with EAP, EAP-TLS, EAP-FAST, and PEAP.
ECC—Elliptic curve cryptography. An asymmetric encryption algorithm commonly used with smaller
et
wireless devices. It uses smaller key sizes and requires less processing power than many other encryption methods.
G
ECDHE—Elliptic Curve Diffie-Hellman Ephemeral. A version of Diffie-Hellman that uses ECC to generate encryption keys. Ephemeral keys are re-created for each session. elasticity—The ability of a system to handle an increased workload by dynamically scaling up or scaling
d
out as the need arise. A system may add more resources (such as more memory) when it suddenly
ie
experiences high demand. Scalability requires rebooting a server to add the resources, but elasticity dynamically adds the resources without rebooting the server. Compare with scalability.
er tif
electromagnetic interference (EMI)—Interference caused by motors, power lines, and fluorescent lights. EMI shielding prevents outside interference sources from corrupting data and prevents data from emanating outside the cable.
elliptic curve cryptography (ECC)—An asymmetric encryption algorithm commonly used with smaller
C
wireless devices. It uses smaller key sizes and requires less processing power than many other encryption methods.
Elliptic Curve Diffie-Hellman Ephemeral (ECDHE)—A version of Diffie-Hellman that uses ECC to
et
generate encryption keys. Ephemeral keys are re-created for each session.
embedded system—Any device that has a dedicated function and uses a computer system to
G
perform that function. It includes a CPU, an operating system, and one or more applications.
EMI—Electromagnetic interference. Interference caused by motors, power lines, and fluorescent lights. EMI shielding prevents outside interference sources from corrupting data and prevents data from emanating outside the cable.
Copyright 2021 YCDA, LLC v0.1
Encapsulating Security Protocol (ESP)—A part of IPsec that provides encryption. IPsec includes both AH and ESP. AH provides authentication and integrity using HMAC. ESP provides confidentiality, integrity, and authentication using HMAC and AES or 3DES. ESP is identified with protocol ID number 50.
d
encryption—A process that scrambles, or ciphers, data to make it unreadable. Encryption normally includes a public algorithm and a private key. Compare with asymmetric and symmetric encryption. with a username and password. Compare with Open and PSK modes.
ea
Enterprise—A wireless mode that uses an 802.1X server for security. It forces users to authenticate
Ah
entropy—The randomness of a cryptographic algorithm. A higher level of randomness results in a higher level of security when using the algorithm. A lack of entropy results in a weaker algorithm and makes it much easier for the algorithm to be cracked.
ephemeral key—A type of key used in cryptography. Ephemeral keys have short lifetimes and are
et
re-created for each session. In contrast, static keys are semi-permanent and stay the same over a long period of time.
G
error handling—A programming process that handles errors gracefully.
ESP—Encapsulating Security Protocol. A part of IPsec that provides encryption. IPsec includes both AH and ESP. AH provides authentication and integrity using HMAC. ESP provides confidentiality, integrity,
d
and authentication using HMAC and AES or 3DES. ESP is identified with protocol ID number 50. Compare with rogue AP.
ie
evil twin—A type of rogue AP. An evil twin has the same or similar SSID as a legitimate AP.
er tif
exit interview—An interview conducted with departing employees just before they leave an organization.
exploitation frameworks—Tools used to store information about security vulnerabilities. They are often used by penetration testers (and attackers) to detect and exploit software.
C
Extensible Authentication Protocol (EAP)—An authentication framework that provides general guidance for authentication methods. Compare with EAP-TLS, EAP-TTLS, EAP-FAST, and PEAP. Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)—An extension of EAP
et
sometimes used with 802.1X. This is one of the most secure EAP standards and is widely implemented. The primary difference between PEAP and EAP-TLS is that EAP-TLS requires certificates on the 802.1X
G
server and on each of the wireless clients. Compare with EAP, EAP-TTLS, EAP-FAST, and PEAP. Extensible Authentication Protocol-Tunneled Transport Layer Security (EAP-TTLS)—. An
extension of EAP sometimes used with 802.1X. It allows systems to use some older authentication methods such as PAP within a TLS tunnel. It requires a certificate on the 802.1X server but not on the clients. Compare with EAP, EAP-TLS, EAP-FAST, and PEAP.
Security+ Practice Test Questions
https://gcgapremiumpass.com/sy0-601-practice-test-questions/
Extensible Markup Language (XML)—A language used by many databases for inputting or exporting data. XML uses formatting rules to describe the data. extranet—The part of an internal network shared with outside entities. Extranets are often used to provide access to authorized business partners, customers, vendors, or others. Compare with
ea
d
intranet.
F
Ah
facial recognition— A biometric authentication system. Facial recognition systems identify people based on facial features.
factors of authentication—The different methods used for authentication. The common
authentication factors are something you know, such as a password or personal identification number
et
(PIN), something you have, such as a smart card, a phone, or a USB token, and something you are, such as a fingerprint or other biometric identification. Compare with authentication attributes,
G
something you know, something you have, and something you are.
false acceptance—A biometric error. It indicates a biometric system incorrectly accepted an result in a true acceptance.
d
unknown user as if the user was known. If the biometric system was working correctly, it would
ie
false acceptance rate (FAR)—Also called the false match rate. A rate that identifies the percentage
er tif
of times a biometric authentication system incorrectly indicates a match. false negative—A security incident that isn’t detected or reported. As an example, a NIDS false negative occurs if an attack is active on the network, but the NIDS does not raise an alert. A false negative on a vulnerability scanner indicates a vulnerability exists, but the vulnerability scanner didn’t detect it.
C
false positive—An alert on an event that isn’t a security incident. As an example, a NIDS false positive occurs if the NIDS raises an alert but activity on the network is normal. A false positive on a
et
vulnerability scanner indicates a vulnerability scanner detected a vulnerability, but a vulnerability doesn’t exist.
G
false rejection—A biometric error. It indicates a biometric system incorrectly rejected a valid user. If the biometric system was working correctly, it would result in a true acceptance. As an example, a NIDS false negative occurs if an attack is active on the network but the NIDS does not raise an alert. A false negative in a biometric system
Copyright 2021 YCDA, LLC v0.1
FAR—False acceptance rate. Also called the false match rate. A rate that identifies the percentage of times a biometric authentication system incorrectly indicates a match. Faraday cage—A room or enclosure that prevents signals from emanating beyond the room or enclosure. way, the system can tolerate the fault as if it never occurred.
ea
FDE—Full disk encryption. A method to encrypt an entire disk. Compare with SED.
d
fault tolerance—The capability of a system to suffer a fault, but continue to operate. Said another
federation—Two or more members of a federated identity management system. Used for single
Ah
sign-on.
File Transfer Protocol (FTP)—Used to upload and download files to an FTP server. FTP uses TCP ports 20 and 21. Secure FTP (SFTP) uses SSH for encryption on TCP port 22. FTP Secure (FTPS) uses SSL or TLS for encryption.
et
File Transfer Protocol Secure (FTPS)—An extension of FTP that uses SSL to encrypt FTP traffic. Some implementations of FTPS use TCP ports 989 and 990.
G
fingerprint scanners—A biometric authentication system. Fingerprint scanners scan fingerprints for authentication.
firewall—A software or a network device used to filter traffic. Firewalls can be host-based (running as an
d
application on a host) or network-based. Stateless firewalls filter traffic using rules within an ACL.
ie
firmware OTA updates—Over-the-air updates for mobile device firmware that keep them up to date. These are typically downloaded to the device from the Internet and applied to update the device.
er tif
forward proxy server—A server used to forward requests for services such as HTTP or HTTPS. All internal clients send their outgoing requests to the proxy server, and the proxy server sends the requests to the Internet server. Proxy servers increase performance by caching web pages and can filter URLs. A forward proxy server is commonly called a proxy server. Compare with reverse proxy
C
server.
framework—A structure used to provide a foundation. Cybersecurity frameworks typically use a structure of basic concepts and provide guidance to professionals on how to implement security.
et
FRR—False rejection rate. Also called the false nonmatch rate. A rate that identifies the percentage
of times a biometric authentication system incorrectly rejects a valid match.
G
FTP—File Transfer Protocol. Used to upload and download files to an FTP server. FTP uses TCP ports 20 and 21. Secure FTP (SFTP) uses SSH for encryption on TCP port 22. FTP Secure (FTPS) uses SSL or TLS for encryption.
FTPS—File Transfer Protocol Secure. An extension of FTP that uses SSL to encrypt FTP traffic. Some implementations of FTPS use TCP ports 989 and 990.
Security+ Practice Test Questions
https://gcgapremiumpass.com/sy0-601-practice-test-questions/
full backup—A type of backup that backs up all the selected data. A full backup could be considered a normal backup. full disk encryption (FDE)—A method to encrypt an entire disk. Compare with SED. full tunnel—An encrypted connection used with VPNs. When a user is connected to a VPN, all Pass the First Time with Quality Practice Test Questions
ea
https://gcgapremium.com/sy0-601-practice-test-questions/
d
traffic from the user is encrypted. Compare with split tunnel.
Ah
G
gamification—A training method that increases participation and interaction. Gamification intertwines game-design elements within user training methods. Some gamification techniques
et
include a sense of competition, such as capture the flag competitions.
GCM—Galois/Counter Mode. A mode of operation used for encryption. It combines the Counter
G
(CTM) mode with hashing techniques for data authenticity and confidentiality. GDPR—General Data Protection Regulation. The GDPR is a European Union (EU) regulation that
d
clarifies requirements to protect the personal data of anyone living in the EU. It also defines the roles protection officer (DPO).
ie
of data owners, data controllers, data processors, data custodians or data stewards, and the data
er tif
General Data Protection Regulation—A European Union (EU) regulation that clarifies requirements to protect the personal data of anyone living in the EU. It defines the roles of data owners,
data controllers, data processors, data custodians or data stewards, and the data protection officer (DPO).
C
geofencing—A virtual fence or geographic boundary. It uses GPS to create the boundary. Apps can then respond when a mobile device is within the virtual fence.
et
geolocation—The location of a device identified by GPS. It can help locate a lost or stolen mobile
device.
G
Global Positioning System (GPS)—A satellite-based navigation system that identifies the location of a device or vehicle. Mobile devices often incorporate GPS capabilities.
GPS—Global Positioning System. A satellite-based navigation system that identifies the location of a
device or vehicle. Mobile devices often incorporate GPS capabilities.
Copyright 2021 YCDA, LLC v0.1
GPS tagging—A process of adding geographical data to files such as pictures. It typically includes latitude and longitude coordinates of the location where the photo was taken, or the file was created. group-based access control—A role-based access control method that uses groups as roles. Guest account—A pre-created account in Windows systems. It is disabled by default.
ea
d
H
hacktivist—An attacker who launches attacks as part of an activist movement or to further a cause.
hardware root of trust—A known secure starting point for an operating system. A TPM ships with
Ah
a matched key pair used for encryption, and this key pair provides a hardware root of trust.
hardware security module (HSM)—A removable or external device that can generate, store, and manage RSA keys used in asymmetric encryption. High-volume e-commerce sites use HSMs to increase the performance of TLS sessions. Compare with TPM.
et
hash—A number created by executing a hashing algorithm against data, such as a file or message. Hashing is commonly used for integrity. Common hashing algorithms are MD5, SHA-3, and
G
HMAC.
heat map—A graph that plots risks onto a graph or chart using color-coding. Compare with risk
d
matrix.
heuristic/behavioral—A type of monitoring on intrusion detection and intrusion prevention
ie
systems. It detects attacks by comparing traffic against a baseline. It is also known as anomaly
er tif
detection.
HIDS—Host-based intrusion detection system. Software installed on a system to detect attacks. A HIDS is used to monitor an individual server or workstation. It protects local resources on the host such as the operating system files, and in some cases, it can detect malicious activity missed by antivirus software. Compare with HIPS, NIDS, and NIPS.
C
high availability—A term that indicates a system or component remains available close to 100 percent of the time. Five nines indicates a system is up and operation 99.999 percent of the time.
et
Compare with availability and resilience.
HIPS—Host-based intrusion prevention system. An extension of a host-based IDS. It is designed to
G
react in real time to detect, and prevent, an attack in action. Compare with HIDS, NIDS, and NIPS.
HMAC—Hash-based Message Authentication Code. A hashing algorithm used to verify integrity
and authenticity of a message with the use of shared secret. When used with TLS and IPsec, HMAC is combined with MD5 and SHA-1 as HMAC-MD5 and HMAC-SHA1, respectively.
Security+ Practice Test Questions
https://gcgapremiumpass.com/sy0-601-practice-test-questions/
HMAC-based One-Time Password (HOTP)—An open standard used for creating one-time passwords, similar to those used in tokens or key fobs. It combines a secret key and an incrementing counter, and then uses HMAC to create a hash of the result. HOTP passwords do not expire until they are used. Compare with TOTP.
d
hoax—A message, often circulated through email, that tells of impending doom from a virus or other security threat that simply doesn’t exist.
ea
homomorphic encryption—A processes that allows data to remain encrypted while it is being
processed. Most homomorphic encryption methods work best when data is stored and manipulated
Ah
as integers.
honeyfile—A file designed to attract an attacker. As an example, a file named passwords.text might attract the attention of an attacker. It doesn’t contain valid passwords. Compare with honeypot and honeynet.
et
honeynet—A group of honeypots in a network. Honeynets are often configured in virtual networks. Honeypots within a honeynet have weakened security and are designed to attact attackers. Compare
G
with honeypot and honeyfile.
honeypot—A server designed to attract an attacker. It typically has weakened security encouraging attackers to investigate it. Compare with honeyfile and honeynet.
d
host-based intrusion detection system (HIDS)—Software installed on a system to detect attacks. A
ie
HIDS is used to monitor an individual server or workstation. It protects local resources on the host such as the operating system files, and in some cases, it can detect malicious activity missed by
er tif
antivirus software. Compare with HIPS, NIDS, and NIPS. host-based intrusion prevention system (HIPS)—An extension of a host-based IDS. It is designed to react in real time to detect, and prevent, an attack in action. Compare with HIDS, NIDS, and NIPS. hot and cold aisles—A method commonly used in data centers to keep equipment cool. Cool air
C
flows from the front of the cabinets to the back, making the front aisle cooler and the back aisle warmer.
HOTP—HMAC-based One-Time Password. An open standard used for creating one-time
et
passwords, similar to those used in tokens or key fobs. It combines a secret key and an incrementing counter, and then uses HMAC to create a hash of the result. HOTP passwords do not expire until
G
they are used. Compare with TOTP.
hot site—An alternate location for operations. A hot site typically includes everything needed to be
operational within 60 minutes. Compare with cold site and warm site.
Copyright 2021 YCDA, LLC v0.1
HSM—Hardware security module. A removable or external device that can generate, store, and manage RSA keys used in asymmetric encryption. High-volume e-commerce sites use HSMs to increase the performance of TLS sessions. Compare with TPM. HTML—Hypertext Markup Language. Language used to create webpages. HTML documents are
d
displayed by web browsers and delivered over the Internet using HTTP or HTTPS. It uses less-than and greater-than characters (< and >) to create tags. Many sites use input validation to block these
ea
tags and prevent cross-site scripting attacks.
HTTP—Hypertext Transfer Protocol. Used for web traffic on the Internet and in intranets. HTTP
Ah
uses TCP port 80. HTTP is almost always encrypted with TLS and referred to as HTTPS.
HTTPS—Hypertext Transfer Protocol Secure. A protocol used to encrypt HTTP traffic. HTTPS encrypts HTTP traffic with TLS using TCP port 443.
HVAC—Heating, ventilation, and air conditioning. A physical security control that increases
et
availability by regulating airflow within data centers and server rooms. They use hot and cold aisles to regulate the cooling, thermostats to ensure a relatively constant temperature, and humidity
G
controls to reduce the potential damage from condensation.
Hypertext Markup Language (HTML)—Language used to create webpages. HTML documents are displayed by web browsers and delivered over the Internet using HTTP or HTTPS. It uses less-
d
than and greater-than characters (< and >) to create tags. Many sites use input validation to block
er tif
ie
these tags and prevent cross-site scripting attacks.
I
IaaS—Infrastructure as a Service. A cloud computing model. IaaS allows an organization to rent
C
access to hardware in a self-managed platform. Customers are responsible for keeping an IaaS system up to date. Compare to PaaS, SaaS, and XaaS.
et
ICMP—Internet Control Message Protocol. Used for diagnostics such as ping. Many DoS attacks use ICMP. It is common to block ICMP at firewalls and routers. If ping fails, but other connectivity
G
to a server succeeds, it indicates that ICMP is blocked.
ICS—Industrial control system. A system that controls large systems such as power plants or water
treatment facilities. A SCADA system typically controls an ICS. Compare with SCADA. identification—The process that occurs when a user claims an identity, such as with a username.
Users prove their identity with other credentials, such as with a password.
Security+ Practice Test Questions
https://gcgapremiumpass.com/sy0-601-practice-test-questions/
IDS—Intrusion detection system. A detective control used to detect attacks after they occur. A network-based IDS (NIDS) monitors a network, and a host-based IDS (HIDS) monitors a host. They both monitor for intrusions and provides ongoing protection against various threats. IDSs include sniffing capabilities. Many IDSs use numbering systems to identify vulnerabilities. Compare with
d
IPS. IEEE—Institute of Electrical and Electronics Engineers. IEEE is an international organization with
ea
a focus on electrical, electronics, and information technology topics. IEEE standards are well respected and followed by vendors around the world.
Ah
IEEE 802.1X—A port-based authentication protocol. An authentication protocol used in VPNs and wired and wireless networks. VPNs often implement it as a RADIUS server. Wired networks use it for port-based authentication. Wireless networks use it in Enterprise mode, and it often uses one of the EAP authentication protocols. Compare with EAP, PEAP, EAP-TLS, and EAP-TTLS.
et
ifconfig—A command-line tool. The ifconfig tool is used on Linux systems to show and manipulate settings on a network interface card (NIC). Sit is similar to ipconfig used on Windows systems.
G
IGMP—Internet Group Management Protocol. Used for multicasting. Computers belonging to a multicasting group have a multicasting IP address in addition to a standard unicast IP address. IIS—Internet Information Services. A Microsoft Windows web server. IIS comes free with
d
Microsoft Windows Server products. Linux systems use Apache as a web server.
ie
IMAP4—Internet Message Access Protocol v4. Used to store email on servers and allow clients to manage their email on the server. IMAP4 uses TCP port 143. Secure IMAP4 uses TLS to encrypt IMAP4
er tif
traffic on TCP port 993.
impact—The magnitude of harm related to a risk. It is the negative result of an event, such as the loss of confidentiality, integrity, or availability of a system or data. Compare with likelihood of occurrence and qualitative risk assessment.
C
implicit deny—A rule in an ACL that blocks all traffic that hasn’t been explicitly allowed. The implicit deny rule is the last rule in an ACL. incident—An adverse event or series of events that can negatively affect the confidentiality,
et
integrity, or availability of an organization’s information technology (IT) systems and data.
Sometimes referred to as a security incident.
G
incident response. The process of responding to a security incident. Organizations often create an
incident response plan that outlines the procedures to be used when responding to an incident. incident response plan—A formal, coordinated plan that personnel can use when responding to an incident. It typically includes definitions of incident types, details on an incident response team, and team members’ roles and responsibilities. Copyright 2021 YCDA, LLC v0.1
incident response process—The phases of incident response. It includes preparation, identification, containment, eradication, recovery, and lessons learned. incident response team—A group of experts who respond to security incidents. It includes employees with expertise in different areas. changed since the last full or incremental backup. Compare with differential backup.
d
incremental backup—A type of backup. An incremental backup backs up all the data that has
ea
Infrastructure as a Service (IaaS)—A cloud computing model. IaaS allows an organization to rent access to hardware in a self-managed platform. Customers are responsible for keeping an IaaS
Ah
system up to date. Compare to PaaS, SaaS, and XaaS.
initialization vector (IV)—An IV provides randomization of encryption keys to help ensure that keys are not reused. In an IV attack, the attacker uses packet injection to increase the number of packets to analyze and discovers the encryption key.
et
initialization vector (IV) attack—A wireless attack that attempts to discover the IV. Legacy wireless security protocols are susceptible to IV attacks.
G
injection attack—An attack that injects code or commands. Common injection attacks are dynamic link library (DLL) injection, command injection, and SQL injection, and XML injection attacks. inline—A configuration that forces traffic to pass through a device. A NIPS is placed inline, allowing
d
it to prevent malicious traffic from entering a network. Sometimes called in-band. Compare with out-of-
ie
band.
input validation—A programming process that verifies data is valid before using it. Input validation
er tif
prevents many web-based attacks such as buffer overflow attacks, SQL injection attacks, and crosssite scripting attacks.
insider threat—An attacker who launches attacks from within an organization, typically as an employee.
C
integer overflow—An application attack that attempts to use or create a numeric value that is too big for an application to handle. Input handling and error handling thwart the attack. integrity—One of the core goals of information security sometimes referred to as the CIA security
et
triad. Integrity provides assurance that data or system configurations have not been modified. Audit logs and hashing are two methods used to ensure integrity. Compare with availability and
G
confidentiality.
intermediate CA—intermediate certificate authority. A CA created by a root CA that can issue
certificates and/or create child CAs that issue certificates. Compare with certificate authority and
certificate chaining.
Security+ Practice Test Questions
https://gcgapremiumpass.com/sy0-601-practice-test-questions/
Internet Message Access Protocol v4 (IMAP4)—Used to store email on servers and allow clients to manage their email on the server. IMAP4 uses TCP port 143. Secure IMAP4 uses TLS to encrypt IMAP4 traffic on TCP port 993.
Internet of things (IoT)—The network of physical devices connected to the Internet. It typically refers
d
to smart devices with an IP address, such as wearable technology and home automation systems. intranet—An internal network. People use an intranet to communicate and share content with each
ea
other on an internal network. Compare with extranet.
IoT—Internet of things. The network of physical devices connected to the Internet. It typically refers to
Ah
smart devices with an IP address, such as wearable technology and home automation systems. IP—Internet Protocol. Used for addressing. Compare with IPv4 and IPv6.
ipconfig—A command-line tool. It is used on Windows systems to show the configuration settings on a NIC.
et
IPS—Intrusion prevention system. A preventive control that can stop an attack in progress. It is similar to an active IDS except that it’s placed inline with traffic. An IPS can actively monitor data
G
streams, detect malicious content, and stop attacks in progress. It can be used internally to protect private networks, such as those holding SCADA equipment. Compare with IDS. IPsec—Internet Protocol security. A suite of protocols used to encrypt data-in-transit. IPSec can
d
operate in both Tunnel mode and Transport mode. IPsec is built into IPv6, but can also work with
ie
IPv4. Both versions support AH and ESP. AH provides authentication and integrity using HMAC, and ESP provides confidentiality, integrity, and authentication using HMAC and AES or 3DES.
er tif
Compare with AH, ESP, tunnel mode, and transport mode. IP spoofing—An attack that changes the source IP address. IP spoofing makes an attack appear as though it’s coming from a different source.
IPv4—Internet Protocol version 4. Identifies hosts using a 32-bit IP address. IPv4 is expressed in
C
dotted decimal format with decimal numbers separated by dots or periods like this: 192.168.1.1. IPv6—Internet Protocol version 6. Identifies hosts using a 128-bit address. IPv6 has a significantly larger address space than IPv4. IPsec is built in to IPv6 and can encrypt any type of IPv6 traffic.
et
iris scanners—A biometric system. Iris scanners scan the iris of an eye for authentication. ISP—Internet Service Provider. A company that provides Internet access to customers.
G
IT—Information technology. Computer systems and networks used within organizations. IV—Initialization vector. An IV provides randomization of encryption keys to help ensure that keys
are not reused. In an IV attack, the attacker uses packet injection to increase the number of packets to analyze and discovers the encryption key.
Copyright 2021 YCDA, LLC v0.1
J allows a user to install software from any third-party source. Compare with rooting.
d
jailbreaking—The process of modifying an Apple mobile device to remove software restrictions. It
by a wireless network.
ea
jamming—A DoS attack against wireless networks. It transmits noise on the same frequency used
job rotation—A process that ensures employees rotate through different jobs to learn the processes and
Ah
procedures in each job. It can sometimes detect fraudulent activity.
Pass the First Time with Quality Practice Test Questions
et
https://gcgapremium.com/sy0-601-practice-test-questions/
G
K
KDC—Key Distribution Center. Also known as Ticket Granting Ticket (TGT) server. Part of the Kerberos protocol used for network authentication. The KDC issues timestamped tickets that expire.
d
Kerberos—A network authentication mechanism used with Windows Active Directory domains and
ie
some Unix environments known as realms. It uses a KDC to issue tickets. kernel—The central part of the operating system. In container virtualization, guests share the kernel.
er tif
key escrow—The process of placing a copy of a private key in a safe environment. If the original key is lost, an organization can retrieve a copy of the key to access the data. key exchange—A cryptographic method used to share cryptographic keys. asymmetric encryption uses key exchange to share a symmetric key.
C
keylogger—Software or hardware used to capture a user’s keystrokes. Keystrokes are stored in a file and can be manually retrieved or automatically sent to an attacker. key stretching—A technique used to increase the strength of stored passwords. It adds additional bits
et
(called salts) and can help thwart brute force and rainbow table attacks. known environment test—A type of penetration test. Testers have full knowledge of the
G
environment prior to starting the test. This was previously known as a white box test. Compare with unknown environment test and partially known environment test.
known plaintext—A cryptographic attack that decrypts encrypted data. In this attack, the attacker
knows the plaintext used to create ciphertext. Compare with ciphertext and plaintext.
Security+ Practice Test Questions
https://gcgapremiumpass.com/sy0-601-practice-test-questions/
L L2TP—Layer 2 Tunneling Protocol. Tunneling protocol used with VPNs. L2TP is commonly used with IPsec (L2TP/IPsec) and uses UDP port 1701. can be physical labels, such as on backup tapes, or digital labels embedded in files.
d
labeling—The process of ensuring data is tagged clearly so that users know its classification. Labels
ea
Layer 2 Tunneling Protocol (L2TP)—Tunneling protocol used with VPNs. L2TP is commonly used with IPsec (L2TP/IPsec) and uses UDP port 1701.
Ah
LDAP—Lightweight Directory Access Protocol. A protocol used to communicate with directories such as Microsoft Active Directory. It identifies objects with query strings using codes such as CN=Users and DC=GetCertifiedGetAhead. LDAP uses TCP port 389. LDAP injection attacks attempt to access or modify data in directory service databases. Compare with LDAPS.
et
LDAPS—Lightweight Directory Access Protocol over SSL. A protocol used to encrypt LDAP traffic with TLS. While it has SSL in the name, TLS has replaced SSL. LDAPS is sometimes
G
referred to as Lightweight Directory Access Protocol Secure. LDAPS encrypts transmissions with TLS over TCP port 636. Compare with LDAP.
least privilege—A security principle that minimizes privileges given to individuals. The lease
d
privilege principle specifies that individuals and processes are granted only the rights and permissions
ie
needed to perform assigned tasks or functions, but no more. legal hold—A court order to maintain data for evidence.
er tif
lightweight cryptography—Cryptography deployed to smaller devices. Many Internet of Things (IoT) devices use lightweight cryptography.
Lightweight Directory Access Protocol (LDAP)—A protocol used to communicate with directories such as Microsoft Active Directory. It identifies objects with query strings using codes
C
such as CN=Users and DC=GetCertifiedGetAhead. LDAP uses TCP port 389. LDAP injection attacks attempt to access or modify data in directory service databases. Compare with LDAPS. Lightweight Directory Access Protocol over SSL (LDAPS)—A protocol used to encrypt LDAP
et
traffic with TLS. While it has SSL in the name, TLS has replaced SSL. LDAPS is sometimes referred to as Lightweight Directory Access Protocol Secure. LDAPS encrypts transmissions with
G
TLS over TCP port 636. Compare with LDAP.
likelihood of occurrence—The probability that something will occur. It is used with impact in a
qualitative risk assessment. Compare with impact and qualitative risk assessment. load balancer—Hardware or software that balances the load between two or more servers. Load
balancers add redundancy and fault tolerance and can help eliminate single points of failure. Copyright 2021 YCDA, LLC v0.1
logic bomb—A type of malware that executes in response to an event. The event might be a specific date or time, or a user action such as when a user launches a specific program. loop prevention—Methods used to prevent switching loop or bridge loop problems. Both STP and RSTP prevent switching loops.
ea
d
M
MAC—Mandatory Access Control. An access control scheme. MAC uses sensitivity labels assigned to objects (files and folders) and subjects (users). MAC restricts access based on a need to know.
Ah
Compare with ABAC, DAC, role-based access control, and rule-based access control.
MAC—media access control. A 48-bit address used to identify network interface cards. It is also called a hardware address or a physical address. and is commonly displayed as six pairs of hexadecimal characters. Port security on a switch or an AP can limit access using MAC filtering.
et
MAC cloning attack—An attack that changes the source MAC address to impersonate an authorized system. When MAC filtering is used, attackers can discover the address of authorized
G
MAC addresses, and change their address to bypass MAC filtering. This is sometimes called MAC spoofing.
d
MAC filtering—A form of network access control to allow or block access based on the MAC address. It is configured on switches for port security or on APs for wireless security.
ie
MAC flooding—An attack against a switch that attempts to overload it. Most ports on a switch have
er tif
only a single host connected to them, with only a single MAC address. A MAC flooding attack repeatedly spoofs the MAC address. If successful, the switch operates as a hub instead of as a switch.
malware—Malicious software. It includes a wide range of software that has malicious intent, such as viruses, worms, ransomware, rootkits, logic bombs, and more.
C
managerial controls— Security controls implemented via managerial or administrative or methods. They are typically documented in an organization’s security policy and focus on managing risk.
et
Compare with technical and operational controls. Mandatory Access Control (MAC)—An access control scheme. MAC uses sensitivity labels
G
assigned to objects (files and folders) and subjects (users). MAC restricts access based on a need to know. Compare with ABAC, DAC, role-based access control, and rule-based access control. mandatory vacation—A policy that forces employees to take a vacation. The goal is to deter
malicious activity, such as fraud and embezzlement, and detect malicious activity when it occurs.
Security+ Practice Test Questions
https://gcgapremiumpass.com/sy0-601-practice-test-questions/
MD5—Message Digest 5. A hashing function used to provide integrity. MD5 creates 128-bit hashes, which are also referred to as MD5 checksums. A hash is simply a number created by applying the algorithm to a file or message at different times. Comparing the hashes verifies integrity. Experts consider MD5 cracked and discourage its use as a cryptographic hash. However, it is still used as a
d
checksum in some situations. MDM—Mobile device management. A group of applications and technologies used to manage
ea
mobile devices. MDM tools can monitor mobile devices and ensure they are in compliance with security policies.
Ah
measured boot—A process that verifies the integrity of the boot process. It completes these checks before allowing the user to interact with the system.
media access control (MAC) flooding—An attack against a switch that attempts to overload it. Most ports on a switch have only a single host connected to them, with only a single MAC address.
et
A MAC flooding attack repeatedly spoofs the MAC address. If successful, the switch operates as a hub instead of as a switch.
G
Memorandum of understanding (MOU)—A type of agreement that defines the responsibilities of each party. Sometimes called a memorandum of agreement.
memory leak—An application flaw that consumes memory without releasing it. In extreme cases,
d
the application can consume so much memory that the operating system crashes
ie
Message Digest 5 (MD5)—A hashing function used to provide integrity. MD5 creates 128-bit hashes, which are also referred to as MD5 checksums. A hash is simply a number created by
er tif
applying the algorithm to a file or message at different times. Comparing the hashes verifies integrity. Experts consider MD5 cracked and discourage its use as a cryptographic hash. However, it is still used as a checksum in some situations. MMS—Multimedia Messaging Service. An extension of SMS. MMS allows users to include
C
multimedia content such as pictures, short videos, audio, or even a slideshow of multiple images. Compare with SMS and Rich Communication Services. Mobile device management (MDM)—A group of applications and technologies used to manage
et
mobile devices. MDM tools can monitor mobile devices and ensure they are in compliance with security policies.
G
MS-CHAP—Microsoft Challenge Handshake Authentication Protocol. Microsoft implementation of
CHAP. MS-CHAPv2 improves MS-CHAP by providing mutual authentication. MS-CHAPv2—Microsoft Challenge Handshake Authentication Protocol version 2. Microsoft implementation of CHAP. MS-CHAPv2 provides mutual authentication. Compare with CHAP and PAP. Copyright 2021 YCDA, LLC v0.1
MTBF—Mean time between failures. Provides a measure of a system’s reliability and is usually represented in hours. The MTBF identifies the average (the arithmetic mean) time between failures. Higher MTBF numbers indicate a higher reliability of a product or system. MTTF—Mean time to failure. The length of time you can expect a device to remain in operation
d
before it fails. It is similar to MTBF, but the primary difference is that the MTBF metric indicates you can repair the device after it fails. The MTTF metric indicates that you will not be able to repair
ea
a device after it fails.
MTTR—Mean time to recover. Identifies the average (the arithmetic mean) time it takes to restore a
Ah
failed system. Organizations that have maintenance contracts often specify the MTTR as a part of the contract.
multifactor authentication—A type of authentication that uses methods from more than one factor of authentication. Compare with something you know, something you have, and something you are.
et
Multimedia Message Service (MMS)—An extension of SMS. MMS allows users to include multimedia content such as pictures, short videos, audio, or even a slideshow of multiple images.
G
Compare with SMS and Rich Communication Services.
d
N
NAC—Network access control. A system that inspects clients to ensure they are healthy. Healthy
ie
clients are granted access to the network, and unhealthy clients are redirected to a remediation
er tif
network. Agents inspect clients, and agents can be permanent or dissolvable (also known as agentless). MAC filtering is a form of NAC.
NAT—Network Address Translation. A service that translates public IP addresses to private IP addresses and private IP addresses to public IP addresses. National Institute of Standards and Technology (NIST)—NIST is a part of the U.S. Department
C
of Commerce, and it includes an Information Technology Laboratory (ITL). The ITL publishes special publications related to security that are freely available to anyone. They can found at
et
http://csrc.nist.gov/publications/PubsSPs.html. NDA—Non-disclosure agreement. An agreement that is designed to prohibit personnel from sharing
G
proprietary data. It can be used with employees within the organization and with outside organizations. It is commonly embedded as a clause in a contract.
Netcat (nc)—A command-line tool. Netcat is used to connect to remote systems. netstat—A command-line tool. Netstat is used to show network statistics on a system.
Security+ Practice Test Questions
https://gcgapremiumpass.com/sy0-601-practice-test-questions/
network access control (NAC)—A system that inspects clients to ensure they are healthy. Healthy clients are granted access to the network, and unhealthy clients are redirected to a remediation network. Agents inspect clients, and agents can be permanent or dissolvable (also known as agentless). MAC filtering is a form of NAC.
d
Network Address Translation (NAT)—A service that translates public IP addresses to private IP addresses and private IP addresses to public IP addresses.
ea
network-based intrusion detection system (NIDS)—A device that detects attacks and raises alerts. A NIDS is installed on network devices, such as routers or firewalls and monitors network traffic. It
Ah
can detect network-based attacks.
network-based intrusion prevention system (NIPS)—A device that detects and stops attacks in progress. A NIPS is placed inline (also called in-band) with traffic so that it can actively monitor data streams, detect malicious content, and stop attacks in progress.
et
network interface card (NIC)—Provides connectivity to a network. A NIC is typically built into a circuit board and includes a connector, such as an RJ-45 connector.
G
network scanner—A tool used to discover devices on a network, including their IP addresses, their operating system, along with services and protocols running on the devices. near field communication (NFC)—A group of standards used on mobile devices that allow them to
d
communicate with other nearby mobile devices. Many credit card readers support payments using
ie
NFC technologies with a smartphone.
network interface card (NIC) teaming—A group of two or more network adapters acting as a
er tif
single network adapter. NIC teaming provides increased bandwidth and load balancing capabilities. NFC—Near field communication. A group of standards used on mobile devices that allow them to communicate with other nearby mobile devices. Many credit card readers support payments using NFC technologies with a smartphone.
C
NFC attack—An attack against mobile devices that use near field communication (NFC). NFC is a group of standards that allow mobile devices to communicate with nearby mobile devices. NIC—Network interface card. Provides connectivity to a network. A NIC is typically built into a
et
circuit board and includes a connector, such as an RJ-45 connector.
NIC teaming—Network interface card (NIC) teaming. A group of two or more network adapters
G
acting as a single network adapter. NIC teaming provides increased bandwidth and load balancing capabilities.
NIDS—Network-based intrusion detection system. A device that detects attacks and raises alerts. A NIDS is installed on network devices, such as routers or firewalls and monitors network traffic. It can detect network-based attacks. Copyright 2021 YCDA, LLC v0.1
NIPS—Network-based intrusion prevention system. A device that detects and stops attacks in progress. A NIPS is placed inline (also called in-band) with traffic so that it can actively monitor data streams, detect malicious content, and stop attacks in progress. NIST—National Institute of Standards and Technology. NIST is a part of the U.S. Department of publications related to security that are freely available to anyone. They can found at
ea
http://csrc.nist.gov/publications/PubsSPs.html.
d
Commerce, and it includes an Information Technology Laboratory (ITL). The ITL publishes special
nmap—A command-line tool. Nmap is used to scan networks, and it is a type of network scanner.
Ah
nonce—A number used once. Cryptography elements frequently use a nonce to add randomness. non-disclosure agreement (NDA)—An agreement that is designed to prohibit personnel from sharing proprietary data. It can be used with employees within the organization and with outside organizations. It is commonly embedded as a clause in a contract.
et
non-persistence—A method used in virtual desktops where changes made by a user are not saved. Most (or all) users have the same desktop. When users log off, the desktop reverts to its original state. access logs provide non-repudiation.
G
non-repudiation—The ability to prevent a party from denying an action. Digital signatures and normalization—The process of organizing tables and columns in a database. Normalization reduces
d
redundant data and improves overall database performance.
ie
nslookup—A command-line tool. The nslookup tool is used to test DNS on Microsoft systems. Compare with dig.
er tif
NTLM—New Technology LAN Manager. A suite of protocols that provide confidentiality, integrity, and authentication within Windows systems. Versions include NTLM, NTLMv2, and NTLM2 Session.
NTP—Network Time Protocol. Protocol used to synchronize computer times.
C
Pass the First Time with Quality Practice Test Questions
et
https://gcgapremium.com/sy0-601-practice-test-questions/
G
O
OAuth—An open source standard used for authorization with Internet-based single sign-on solutions. Many companies such as Google, Facebook, PayPal, Microsoft, and Twitter support OAuth. Users can sign on with their account using one of these companies and gain access to other
Security+ Practice Test Questions
https://gcgapremiumpass.com/sy0-601-practice-test-questions/
sites. OAuth focuses on authorization, not authentication, and RFC 6749, “The OAuth 2.0 Authorization Framework,” describes it. obfuscation—An attempt to make something unclear or difficult to understand. Steganography methods use obfuscation to hide data within data. Sometimes referred to as camouflage.
d
OCSP—Online Certificate Status Protocol. An alternative to using a CRL. It allows entities to query a CA with the serial number of a certificate. The CA answers with good, revoked, or unknown.
ea
offboarding—The process of removing an individuals access to an organization’s computing
resources leaving the company. It also includes collecting any equipment (such as smartphones,
Ah
tablets, or laptops), security badges, or proximity cards the organization issued to the employee. Compare with onboarding.
offline brute force password attack—A password attack against a database downloaded from a site. An offline attack can repeatedly guess passwords without ever getting locked out. Compare
et
with online brute force password attack.
onboarding—The process of granting individuals access to an organization’s computing resources permissions. Compare with offboarding.
G
after being hired. It typically includes giving the employee a user account with appropriate online brute force password attack—A password attack against an online system. Online systems
d
typically have account lockout capabilities, so online password attacks often use different methods password attack.
ie
(such as a spraying attack) to guess passwords. Compare with spraying attack and offline brute force
er tif
Online Certificate Status Protocol (OCSP)—An alternative to using a CRL. It allows entities to query a CA with the serial number of a certificate. The CA answers with good, revoked, or unknown.
on-path attack—A form of active interception or active eavesdropping. It uses a separate computer
C
that accepts traffic from each party in a conversation and forwards the traffic between the two. An on-path attack is sometimes referred to as a man-in-the-middle or man-in-the-broser attack. open—A wireless mode that doesn’t use security. Compare with Enterprise and PSK modes.
et
OpenID—An authentication standard maintained by the OpenID Foundation. An OpenID provider holds the user’s credentials and websites that support OpenID prompt users to enter their OpenID.
G
OpenID Connect (OIDC)—An open source standard used for identification on the Internet. It
builds on OpenID and uses the OAuth 2.0 framework. OIDC uses a JavaScript Object Notation (JSON) Web Token (JWT), sometimes called an ID token. open-source intelligence (OSINT)—A method of gathering data using public sources, such as
social media sites and news outlets. Copyright 2021 YCDA, LLC v0.1
OpenSSL—An open source software library used with Transport Layer Security (TLS) and the legacy Secure Sockets Layer (SSL) protocols. Many Linux distributions include access to OpenSSL via the command line. operational controls—Controls used to handle the day-to-day operations of an organization.
d
Operational controls help an organization comply with the security policy, and people implement them. Compare with managerial and technical controls.
ea
order of volatility—A term that refers to the order in which you should collect evidence. For example, data in memory is more volatile than data on a disk drive, so it should be collected first.
Ah
OSI—Open Systems Interconnection. The OSI reference model conceptually divides different networking requirements into seven separate layers.
OSINT—A method of gathering data using public sources, such as social media sites and news outlets.
et
out-of-band—A configuration that allows a device to collect traffic without the traffic passing through it. Sometimes called passive. Compare with inline.
G
Pass the First Time with Quality Practice Test Questions https://gcgapremium.com/sy0-601-practice-test-questions/
d
P
ie
P12—PKCS#12. A common format for PKI certificates. They are DER-based (binary) and often
er tif
hold certificates with the private key. They are commonly encrypted. P7B—PKCS#7. A common format for PKI certificates. They are CER-based (ASCII) and commonly used to share public keys.
PaaS—Platform as a Service. A cloud computing model. PaaS provides cloud customers with a preconfigured computing platform they can use as needed. PaaS is a fully managed platform,
C
meaning that the vendor keeps the platform up to date with current patches. Compare with IaaS, SaaS and XaaS.
et
PAM—Privileged access management. A method of protecting access to privileged accounts. PAM
implements the concept of just-in-time administration, giving users elevated privileges only when
G
they need them and only for a limited time. PAM is sometimes called privileged account management. PAP—Password Authentication Protocol. An older authentication protocol where passwords or PINs are sent across the network in cleartext. Compare with CHAP and MS-CHAPv2.
Security+ Practice Test Questions
https://gcgapremiumpass.com/sy0-601-practice-test-questions/
partially known environment test—A type of penetration test. Testers have some knowledge of the environment prior to starting the test. This was previously known as a gray box test. Compare with known environment test and unknown environment test. passive reconnaissance—A penetration testing method used to collect information. It typically uses
d
open-source intelligence. Compare with active reconnaissance. pass the hash—A password attack that captures and uses the hash of a password. It attempts to log
ea
on as the user with the hash and is commonly associated with the Microsoft NTLM protocol. password cracker—A tool used to discover passwords. includes evaluating and testing patches before deploying them.
Ah
patch management—The process used to keep systems up to date with current patches. It typically PBKDF2—Password-Based Key Derivation Function 2. A key stretching algorithm technique that adds additional bits to a password as a salt. It helps prevent brute force and rainbow table attacks.
et
Compare with Bcrypt and Argon2.
PDF—Portable Document Format. Type of file for documents. Attackers have embedded malware
G
in PDFs.
PEAP—Protected Extensible Authentication Protocol. An extension of EAP sometimes used with 802.1X. PEAP provides an extra layer of protection for EAP and it is sometimes used with 802.1X.
ie
EAP-FAST.
d
PEAP requires a certificate on the 802.1X server. Compare with EAP, EAP-TLS, EAP-TTLS, and PEM—Privacy Enhanced Mail. A common format for PKI certificates. It can use either CER
er tif
(ASCII) or DER (binary) formats and can be used for almost any type of certificates. penetration testing—A method of testing targeted systems to determine if vulnerabilities can be exploited. Penetration tests are intrusive.
perfect forward secrecy—A characteristic of encryption keys ensuring that keys are random.
C
Perfect forward secrecy methods generate random public keys for each session, and do not use deterministic algorithms. permanent agent—A NAC agent that is installed on a client. It checks the client for health.
et
Compare with agentless or dissolvable agent. Personal Identity Verification card (PIV)—A specialized type of smart card used by U.S. federal
G
agencies. It includes photo identification and provides confidentiality, integrity, authentication, and non-repudiation for the users. Compare with CAC. Personally Identifiable Information (PII)—Information about individuals that can be used to trace
a person’s identity, such as a full name, birth date, biometric data, and identifying numbers such as a
Copyright 2021 YCDA, LLC v0.1
Social Security number (SSN). Organizations have an obligation to protect PII and often identify procedures for handling and retaining PII in data policies such as encrypting it. PFX—Personal Information Exchange. A common format for PKI certificates. It is the predecessor to P12 certificates.
d
pharming—A type of DNS poisoning attack. Pharming attacks redirect a website’s traffic to another PHI—Personal Health Information. PII that includes health information.
ea
website.
phishing—The practice of sending spam to users with the purpose of tricking them into revealing links.
Ah
personal information or clicking on a link. Phishing often includes malicious attachments or malicious physical controls—Security controls that you can physically touch. Compare with preventive, detective, corrective, deterrent, and, compensating controls.
et
PII—Personally Identifiable Information. Information about individuals that can be used to trace a person’s identity, such as a full name, birth date, biometric data, and identifying numbers such as a
G
Social Security number (SSN). Organizations have an obligation to protect PII and often identify procedures for handling and retaining PII in data policies such as encrypting it. PIN—Personal identification number. A number known by a user and entered for authentication.
d
PINs are often combined with smart cards to provide dual-factor authentication.
ie
ping—A command-line tool. Ping is used to test connectivity with remote systems. pinning—A security mechanism used by some websites to prevent website impersonation. Websites website.
er tif
provide clients with a list of public key hashes. Clients store the list and use it to validate the PIV—Personal Identity Verification card. A specialized type of smart card used by U.S. federal agencies. It includes photo identification and provides confidentiality, integrity, authentication, and
C
non-repudiation for the users. Compare with CAC. pivoting—Process of using various tools to gain additional information on a system or network. After escalating privileges, a penetration tester (or attacker) uses the exploited computer to gain
et
additional information on other systems within the network. PKI—Public Key Infrastructure. Group of technologies used to request, create, manage, store,
G
distribute, and revoke digital certificates. Certificates include public keys along with details on the owner of the certificate, and on the CA that issued the certificate. Certificate owners share their public key by sharing a copy of their certificate. A PKI requires a trust model between CAs and most trust models are hierarchical and centralized with a central root CA.
Security+ Practice Test Questions
https://gcgapremiumpass.com/sy0-601-practice-test-questions/
plaintext—Text displayed in a readable format. Encryption converts plaintext to ciphertext, and plaintext is unencrypted. Compare with ciphertext. Platform as a Service (PaaS)—A cloud computing model. PaaS provides cloud customers with a preconfigured computing platform they can use as needed. PaaS is a fully managed platform,
d
meaning that the vendor keeps the platform up to date with current patches. Compare with IaaS, SaaS and XaaS.
ea
playbooks—Used with SOAR. A automated response to a potential checklist. Playbooks are derived from runbooks. Compare with SOAR and runbooks.
Ah
pointer dereference—A programming practice that uses a pointer to reference a memory area. A failed dereference operation can corrupt memory and sometimes even cause an application to crash.
POP3—Post Office Protocol v3. Used to transfer email from mail servers to clients. POP3 uses TCP port 110 for unencrypted connections and TCP port 995 for encrypted connections
et
port mirror—A monitoring port on a switch. All traffic going through the switch is also sent to the port mirror.
G
port taps—Monitoring ports on a network device. IDSs use taps to capture traffic. post-quantum cryptography—Cryptographic algorithms that are likely to be resistant to attacks from attackers using a quantum computer. NIST is expected to release a draft of selected standards
d
by 2024.
ie
posturing—A method of verifying a device complies with security policies. Some mobile device management (MDM) systems use device posturing to check the status of a device, such as the
er tif
operating system version and whether the screen lock is enabled or not. potentially unwanted programs (PUPs)—Software installed on users’ systems without their awareness or consent. Some of these unwanted programs are legitimate, but some are malicious, such as Trojans. Compare with spyware.
C
preshared key (PSK)—A secret shared among different systems. Wireless networks using WPA2 support Personal mode, where each device uses the same PSK. WPA3 uses a Simultaneous Authentication of Equals (SAE) instead of a PSK. Compare with Enterprise and Open modes.
et
preventive controls—Security controls that attempt to prevent a security incident from occurring. Compare with detective, corrective, deterrent, compensating, and physical security controls.
G
private data—Information about an individual that should remain private. Personally Identifiable
Information (PII) and Personal Health Information (PHI) are two examples. private key—Part of a matched key pair used in asymmetric encryption. The private key always
stays private. Compare with public key. privileged account—An account with elevated privileges, such as an administrator account. Copyright 2021 YCDA, LLC v0.1
privileged access management (PAM)—A method of protecting access to privileged accounts. PAM implements the concept of just-in-time administration, giving users elevated privileges only when they need them and only for a limited time. PAM is sometimes called privileged account management.
d
privilege escalation—The process of gaining elevated rights and permissions. Attackers and malware typically uses a variety of techniques to gain elevated privileges.
ea
proprietary data—Data that is related to ownership. Common examples are information related to patents or trade secrets.
Ah
Protected Extensible Authentication Protocol (PEAP)—An extension of EAP sometimes used with 802.1X. PEAP provides an extra layer of protection for EAP and it is sometimes used with 802.1X. PEAP requires a certificate on the 802.1X server. Compare with EAP, EAP-TLS, EAPTTLS, and EAP-FAST.
et
protocol analyzer—A tool used to capture network traffic. Both professionals and attackers use text.
G
protocol analyzers to examine packets. A protocol analyzer can be used to view data sent in clear proximity card readers—Devices that sense when proximity cards are close. They are often used by authorized personnel to open doors.
d
proximity cards—Small credit card-sized cards that activate when they are in close proximity to a
ie
proximity card reader. They are often used by authorized personnel to open doors. proxy server— A server used to forward requests for services such as HTTP or HTTPS. All internal
er tif
clients send their outgoing requests to the proxy server, and the proxy server sends the requests to the Internet server. Proxy servers increase performance by caching web pages and can filter URLs. A proxy server is commonly called a forward proxy server. Compare with reverse proxy server. pseudo-anonymization—The process of replacing PII data with pseudonyms. The data set appears
C
anonymous, but the owner of the data maintains a database that matches the pseudonyms back to the original data. Compare with anonymization, data masking, and tokenization. PSK—Preshared key. A secret shared among different systems. Wireless networks using WPA2
et
support Personal mode, where each device uses the same PSK. WPA3 uses a Simultaneous Authentication of Equals (SAE) instead of a PSK. Compare with Enterprise and Open modes.
G
public data—Data that is available to anyone. It might be in brochures, in press releases, or on
websites. public key—Part of a matched key pair used in asymmetric encryption. The public key is publicly
available. Compare with private key.
Security+ Practice Test Questions
https://gcgapremiumpass.com/sy0-601-practice-test-questions/
public ledgers—A record of transactions such as deposits and withdrawals. Blockchain uses public ledgers used to track transactions while keeping the transactions anonymous. Some ransomware transactions can be viewed by viewing the public ledgers, but the transactions are still anonymous. Compare with blockchain.
d
Public Key Infrastructure (PKI)—Group of technologies used to request, create, manage, store, distribute, and revoke digital certificates. Certificates include public keys along with details on the
ea
owner of the certificate, and on the CA that issued the certificate. Certificate owners share their
public key by sharing a copy of their certificate. A PKI requires a trust model between CAs and most
Ah
trust models are hierarchical and centralized with a central root CA.
pulping—A data sanitization process. Pulping is performed after shredding papers, and it reduces the shredded paper to a mash or puree. Compare with burning, shredding, pulverizing, and degaussing.
et
PUPs—Potentially unwanted programs. Software installed on users’ systems without their such as Trojans. Compare with spyware.
G
awareness or consent. Some of these unwanted programs are legitimate, but some are malicious, pulverizing— A data sanitization process. A process used to physically destroy items such as optical degaussing.
d
discs that can’t be erased by a degausser. Compare with burning, shredding, pulping, and
ie
purging—A data sanitization process. A general sanitization term indicating that all sensitive data has been removed from a device. Compare with burning, shredding, pulping, pulverizing, and
er tif
degaussing.
purple team—Personnel involved in cybersecurity readiness that can join either a red team or a blue team. Compare with red team, blue team, white team and capture the flag. push notification services—The services that send messages to mobile devices. Many mobile
et
Q
C
device applications push notification messages to users.
qualitative risk assessment—A risk assessment that uses judgment to categorize risks. It is based
G
on impact and likelihood of occurrence. quantitative risk assessment—A risk assessment that uses specific monetary amounts to identify
cost and asset value. It then uses the SLE and ARO to calculate the ALE. quantum computing—Cryptography that uses quantum mechanical properties to perform
cryptographic tasks. Copyright 2021 YCDA, LLC v0.1
quantum cryptography—An example of quantum computing. It uses quantum computing standards to create a cryptographic key.
R
d
RA—Recovery agent. A designated individual who can recover or restore cryptographic keys. In the
ea
context of a PKI, a recovery agent can recover private keys to access encrypted data, or in some
situations, recover the data without recovering the private key. In some cases, recovery agents can recover the private key from a key escrow.
Ah
RADIUS—Remote Authentication Dial-In User Service. Provides central authentication for remote access clients. RADIUS uses symmetric encryption to encrypt the password packets, and it uses UDP by default. In contrast, TACACS+ encrypts the entire authentication process and uses TCP. RFC 3579 “RADIUS Support for EAP” supports encryption of the entire authentication process
et
using TCP. Compare with TACACS+.
race condition—A programming flaw that occurs when two sets of code attempt to access the same
G
resource. The first one to access the resource wins, which can result in inconsistent results. RAID—Redundant array of inexpensive disks. Multiple disks added together to increase
d
performance or provide protection against faults. RAID helps prevent disk subsystems from being a single point of failure. Compare with RAID-0, RAID-1, RAID-5, RAID-6, and RAID-10.
ie
RAID-0—Disk striping. RAID-0 improves performance but does not provide fault tolerance.
er tif
RAID-1—Disk mirroring. RAID-1 uses two disks and provides fault tolerance. RAID-5—Disk striping with parity. RAID-5 uses three or more disks and provides fault tolerance. It can survive the failure of a single drive.
RAID-6—Disk striping with parity. RAID-6 uses four or more disks and provides fault tolerance. It can survive the failure of two drives.
C
RAID-10—Disk mirroring with striping. RAID-10 combines the features of mirroring (RAID-1) and striping (RAID-0). The minimum number of drives in a RAID-10 is four, and a RAID-10 always has
et
an even number of drives.
rainbow table—A file containing precomputed hashes for character combinations. Rainbow tables
G
are used to discover passwords. PBKDF2, Bcrypt, and Argon2 thwart rainbow table attacks.
RAM—Random access memory. Volatile memory within a computer that holds active processes,
data, and applications. Data in RAM is lost when the computer is turned off. Memory forensics analyzes data in RAM.
Security+ Practice Test Questions
https://gcgapremiumpass.com/sy0-601-practice-test-questions/
ransomware—A type of malware used to extort money from individuals and organizations. Ransomware typically encrypts the user’s data and demands a ransom before decrypting the data. Rapid Spanning Tree Protocol (RSTP)—An improvement over STP. STP and RSTP protocols are enabled on most switches and protect against switching loops, such as those caused when two ports
d
of a switch are connected together. RAS—Remote Access Service. Provides access to an internal network from an outside source
ea
location using dial-up or a VPN.
RAT—Remote access Trojan. Malware that allows an attacker to take control of a system from a
Ah
remote location. A RAT gives an attacker full control over a user’s system from a remote location over the Internet.
RDP—Remote Desktop Protocol. Used to connect to remote systems. Microsoft uses RDP in TCP 3389 or UDP 3389.
et
different services such as Remote Desktop Services and Remote Assistance. RDP uses either port real-time operating system (RTOS)—An operating system that reacts to input within a specific
G
time. Many embedded systems include an RTOS.
reconnaissance—A penetration phase where testers gather information on a target. Compare with active reconnaissance and passive reconnaissance.
d
recovery agent (RA)—A designated individual who can recover or restore cryptographic keys. In
ie
the context of a PKI, a recovery agent can recover private keys to access encrypted data, or in some situations, recover the data without recovering the private key. In some cases, recovery agents can
er tif
recover the private key from a key escrow.
recovery point objective (RPO)—A term that refers to the amount of data you can afford to lose by identifying a point in time where data loss is acceptable. It is often identified in a BIA. Compare with RTO.
C
recovery site—An alternate location for business functions after a major disaster. Compare with cold site, warm site, and hot site. recovery time objective (RTO)—The maximum amount of time it should take to restore a system
et
after an outage. It is derived from the maximum allowable outage time identified in the BIA. Compare with RPO.
G
red team—Personnel involved in cybersecurity readiness that are experts in attacking systems. Red team members emulate the techniques used by potential attackers. Compare with blue team, purple team, white team, and capture the flag.
redundancy—The process of adding duplication to critical system components and networks. Redunancy and fault-tolerance methods increase increase availability supporting resiliency. Copyright 2021 YCDA, LLC v0.1
redundant array of inexpensive disks (RAID)—Multiple disks added together to increase performance or provide protection against faults. RAID helps prevent disk subsystems from being a single point of failure. Compare with RAID-0, RAID-1, RAID-5, RAID-6, and RAID-10. refactoring—A driver manipulation method. Developers rewrite the code without changing the
d
driver’s behavior. registration authority (RA)—An entity that can collect registration information for a certificate
ea
authority (CA). An RA never issues certificates, but instead only assists the CA. All CAs don’t use an RA. Compare with certificate authority.
Ah
remote access Trojan (RAT)—Malware that allows an attacker to take control of a system from a remote location. A RAT gives an attacker full control over a user’s system from a remote location over the Internet.
Remote Authentication Dial-In User Service (RADIUS)—Provides central authentication for
et
remote access clients. RADIUS uses symmetric encryption to encrypt the password packets, and it uses UDP by default. In contrast, TACACS+ encrypts the entire authentication process and uses
G
TCP. RFC 3579 “RADIUS Support for EAP” supports encryption of the entire authentication process using TCP. Compare with TACACS+.
Remote Desktop Protocol (RDP)—Used to connect to remote systems. Microsoft uses RDP in
ie
TCP 3389 or UDP 3389.
d
different services such as Remote Desktop Services and Remote Assistance. RDP uses either port remote wipe—The process of sending a signal to a remote device to erase all data. It is useful when a
er tif
mobile device is lost or stolen.
replay attack—An attack where the data is captured and replayed. Attackers typically modify data before replaying it.
resilience—A system’s ability to continue to operate even after an adverse event. Resilience is
C
similar to availability. However, availability tries to keep systems operational 100 percent of the time, which isn’t possible. In contrast, resilience expects systems to have outages and seeks to restore the system to full operation as soon as possible after the outage. Compare with availability.
et
resource exhaustion—The malicious result of many DoS and DDoS attacks. The attack overloads a
computer’s resources (such as the processor and memory), resulting in service interruption.
G
retina scanners—A biometric authentication system. Retina scanners scan the retina of an eye for authentication. Some people object to using these scanners for authentication because they can identify medical issues and because you typically need to have physical contact with the scanner.
Security+ Practice Test Questions
https://gcgapremiumpass.com/sy0-601-practice-test-questions/
reverse proxy server—A server used to accept requests from the Internet and forward them to a Web server. It appears to clients as a web server but is forwarding the requests to the web server and serving the pages returned by the web server. Compare with forward proxy server. RFI—Radio frequency interference. Interference from RF sources such as AM or FM transmitters.
d
RFI can be filtered to prevent data interference, and cables can be shielded to protect signals from RFI.
ea
RFID—Radio frequency identification. RFID methods are often used for inventory control.
RFID attacks—Attacks against radio-frequency identification (RFID) systems. Some common
Ah
RFID attacks are eavesdropping, replay, and DoS.
Rich Communication Services (RCS)— An extension of SMS and MMS. RCS supports all of the features of MMS and adds a few additional features. If a system doesn’t support RCS, it can default to SMS or MMS. Compare with SMS and Multimedia Message Service.
et
risk—The possibility or likelihood of a threat exploiting a vulnerability resulting in a loss. Compare with threat and vulnerability.
G
risk assessment—A process used to identify and prioritize risks. It includes quantitative risk assessments and qualitative risk assessments. Compare with quantitative assessment and qualitative assessment.
d
risk management—The practice of identifying, monitoring, and limiting risks to a manageable assessments.
ie
level. It includes risk response techniques, qualitative risk assessments, and quantitative risk
er tif
Risk Management Framework (RMF)—A framework for identifying and managing risk. NIST published it as SP 800-37, “Risk Management Framework for Information Systems and Organizations.” It includes seven steps: prepare, categorizing information systems, select security controls, assess security controls, authorize information systems, monitor security controls.
C
risk matrix—A graph that plots risks onto a graph or chart. A risk matrix typically plots the likelihood of occurrence against the impact of a risk. Compare with heat map. risk mitigation—The process of reducing risk by implementing security controls. Security controls
et
reduce risk by reducing vulnerabilities associated with a risk or by reducing the impact of a threat.
risk register—A document listing information about known risks. It typically includes risk scores
G
along with recommended security controls to reduce the risk scores.
risk response techniques—Methods used to manage risks. Common risk response techniques are
accept, avoid, mitigate, transfer, and cybersecurity insurance. RMF—Risk Management Framework. A framework for identifying and managing risk. NIST published it as SP 800-37, “Risk Management Framework for Information Systems and Copyright 2021 YCDA, LLC v0.1
Organizations.” It includes seven steps: prepare, categorizing information systems, select security controls, assess security controls, authorize information systems, monitor security controls. rogue AP—An unauthorized AP. It can be placed by an attacker or an employee who hasn’t obtained permission to do so. An evil twin is a special type of rogue AP with the same or similar SSIS as a
d
legitimate AP. ROI—Return of investment or return on investment. A performance measure used to identify when
ea
an investment provides a positive benefit to the investor. It is sometimes considered when evaluating the purchase of new security controls.
Ah
role-based access control—An access control scheme. Role-based access control uses roles based on jobs and functions to define access. It is often implemented with groups (providing group-based privileges) and uses a matrix as a planning document to match roles with the required privileges. Compare with ABAC, DAC, MAC, and rule-based access control.
et
root certificate—A PKI certificate identifying a root CA. access. Compare with jailbreaking.
G
rooting—The process of modifying an Android device, giving the user root-level, or administrator, rootkit—A type of malware that has system-level access to a computer. Rootkits are often able to hide themselves from users and antivirus software.
d
ROT13—A substitution cipher that uses a key of 13. To encrypt a message, you would rotate each
ie
letter 13 spaces. To decrypt a message, you would rotate each letter 13 spaces. router—A network device that connects multiple network segments together into a single network. ACLs.
er tif
They route traffic based on the destination IP address and do not pass broadcast traffic. Routers use RPO—Recovery point objective. A term that refers to the amount of data you can afford to lose by identifying a point in time where data loss is acceptable. It is often identified in a BIA. Compare
C
with RTO.
RSA—Rivest, Shamir, and Adleman. An asymmetric algorithm used to encrypt data and digitally sign transmissions. It is named after its creators, Rivest, Shamir, and Adleman. RSA uses both a
et
public key and a private key in a matched pair.
RSTP—Rapid Spanning Tree Protocol. An improvement over STP. STP and RSTP protocols are
G
enabled on most switches and protect against switching loops, such as those caused when two ports of a switch are connected together. RTO—Recovery time objective. The maximum amount of time it should take to restore a system
after an outage. It is derived from the maximum allowable outage time identified in the BIA. Compare with RPO.
Security+ Practice Test Questions
https://gcgapremiumpass.com/sy0-601-practice-test-questions/
RTOS—Real-time operating system. An operating system that reacts to input within a specific time. Many embedded systems include an RTOS. rule-based access control—An access control scheme. Rule-based access control is based on a set of approved instructions, such as an access control list, or rules that trigger in response to an event
d
such as modifying ACLs after detecting an attack. Compare with ABAC, DAC, MAC, and role-based access control.
ea
runbooks—Used with SOAR. A checklist of things to check in response to a suspected incident. Runbooks are used when creating playbooks. Compare with SOAR and playbooks.
Ah
S
SaaS—Software as a Service. A cloud computing model. SaaS provides applications over the up-to-date. Compare with IaaS, PaaS and XaaS.
et
Internet, such as webmail. The vendor is responsible for keeping the SaaS applications available and salt—A random set of data added to a password when creating the hash. PBKDF2, Bcrypt, and
G
Argon2 are some protocols that use salts. These help thwart rainbow table attacks. salting—The process of adding a random set of data to a password when creating the hash. PBKDF2,
d
Bcrypt, and Argon2 are three protocols that use salts.
SAML—Security Assertions Markup Language. An XML-based standard used to exchange
er tif
web-based applications.
ie
authentication and authorization information between different parties. SAML provides SSO for SAN—Storage Area Network. A specialized network of high-speed storage devices. sandboxing—The use of an isolated area on a system, typically for testing. Virtual machines are often used to test patches in an isolated sandbox. Application developers sometimes use sandboxes to create isolated systems for testing. Antivirus software uses sandboxes to check suspicious
C
software before allowing it to run on a system. sanitize—The process of destroying or removing all sensitive data from systems and devices. Data
et
sanitization methods include burning, shredding, pulping, pulverizing, degaussing, purging, and wiping.
G
SCADA—Supervisory control and data acquisition. A system used to control an ICS such as a power plant or water treatment facility. Ideally, a SCADA is within an isolated network without direct access to the Internet. NIPS systems and VLANs provide a layer of protection for SCADA systems. Compare with ICS. scalability—A system's ability to handle increased workload either by scaling up or by scaling out. Copyright 2021 YCDA, LLC v0.1
Scaling up adds additional resources (such as more RAM) to a server, and scaling out adds additional servers. Compare with elasticity. SCP—Secure Copy. Based on SSH, SCP allows users to copy encrypted files over a network. SCP uses TCP port 22.
d
screened subnet—A buffer zone between the Internet and an internal network. It allows access to services while segmenting access to the internal network. Internet clients can access the services
ea
hosted on servers in the screened subnet, but the screened subnet provides a layer of protection for the internal network. A screened subnet was previously known as a demilitarized zone (DMZ).
Ah
Compare with DMZ.
screen filter—A physical security device used to reduce visibility of a computer screen. Screen filters help prevent shoulder surfing.
script kiddie—An attacker with little expertise or sophistication. Script kiddies use existing scripts
et
to launch attacks.
SDN—Software defined network. A method of using software and virtualization technologies to
G
replace hardware routers. SDNs separate the data and control planes.
SDV—Software-defined visibility. Technologies used to view all network traffic. SDV technologies ensure that all cloud-based traffic is viewable and can be analyzed.
d
Secure Hash Algorithm (SHA)—A hashing function used to provide integrity. Versions include
ie
SHA-1, SHA-2, and SHA-3. SHA-1 is no longer approved for most cryptographic uses due to weaknesses. SHA-2 has four versions (Sha-256, SHA-512, SHA-224, and SHA-384). SHA-3
er tif
(previously known as Keccak) was selected as the next version after a public competition. Secure/Multipurpose Internet Mail Extensions (S/MIME)—Used to secure email. S/MIME provides confidentiality, integrity, authentication, and non-repudiation. It can digitally sign and encrypt email, including the encryption of email at rest and in transit. It uses RSA, with public and
C
private keys for encryption and decryption, and depends on a PKI for certificates. Secure Orchestration, Automation, and Response (SOAR)—Tools used to automatically respond to low-level security events. Runbooks are the checklists used to create the automated responses and
et
playbooks are the automated actions created from the runbooks. Compare with playbooks and runbooks.
G
Secure Real-time Transport Protocol (SRTP)—A protocol used to encrypt and provide
authentication for Real-time Transport Protocol (RTP) traffic. RTP is used for audio/video streaming.
Security+ Practice Test Questions
https://gcgapremiumpass.com/sy0-601-practice-test-questions/
Secure Shell (SSH)—A protocol used to encrypt network traffic. SSH encrypts a wide variety of traffic such as SCP, SFTP, Telnet, and TCP Wrappers. SSH uses TCP port 22. SSH is a more secure alternative than Telnet when connecting to remote servers. Secure Sockets Layer (SSL)—The predecessor to TLS. SSL is used to encrypt data in transit with
d
the use of certificates. Security Assertions Markup Language (SAML)—An XML-based standard used to exchange
ea
authentication and authorization information between different parties. SAML provides SSO for web-based applications.
Ah
security incident—An adverse event or series of events that can negatively affect the
confidentiality, integrity, or availability of an organization’s information technology (IT) systems and data. Sometimes referred to as an incident.
Security information and event management (SIEM)—A system that provides a centralized logs to the SIEM system, and it aggregates the logs.
et
solution for collecting, analyzing, and managing log data from multiple sources. Log collectors send
G
SED—Self-encrypting drive. A drive that includes the hardware and software necessary to encrypt a hard drive. SEDs include all the encryption circuitry built into the drive, and they automatically encrypt the drive without user action. Users typically enter credentials to decrypt and use the drive.
d
Compare with FDE.
ie
self-encrypting drive (SED)—A drive that includes the hardware and software necessary to encrypt a hard drive. SEDs include all the encryption circuitry built into the drive, and they automatically
er tif
encrypt the drive without user action. Users typically enter credentials to decrypt and use the drive. Compare with FDE.
SELinux—Security-Enhanced Linux. An operating system platform that prevents malicious or suspicious code from executing on both Linux and Unix systems. It is one of the few operating
C
systems that use the MAC model. Enforcing mode will enforce the SELinux policy and ignore permissions. Permissive mode does not enforce the SELinux policy but instead logs any access that would normally be blocked. Disabled mode does not enforce the SELinux policy and does not log
et
anything related to the policy. separation of duties—A security principle. The separation of duties principle prevents any single
G
person or entity from controlling all the functions of a critical or sensitive process. It’s designed to prevent fraud, theft, and errors.
service account—An account used by a service or application. service level agreement (SLA)—An agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels. Organizations Copyright 2021 YCDA, LLC v0.1
use SLAs when contracting services from service providers such as Internet Service Providers (ISPs). session hijacking—An attack that attempts to impersonate a user by capturing and using a session ID. Session IDs are stored in cookies.
d
Service Set Identifier (SSID)—The name of a wireless network. SSIDs can be set to broadcast so users can easily see the SSID. Disabling SSID broadcast hides it from casual users, but an attacker can discover it
ea
with a wireless sniffer. It’s recommended to change the SSID from the default name.
SFTP—SSH File Transfer Protocol. An extension of Secure Shell (SSH) used to encrypt FTP
Ah
traffic. SFTP transmits data using TCP port 22. SFTP is sometimes referred to as secure FTP.
SHA—Secure Hash Algorithm. A hashing function used to provide integrity. Versions include SHA-1, SHA-2, and SHA-3. SHA-1 is no longer approved for most cryptographic uses due to weaknesses. SHA-2 has four versions (Sha-256, SHA-512, SHA-224, and SHA-384). SHA-3
et
(previously known as Keccak) was selected as the next version after a public competition. shadow IT—Unauthorized systems or applications installed on a network. Users sometimes install
G
systems without approval, often to bypass security controls. Shadow IT increases risks because these systems aren’t managed.
shimming—A driver manipulation method. It uses additional code to modify the behavior of a driver.
d
Simple Network Management Protocol, version 3 (SNMPv3)—Used to manage and monitor
ie
network devices such as routers or switches. SNMP agents report information via notifications known as SNMP traps or SNMP device traps. SNMP uses UDP ports 161 and 162.
er tif
single loss expectancy (SLE)—The monetary value of any single loss. It is used to measure risk with ALE and ARO in a quantitative risk assessment. The calculation is SLE × ARO = ALE. Compare with ALE and ARO.
shoulder surfing—The practice of looking over someone’s shoulder to obtain information, such as
C
on a computer screen. A screen filter placed over a monitor helps reduce the success of shoulder surfing.
shredding—A method of destroying data or sanitizing media. Cross-cut paper shredders cut papers
et
into fine particles. File shredders remove all remnants of a file by overwriting the contents multiple times.
G
sideloading—The process of copying an application package to a mobile device. It is useful for
developers when testing apps, but can be risky if users sideload unauthorized apps to their device. SIEM—Security information and event management. A system that provides a centralized solution
for collecting, analyzing, and managing log data from multiple sources. Log collectors send logs to the SIEM system, and it aggregates the logs.
Security+ Practice Test Questions
https://gcgapremiumpass.com/sy0-601-practice-test-questions/
signature-based—A type of monitoring used on intrusion detection and intrusion prevention systems. It detects attacks based on known attack patterns documented as attack signatures. SIM—Subscriber Identity Module. A small card that contains programming and information for small devices such as cell phones. The SIM card identifies what countries or networks the device
d
will use. simulation exercise—Functional exercises that allow personnel to test plans in a simulated
ea
operational environment. Personnel go through the actual steps of an exercise but in a simulated environment.
Ah
single point of failure (SPOF)—Any component whose failure results in the failure of an entire
system. Elements such as RAID, failover clustering, UPS, and generators remove many single points of failure.
single sign-on (SSO)—Authentication method where users can access multiple resources on a
et
network using a single account. SSO can provide central authentication against a federated database for different operating systems.
G
SLA—Service level agreement. An agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels. Organizations use SLAs when contracting services from service providers such as Internet Service Providers
d
(ISPs).
ie
SLE—Single loss expectancy. The monetary value of any single loss. It is used to measure risk with ALE and ARO in a quantitative risk assessment. The calculation is SLE × ARO = ALE. Compare
er tif
with ALE and ARO.
smart card—A credit card-sized card that has an embedded microchip and a certificate. It is used for authentication in the something you have factor of authentication. S/MIME—Secure/Multipurpose Internet Mail Extensions. Used to secure email. S/MIME provides
C
confidentiality, integrity, authentication, and non-repudiation. It can digitally sign and encrypt email, including the encryption of email at rest and in transit. It uses RSA, with public and private keys for encryption and decryption, and depends on a PKI for certificates.
et
smishing—A mashup of SMS and phishing. The practice of sending spam to users via text. SMS—Short Message Service. A basic text messaging service. Most mobile devices support SMS.
G
Compare with Multimedia Message Service and Rich Communication Services. SMTP—Simple Mail Transfer Protocol. Used to transfer email between clients and servers and
between email servers and other email servers. SMTP uses TCP port 25.
Copyright 2021 YCDA, LLC v0.1
snapshot—A copy of a virtual machine (VM) at a moment in time. If you later have problems with the VM, you can revert it to the state it was in when you took the snapshot. Some backup programs also use snapshots to create a copy of data at a moment in time. SNMPv3—Simple Network Management Protocol. Used to manage and monitor network devices
d
such as routers or switches. SNMP agents report information via notifications known as SNMP traps or SNMP device traps. SNMP uses UDP ports 161 and 162.
ea
SOAR—Secure Orchestration, Automation, and Response. Tools used to automatically respond to low-level security events. Runbooks are the checklists used to create the automated responses and
Ah
playbooks are the automated actions created from the runbooks. Compare with playbooks and runbooks.
SoC—System on chip. An integrated circuit that includes a computing system within the hardware. Many mobile devices include an SoC.
et
social engineering—The practice of using social tactics to gain information. Social engineers attempt to gain information from people, or get people to do things they wouldn’t normally do.
G
Software as a Service (SaaS)—A cloud computing model. SaaS provides applications over the Internet, such as webmail. The vendor is responsible for keeping the SaaS applications available and up-to-date. Compare with IaaS, PaaS, and XaaS.
d
software defined network (SDN)—A method of using software and virtualization technologies to
ie
replace hardware routers. SDNs separate the data and control planes. software-defined visibility (SDV) —Technologies used to view all network traffic. SDV technologies
er tif
ensure that all cloud-based traffic is viewable and can be analyzed. solid state drive (SSD)—A drive used in place of a traditional hard drive. An SSD has no moving parts but instead stores the contents as nonvolatile memory. SSDs are much quicker than traditional hard drives.
C
someone you know— An authentication attribute. The someone you know attribute indicates that someone is vouching for you. Compare with somewhere you are, something you can do, something you exhibit, and authentication factors.
et
something you are—An authentication factor. The something you are factor of authentication uses
biometrics, such as a fingerprint scanner. Compare with something you know and something you
G
have.
something you can do— An authentication attribute. The something you can do attribute indicates action, such as gestures on a touch screen. Compare with somewhere you are, something you exhibit,
someone you know, and authentication factors.
Security+ Practice Test Questions
https://gcgapremiumpass.com/sy0-601-practice-test-questions/
something you exhibit— An authentication attribute. The something you exhibit attribute indicates something someone wears, such as an identification badge. Compare with somewhere you are, something you can do, someone you know, and authentication factors. something you have—An authentication factor. The something you have factor of authentication
d
refers to something a user possesses, such as a smart card. Compare with something you know and something you are.
ea
something you know—An authentication factor. The something you know factor of authentication
refers to something a user knows, such as a password or PIN. Compare with something you have and
Ah
something you are.
somewhere you are—An authentication attribute. The somewhere you are attribute identifies a user’s location using geolocation technologies. Compare with something you can do, something you exhibit, someone you know, and authentication factors.
et
spam—Unwanted or unsolicited email. Attackers often launch attacks using spam. spam filter—A method of blocking unwanted email. By blocking email, it often blocks malware.
G
spam over Internet messaging (SPIM)—A form of spam using instant messaging. SPIM targets instant messaging users.
Spanning Tree Protocol (STP)—Protocol enabled on most switches that protects against switching
d
loops. A switching loop is caused when two ports of a switch are connected together.
ie
spear phishing—A targeted form of phishing. Spear phishing attacks attempt to target specific groups of users, such as those within a specific organization or even a single user.
er tif
SPIM—Spam over Internet Messaging. A form of spam using instant messaging. SPIM targets instant messaging users.
split tunnel—An encrypted connection used with VPNs. A split tunnel only encrypts traffic going to private IP addresses used in the private network. Compare with full tunnel.
C
SPOF—Single point of failure. Any component whose failure results in the failure of an entire system. Elements such as RAID, failover clustering, UPS, and generators remove many single points of failure.
et
spraying attack—A password attack that loops through a list of targeted user accounts. It picks a
password and then tries it against each of the accounts in the list. These targeted user accounts can be
G
on multiple systems. Once it gets through the list, it picks another password and loops through the list again. This bypasses account lockout policies because it takes a long time before it guesses a password for the same account again.
Copyright 2021 YCDA, LLC v0.1
spyware—Software installed on users’ systems without their awareness or consent. Its purpose is often to monitor the user’s computer and the user’s activity. Compare with potentially unwanted programs. SQL—Structured Query Language. Used by SQL-based databases, such as Microsoft SQL Server.
d
Websites integrated with a SQL database are subject to SQL injection attacks. Input validation with forms and stored procedures help prevent SQL injection attacks. Microsoft SQL Server uses TCP
ea
port 1433 by default.
SRTP—Secure Real-time Transport Protocol. A protocol used to encrypt and provide authentication
Ah
for Real-time Transport Protocol (RTP) traffic. RTP is used for audio/video streaming.
SSD—Solid state drive. A drive used in place of a traditional hard drive. An SSD has no moving parts but instead stores the contents as nonvolatile memory. SSDs are much quicker than traditional hard drives.
et
SSH—Secure Shell. A protocol used to encrypt network traffic. SSH encrypts a wide variety of traffic such as SCP, SFTP, Telnet, and TCP Wrappers. SSH uses TCP port 22. SSH is a more secure
G
alternative than Telnet when connecting to remote servers.
SSH File Transfer Protocol (SFTP)—An extension of Secure Shell (SSH) used to encrypt FTP traffic. SFTP transmits data using TCP port 22. SFTP is sometimes referred to as secure FTP.
d
SSID—Service Set Identifier. The name of a wireless network. SSIDs can be set to broadcast so users
ie
can easily see the SSID. Disabling SSID broadcast hides it from casual users, but an attacker can discover it
with a wireless sniffer. It’s recommended to change the SSID from the default name.
er tif
SSO—Single sign-on. Authentication method where users can access multiple resources on a network using a single account. SSO can provide central authentication against a federated database for different operating systems.
stapling—The process of appending a digitally signed OCSP response to a certificate. It reduces the
C
overall OCSP traffic sent to a CA.
stateful firewall— A firewall that filters traffic based on the state of the traffic within a session. A stateful firewall inspects traffic and makes decisions based on the traffic context or state.
et
stateless firewall—A firewall that filters traffic based on the contents of each packet. Stateless firewalls
filter traffic based on IP addresses, ports, and protocols.
G
steganography—The practice of hiding data within data. For example, it’s possible to embed text files within an image, hiding them from casual users. Other methods include hiding data with audio and video files. Steganography can obscure data to hide it. Storage Area Network (SAN)—A specialized network of high-speed storage devices.
Security+ Practice Test Questions
https://gcgapremiumpass.com/sy0-601-practice-test-questions/
storage segmentation—A method used to isolate data on mobile devices. It allows personal data to be stored in one location and encrypted corporate data to be stored elsewhere. stored procedures—A group of SQL statements that execute as a whole, similar to a mini-program. Developers use stored procedures to prevent SQL injection attacks. loops. A switching loop is caused when two ports of a switch are connected together.
d
STP—Spanning Tree Protocol. Protocol enabled on most switches that protects against switching
ea
stream cipher—An encryption method that encrypts data as a stream of bits or bytes. Compare with block cipher.
Ah
Structured Query Language (SQL)—Used by SQL-based databases, such as Microsoft SQL Server. Websites integrated with a SQL database are subject to SQL injection attacks. Input
validation with forms and stored procedures help prevent SQL injection attacks. Microsoft SQL Server uses TCP port 1433 by default.
et
Subscriber Identity Module (SIM)—A small smart card that contains programming and information for small devices such as cell phones. The SIM card identifies what countries or
G
networks the device will use.
substitution cipher—An encryption method that replaces characters with other characters. Supervisory control and data acquisition (SCADA)—Supervisory control and data acquisition. A
d
system used to control an ICS such as a power plant or water treatment facility. Ideally, a SCADA is
ie
within an isolated network without direct access to the Internet. NIPS systems and VLANs provide a layer of protection for SCADA systems. Compare with ICS.
er tif
supply chain—All the elements required to produce and sell products and services. If the supply chain is disrupted, it impacts an organization’s ability to produce and sell products and services. switch—A network device used to connect devices. Layer 2 switches send traffic to ports based on their MAC addresses. Layer 3 switches send traffic to ports based on their IP addresses and support
C
VLANs.
symmetric encryption—A type of encryption using a single key to encrypt and decrypt data. Symmetric encryption is faster than asymmetric encryption Compare with asymmetric encryption.
et
SYN—Synchronize. The first packet in a TCP handshake. In a SYN flood attack, attackers send this packet, but don’t complete the handshake after receiving the SYN/ACK packet.
G
system on chip (SoC)—An integrated circuit that includes a computing system within the hardware.
Many mobile devices include an SoC.
Copyright 2021 YCDA, LLC v0.1
Pass the First Time with Quality Practice Test Questions https://gcgapremium.com/sy0-601-practice-test-questions/
ea
d
T
tabletop exercise—A discussion-based exercise where participants talk through an event while
sitting at a table or in a conference room. It is often used to test business continuity plans (BCPs) and
Ah
disaster recovery plans (DRPs).
TACACS+—Terminal Access Controller Access-Control System+. Provides central authentication for remote access clients and used as an alternative to RADIUS. TACACS+ uses TCP port 49. It
et
encrypts the entire authentication process, compared with the default RADIUS, which only encrypts the password. It uses multiple challenges and responses. Compare with RADIUS.
G
tainted data—A risk associated with machine learning and AI-enabled systems. People write algorithms, and sometimes people inadvertently insert their bias into their code and data used by their code. As an example, the Correctional Offender Management Profiling for Alternative
d
Sanctions (COMPAS) algorithm used in US court systems to predict recidivism reportedly produced
ie
twice as many false positives for black offenders (45%) than white offenders (23%). Compare with data bias.
er tif
tailgating—A social engineering attack where one person follows behind another person without using credentials. Access control vestibules help prevent tailgating. TCO—Total cost of ownership. A factor considered when purchasing new products and services. TCO attempts to identify the cost of a product or service over its lifetime.
C
TCP—Transmission Control Protocol. Provides guaranteed delivery of IP traffic using a three-way handshake. Compare with UDP. TCP/IP—Transmission Control Protocol/Internet Protocol. Represents the full suite of protocols
et
used on the Internet and most internal networks. tcpdump—A command-line protocol analyzer. Administrators use it to capture packets.
G
tcprelay—A command-line protocol tool. Tcpreplay is a suite of utilities used to edit packet captures
and then send the edited packets over the network. technical controls—Security controls implemented through technology. This includes hardware, software, and firmware technical controls. Compare with managerial and operational controls.
Security+ Practice Test Questions
https://gcgapremiumpass.com/sy0-601-practice-test-questions/
technology diversity—The practice of using different technologies to protect an environment Compare with control diversity, vendor diversity, and crypto diversity. Terminal Access Controller Access-Control System+ (TACACS+)—Provides central authentication for remote access clients and used as an alternative to RADIUS. TACACS+ uses TCP
d
port 49. It encrypts the entire authentication process, compared with the default RADIUS, which only encrypts the password. It uses multiple challenges and responses. Compare with RADIUS.
ea
tethering—The process of sharing an Internet connection from one mobile device to another.
TFTP—Trivial File Transfer Protocol. Used to transfer small amounts of data with UDP port 69. In
Ah
contrast, FTP is used to transfer larger files using TCP ports 20 and 21.
TGT—Ticket Granting Ticket. Used with Kerberos. A KDC (or TGT server) issues timestamped tickets that expire after a certain time period.
third-party app store—An app store other than the primary source for mobile device apps. It refers
et
to an app store other than the App Store or Google Play for Apple and Android devices, respectively.
G
threat—Any circumstance or event that has the potential to compromise confidentiality, integrity, or availability. Compare with risk and vulnerability.
time-based logins—An account restriction that prevents users from logging on at certain times.
d
Time-based One-Time Password (TOTP)—An open standard used for creating one-time
ie
passwords, TOTP is similar to HOTP, but it uses a timestamp instead of a counter. One-time passwords created with TOTP expire after 30 seconds. Compare with HOTP.
er tif
time offset—An offset used by logs to provide consistency in timestamps. As an example, many logs use Greenwich Mean Time (GMT) for log entries, but a time offset needs to be applied to determine the local time for log entries.
TLS—Transport Layer Security. Used to encrypt data in transit. TLS is the replacement for SSL and
C
like SSL, it uses certificates issued by CAs. HTTPS uses TLS to encrypt web sessions. VPNs can use TLS to encrypt VPN sessions. Several authentication protocols (such as PEAP, EAP-TLS, EAPTTLS) use TLS to encrypt the authentication process. TLS requires a CA to issue certificates.
et
token—An authentication device or file. A hardware token is a physical device used in the something
you have factor of authentication. A software token is a small file used by authentication services
G
indicating a user has logged on. tokenization—A practice of replacing sensitive data with a token which is a string of characters.
Point of sale (POS) terminals use tokenization to replace credit card data with tokens. Only a thirdparty entity (such as the credit card processor) can convert the token into the original data (the credit card data in this example). Copyright 2021 YCDA, LLC v0.1
TOTP—Time-based One-Time Password. An open standard used for creating one-time passwords, TOTP is similar to HOTP, but it uses a timestamp instead of a counter. One-time passwords created with TOTP expire after 30 seconds. Compare with HOTP. TPM—Trusted Platform Module. A hardware chip on the motherboard included on many newer
d
laptops. A TPM includes a unique RSA asymmetric key, and when first used, creates a storage root key. TPMs generate and store other keys used for encryption, decryption, and authentication. TPM
ea
provides full disk encryption. Compare with HSM.
tracert—A command-line tool. It is used to trace the route between two systems.
Ah
Transport Layer Security (TLS)—Used to encrypt data in transit. TLS is the replacement for SSL and like SSL, it uses certificates issued by CAs. HTTPS uses TLS to encrypt web sessions. VPNs can use TLS to encrypt VPN sessions. Several authentication protocols (such as PEAP, EAP-TLS, EAP-TTLS) use TLS to encrypt the authentication process. TLS requires a CA to issue certificates.
et
Trivial File Transfer Protocol (TFTP)—Used to transfer small amounts of data with UDP port 69. In contrast, FTP is used to transfer larger files using TCP ports 20 and 21.
G
Trojan—Malware also known as a Trojan horse. A Trojan often looks useful, but is malicious. Trusted Platform Module (TPM)—A hardware chip on the motherboard included on many newer laptops. A TPM includes a unique RSA asymmetric key, and when first used, creates a storage root
d
key. TPMs generate and store other keys used for encryption, decryption, and authentication. TPM
ie
provides full disk encryption. Compare with HSM.
Twofish—A symmetric key block cipher. It encrypts data in 128-bit blocks and supports 128-, 192-,
er tif
or 256-bit keys. Compare with Blowfish.
typo squatting—The purchase of a domain name that is close to a legitimate domain name. Attackers often try to trick users who inadvertently use the wrong domain name. Also called URL
U
C
hijacking.
et
UAVs—Unmanned aerial vehicles. Flying vehicles piloted by remote control or onboard computers. UDP—User Datagram Protocol. Used instead of TCP when guaranteed delivery of each packet is
G
not necessary. UDP uses a best-effort delivery mechanism. Compare with TCP. UEFI—Unified Extensible Firmware Interface. A method used to boot some systems and intended to replace Basic Input/Output System (BIOS) firmware. Compare with BIOS.
Uniform Resource Locator (URL) redirection—A technique used to redirect traffic to a different page or a different site.
Security+ Practice Test Questions
https://gcgapremiumpass.com/sy0-601-practice-test-questions/
uninterruptible power supply (UPS)—A battery backup system that provides fault tolerance for power and can protect against power fluctuations. A UPS provides short-term power to give the system enough time to shut down smoothly or transfer to generator power. Generators provide long-term power in
d
extended outages.
ea
unknown environment test—A type of penetration test. Testers have zero knowledge of the
environment prior to starting the test. This was previously known as a black box test. Compare with
Ah
known environment test and partially known environment test.
UPS—Uninterruptible power supply. A battery backup system that provides fault tolerance for power and can protect against power fluctuations. A UPS provides short-term power to give the system enough time outages.
et
to shut down smoothly or transfer to generator power. Generators provide long-term power in extended URI—Uniform Resource Identifier. Used to identify the name of a resource and always includes the
G
protocol such as http://GetCertifiedGetAhead.com.
URL—Uniform Resource Locator. A type of URI. Address used to access web resources, such as http://GetCertifiedGetAhead.com. Pop-up blockers can include URLs of sites where pop-ups are
d
allowed.
ie
URL hijacking—The purchase of a domain name that is close to a legitimate domain name. squatting.
er tif
Attackers often try to trick users who inadvertently use the wrong domain name. Also called typo USB—Universal Serial Bus. A serial connection used to connect peripherals such as printers, flash drives, and external hard disk drives. Data on USB drives can be protected against loss of confidentiality with encryption. Attackers have spread malware through Trojans.
C
USB On-The-Go (OTG). A cable used to connect mobile devices to other devices. It is one of many methods that you can use to connect a mobile device to external media. use case—A methodology used in system analysis and software engineering to identify and clarify
et
requirements to achieve a goal. For example, a use case of supporting confidentiality can help an organization identify the steps required to protect the confidentiality of data.
G
UTM—Unified threat management. A security appliance that combines multiple security controls
into a single solution. UTM appliances can inspect data streams for malicious content and often include URL filtering, malware inspection, and content inspection components.
Copyright 2021 YCDA, LLC v0.1
V VDI—Virtualization Desktop Infrastructure. Virtualization software designed to reproduce a desktop operating system as a virtual machine on a remote server. Users can access VDI desktops
d
from desktop PCs or mobile devices. vendor diversity—The practice of implementing security controls from different vendors to increase
ea
security. Compare with control diversity, technology diversity, and crypto diversity.
version control—A method of tracking changes to software as it is updated.Virtualization Desktop
Ah
Infrastructure (VDI)—Virtualization software designed to reproduce a desktop operating system as a virtual machine on a remote server. Users can access VDI desktops from desktop PCs or mobile devices.
virtualization—A technology that allows you to host multiple virtual machines on a single physical
et
system.
virtual local area network (VLAN)—A method of segmenting traffic. A VLAN can logically
G
group several different computers together, or logically separate computers without regard to their physical location. It is possible to create multiple VLANs with a single switch. You can also create VLANs with virtual switches.
d
virtual machine (VM) escape—An attack that allows an attacker to access the host system from
ie
within a virtual machine. The primary protection is to keep hosts and guests up to date with current patches. Compare with virtual machine sprawl.
er tif
virtual machine (VM) sprawl—A vulnerability that occurs when an organization has VMs that aren’t properly managed. Unmanaged VMs are not kept up to date with current patches. Compare with virtual machine escape.
virtual private network (VPN)—Provides access to a private network over a public network such
C
as the Internet. VPNs can provide access to internal networks for remote clients, or provide access to other networks via site-to-site VPNs. virus—Malicious code that attaches itself to a host application. The host application must be
et
executed to run, and the malicious code executes when the host application is executed. vishing—A phishing attack using phones.Vishing attacks often use Voice over IP (VoIP)
G
technologies.
VLAN—Virtual local area network. A method of segmenting traffic. A VLAN can logically group
several different computers together, or logically separate computers without regard to their physical location. It is possible to create multiple VLANs with a single switch. You can also create VLANs with virtual switches.
Security+ Practice Test Questions
https://gcgapremiumpass.com/sy0-601-practice-test-questions/
VM—Virtual machine. A virtual system hosted on a physical system. A physical server can host multiple VMs as servers. Virtualization helps reduce the amount of physical equipment required, reducing overall physical security requirements such as HVAC and power. Voice over IP (VoIP)—A group of technologies used to transmit voice over IP networks. Vishing is a
d
form of phishing that sometimes uses VoIP. voice recognition— A biometric authentication system. Voice recognition systems identify who is
ea
speaking using speech recognition.
VoIP—Voice over IP. A group of technologies used to transmit voice over IP networks. Vishing is a
Ah
form of phishing that sometimes uses VoIP.
VPN—Virtual private network. Provides access to a private network over a public network such as the Internet. VPNs can provide access to internal networks for remote clients, or provide access to other networks via site-to-site VPNs.
et
vulnerability—A weakness. It can be a weakness in the hardware, the software, the configuration, or even the users operating the system. Compare with risk and threat.
G
vulnerability scanner—A tool used to detect vulnerabilities. A scan typically identifies vulnerabilities, misconfigurations, and a lack of security controls. It passively tests security controls.
d
W
ie
WAF—Web application firewall—A firewall specifically designed to protect a web application. A
er tif
WAF inspects the contents of traffic to a web server, can detect malicious content such as code used in a cross-scripting attack, and block it.
walkthrough exercise—workshops or orientation seminars that train team members about their roles and responsibilities. Walkthroughs familiarize personnel with an organization’s business continuity plans and their roles and responsibilities.
C
WAP—Wireless access point. A device that connects wireless clients to wireless networks. Sometimes called an access point (AP).
et
warm site—An alternate location for operations. A compromise between an expensive hot site and a
cold site. Compare with cold site and hot site.
G
watering hole attack—An attack method that infects websites that a group is likely to trust and visit.
wearable technology—Smart devices that a person can wear or have implanted.
Copyright 2021 YCDA, LLC v0.1
web application firewall (WAF)—A firewall specifically designed to protect a web application. A WAF inspects the contents of traffic to a web server, can detect malicious content such as code used in a cross-scripting attack, and block it. whaling—A form of spear phishing that attempts to target high-level executives. When successful,
d
attackers gain confidential company information that they might not be able to get anywhere else. purple team, and capture the flag.
ea
white team—Personnel involved in cybersecurity readiness Compare with red team, blue team,
WiFi analyzers—A device used to identify activity on the wireless spectrum. WiFi analyzers are
Ah
commonly used with site surveys. Compare with wireless scanner.
WiFi Direct—A standard that allows devices to connect without a wireless access point. Compare with ad hoc.
WiFi Protected Access 2 (WPA2)—Security protocol used to protect wireless transmissions. It
et
supports CCMP for encryption, which is based on AES. It uses an 802.1X server for authentication in WPA2 Enterprise mode and a preshared key for WPA2 Personal mode, also called WPA2-PSK.
G
WiFi Protected Access 3 (WPA3)—Security protocol used to protect wireless transmissions. WPA3 is the newest wireless cryptographic protocol. It uses Simultaneous Authentication of Equals (SAE) instead of the PSK used with WPA2. SAE is based on the Diffie–Hellman key exchange.
d
WiFi Protected Setup (WPS)—Allowed users to easily configure a wireless network, often by
ie
using only a PIN. WPS brute force attacks can discover the PIN when used with WPA2. wildcard certificate—A certificate that can be used for multiple domains with the same root
er tif
domain. It starts with an asterisk.
wiping—The process of completely removing all remnants of data on a disk. A bit-level overwrite writes patterns of 1s and 0s multiple times to ensure data on a disk is unreadable. wireless access point (WAP)—A device that connects wireless clients to wireless networks.
C
Sometimes called an access point (AP).
wireless scanners—A network scanner that scans wireless frequency bands. Scanners can help discover rogue APs and crack passwords used by wireless APs. Sometimes called WiFi analyzers.
et
Wireshark—A free protocol analyzer. Wireshark is a windows-based application used to capture and analyze packets sent over a network.
G
worm—Self-replicating malware that travels through a network. Worms do not need user interaction
to execute. WPA—WiFi Protected Access. A legacy wireless security protocol. WPA2 and WPA3 have superseded WPA.
Security+ Practice Test Questions
https://gcgapremiumpass.com/sy0-601-practice-test-questions/
WPA2—WiFi Protected Access 2. Security protocol used to protect wireless transmissions. It supports CCMP for encryption, which is based on AES. It uses an 802.1X server for authentication in WPA2 Enterprise mode and a preshared key for WPA2 Personal mode, also called WPA2-PSK. WPA3—WiFi Protected Access 3. Security protocol used to protect wireless transmissions. WPA3 is the
d
newest wireless cryptographic protocol. It uses Simultaneous Authentication of Equals (SAE) instead of the PSK used with WPA2. SAE is based on the Diffie–Hellman key exchange.
ea
WPS—WiFi Protected Setup. Allowed users to easily configure a wireless network, often by using only a PIN. WPS brute force attacks can discover the PIN when used with WPA2.
Ah
WPS attack—An attack against an AP. A WPS attack discovers the eight-digit WPS PIN and uses it to discover the AP passphrase. WPA3 is resistant to WPS attacks.
Pass the First Time with Quality Practice Test Questions
et
https://gcgapremium.com/sy0-601-practice-test-questions/
G
X
XaaS—Anything as a Service. A cloud computing model. XaaS refers to any cloud computing model
d
not identified in IaaS, PaaS, or SaaS models. Compare to IaaS, PaaS, and SaaS. XML—Extensible Markup Language. A language used by many databases for inputting or
ie
exporting data. XML uses formatting rules to describe the data.
er tif
XSRF—Cross-site request forgery. A web application attack. Attackers use XSRF attacks to trick users into performing actions on websites, such as making purchases, without their knowledge. In some cases, it allows an attacker to steal cookies and harvest passwords. XSS—Cross-site scripting. A web application vulnerability that allows attackers to inject scripts into webpages. Attackers use XSS to capture user information such as cookies. Input validation
C
techniques on the server-side help prevent XSS attacks by blocking HTML and JavaScript tags.
et
Many sites prevent the use of < and > characters to block cross-site scripting.
G
Z
zero-day vulnerability—A vulnerability or bug that is unknown to trusted sources but can be
exploited by attackers. Zero-day attacks take advantage of zero-day vulnerabilities.
Copyright 2021 YCDA, LLC v0.1
zero trust—A network that doesn’t trust any devices by default. This helps reduce attacks by coming from compromised internal clients. Zero trust isn’t a technology, but instead, it’s a security
Ah
ea
d
model based on the principle of zero trust.
G
et
C
er tif
ie
d
G
et
Version 0.1 May 11 2021
Security+ Practice Test Questions
https://gcgapremiumpass.com/sy0-601-practice-test-questions/
Appendix F—Acronyms This acronym list is derived from the SY0-601 objectives and The CompTIA Security+ Get Certified
d
Get Ahead: SY0-601 Study Guide. By knowing the acronyms, many questions on the live exam will be much easier.
ea
CompTIA often spells out acronyms in the objectives. However, they tend to use acronyms in many test questions. As an example, Objective 5.4 includes these terms: Business impact analysis (BIA) o
Recovery time objective (RTO)
o
Recovery point objective (RPO)
Consider this potential question on the Security+ exam:
Ah
•
et
Q. Lisa is reviewing an organization’s BIA. It indicates that a key website can tolerate a maximum of three hours of downtime. Administrators have identified several systems that require redundancy
B. MTTR C. MTBF D. RTO
ie
A. RPO
d
maximum of three hours of downtime?
G
additions to meet this maximum downtime requirement. Of the following choices, what term refers to the
er tif
If you know that RTO is an acronym for recovery time objective and understand that “three hours of downtime” refers to time, this question is trivial. The recovery time objective (RTO) identifies the maximum amount of time it can take to restore a system after an outage. Because the business impact analysis (BIA) states that the website can only
C
tolerate three hours of downtime, this identifies the RTO. The recovery point objective (RPO) identifies a point in time where data loss is acceptable, but it doesn’t refer to downtime. The mean time to repair (MTTR) metric and mean time between failures (MTBF) metric refer to an average or arithmetic mean.
et
While the RTO is used to identify the MTTR, MTTR refers to how long it’ll take to repair a system or
G
component, not the maximum amount of downtime for a system or component.
Replace Acronyms with Words When doing practice test questions, it’s best to read all acronyms as words instead of letters. As an example, read this sentence “Lisa is reviewing an organization’s BIA” as Lisa is reviewing an
organization’s business impact analysis. Also, instead of reading the answers as letters, read them as words. If you see the following: A. RPO B. MTTR
d
C. MTBF
ea
D. RTO Read them as the following in your head: A. Recovery point objective
C. Mean time between failures D. Recovery time objective
et
If you forget what an acronym represents, come back here.
Ah
B. Mean time to repair
G
Numbers
3DES—Triple Digital Encryption Standard. A symmetric algorithm is used to encrypt data and provide confidentiality. It is a block cipher that encrypts data in 64-bit blocks. It was initially
ed
designed to replace DES and is still used in some applications, such as when hardware doesn’t support AES.
tif i
A
AAA—Authentication, Authorization, and Accounting. AAA protocols are used in remote access
er
systems. For example, TACACS+ is an AAA protocol that uses multiple challenges and responses during a session. Authentication verifies a user’s identification. Authorization determines if a user
C
should have access. Accounting tracks a user’s access with logs. ABAC—Attribute-based access control. An access control scheme. ABAC grants access to
et
resources based on attributes assigned to subjects and objects. Compare with DAC, MAC, role-based access control, and rule-based access control.
G
ACE—Access Control Entry. Identifies a user or group that is granted permission to a resource. ACEs are contained within a DACL in NTFS. ACK—Acknowledge. A packet in a TCP handshake. In a SYN flood attack, attackers send the SYN packet but don’t complete the handshake after receiving the SYN/ACK packet. ACL—Access control list. Lists of rules used by routers and stateless firewalls. These devices use the ACL to control traffic based on networks, subnets, IP addresses, ports, and some protocols.
Security+ (SY0-601) Practice Questions https://gcgapremiumpass.com/sy0-601-practice-test-questions/
address resolution protocol (ARP) poisoning—An attack that misleads systems about the actual MAC address of a system. ARP poisoning attacks can redirect traffic through an attacker’s system by sending false MAC address updates. AES—Advanced Encryption Standard. A symmetric algorithm used to encrypt data and provide
d
confidentiality. AES is a block cipher, and it encrypts data in 128-bit blocks. It is quick, highly
bits, or 256 bits.
ea
secure, and used in a wide assortment of cryptography schemes. It includes key sizes of 128 bits, 192
AES-256—Advanced Encryption Standard 256 bit. AES sometimes includes the number of bits used
Ah
in the encryption keys, and AES-256 uses 256-bit encryption keys.
AH—Authentication Header. An option within IPsec to provide authentication and integrity. IPsec includes uses AH to provide authentication and integrity using HMAC. ESP provides confidentiality, integrity, and authentication using HMAC and AES or 3DES. AH is identified with protocol ID
et
number 51. Compare with IPSec and ESP.
ALE—Annualized (or annual) loss expectancy. The expected loss for a year. The ALE identifies the
G
expected annual loss and is used to measure risk with ARO and SLE in a quantitative risk assessment. The calculation is SLE × ARO = ALE. Compare with SLE and ARO.
wireless access point (WAP).
d
AP—Access point. A device that connects wireless clients to wireless networks. Sometimes called a
ie
API—Application programming interface. A software module or component. An API gives developers access to features or data within another application, service, or operating system. APIs
er tif
are often used with web applications, Internet of Things (IoT) devices, and cloud-based services. API attacks—Application programming interface attacks. Attacks on an API. API attacks attempt to discover and exploit vulnerabilities in APIs.
APT—Advanced persistent threat. A group that has both the capability and intent to launch
C
sophisticated and targeted attacks. A nation state (such as a foreign government) sponsors APTs. ARO—Annualized (or annual) rate of occurrence. The number of times a loss is expected to occur in a year. The ARO is used to measure risk with ALE and SLE in a quantitative risk assessment. The
et
calculation is SLE × ARO = ALE. Compare with SLE and ALE. ARP—Address Resolution Protocol. Resolves IPv4 addresses to MAC addresses. Compare with arp.
G
ARP poisoning—An attack that misleads systems about the actual MAC address of a system. ARP poisoning attacks can redirect traffic through an attacker’s system by sending false MAC address updates. ASCII—American Standard Code for Information Interchange. Code used to display characters.
Copyright 2021 YCDA, LLC
AUP—Acceptable use policy. A policy defining proper system usage and the rules of behavior for employees. It will often describe the purpose of computer systems and networks, how users can access
them, and the responsibilities of users when accessing the systems.
d
B
ea
BCP—Business continuity plan. A plan that helps an organization predict and plan for potential
outages of critical services or functions. It includes disaster recovery elements that provide the steps used to return critical functions to operation after an outage. A BIA is a part of a BCP, and the BIA
Ah
drives decisions to create redundancies such as failover clusters or alternate sites. Compare with BIA and DRP.
BIA—Business impact analysis. A process that helps an organization identify critical systems and
et
components that are essential to the organization’s success. It identifies various scenarios that can impact these systems and components, maximum downtime limits, and potential losses from an
G
incident. The BIA helps identify RTOs and RPOs. Compare with BCP, BIA, DRP, RTO, and RPO. BIND—Berkeley Internet Name Domain. BIND is DNS software that runs on Linux and Unix servers. Most Internet-based DNS servers use BIND.
d
BIOS—Basic Input/Output System. A computer’s firmware that is used to manipulate different
ie
settings such as the date and time, boot drive, and access password. UEFI is the designated replacement for BIOS. Compare with UEFI.
er tif
BPDU guard—Bridge Protocol Data Unit guard. A technology that detects false BPDU messages. False BPDU messages can indicate a switching loop problem and shut down switch ports. The BPDU guard detects false BPDU messages and blocks the BPDU attack. BYOD—Bring your own device. A mobile device deployment model. A BYOD model allows
C
employees to connect personally owned devices, such as tablets and smartphones, to a company network. Data security is often a concern with BYOD policies causing organizations to consider
Pass the First Time with Quality Practice Test Questions https://gcgapremium.com/sy0-601-practice-test-questions/
G
et
CYOD or COPE models. Compare with COPE and CYOD.
C
CA—Certificate Authority. An organization that manages, issues, and signs certificates and is part of a PKI. Certificates are an essential part of asymmetric encryption, and they include public keys
Security+ (SY0-601) Practice Questions https://gcgapremiumpass.com/sy0-601-practice-test-questions/
and details on the owner of the certificate and the CA that issued the certificate. Certificate owners share their public key by sharing a copy of their certificate. Compare with PKI. CAPTCHA—Completely Automated Public Turing Test to Tell Computers and Humans Apart. Technique used to prevent automated tools from interacting with a website. Users must type in text
d
often from a slightly distorted image. CASB—Cloud access security broker. A software tool or service that enforces cloud-based
ea
security requirements. It is placed between the organization’s resources and the cloud, monitors all network traffic, and can enforce security policies.
Ah
CBC—Cipher Block Chaining. A mode of operation used by some symmetric encryption ciphers. It uses an IV for the first block, and each subsequent block is combined with the previous block. CCMP—Counter Mode with Cipher Block Chaining Message Authentication Code Protocol. An encryption protocol based on AES and used with WPA2 for wireless security.
et
CCTV—Closed-circuit television. A detective control that provides video surveillance. Video surveillance provides reliable proof of a person’s location and activity. It is also a physical security
G
control, and it can increase the safety of an organization’s assets.
CER—Canonical Encoding Rules. A base format for PKI certificates. They are ASCII encoded files. Compare with DER.
d
CERT—Computer Emergency Response Team. A group of experts who respond to security
ie
incidents.
CHAP—Challenge Handshake Authentication Protocol. An authentication mechanism where a
er tif
server challenges a client. Compare with MS-CHAPv2 and PAP. CIA—Confidentiality, integrity, and availability. These three form the security triad. Confidentiality helps prevent the unauthorized disclosure of data. Integrity provides assurances that data has not been modified, tampered with, or corrupted. Availability indicates that data and services are
C
available when needed.
CIO—Chief Information Officer. A “C” level executive position in some organizations. A CIO
et
focuses on using methods within the organization to answer relevant questions and solve problems. COOP—Continuity of operations planning. Continuity of operations planning sites provide an
G
alternate location for operations after a critical outage. A hot site includes personnel, equipment, software, and communication capabilities of the primary site with all the data up to date. A cold site will have power and connectivity needed for COOP activation, but little else. A warm site is a compromise between a hot site and a cold site. Compare with hot site, cold site, and warm site. COPE—Corporate-owned, personally enabled. A mobile device deployment model. The organization purchases and issues devices to employees. Compare with BYOD and CYOD. Copyright 2021 YCDA, LLC
CRL—Certification revocation list. A list of certificates that a Certificate Authority (CA) has revoked. Certificates are commonly revoked if they are compromised or issued to an employee who has left the organization. The CA that issued the certificate publishes a CRL, and a CRL is public. CSF—Cybersecurity Framework. A framework that aligns with the RMF and can be used in the
d
private sector. NIST SP 800-37, “Risk Management Framework for Information Systems and
ea
Organizations” is targeted toward federal government agencies. The CSF is an alternative that fits the private sector. It includes three components: the framework core, the framework implantation tiers, and the framework profiles.
Ah
CSR—Certificate signing request. A method of requesting a certificate from a CA. It starts by
creating an RSA-based private/public key pair and then including the public key in the CSR. Most CAs require CSRs to be formatted using the Public-Key Cryptography Standards (PKCS) #10 specification.
The combined result is used to encrypt blocks.
et
CTM—Counter mode. A mode of operation used for encryption that combines an IV with a counter.
G
CTO—Chief Technology Officer. A “C” level executive position in some organizations. CTOs focus on technology and evaluate new technologies.
vulnerabilities and exposures.
d
CVE—Common Vulnerabilities and Exposures. A dictionary of publicly known security
ie
CYOD—Choose your own device. A mobile device deployment model. Employees can connect their personally owned device to the network as long as the device is on a preapproved list. Note that
er tif
the device is purchased by and owned by employees. Compare with BYOD and COPE.
D
C
DAC—Discretionary access control. An access control scheme. All objects (files and folders) have owners, and owners can modify permissions for the objects. Compare with ABAC, MAC, role-based access control, and rule-based access control.
et
DDoS—Distributed denial-of-service. An attack on a system launched from multiple sources. DDoS attacks consume a system’s resources resulting in resource exhaustion. DDoS attacks typically
G
include sustained, abnormally high network traffic. Compare to DoS. DEP—Data Execution Prevention. A security feature in some operating systems. DEP prevents an application or service from executing in memory regions marked as nonexecutable. DEP can block some malware.
Security+ (SY0-601) Practice Questions https://gcgapremiumpass.com/sy0-601-practice-test-questions/
DER—Distinguished Encoding Rules. A base format for PKI certificates. They are BASE64 binary encoded files. Compare with CER. DH—Diffie-Hellman. An asymmetric algorithm used to privately share symmetric keys. DH Ephemeral (DHE) uses ephemeral keys, which are re-created for each session. Elliptic Curve DHE
d
(ECDHE) uses elliptic curve cryptography to generate encryption keys.
ea
DHCP—Dynamic Host Configuration Protocol. A service used to dynamically assign TCP/IP
configuration information to clients. DHCP is often used to assign IP addresses, subnet masks, default gateways, DNS server addresses, and much more.
Ah
DHCP snooping—Dynamic Host Configuration Protocol (DHCP) snooping. A preventive measure used to prevent unauthorized DHCP servers. It is enabled on Layer 2 switch ports. When enabled, the switch only sends DHCP broadcast traffic (the DHCP discover message) to trusted ports. DHE—Diffie-Hellman Ephemeral. An alternative to traditional Diffie-Hellman. Instead of using
et
static keys that stay the same over a long period, DHE uses ephemeral keys, which change for each new session. Sometimes listed as EDH.
G
DLL—Dynamic-link library. A compiled set of code that can be called from other programs. DLL injection— Dynamic-link library injection. An attack that injects a Dynamic Link Library (DLL) into memory and runs it. Attackers rewrite the DLL, inserting malicious code.
d
DLP—data loss prevention. A group of technologies used to prevent data loss. End-point DLP
ie
systems can prevent users from copying or printing sensitive data. Network-based DLP systems
the cloud.
er tif
monitor outgoing email to detect and block unauthorized data transfers and monitor data stored in
DMZ—demilitarized zone. A buffer zone between the Internet and an internal network. It allows access to services while segmenting access to the internal network. Internet clients can access the services hosted on servers in the DMZ, but the DMZ provides a layer of protection for the internal
C
network. CompTIA is using the term screened subnet to replace DMZ. DNS—Domain Name System. Used to resolve hostnames to IP addresses. DNS zones include
et
records such as A records for IPv4 addresses, AAAA records for IPv6 addresses, and MX records to identify mail servers. DNS uses UDP port 53 for DNS client queries and TCP port 53 for zone
G
transfers. Compare with DNS poisoning and pharming. DNS poisoning— Domain Name System poisoning. An attack that modifies or corrupts DNS results. DNSSEC helps prevent DNS poisoning. DNSSEC—Domain Name System Security Extensions. A suite of extensions to DNS used to protect the integrity of DNS records and prevent some DNS attacks.
Copyright 2021 YCDA, LLC
DoS—denial-of-service. An attack from a single source. A DoS attack attempts to disrupt the services provided by the attacked system. Compare to DDoS. DRP—disaster recovery plan. A document designed to help a company respond to disasters, such as hurricanes, floods, and fires. It includes a hierarchical list of critical systems and often prioritizes
d
services to restore after an outage. Testing validates the plan. The final phase of disaster recovery
ea
includes a review to identify any lessons learned and may include an update of the plan. Compare with BCP and BIA.
DSA—Digital Signature Algorithm. The algorithm used to create a digital signature. A digital
Ah
signature is an encrypted hash of a message. The sender’s private key encrypts the hash of the
message to create the digital signature. The recipient decrypts the hash with the sender’s public key, and, if successful, it provides authentication, non-repudiation, and integrity. Authentication identifies the sender. Integrity verifies the message has not been modified. Non-repudiation is used with online
et
transactions and prevents the sender from later denying he sent the email.
G
E
EAP—Extensible Authentication Protocol. An authentication framework that provides general
d
guidance for authentication methods. Variations include EAP-TLS, EAP-TTLS, and PEAP.
ie
EAP-FAST—EAP-Flexible Authentication via Secure Tunneling. A Cisco-designed protocol sometimes used with 802.1X. EAP-FAST supports certificates, but they are optional. Compare with
er tif
EAP, EAP-TLS, EAP-TTLS, and PEAP.
EAP-TLS—Extensible Authentication Protocol-Transport Layer Security. An extension of EAP sometimes used with 802.1X. This is one of the most secure EAP standards and is widely implemented. The primary difference between PEAP and EAP-TLS is that EAP-TLS requires certificates on the 802.1X
C
server and on each of the wireless clients. Compare with EAP, EAP-TTLS, EAP-FAST, and PEAP. EAP-TTLS—Extensible Authentication Protocol-Tunneled Transport Layer Security. An extension of EAP sometimes used with 802.1X. It allows systems to use some older authentication methods such as
et
PAP within a TLS tunnel. It requires a certificate on the 802.1X server but not on the clients. Compare with EAP, EAP-TLS, EAP-FAST, and PEAP.
G
ECC—Elliptic curve cryptography. An asymmetric encryption algorithm commonly used with smaller wireless devices. It uses smaller key sizes and requires less processing power than many other encryption methods. ECDHE—Elliptic Curve Diffie-Hellman Ephemeral. A version of Diffie-Hellman that uses ECC to generate encryption keys. Ephemeral keys are re-created for each session.
Security+ (SY0-601) Practice Questions https://gcgapremiumpass.com/sy0-601-practice-test-questions/
EMI—Electromagnetic interference. Interference caused by motors, power lines, and fluorescent lights. EMI shielding prevents outside interference sources from corrupting data and prevents data from emanating outside the cable. ESP—Encapsulating Security Protocol. A part of IPsec that provides encryption. IPsec includes both AH
d
and ESP. AH provides authentication and integrity using HMAC. ESP provides confidentiality, integrity,
ea
and authentication using HMAC and AES or 3DES. ESP is identified with protocol ID number 50.
F
Ah
FAR—False acceptance rate. Also called the false match rate. A rate that identifies the percentage of times a biometric authentication system incorrectly indicates a match.
FDE—Full disk encryption. A method to encrypt an entire disk. Compare with SED.
et
FRR—False rejection rate. Also called the false nonmatch rate. A rate that identifies the percentage of times a biometric authentication system incorrectly rejects a valid match.
G
FTP—File Transfer Protocol. Used to upload and download files to an FTP server. FTP uses TCP ports 20 and 21. Secure FTP (SFTP) uses SSH for encryption on TCP port 22. FTP Secure (FTPS) uses SSL or TLS for encryption.
d
FTPS—File Transfer Protocol Secure. An extension of FTP that uses SSL to encrypt FTP traffic.
ie
Some implementations of FTPS use TCP ports 989 and 990. Pass the First Time with Quality Practice Test Questions
er tif
https://gcgapremium.com/sy0-601-practice-test-questions/
G
C
GCM—Galois/Counter Mode. A mode of operation used for encryption. It combines the Counter (CTM) mode with hashing techniques for data authenticity and confidentiality.
et
GDPR—General Data Protection Regulation. The GDPR is a European Union (EU) regulation that clarifies requirements to protect the personal data of anyone living in the EU. It also defines the
G
roles of data owners, data controllers, data processors, data custodians or data stewards, and the data protection officer (DPO). GPS—Global Positioning System. A satellite-based navigation system that identifies the location of a device or vehicle. Mobile devices often incorporate GPS capabilities.
Copyright 2021 YCDA, LLC
GPS tagging—Global Positioning System tagging. A process of adding geographical data to files such as pictures. It typically includes latitude and longitude coordinates of the location where the photo was taken, or the file was created.
d
H
ea
HIDS—Host-based intrusion detection system. HIDS is software installed on a system to detect
attacks. A HIDS is used to monitor an individual server or workstation. It protects local resources on
by antivirus software. Compare with HIPS, NIDS, and NIPS.
Ah
the host such as the operating system files, and in some cases, it can detect malicious activity missed
HIPS—Host-based intrusion prevention system. An extension of a host-based IDS. It is designed to react in real time to detect, and prevent, an attack in action. Compare with HIDS, NIDS, and NIPS.
et
HMAC—Hash-based Message Authentication Code. A hashing algorithm used to verify integrity and authenticity of a message with the use of shared secret. When used with TLS and IPsec, HMAC
G
is combined with MD5 and SHA-1 as HMAC-MD5 and HMAC-SHA1, respectively. HOTP—HMAC-based One-Time Password. An open standard used for creating one-time passwords, similar to those used in tokens or key fobs. It combines a secret key and an incrementing
ie
they are used. Compare with TOTP.
d
counter, and then uses HMAC to create a hash of the result. HOTP passwords do not expire until
HSM—Hardware security module. A removable or external device that can generate, store, and
er tif
manage RSA keys used in asymmetric encryption. High-volume e-commerce sites use HSMs to increase the performance of TLS sessions. Compare with TPM. HTML—Hypertext Markup Language. A language used to create webpages. HTML documents are displayed by web browsers and delivered over the Internet using HTTP or HTTPS. It uses less-than
C
and greater-than characters (< and >) to create tags. Many sites use input validation to block these tags and prevent cross-site scripting attacks. HTTP—Hypertext Transfer Protocol. Used for web traffic on the Internet and in intranets. HTTP
et
uses TCP port 80. HTTP is almost always encrypted with TLS and referred to as HTTPS. HTTPS—Hypertext Transfer Protocol Secure. A protocol used to encrypt HTTP traffic. HTTPS
G
encrypts HTTP traffic with TLS using TCP port 443. HVAC—Heating, ventilation, and air conditioning. A physical security control that increases availability by regulating airflow within data centers and server rooms. They use hot and cold aisles to regulate the cooling, thermostats to ensure a relatively constant temperature, and humidity controls to reduce the potential damage from condensation.
Security+ (SY0-601) Practice Questions https://gcgapremiumpass.com/sy0-601-practice-test-questions/
I
d
IaaS—Infrastructure as a Service. A cloud computing model. IaaS allows an organization to rent
ea
access to hardware in a self-managed platform. Customers are responsible for keeping an IaaS system up to date. Compare to PaaS, SaaS, and XaaS.
ICMP—Internet Control Message Protocol. Used for diagnostics such as ping. Many DoS attacks
to a server succeeds, it indicates that ICMP is blocked.
Ah
use ICMP. It is common to block ICMP at firewalls and routers. If ping fails, but other connectivity
ICS—Industrial control system. A system that controls large systems such as power plants or water
et
treatment facilities. A SCADA system typically controls an ICS. Compare with SCADA.
IDS—Intrusion detection system. A detective control used to detect attacks after they occur. A
G
network-based IDS (NIDS) monitors a network, and a host-based IDS (HIDS) monitors a host. They both monitor for intrusions and provides ongoing protection against various threats. IDSs include sniffing capabilities. Many IDSs use numbering systems to identify vulnerabilities. Compare with
d
IPS.
ie
IEEE—Institute of Electrical and Electronics Engineers. IEEE is an international organization with a focus on electrical, electronics, and information technology topics. IEEE standards are well
er tif
respected and followed by vendors around the world. IEEE 802.1X—A port-based authentication protocol. An authentication protocol used in VPNs and wired and wireless networks. VPNs often implement it as a RADIUS server. Wired networks use it for port-based authentication. Wireless networks use it in Enterprise mode, and it often uses one of
C
the EAP authentication protocols. Compare with EAP, PEAP, EAP-TLS, and EAP-TTLS. IGMP—Internet Group Management Protocol. Used for multicasting. Computers belonging to a multicasting group have a multicasting IP address in addition to a standard unicast IP address.
et
IIS—Internet Information Services. A Microsoft Windows web server. IIS comes free with Microsoft Windows Server products. Linux systems use Apache as a web server.
G
IMAP4—Internet Message Access Protocol v4. Used to store email on servers and allow clients to manage their email on the server. IMAP4 uses TCP port 143. Secure IMAP4 uses TLS to encrypt IMAP4 traffic on TCP port 993.
IoT—Internet of things. The network of physical devices connected to the Internet. It typically refers to smart devices with an IP address, such as wearable technology and home automation systems.
Copyright 2021 YCDA, LLC
IP—Internet Protocol. Used for addressing. Compare with IPv4 and IPv6. IPS—Intrusion prevention system. A preventive control that can stop an attack in progress. It is similar to an active IDS except that it’s placed inline with traffic. An IPS can actively monitor data streams, detect malicious content, and stop attacks in progress. It can be used internally to protect
d
private networks, such as those holding SCADA equipment. Compare with IDS.
ea
IPv4—Internet Protocol version 4. Identifies hosts using a 32-bit IP address. IPv4 is expressed in dotted decimal format with decimal numbers separated by dots or periods like this: 192.168.1.1.
IPv6—Internet Protocol version 6. Identifies hosts using a 128-bit address. IPv6 has a significantly
Ah
larger address space than IPv4. IPsec is built into IPv6 and can encrypt any type of IPv6 traffic. ISP—Internet Service Provider. A company that provides Internet access to customers.
IT—Information technology. Computer systems and networks used within organizations.
IV—Initialization vector. An IV provides randomization of encryption keys to help ensure that keys
et
are not reused. In an IV attack, the attacker uses packet injection to increase the number of packets to
G
analyze and discovers the encryption key.
Pass the First Time with Quality Practice Test Questions
d
https://gcgapremium.com/sy0-601-practice-test-questions/
ie
K
er tif
KDC—Key Distribution Center. Also known as Ticket Granting Ticket (TGT) server. Part of the Kerberos protocol used for network authentication. The KDC issues timestamped tickets that expire.
L
C
L2TP—Layer 2 Tunneling Protocol. Tunneling protocol used with VPNs. L2TP is commonly used with IPsec (L2TP/IPsec) and uses UDP port 1701.
et
LDAP—Lightweight Directory Access Protocol. A protocol used to communicate with directories such as Microsoft Active Directory. It identifies objects with query strings using codes such as
G
CN=Users and DC=GetCertifiedGetAhead. LDAP uses TCP port 389. LDAP injection attacks attempt to access or modify data in directory service databases. Compare with LDAPS. LDAPS—Lightweight Directory Access Protocol over SSL. A protocol used to encrypt LDAP traffic with TLS. While it has SSL in the name, TLS has replaced SSL. LDAPS is sometimes referred to as Lightweight Directory Access Protocol Secure. LDAPS encrypts transmissions with TLS over TCP port 636. Compare with LDAP.
Security+ (SY0-601) Practice Questions https://gcgapremiumpass.com/sy0-601-practice-test-questions/
M MAC—Mandatory Access Control. An access control scheme. MAC uses sensitivity labels assigned to objects (files and folders) and subjects (users). MAC restricts access based on a need to know.
d
Compare with ABAC, DAC, role-based access control, and rule-based access control. MAC—media access control. A 48-bit address used to identify network interface cards. It is also
ea
called a hardware address or a physical address. and is commonly displayed as six pairs of
hexadecimal characters. Port security on a switch or an AP can limit access using MAC filtering.
Ah
MAC cloning attack—Media access control cloning attack. An attack that changes the source MAC address to impersonate an authorized system. When MAC filtering is used, attackers can discover the address of authorized MAC addresses and change their address to bypass MAC filtering. This is sometimes called MAC spoofing.
et
MAC filtering—Media access control filtering. A form of network access control to allow or block access based on the MAC address. It is configured on switches for port security or on APs for
G
wireless security.
MAC flooding—Media access control flooding. An attack against a switch that attempts to overload it. Most ports on a switch have only a single host connected to them, with only a single MAC
d
address. A MAC flooding attack repeatedly spoofs the MAC address. If successful, the switch
ie
operates as a hub instead of as a switch.
MD5—Message Digest 5. A hashing function used to provide integrity. MD5 creates 128-bit hashes,
er tif
which are also referred to as MD5 checksums. A hash is simply a number created by applying the algorithm to a file or message at different times. Comparing the hashes verifies integrity. Experts consider MD5 cracked and discourage its use as a cryptographic hash. However, it is still used as a checksum in some situations.
C
MDM—Mobile device management. A group of applications and technologies used to manage mobile devices. MDM tools can monitor mobile devices and ensure they are in compliance with
et
security policies.
MMS—Multimedia Messaging Service. An extension of SMS. MMS allows users to include multimedia content such as pictures, short videos, audio, or even a slideshow of multiple images.
G
Compare with SMS and Rich Communication Services. MS-CHAP—Microsoft Challenge Handshake Authentication Protocol. Microsoft implementation of CHAP. MS-CHAPv2 improves MS-CHAP by providing mutual authentication.
Copyright 2021 YCDA, LLC
MS-CHAPv2—Microsoft Challenge Handshake Authentication Protocol version 2. Microsoft implementation of CHAP. MS-CHAPv2 provides mutual authentication. Compare with CHAP and PAP. MTBF—Mean time between failures. Provides a measure of a system’s reliability and is usually
d
represented in hours. The MTBF identifies the average (the arithmetic mean) time between failures.
ea
Higher MTBF numbers indicate a higher reliability of a product or system.
MTTF—Mean time to failure. The length of time you can expect a device to remain in operation
before it fails. It is similar to MTBF, but the primary difference is that the MTBF metric indicates
Ah
you can repair the device after it fails. The MTTF metric indicates that you will not be able to repair a device after it fails.
MTTR—Mean time to recover. Identifies the average (the arithmetic mean) time it takes to restore a failed system. Organizations that have maintenance contracts often specify the MTTR as a part of
et
the contract.
G
N
NAC—Network access control. A system that inspects clients to ensure they are healthy. Healthy
d
clients are granted access to the network, and unhealthy clients are redirected to a remediation
ie
network. Agents inspect clients, and agents can be permanent or dissolvable (also known as agentless). MAC filtering is a form of NAC.
er tif
NAT—Network Address Translation. A service that translates public IP addresses to private IP addresses and private IP addresses to public IP addresses. NDA—Non-disclosure agreement. An agreement that is designed to prohibit personnel from sharing proprietary data. It can be used with employees within the organization and with outside
C
organizations. It is commonly embedded as a clause in a contract. NFC—Near field communication. A group of standards used on mobile devices that allow them to communicate with other nearby mobile devices. Many credit card readers support payments using
et
NFC technologies with a smartphone. NIC—Network interface card. Provides connectivity to a network. A NIC is typically built into a
G
circuit board and includes a connector, such as an RJ-45 connector. NIC teaming—Network interface card (NIC) teaming. A group of two or more network adapters acting as a single network adapter. NIC teaming provides increased bandwidth and load balancing capabilities.
Security+ (SY0-601) Practice Questions https://gcgapremiumpass.com/sy0-601-practice-test-questions/
NIDS—Network-based intrusion detection system. A device that detects attacks and raises alerts. A NIDS is installed on network devices, such as routers or firewalls and monitors network traffic. It can detect network-based attacks. NIPS—Network-based intrusion prevention system. A device that detects and stops attacks in
d
progress. A NIPS is placed inline (also called in-band) with traffic so that it can actively monitor
ea
data streams, detect malicious content, and stop attacks in progress.
NIST—National Institute of Standards and Technology. NIST is a part of the U.S. Department of
Commerce, and it includes an Information Technology Laboratory (ITL). The ITL publishes special
Ah
publications related to security that are freely available to anyone. They can found at http://csrc.nist.gov/publications/PubsSPs.html.
NTLM—New Technology LAN Manager. A suite of protocols that provide confidentiality, integrity, and authentication within Windows systems. Versions include NTLM, NTLMv2, and
et
NTLM2 Session.
G
NTP—Network Time Protocol. Protocol used to synchronize computer times.
Pass the First Time with Quality Practice Test Questions
d
https://gcgapremium.com/sy0-601-practice-test-questions/
ie
O
er tif
OAuth—An open source standard used for authorization with Internet-based single sign-on solutions. Many companies such as Google, Facebook, PayPal, Microsoft, and Twitter support OAuth. Users can sign on with their account using one of these companies and gain access to other sites. OAuth focuses on authorization, not authentication, and RFC 6749, “The OAuth 2.0
C
Authorization Framework,” describes it.
OCSP—Online Certificate Status Protocol. An alternative to using a CRL. It allows entities to query a CA with the serial number of a certificate. The CA answers with good, revoked, or unknown.
et
OIDC - OpenID Connect—An open source standard used for identification on the Internet. It builds on OpenID and uses the OAuth 2.0 framework. OIDC uses a JavaScript Object Notation
G
(JSON) Web Token (JWT), sometimes called an ID token. OpenID—An authentication standard maintained by the OpenID Foundation. An OpenID provider holds the user’s credentials and websites that support OpenID prompt users to enter their OpenID. OSI—Open Systems Interconnection. The OSI reference model conceptually divides different networking requirements into seven separate layers.
Copyright 2021 YCDA, LLC
OSINT—A method of gathering data using public sources, such as social media sites and news outlets. Pass the First Time with Quality Practice Test Questions
d
https://gcgapremium.com/sy0-601-practice-test-questions/
ea
P
P12—PKCS#12. A common format for PKI certificates. They are DER-based (binary) and often hold certificates with the private key. They are commonly encrypted.
Ah
P7B—PKCS#7. A common format for PKI certificates. They are CER-based (ASCII) and commonly used to share public keys.
PaaS—Platform as a Service. A cloud computing model. PaaS provides cloud customers with a
et
preconfigured computing platform they can use as needed. PaaS is a fully managed platform, meaning that the vendor keeps the platform up to date with current patches. Compare with IaaS,
G
SaaS and XaaS.
PAM—Privileged access management. A method of protecting access to privileged accounts. PAM implements the concept of just-in-time administration, giving users elevated privileges only when
d
they need them and only for a limited time. PAM is sometimes called privileged account
ie
management.
PAP—Password Authentication Protocol. An older authentication protocol where passwords or
er tif
PINs are sent across the network in cleartext. Compare with CHAP and MS-CHAPv2. PBKDF2—Password-Based Key Derivation Function 2. A key stretching algorithm technique that adds additional bits to a password as a salt. It helps prevent brute force and rainbow table attacks. Compare with Bcrypt and Argon2.
C
PDF—Portable Document Format. Type of file for documents. Attackers have embedded malware in PDFs.
PEAP—Protected Extensible Authentication Protocol. An extension of EAP sometimes used with
et
802.1X. PEAP provides an extra layer of protection for EAP and it is sometimes used with 802.1X. PEAP requires a certificate on the 802.1X server. Compare with EAP, EAP-TLS, EAP-TTLS, and
G
EAP-FAST.
PEM—Privacy Enhanced Mail. A common format for PKI certificates. It can use either CER (ASCII) or DER (binary) formats and can be used for almost any type of certificates. PFX—Personal Information Exchange. A common format for PKI certificates. It is the predecessor to P12 certificates.
Security+ (SY0-601) Practice Questions https://gcgapremiumpass.com/sy0-601-practice-test-questions/
PHI—Personal Health Information. PII that includes health information. PII—Personally Identifiable Information. Information about individuals that can be used to trace a person’s identity, such as a full name, birth date, biometric data, and identifying numbers such as a Social Security number (SSN). Organizations have an obligation to protect PII and often identify
d
procedures for handling and retaining PII in data policies such as encrypting it.
ea
PIN—Personal identification number. A number known by a user and entered for authentication. PINs are often combined with smart cards to provide dual-factor authentication.
PIV—Personal Identity Verification card. A specialized type of smart card used by U.S. federal
Ah
agencies. It includes photo identification and provides confidentiality, integrity, authentication, and non-repudiation for the users. Compare with CAC.
PKI—Public Key Infrastructure. Group of technologies used to request, create, manage, store, distribute, and revoke digital certificates. Certificates include public keys along with details on the
et
owner of the certificate, and on the CA that issued the certificate. Certificate owners share their public key by sharing a copy of their certificate. A PKI requires a trust model between CAs and most
G
trust models are hierarchical and centralized with a central root CA.
POP3—Post Office Protocol v3. Used to transfer email from mail servers to clients. POP3 uses TCP port 110 for unencrypted connections and TCP port 995 for encrypted connections
d
PSK—Preshared key. A secret shared among different systems. Wireless networks using WPA2
ie
support Personal mode, where each device uses the same PSK. WPA3 uses a Simultaneous Authentication of Equals (SAE) instead of a PSK. Compare with Enterprise and Open modes.
er tif
PUPs—Potentially unwanted programs. Software installed on users’ systems without their awareness or consent. Some of these unwanted programs are legitimate, but some are malicious,
R
C
such as Trojans. Compare with spyware.
RA—Recovery agent. A designated individual who can recover or restore cryptographic keys. In the
et
context of a PKI, a recovery agent can recover private keys to access encrypted data, or in some situations, recover the data without recovering the private key. In some cases, recovery agents can
G
recover the private key from a key escrow. RADIUS—Remote Authentication Dial-In User Service. Provides central authentication for remote access clients. RADIUS uses symmetric encryption to encrypt the password packets, and it uses UDP by default. In contrast, TACACS+ encrypts the entire authentication process and uses TCP.
Copyright 2021 YCDA, LLC
RFC 3579 “RADIUS Support for EAP” supports encryption of the entire authentication process using TCP. Compare with TACACS+. RAID—Redundant array of inexpensive disks. Multiple disks added together to increase performance or provide protection against faults. RAID helps prevent disk subsystems from being a
d
single point of failure. Compare with RAID-0, RAID-1, RAID-5, RAID-6, and RAID-10.
ea
RAID-0—Disk striping. RAID-0 improves performance but does not provide fault tolerance. RAID-1—Disk mirroring. RAID-1 uses two disks and provides fault tolerance.
RAID-5—Disk striping with parity. RAID-5 uses three or more disks and provides fault tolerance. It
Ah
can survive the failure of a single drive.
RAID-6—Disk striping with parity. RAID-6 uses four or more disks and provides fault tolerance. It can survive the failure of two drives.
RAID-10—Disk mirroring with striping. RAID-10 combines the features of mirroring (RAID-1) and
et
striping (RAID-0). The minimum number of drives in a RAID-10 is four, and a RAID-10 always has an even number of drives.
G
RAM—Random access memory. Volatile memory within a computer that holds active processes, data, and applications. Data in RAM is lost when the computer is turned off. Memory forensics analyzes data in RAM.
ie
location using dial-up or a VPN.
d
RAS—Remote Access Service. Provides access to an internal network from an outside source
RAT—Remote access Trojan. Malware that allows an attacker to take control of a system from a
er tif
remote location. A RAT gives an attacker full control over a user’s system from a remote location over the Internet.
RDP—Remote Desktop Protocol. Used to connect to remote systems. Microsoft uses RDP in different services such as Remote Desktop Services and Remote Assistance. RDP uses either port
C
TCP 3389 or UDP 3389.
RFI—Radio frequency interference. Interference from RF sources such as AM or FM transmitters.
et
RFI can be filtered to prevent data interference, and cables can be shielded to protect signals from RFI.
G
RFID—Radio frequency identification. RFID methods are often used for inventory control. RFID attacks— Radio frequency identification attacks. Attacks against radio-frequency identification (RFID) systems. Some common RFID attacks are eavesdropping, replay, and DoS. RCS—Rich Communication Services. An extension of SMS and MMS. RCS supports all of the features of MMS and adds a few additional features. If a system doesn’t support RCS, it can default to SMS or MMS. Compare with SMS and MMS.
Security+ (SY0-601) Practice Questions https://gcgapremiumpass.com/sy0-601-practice-test-questions/
RMF—Risk Management Framework. A framework for identifying and managing risk. NIST published it as SP 800-37, “Risk Management Framework for Information Systems and Organizations.” It includes seven steps: prepare, categorizing information systems, select security controls, assess security controls, authorize information systems, monitor security controls.
d
rogue AP—Rogue access point. An unauthorized AP. It can be placed by an attacker or an
ea
employee who hasn’t obtained permission to do so. An evil twin is a special type of rogue AP with the same or similar SSIS as a legitimate AP.
ROI—Return of investment or return on investment. A performance measure used to identify when
Ah
an investment provides a positive benefit to the investor. It is sometimes considered when evaluating the purchase of new security controls.
ROT13—A substitution cipher that uses a key of 13. To encrypt a message, you would rotate each letter 13 spaces. To decrypt a message, you would rotate each letter 13 spaces.
et
RPO—Recovery point objective. A term that refers to the amount of data you can afford to lose by identifying a point in time where data loss is acceptable. It is often identified in a BIA. Compare
G
with RTO.
RSA—Rivest, Shamir, and Adleman. An asymmetric algorithm used to encrypt data and digitally sign transmissions. It is named after its creators, Rivest, Shamir, and Adleman. RSA uses both a
d
public key and a private key in a matched pair.
ie
RSTP—Rapid Spanning Tree Protocol. An improvement over STP. STP and RSTP protocols are enabled on most switches and protect against switching loops, such as those caused when two ports
er tif
of a switch are connected together.
RTO—Recovery time objective. The maximum amount of time it should take to restore a system after an outage. It is derived from the maximum allowable outage time identified in the BIA. Compare with RPO.
C
RTOS—Real-time operating system. An operating system that reacts to input within a specific time. Many embedded systems include an RTOS.
et
S
G
SaaS—Software as a Service. A cloud computing model. SaaS provides applications over the Internet, such as webmail. The vendor is responsible for keeping the SaaS applications available and up-to-date. Compare with IaaS, PaaS and XaaS.
Copyright 2021 YCDA, LLC
SAML—Security Assertions Markup Language. An XML-based standard used to exchange authentication and authorization information between different parties. SAML provides SSO for web-based applications. SAN—Storage Area Network. A specialized network of high-speed storage devices.
d
SCADA—Supervisory control and data acquisition. A system used to control an ICS such as a
ea
power plant or water treatment facility. Ideally, a SCADA is within an isolated network without
direct access to the Internet. NIPS systems and VLANs provide a layer of protection for SCADA systems. Compare with ICS.
Ah
SCP—Secure Copy. Based on SSH, SCP allows users to copy encrypted files over a network. SCP uses TCP port 22.
SDN—Software defined network. A method of using software and virtualization technologies to replace hardware routers. SDNs separate the data and control planes.
et
SDV—Software-defined visibility. Technologies used to view all network traffic. SDV technologies ensure that all cloud-based traffic is viewable and can be analyzed.
G
SED—Self-encrypting drive. A drive that includes the hardware and software necessary to encrypt a hard drive. SEDs include all the encryption circuitry built into the drive, and they automatically encrypt the drive without user action. Users typically enter credentials to decrypt and use the drive.
d
Compare with FDE.
ie
SELinux—Security-Enhanced Linux. An operating system platform that prevents malicious or suspicious code from executing on both Linux and Unix systems. It is one of the few operating
er tif
systems that use the MAC model. Enforcing mode will enforce the SELinux policy and ignore permissions. Permissive mode does not enforce the SELinux policy but instead logs any access that would normally be blocked. Disabled mode does not enforce the SELinux policy and does not log anything related to the policy.
C
SFTP—SSH File Transfer Protocol. An extension of Secure Shell (SSH) used to encrypt FTP traffic. SFTP transmits data using TCP port 22. SFTP is sometimes referred to as secure FTP.
et
SHA—Secure Hash Algorithm. A hashing function used to provide integrity. Versions include SHA-1, SHA-2, and SHA-3. SHA-1 is no longer approved for most cryptographic uses due to
G
weaknesses. SHA-2 has four versions (Sha-256, SHA-512, SHA-224, and SHA-384). SHA-3 (previously known as Keccak) was selected as the next version after a public competition. shadow IT—Shadow information technology. Shadow IT refers to unauthorized systems or applications installed on a network. Users sometimes install systems without approval, often to bypass security controls. Shadow IT increases risks because these systems aren’t managed.
Security+ (SY0-601) Practice Questions https://gcgapremiumpass.com/sy0-601-practice-test-questions/
SIEM—Security information and event management. A system that provides a centralized solution for collecting, analyzing, and managing log data from multiple sources. Log collectors send logs to the SIEM system, and it aggregates the logs. SIM—Subscriber Identity Module. A small card that contains programming and information for
d
mobile devices such, as cell phones. The SIM card identifies what countries or networks the device
ea
will use.
SLA—Service level agreement. An agreement between a company and a vendor that stipulates
performance expectations, such as minimum uptime and maximum downtime levels. Organizations
Ah
use SLAs when contracting services from service providers such as Internet Service Providers (ISPs).
SLE—Single loss expectancy. The monetary value of any single loss. It is used to measure risk with ALE and ARO in a quantitative risk assessment. The calculation is SLE × ARO = ALE. Compare
et
with ALE and ARO.
S/MIME—Secure/Multipurpose Internet Mail Extensions. Used to secure email. S/MIME provides
G
confidentiality, integrity, authentication, and non-repudiation. It can digitally sign and encrypt email, including the encryption of email at rest and in transit. It uses RSA, with public and private keys for encryption and decryption, and depends on a PKI for certificates.
d
SMS—Short Message Service. A basic text messaging service. Most mobile devices support SMS.
ie
Compare with Multimedia Message Service and Rich Communication Services. SMTP—Simple Mail Transfer Protocol. Used to transfer email between clients and servers and
er tif
between email servers and other email servers. SMTP uses TCP port 25. SNMPv3—Simple Network Management Protocol. Used to manage and monitor network devices such as routers or switches. SNMP agents report information via notifications known as SNMP traps or SNMP device traps. SNMP uses UDP ports 161 and 162.
C
SOAR—Secure Orchestration, Automation, and Response. Tools used to automatically respond to low-level security events. Runbooks are the checklists used to create the automated responses and
et
playbooks are the automated actions created from the runbooks. Compare with playbooks and runbooks.
G
SoC—System on chip. An integrated circuit that includes a computing system within the hardware. Many mobile devices include an SoC. SPIM—Spam over Internet Messaging. A form of spam using instant messaging. SPIM targets instant messaging users.
Copyright 2021 YCDA, LLC
SPOF—Single point of failure. Any component whose failure results in the failure of an entire system. Elements such as RAID, failover clustering, UPS, and generators remove many single points of failure. SQL—Structured Query Language. Used by SQL-based databases, such as Microsoft SQL Server.
d
Websites integrated with a SQL database are subject to SQL injection attacks. Input validation with
ea
forms and stored procedures help prevent SQL injection attacks. Microsoft SQL Server uses TCP port 1433 by default.
SRTP—Secure Real-time Transport Protocol. A protocol used to encrypt and provide authentication
Ah
for Real-time Transport Protocol (RTP) traffic. RTP is used for audio/video streaming.
SSD—Solid state drive. A drive used in place of a traditional hard drive. An SSD has no moving parts but instead stores the contents as nonvolatile memory. SSDs are much quicker than traditional hard drives.
et
SSH—Secure Shell. A protocol used to encrypt network traffic. SSH encrypts a wide variety of traffic such as SCP, SFTP, Telnet, and TCP Wrappers. SSH uses TCP port 22. SSH is a more secure
G
alternative than Telnet when connecting to remote servers.
SSID—Service Set Identifier. The name of a wireless network. SSIDs can be set to broadcast so users can easily see the SSID. Disabling SSID broadcast hides it from casual users, but an attacker can discover it
d
with a wireless sniffer. It’s recommended to change the SSID from the default name .
ie
SSL—Secure Sockets Layer. The predecessor to TLS. SSL was used to encrypt data in transit with the use of certificates but is deprecated now.
er tif
SSO—Single sign-on. Authentication method where users can access multiple resources on a network using a single account. SSO can provide central authentication against a federated database for different operating systems.
STP—Spanning Tree Protocol. Protocol enabled on most switches that protects against switching
C
loops. A switching loop is caused when two ports of a switch are connected together. SYN—Synchronize. The first packet in a TCP handshake. In a SYN flood attack, attackers send this
et
packet, but don’t complete the handshake after receiving the SYN/ACK packet. system on chip (SoC)—An integrated circuit that includes a computing system within the hardware.
G
Many mobile devices include an SoC.
Pass the First Time with Quality Practice Test Questions https://gcgapremium.com/sy0-601-practice-test-questions/
Security+ (SY0-601) Practice Questions https://gcgapremiumpass.com/sy0-601-practice-test-questions/
T TACACS+—Terminal Access Controller Access-Control System+. Provides central authentication for remote access clients and used as an alternative to RADIUS. TACACS+ uses TCP port 49. It
the password. It uses multiple challenges and responses. Compare with RADIUS.
d
encrypts the entire authentication process, compared with the default RADIUS, which only encrypts
TCO attempts to identify the cost of a product or service over its lifetime.
ea
TCO—Total cost of ownership. A factor considered when purchasing new products and services.
Ah
TCP—Transmission Control Protocol. Provides guaranteed delivery of IP traffic using a three-way handshake. Compare with UDP.
TCP/IP—Transmission Control Protocol/Internet Protocol. Represents the full suite of protocols used on the Internet and most internal networks.
et
TFTP—Trivial File Transfer Protocol. Used to transfer small amounts of data with UDP port 69. In contrast, FTP is used to transfer larger files using TCP ports 20 and 21.
tickets that expire after a certain time period.
G
TGT—Ticket Granting Ticket. Used with Kerberos. A KDC (or TGT server) issues timestamped
TLS—Transport Layer Security. Used to encrypt data in transit. TLS is the replacement for SSL and
d
like SSL, it uses certificates issued by CAs. HTTPS uses TLS to encrypt web sessions. VPNs can
ie
use TLS to encrypt VPN sessions. Several authentication protocols (such as PEAP, EAP-TLS, EAPTTLS) use TLS to encrypt the authentication process. TLS requires a CA to issue certificates.
er tif
TOTP—Time-based One-Time Password. An open standard used for creating one-time passwords, TOTP is similar to HOTP, but it uses a timestamp instead of a counter. One-time passwords created with TOTP expire after 30 seconds. Compare with HOTP. TPM—Trusted Platform Module. A hardware chip on the motherboard included on many newer
C
laptops. A TPM includes a unique RSA asymmetric key, and when first used, creates a storage root key. TPMs generate and store other keys used for encryption, decryption, and authentication. TPM
et
provides full disk encryption. Compare with HSM.
G
U
UAVs—Unmanned aerial vehicles. Flying vehicles piloted by remote control or onboard computers. UDP—User Datagram Protocol. Used instead of TCP when guaranteed delivery of each packet is not necessary. UDP uses a best-effort delivery mechanism. Compare with TCP.
Copyright 2021 YCDA, LLC
UEFI—Unified Extensible Firmware Interface. A method used to boot some systems and intended to replace Basic Input/Output System (BIOS) firmware. Compare with BIOS. UPS—Uninterruptible power supply. A battery backup system that provides fault tolerance for power and can protect against power fluctuations. A UPS provides short-term power to give the system enough time
d
to shut down smoothly or transfer to generator power. Generators provide long-term power in extended
ea
outages.
URI—Uniform Resource Identifier. Used to identify the name of a resource and always includes the protocol such as http://GetCertifiedGetAhead.com.
Ah
URL—Uniform Resource Locator. A type of URI. Address used to access web resources, such as http://GetCertifiedGetAhead.com. Pop-up blockers can include URLs of sites where pop-ups are allowed.
URL hijacking— Uniform Resource Locator hijacking. The purchase of a domain name that is
et
close to a legitimate domain name. Attackers often try to trick users who inadvertently use the wrong domain name. Also called typo squatting.
G
URL redirection—Uniform Resource Locator redirection. A technique used to redirect traffic to a different page or a different site.
USB—Universal Serial Bus. A serial connection used to connect peripherals such as printers, flash
d
drives, and external hard disk drives. Data on USB drives can be protected against loss of
ie
confidentiality with encryption. Attackers have spread malware through Trojans. USB On-The-Go (OTG). A cable used to connect mobile devices to other devices. It is one of many
er tif
methods that you can use to connect a mobile device to external media. UTM—Unified threat management. A security appliance that combines multiple security controls into a single solution. UTM appliances can inspect data streams for malicious content and often
V
C
include URL filtering, malware inspection, and content inspection components.
et
VDI—Virtualization Desktop Infrastructure. Virtualization software designed to reproduce a desktop operating system as a virtual machine on a remote server. Users can access VDI desktops
G
from desktop PCs or mobile devices. VLAN—Virtual local area network. A method of segmenting traffic. A VLAN can logically group several different computers together, or logically separate computers without regard to their physical location. It is possible to create multiple VLANs with a single switch. You can also create VLANs with virtual switches.
Security+ (SY0-601) Practice Questions https://gcgapremiumpass.com/sy0-601-practice-test-questions/
VM—Virtual machine. A virtual system hosted on a physical system. A physical server can host multiple VMs as servers. Virtualization helps reduce the amount of physical equipment required, reducing overall physical security requirements such as HVAC and power. VM escape—Virtual machine escape. An attack that allows an attacker to access the host system
d
from within a virtual machine. The primary protection is to keep hosts and guests up to date with
ea
current patches. Compare with virtual machine sprawl.
VM sprawl—Virtual machine sprawl. A vulnerability that occurs when an organization has VMs that aren’t properly managed. Unmanaged VMs are not kept up to date with current patches.
Ah
Compare with virtual machine escape.
VoIP—Voice over IP. A group of technologies used to transmit voice over IP networks. Vishing is a form of phishing that sometimes uses VoIP.
VPN—Virtual private network. Provides access to a private network over a public network such as
et
the Internet. VPNs can provide access to internal networks for remote clients, or provide access to
G
other networks via site-to-site VPNs.
W
d
WAF—Web application firewall—A firewall specifically designed to protect a web application. A
ie
WAF inspects the contents of traffic to a web server, can detect malicious content such as code used in a cross-scripting attack, and block it.
er tif
WAP—Wireless access point. A device that connects wireless clients to wireless networks. Sometimes called an access point (AP).
WPA—WiFi Protected Access. A legacy wireless security protocol. WPA2 and WPA3 have superseded WPA.
C
WPA2—WiFi Protected Access 2. Security protocol used to protect wireless transmissions. It supports CCMP for encryption, which is based on AES. It uses an 802.1X server for authentication in WPA2 Enterprise mode and a preshared key for WPA2 Personal mode, also called WPA2-PSK.
et
WPA3—WiFi Protected Access 3. Security protocol used to protect wireless transmissions. WPA3 is the newest wireless cryptographic protocol. It uses Simultaneous Authentication of Equals (SAE) instead of
G
the PSK used with WPA2. SAE is based on the Diffie–Hellman key exchange. WPS—WiFi Protected Setup. Allowed users to easily configure a wireless network, often by using only a PIN. WPS brute force attacks can discover the PIN when used with WPA2. WPS attack—An attack against an AP. A WiFi Protected Setup (WPS) attack discovers the eightdigit WPS PIN and uses it to discover the AP passphrase. WPA3 is resistant to WPS attacks.
Copyright 2021 YCDA, LLC
Pass the First Time with Quality Practice Test Questions https://gcgapremium.com/sy0-601-practice-test-questions/
d
X
ea
XaaS—Anything as a Service. A cloud computing model. XaaS refers to any cloud computing model not identified in IaaS, PaaS, or SaaS models. Compare to IaaS, PaaS, and SaaS.
exporting data. XML uses formatting rules to describe the data.
Ah
XML—Extensible Markup Language. A language used by many databases for inputting or
XSRF—Cross-site request forgery. A web application attack. Attackers use XSRF attacks to trick users into performing actions on websites, such as making purchases, without their knowledge. In
et
some cases, it allows an attacker to steal cookies and harvest passwords.
XSS—Cross-site scripting. A web application vulnerability that allows attackers to inject scripts into
G
webpages. Attackers use XSS to capture user information such as cookies. Input validation techniques on the server-side help prevent XSS attacks by blocking HTML and JavaScript tags.
G
et
C
er tif
ie
Version 0.1 May 11 2021
d
Many sites prevent the use of < and > characters to block cross-site scripting.
Security+ (SY0-601) Practice Questions https://gcgapremiumpass.com/sy0-601-practice-test-questions/