Appendixes from CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide

Citation preview

Appendix A—Command Line Basics When taking the CompTIA Security+ exam, CompTIA expects you to know commandline basics. Many people working in IT jobs know the command line because they work with

this appendix is for you.

Ah

Windows Command Line

ea d

it regularly. However, it can be challenging for others. If you’re new to the command line,

Before you can use the command line in Windows, you first need to launch the

Windows Command Prompt window. The simplest way to do so is to click the Start button,

G et

type in Command, and select Command Prompt. The Start button is at the lower left of your screen.

In some situations, you need to start the Command Prompt window with elevated permissions as an administrator. To do this, click the Start button, type in Command, right-

d

click on Command Prompt, and select Run as administrator.

ie

If you’re using a different version of Windows, you can find directions online. Use your

tif

favorite search engine and enter “command prompt” to find it.

er

Linux Terminal

C

The terminal is where you run commands in a Linux system. There are different ways to access the terminal, depending on the distribution you’re using. If you’re

et

running Kali Linux (recommended while using this book), you can start it by simply clicking the terminal icon on the Kali menu.

G

Many test takers find learning Linux commands challenging because they don’t

have a Linux system. If you can’t enter them and see what they do, you might have trouble with even the easiest questions. However, it’s easy to create a bootable USB (or buy one) and use any PC as a Linux box. The online labs include a lab you can use to create a bootable USB. Figure Appx A.1 shows an instance of Kali with the menu on the left. If you hover over the second icon, you’ll see “Terminal” appear. Click it, and it starts the terminal.

ea d Ah

Figure Appx A.1: Launching the terminal in Kali Linux

G et

For simplicity, instead of stating “Linux or Unix” throughout this book, I’m just stating it as Linux. Note that Linux is a popular version of Unix, and most commands that run in a Unix terminal will also run in a Linux terminal.

ie

d

Understanding Switches and Getting Help Almost every command you’ll run across has options available that you can invoke

tif

with a switch. A Windows command-line switch uses a forward slash (/) or a dash (-)

er

after the command and includes an option that modifies the command to perform a different function.

C

Linux commands use switches too, but they typically only use a dash. If you use a forward slash, you will typically get unexpected results or an error.

et

The most used switch in Windows systems is the help switch identified with a question mark. For example, you can use the help switch to get help using these

G

commands: •

ping /? or ping -?

•

ipconfig /? or ipconfig -?

•

netstat /? or netstat -?

Although Linux terminal commands also use switches, they don’t use the question mark for help. The common way to get help on a command is to query the online system Copyright 2021 YCDA, LLC.

reference manual using the man command. For example, the following commands retrieve help on the relevant commands: • man ping • man ifconfig • man netstat Some commands have extensive feedback available when you use incorrect syntax.

ea d

As an example, ping doesn’t recognize the -? switch on Linux systems. Instead of just

giving you a message of “incorrect syntax,” it provides details on usage. This looks like

Ah

help, but it is different than the information in the man page.

Understanding Case

G et

Most Windows commands are not case sensitive. In other words, you can type in

commands using uppercase characters, lowercase characters, or any combination. For example, each of the following commands ping the localhost IPv6 address (::1) and provide

ping -6 localhost

•

PiNg -6 localHOST

•

PING -6 LocalHost

ie

•

d

the same output:

tif

However, this is not true in the Linux terminal. Instead, commands are typically

er

lowercase, and if you use uppercase letters, you’ll find that the command is not recognized. Of the three commands shown for the Windows command line, only ping -6

C

localhost works within the Linux terminal. As you go through these commands, note that many of them support both IPv4

et

addresses and IPv6 addresses. By querying help, you can see how to do each.

G

Understanding Linux Permissions Linux permissions may look odd the first time you see them, but they represent three

simple concepts—read, write, and execute: • Read (R) indicates someone can open the file and view its contents.

Copyright 2021 YCDA, LLC.

• Write (W) indicates a user can modify the contents. You’ll see read combined with write most, if not all of the time. • Executes (X) indicates a user can launch the file. It is assigned to files that can be executed. Additionally, permissions apply to three identities: • The first set of permissions applies to the owner of the file.

ea d

• The second set of permissions applies to the owner’s primary group (by default). Any user can be a member of multiple groups, but a user will have only one • The third set of permissions applies to everyone else.

Ah

primary group. The default owner group can be changed if desired.

You can see a list of files in a folder along with their permissions by using the ls -l command at the terminal. The following shows an abbreviated output from the ls -l

G et

command:

-rwx rw- r-- user usergroup size/date/time myfile.txt

drwx r-- --- user usergroup size/date/time mydirectory

The first line shows the permissions assigned to a file named myfile.txt, and the second

d

line shows the permissions assigned to a directory named mydirectory. Note that the first

ie

character is a dash (-) or a d and indicates the entry refers to a file using a dash (-) or a

tif

directory, using a d. The three group permissions for the file are: • rwx indicating read, write, and execute permissions for the owner

er

• rw- indicating read and write permissions for the owner group • r-- indicating read permission only for everyone else

C

Note that when a permission isn’t assigned, you’ll see a dash instead.

et

Converting Linux Permissions to Numbers

G

You’ll often see permissions represented as octal numbers (from 0 to 7). As an example,

consider the myfile.txt mentioned earlier. Instead of representing the permissions as rwx rwr- -, it would be 7 6 4. It’s worthwhile to refresh your knowledge of octal numbers, which is a base-8 numbering system. Three binary bits represent each octal number, as shown in the following list: Copyright 2021 YCDA, LLC.

• Octal 0 = Binary 0 0 0 • Octal 1 = Binary 0 0 1 • Octal 2 = Binary 0 1 0 • Octal 3 = Binary 0 1 1 • Octal 4 = Binary 1 0 0

ea d

• Octal 5 = Binary 1 0 1 • Octal 6 = Binary 1 1 0 • Octal 7 = Binary 1 1 1

Additionally, each group of binary bits represents specific permissions:

Ah

• The first bit is used for read (r). • The second bit is used for write (w). • The third bit is used for execute (x).

G et

If the bit is a 1, it indicates that a permission is granted. If the bit is a 0, it indicates that a permission is not granted. The following list shows the commonly used octal numbers and their related permissions:

d

• Octal 0 = Binary 0 0 0 No permissions (- - - ) • Octal 4 = Binary 1 0 0 Read (r - -)

ie

• Octal 5 = Binary 1 0 1 Read and Execute (r - x)

tif

• Octal 6 = Binary 1 1 0 Read and Write (r w -)

er

• Octal 7 = Binary 1 1 1 Read, Write, and Execute (r w x) The following list shows octal numbers that are not normally used:

C

• Octal 1 = 0 0 1 Binary Execute (not used because Execute also needs read) • Octal 2 = 0 1 0 Binary Write (rarely used because Write would typically include

et

Read) • Octal 3 = Binary 0 1 1 Write and Execute (not used because Execute also needs

G

read)

This is an appendix for the CompTIA Security+ Get Certified Get Ahead: SY0-

601 Study Guide. It is provided as an extra resource for test takers in PDF format. However, distribution of PDF copies of the CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide are not authorized. Copyright 2021 YCDA, LLC.

Appendix B—Log Basics When taking the CompTIA Security+ exam, you’ll be expected to read and understand log entries. It’s often trivial for administrators who look at logs every day to identify relevant

challenging.

Ah

Understanding Log Basics

ea d

elements in a log entry. However, for people who don’t look at logs regularly, this can be

CompTIA frequently refers to logs throughout the exam objectives. They are

valuable tools when troubleshooting. Unfortunately, there isn’t a single way that logs are

G et

formatted making them sometimes hard to read, especially when randomly placed within a question. However, there are many common elements that you can usually identify in log entries.

Logs typically record what happened, when it happened, where it happened, and

d

who did it. This allows someone, such as an administrator or security professional, to

ie

analyze the logs to gain details of events.

Many times, security administrators are searching the logs looking for event

tif

anomalies. As a simple example, attackers sometimes try to log on to accounts by

er

guessing passwords. Security logs record these attempts as failed logons, which is an event anomaly. After investigating the failed logins, administrators can determine if the

C

failed logins were part of normal operation or a security incident. It’s tempting to set up logging to record every event and provide as much detail as

et

possible—most logs support a verbose mode that will log additional details. However, a limiting factor is the amount of disk space available. Additionally, when logging is

G

enabled, there is an implied responsibility to review the logs. The more you choose to log, the more you may have to review. The goal is to balance what is needed and the amount of available space for storage. The following sections cover some issues to consider when reviewing logs.

Reading Logs It isn’t feasible to describe every possible log from every known vendor, at least if I want to keep the page count of this book less than 2,000 pages. However, there are

When It Happened

ea d

common log attributes that you can look for to help you read them.

Every log entry has a timestamp to let you know when the event happened.

For example, you may see something like the following: 22:02:2021 20:10:05 10.10.80.5:49154 > 192.168.1.15:21 22:02:2021 20:24:17 10.10.80.5:49154 > 192.168.1.15:20

Ah

Timestamps include both the date and time, but not always in an easily readable form.

G et

22:02:2021 20.37.37 10.80.5:49:154 > 192.168.1.15:25

22:02:2021 20.46.41 10.10.80.5:49154 > 192.168.1.15:23

With a little deductive reasoning, you can see that each entry includes 22:02:2021 (February 2nd, 2021), and that is the date. The next set of data is the time (using a 24-

d

hour clock). It indicates the traffic occurred at 8:10 and 5 seconds (PM), 8:24 and 17

ie

seconds (PM), 8:37 and 37 seconds (PM), and 8:46 and 41 seconds (PM), respectively. In many logs, they spell out the month because an entry such as 05:12:2021 is

tif

ambiguous. Is it May 12th or December 5th? It just isn’t clear.

er

Using a 24-hour clock saves space in a log but is confusing to some people. Hours less than 12 are in the morning (AM) and hours after 12 are in the afternoon and

C

evening. An easy way to identify the time for any hours after 12 is by subtracting 12 from the hour. For example, with a time of 13:10:05, you’d subtract 12 from 13

et

(indicating 1 PM).

G

Where It Happened Many log entries include a source and a destination. This is simply where the traffic

originated and where it is going. There are several ways that a log entry may indicate the source and destination, such as: • A computer name (such as Server 1) • An IPv4 address (such as 192.168.80.14) • A socket, which includes an IPv4 address and a port (such as 192.168.80.14:443) • An IPv6 address

• A media access control (MAC) address such as 01:23:45:67:89:ab Sometimes, the log entry may list the computer name (such as Server1), but more often, it uses the IPv4 address or the socket. A socket is an established connection and includes an IP address and a port number. You’ll see the IP address and port separated by a colon, such as 192.168.80.14:443. When a socket is used, the IP address indicates the source or destination computer, and

ea d

the port tells the computer what service to send the traffic to when it arrives. A destination

port of 443 indicates the Hypertext Transfer Protocol Secure (HTTPS) service should receive and handle the traffic.

Ah

In some cases, you’ll find that one socket has a public IP address and another socket has a private IP address. If the log entry is recording traffic in an attack, the public IP address indicates the system sending the attack. The private IP address is the internal computer being

G et

attacked. Note that the public IP address may be a spoofed address or a compromised system controlled by an attack.

Some logs use MAC addresses to identify computers. If you can recognize MAC addresses, this should be easy to identify. MAC addresses are typically represented as six

ie

d

pairs of hexadecimal characters (such as 12:ab:34:cd:56:ef).

tif

What Happened

Some log entries require you to analyze them and identify what is the same and what is

er

different. The following entries provide insight into what happened, but you need to understand sockets:

C

22:11:20 20:10:05 10.10.80.5:49154 > 192.168.1.15:21 22:11:20 20:24:17 10.10.80.5:49154 > 192.168.1.15:20

et

22:11:20 20.37.37 10.80.5:49154 > 192.168.1.15:25 22:11:20 20.46.41 10.10.80.5:49154 > 192.168.1.15:23

G

It’s not always apparent, but in these entries, the “>” character indicates the direction of

the traffic. Traffic is going from 10.10.80.5 to 192.168.1.15. Notice that the source sockets are identical. They have the same IP address and the same port. In contrast, the ports in the destination socket are all different. This indicates that the attacker (10.10.80.5:49154) is

Copyright 2021 YCDA, LLC.

performing a port scan on the destination computer (192.168.1.15). If the port is open, the system responds. If the port is closed, it doesn’t respond.

Who Did It Some log entries include human-readable text. Take a look at the following partial log entries and see if you can identify what happened:

ea d

2/24/2021/02:01:05 Homer 192.168.1.10 action:login/success 2/24/2021/02:02:30 Homer 192.168.1.10 action:login/fail 2/24/2021/02:03:31 Homer 192.168.1.10 action:login/fail

Ah

2/24/2021/02:04:32 Homer 192.168.1.10 action:login/fail

The first entry indicates Homer logged in successfully. Afterward, it shows three login failures. This could suggest many things. However, notice that all four entries are within a

G et

minute of each other. Homer could have logged off accidentally and then forgot the credentials he just used a moment ago. It could also indicate a malicious actor who previously captured Homer’s credentials, logged on, changed Homer’s password, and then

d

verified that the old credentials aren’t working.

ie

Applying Critical Thinking Skills

tif

You’ll often find that a CompTIA Security+ question will lack details, such as entire log entries. Other times, you may see questions with an excessive amount of details that

C

critical thinking.

er

have nothing to do with the question. In these circumstances, you’ll need to apply some

In short, critical thinking is the process of analyzing the facts you have to make a

et

judgment. Admittedly, critical thinking is a complex topic. While the single sentence description explains what you need for the CompTIA Security+ exam, there are several

G

definitions. Here are a few: • “Disciplined thinking that is clear, rational, open-minded, and informed by evidence.” (dictionary.com)

• “Critical thinking is the ability to think in an organized and rational manner in order to understand connections between ideas and/or facts.” (zety.com) • “Critical thinking is the intellectually disciplined process of actively and skillfully conceptualizing, applying, analyzing, synthesizing, and/or evaluating information gathered from, or generated by, observation, experience, reflection,

reasoning, or communication, as a guide to belief and action.” (criticalthinking.org) Some of you may be wondering, “What does this have to do with logs and the CompTIA Security+ exam?” When you see a question with sample log output, you’ll often be required to apply

additional concepts. Consider these questions: • Does the log entry show IP addresses? •

ea d

your knowledge to understand the question, even if the question doesn’t directly mention

If so, are some private and some public? See RFC 1918 if you don’t know

Ah

how to tell the difference. •

Are any IP addresses the same?

•

Do you see any sockets? Are any of the sockets the same? Are any of the

G et

sockets different? This can help you determine the direction of the traffic. • Does the entry show any MAC addresses? Can you identify a MAC address if you see one?

• Are there any timestamps? Do you recognize them?

d

• Are there English words, such as account name or action results? You’ll rarely

ie

see full sentences in a log entry, but instead, you need to determine what the log

tif

entry is communicating with just a few words. This appendix addresses each of these questions, but it doesn’t cover every

er

possibility. Instead, my intention is to give you some basics you can apply when you see

C

questions that include log entries.

This is an appendix for the CompTIA Security+ Get Certified Get Ahead: SY0-

et

601 Study Guide. It is provided as an extra resource for test takers in PDF format.

G

However, distribution of PDF copies of the CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide are not authorized.

Copyright 2021 YCDA, LLC.

Appendix C—Well-Known Ports CompTIA has deemphasized ports in recent exams. However, they may still include them in tests. Additionally, some test-takers don’t fully understand how ports are used. This appendix may

d

fill in some holes for you and will give you a reminder of the ports in case you need it.

ea

Port Basics

Ports are logical numbers used by TCP/IP to identify what service or application should handle data received by a system. Both TCP and UDP use ports with a total of 65,536 TCP ports (0 to 65,535) and

Ah

65,536 UDP ports (0 to 65,535). Administrators open ports on firewalls and routers to allow the

associated protocol into or out of a network. For example, Hypertext Transfer Protocol (HTTP) uses port 80, and an administrator allows HTTP traffic by opening port 80.

et

Additionally, administrators disable unnecessary ports and services as part of a basic security practice. These ports and services are associated with specific protocols and if they are disabled, it blocks

G

any attacks on these ports, services, and protocols.

The Internet Assigned Numbers Authority (IANA) maintains a list of official port assignments that you can view at https://www.iana.org/assignments/service-names-port-numbers/service-names-port-

ed

numbers.xhtml.

IANA divided the ports into three ranges, as follows:

Well-known ports: 0–1023. IANA assigns port numbers to commonly used protocols in the

•

tif i

well-known ports range.

Registered ports: 1024–49,151. IANA registers these ports for companies as a convenience to

•

er

the IT community. A single company may register a port for proprietary use, or multiple companies may use the same port for a specific standard. As an example, Microsoft SQL Server

C

uses port 1433 for database servers, Layer 2 Tunneling Protocol (L2TP) uses port 1701, and Point-to-Point Tunneling Protocol (PPTP) uses port 1723. Dynamic and private ports: 49,152–65,535. These ports are available for use by any

•

et

application. Applications commonly use these ports to map an application to a port temporarily.

G

These temporary port mappings are often called ephemeral ports, indicating that they are shortlived.

Although virtually all the ports are subject to attack, most port attacks are against the well-known

ports. Port scanners often simply check to see if a well-known port is open. For example, SMTP uses the

well-known port 25, so if port 25 is open, the system is likely running SMTP.

Network administrators who regularly work with routers and firewalls can easily tell you which protocol is associated with which well-known port, such as 20, 21, 22, 23, 25, 80, 443, and so on. The reason is that they use these ports to allow or block traffic. For example, an administrator can close port 25 to block all SMTP traffic into a network. The router

d

then ignores traffic on port 25 instead of forwarding it. Similarly, an administrator can close port 1433 to block database traffic to a Microsoft SQL server. On the other hand, the administrator can open port 25 or

ea

port 1433 to allow SMTP traffic or traffic to a Microsoft SQL server, respectfully.

Although ports are second nature to router and firewall administrators, they might not be so familiar you’re ready for the exam.

Combining the IP Address and the Port

Ah

to you. If you don’t work with the ports often, you’ll need to spend some extra time studying to ensure

et

At any moment, a computer could be receiving dozens of packets, and each of these packets includes a destination IP address and a destination port. TCP/IP uses the IP address to get the packet to the

G

computer. The computer then uses the port number to get the packet to the correct service, protocol, or application that can process it.

For example, if the packet has a destination port of 443, the well-known port for Hypertext Transfer

ed

Protocol Secure (HTTPS), the system passes the packet to the process handling HTTPS. It wouldn’t do much good to pass an SMTP email packet to the HTTPS service or send an HTTPS request packet to the

tif i

SMTP service.

IP Address Used to Locate Hosts

er

Imagine that the IP address of GetCertifiedGetAhead.com is 35.221.53.172, and the address assigned to your computer in an internal network is 192.168.10.11. TCP/IP uses these IP addresses to get the

C

packets from your computer to the web server and the web server’s answer back to your computer. There’s a lot more that occurs under the hood with TCP/IP (such as DNS, NAT, and ARP), but the

main point is that the server’s IP address is used to get the requesting packet from your computer to the

et

server. The server gets the response packets back to your computer using your IP address (or the IP

G

address of your NAT server).

Server Ports Different protocols are enabled and running on a server. These protocols have well-known or registered port numbers, such as port 22 for SSH, 25 for SMTP, 80 for HTTP, 443 for HTTPS, and so on.

Copyright 2021 YCDA, LLC.

When the system receives traffic with a destination of port 443, the system knows to send it to the service handling HTTPS. Any web browser knows that the well-known port for HTTPS is 443. Even though you don’t see port 443 in the URL, it is implied as HTTPS://GetCertifiedGetAhead.com:443. If you omit the port number,

d

HTTPS uses the well-known port number 443 by default. Popular web servers on the Internet include Apache and Internet Information Services (IIS). Apache

ea

is free and runs on Unix or Linux systems. Apache can also run on other platforms, such as Microsoft

systems. IIS is included in Microsoft Server products. These web servers use port 443 for HTTPS. When

Ah

the server receives a packet with a destination port of 443, the server sends the packet to the web server application (Apache or IIS) that processes it and sends back a response.

Client Ports

et

TCP/IP works with the client operating system to maintain a table of client-side ports using available ports in the dynamic and private ports range. This table associates port numbers with different

G

applications that are expecting return traffic. Client-side ports start at port 49,152 and increment up to 65,535. If the system uses all the ports between 49,152 and 65,535 before being rebooted, it’ll start over at 49,152.

ed

When you use your web browser to request a page from a site, your system will record an unused client port number such as 49,152 in an internal table to handle the return traffic. When the web server

tif i

returns the webpage, it includes the client port as a destination port. When the client receives webpage packets with a destination port of 49,152, it sends these packets to the web browser application. The

er

browser processes the packets and displays the page.

Putting It All Together

C

The previous section described the different pieces, but it’s useful to put this together into a single

description. Imagine that you decide to visit the website https://GetCertifiedGetAhead.com using your web browser, so you type the URL into the browser, and the webpage appears. Here are the details of

et

what is happening. Figure C.1 provides an overview of how this will look, and the following text explains

G

the process.

Copyright 2021 YCDA, LLC.

d ea Ah et G ed

tif i

Figure C.1: Using source and destination ports

Your computer creates a packet with source and destination IP addresses and source and destination ports. It queries a DNS server for the IP address of GetCertifiedGetAhead.com and learns that the IP

er

address is 35.221.53.172. Additionally, your computer will use its IP address as the source IP address. For this example, imagine your computer’s IP address is 192.168.10.11.

C

Because the web server is serving webpages using HTTPS and the well-known port is used, the

destination port is 443. Your computer will identify an unused port in the dynamic and private ports range (a port number between 49,152 and 65,535) and map that port to the web browser. For this example,

et

imagine it assigns 49,152 to the web browser. It uses this as the source port. At this point, the outgoing packet has both destination and source data as follows: Destination IP address: 35.221.53.172 (the web server)

•

Destination port: 443

•

Source IP address: 192.168.10.11 (your computer)

•

Source port: 49,152

G

•

Copyright 2021 YCDA, LLC.

TCP/IP uses the IP address (35.221.53.172) to get the packet to the GetCertifiedGetAhead web server. When it reaches the web server, the server looks at the destination port (443) and determines that the packet needs to go to the web server program servicing HTTPS. The web server creates the page and puts the data into one or more return packets. At this point, the source and destinations are swapped

•

Destination port: 49,152

•

Source IP address: 35.221.53.172 (the web server)

•

Source port: 443

ea

Destination IP address: 192.168.10.11 (your computer)

Ah

•

d

because the packet is coming from the server back to you:

Again, TCP/IP uses the IP address to get the packets to the destination. Once the packets reach your system, it sends them to the destination port (port 49,152). Because your system mapped this port to your web browser, it sends the packets to the web browser, displaying the webpage.

et

The Importance of Ports in Security

G

Routers, and the routing component of firewalls, filter packets based on IP addresses, ports, and some protocols such as ICMP or IPsec. Because many protocols use well-known ports, you can control

ed

protocol traffic by allowing or blocking traffic based on the port. In the previous example, the client firewall must allow outgoing traffic on port 443. Firewalls automatically determine the client ports used for return traffic, and if they allow the outgoing traffic, they

tif i

allow the return traffic. In other words, because the firewall allows the packet to go to the web server on the destination port of 443, it also allows the webpage to return on the dynamic source port of 49,152.

er

Note that the client firewall doesn’t need to allow incoming traffic on port 443 for this to work. The web client isn’t hosting a web server with HTTPS, so the client firewall would block incoming traffic on port 443. However, the firewall that is allowing traffic to the web server needs to allow incoming traffic

C

on port 443.

You can apply this same principle to any protocol and port. For example, if you want to allow SMTP

et

traffic, you create a rule on the firewall to allow traffic on port 25 or port 587 for SMTP encrypted with TLS. IT professionals modifying access control lists (ACLs) on routers and firewalls commonly refer to

G

this as opening a port to allow traffic or closing a port to block traffic.

Comparing Ports and Protocol Numbers Ports and protocol numbers are not the same things, though they are often confused. Well-known ports identify many services or protocols, as discussed previously. Copyright 2021 YCDA, LLC.

However, many protocols are not identified by the port but instead by the protocol numbers. For example, within Internet Protocol security (IPsec), protocol number 50 indicates the packet is an Encapsulating Security Payload (ESP) packet, and protocol number 51 indicates it’s an Authentication Header (AH) packet. Similarly, ICMP uses the protocol number of 1, TCP is 6, and UDP is 17.

d

You can use a protocol number to block or allow traffic on routers and firewalls just as you can block or allow traffic based on the port. Note that it is not accurate to say that you can allow IPsec ESP

ea

traffic by opening port 50. IANA lists port 50 as a Remote Mail Checking Protocol. However, you can allow IPsec traffic by allowing traffic using protocol number 50.

Ah

Port Tables

The following tables show many of the well-known ports that you may need to know when taking

er

tif i

ed

G

et

the CompTIA Security+ exam.

G

et

C

Table C.1: Ports and protocols

Copyright 2021 YCDA, LLC.

d ea Ah

et

C

er

tif i

ed

G

et

Table C.2: Ports and protocols

G

This is an appendix for the CompTIA Security+ Get Certified Get Ahead: SY0-601 Study

Guide. It is provided as an extra resource for test-takers in PDF format. However, PDF copies of

the CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide are not authorized.

Copyright 2021 YCDA, LLC.

Appendix D—The OSI Model The CompTIA Security+ objectives refer to the Open Systems Interconnection (OSI) model in a couple of places: Given a scenario, analyze potential indicators associated with network attacks. • Layer 2 attacks - Address Resolution Protocol (ARP) poisoning - Media access control (MAC) flooding - MAC cloning

3.6

Given a scenario, apply cybersecurity solutions to the cloud. • Solutions - Firewall considerations in a cloud environment - Open Systems Interconnection (OSI) layers

Ah

ea

d

1.4

et

The OSI reference model conceptually divides different networking requirements into seven separate layers. For most people studying for the CompTIA Security+ exam, the OSI

G

model isn’t new. However, because it’s primarily theoretical and rarely used in day-to-day maintenance, some of the knowledge often slips away.

d

The good news is that you don’t need to know it as in-depth as you would for other

ie

certification exams such as the CompTIA Network+ exam. If you recently studied for

tif

Network+, you probably mastered these concepts, and this will just be a quick review.

er

Understanding the Layers

C

The OSI model has seven layers. The layers from Layer 1 to Layer 7 are Physical, Data Link, Network, Transport, Session, Presentation, and Application. Many people use mnemonics to memorize the layers. For example, “Please Do Not Throw Sausage Pizza

et

Away.” The first letter in each of the words represents the first letter of the layer. The P in

G

Please is for Physical, the D in Do is for the Data Link layer, and so on. Another common mnemonic is “All People Seem To Need Data Processing” (for

Application, Presentation, Session, Transport, Network, Data Link, and Physical). Notice that this method lists the layers from Layer 7 to Layer 1.

G et

Table D.1: OSI layers and common mnemonics

Ah

ea d

Table D.1 summarizes the layers with the mnemonics.

After mastering the mnemonic, you also need to remember which layer is Layer 1, and which layer is Layer 7. This memory technique may help. You may have heard about a “Layer 8 error.” This is another way of saying “user error” and users interact with

d

applications. In other words, a user on the mythical Layer 8 interacts with applications, which

ie

are on Layer 7. I don’t mean to belittle users or user errors—I make my fair share of errors. However, this memory trick has helped me, and many other people, remember that the

tif

Application layer is Layer 7.

er

The following sections provide a short synopsis of these layers.

C

Layer 1: Physical

The Physical layer is associated with the physical hardware. It includes specifications

et

for cable types, such as 1000BaseT, connectors, and hubs. Computing devices such as computers, servers, routers, and switches transmit data onto the transmission medium in a

G

bitstream. This bitstream is formatted according to specifications at higher-level OSI layers.

Layer 2: Data Link The Data Link layer is responsible for ensuring that data is transmitted to specific devices on the network. It formats the data into frames and adds a header that includes media

Copyright 2021 YCDA, LLC.

access control (MAC) addresses for the source and destination devices. It adds frame check sequence data to the frame to detect errors, but it doesn’t support error correction. The Data Link layer simply discards frames with detected errors. Flow control functions are also available on this layer. Traditional switches (Layer 2 switches) operate on this layer. Computer network interface cards have a MAC assigned, and switches map the computer MAC addresses to

IPv4 addresses to MAC addresses. VLANs are defined on this layer.

ea d

physical ports on the switch. Systems use the Address Resolution Protocol (ARP) to resolve

The CompTIA Security+ objectives list Layer 2 attacks as Address Resolution Protocol “Protecting Against Advanced Attacks,” covers these attacks.

G et

Layer 3: Network

Ah

(ARP) poisoning, media access control (MAC) flooding, and MAC cloning. Chapter 7,

The Network layer uses logical addressing in the form of IP addresses at this layer. This includes both IPv4 addresses and IPv6 addresses. Packets identify where the traffic originated (the source IP address) and where it is going (the destination IP address). Other

d

protocols that operate on this layer are IPsec and ICMP. Routers and Layer 3 switches

tif

Layer 4: Transport

ie

operate on this layer.

er

The Transport layer is responsible for transporting data between systems, commonly referred to as end-to-end connections. Transmission Control Protocol (TCP) and User

C

Datagram Protocol (UDP) operate on this layer. TCP provides reliability with error control,

et

flow control, and segmentation of data.

G

Layer 5: Session

The Session layer is responsible for establishing, maintaining, and terminating sessions

between systems. In this context, a session refers to an extended connection between two systems, sometimes referred to as dialogues or conversations. As an example, if you log on to a webpage, the Session layer establishes a connection with the web server and keeps it open

Copyright 2021 YCDA, LLC.

while you’re interacting with the webpages. When you close the pages, the Session layer terminates the session. If you’re like many users, you probably have more than one application open at a time. For example, in addition to having a web browser open, you might have an email application open. Each of these is a different session, and the Session layer manages them separately.

ea d

Layer 6: Presentation

The Presentation layer is responsible for formatting the data needed by the end-user

applications. For example, American Standard Code for Information Interchange (ASCII)

define codes used to display characters on this layer.

G et

Layer 7: Application

Ah

and Extended Binary Coded Decimal Interchange Code (EBCDIC) are two standards that

The Application layer is responsible for displaying information to the end user in a readable format. Application layer protocols typically use this layer to determine if sufficient network resources are available for an application to operate on the network.

d

Note that this layer doesn’t refer to end-user applications directly. However, many end-

ie

user applications use protocols defined at this layer. For example, a web browser interacts

tif

with DNS services to identify the IP address of a website name. Similarly, Hypertext

on this layer.

er

Transfer Protocol (HTTP) and HTTP Secure (HTTPS) transmit webpages over the Internet

Some of the protocols that operate on this layer are:

C

• HTTP and HTTPS

• Secure Shell (SSH)

et

• Domain Name System (DNS)

G

• Post Office Protocol 3 (POP3) • Simple Mail Transfer Protocol (SMTP) • File Transfer Protocol (FTP) and FTP Secure (FTPS) • Secure FTP (SFTP) and Trivial FTP (TFTP) • Internet Message Access Protocol 4 (IMAP4)

Copyright 2021 YCDA, LLC.

• Simple Network Management Protocol (SNMP) • Lightweight Directory Access Protocol (LDAP) and LDAP Secure (LDAPS) Many advanced devices are application-aware and operate on all of the layers up to the Application layer. This includes proxy servers, web application firewalls, next-generation firewalls (NGFWs), unified threat management (UTM) security appliances, and web security

d

G et

Ah

Table D.2 summarizes the layers with relevant devices and protocols

ea d

gateways.

G

et

C

er

tif

ie

Table D.2: OSI layers, devices, protocols

Copyright 2021 YCDA, LLC.

Appendix E—Glossary This glossary from the CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide

d

includes the key terms included in the SY0-601 objectives, along with some other relevant terms. CompTIA sometimes spell out acronyms in the objectives, and they sometimes use acronyms in test

ea

questions. This glossary often includes both spellings. As an example, you’ll see two entries for Advanced Encryption Standard (AES):

Ah

Advanced Encryption Standard (AES)—A symmetric algorithm used to encrypt data and provide confidentiality. AES is a block cipher, and it encrypts data in 128-bit blocks. It is quick, highly

secure, and used in a wide assortment of cryptography schemes. It includes key sizes of 128 bits, 192 bits, or 256 bits.

et

AES—Advanced Encryption Standard. A symmetric algorithm used to encrypt data and provide confidentiality. AES is a block cipher, and it encrypts data in 128-bit blocks. It is quick, highly

G

secure, and used in a wide assortment of cryptography schemes. It includes key sizes of 128 bits, 192 bits, or 256 bits.

This should make it easy for people to find either AES or Advanced Encryption Standard when

tif i

Numbers

ed

searching.

3DES—Triple Digital Encryption Standard. A symmetric algorithm used to encrypt data and provide

er

confidentiality. It is a block cipher that encrypts data in 64-bit blocks. It was originally designed as a replacement for DES, and is still used in some applications, such as when hardware doesn’t support AES.

C

802.1X— A port-based authentication protocol, also known as IEEE 802.1X. An authentication protocol used in VPNs and wired and wireless networks. VPNs often implement it as a RADIUS

et

server. Wired networks use it for port-based authentication. Wireless networks use it in Enterprise mode, and it often uses one of the EAP authentication protocols. Compare with EAP, PEAP, EAP-

G

TLS, and EAP-TTLS.

A

AAA—Authentication, Authorization, and Accounting. AAA protocols are used in remote access systems. For example, TACACS+ is an AAA protocol that uses multiple challenges and responses

during a session. Authentication verifies a user’s identification. Authorization determines if a user should have access. Accounting tracks a user’s access with logs. ABAC—Attribute-based access control. An access control scheme. ABAC grants access to resources based on attributes assigned to subjects and objects. Compare with DAC, MAC, role-based

d

access control, and rule-based access control. acceptable use policy (AUP)—A policy defining proper system usage and the rules of behavior for

ea

employees. It will often describe the purpose of computer systems and networks, how users can access

them, and the

Ah

access control vestibules—A physical security mechanism designed to control access to a secure

area. An access control vestibule prevents tailgating. It is a room, or even a building, with two doors that creates a large buffer area between the secure and unsecured areas. This was previously known as a mantrap.

et

access point (AP)—A device that connects wireless clients to wireless networks. Sometimes called a wireless access point (WAP).

G

account audit—An audit that analyzes user accounts and assigned privileges. It identifies the privileges (rights and permissions) granted to users, and compares them against what the users need.

ed

accounting—The process of tracking the activity of users and recording this activity in logs. One method of accounting is audit logs that create an audit trail. ACE—Access Control Entry. Identifies a user or group that is granted permission to a resource.

tif i

ACEs are contained within a DACL in NTFS.

ACK—Acknowledge. A packet in a TCP handshake. In a SYN flood attack, attackers send the SYN

er

packet but don’t complete the handshake after receiving the SYN/ACK packet. ACL—Access control list. Lists of rules used by routers and stateless firewalls. These devices use

C

the ACL to control traffic based on networks, subnets, IP addresses, ports, and some protocols. active reconnaissance—A penetration testing method used to collect information. It uses tools to send data to systems and analyzes responses, and gain knowledge on the target. Compare with

et

passive reconnaissance.

address resolution protocol (ARP) poisoning—An attack that misleads systems about the actual

G

MAC address of a system. ARP poisoning attacks can redirect traffic through an attacker’s system by sending false MAC address updates.

ad hoc—A connection mode used by wireless devices without an AP. When wireless devices

connect through an AP, they are using infrastructure mode. Compare with WiFi Direct.

Security+ Practice Test Questions

https://gcgapremiumpass.com/sy0-601-practice-test-questions/

Advanced Encryption Standard (AES)—A symmetric algorithm used to encrypt data and provide confidentiality. AES is a block cipher, and it encrypts data in 128-bit blocks. It is quick, highly secure, and used in a wide assortment of cryptography schemes. It includes key sizes of 128 bits, 192 bits, or 256 bits.

d

advanced persistent threat (APT)—A group that has both the capability and intent to launch sophisticated and targeted attacks. A nation state (such as a foreign government) sponsored APTs.

ea

AES—Advanced Encryption Standard. A symmetric algorithm used to encrypt data and provide confidentiality. AES is a block cipher, and it encrypts data in 128-bit blocks. It is quick, highly

Ah

secure, and used in a wide assortment of cryptography schemes. It includes key sizes of 128 bits, 192 bits, or 256 bits.

AES-256—Advanced Encryption Standard 256 bit. AES sometimes includes the number of bits used in the encryption keys, and AES-256 uses 256-bit encryption keys.

et

affinity—A scheduling method used with load balancers. It uses the client’s IP address to ensure the client is redirected to the same server during a session.

G

agent—A NAC agent that is installed on a client. It checks the client for health and is sometimes called just an agent. Compare with agentless or dissolvable agent. agentless—A NAC agent that runs on a client, but deletes itself later. It checks the client for health

ed

and is the same as a dissolvable client. Compare with permanent agent. AH—Authentication Header. An option within IPsec to provide authentication and integrity. IPsec includes uses AH to provide authentication and integrity using HMAC. ESP provides confidentiality,

tif i

integrity, and authentication using HMAC and AES or 3DES. AH is identified with protocol ID number 51. Compare with IPSec and ESP.

er

air gap—A physical security control that provides physical isolation. Systems separated by an air gap (a gap of air) don’t typically have any physical connections to other systems. Sometimes spelled as

C

airgap.

ALE—Annualized (or annual) loss expectancy. The expected loss for a year. The ALE identifies the expected annual loss and is used to measure risk with ARO and SLE in a quantitative risk

et

assessment. The calculation is SLE × ARO = ALE. Compare with SLE and ARO. allow list—A list of applications that a system allows. Users are only able to install or run applications

G

on the list. Sometimes referred to as a whitelist. Compare with block list and deny list. annualized (or annual) loss expectancy (ALE)—The expected loss for a year. The ALE identifies

the expected annual loss and is used to measure risk with ARO and SLE in a quantitative risk assessment. The calculation is SLE × ARO = ALE. Compare with SLE and ARO.

Copyright 2021 YCDA, LLC v0.1

annualized (or annual) rate of occurrence (ARO)—The number of times a loss is expected to occur in a year. The ARO is used to measure risk with ALE and SLE in a quantitative risk assessment. The calculation is SLE × ARO = ALE. Compare with SLE and ALE. anomaly—A variance from a baseline. Some intrusion detection and intrusion prevention systems

d

detect attacks by comparing traffic against a baseline. It is also known as heuristic detection. anonymization—A process that removes PII from a data set. The goal is to remove any data from a

ea

data set to ensure that data can’t be traced back to an individual. Ideally, anonymization is

permanent, but if not done effectively, the process can be reversed. Compare with data masking,

Ah

pseudo-anonymization, and tokenization.

anti-malware—Software that protects systems from viruses and other malware. It protects against most malware, including viruses, Trojans, worms, and more. Compare with antivirus.

antivirus—Software that protects systems from malware. Although it is called antivirus software, it

et

protects against most malware, including viruses, Trojans, worms, and more. Compare with antimalware.

G

Anything as a Service (XaaS)—A cloud computing model. XaaS refers to any cloud computing model not identified in IaaS, PaaS, or SaaS models. Compare to IaaS, PaaS, and SaaS. wireless access point (WAP).

ed

AP—Access point. A device that connects wireless clients to wireless networks. Sometimes called a API—Application programming interface. A software module or component. An API gives developers access to features or data within another application, service, or operating system. APIs

tif i

or often used with web applications, Internet of Things (IoT) devices, and cloud-based services. API attacks—Application programming interface attacks. Attacks on an API. API attacks attempt to

er

discover and exploit vulnerabilities in APIs.

application programming interface (API)—A software module or component. An API gives

C

developers access to features or data within another application, service, or operating system. APIs or often used with web applications, Internet of Things (IoT) devices, and cloud-based services. application programming interface (API) attacks—Attacks on an API. API attacks attempt to

et

discover and exploit vulnerabilities in APIs.

APT—Advanced persistent threat. A group that has both the capability and intent to launch

G

sophisticated and targeted attacks. A nation state (such as a foreign government) sponsored APTs.

Argon2—A key stretching algorithm. Argon2 uses a password and salt that is passed through an

algorithm several times. This thwarts rainbow table attacks. Compare with Bcrypt and PBKDF2.

Security+ Practice Test Questions

https://gcgapremiumpass.com/sy0-601-practice-test-questions/

ARO—Annualized (or annual) rate of occurrence. The number of times a loss is expected to occur in a year. The ARO is used to measure risk with ALE and SLE in a quantitative risk assessment. The calculation is SLE × ARO = ALE. Compare with SLE and ALE. arp—A command-line tool used to show and manipulate the Address Resolution Protocol (ARP) cache.

d

Compare with ARP. ARP—Address Resolution Protocol. Resolves IPv4 addresses to MAC addresses. Compare with arp.

ea

Address Resolution Protocol (ARP)—Resolves IPv4 addresses to MAC addresses. Compare with arp.

ARP poisoning—An attack that misleads systems about the actual MAC address of a system. ARP

Ah

poisoning attacks can redirect traffic through an attacker’s system by sending false MAC address updates.

ASCII—American Standard Code for Information Interchange. Code used to display characters. asset value—An element of a risk assessment. It identifies the value of an asset and can include any

et

product, system, resource, or process. The value can be a specific monetary value or a subjective value.

G

asymmetric encryption—A type of encryption using two keys to encrypt and decrypt data. It uses a public key and a private key. Compare with symmetric encryption. attestation—A process that checks and validates system files during the boot process. TPMs

ed

sometimes use remote attestation, sending a report to a remote system for attestation. audit trail—A record of events recorded in one or more logs. When security professionals have access to all the logs, they can re-create the events that occurred leading up to a security incident.

tif i

AUP—Acceptable use policy. A policy defining proper system usage and the rules of behavior for employees. It will often describe the purpose of computer systems and networks, how users can access

er

them, and the responsibilities of users when accessing the systems. authentication—The process that occurs when a user proves an identity. Users often claim an

C

identity with a username and prove the identity is theirs with a password. authentication attributes—Attributes that are sometimes used with authentication factors. They include somewhere you are, something you can do, something you exhibit, and someone you know.

et

Compare with somewhere you are, something you can do, something you exhibit, and someone you

know.

G

authentication factors—The different methods used for authentication. The common authentication

factors are something you know, such as a password or personal identification number (PIN),

something you have, such as a smart card, a phone, or a USB token, and something you are, such as a fingerprint or other biometric identification. Compare with authentication attributes, something you know, something you have, and something you are. Copyright 2021 YCDA, LLC v0.1

authorization—The process of granting access to resources for users who prove their based on their proven identity. Users typically claim an identity with a username and prove their identity with a password. availability—One of the three main goals of information security known as the CIA security triad.

d

Availability ensures that systems and data are up and operational when needed. Compare with

ea

confidentiality and integrity.

B

Ah

backdoor—An alternate method of accessing a system. Malware often adds a backdoor into a system after it infects it.

background check—A check into a person’s history, typically to determine eligibility for a job. banner grabbing—A method used to gain information about a remote system. It identifies the

et

operating system and other details on the remote system.

BCP—Business continuity plan. A plan that helps an organization predict and plan for potential

G

outages of critical services or functions. It includes disaster recovery elements that provide the steps used to return critical functions to operation after an outage. A BIA is a part of a BCP, and the BIA

ed

drives decisions to create redundancies such as failover clusters or alternate sites. Compare with BIA and DRP.

bcrypt—A key stretching algorithm. It is used to protect passwords. Bcrypt salts passwords with

tif i

additional bits before encrypting them with Blowfish. This thwarts rainbow table attacks. Compare with Argon2 and PBKDF2.

er

BIA—Business impact analysis. A process that helps an organization identify critical systems and components that are essential to the organization’s success. It identifies various scenarios that can impact these systems and components, maximum downtime limits, and potential losses from an

C

incident. The BIA helps identify RTOs and RPOs. Compare with BCP, BIA, DRP, RTO, and RPO. BIND—Berkeley Internet Name Domain. BIND is DNS software that runs on Linux and Unix

et

servers. Most Internet-based DNS servers use BIND. BIOS—Basic Input/Output System. A computer’s firmware used to manipulate different settings

G

such as the date and time, boot drive, and access password. UEFI is the designated replacement for BIOS. Compare with UEFI. birthday attack—A password attack named after the birthday paradox in probability theory. The

paradox states that for any random group of 23 people, there is a 50 percent chance that 2 of them have the same birthday.

Security+ Practice Test Questions

https://gcgapremiumpass.com/sy0-601-practice-test-questions/

blockchain—A distributed, decentralized, public ledger. The word block refers to pieces of digital information (the ledger), and chain refers to a public database. Digital cryptocurrencies use blockchain technology. block cipher—An encryption method that encrypts data in fixed-sized blocks. Compare with stream

d

cipher. block list— A list of applications that a system blocks or denies. Users are unable to install or run any

ea

applications on the list. Also called deny list. Compare with allow list.

Blowfish—A strong symmetric block cipher. It encrypts data in 64-bit blocks and supports key sizes between 32 and 448 bits. Compare with Twofish. to nearby Bluetooth devices.

Ah

bluejacking—An attack against Bluetooth devices. It is the practice of sending unsolicited messages bluesnarfing—An attack against Bluetooth devices. Attackers gain unauthorized access to

et

Bluetooth devices and can access all the data on the device.

bluebugging—An attack against Bluetooth devices. Attackers gain full access to the phone and

G

installs a backdoor giving the attacker full access to the phone at any time. In addition to gaining full access to the phone, the attacker installs a backdoor.xml.

blue team—Personnel involved in cybersecurity readiness that are experts in defending systems.

ed

Compare with red team, purple team, white team and capture the flag. bollards—Short vertical posts that act as a barricade. Bollards block vehicles but not people. boot attestation—An entity verifies (or attests) that the boot files have not been modified. As an have changed.

tif i

example, a TPM supports a secure boot attestation process by first verifying none of the boot files

er

boot integrity—Processes that verify the integrity of the boot process for a system. Compare with measured boot, boot attestation, and hardware root of trust.

C

bots and botnets—Software robots that function automatically. A botnet is a group of computers that are joined together. Attackers often use malware to join computers to a botnet and then use the botnet to launch attacks.

et

braindump—A list of questions and answers for exams. They rarely have explanations and often

have incorrect answers. Braindump users are tricked into memorizing incorrect answers for

G

questions after memorizing them. They think they’re ready for the live exam, but they often fail the exam repeatedly without understanding why. Bridge Protocol Data Unit (BPDU) guard—A technology that detects false BPDU messages. False BPDU messages can indicate a switching loop problem and shut down switch ports. The BPDU guard detects false BPDU messages and blocks the BPDU attack. Copyright 2021 YCDA, LLC v0.1

bring your own device (BYOD)—A mobile device deployment model. A BYOD model allows employees to connect personally owned devices, such as tablets and smartphones, to a company network. Data security is often a concern with BYOD policies causing organizations to consider CYOD or COPE models. Compare with COPE and CYOD.

d

brute force—A password attack that attempts to guess a password. Online brute force attacks guess passwords of online systems. Offline attacks guess passwords contained in a file or database. than it expects. It exposes system memory that is normally inaccessible.

ea

buffer overflow—An error that occurs when an application receives more input, or different input,

Compare with shredding, pulping, pulverizing, and degaussing.

Ah

burning—A data sanitization process. Burning is typically performed within an incinerator.

business continuity plan (BCP)—A plan that helps an organization predict and plan for potential outages of critical services or functions. It includes disaster recovery elements that provide the steps

et

used to return critical functions to operation after an outage. A BIA is a part of a BCP, and the BIA drives decisions to create redundancies such as failover clusters or alternate sites. Compare with BIA

G

and DRP.

business impact analysis (BIA)—A process that helps an organization identify critical systems and components that are essential to the organization’s success. It identifies various scenarios that can

d

impact these systems and components, maximum downtime limits, and potential losses from an

ie

incident. The BIA helps identify RTOs and RPOs. Compare with BCP, BIA, DRP, RTO, and RPO. BYOD—Bring your own device. A mobile device deployment model. A BYOD model allows

er tif

employees to connect personally owned devices, such as tablets and smartphones, to a company network. Data security is often a concern with BYOD policies causing organizations to consider CYOD or COPE models. Compare with COPE and CYOD. Pass the First Time with Quality Practice Test Questions

C

https://gcgapremium.com/sy0-601-practice-test-questions/

et

C

G

CA—Certificate Authority. An organization that manages, issues, and signs certificates and is part

of a PKI. Certificates are an essential part of asymmetric encryption, and they include public keys and details on the owner of the certificate and the CA that issued the certificate. Certificate owners share their public key by sharing a copy of their certificate. Compare with PKI.

Security+ Practice Test Questions

https://gcgapremiumpass.com/sy0-601-practice-test-questions/

CAPTCHA—Completely Automated Public Turing Test to Tell Computers and Humans Apart. Technique used to prevent automated tools from interacting with a website. Users must type in text often from a slightly distorted image. captive portal—A technical solution that forces wireless clients using web browsers to complete a

d

process before accessing a network. It is often used to ensure users agree to an acceptable use policy or pay for access.

ea

capture the flag—A competition involving cybersecurity personnel. Capture the flag (CTF) events vary depending on who is hosting the event but typically involved red teams, blue teams, purple

Ah

teams, and white teams. Compare with red team, blue team, purple team, and white team.

carrier unlocking—The process of unlocking a mobile phone from a specific cellular provider. CASB—Cloud access security broker. A software tool or service that enforces cloud-based security requirements. It is placed between the organization’s resources and the cloud, monitors all network

et

traffic, and can enforce security policies.

CBC—Cipher Block Chaining. A mode of operation used by some symmetric encryption ciphers. It

G

uses an IV for the first block and each subsequent block is combined with the previous block. CCMP—Counter Mode with Cipher Block Chaining Message Authentication Code Protocol. An encryption protocol based on AES and used with WPA2 for wireless security.

d

CCTV—Closed-circuit television. A detective control that provides video surveillance. Video

ie

surveillance provides reliable proof of a person’s location and activity. It is also a physical security control, and it can increase the safety of an organization’s assets.

er tif

CER—Canonical Encoding Rules. A base format for PKI certificates. They are ASCII encoded files. Compare with DER.

CERT—Computer Emergency Response Team. A group of experts who respond to security incidents.

C

certificate—A digital file used for encryption, authentication, digital signatures, and more. Public certificates include a public key used for asymmetric encryption. Certificate Authority (CA)—An organization that manages, issues, and signs certificates and is

et

part of a PKI. Certificates are an essential part of asymmetric encryption, and they include public

keys and details on the owner of the certificate and the CA that issued the certificate. Certificate

G

owners share their public key by sharing a copy of their certificate. Compare with PKI. share their public key by sharing a copy of their certificate. certificate chaining—A process that combines all certificates within a trust model. It includes all

the certificates in the trust chain from the root CA down to the certificate issued to the end user. Compare with certificate authority and intermediate CA. Copyright 2021 YCDA, LLC v0.1

certification revocation list (CRL)—A list of certificates that a Certificate Authority (CA) has revoked. Certificates are commonly revoked if they are compromised or issued to an employee who has left the organization. The CA that issued the certificate publishes a CRL, and a CRL is public. certificate signing request (CSR)—A method of requesting a certificate from a CA. It starts by

d

creating an RSA-based private/public key pair and then including the public key in the CSR. Most CAs require CSRs to be formatted using the Public-Key Cryptography Standards (PKCS) #10

ea

specification.

chain of custody—A process that provides assurances that evidence has been controlled and

Ah

handled properly after collection. Forensic experts establish a chain of custody when they first collect evidence.

change management—The process used to prevent unauthorized changes. Unauthorized changes often result in unintended outages.

et

CHAP—Challenge Handshake Authentication Protocol. An authentication mechanism where a server challenges a client. Compare with MS-CHAPv2 and PAP.

G

checksum—A type of a hash that is quick but not necessarily cryptographically secure. It is often used to validate the integrity of data. RAID-5 disks use checksum bits to verify that data on disks aren’t corrupt.

d

Choose your own device (CYOD)—A mobile device deployment model. Employees can connect

ie

their personally owned device to the network as long as the device is on a preapproved list. Note that the device is purchased by and owned by employees. Compare with BYOD and COPE.

er tif

CIA—Confidentiality, integrity, and availability. These three form the security triad. Confidentiality helps prevent the unauthorized disclosure of data. Integrity provides assurances that data has not been modified, tampered with, or corrupted. Availability indicates that data and services are available when needed.

C

CIO—Chief Information Officer. A “C” level executive position in some organizations. A CIO focuses on using methods within the organization to answer relevant questions and solve problems. ciphertext—The result of encrypting plaintext. Ciphertext is not in an easily readable format until it is

et

decrypted. Compare with plaintext.

clean desk space—A security policy requiring employees to keep their areas organized and free of

G

papers. The goal is to reduce threats of security incidents by protecting sensitive data. closed-circuit television (CCTV)—A detective control that provides video surveillance. Video

surveillance provides reliable proof of a person’s location and activity. It is also a physical security control, and it can increase the safety of an organization’s assets.

Security+ Practice Test Questions

https://gcgapremiumpass.com/sy0-601-practice-test-questions/

cloud access security broker (CASB)—A software tool or service that enforces cloud-based security requirements. It is placed between the organization’s resources and the cloud, monitors all network traffic, and can enforce security policies. cloud deployment models—Cloud model types that identify who has access to cloud resources.

d

Public clouds are for any organization, and private clouds are for a single organization. Community clouds are shared among community organizations. A hybrid cloud is a combination of two or more

ea

clouds.

code reuse—Code reuse refers to reusing code instead of re-creating code that already exists. A

Ah

primary benefit is that existing code has already been tested, while new code may introduce new bugs.

code signing—The process of assigning a certificate to code. The certificate includes a digital signature and validates the code.

et

cold site—An alternate location for operations. A cold site will have power and connectivity needed for activation, but little else. Compare with hot site and warm site.

G

collision—A hash vulnerability that can be used to discover passwords. A hash collision occurs when two different passwords create the same hash. A collision attack attempts to find two different passwords that create the same hash.

ie

vulnerabilities and exposures.

d

Common Vulnerabilities and Exposures (CVE)—A dictionary of publicly known security compensating controls—Security controls that are alternative controls used when a primary

er tif

security control is not feasible. Compare with preventive, detective, corrective, deterrent, and physical security controls.

confidential data—Data meant to be kept secret among a certain group of people. As an example, salary data is meant to be kept secret and not shared with everyone within a company.

C

confidentiality—One of the core goals of information security sometimes referred to as the CIA security triad. Confidentiality ensures that unauthorized entities cannot access data. Encryption and access controls help protect against the loss of confidentiality. Compare with availability and

et

integrity.

containerization—A method used to isolate application and data in mobile devices. It isolates and

G

protects the application, including any data used by the application. It is useful when using the BYOD model because the container can be encrypted without encrypting the user’s data.

containers—A method used to isolate services or applications in virtual machines. Container

virtualization runs services or applications within isolated containers or application cells

Copyright 2021 YCDA, LLC v0.1

context-aware authentication—An authentication method using multiple elements to authenticate a user and a mobile device. It can include identity, geolocation, the device type, and more. Continuity of operations planning (COOP)—Continuity of operations planning sites provide an alternate location for operations after a critical outage. A hot site includes personnel, equipment,

d

software, and communication capabilities of the primary site with all the data up to date. A cold site will have power and connectivity needed for COOP activation, but little else. A warm site is a

ea

compromise between a hot site and a cold site. Compare with hot site, cold site, and warm site. control diversity—The use of different security control types, such as technical controls,

Ah

administrative controls, and physical controls. Compare with vendor diversity, technology diversity, and crypto diversity.

COOP—Continuity of operations planning. Continuity of operations planning sites provide an alternate location for operations after a critical outage. A hot site includes personnel, equipment,

et

software, and communication capabilities of the primary site with all the data up to date. A cold site will have power and connectivity needed for COOP activation, but little else. A warm site is a

G

compromise between a hot site and a cold site. Compare with hot site, cold site, and warm site. COPE—Corporate-owned, personally enabled. A mobile device deployment model. The organization purchases and issues devices to employees. Compare with BYOD and CYOD.

d

corporate-owned, personally enabled (COPE)—A mobile device deployment model. The

ie

organization purchases and issues devices to employees. Compare with BYOD and CYOD. corrective controls—Security controls that attempt to reverse the impact of a security incident.

er tif

Compare with preventive, detective, deterrent, compensating, and physical security controls. Compare with preventive, detective, corrective, deterrent, compensating, and physical security controls.

CRL—Certification revocation list. A list of certificates that a Certificate Authority (CA) has

C

revoked. Certificates are commonly revoked if they are compromised or issued to an employee who has left the organization. The CA that issued the certificate publishes a CRL, and a CRL is public. crossover error rate—The point where the false acceptance rate (FAR) crosses over with the false

et

rejection rate (FRR). A lower CER indicates a more accurate biometric system.

cross-site request forgery (XSRF)—A web application attack. Attackers use XSRF attacks to trick

G

users into performing actions on websites, such as making purchases, without their knowledge. In some cases, it allows an attacker to steal cookies and harvest passwords. cross-site scripting (XSS)— A web application vulnerability that allows attackers to inject scripts into

webpages. Attackers use XSS to capture user information such as cookies. Input validation

Security+ Practice Test Questions

https://gcgapremiumpass.com/sy0-601-practice-test-questions/

techniques on the server-side help prevent XSS attacks by blocking HTML and JavaScript tags. Many sites prevent the use of < and > characters to block cross-site scripting. crypto diversity—Using different methods to protect cryptographic keys. Compare with control diversity, vendor diversity, and technology diversity.

d

cryptomalware—A type of ransomware that encrypts the user’s data. CSF—Cybersecurity Framework. A framework that aligns with the RMF and can be used in the

ea

private sector. NIST SP 800-37, “Risk Management Framework for Information Systems and

Organizations” is targeted toward federal government agencies. The CSF is an alternative that fits

Ah

the private sector. It includes three components: the framework core, the framework implantation tiers, and the framework profiles.

CSR—Certificate signing request. A method of requesting a certificate from a CA. It starts by creating an RSA-based private/public key pair and then including the public key in the CSR. Most

et

CAs require CSRs to be formatted using the Public-Key Cryptography Standards (PKCS) #10 specification.

G

CTM—Counter mode. A mode of operation used for encryption that combines an IV with a counter. The combined result is used to encrypt blocks.

CTO—Chief Technology Officer. A “C” level executive position in some organizations. CTOs

d

focus on technology and evaluate new technologies.

ie

custom firmware—Mobile device firmware other than the firmware provided with the device. People sometimes use custom firmware to root Android devices.

er tif

CVE—Common Vulnerabilities and Exposures. A dictionary of publicly known security vulnerabilities and exposures.

Cybersecurity Framework (CSF)—A framework that aligns with the RMF and can be used in the private sector. NIST SP 800-37, “Risk Management Framework for Information Systems and

C

Organizations” is targeted toward federal government agencies. The CSF is an alternative that fits the private sector. It includes three components: the framework core, the framework implantation tiers, and the framework profiles.

et

cybersecurity resilience—A system’s ability to continue to operate even after an adverse event.

Resilience is similar to availability. However, availability tries to keep systems operational 100

G

percent of the time, which isn’t possible. In contrast, resilience expects systems to have outages and seeks to restore the system to full operation as soon as possible after the outage. Compare with

availability.

Copyright 2021 YCDA, LLC v0.1

CYOD—Choose your own device. A mobile device deployment model. Employees can connect their personally owned device to the network as long as the device is on a preapproved list. Note that the device is purchased by and owned by employees. Compare with BYOD and COPE.

d

D

ea

DAC—Discretionary access control. An access control scheme. All objects (files and folders) have

owners, and owners can modify permissions for the objects. Compare with ABAC, MAC, role-based access control, and rule-based access control.

Ah

data at rest—Any data stored on media. It’s common to encrypt sensitive data-at-rest.

data bias—A risk associated with machine learning and AI-enabled systems. People write algorithms, and sometimes people inadvertently insert their bias into their code and data used by their code. As an example, the Correctional Offender Management Profiling for Alternative

et

Sanctions (COMPAS) algorithm used in US court systems to predict recidivism reportedly produced twice as many false positives for black offenders (45%) than white offenders (23%). Compare with

G

tainted data.

data controller—A GDPR data role. The data controller determines how and why personal data

d

should be processed and typically delegates the data processing to a data processor. data custodian/steward—A GDPR data role. The data custodian (sometimes called a data steward)

ie

performs routine daily tasks such as storing and backing up data.

er tif

data owner—A GDPR data role. The data owner is most responsible for protecting privacy and user rights for any data owned by an organization. data processor—A GDPR data role. The data processor uses and manipulates data on behalf of the data controller.

data protection officer (DPO)—A GDPR data role. The DPO is responsible for ensuring the

C

organization complies with all relevant laws and acts as an independent advocate for customer data. Data Execution Prevention (DEP)—A security feature in some operating systems. DEP prevents

et

an application or service from executing in memory regions marked as nonexecutable. DEP can block some malware.

G

data exfiltration—The unauthorized transfer of data outside an organization. data in transit/motion—Any data sent over a network. It’s common to encrypt sensitive data in transit.

data in use—Any data currently being used by a computer. Because the computer needs to process the data, it is not encrypted while in use.

Security+ Practice Test Questions

https://gcgapremiumpass.com/sy0-601-practice-test-questions/

data loss prevention (DLP)— A group of technologies used to prevent data loss. End-point DLP systems can prevent users from copying or printing sensitive data. Network-based DLP systems monitor outgoing email to detect and block unauthorized data transfers and monitor data stored in the cloud.

d

data masking—Modifying the data to hide the original content. Data masking replaces data with other data that looks valid but is inaccurate. For example, Homer can be replaced with Fred. Data

ea

masking creates data sets that used for testing. Compare with anonymization, pseudo-anonymization, and tokenization.

Ah

data minimization—A principle requiring organizations to limit the information they collect and use. Compare with data retention.

data retention policy—A security policy specifying how long data should be kept or retained. data sanitization—The process of destroying or removing all sensitive data from systems and

et

devices. Data sanitization methods include burning, shredding, pulping, pulverizing, and degaussing. data sovereignty—A term that refers to the legal implications of data stored in different countries. It

G

is primarily a concern related to backups stored in alternate locations via the cloud. DDoS—Distributed denial-of-service. An attack on a system launched from multiple sources. DDoS attacks consume a system’s resources resulting in resource exhaustion. DDoS attacks typically

d

include sustained, abnormally high network traffic. Compare to DoS.

ie

denial-of-service (DoS)—An attack from a single source. A DoS attack that attempts to disrupt the services provided by the attacked system. Compare to DDoS.

er tif

dead code—Code that is never executed or used. It is often caused by logic errors. defense in depth—The use of multiple layers of security to protect resources. Control diversity and vendor diversity are two methods organizations implement to provide defense in depth. degaussing—A data sanitization process. Degaussing removes data from magnetic media using a

C

powerful electronic magnet. Degaussing is sometimes used to remove data from backup tapes or to destroy hard disks. Compare with burning, shredding, pulping, and pulverizing. deny list— A list of applications that a system denies or blocks. Users are unable to install or run any

et

applications on the list. Also called block list. Compare with allow list.

DEP—Data Execution Prevention. A security feature in some operating systems. DEP prevents an

G

application or service from executing in memory regions marked as nonexecutable. DEP can block some malware.

DER—Distinguished Encoding Rules. A base format for PKI certificates. They are BASE64 binary encoded files. Compare with CER.

Copyright 2021 YCDA, LLC v0.1

detective controls—Security controls that attempt to detect security incidents after they have occurred. Compare with preventive, corrective, deterrent, compensating, and physical security controls. deterrent controls—Security controls that attempt to discourage individuals from causing a security

d

incident. Compare with preventive, detective, corrective, compensating, and physical security controls.

ea

DH—Diffie-Hellman. An asymmetric algorithm used to privately share symmetric keys. DH

Ephemeral (DHE) uses ephemeral keys, which are re-created for each session. Elliptic Curve DHE

Ah

(ECDHE) uses elliptic curve cryptography to generate encryption keys.

DHCP—Dynamic Host Configuration Protocol. A service used to dynamically assign TCP/IP configuration information to clients. DHCP is often used to assign IP addresses, subnet masks, default gateways, DNS server addresses, and much more.

et

DHCP snooping—A preventive measure used to prevent unauthorized DHCP servers. It is enabled on Layer 2 switch ports. When enabled, the switch only sends DHCP broadcast traffic (the DHCP

G

discover message) to trusted ports.

DHE—Diffie-Hellman Ephemeral. An alternative to traditional Diffie-Hellman. Instead of using static keys that stay the same over a long period, DHE uses ephemeral keys, which change for each

d

new session. Sometimes listed as EDH.

ie

Dictionary attack—A password attack that uses a file of words and character combinations. The attack tries every entry within the dictionary file when trying to guess a password.

er tif

differential backup—A type of backup. A differential backup will back up all the data that has changed or is different since the last full backup. Compare with incremental backup. Diffie-Hellman (DH)—An asymmetric algorithm used to privately share symmetric keys. DH Ephemeral (DHE) uses ephemeral keys, which are re-created for each session. Elliptic Curve DHE

C

(ECDHE) uses elliptic curve cryptography to generate encryption keys. dig—A Linux command-line tool. It is used to test DNS on Linux systems. Compare with nslookup. digital signature—An encrypted hash of a message, encrypted with the sender’s private key. It

et

provides authentication, non-repudiation, and integrity. Digital Signature Algorithm (DSA)—The algorithm used to create a digital signature. A digital

G

signature is an encrypted hash of a message. The sender’s private key encrypts the hash of the message to create the digital signature. The recipient decrypts the hash with the sender’s public key, and, if successful, it provides authentication, non-repudiation, and integrity. Authentication identifies the sender. Integrity verifies the message has not been modified. Non-repudiation is used with online

transactions and prevents the sender from later denying he sent the email.

Security+ Practice Test Questions

https://gcgapremiumpass.com/sy0-601-practice-test-questions/

directory traversal attack—An attack that attempts to access a file or folder by entering the directory path. It is often used as part of an HTTP GET command. For example, the passwd file on Linux systems is within the ../etc/passwd path, and directory traversal attacks include some form of the ../etc/passwd path in the GET command.

d

disablement policy—A policy that identifies when administrators should disable user accounts. Accounts are disabled or deleted when an employee leave a company.

ea

disassociation attack—An attack that removes wireless clients from a wireless network. It forces wireless clients to connect with an AP again and allows attackers to capture the authentication

Ah

process.

disaster recovery plan (DRP)—A document designed to help a company respond to disasters, such as hurricanes, floods, and fires. It includes a hierarchical list of critical systems and often prioritizes services to restore after an outage. Testing validates the plan. The final phase of disaster recovery

et

includes a review to identify any lessons learned and may include an update of the plan. Compare with BCP and BIA.

G

discretionary access control (DAC)—An access control scheme. All objects (files and folders) have owners, and owners can modify permissions for the objects. Compare with ABAC, MAC, rolebased access control, and rule-based access control.

d

dissolvable agent—A NAC agent that runs on a client, but deletes itself later. It checks the client for

ie

health and is the same as agentless. Compare with permanent agent. distributed denial-of-service (DDoS)—An attack on a system launched from multiple sources.

er tif

DDoS attacks consume a system’s resources resulting in resource exhaustion. DDoS attacks typically include sustained, abnormally high network traffic. Compare to DoS. DLL—Dynamic-link library. A compiled set of code that can be called from other programs. DLL injection—An attack that injects a Dynamic Link Library (DLL) into memory and runs it.

C

Attackers rewrite the DLL, inserting malicious code. DLP—data loss prevention. A group of technologies used to prevent data loss. End-point DLP systems can prevent users from copying or printing sensitive data. Network-based DLP systems

et

monitor outgoing email to detect and block unauthorized data transfers and monitor data stored in the cloud.

G

DMZ—demilitarized zone. A buffer zone between the Internet and an internal network. It allows access to services while segmenting access to the internal network. Internet clients can access the services hosted on servers in the DMZ, but the DMZ provides a layer of protection for the internal network. CompTIA is using the term screened subnet to replace DMZ. Compare with screened subnet. Copyright 2021 YCDA, LLC v0.1

DNS—Domain Name System. Used to resolve hostnames to IP addresses. DNS zones include records such as A records for IPv4 addresses, AAAA records for IPv6 addresses, and MX records to identify mail servers. DNS uses UDP port 53 for DNS client queries and TCP port 53 for zone transfers. Compare with DNS poisoning and pharming.

d

DNS poisoning—An attack that modifies or corrupts DNS results. DNSSEC helps prevent DNS poisoning. protect the integrity of DNS records and prevent some DNS attacks.

ea

DNSSEC—Domain Name System Security Extensions. A suite of extensions to DNS used to

from the owner.

Ah

domain hijacking—An attack that changes the registration of a domain name without permission DoS—denial-of-service. An attack from a single source. A DoS attack attempts to disrupt the services provided by the attacked system. Compare to DDoS.

et

downgrade attack—A type of attack that forces a system to downgrade its security. The attacker then exploits the lesser security control.

G

DRP—disaster recovery plan. A document designed to help a company respond to disasters, such as hurricanes, floods, and fires. It includes a hierarchical list of critical systems and often prioritizes services to restore after an outage. Testing validates the plan. The final phase of disaster recovery

ie

with BCP and BIA.

d

includes a review to identify any lessons learned and may include an update of the plan. Compare DSA—Digital Signature Algorithm. The algorithm used to create a digital signature. A A digital

er tif

signature is an encrypted hash of a message. The sender’s private key encrypts the hash of the message to create the digital signature. The recipient decrypts the hash with the sender’s public key, and, if successful, it provides authentication, non-repudiation, and integrity. Authentication identifies the sender. Integrity verifies the message has not been modified. Non-repudiation is used with online

C

transactions and prevents the sender from later denying he sent the email. dumpster diving—The practice of searching through trash looking for information from discarded documents. Shredding or burning papers helps prevent the success of dumpster diving.

G

et

dynamic-link library (DLL)—A compiled set of code that can be called from other programs.

E

EAP—Extensible Authentication Protocol. An authentication framework that provides general guidance for authentication methods. Variations include EAP-TLS, EAP-TTLS, and PEAP.

Security+ Practice Test Questions

https://gcgapremiumpass.com/sy0-601-practice-test-questions/

EAP-FAST—EAP-Flexible Authentication via Secure Tunneling. A Cisco-designed protocol sometimes used with 802.1X. EAP-FAST supports certificates, but they are optional. Compare with EAP, EAP-TLS, EAP-TTLS, and PEAP. EAP-TLS—Extensible Authentication Protocol-Transport Layer Security. An extension of EAP

d

sometimes used with 802.1X. This is one of the most secure EAP standards and is widely implemented. The primary difference between PEAP and EAP-TLS is that EAP-TLS requires certificates on the 802.1X

ea

server and on each of the wireless clients. Compare with EAP, EAP-TTLS, EAP-FAST, and PEAP.

EAP-TTLS—Extensible Authentication Protocol-Tunneled Transport Layer Security. An extension of

Ah

EAP sometimes used with 802.1X. It allows systems to use some older authentication methods such as PAP within a TLS tunnel. It requires a certificate on the 802.1X server but not on the clients. Compare with EAP, EAP-TLS, EAP-FAST, and PEAP.

ECC—Elliptic curve cryptography. An asymmetric encryption algorithm commonly used with smaller

et

wireless devices. It uses smaller key sizes and requires less processing power than many other encryption methods.

G

ECDHE—Elliptic Curve Diffie-Hellman Ephemeral. A version of Diffie-Hellman that uses ECC to generate encryption keys. Ephemeral keys are re-created for each session. elasticity—The ability of a system to handle an increased workload by dynamically scaling up or scaling

d

out as the need arise. A system may add more resources (such as more memory) when it suddenly

ie

experiences high demand. Scalability requires rebooting a server to add the resources, but elasticity dynamically adds the resources without rebooting the server. Compare with scalability.

er tif

electromagnetic interference (EMI)—Interference caused by motors, power lines, and fluorescent lights. EMI shielding prevents outside interference sources from corrupting data and prevents data from emanating outside the cable.

elliptic curve cryptography (ECC)—An asymmetric encryption algorithm commonly used with smaller

C

wireless devices. It uses smaller key sizes and requires less processing power than many other encryption methods.

Elliptic Curve Diffie-Hellman Ephemeral (ECDHE)—A version of Diffie-Hellman that uses ECC to

et

generate encryption keys. Ephemeral keys are re-created for each session.

embedded system—Any device that has a dedicated function and uses a computer system to

G

perform that function. It includes a CPU, an operating system, and one or more applications.

EMI—Electromagnetic interference. Interference caused by motors, power lines, and fluorescent lights. EMI shielding prevents outside interference sources from corrupting data and prevents data from emanating outside the cable.

Copyright 2021 YCDA, LLC v0.1

Encapsulating Security Protocol (ESP)—A part of IPsec that provides encryption. IPsec includes both AH and ESP. AH provides authentication and integrity using HMAC. ESP provides confidentiality, integrity, and authentication using HMAC and AES or 3DES. ESP is identified with protocol ID number 50.

d

encryption—A process that scrambles, or ciphers, data to make it unreadable. Encryption normally includes a public algorithm and a private key. Compare with asymmetric and symmetric encryption. with a username and password. Compare with Open and PSK modes.

ea

Enterprise—A wireless mode that uses an 802.1X server for security. It forces users to authenticate

Ah

entropy—The randomness of a cryptographic algorithm. A higher level of randomness results in a higher level of security when using the algorithm. A lack of entropy results in a weaker algorithm and makes it much easier for the algorithm to be cracked.

ephemeral key—A type of key used in cryptography. Ephemeral keys have short lifetimes and are

et

re-created for each session. In contrast, static keys are semi-permanent and stay the same over a long period of time.

G

error handling—A programming process that handles errors gracefully.

ESP—Encapsulating Security Protocol. A part of IPsec that provides encryption. IPsec includes both AH and ESP. AH provides authentication and integrity using HMAC. ESP provides confidentiality, integrity,

d

and authentication using HMAC and AES or 3DES. ESP is identified with protocol ID number 50. Compare with rogue AP.

ie

evil twin—A type of rogue AP. An evil twin has the same or similar SSID as a legitimate AP.

er tif

exit interview—An interview conducted with departing employees just before they leave an organization.

exploitation frameworks—Tools used to store information about security vulnerabilities. They are often used by penetration testers (and attackers) to detect and exploit software.

C

Extensible Authentication Protocol (EAP)—An authentication framework that provides general guidance for authentication methods. Compare with EAP-TLS, EAP-TTLS, EAP-FAST, and PEAP. Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)—An extension of EAP

et

sometimes used with 802.1X. This is one of the most secure EAP standards and is widely implemented. The primary difference between PEAP and EAP-TLS is that EAP-TLS requires certificates on the 802.1X

G

server and on each of the wireless clients. Compare with EAP, EAP-TTLS, EAP-FAST, and PEAP. Extensible Authentication Protocol-Tunneled Transport Layer Security (EAP-TTLS)—. An

extension of EAP sometimes used with 802.1X. It allows systems to use some older authentication methods such as PAP within a TLS tunnel. It requires a certificate on the 802.1X server but not on the clients. Compare with EAP, EAP-TLS, EAP-FAST, and PEAP.

Security+ Practice Test Questions

https://gcgapremiumpass.com/sy0-601-practice-test-questions/

Extensible Markup Language (XML)—A language used by many databases for inputting or exporting data. XML uses formatting rules to describe the data. extranet—The part of an internal network shared with outside entities. Extranets are often used to provide access to authorized business partners, customers, vendors, or others. Compare with

ea

d

intranet.

F

Ah

facial recognition— A biometric authentication system. Facial recognition systems identify people based on facial features.

factors of authentication—The different methods used for authentication. The common

authentication factors are something you know, such as a password or personal identification number

et

(PIN), something you have, such as a smart card, a phone, or a USB token, and something you are, such as a fingerprint or other biometric identification. Compare with authentication attributes,

G

something you know, something you have, and something you are.

false acceptance—A biometric error. It indicates a biometric system incorrectly accepted an result in a true acceptance.

d

unknown user as if the user was known. If the biometric system was working correctly, it would

ie

false acceptance rate (FAR)—Also called the false match rate. A rate that identifies the percentage

er tif

of times a biometric authentication system incorrectly indicates a match. false negative—A security incident that isn’t detected or reported. As an example, a NIDS false negative occurs if an attack is active on the network, but the NIDS does not raise an alert. A false negative on a vulnerability scanner indicates a vulnerability exists, but the vulnerability scanner didn’t detect it.

C

false positive—An alert on an event that isn’t a security incident. As an example, a NIDS false positive occurs if the NIDS raises an alert but activity on the network is normal. A false positive on a

et

vulnerability scanner indicates a vulnerability scanner detected a vulnerability, but a vulnerability doesn’t exist.

G

false rejection—A biometric error. It indicates a biometric system incorrectly rejected a valid user. If the biometric system was working correctly, it would result in a true acceptance. As an example, a NIDS false negative occurs if an attack is active on the network but the NIDS does not raise an alert. A false negative in a biometric system

Copyright 2021 YCDA, LLC v0.1

FAR—False acceptance rate. Also called the false match rate. A rate that identifies the percentage of times a biometric authentication system incorrectly indicates a match. Faraday cage—A room or enclosure that prevents signals from emanating beyond the room or enclosure. way, the system can tolerate the fault as if it never occurred.

ea

FDE—Full disk encryption. A method to encrypt an entire disk. Compare with SED.

d

fault tolerance—The capability of a system to suffer a fault, but continue to operate. Said another

federation—Two or more members of a federated identity management system. Used for single

Ah

sign-on.

File Transfer Protocol (FTP)—Used to upload and download files to an FTP server. FTP uses TCP ports 20 and 21. Secure FTP (SFTP) uses SSH for encryption on TCP port 22. FTP Secure (FTPS) uses SSL or TLS for encryption.

et

File Transfer Protocol Secure (FTPS)—An extension of FTP that uses SSL to encrypt FTP traffic. Some implementations of FTPS use TCP ports 989 and 990.

G

fingerprint scanners—A biometric authentication system. Fingerprint scanners scan fingerprints for authentication.

firewall—A software or a network device used to filter traffic. Firewalls can be host-based (running as an

d

application on a host) or network-based. Stateless firewalls filter traffic using rules within an ACL.

ie

firmware OTA updates—Over-the-air updates for mobile device firmware that keep them up to date. These are typically downloaded to the device from the Internet and applied to update the device.

er tif

forward proxy server—A server used to forward requests for services such as HTTP or HTTPS. All internal clients send their outgoing requests to the proxy server, and the proxy server sends the requests to the Internet server. Proxy servers increase performance by caching web pages and can filter URLs. A forward proxy server is commonly called a proxy server. Compare with reverse proxy

C

server.

framework—A structure used to provide a foundation. Cybersecurity frameworks typically use a structure of basic concepts and provide guidance to professionals on how to implement security.

et

FRR—False rejection rate. Also called the false nonmatch rate. A rate that identifies the percentage

of times a biometric authentication system incorrectly rejects a valid match.

G

FTP—File Transfer Protocol. Used to upload and download files to an FTP server. FTP uses TCP ports 20 and 21. Secure FTP (SFTP) uses SSH for encryption on TCP port 22. FTP Secure (FTPS) uses SSL or TLS for encryption.

FTPS—File Transfer Protocol Secure. An extension of FTP that uses SSL to encrypt FTP traffic. Some implementations of FTPS use TCP ports 989 and 990.

Security+ Practice Test Questions

https://gcgapremiumpass.com/sy0-601-practice-test-questions/

full backup—A type of backup that backs up all the selected data. A full backup could be considered a normal backup. full disk encryption (FDE)—A method to encrypt an entire disk. Compare with SED. full tunnel—An encrypted connection used with VPNs. When a user is connected to a VPN, all Pass the First Time with Quality Practice Test Questions

ea

https://gcgapremium.com/sy0-601-practice-test-questions/

d

traffic from the user is encrypted. Compare with split tunnel.

Ah

G

gamification—A training method that increases participation and interaction. Gamification intertwines game-design elements within user training methods. Some gamification techniques

et

include a sense of competition, such as capture the flag competitions.

GCM—Galois/Counter Mode. A mode of operation used for encryption. It combines the Counter

G

(CTM) mode with hashing techniques for data authenticity and confidentiality. GDPR—General Data Protection Regulation. The GDPR is a European Union (EU) regulation that

d

clarifies requirements to protect the personal data of anyone living in the EU. It also defines the roles protection officer (DPO).

ie

of data owners, data controllers, data processors, data custodians or data stewards, and the data

er tif

General Data Protection Regulation—A European Union (EU) regulation that clarifies requirements to protect the personal data of anyone living in the EU. It defines the roles of data owners,

data controllers, data processors, data custodians or data stewards, and the data protection officer (DPO).

C

geofencing—A virtual fence or geographic boundary. It uses GPS to create the boundary. Apps can then respond when a mobile device is within the virtual fence.

et

geolocation—The location of a device identified by GPS. It can help locate a lost or stolen mobile

device.

G

Global Positioning System (GPS)—A satellite-based navigation system that identifies the location of a device or vehicle. Mobile devices often incorporate GPS capabilities.

GPS—Global Positioning System. A satellite-based navigation system that identifies the location of a

device or vehicle. Mobile devices often incorporate GPS capabilities.

Copyright 2021 YCDA, LLC v0.1

GPS tagging—A process of adding geographical data to files such as pictures. It typically includes latitude and longitude coordinates of the location where the photo was taken, or the file was created. group-based access control—A role-based access control method that uses groups as roles. Guest account—A pre-created account in Windows systems. It is disabled by default.

ea

d

H

hacktivist—An attacker who launches attacks as part of an activist movement or to further a cause.

hardware root of trust—A known secure starting point for an operating system. A TPM ships with

Ah

a matched key pair used for encryption, and this key pair provides a hardware root of trust.

hardware security module (HSM)—A removable or external device that can generate, store, and manage RSA keys used in asymmetric encryption. High-volume e-commerce sites use HSMs to increase the performance of TLS sessions. Compare with TPM.

et

hash—A number created by executing a hashing algorithm against data, such as a file or message. Hashing is commonly used for integrity. Common hashing algorithms are MD5, SHA-3, and

G

HMAC.

heat map—A graph that plots risks onto a graph or chart using color-coding. Compare with risk

d

matrix.

heuristic/behavioral—A type of monitoring on intrusion detection and intrusion prevention

ie

systems. It detects attacks by comparing traffic against a baseline. It is also known as anomaly

er tif

detection.

HIDS—Host-based intrusion detection system. Software installed on a system to detect attacks. A HIDS is used to monitor an individual server or workstation. It protects local resources on the host such as the operating system files, and in some cases, it can detect malicious activity missed by antivirus software. Compare with HIPS, NIDS, and NIPS.

C

high availability—A term that indicates a system or component remains available close to 100 percent of the time. Five nines indicates a system is up and operation 99.999 percent of the time.

et

Compare with availability and resilience.

HIPS—Host-based intrusion prevention system. An extension of a host-based IDS. It is designed to

G

react in real time to detect, and prevent, an attack in action. Compare with HIDS, NIDS, and NIPS.

HMAC—Hash-based Message Authentication Code. A hashing algorithm used to verify integrity

and authenticity of a message with the use of shared secret. When used with TLS and IPsec, HMAC is combined with MD5 and SHA-1 as HMAC-MD5 and HMAC-SHA1, respectively.

Security+ Practice Test Questions

https://gcgapremiumpass.com/sy0-601-practice-test-questions/

HMAC-based One-Time Password (HOTP)—An open standard used for creating one-time passwords, similar to those used in tokens or key fobs. It combines a secret key and an incrementing counter, and then uses HMAC to create a hash of the result. HOTP passwords do not expire until they are used. Compare with TOTP.

d

hoax—A message, often circulated through email, that tells of impending doom from a virus or other security threat that simply doesn’t exist.

ea

homomorphic encryption—A processes that allows data to remain encrypted while it is being

processed. Most homomorphic encryption methods work best when data is stored and manipulated

Ah

as integers.

honeyfile—A file designed to attract an attacker. As an example, a file named passwords.text might attract the attention of an attacker. It doesn’t contain valid passwords. Compare with honeypot and honeynet.

et

honeynet—A group of honeypots in a network. Honeynets are often configured in virtual networks. Honeypots within a honeynet have weakened security and are designed to attact attackers. Compare

G

with honeypot and honeyfile.

honeypot—A server designed to attract an attacker. It typically has weakened security encouraging attackers to investigate it. Compare with honeyfile and honeynet.

d

host-based intrusion detection system (HIDS)—Software installed on a system to detect attacks. A

ie

HIDS is used to monitor an individual server or workstation. It protects local resources on the host such as the operating system files, and in some cases, it can detect malicious activity missed by

er tif

antivirus software. Compare with HIPS, NIDS, and NIPS. host-based intrusion prevention system (HIPS)—An extension of a host-based IDS. It is designed to react in real time to detect, and prevent, an attack in action. Compare with HIDS, NIDS, and NIPS. hot and cold aisles—A method commonly used in data centers to keep equipment cool. Cool air

C

flows from the front of the cabinets to the back, making the front aisle cooler and the back aisle warmer.

HOTP—HMAC-based One-Time Password. An open standard used for creating one-time

et

passwords, similar to those used in tokens or key fobs. It combines a secret key and an incrementing counter, and then uses HMAC to create a hash of the result. HOTP passwords do not expire until

G

they are used. Compare with TOTP.

hot site—An alternate location for operations. A hot site typically includes everything needed to be

operational within 60 minutes. Compare with cold site and warm site.

Copyright 2021 YCDA, LLC v0.1

HSM—Hardware security module. A removable or external device that can generate, store, and manage RSA keys used in asymmetric encryption. High-volume e-commerce sites use HSMs to increase the performance of TLS sessions. Compare with TPM. HTML—Hypertext Markup Language. Language used to create webpages. HTML documents are

d

displayed by web browsers and delivered over the Internet using HTTP or HTTPS. It uses less-than and greater-than characters (< and >) to create tags. Many sites use input validation to block these

ea

tags and prevent cross-site scripting attacks.

HTTP—Hypertext Transfer Protocol. Used for web traffic on the Internet and in intranets. HTTP

Ah

uses TCP port 80. HTTP is almost always encrypted with TLS and referred to as HTTPS.

HTTPS—Hypertext Transfer Protocol Secure. A protocol used to encrypt HTTP traffic. HTTPS encrypts HTTP traffic with TLS using TCP port 443.

HVAC—Heating, ventilation, and air conditioning. A physical security control that increases

et

availability by regulating airflow within data centers and server rooms. They use hot and cold aisles to regulate the cooling, thermostats to ensure a relatively constant temperature, and humidity

G

controls to reduce the potential damage from condensation.

Hypertext Markup Language (HTML)—Language used to create webpages. HTML documents are displayed by web browsers and delivered over the Internet using HTTP or HTTPS. It uses less-

d

than and greater-than characters (< and >) to create tags. Many sites use input validation to block

er tif

ie

these tags and prevent cross-site scripting attacks.

I

IaaS—Infrastructure as a Service. A cloud computing model. IaaS allows an organization to rent

C

access to hardware in a self-managed platform. Customers are responsible for keeping an IaaS system up to date. Compare to PaaS, SaaS, and XaaS.

et

ICMP—Internet Control Message Protocol. Used for diagnostics such as ping. Many DoS attacks use ICMP. It is common to block ICMP at firewalls and routers. If ping fails, but other connectivity

G

to a server succeeds, it indicates that ICMP is blocked.

ICS—Industrial control system. A system that controls large systems such as power plants or water

treatment facilities. A SCADA system typically controls an ICS. Compare with SCADA. identification—The process that occurs when a user claims an identity, such as with a username.

Users prove their identity with other credentials, such as with a password.

Security+ Practice Test Questions

https://gcgapremiumpass.com/sy0-601-practice-test-questions/

IDS—Intrusion detection system. A detective control used to detect attacks after they occur. A network-based IDS (NIDS) monitors a network, and a host-based IDS (HIDS) monitors a host. They both monitor for intrusions and provides ongoing protection against various threats. IDSs include sniffing capabilities. Many IDSs use numbering systems to identify vulnerabilities. Compare with

d

IPS. IEEE—Institute of Electrical and Electronics Engineers. IEEE is an international organization with

ea

a focus on electrical, electronics, and information technology topics. IEEE standards are well respected and followed by vendors around the world.

Ah

IEEE 802.1X—A port-based authentication protocol. An authentication protocol used in VPNs and wired and wireless networks. VPNs often implement it as a RADIUS server. Wired networks use it for port-based authentication. Wireless networks use it in Enterprise mode, and it often uses one of the EAP authentication protocols. Compare with EAP, PEAP, EAP-TLS, and EAP-TTLS.

et

ifconfig—A command-line tool. The ifconfig tool is used on Linux systems to show and manipulate settings on a network interface card (NIC). Sit is similar to ipconfig used on Windows systems.

G

IGMP—Internet Group Management Protocol. Used for multicasting. Computers belonging to a multicasting group have a multicasting IP address in addition to a standard unicast IP address. IIS—Internet Information Services. A Microsoft Windows web server. IIS comes free with

d

Microsoft Windows Server products. Linux systems use Apache as a web server.

ie

IMAP4—Internet Message Access Protocol v4. Used to store email on servers and allow clients to manage their email on the server. IMAP4 uses TCP port 143. Secure IMAP4 uses TLS to encrypt IMAP4

er tif

traffic on TCP port 993.

impact—The magnitude of harm related to a risk. It is the negative result of an event, such as the loss of confidentiality, integrity, or availability of a system or data. Compare with likelihood of occurrence and qualitative risk assessment.

C

implicit deny—A rule in an ACL that blocks all traffic that hasn’t been explicitly allowed. The implicit deny rule is the last rule in an ACL. incident—An adverse event or series of events that can negatively affect the confidentiality,

et

integrity, or availability of an organization’s information technology (IT) systems and data.

Sometimes referred to as a security incident.

G

incident response. The process of responding to a security incident. Organizations often create an

incident response plan that outlines the procedures to be used when responding to an incident. incident response plan—A formal, coordinated plan that personnel can use when responding to an incident. It typically includes definitions of incident types, details on an incident response team, and team members’ roles and responsibilities. Copyright 2021 YCDA, LLC v0.1

incident response process—The phases of incident response. It includes preparation, identification, containment, eradication, recovery, and lessons learned. incident response team—A group of experts who respond to security incidents. It includes employees with expertise in different areas. changed since the last full or incremental backup. Compare with differential backup.

d

incremental backup—A type of backup. An incremental backup backs up all the data that has

ea

Infrastructure as a Service (IaaS)—A cloud computing model. IaaS allows an organization to rent access to hardware in a self-managed platform. Customers are responsible for keeping an IaaS

Ah

system up to date. Compare to PaaS, SaaS, and XaaS.

initialization vector (IV)—An IV provides randomization of encryption keys to help ensure that keys are not reused. In an IV attack, the attacker uses packet injection to increase the number of packets to analyze and discovers the encryption key.

et

initialization vector (IV) attack—A wireless attack that attempts to discover the IV. Legacy wireless security protocols are susceptible to IV attacks.

G

injection attack—An attack that injects code or commands. Common injection attacks are dynamic link library (DLL) injection, command injection, and SQL injection, and XML injection attacks. inline—A configuration that forces traffic to pass through a device. A NIPS is placed inline, allowing

d

it to prevent malicious traffic from entering a network. Sometimes called in-band. Compare with out-of-

ie

band.

input validation—A programming process that verifies data is valid before using it. Input validation

er tif

prevents many web-based attacks such as buffer overflow attacks, SQL injection attacks, and crosssite scripting attacks.

insider threat—An attacker who launches attacks from within an organization, typically as an employee.

C

integer overflow—An application attack that attempts to use or create a numeric value that is too big for an application to handle. Input handling and error handling thwart the attack. integrity—One of the core goals of information security sometimes referred to as the CIA security

et

triad. Integrity provides assurance that data or system configurations have not been modified. Audit logs and hashing are two methods used to ensure integrity. Compare with availability and

G

confidentiality.

intermediate CA—intermediate certificate authority. A CA created by a root CA that can issue

certificates and/or create child CAs that issue certificates. Compare with certificate authority and

certificate chaining.

Security+ Practice Test Questions

https://gcgapremiumpass.com/sy0-601-practice-test-questions/

Internet Message Access Protocol v4 (IMAP4)—Used to store email on servers and allow clients to manage their email on the server. IMAP4 uses TCP port 143. Secure IMAP4 uses TLS to encrypt IMAP4 traffic on TCP port 993.

Internet of things (IoT)—The network of physical devices connected to the Internet. It typically refers

d

to smart devices with an IP address, such as wearable technology and home automation systems. intranet—An internal network. People use an intranet to communicate and share content with each

ea

other on an internal network. Compare with extranet.

IoT—Internet of things. The network of physical devices connected to the Internet. It typically refers to

Ah

smart devices with an IP address, such as wearable technology and home automation systems. IP—Internet Protocol. Used for addressing. Compare with IPv4 and IPv6.

ipconfig—A command-line tool. It is used on Windows systems to show the configuration settings on a NIC.

et

IPS—Intrusion prevention system. A preventive control that can stop an attack in progress. It is similar to an active IDS except that it’s placed inline with traffic. An IPS can actively monitor data

G

streams, detect malicious content, and stop attacks in progress. It can be used internally to protect private networks, such as those holding SCADA equipment. Compare with IDS. IPsec—Internet Protocol security. A suite of protocols used to encrypt data-in-transit. IPSec can

d

operate in both Tunnel mode and Transport mode. IPsec is built into IPv6, but can also work with

ie

IPv4. Both versions support AH and ESP. AH provides authentication and integrity using HMAC, and ESP provides confidentiality, integrity, and authentication using HMAC and AES or 3DES.

er tif

Compare with AH, ESP, tunnel mode, and transport mode. IP spoofing—An attack that changes the source IP address. IP spoofing makes an attack appear as though it’s coming from a different source.

IPv4—Internet Protocol version 4. Identifies hosts using a 32-bit IP address. IPv4 is expressed in

C

dotted decimal format with decimal numbers separated by dots or periods like this: 192.168.1.1. IPv6—Internet Protocol version 6. Identifies hosts using a 128-bit address. IPv6 has a significantly larger address space than IPv4. IPsec is built in to IPv6 and can encrypt any type of IPv6 traffic.

et

iris scanners—A biometric system. Iris scanners scan the iris of an eye for authentication. ISP—Internet Service Provider. A company that provides Internet access to customers.

G

IT—Information technology. Computer systems and networks used within organizations. IV—Initialization vector. An IV provides randomization of encryption keys to help ensure that keys

are not reused. In an IV attack, the attacker uses packet injection to increase the number of packets to analyze and discovers the encryption key.

Copyright 2021 YCDA, LLC v0.1

J allows a user to install software from any third-party source. Compare with rooting.

d

jailbreaking—The process of modifying an Apple mobile device to remove software restrictions. It

by a wireless network.

ea

jamming—A DoS attack against wireless networks. It transmits noise on the same frequency used

job rotation—A process that ensures employees rotate through different jobs to learn the processes and

Ah

procedures in each job. It can sometimes detect fraudulent activity.

Pass the First Time with Quality Practice Test Questions

et

https://gcgapremium.com/sy0-601-practice-test-questions/

G

K

KDC—Key Distribution Center. Also known as Ticket Granting Ticket (TGT) server. Part of the Kerberos protocol used for network authentication. The KDC issues timestamped tickets that expire.

d

Kerberos—A network authentication mechanism used with Windows Active Directory domains and

ie

some Unix environments known as realms. It uses a KDC to issue tickets. kernel—The central part of the operating system. In container virtualization, guests share the kernel.

er tif

key escrow—The process of placing a copy of a private key in a safe environment. If the original key is lost, an organization can retrieve a copy of the key to access the data. key exchange—A cryptographic method used to share cryptographic keys. asymmetric encryption uses key exchange to share a symmetric key.

C

keylogger—Software or hardware used to capture a user’s keystrokes. Keystrokes are stored in a file and can be manually retrieved or automatically sent to an attacker. key stretching—A technique used to increase the strength of stored passwords. It adds additional bits

et

(called salts) and can help thwart brute force and rainbow table attacks. known environment test—A type of penetration test. Testers have full knowledge of the

G

environment prior to starting the test. This was previously known as a white box test. Compare with unknown environment test and partially known environment test.

known plaintext—A cryptographic attack that decrypts encrypted data. In this attack, the attacker

knows the plaintext used to create ciphertext. Compare with ciphertext and plaintext.

Security+ Practice Test Questions

https://gcgapremiumpass.com/sy0-601-practice-test-questions/

L L2TP—Layer 2 Tunneling Protocol. Tunneling protocol used with VPNs. L2TP is commonly used with IPsec (L2TP/IPsec) and uses UDP port 1701. can be physical labels, such as on backup tapes, or digital labels embedded in files.

d

labeling—The process of ensuring data is tagged clearly so that users know its classification. Labels

ea

Layer 2 Tunneling Protocol (L2TP)—Tunneling protocol used with VPNs. L2TP is commonly used with IPsec (L2TP/IPsec) and uses UDP port 1701.

Ah

LDAP—Lightweight Directory Access Protocol. A protocol used to communicate with directories such as Microsoft Active Directory. It identifies objects with query strings using codes such as CN=Users and DC=GetCertifiedGetAhead. LDAP uses TCP port 389. LDAP injection attacks attempt to access or modify data in directory service databases. Compare with LDAPS.

et

LDAPS—Lightweight Directory Access Protocol over SSL. A protocol used to encrypt LDAP traffic with TLS. While it has SSL in the name, TLS has replaced SSL. LDAPS is sometimes

G

referred to as Lightweight Directory Access Protocol Secure. LDAPS encrypts transmissions with TLS over TCP port 636. Compare with LDAP.

least privilege—A security principle that minimizes privileges given to individuals. The lease

d

privilege principle specifies that individuals and processes are granted only the rights and permissions

ie

needed to perform assigned tasks or functions, but no more. legal hold—A court order to maintain data for evidence.

er tif

lightweight cryptography—Cryptography deployed to smaller devices. Many Internet of Things (IoT) devices use lightweight cryptography.

Lightweight Directory Access Protocol (LDAP)—A protocol used to communicate with directories such as Microsoft Active Directory. It identifies objects with query strings using codes

C

such as CN=Users and DC=GetCertifiedGetAhead. LDAP uses TCP port 389. LDAP injection attacks attempt to access or modify data in directory service databases. Compare with LDAPS. Lightweight Directory Access Protocol over SSL (LDAPS)—A protocol used to encrypt LDAP

et

traffic with TLS. While it has SSL in the name, TLS has replaced SSL. LDAPS is sometimes referred to as Lightweight Directory Access Protocol Secure. LDAPS encrypts transmissions with

G

TLS over TCP port 636. Compare with LDAP.

likelihood of occurrence—The probability that something will occur. It is used with impact in a

qualitative risk assessment. Compare with impact and qualitative risk assessment. load balancer—Hardware or software that balances the load between two or more servers. Load

balancers add redundancy and fault tolerance and can help eliminate single points of failure. Copyright 2021 YCDA, LLC v0.1

logic bomb—A type of malware that executes in response to an event. The event might be a specific date or time, or a user action such as when a user launches a specific program. loop prevention—Methods used to prevent switching loop or bridge loop problems. Both STP and RSTP prevent switching loops.

ea

d

M

MAC—Mandatory Access Control. An access control scheme. MAC uses sensitivity labels assigned to objects (files and folders) and subjects (users). MAC restricts access based on a need to know.

Ah

Compare with ABAC, DAC, role-based access control, and rule-based access control.

MAC—media access control. A 48-bit address used to identify network interface cards. It is also called a hardware address or a physical address. and is commonly displayed as six pairs of hexadecimal characters. Port security on a switch or an AP can limit access using MAC filtering.

et

MAC cloning attack—An attack that changes the source MAC address to impersonate an authorized system. When MAC filtering is used, attackers can discover the address of authorized

G

MAC addresses, and change their address to bypass MAC filtering. This is sometimes called MAC spoofing.

d

MAC filtering—A form of network access control to allow or block access based on the MAC address. It is configured on switches for port security or on APs for wireless security.

ie

MAC flooding—An attack against a switch that attempts to overload it. Most ports on a switch have

er tif

only a single host connected to them, with only a single MAC address. A MAC flooding attack repeatedly spoofs the MAC address. If successful, the switch operates as a hub instead of as a switch.

malware—Malicious software. It includes a wide range of software that has malicious intent, such as viruses, worms, ransomware, rootkits, logic bombs, and more.

C

managerial controls— Security controls implemented via managerial or administrative or methods. They are typically documented in an organization’s security policy and focus on managing risk.

et

Compare with technical and operational controls. Mandatory Access Control (MAC)—An access control scheme. MAC uses sensitivity labels

G

assigned to objects (files and folders) and subjects (users). MAC restricts access based on a need to know. Compare with ABAC, DAC, role-based access control, and rule-based access control. mandatory vacation—A policy that forces employees to take a vacation. The goal is to deter

malicious activity, such as fraud and embezzlement, and detect malicious activity when it occurs.

Security+ Practice Test Questions

https://gcgapremiumpass.com/sy0-601-practice-test-questions/

MD5—Message Digest 5. A hashing function used to provide integrity. MD5 creates 128-bit hashes, which are also referred to as MD5 checksums. A hash is simply a number created by applying the algorithm to a file or message at different times. Comparing the hashes verifies integrity. Experts consider MD5 cracked and discourage its use as a cryptographic hash. However, it is still used as a

d

checksum in some situations. MDM—Mobile device management. A group of applications and technologies used to manage

ea

mobile devices. MDM tools can monitor mobile devices and ensure they are in compliance with security policies.

Ah

measured boot—A process that verifies the integrity of the boot process. It completes these checks before allowing the user to interact with the system.

media access control (MAC) flooding—An attack against a switch that attempts to overload it. Most ports on a switch have only a single host connected to them, with only a single MAC address.

et

A MAC flooding attack repeatedly spoofs the MAC address. If successful, the switch operates as a hub instead of as a switch.

G

Memorandum of understanding (MOU)—A type of agreement that defines the responsibilities of each party. Sometimes called a memorandum of agreement.

memory leak—An application flaw that consumes memory without releasing it. In extreme cases,

d

the application can consume so much memory that the operating system crashes

ie

Message Digest 5 (MD5)—A hashing function used to provide integrity. MD5 creates 128-bit hashes, which are also referred to as MD5 checksums. A hash is simply a number created by

er tif

applying the algorithm to a file or message at different times. Comparing the hashes verifies integrity. Experts consider MD5 cracked and discourage its use as a cryptographic hash. However, it is still used as a checksum in some situations. MMS—Multimedia Messaging Service. An extension of SMS. MMS allows users to include

C

multimedia content such as pictures, short videos, audio, or even a slideshow of multiple images. Compare with SMS and Rich Communication Services. Mobile device management (MDM)—A group of applications and technologies used to manage

et

mobile devices. MDM tools can monitor mobile devices and ensure they are in compliance with security policies.

G

MS-CHAP—Microsoft Challenge Handshake Authentication Protocol. Microsoft implementation of

CHAP. MS-CHAPv2 improves MS-CHAP by providing mutual authentication. MS-CHAPv2—Microsoft Challenge Handshake Authentication Protocol version 2. Microsoft implementation of CHAP. MS-CHAPv2 provides mutual authentication. Compare with CHAP and PAP. Copyright 2021 YCDA, LLC v0.1

MTBF—Mean time between failures. Provides a measure of a system’s reliability and is usually represented in hours. The MTBF identifies the average (the arithmetic mean) time between failures. Higher MTBF numbers indicate a higher reliability of a product or system. MTTF—Mean time to failure. The length of time you can expect a device to remain in operation

d

before it fails. It is similar to MTBF, but the primary difference is that the MTBF metric indicates you can repair the device after it fails. The MTTF metric indicates that you will not be able to repair

ea

a device after it fails.

MTTR—Mean time to recover. Identifies the average (the arithmetic mean) time it takes to restore a

Ah

failed system. Organizations that have maintenance contracts often specify the MTTR as a part of the contract.

multifactor authentication—A type of authentication that uses methods from more than one factor of authentication. Compare with something you know, something you have, and something you are.

et

Multimedia Message Service (MMS)—An extension of SMS. MMS allows users to include multimedia content such as pictures, short videos, audio, or even a slideshow of multiple images.

G

Compare with SMS and Rich Communication Services.

d

N

NAC—Network access control. A system that inspects clients to ensure they are healthy. Healthy

ie

clients are granted access to the network, and unhealthy clients are redirected to a remediation

er tif

network. Agents inspect clients, and agents can be permanent or dissolvable (also known as agentless). MAC filtering is a form of NAC.

NAT—Network Address Translation. A service that translates public IP addresses to private IP addresses and private IP addresses to public IP addresses. National Institute of Standards and Technology (NIST)—NIST is a part of the U.S. Department

C

of Commerce, and it includes an Information Technology Laboratory (ITL). The ITL publishes special publications related to security that are freely available to anyone. They can found at

et

http://csrc.nist.gov/publications/PubsSPs.html. NDA—Non-disclosure agreement. An agreement that is designed to prohibit personnel from sharing

G

proprietary data. It can be used with employees within the organization and with outside organizations. It is commonly embedded as a clause in a contract.

Netcat (nc)—A command-line tool. Netcat is used to connect to remote systems. netstat—A command-line tool. Netstat is used to show network statistics on a system.

Security+ Practice Test Questions

https://gcgapremiumpass.com/sy0-601-practice-test-questions/

network access control (NAC)—A system that inspects clients to ensure they are healthy. Healthy clients are granted access to the network, and unhealthy clients are redirected to a remediation network. Agents inspect clients, and agents can be permanent or dissolvable (also known as agentless). MAC filtering is a form of NAC.

d

Network Address Translation (NAT)—A service that translates public IP addresses to private IP addresses and private IP addresses to public IP addresses.

ea

network-based intrusion detection system (NIDS)—A device that detects attacks and raises alerts. A NIDS is installed on network devices, such as routers or firewalls and monitors network traffic. It

Ah

can detect network-based attacks.

network-based intrusion prevention system (NIPS)—A device that detects and stops attacks in progress. A NIPS is placed inline (also called in-band) with traffic so that it can actively monitor data streams, detect malicious content, and stop attacks in progress.

et

network interface card (NIC)—Provides connectivity to a network. A NIC is typically built into a circuit board and includes a connector, such as an RJ-45 connector.

G

network scanner—A tool used to discover devices on a network, including their IP addresses, their operating system, along with services and protocols running on the devices. near field communication (NFC)—A group of standards used on mobile devices that allow them to

d

communicate with other nearby mobile devices. Many credit card readers support payments using

ie

NFC technologies with a smartphone.

network interface card (NIC) teaming—A group of two or more network adapters acting as a

er tif

single network adapter. NIC teaming provides increased bandwidth and load balancing capabilities. NFC—Near field communication. A group of standards used on mobile devices that allow them to communicate with other nearby mobile devices. Many credit card readers support payments using NFC technologies with a smartphone.

C

NFC attack—An attack against mobile devices that use near field communication (NFC). NFC is a group of standards that allow mobile devices to communicate with nearby mobile devices. NIC—Network interface card. Provides connectivity to a network. A NIC is typically built into a

et

circuit board and includes a connector, such as an RJ-45 connector.

NIC teaming—Network interface card (NIC) teaming. A group of two or more network adapters

G

acting as a single network adapter. NIC teaming provides increased bandwidth and load balancing capabilities.

NIDS—Network-based intrusion detection system. A device that detects attacks and raises alerts. A NIDS is installed on network devices, such as routers or firewalls and monitors network traffic. It can detect network-based attacks. Copyright 2021 YCDA, LLC v0.1

NIPS—Network-based intrusion prevention system. A device that detects and stops attacks in progress. A NIPS is placed inline (also called in-band) with traffic so that it can actively monitor data streams, detect malicious content, and stop attacks in progress. NIST—National Institute of Standards and Technology. NIST is a part of the U.S. Department of publications related to security that are freely available to anyone. They can found at

ea

http://csrc.nist.gov/publications/PubsSPs.html.

d

Commerce, and it includes an Information Technology Laboratory (ITL). The ITL publishes special

nmap—A command-line tool. Nmap is used to scan networks, and it is a type of network scanner.

Ah

nonce—A number used once. Cryptography elements frequently use a nonce to add randomness. non-disclosure agreement (NDA)—An agreement that is designed to prohibit personnel from sharing proprietary data. It can be used with employees within the organization and with outside organizations. It is commonly embedded as a clause in a contract.

et

non-persistence—A method used in virtual desktops where changes made by a user are not saved. Most (or all) users have the same desktop. When users log off, the desktop reverts to its original state. access logs provide non-repudiation.

G

non-repudiation—The ability to prevent a party from denying an action. Digital signatures and normalization—The process of organizing tables and columns in a database. Normalization reduces

d

redundant data and improves overall database performance.

ie

nslookup—A command-line tool. The nslookup tool is used to test DNS on Microsoft systems. Compare with dig.

er tif

NTLM—New Technology LAN Manager. A suite of protocols that provide confidentiality, integrity, and authentication within Windows systems. Versions include NTLM, NTLMv2, and NTLM2 Session.

NTP—Network Time Protocol. Protocol used to synchronize computer times.

C

Pass the First Time with Quality Practice Test Questions

et

https://gcgapremium.com/sy0-601-practice-test-questions/

G

O

OAuth—An open source standard used for authorization with Internet-based single sign-on solutions. Many companies such as Google, Facebook, PayPal, Microsoft, and Twitter support OAuth. Users can sign on with their account using one of these companies and gain access to other

Security+ Practice Test Questions

https://gcgapremiumpass.com/sy0-601-practice-test-questions/

sites. OAuth focuses on authorization, not authentication, and RFC 6749, “The OAuth 2.0 Authorization Framework,” describes it. obfuscation—An attempt to make something unclear or difficult to understand. Steganography methods use obfuscation to hide data within data. Sometimes referred to as camouflage.

d

OCSP—Online Certificate Status Protocol. An alternative to using a CRL. It allows entities to query a CA with the serial number of a certificate. The CA answers with good, revoked, or unknown.

ea

offboarding—The process of removing an individuals access to an organization’s computing

resources leaving the company. It also includes collecting any equipment (such as smartphones,

Ah

tablets, or laptops), security badges, or proximity cards the organization issued to the employee. Compare with onboarding.

offline brute force password attack—A password attack against a database downloaded from a site. An offline attack can repeatedly guess passwords without ever getting locked out. Compare

et

with online brute force password attack.

onboarding—The process of granting individuals access to an organization’s computing resources permissions. Compare with offboarding.

G

after being hired. It typically includes giving the employee a user account with appropriate online brute force password attack—A password attack against an online system. Online systems

d

typically have account lockout capabilities, so online password attacks often use different methods password attack.

ie

(such as a spraying attack) to guess passwords. Compare with spraying attack and offline brute force

er tif

Online Certificate Status Protocol (OCSP)—An alternative to using a CRL. It allows entities to query a CA with the serial number of a certificate. The CA answers with good, revoked, or unknown.

on-path attack—A form of active interception or active eavesdropping. It uses a separate computer

C

that accepts traffic from each party in a conversation and forwards the traffic between the two. An on-path attack is sometimes referred to as a man-in-the-middle or man-in-the-broser attack. open—A wireless mode that doesn’t use security. Compare with Enterprise and PSK modes.

et

OpenID—An authentication standard maintained by the OpenID Foundation. An OpenID provider holds the user’s credentials and websites that support OpenID prompt users to enter their OpenID.

G

OpenID Connect (OIDC)—An open source standard used for identification on the Internet. It

builds on OpenID and uses the OAuth 2.0 framework. OIDC uses a JavaScript Object Notation (JSON) Web Token (JWT), sometimes called an ID token. open-source intelligence (OSINT)—A method of gathering data using public sources, such as

social media sites and news outlets. Copyright 2021 YCDA, LLC v0.1

OpenSSL—An open source software library used with Transport Layer Security (TLS) and the legacy Secure Sockets Layer (SSL) protocols. Many Linux distributions include access to OpenSSL via the command line. operational controls—Controls used to handle the day-to-day operations of an organization.

d

Operational controls help an organization comply with the security policy, and people implement them. Compare with managerial and technical controls.

ea

order of volatility—A term that refers to the order in which you should collect evidence. For example, data in memory is more volatile than data on a disk drive, so it should be collected first.

Ah

OSI—Open Systems Interconnection. The OSI reference model conceptually divides different networking requirements into seven separate layers.

OSINT—A method of gathering data using public sources, such as social media sites and news outlets.

et

out-of-band—A configuration that allows a device to collect traffic without the traffic passing through it. Sometimes called passive. Compare with inline.

G

Pass the First Time with Quality Practice Test Questions https://gcgapremium.com/sy0-601-practice-test-questions/

d

P

ie

P12—PKCS#12. A common format for PKI certificates. They are DER-based (binary) and often

er tif

hold certificates with the private key. They are commonly encrypted. P7B—PKCS#7. A common format for PKI certificates. They are CER-based (ASCII) and commonly used to share public keys.

PaaS—Platform as a Service. A cloud computing model. PaaS provides cloud customers with a preconfigured computing platform they can use as needed. PaaS is a fully managed platform,

C

meaning that the vendor keeps the platform up to date with current patches. Compare with IaaS, SaaS and XaaS.

et

PAM—Privileged access management. A method of protecting access to privileged accounts. PAM

implements the concept of just-in-time administration, giving users elevated privileges only when

G

they need them and only for a limited time. PAM is sometimes called privileged account management. PAP—Password Authentication Protocol. An older authentication protocol where passwords or PINs are sent across the network in cleartext. Compare with CHAP and MS-CHAPv2.

Security+ Practice Test Questions

https://gcgapremiumpass.com/sy0-601-practice-test-questions/

partially known environment test—A type of penetration test. Testers have some knowledge of the environment prior to starting the test. This was previously known as a gray box test. Compare with known environment test and unknown environment test. passive reconnaissance—A penetration testing method used to collect information. It typically uses

d

open-source intelligence. Compare with active reconnaissance. pass the hash—A password attack that captures and uses the hash of a password. It attempts to log

ea

on as the user with the hash and is commonly associated with the Microsoft NTLM protocol. password cracker—A tool used to discover passwords. includes evaluating and testing patches before deploying them.

Ah

patch management—The process used to keep systems up to date with current patches. It typically PBKDF2—Password-Based Key Derivation Function 2. A key stretching algorithm technique that adds additional bits to a password as a salt. It helps prevent brute force and rainbow table attacks.

et

Compare with Bcrypt and Argon2.

PDF—Portable Document Format. Type of file for documents. Attackers have embedded malware

G

in PDFs.

PEAP—Protected Extensible Authentication Protocol. An extension of EAP sometimes used with 802.1X. PEAP provides an extra layer of protection for EAP and it is sometimes used with 802.1X.

ie

EAP-FAST.

d

PEAP requires a certificate on the 802.1X server. Compare with EAP, EAP-TLS, EAP-TTLS, and PEM—Privacy Enhanced Mail. A common format for PKI certificates. It can use either CER

er tif

(ASCII) or DER (binary) formats and can be used for almost any type of certificates. penetration testing—A method of testing targeted systems to determine if vulnerabilities can be exploited. Penetration tests are intrusive.

perfect forward secrecy—A characteristic of encryption keys ensuring that keys are random.

C

Perfect forward secrecy methods generate random public keys for each session, and do not use deterministic algorithms. permanent agent—A NAC agent that is installed on a client. It checks the client for health.

et

Compare with agentless or dissolvable agent. Personal Identity Verification card (PIV)—A specialized type of smart card used by U.S. federal

G

agencies. It includes photo identification and provides confidentiality, integrity, authentication, and non-repudiation for the users. Compare with CAC. Personally Identifiable Information (PII)—Information about individuals that can be used to trace

a person’s identity, such as a full name, birth date, biometric data, and identifying numbers such as a

Copyright 2021 YCDA, LLC v0.1

Social Security number (SSN). Organizations have an obligation to protect PII and often identify procedures for handling and retaining PII in data policies such as encrypting it. PFX—Personal Information Exchange. A common format for PKI certificates. It is the predecessor to P12 certificates.

d

pharming—A type of DNS poisoning attack. Pharming attacks redirect a website’s traffic to another PHI—Personal Health Information. PII that includes health information.

ea

website.

phishing—The practice of sending spam to users with the purpose of tricking them into revealing links.

Ah

personal information or clicking on a link. Phishing often includes malicious attachments or malicious physical controls—Security controls that you can physically touch. Compare with preventive, detective, corrective, deterrent, and, compensating controls.

et

PII—Personally Identifiable Information. Information about individuals that can be used to trace a person’s identity, such as a full name, birth date, biometric data, and identifying numbers such as a

G

Social Security number (SSN). Organizations have an obligation to protect PII and often identify procedures for handling and retaining PII in data policies such as encrypting it. PIN—Personal identification number. A number known by a user and entered for authentication.

d

PINs are often combined with smart cards to provide dual-factor authentication.

ie

ping—A command-line tool. Ping is used to test connectivity with remote systems. pinning—A security mechanism used by some websites to prevent website impersonation. Websites website.

er tif

provide clients with a list of public key hashes. Clients store the list and use it to validate the PIV—Personal Identity Verification card. A specialized type of smart card used by U.S. federal agencies. It includes photo identification and provides confidentiality, integrity, authentication, and

C

non-repudiation for the users. Compare with CAC. pivoting—Process of using various tools to gain additional information on a system or network. After escalating privileges, a penetration tester (or attacker) uses the exploited computer to gain

et

additional information on other systems within the network. PKI—Public Key Infrastructure. Group of technologies used to request, create, manage, store,

G

distribute, and revoke digital certificates. Certificates include public keys along with details on the owner of the certificate, and on the CA that issued the certificate. Certificate owners share their public key by sharing a copy of their certificate. A PKI requires a trust model between CAs and most trust models are hierarchical and centralized with a central root CA.

Security+ Practice Test Questions

https://gcgapremiumpass.com/sy0-601-practice-test-questions/

plaintext—Text displayed in a readable format. Encryption converts plaintext to ciphertext, and plaintext is unencrypted. Compare with ciphertext. Platform as a Service (PaaS)—A cloud computing model. PaaS provides cloud customers with a preconfigured computing platform they can use as needed. PaaS is a fully managed platform,

d

meaning that the vendor keeps the platform up to date with current patches. Compare with IaaS, SaaS and XaaS.

ea

playbooks—Used with SOAR. A automated response to a potential checklist. Playbooks are derived from runbooks. Compare with SOAR and runbooks.

Ah

pointer dereference—A programming practice that uses a pointer to reference a memory area. A failed dereference operation can corrupt memory and sometimes even cause an application to crash.

POP3—Post Office Protocol v3. Used to transfer email from mail servers to clients. POP3 uses TCP port 110 for unencrypted connections and TCP port 995 for encrypted connections

et

port mirror—A monitoring port on a switch. All traffic going through the switch is also sent to the port mirror.

G

port taps—Monitoring ports on a network device. IDSs use taps to capture traffic. post-quantum cryptography—Cryptographic algorithms that are likely to be resistant to attacks from attackers using a quantum computer. NIST is expected to release a draft of selected standards

d

by 2024.

ie

posturing—A method of verifying a device complies with security policies. Some mobile device management (MDM) systems use device posturing to check the status of a device, such as the

er tif

operating system version and whether the screen lock is enabled or not. potentially unwanted programs (PUPs)—Software installed on users’ systems without their awareness or consent. Some of these unwanted programs are legitimate, but some are malicious, such as Trojans. Compare with spyware.

C

preshared key (PSK)—A secret shared among different systems. Wireless networks using WPA2 support Personal mode, where each device uses the same PSK. WPA3 uses a Simultaneous Authentication of Equals (SAE) instead of a PSK. Compare with Enterprise and Open modes.

et

preventive controls—Security controls that attempt to prevent a security incident from occurring. Compare with detective, corrective, deterrent, compensating, and physical security controls.

G

private data—Information about an individual that should remain private. Personally Identifiable

Information (PII) and Personal Health Information (PHI) are two examples. private key—Part of a matched key pair used in asymmetric encryption. The private key always

stays private. Compare with public key. privileged account—An account with elevated privileges, such as an administrator account. Copyright 2021 YCDA, LLC v0.1

privileged access management (PAM)—A method of protecting access to privileged accounts. PAM implements the concept of just-in-time administration, giving users elevated privileges only when they need them and only for a limited time. PAM is sometimes called privileged account management.

d

privilege escalation—The process of gaining elevated rights and permissions. Attackers and malware typically uses a variety of techniques to gain elevated privileges.

ea

proprietary data—Data that is related to ownership. Common examples are information related to patents or trade secrets.

Ah

Protected Extensible Authentication Protocol (PEAP)—An extension of EAP sometimes used with 802.1X. PEAP provides an extra layer of protection for EAP and it is sometimes used with 802.1X. PEAP requires a certificate on the 802.1X server. Compare with EAP, EAP-TLS, EAPTTLS, and EAP-FAST.

et

protocol analyzer—A tool used to capture network traffic. Both professionals and attackers use text.

G

protocol analyzers to examine packets. A protocol analyzer can be used to view data sent in clear proximity card readers—Devices that sense when proximity cards are close. They are often used by authorized personnel to open doors.

d

proximity cards—Small credit card-sized cards that activate when they are in close proximity to a

ie

proximity card reader. They are often used by authorized personnel to open doors. proxy server— A server used to forward requests for services such as HTTP or HTTPS. All internal

er tif

clients send their outgoing requests to the proxy server, and the proxy server sends the requests to the Internet server. Proxy servers increase performance by caching web pages and can filter URLs. A proxy server is commonly called a forward proxy server. Compare with reverse proxy server. pseudo-anonymization—The process of replacing PII data with pseudonyms. The data set appears

C

anonymous, but the owner of the data maintains a database that matches the pseudonyms back to the original data. Compare with anonymization, data masking, and tokenization. PSK—Preshared key. A secret shared among different systems. Wireless networks using WPA2

et

support Personal mode, where each device uses the same PSK. WPA3 uses a Simultaneous Authentication of Equals (SAE) instead of a PSK. Compare with Enterprise and Open modes.

G

public data—Data that is available to anyone. It might be in brochures, in press releases, or on

websites. public key—Part of a matched key pair used in asymmetric encryption. The public key is publicly

available. Compare with private key.

Security+ Practice Test Questions

https://gcgapremiumpass.com/sy0-601-practice-test-questions/

public ledgers—A record of transactions such as deposits and withdrawals. Blockchain uses public ledgers used to track transactions while keeping the transactions anonymous. Some ransomware transactions can be viewed by viewing the public ledgers, but the transactions are still anonymous. Compare with blockchain.

d

Public Key Infrastructure (PKI)—Group of technologies used to request, create, manage, store, distribute, and revoke digital certificates. Certificates include public keys along with details on the

ea

owner of the certificate, and on the CA that issued the certificate. Certificate owners share their

public key by sharing a copy of their certificate. A PKI requires a trust model between CAs and most

Ah

trust models are hierarchical and centralized with a central root CA.

pulping—A data sanitization process. Pulping is performed after shredding papers, and it reduces the shredded paper to a mash or puree. Compare with burning, shredding, pulverizing, and degaussing.

et

PUPs—Potentially unwanted programs. Software installed on users’ systems without their such as Trojans. Compare with spyware.

G

awareness or consent. Some of these unwanted programs are legitimate, but some are malicious, pulverizing— A data sanitization process. A process used to physically destroy items such as optical degaussing.

d

discs that can’t be erased by a degausser. Compare with burning, shredding, pulping, and

ie

purging—A data sanitization process. A general sanitization term indicating that all sensitive data has been removed from a device. Compare with burning, shredding, pulping, pulverizing, and

er tif

degaussing.

purple team—Personnel involved in cybersecurity readiness that can join either a red team or a blue team. Compare with red team, blue team, white team and capture the flag. push notification services—The services that send messages to mobile devices. Many mobile

et

Q

C

device applications push notification messages to users.

qualitative risk assessment—A risk assessment that uses judgment to categorize risks. It is based

G

on impact and likelihood of occurrence. quantitative risk assessment—A risk assessment that uses specific monetary amounts to identify

cost and asset value. It then uses the SLE and ARO to calculate the ALE. quantum computing—Cryptography that uses quantum mechanical properties to perform

cryptographic tasks. Copyright 2021 YCDA, LLC v0.1

quantum cryptography—An example of quantum computing. It uses quantum computing standards to create a cryptographic key.

R

d

RA—Recovery agent. A designated individual who can recover or restore cryptographic keys. In the

ea

context of a PKI, a recovery agent can recover private keys to access encrypted data, or in some

situations, recover the data without recovering the private key. In some cases, recovery agents can recover the private key from a key escrow.

Ah

RADIUS—Remote Authentication Dial-In User Service. Provides central authentication for remote access clients. RADIUS uses symmetric encryption to encrypt the password packets, and it uses UDP by default. In contrast, TACACS+ encrypts the entire authentication process and uses TCP. RFC 3579 “RADIUS Support for EAP” supports encryption of the entire authentication process

et

using TCP. Compare with TACACS+.

race condition—A programming flaw that occurs when two sets of code attempt to access the same

G

resource. The first one to access the resource wins, which can result in inconsistent results. RAID—Redundant array of inexpensive disks. Multiple disks added together to increase

d

performance or provide protection against faults. RAID helps prevent disk subsystems from being a single point of failure. Compare with RAID-0, RAID-1, RAID-5, RAID-6, and RAID-10.

ie

RAID-0—Disk striping. RAID-0 improves performance but does not provide fault tolerance.

er tif

RAID-1—Disk mirroring. RAID-1 uses two disks and provides fault tolerance. RAID-5—Disk striping with parity. RAID-5 uses three or more disks and provides fault tolerance. It can survive the failure of a single drive.

RAID-6—Disk striping with parity. RAID-6 uses four or more disks and provides fault tolerance. It can survive the failure of two drives.

C

RAID-10—Disk mirroring with striping. RAID-10 combines the features of mirroring (RAID-1) and striping (RAID-0). The minimum number of drives in a RAID-10 is four, and a RAID-10 always has

et

an even number of drives.

rainbow table—A file containing precomputed hashes for character combinations. Rainbow tables

G

are used to discover passwords. PBKDF2, Bcrypt, and Argon2 thwart rainbow table attacks.

RAM—Random access memory. Volatile memory within a computer that holds active processes,

data, and applications. Data in RAM is lost when the computer is turned off. Memory forensics analyzes data in RAM.

Security+ Practice Test Questions

https://gcgapremiumpass.com/sy0-601-practice-test-questions/

ransomware—A type of malware used to extort money from individuals and organizations. Ransomware typically encrypts the user’s data and demands a ransom before decrypting the data. Rapid Spanning Tree Protocol (RSTP)—An improvement over STP. STP and RSTP protocols are enabled on most switches and protect against switching loops, such as those caused when two ports

d

of a switch are connected together. RAS—Remote Access Service. Provides access to an internal network from an outside source

ea

location using dial-up or a VPN.

RAT—Remote access Trojan. Malware that allows an attacker to take control of a system from a

Ah

remote location. A RAT gives an attacker full control over a user’s system from a remote location over the Internet.

RDP—Remote Desktop Protocol. Used to connect to remote systems. Microsoft uses RDP in TCP 3389 or UDP 3389.

et

different services such as Remote Desktop Services and Remote Assistance. RDP uses either port real-time operating system (RTOS)—An operating system that reacts to input within a specific

G

time. Many embedded systems include an RTOS.

reconnaissance—A penetration phase where testers gather information on a target. Compare with active reconnaissance and passive reconnaissance.

d

recovery agent (RA)—A designated individual who can recover or restore cryptographic keys. In

ie

the context of a PKI, a recovery agent can recover private keys to access encrypted data, or in some situations, recover the data without recovering the private key. In some cases, recovery agents can

er tif

recover the private key from a key escrow.

recovery point objective (RPO)—A term that refers to the amount of data you can afford to lose by identifying a point in time where data loss is acceptable. It is often identified in a BIA. Compare with RTO.

C

recovery site—An alternate location for business functions after a major disaster. Compare with cold site, warm site, and hot site. recovery time objective (RTO)—The maximum amount of time it should take to restore a system

et

after an outage. It is derived from the maximum allowable outage time identified in the BIA. Compare with RPO.

G

red team—Personnel involved in cybersecurity readiness that are experts in attacking systems. Red team members emulate the techniques used by potential attackers. Compare with blue team, purple team, white team, and capture the flag.

redundancy—The process of adding duplication to critical system components and networks. Redunancy and fault-tolerance methods increase increase availability supporting resiliency. Copyright 2021 YCDA, LLC v0.1

redundant array of inexpensive disks (RAID)—Multiple disks added together to increase performance or provide protection against faults. RAID helps prevent disk subsystems from being a single point of failure. Compare with RAID-0, RAID-1, RAID-5, RAID-6, and RAID-10. refactoring—A driver manipulation method. Developers rewrite the code without changing the

d

driver’s behavior. registration authority (RA)—An entity that can collect registration information for a certificate

ea

authority (CA). An RA never issues certificates, but instead only assists the CA. All CAs don’t use an RA. Compare with certificate authority.

Ah

remote access Trojan (RAT)—Malware that allows an attacker to take control of a system from a remote location. A RAT gives an attacker full control over a user’s system from a remote location over the Internet.

Remote Authentication Dial-In User Service (RADIUS)—Provides central authentication for

et

remote access clients. RADIUS uses symmetric encryption to encrypt the password packets, and it uses UDP by default. In contrast, TACACS+ encrypts the entire authentication process and uses

G

TCP. RFC 3579 “RADIUS Support for EAP” supports encryption of the entire authentication process using TCP. Compare with TACACS+.

Remote Desktop Protocol (RDP)—Used to connect to remote systems. Microsoft uses RDP in

ie

TCP 3389 or UDP 3389.

d

different services such as Remote Desktop Services and Remote Assistance. RDP uses either port remote wipe—The process of sending a signal to a remote device to erase all data. It is useful when a

er tif

mobile device is lost or stolen.

replay attack—An attack where the data is captured and replayed. Attackers typically modify data before replaying it.

resilience—A system’s ability to continue to operate even after an adverse event. Resilience is

C

similar to availability. However, availability tries to keep systems operational 100 percent of the time, which isn’t possible. In contrast, resilience expects systems to have outages and seeks to restore the system to full operation as soon as possible after the outage. Compare with availability.

et

resource exhaustion—The malicious result of many DoS and DDoS attacks. The attack overloads a

computer’s resources (such as the processor and memory), resulting in service interruption.

G

retina scanners—A biometric authentication system. Retina scanners scan the retina of an eye for authentication. Some people object to using these scanners for authentication because they can identify medical issues and because you typically need to have physical contact with the scanner.

Security+ Practice Test Questions

https://gcgapremiumpass.com/sy0-601-practice-test-questions/

reverse proxy server—A server used to accept requests from the Internet and forward them to a Web server. It appears to clients as a web server but is forwarding the requests to the web server and serving the pages returned by the web server. Compare with forward proxy server. RFI—Radio frequency interference. Interference from RF sources such as AM or FM transmitters.

d

RFI can be filtered to prevent data interference, and cables can be shielded to protect signals from RFI.

ea

RFID—Radio frequency identification. RFID methods are often used for inventory control.

RFID attacks—Attacks against radio-frequency identification (RFID) systems. Some common

Ah

RFID attacks are eavesdropping, replay, and DoS.

Rich Communication Services (RCS)— An extension of SMS and MMS. RCS supports all of the features of MMS and adds a few additional features. If a system doesn’t support RCS, it can default to SMS or MMS. Compare with SMS and Multimedia Message Service.

et

risk—The possibility or likelihood of a threat exploiting a vulnerability resulting in a loss. Compare with threat and vulnerability.

G

risk assessment—A process used to identify and prioritize risks. It includes quantitative risk assessments and qualitative risk assessments. Compare with quantitative assessment and qualitative assessment.

d

risk management—The practice of identifying, monitoring, and limiting risks to a manageable assessments.

ie

level. It includes risk response techniques, qualitative risk assessments, and quantitative risk

er tif

Risk Management Framework (RMF)—A framework for identifying and managing risk. NIST published it as SP 800-37, “Risk Management Framework for Information Systems and Organizations.” It includes seven steps: prepare, categorizing information systems, select security controls, assess security controls, authorize information systems, monitor security controls.

C

risk matrix—A graph that plots risks onto a graph or chart. A risk matrix typically plots the likelihood of occurrence against the impact of a risk. Compare with heat map. risk mitigation—The process of reducing risk by implementing security controls. Security controls

et

reduce risk by reducing vulnerabilities associated with a risk or by reducing the impact of a threat.

risk register—A document listing information about known risks. It typically includes risk scores

G

along with recommended security controls to reduce the risk scores.

risk response techniques—Methods used to manage risks. Common risk response techniques are

accept, avoid, mitigate, transfer, and cybersecurity insurance. RMF—Risk Management Framework. A framework for identifying and managing risk. NIST published it as SP 800-37, “Risk Management Framework for Information Systems and Copyright 2021 YCDA, LLC v0.1

Organizations.” It includes seven steps: prepare, categorizing information systems, select security controls, assess security controls, authorize information systems, monitor security controls. rogue AP—An unauthorized AP. It can be placed by an attacker or an employee who hasn’t obtained permission to do so. An evil twin is a special type of rogue AP with the same or similar SSIS as a

d

legitimate AP. ROI—Return of investment or return on investment. A performance measure used to identify when

ea

an investment provides a positive benefit to the investor. It is sometimes considered when evaluating the purchase of new security controls.

Ah

role-based access control—An access control scheme. Role-based access control uses roles based on jobs and functions to define access. It is often implemented with groups (providing group-based privileges) and uses a matrix as a planning document to match roles with the required privileges. Compare with ABAC, DAC, MAC, and rule-based access control.

et

root certificate—A PKI certificate identifying a root CA. access. Compare with jailbreaking.

G

rooting—The process of modifying an Android device, giving the user root-level, or administrator, rootkit—A type of malware that has system-level access to a computer. Rootkits are often able to hide themselves from users and antivirus software.

d

ROT13—A substitution cipher that uses a key of 13. To encrypt a message, you would rotate each

ie

letter 13 spaces. To decrypt a message, you would rotate each letter 13 spaces. router—A network device that connects multiple network segments together into a single network. ACLs.

er tif

They route traffic based on the destination IP address and do not pass broadcast traffic. Routers use RPO—Recovery point objective. A term that refers to the amount of data you can afford to lose by identifying a point in time where data loss is acceptable. It is often identified in a BIA. Compare

C

with RTO.

RSA—Rivest, Shamir, and Adleman. An asymmetric algorithm used to encrypt data and digitally sign transmissions. It is named after its creators, Rivest, Shamir, and Adleman. RSA uses both a

et

public key and a private key in a matched pair.

RSTP—Rapid Spanning Tree Protocol. An improvement over STP. STP and RSTP protocols are

G

enabled on most switches and protect against switching loops, such as those caused when two ports of a switch are connected together. RTO—Recovery time objective. The maximum amount of time it should take to restore a system

after an outage. It is derived from the maximum allowable outage time identified in the BIA. Compare with RPO.

Security+ Practice Test Questions

https://gcgapremiumpass.com/sy0-601-practice-test-questions/

RTOS—Real-time operating system. An operating system that reacts to input within a specific time. Many embedded systems include an RTOS. rule-based access control—An access control scheme. Rule-based access control is based on a set of approved instructions, such as an access control list, or rules that trigger in response to an event

d

such as modifying ACLs after detecting an attack. Compare with ABAC, DAC, MAC, and role-based access control.

ea

runbooks—Used with SOAR. A checklist of things to check in response to a suspected incident. Runbooks are used when creating playbooks. Compare with SOAR and playbooks.

Ah

S

SaaS—Software as a Service. A cloud computing model. SaaS provides applications over the up-to-date. Compare with IaaS, PaaS and XaaS.

et

Internet, such as webmail. The vendor is responsible for keeping the SaaS applications available and salt—A random set of data added to a password when creating the hash. PBKDF2, Bcrypt, and

G

Argon2 are some protocols that use salts. These help thwart rainbow table attacks. salting—The process of adding a random set of data to a password when creating the hash. PBKDF2,

d

Bcrypt, and Argon2 are three protocols that use salts.

SAML—Security Assertions Markup Language. An XML-based standard used to exchange

er tif

web-based applications.

ie

authentication and authorization information between different parties. SAML provides SSO for SAN—Storage Area Network. A specialized network of high-speed storage devices. sandboxing—The use of an isolated area on a system, typically for testing. Virtual machines are often used to test patches in an isolated sandbox. Application developers sometimes use sandboxes to create isolated systems for testing. Antivirus software uses sandboxes to check suspicious

C

software before allowing it to run on a system. sanitize—The process of destroying or removing all sensitive data from systems and devices. Data

et

sanitization methods include burning, shredding, pulping, pulverizing, degaussing, purging, and wiping.

G

SCADA—Supervisory control and data acquisition. A system used to control an ICS such as a power plant or water treatment facility. Ideally, a SCADA is within an isolated network without direct access to the Internet. NIPS systems and VLANs provide a layer of protection for SCADA systems. Compare with ICS. scalability—A system's ability to handle increased workload either by scaling up or by scaling out. Copyright 2021 YCDA, LLC v0.1

Scaling up adds additional resources (such as more RAM) to a server, and scaling out adds additional servers. Compare with elasticity. SCP—Secure Copy. Based on SSH, SCP allows users to copy encrypted files over a network. SCP uses TCP port 22.

d

screened subnet—A buffer zone between the Internet and an internal network. It allows access to services while segmenting access to the internal network. Internet clients can access the services

ea

hosted on servers in the screened subnet, but the screened subnet provides a layer of protection for the internal network. A screened subnet was previously known as a demilitarized zone (DMZ).

Ah

Compare with DMZ.

screen filter—A physical security device used to reduce visibility of a computer screen. Screen filters help prevent shoulder surfing.

script kiddie—An attacker with little expertise or sophistication. Script kiddies use existing scripts

et

to launch attacks.

SDN—Software defined network. A method of using software and virtualization technologies to

G

replace hardware routers. SDNs separate the data and control planes.

SDV—Software-defined visibility. Technologies used to view all network traffic. SDV technologies ensure that all cloud-based traffic is viewable and can be analyzed.

d

Secure Hash Algorithm (SHA)—A hashing function used to provide integrity. Versions include

ie

SHA-1, SHA-2, and SHA-3. SHA-1 is no longer approved for most cryptographic uses due to weaknesses. SHA-2 has four versions (Sha-256, SHA-512, SHA-224, and SHA-384). SHA-3

er tif

(previously known as Keccak) was selected as the next version after a public competition. Secure/Multipurpose Internet Mail Extensions (S/MIME)—Used to secure email. S/MIME provides confidentiality, integrity, authentication, and non-repudiation. It can digitally sign and encrypt email, including the encryption of email at rest and in transit. It uses RSA, with public and

C

private keys for encryption and decryption, and depends on a PKI for certificates. Secure Orchestration, Automation, and Response (SOAR)—Tools used to automatically respond to low-level security events. Runbooks are the checklists used to create the automated responses and

et

playbooks are the automated actions created from the runbooks. Compare with playbooks and runbooks.

G

Secure Real-time Transport Protocol (SRTP)—A protocol used to encrypt and provide

authentication for Real-time Transport Protocol (RTP) traffic. RTP is used for audio/video streaming.

Security+ Practice Test Questions

https://gcgapremiumpass.com/sy0-601-practice-test-questions/

Secure Shell (SSH)—A protocol used to encrypt network traffic. SSH encrypts a wide variety of traffic such as SCP, SFTP, Telnet, and TCP Wrappers. SSH uses TCP port 22. SSH is a more secure alternative than Telnet when connecting to remote servers. Secure Sockets Layer (SSL)—The predecessor to TLS. SSL is used to encrypt data in transit with

d

the use of certificates. Security Assertions Markup Language (SAML)—An XML-based standard used to exchange

ea

authentication and authorization information between different parties. SAML provides SSO for web-based applications.

Ah

security incident—An adverse event or series of events that can negatively affect the

confidentiality, integrity, or availability of an organization’s information technology (IT) systems and data. Sometimes referred to as an incident.

Security information and event management (SIEM)—A system that provides a centralized logs to the SIEM system, and it aggregates the logs.

et

solution for collecting, analyzing, and managing log data from multiple sources. Log collectors send

G

SED—Self-encrypting drive. A drive that includes the hardware and software necessary to encrypt a hard drive. SEDs include all the encryption circuitry built into the drive, and they automatically encrypt the drive without user action. Users typically enter credentials to decrypt and use the drive.

d

Compare with FDE.

ie

self-encrypting drive (SED)—A drive that includes the hardware and software necessary to encrypt a hard drive. SEDs include all the encryption circuitry built into the drive, and they automatically

er tif

encrypt the drive without user action. Users typically enter credentials to decrypt and use the drive. Compare with FDE.

SELinux—Security-Enhanced Linux. An operating system platform that prevents malicious or suspicious code from executing on both Linux and Unix systems. It is one of the few operating

C

systems that use the MAC model. Enforcing mode will enforce the SELinux policy and ignore permissions. Permissive mode does not enforce the SELinux policy but instead logs any access that would normally be blocked. Disabled mode does not enforce the SELinux policy and does not log

et

anything related to the policy. separation of duties—A security principle. The separation of duties principle prevents any single

G

person or entity from controlling all the functions of a critical or sensitive process. It’s designed to prevent fraud, theft, and errors.

service account—An account used by a service or application. service level agreement (SLA)—An agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels. Organizations Copyright 2021 YCDA, LLC v0.1

use SLAs when contracting services from service providers such as Internet Service Providers (ISPs). session hijacking—An attack that attempts to impersonate a user by capturing and using a session ID. Session IDs are stored in cookies.

d

Service Set Identifier (SSID)—The name of a wireless network. SSIDs can be set to broadcast so users can easily see the SSID. Disabling SSID broadcast hides it from casual users, but an attacker can discover it

ea

with a wireless sniffer. It’s recommended to change the SSID from the default name.

SFTP—SSH File Transfer Protocol. An extension of Secure Shell (SSH) used to encrypt FTP

Ah

traffic. SFTP transmits data using TCP port 22. SFTP is sometimes referred to as secure FTP.

SHA—Secure Hash Algorithm. A hashing function used to provide integrity. Versions include SHA-1, SHA-2, and SHA-3. SHA-1 is no longer approved for most cryptographic uses due to weaknesses. SHA-2 has four versions (Sha-256, SHA-512, SHA-224, and SHA-384). SHA-3

et

(previously known as Keccak) was selected as the next version after a public competition. shadow IT—Unauthorized systems or applications installed on a network. Users sometimes install

G

systems without approval, often to bypass security controls. Shadow IT increases risks because these systems aren’t managed.

shimming—A driver manipulation method. It uses additional code to modify the behavior of a driver.

d

Simple Network Management Protocol, version 3 (SNMPv3)—Used to manage and monitor

ie

network devices such as routers or switches. SNMP agents report information via notifications known as SNMP traps or SNMP device traps. SNMP uses UDP ports 161 and 162.

er tif

single loss expectancy (SLE)—The monetary value of any single loss. It is used to measure risk with ALE and ARO in a quantitative risk assessment. The calculation is SLE × ARO = ALE. Compare with ALE and ARO.

shoulder surfing—The practice of looking over someone’s shoulder to obtain information, such as

C

on a computer screen. A screen filter placed over a monitor helps reduce the success of shoulder surfing.

shredding—A method of destroying data or sanitizing media. Cross-cut paper shredders cut papers

et

into fine particles. File shredders remove all remnants of a file by overwriting the contents multiple times.

G

sideloading—The process of copying an application package to a mobile device. It is useful for

developers when testing apps, but can be risky if users sideload unauthorized apps to their device. SIEM—Security information and event management. A system that provides a centralized solution

for collecting, analyzing, and managing log data from multiple sources. Log collectors send logs to the SIEM system, and it aggregates the logs.

Security+ Practice Test Questions

https://gcgapremiumpass.com/sy0-601-practice-test-questions/

signature-based—A type of monitoring used on intrusion detection and intrusion prevention systems. It detects attacks based on known attack patterns documented as attack signatures. SIM—Subscriber Identity Module. A small card that contains programming and information for small devices such as cell phones. The SIM card identifies what countries or networks the device

d

will use. simulation exercise—Functional exercises that allow personnel to test plans in a simulated

ea

operational environment. Personnel go through the actual steps of an exercise but in a simulated environment.

Ah

single point of failure (SPOF)—Any component whose failure results in the failure of an entire

system. Elements such as RAID, failover clustering, UPS, and generators remove many single points of failure.

single sign-on (SSO)—Authentication method where users can access multiple resources on a

et

network using a single account. SSO can provide central authentication against a federated database for different operating systems.

G

SLA—Service level agreement. An agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels. Organizations use SLAs when contracting services from service providers such as Internet Service Providers

d

(ISPs).

ie

SLE—Single loss expectancy. The monetary value of any single loss. It is used to measure risk with ALE and ARO in a quantitative risk assessment. The calculation is SLE × ARO = ALE. Compare

er tif

with ALE and ARO.

smart card—A credit card-sized card that has an embedded microchip and a certificate. It is used for authentication in the something you have factor of authentication. S/MIME—Secure/Multipurpose Internet Mail Extensions. Used to secure email. S/MIME provides

C

confidentiality, integrity, authentication, and non-repudiation. It can digitally sign and encrypt email, including the encryption of email at rest and in transit. It uses RSA, with public and private keys for encryption and decryption, and depends on a PKI for certificates.

et

smishing—A mashup of SMS and phishing. The practice of sending spam to users via text. SMS—Short Message Service. A basic text messaging service. Most mobile devices support SMS.

G

Compare with Multimedia Message Service and Rich Communication Services. SMTP—Simple Mail Transfer Protocol. Used to transfer email between clients and servers and

between email servers and other email servers. SMTP uses TCP port 25.

Copyright 2021 YCDA, LLC v0.1

snapshot—A copy of a virtual machine (VM) at a moment in time. If you later have problems with the VM, you can revert it to the state it was in when you took the snapshot. Some backup programs also use snapshots to create a copy of data at a moment in time. SNMPv3—Simple Network Management Protocol. Used to manage and monitor network devices

d

such as routers or switches. SNMP agents report information via notifications known as SNMP traps or SNMP device traps. SNMP uses UDP ports 161 and 162.

ea

SOAR—Secure Orchestration, Automation, and Response. Tools used to automatically respond to low-level security events. Runbooks are the checklists used to create the automated responses and

Ah

playbooks are the automated actions created from the runbooks. Compare with playbooks and runbooks.

SoC—System on chip. An integrated circuit that includes a computing system within the hardware. Many mobile devices include an SoC.

et

social engineering—The practice of using social tactics to gain information. Social engineers attempt to gain information from people, or get people to do things they wouldn’t normally do.

G

Software as a Service (SaaS)—A cloud computing model. SaaS provides applications over the Internet, such as webmail. The vendor is responsible for keeping the SaaS applications available and up-to-date. Compare with IaaS, PaaS, and XaaS.

d

software defined network (SDN)—A method of using software and virtualization technologies to

ie

replace hardware routers. SDNs separate the data and control planes. software-defined visibility (SDV) —Technologies used to view all network traffic. SDV technologies

er tif

ensure that all cloud-based traffic is viewable and can be analyzed. solid state drive (SSD)—A drive used in place of a traditional hard drive. An SSD has no moving parts but instead stores the contents as nonvolatile memory. SSDs are much quicker than traditional hard drives.

C

someone you know— An authentication attribute. The someone you know attribute indicates that someone is vouching for you. Compare with somewhere you are, something you can do, something you exhibit, and authentication factors.

et

something you are—An authentication factor. The something you are factor of authentication uses

biometrics, such as a fingerprint scanner. Compare with something you know and something you

G

have.

something you can do— An authentication attribute. The something you can do attribute indicates action, such as gestures on a touch screen. Compare with somewhere you are, something you exhibit,

someone you know, and authentication factors.

Security+ Practice Test Questions

https://gcgapremiumpass.com/sy0-601-practice-test-questions/

something you exhibit— An authentication attribute. The something you exhibit attribute indicates something someone wears, such as an identification badge. Compare with somewhere you are, something you can do, someone you know, and authentication factors. something you have—An authentication factor. The something you have factor of authentication

d

refers to something a user possesses, such as a smart card. Compare with something you know and something you are.

ea

something you know—An authentication factor. The something you know factor of authentication

refers to something a user knows, such as a password or PIN. Compare with something you have and

Ah

something you are.

somewhere you are—An authentication attribute. The somewhere you are attribute identifies a user’s location using geolocation technologies. Compare with something you can do, something you exhibit, someone you know, and authentication factors.

et

spam—Unwanted or unsolicited email. Attackers often launch attacks using spam. spam filter—A method of blocking unwanted email. By blocking email, it often blocks malware.

G

spam over Internet messaging (SPIM)—A form of spam using instant messaging. SPIM targets instant messaging users.

Spanning Tree Protocol (STP)—Protocol enabled on most switches that protects against switching

d

loops. A switching loop is caused when two ports of a switch are connected together.

ie

spear phishing—A targeted form of phishing. Spear phishing attacks attempt to target specific groups of users, such as those within a specific organization or even a single user.

er tif

SPIM—Spam over Internet Messaging. A form of spam using instant messaging. SPIM targets instant messaging users.

split tunnel—An encrypted connection used with VPNs. A split tunnel only encrypts traffic going to private IP addresses used in the private network. Compare with full tunnel.

C

SPOF—Single point of failure. Any component whose failure results in the failure of an entire system. Elements such as RAID, failover clustering, UPS, and generators remove many single points of failure.

et

spraying attack—A password attack that loops through a list of targeted user accounts. It picks a

password and then tries it against each of the accounts in the list. These targeted user accounts can be

G

on multiple systems. Once it gets through the list, it picks another password and loops through the list again. This bypasses account lockout policies because it takes a long time before it guesses a password for the same account again.

Copyright 2021 YCDA, LLC v0.1

spyware—Software installed on users’ systems without their awareness or consent. Its purpose is often to monitor the user’s computer and the user’s activity. Compare with potentially unwanted programs. SQL—Structured Query Language. Used by SQL-based databases, such as Microsoft SQL Server.

d

Websites integrated with a SQL database are subject to SQL injection attacks. Input validation with forms and stored procedures help prevent SQL injection attacks. Microsoft SQL Server uses TCP

ea

port 1433 by default.

SRTP—Secure Real-time Transport Protocol. A protocol used to encrypt and provide authentication

Ah

for Real-time Transport Protocol (RTP) traffic. RTP is used for audio/video streaming.

SSD—Solid state drive. A drive used in place of a traditional hard drive. An SSD has no moving parts but instead stores the contents as nonvolatile memory. SSDs are much quicker than traditional hard drives.

et

SSH—Secure Shell. A protocol used to encrypt network traffic. SSH encrypts a wide variety of traffic such as SCP, SFTP, Telnet, and TCP Wrappers. SSH uses TCP port 22. SSH is a more secure

G

alternative than Telnet when connecting to remote servers.

SSH File Transfer Protocol (SFTP)—An extension of Secure Shell (SSH) used to encrypt FTP traffic. SFTP transmits data using TCP port 22. SFTP is sometimes referred to as secure FTP.

d

SSID—Service Set Identifier. The name of a wireless network. SSIDs can be set to broadcast so users

ie

can easily see the SSID. Disabling SSID broadcast hides it from casual users, but an attacker can discover it

with a wireless sniffer. It’s recommended to change the SSID from the default name.

er tif

SSO—Single sign-on. Authentication method where users can access multiple resources on a network using a single account. SSO can provide central authentication against a federated database for different operating systems.

stapling—The process of appending a digitally signed OCSP response to a certificate. It reduces the

C

overall OCSP traffic sent to a CA.

stateful firewall— A firewall that filters traffic based on the state of the traffic within a session. A stateful firewall inspects traffic and makes decisions based on the traffic context or state.

et

stateless firewall—A firewall that filters traffic based on the contents of each packet. Stateless firewalls

filter traffic based on IP addresses, ports, and protocols.

G

steganography—The practice of hiding data within data. For example, it’s possible to embed text files within an image, hiding them from casual users. Other methods include hiding data with audio and video files. Steganography can obscure data to hide it. Storage Area Network (SAN)—A specialized network of high-speed storage devices.

Security+ Practice Test Questions

https://gcgapremiumpass.com/sy0-601-practice-test-questions/

storage segmentation—A method used to isolate data on mobile devices. It allows personal data to be stored in one location and encrypted corporate data to be stored elsewhere. stored procedures—A group of SQL statements that execute as a whole, similar to a mini-program. Developers use stored procedures to prevent SQL injection attacks. loops. A switching loop is caused when two ports of a switch are connected together.

d

STP—Spanning Tree Protocol. Protocol enabled on most switches that protects against switching

ea

stream cipher—An encryption method that encrypts data as a stream of bits or bytes. Compare with block cipher.

Ah

Structured Query Language (SQL)—Used by SQL-based databases, such as Microsoft SQL Server. Websites integrated with a SQL database are subject to SQL injection attacks. Input

validation with forms and stored procedures help prevent SQL injection attacks. Microsoft SQL Server uses TCP port 1433 by default.

et

Subscriber Identity Module (SIM)—A small smart card that contains programming and information for small devices such as cell phones. The SIM card identifies what countries or

G

networks the device will use.

substitution cipher—An encryption method that replaces characters with other characters. Supervisory control and data acquisition (SCADA)—Supervisory control and data acquisition. A

d

system used to control an ICS such as a power plant or water treatment facility. Ideally, a SCADA is

ie

within an isolated network without direct access to the Internet. NIPS systems and VLANs provide a layer of protection for SCADA systems. Compare with ICS.

er tif

supply chain—All the elements required to produce and sell products and services. If the supply chain is disrupted, it impacts an organization’s ability to produce and sell products and services. switch—A network device used to connect devices. Layer 2 switches send traffic to ports based on their MAC addresses. Layer 3 switches send traffic to ports based on their IP addresses and support

C

VLANs.

symmetric encryption—A type of encryption using a single key to encrypt and decrypt data. Symmetric encryption is faster than asymmetric encryption Compare with asymmetric encryption.

et

SYN—Synchronize. The first packet in a TCP handshake. In a SYN flood attack, attackers send this packet, but don’t complete the handshake after receiving the SYN/ACK packet.

G

system on chip (SoC)—An integrated circuit that includes a computing system within the hardware.

Many mobile devices include an SoC.

Copyright 2021 YCDA, LLC v0.1

Pass the First Time with Quality Practice Test Questions https://gcgapremium.com/sy0-601-practice-test-questions/

ea

d

T

tabletop exercise—A discussion-based exercise where participants talk through an event while

sitting at a table or in a conference room. It is often used to test business continuity plans (BCPs) and

Ah

disaster recovery plans (DRPs).

TACACS+—Terminal Access Controller Access-Control System+. Provides central authentication for remote access clients and used as an alternative to RADIUS. TACACS+ uses TCP port 49. It

et

encrypts the entire authentication process, compared with the default RADIUS, which only encrypts the password. It uses multiple challenges and responses. Compare with RADIUS.

G

tainted data—A risk associated with machine learning and AI-enabled systems. People write algorithms, and sometimes people inadvertently insert their bias into their code and data used by their code. As an example, the Correctional Offender Management Profiling for Alternative

d

Sanctions (COMPAS) algorithm used in US court systems to predict recidivism reportedly produced

ie

twice as many false positives for black offenders (45%) than white offenders (23%). Compare with data bias.

er tif

tailgating—A social engineering attack where one person follows behind another person without using credentials. Access control vestibules help prevent tailgating. TCO—Total cost of ownership. A factor considered when purchasing new products and services. TCO attempts to identify the cost of a product or service over its lifetime.

C

TCP—Transmission Control Protocol. Provides guaranteed delivery of IP traffic using a three-way handshake. Compare with UDP. TCP/IP—Transmission Control Protocol/Internet Protocol. Represents the full suite of protocols

et

used on the Internet and most internal networks. tcpdump—A command-line protocol analyzer. Administrators use it to capture packets.

G

tcprelay—A command-line protocol tool. Tcpreplay is a suite of utilities used to edit packet captures

and then send the edited packets over the network. technical controls—Security controls implemented through technology. This includes hardware, software, and firmware technical controls. Compare with managerial and operational controls.

Security+ Practice Test Questions

https://gcgapremiumpass.com/sy0-601-practice-test-questions/

technology diversity—The practice of using different technologies to protect an environment Compare with control diversity, vendor diversity, and crypto diversity. Terminal Access Controller Access-Control System+ (TACACS+)—Provides central authentication for remote access clients and used as an alternative to RADIUS. TACACS+ uses TCP

d

port 49. It encrypts the entire authentication process, compared with the default RADIUS, which only encrypts the password. It uses multiple challenges and responses. Compare with RADIUS.

ea

tethering—The process of sharing an Internet connection from one mobile device to another.

TFTP—Trivial File Transfer Protocol. Used to transfer small amounts of data with UDP port 69. In

Ah

contrast, FTP is used to transfer larger files using TCP ports 20 and 21.

TGT—Ticket Granting Ticket. Used with Kerberos. A KDC (or TGT server) issues timestamped tickets that expire after a certain time period.

third-party app store—An app store other than the primary source for mobile device apps. It refers

et

to an app store other than the App Store or Google Play for Apple and Android devices, respectively.

G

threat—Any circumstance or event that has the potential to compromise confidentiality, integrity, or availability. Compare with risk and vulnerability.

time-based logins—An account restriction that prevents users from logging on at certain times.

d

Time-based One-Time Password (TOTP)—An open standard used for creating one-time

ie

passwords, TOTP is similar to HOTP, but it uses a timestamp instead of a counter. One-time passwords created with TOTP expire after 30 seconds. Compare with HOTP.

er tif

time offset—An offset used by logs to provide consistency in timestamps. As an example, many logs use Greenwich Mean Time (GMT) for log entries, but a time offset needs to be applied to determine the local time for log entries.

TLS—Transport Layer Security. Used to encrypt data in transit. TLS is the replacement for SSL and

C

like SSL, it uses certificates issued by CAs. HTTPS uses TLS to encrypt web sessions. VPNs can use TLS to encrypt VPN sessions. Several authentication protocols (such as PEAP, EAP-TLS, EAPTTLS) use TLS to encrypt the authentication process. TLS requires a CA to issue certificates.

et

token—An authentication device or file. A hardware token is a physical device used in the something

you have factor of authentication. A software token is a small file used by authentication services

G

indicating a user has logged on. tokenization—A practice of replacing sensitive data with a token which is a string of characters.

Point of sale (POS) terminals use tokenization to replace credit card data with tokens. Only a thirdparty entity (such as the credit card processor) can convert the token into the original data (the credit card data in this example). Copyright 2021 YCDA, LLC v0.1

TOTP—Time-based One-Time Password. An open standard used for creating one-time passwords, TOTP is similar to HOTP, but it uses a timestamp instead of a counter. One-time passwords created with TOTP expire after 30 seconds. Compare with HOTP. TPM—Trusted Platform Module. A hardware chip on the motherboard included on many newer

d

laptops. A TPM includes a unique RSA asymmetric key, and when first used, creates a storage root key. TPMs generate and store other keys used for encryption, decryption, and authentication. TPM

ea

provides full disk encryption. Compare with HSM.

tracert—A command-line tool. It is used to trace the route between two systems.

Ah

Transport Layer Security (TLS)—Used to encrypt data in transit. TLS is the replacement for SSL and like SSL, it uses certificates issued by CAs. HTTPS uses TLS to encrypt web sessions. VPNs can use TLS to encrypt VPN sessions. Several authentication protocols (such as PEAP, EAP-TLS, EAP-TTLS) use TLS to encrypt the authentication process. TLS requires a CA to issue certificates.

et

Trivial File Transfer Protocol (TFTP)—Used to transfer small amounts of data with UDP port 69. In contrast, FTP is used to transfer larger files using TCP ports 20 and 21.

G

Trojan—Malware also known as a Trojan horse. A Trojan often looks useful, but is malicious. Trusted Platform Module (TPM)—A hardware chip on the motherboard included on many newer laptops. A TPM includes a unique RSA asymmetric key, and when first used, creates a storage root

d

key. TPMs generate and store other keys used for encryption, decryption, and authentication. TPM

ie

provides full disk encryption. Compare with HSM.

Twofish—A symmetric key block cipher. It encrypts data in 128-bit blocks and supports 128-, 192-,

er tif

or 256-bit keys. Compare with Blowfish.

typo squatting—The purchase of a domain name that is close to a legitimate domain name. Attackers often try to trick users who inadvertently use the wrong domain name. Also called URL

U

C

hijacking.

et

UAVs—Unmanned aerial vehicles. Flying vehicles piloted by remote control or onboard computers. UDP—User Datagram Protocol. Used instead of TCP when guaranteed delivery of each packet is

G

not necessary. UDP uses a best-effort delivery mechanism. Compare with TCP. UEFI—Unified Extensible Firmware Interface. A method used to boot some systems and intended to replace Basic Input/Output System (BIOS) firmware. Compare with BIOS.

Uniform Resource Locator (URL) redirection—A technique used to redirect traffic to a different page or a different site.

Security+ Practice Test Questions

https://gcgapremiumpass.com/sy0-601-practice-test-questions/

uninterruptible power supply (UPS)—A battery backup system that provides fault tolerance for power and can protect against power fluctuations. A UPS provides short-term power to give the system enough time to shut down smoothly or transfer to generator power. Generators provide long-term power in

d

extended outages.

ea

unknown environment test—A type of penetration test. Testers have zero knowledge of the

environment prior to starting the test. This was previously known as a black box test. Compare with

Ah

known environment test and partially known environment test.

UPS—Uninterruptible power supply. A battery backup system that provides fault tolerance for power and can protect against power fluctuations. A UPS provides short-term power to give the system enough time outages.

et

to shut down smoothly or transfer to generator power. Generators provide long-term power in extended URI—Uniform Resource Identifier. Used to identify the name of a resource and always includes the

G

protocol such as http://GetCertifiedGetAhead.com.

URL—Uniform Resource Locator. A type of URI. Address used to access web resources, such as http://GetCertifiedGetAhead.com. Pop-up blockers can include URLs of sites where pop-ups are

d

allowed.

ie

URL hijacking—The purchase of a domain name that is close to a legitimate domain name. squatting.

er tif

Attackers often try to trick users who inadvertently use the wrong domain name. Also called typo USB—Universal Serial Bus. A serial connection used to connect peripherals such as printers, flash drives, and external hard disk drives. Data on USB drives can be protected against loss of confidentiality with encryption. Attackers have spread malware through Trojans.

C

USB On-The-Go (OTG). A cable used to connect mobile devices to other devices. It is one of many methods that you can use to connect a mobile device to external media. use case—A methodology used in system analysis and software engineering to identify and clarify

et

requirements to achieve a goal. For example, a use case of supporting confidentiality can help an organization identify the steps required to protect the confidentiality of data.

G

UTM—Unified threat management. A security appliance that combines multiple security controls

into a single solution. UTM appliances can inspect data streams for malicious content and often include URL filtering, malware inspection, and content inspection components.

Copyright 2021 YCDA, LLC v0.1

V VDI—Virtualization Desktop Infrastructure. Virtualization software designed to reproduce a desktop operating system as a virtual machine on a remote server. Users can access VDI desktops

d

from desktop PCs or mobile devices. vendor diversity—The practice of implementing security controls from different vendors to increase

ea

security. Compare with control diversity, technology diversity, and crypto diversity.

version control—A method of tracking changes to software as it is updated.Virtualization Desktop

Ah

Infrastructure (VDI)—Virtualization software designed to reproduce a desktop operating system as a virtual machine on a remote server. Users can access VDI desktops from desktop PCs or mobile devices.

virtualization—A technology that allows you to host multiple virtual machines on a single physical

et

system.

virtual local area network (VLAN)—A method of segmenting traffic. A VLAN can logically

G

group several different computers together, or logically separate computers without regard to their physical location. It is possible to create multiple VLANs with a single switch. You can also create VLANs with virtual switches.

d

virtual machine (VM) escape—An attack that allows an attacker to access the host system from

ie

within a virtual machine. The primary protection is to keep hosts and guests up to date with current patches. Compare with virtual machine sprawl.

er tif

virtual machine (VM) sprawl—A vulnerability that occurs when an organization has VMs that aren’t properly managed. Unmanaged VMs are not kept up to date with current patches. Compare with virtual machine escape.

virtual private network (VPN)—Provides access to a private network over a public network such

C

as the Internet. VPNs can provide access to internal networks for remote clients, or provide access to other networks via site-to-site VPNs. virus—Malicious code that attaches itself to a host application. The host application must be

et

executed to run, and the malicious code executes when the host application is executed. vishing—A phishing attack using phones.Vishing attacks often use Voice over IP (VoIP)

G

technologies.

VLAN—Virtual local area network. A method of segmenting traffic. A VLAN can logically group

several different computers together, or logically separate computers without regard to their physical location. It is possible to create multiple VLANs with a single switch. You can also create VLANs with virtual switches.

Security+ Practice Test Questions

https://gcgapremiumpass.com/sy0-601-practice-test-questions/

VM—Virtual machine. A virtual system hosted on a physical system. A physical server can host multiple VMs as servers. Virtualization helps reduce the amount of physical equipment required, reducing overall physical security requirements such as HVAC and power. Voice over IP (VoIP)—A group of technologies used to transmit voice over IP networks. Vishing is a

d

form of phishing that sometimes uses VoIP. voice recognition— A biometric authentication system. Voice recognition systems identify who is

ea

speaking using speech recognition.

VoIP—Voice over IP. A group of technologies used to transmit voice over IP networks. Vishing is a

Ah

form of phishing that sometimes uses VoIP.

VPN—Virtual private network. Provides access to a private network over a public network such as the Internet. VPNs can provide access to internal networks for remote clients, or provide access to other networks via site-to-site VPNs.

et

vulnerability—A weakness. It can be a weakness in the hardware, the software, the configuration, or even the users operating the system. Compare with risk and threat.

G

vulnerability scanner—A tool used to detect vulnerabilities. A scan typically identifies vulnerabilities, misconfigurations, and a lack of security controls. It passively tests security controls.

d

W

ie

WAF—Web application firewall—A firewall specifically designed to protect a web application. A

er tif

WAF inspects the contents of traffic to a web server, can detect malicious content such as code used in a cross-scripting attack, and block it.

walkthrough exercise—workshops or orientation seminars that train team members about their roles and responsibilities. Walkthroughs familiarize personnel with an organization’s business continuity plans and their roles and responsibilities.

C

WAP—Wireless access point. A device that connects wireless clients to wireless networks. Sometimes called an access point (AP).

et

warm site—An alternate location for operations. A compromise between an expensive hot site and a

cold site. Compare with cold site and hot site.

G

watering hole attack—An attack method that infects websites that a group is likely to trust and visit.

wearable technology—Smart devices that a person can wear or have implanted.

Copyright 2021 YCDA, LLC v0.1

web application firewall (WAF)—A firewall specifically designed to protect a web application. A WAF inspects the contents of traffic to a web server, can detect malicious content such as code used in a cross-scripting attack, and block it. whaling—A form of spear phishing that attempts to target high-level executives. When successful,

d

attackers gain confidential company information that they might not be able to get anywhere else. purple team, and capture the flag.

ea

white team—Personnel involved in cybersecurity readiness Compare with red team, blue team,

WiFi analyzers—A device used to identify activity on the wireless spectrum. WiFi analyzers are

Ah

commonly used with site surveys. Compare with wireless scanner.

WiFi Direct—A standard that allows devices to connect without a wireless access point. Compare with ad hoc.

WiFi Protected Access 2 (WPA2)—Security protocol used to protect wireless transmissions. It

et

supports CCMP for encryption, which is based on AES. It uses an 802.1X server for authentication in WPA2 Enterprise mode and a preshared key for WPA2 Personal mode, also called WPA2-PSK.

G

WiFi Protected Access 3 (WPA3)—Security protocol used to protect wireless transmissions. WPA3 is the newest wireless cryptographic protocol. It uses Simultaneous Authentication of Equals (SAE) instead of the PSK used with WPA2. SAE is based on the Diffie–Hellman key exchange.

d

WiFi Protected Setup (WPS)—Allowed users to easily configure a wireless network, often by

ie

using only a PIN. WPS brute force attacks can discover the PIN when used with WPA2. wildcard certificate—A certificate that can be used for multiple domains with the same root

er tif

domain. It starts with an asterisk.

wiping—The process of completely removing all remnants of data on a disk. A bit-level overwrite writes patterns of 1s and 0s multiple times to ensure data on a disk is unreadable. wireless access point (WAP)—A device that connects wireless clients to wireless networks.

C

Sometimes called an access point (AP).

wireless scanners—A network scanner that scans wireless frequency bands. Scanners can help discover rogue APs and crack passwords used by wireless APs. Sometimes called WiFi analyzers.

et

Wireshark—A free protocol analyzer. Wireshark is a windows-based application used to capture and analyze packets sent over a network.

G

worm—Self-replicating malware that travels through a network. Worms do not need user interaction

to execute. WPA—WiFi Protected Access. A legacy wireless security protocol. WPA2 and WPA3 have superseded WPA.

Security+ Practice Test Questions

https://gcgapremiumpass.com/sy0-601-practice-test-questions/

WPA2—WiFi Protected Access 2. Security protocol used to protect wireless transmissions. It supports CCMP for encryption, which is based on AES. It uses an 802.1X server for authentication in WPA2 Enterprise mode and a preshared key for WPA2 Personal mode, also called WPA2-PSK. WPA3—WiFi Protected Access 3. Security protocol used to protect wireless transmissions. WPA3 is the

d

newest wireless cryptographic protocol. It uses Simultaneous Authentication of Equals (SAE) instead of the PSK used with WPA2. SAE is based on the Diffie–Hellman key exchange.

ea

WPS—WiFi Protected Setup. Allowed users to easily configure a wireless network, often by using only a PIN. WPS brute force attacks can discover the PIN when used with WPA2.

Ah

WPS attack—An attack against an AP. A WPS attack discovers the eight-digit WPS PIN and uses it to discover the AP passphrase. WPA3 is resistant to WPS attacks.

Pass the First Time with Quality Practice Test Questions

et

https://gcgapremium.com/sy0-601-practice-test-questions/

G

X

XaaS—Anything as a Service. A cloud computing model. XaaS refers to any cloud computing model

d

not identified in IaaS, PaaS, or SaaS models. Compare to IaaS, PaaS, and SaaS. XML—Extensible Markup Language. A language used by many databases for inputting or

ie

exporting data. XML uses formatting rules to describe the data.

er tif

XSRF—Cross-site request forgery. A web application attack. Attackers use XSRF attacks to trick users into performing actions on websites, such as making purchases, without their knowledge. In some cases, it allows an attacker to steal cookies and harvest passwords. XSS—Cross-site scripting. A web application vulnerability that allows attackers to inject scripts into webpages. Attackers use XSS to capture user information such as cookies. Input validation

C

techniques on the server-side help prevent XSS attacks by blocking HTML and JavaScript tags.

et

Many sites prevent the use of < and > characters to block cross-site scripting.

G

Z

zero-day vulnerability—A vulnerability or bug that is unknown to trusted sources but can be

exploited by attackers. Zero-day attacks take advantage of zero-day vulnerabilities.

Copyright 2021 YCDA, LLC v0.1

zero trust—A network that doesn’t trust any devices by default. This helps reduce attacks by coming from compromised internal clients. Zero trust isn’t a technology, but instead, it’s a security

Ah

ea

d

model based on the principle of zero trust.

G

et

C

er tif

ie

d

G

et

Version 0.1 May 11 2021

Security+ Practice Test Questions

https://gcgapremiumpass.com/sy0-601-practice-test-questions/

Appendix F—Acronyms This acronym list is derived from the SY0-601 objectives and The CompTIA Security+ Get Certified

d

Get Ahead: SY0-601 Study Guide. By knowing the acronyms, many questions on the live exam will be much easier.

ea

CompTIA often spells out acronyms in the objectives. However, they tend to use acronyms in many test questions. As an example, Objective 5.4 includes these terms: Business impact analysis (BIA) o

Recovery time objective (RTO)

o

Recovery point objective (RPO)

Consider this potential question on the Security+ exam:

Ah

•

et

Q. Lisa is reviewing an organization’s BIA. It indicates that a key website can tolerate a maximum of three hours of downtime. Administrators have identified several systems that require redundancy

B. MTTR C. MTBF D. RTO

ie

A. RPO

d

maximum of three hours of downtime?

G

additions to meet this maximum downtime requirement. Of the following choices, what term refers to the

er tif

If you know that RTO is an acronym for recovery time objective and understand that “three hours of downtime” refers to time, this question is trivial. The recovery time objective (RTO) identifies the maximum amount of time it can take to restore a system after an outage. Because the business impact analysis (BIA) states that the website can only

C

tolerate three hours of downtime, this identifies the RTO. The recovery point objective (RPO) identifies a point in time where data loss is acceptable, but it doesn’t refer to downtime. The mean time to repair (MTTR) metric and mean time between failures (MTBF) metric refer to an average or arithmetic mean.

et

While the RTO is used to identify the MTTR, MTTR refers to how long it’ll take to repair a system or

G

component, not the maximum amount of downtime for a system or component.

Replace Acronyms with Words When doing practice test questions, it’s best to read all acronyms as words instead of letters. As an example, read this sentence “Lisa is reviewing an organization’s BIA” as Lisa is reviewing an

organization’s business impact analysis. Also, instead of reading the answers as letters, read them as words. If you see the following: A. RPO B. MTTR

d

C. MTBF

ea

D. RTO Read them as the following in your head: A. Recovery point objective

C. Mean time between failures D. Recovery time objective

et

If you forget what an acronym represents, come back here.

Ah

B. Mean time to repair

G

Numbers

3DES—Triple Digital Encryption Standard. A symmetric algorithm is used to encrypt data and provide confidentiality. It is a block cipher that encrypts data in 64-bit blocks. It was initially

ed

designed to replace DES and is still used in some applications, such as when hardware doesn’t support AES.

tif i

A

AAA—Authentication, Authorization, and Accounting. AAA protocols are used in remote access

er

systems. For example, TACACS+ is an AAA protocol that uses multiple challenges and responses during a session. Authentication verifies a user’s identification. Authorization determines if a user

C

should have access. Accounting tracks a user’s access with logs. ABAC—Attribute-based access control. An access control scheme. ABAC grants access to

et

resources based on attributes assigned to subjects and objects. Compare with DAC, MAC, role-based access control, and rule-based access control.

G

ACE—Access Control Entry. Identifies a user or group that is granted permission to a resource. ACEs are contained within a DACL in NTFS. ACK—Acknowledge. A packet in a TCP handshake. In a SYN flood attack, attackers send the SYN packet but don’t complete the handshake after receiving the SYN/ACK packet. ACL—Access control list. Lists of rules used by routers and stateless firewalls. These devices use the ACL to control traffic based on networks, subnets, IP addresses, ports, and some protocols.

Security+ (SY0-601) Practice Questions https://gcgapremiumpass.com/sy0-601-practice-test-questions/

address resolution protocol (ARP) poisoning—An attack that misleads systems about the actual MAC address of a system. ARP poisoning attacks can redirect traffic through an attacker’s system by sending false MAC address updates. AES—Advanced Encryption Standard. A symmetric algorithm used to encrypt data and provide

d

confidentiality. AES is a block cipher, and it encrypts data in 128-bit blocks. It is quick, highly

bits, or 256 bits.

ea

secure, and used in a wide assortment of cryptography schemes. It includes key sizes of 128 bits, 192

AES-256—Advanced Encryption Standard 256 bit. AES sometimes includes the number of bits used

Ah

in the encryption keys, and AES-256 uses 256-bit encryption keys.

AH—Authentication Header. An option within IPsec to provide authentication and integrity. IPsec includes uses AH to provide authentication and integrity using HMAC. ESP provides confidentiality, integrity, and authentication using HMAC and AES or 3DES. AH is identified with protocol ID

et

number 51. Compare with IPSec and ESP.

ALE—Annualized (or annual) loss expectancy. The expected loss for a year. The ALE identifies the

G

expected annual loss and is used to measure risk with ARO and SLE in a quantitative risk assessment. The calculation is SLE × ARO = ALE. Compare with SLE and ARO.

wireless access point (WAP).

d

AP—Access point. A device that connects wireless clients to wireless networks. Sometimes called a

ie

API—Application programming interface. A software module or component. An API gives developers access to features or data within another application, service, or operating system. APIs

er tif

are often used with web applications, Internet of Things (IoT) devices, and cloud-based services. API attacks—Application programming interface attacks. Attacks on an API. API attacks attempt to discover and exploit vulnerabilities in APIs.

APT—Advanced persistent threat. A group that has both the capability and intent to launch

C

sophisticated and targeted attacks. A nation state (such as a foreign government) sponsors APTs. ARO—Annualized (or annual) rate of occurrence. The number of times a loss is expected to occur in a year. The ARO is used to measure risk with ALE and SLE in a quantitative risk assessment. The

et

calculation is SLE × ARO = ALE. Compare with SLE and ALE. ARP—Address Resolution Protocol. Resolves IPv4 addresses to MAC addresses. Compare with arp.

G

ARP poisoning—An attack that misleads systems about the actual MAC address of a system. ARP poisoning attacks can redirect traffic through an attacker’s system by sending false MAC address updates. ASCII—American Standard Code for Information Interchange. Code used to display characters.

Copyright 2021 YCDA, LLC

AUP—Acceptable use policy. A policy defining proper system usage and the rules of behavior for employees. It will often describe the purpose of computer systems and networks, how users can access

them, and the responsibilities of users when accessing the systems.

d

B

ea

BCP—Business continuity plan. A plan that helps an organization predict and plan for potential

outages of critical services or functions. It includes disaster recovery elements that provide the steps used to return critical functions to operation after an outage. A BIA is a part of a BCP, and the BIA

Ah

drives decisions to create redundancies such as failover clusters or alternate sites. Compare with BIA and DRP.

BIA—Business impact analysis. A process that helps an organization identify critical systems and

et

components that are essential to the organization’s success. It identifies various scenarios that can impact these systems and components, maximum downtime limits, and potential losses from an

G

incident. The BIA helps identify RTOs and RPOs. Compare with BCP, BIA, DRP, RTO, and RPO. BIND—Berkeley Internet Name Domain. BIND is DNS software that runs on Linux and Unix servers. Most Internet-based DNS servers use BIND.

d

BIOS—Basic Input/Output System. A computer’s firmware that is used to manipulate different

ie

settings such as the date and time, boot drive, and access password. UEFI is the designated replacement for BIOS. Compare with UEFI.

er tif

BPDU guard—Bridge Protocol Data Unit guard. A technology that detects false BPDU messages. False BPDU messages can indicate a switching loop problem and shut down switch ports. The BPDU guard detects false BPDU messages and blocks the BPDU attack. BYOD—Bring your own device. A mobile device deployment model. A BYOD model allows

C

employees to connect personally owned devices, such as tablets and smartphones, to a company network. Data security is often a concern with BYOD policies causing organizations to consider

Pass the First Time with Quality Practice Test Questions https://gcgapremium.com/sy0-601-practice-test-questions/

G

et

CYOD or COPE models. Compare with COPE and CYOD.

C

CA—Certificate Authority. An organization that manages, issues, and signs certificates and is part of a PKI. Certificates are an essential part of asymmetric encryption, and they include public keys

Security+ (SY0-601) Practice Questions https://gcgapremiumpass.com/sy0-601-practice-test-questions/

and details on the owner of the certificate and the CA that issued the certificate. Certificate owners share their public key by sharing a copy of their certificate. Compare with PKI. CAPTCHA—Completely Automated Public Turing Test to Tell Computers and Humans Apart. Technique used to prevent automated tools from interacting with a website. Users must type in text

d

often from a slightly distorted image. CASB—Cloud access security broker. A software tool or service that enforces cloud-based

ea

security requirements. It is placed between the organization’s resources and the cloud, monitors all network traffic, and can enforce security policies.

Ah

CBC—Cipher Block Chaining. A mode of operation used by some symmetric encryption ciphers. It uses an IV for the first block, and each subsequent block is combined with the previous block. CCMP—Counter Mode with Cipher Block Chaining Message Authentication Code Protocol. An encryption protocol based on AES and used with WPA2 for wireless security.

et

CCTV—Closed-circuit television. A detective control that provides video surveillance. Video surveillance provides reliable proof of a person’s location and activity. It is also a physical security

G

control, and it can increase the safety of an organization’s assets.

CER—Canonical Encoding Rules. A base format for PKI certificates. They are ASCII encoded files. Compare with DER.

d

CERT—Computer Emergency Response Team. A group of experts who respond to security

ie

incidents.

CHAP—Challenge Handshake Authentication Protocol. An authentication mechanism where a

er tif

server challenges a client. Compare with MS-CHAPv2 and PAP. CIA—Confidentiality, integrity, and availability. These three form the security triad. Confidentiality helps prevent the unauthorized disclosure of data. Integrity provides assurances that data has not been modified, tampered with, or corrupted. Availability indicates that data and services are

C

available when needed.

CIO—Chief Information Officer. A “C” level executive position in some organizations. A CIO

et

focuses on using methods within the organization to answer relevant questions and solve problems. COOP—Continuity of operations planning. Continuity of operations planning sites provide an

G

alternate location for operations after a critical outage. A hot site includes personnel, equipment, software, and communication capabilities of the primary site with all the data up to date. A cold site will have power and connectivity needed for COOP activation, but little else. A warm site is a compromise between a hot site and a cold site. Compare with hot site, cold site, and warm site. COPE—Corporate-owned, personally enabled. A mobile device deployment model. The organization purchases and issues devices to employees. Compare with BYOD and CYOD. Copyright 2021 YCDA, LLC

CRL—Certification revocation list. A list of certificates that a Certificate Authority (CA) has revoked. Certificates are commonly revoked if they are compromised or issued to an employee who has left the organization. The CA that issued the certificate publishes a CRL, and a CRL is public. CSF—Cybersecurity Framework. A framework that aligns with the RMF and can be used in the

d

private sector. NIST SP 800-37, “Risk Management Framework for Information Systems and

ea

Organizations” is targeted toward federal government agencies. The CSF is an alternative that fits the private sector. It includes three components: the framework core, the framework implantation tiers, and the framework profiles.

Ah

CSR—Certificate signing request. A method of requesting a certificate from a CA. It starts by

creating an RSA-based private/public key pair and then including the public key in the CSR. Most CAs require CSRs to be formatted using the Public-Key Cryptography Standards (PKCS) #10 specification.

The combined result is used to encrypt blocks.

et

CTM—Counter mode. A mode of operation used for encryption that combines an IV with a counter.

G

CTO—Chief Technology Officer. A “C” level executive position in some organizations. CTOs focus on technology and evaluate new technologies.

vulnerabilities and exposures.

d

CVE—Common Vulnerabilities and Exposures. A dictionary of publicly known security

ie

CYOD—Choose your own device. A mobile device deployment model. Employees can connect their personally owned device to the network as long as the device is on a preapproved list. Note that

er tif

the device is purchased by and owned by employees. Compare with BYOD and COPE.

D

C

DAC—Discretionary access control. An access control scheme. All objects (files and folders) have owners, and owners can modify permissions for the objects. Compare with ABAC, MAC, role-based access control, and rule-based access control.

et

DDoS—Distributed denial-of-service. An attack on a system launched from multiple sources. DDoS attacks consume a system’s resources resulting in resource exhaustion. DDoS attacks typically

G

include sustained, abnormally high network traffic. Compare to DoS. DEP—Data Execution Prevention. A security feature in some operating systems. DEP prevents an application or service from executing in memory regions marked as nonexecutable. DEP can block some malware.

Security+ (SY0-601) Practice Questions https://gcgapremiumpass.com/sy0-601-practice-test-questions/

DER—Distinguished Encoding Rules. A base format for PKI certificates. They are BASE64 binary encoded files. Compare with CER. DH—Diffie-Hellman. An asymmetric algorithm used to privately share symmetric keys. DH Ephemeral (DHE) uses ephemeral keys, which are re-created for each session. Elliptic Curve DHE

d

(ECDHE) uses elliptic curve cryptography to generate encryption keys.

ea

DHCP—Dynamic Host Configuration Protocol. A service used to dynamically assign TCP/IP

configuration information to clients. DHCP is often used to assign IP addresses, subnet masks, default gateways, DNS server addresses, and much more.

Ah

DHCP snooping—Dynamic Host Configuration Protocol (DHCP) snooping. A preventive measure used to prevent unauthorized DHCP servers. It is enabled on Layer 2 switch ports. When enabled, the switch only sends DHCP broadcast traffic (the DHCP discover message) to trusted ports. DHE—Diffie-Hellman Ephemeral. An alternative to traditional Diffie-Hellman. Instead of using

et

static keys that stay the same over a long period, DHE uses ephemeral keys, which change for each new session. Sometimes listed as EDH.

G

DLL—Dynamic-link library. A compiled set of code that can be called from other programs. DLL injection— Dynamic-link library injection. An attack that injects a Dynamic Link Library (DLL) into memory and runs it. Attackers rewrite the DLL, inserting malicious code.

d

DLP—data loss prevention. A group of technologies used to prevent data loss. End-point DLP

ie

systems can prevent users from copying or printing sensitive data. Network-based DLP systems

the cloud.

er tif

monitor outgoing email to detect and block unauthorized data transfers and monitor data stored in

DMZ—demilitarized zone. A buffer zone between the Internet and an internal network. It allows access to services while segmenting access to the internal network. Internet clients can access the services hosted on servers in the DMZ, but the DMZ provides a layer of protection for the internal

C

network. CompTIA is using the term screened subnet to replace DMZ. DNS—Domain Name System. Used to resolve hostnames to IP addresses. DNS zones include

et

records such as A records for IPv4 addresses, AAAA records for IPv6 addresses, and MX records to identify mail servers. DNS uses UDP port 53 for DNS client queries and TCP port 53 for zone

G

transfers. Compare with DNS poisoning and pharming. DNS poisoning— Domain Name System poisoning. An attack that modifies or corrupts DNS results. DNSSEC helps prevent DNS poisoning. DNSSEC—Domain Name System Security Extensions. A suite of extensions to DNS used to protect the integrity of DNS records and prevent some DNS attacks.

Copyright 2021 YCDA, LLC

DoS—denial-of-service. An attack from a single source. A DoS attack attempts to disrupt the services provided by the attacked system. Compare to DDoS. DRP—disaster recovery plan. A document designed to help a company respond to disasters, such as hurricanes, floods, and fires. It includes a hierarchical list of critical systems and often prioritizes

d

services to restore after an outage. Testing validates the plan. The final phase of disaster recovery

ea

includes a review to identify any lessons learned and may include an update of the plan. Compare with BCP and BIA.

DSA—Digital Signature Algorithm. The algorithm used to create a digital signature. A digital

Ah

signature is an encrypted hash of a message. The sender’s private key encrypts the hash of the

message to create the digital signature. The recipient decrypts the hash with the sender’s public key, and, if successful, it provides authentication, non-repudiation, and integrity. Authentication identifies the sender. Integrity verifies the message has not been modified. Non-repudiation is used with online

et

transactions and prevents the sender from later denying he sent the email.

G

E

EAP—Extensible Authentication Protocol. An authentication framework that provides general

d

guidance for authentication methods. Variations include EAP-TLS, EAP-TTLS, and PEAP.

ie

EAP-FAST—EAP-Flexible Authentication via Secure Tunneling. A Cisco-designed protocol sometimes used with 802.1X. EAP-FAST supports certificates, but they are optional. Compare with

er tif

EAP, EAP-TLS, EAP-TTLS, and PEAP.

EAP-TLS—Extensible Authentication Protocol-Transport Layer Security. An extension of EAP sometimes used with 802.1X. This is one of the most secure EAP standards and is widely implemented. The primary difference between PEAP and EAP-TLS is that EAP-TLS requires certificates on the 802.1X

C

server and on each of the wireless clients. Compare with EAP, EAP-TTLS, EAP-FAST, and PEAP. EAP-TTLS—Extensible Authentication Protocol-Tunneled Transport Layer Security. An extension of EAP sometimes used with 802.1X. It allows systems to use some older authentication methods such as

et

PAP within a TLS tunnel. It requires a certificate on the 802.1X server but not on the clients. Compare with EAP, EAP-TLS, EAP-FAST, and PEAP.

G

ECC—Elliptic curve cryptography. An asymmetric encryption algorithm commonly used with smaller wireless devices. It uses smaller key sizes and requires less processing power than many other encryption methods. ECDHE—Elliptic Curve Diffie-Hellman Ephemeral. A version of Diffie-Hellman that uses ECC to generate encryption keys. Ephemeral keys are re-created for each session.

Security+ (SY0-601) Practice Questions https://gcgapremiumpass.com/sy0-601-practice-test-questions/

EMI—Electromagnetic interference. Interference caused by motors, power lines, and fluorescent lights. EMI shielding prevents outside interference sources from corrupting data and prevents data from emanating outside the cable. ESP—Encapsulating Security Protocol. A part of IPsec that provides encryption. IPsec includes both AH

d

and ESP. AH provides authentication and integrity using HMAC. ESP provides confidentiality, integrity,

ea

and authentication using HMAC and AES or 3DES. ESP is identified with protocol ID number 50.

F

Ah

FAR—False acceptance rate. Also called the false match rate. A rate that identifies the percentage of times a biometric authentication system incorrectly indicates a match.

FDE—Full disk encryption. A method to encrypt an entire disk. Compare with SED.

et

FRR—False rejection rate. Also called the false nonmatch rate. A rate that identifies the percentage of times a biometric authentication system incorrectly rejects a valid match.

G

FTP—File Transfer Protocol. Used to upload and download files to an FTP server. FTP uses TCP ports 20 and 21. Secure FTP (SFTP) uses SSH for encryption on TCP port 22. FTP Secure (FTPS) uses SSL or TLS for encryption.

d

FTPS—File Transfer Protocol Secure. An extension of FTP that uses SSL to encrypt FTP traffic.

ie

Some implementations of FTPS use TCP ports 989 and 990. Pass the First Time with Quality Practice Test Questions

er tif

https://gcgapremium.com/sy0-601-practice-test-questions/

G

C

GCM—Galois/Counter Mode. A mode of operation used for encryption. It combines the Counter (CTM) mode with hashing techniques for data authenticity and confidentiality.

et

GDPR—General Data Protection Regulation. The GDPR is a European Union (EU) regulation that clarifies requirements to protect the personal data of anyone living in the EU. It also defines the

G

roles of data owners, data controllers, data processors, data custodians or data stewards, and the data protection officer (DPO). GPS—Global Positioning System. A satellite-based navigation system that identifies the location of a device or vehicle. Mobile devices often incorporate GPS capabilities.

Copyright 2021 YCDA, LLC

GPS tagging—Global Positioning System tagging. A process of adding geographical data to files such as pictures. It typically includes latitude and longitude coordinates of the location where the photo was taken, or the file was created.

d

H

ea

HIDS—Host-based intrusion detection system. HIDS is software installed on a system to detect

attacks. A HIDS is used to monitor an individual server or workstation. It protects local resources on

by antivirus software. Compare with HIPS, NIDS, and NIPS.

Ah

the host such as the operating system files, and in some cases, it can detect malicious activity missed

HIPS—Host-based intrusion prevention system. An extension of a host-based IDS. It is designed to react in real time to detect, and prevent, an attack in action. Compare with HIDS, NIDS, and NIPS.

et

HMAC—Hash-based Message Authentication Code. A hashing algorithm used to verify integrity and authenticity of a message with the use of shared secret. When used with TLS and IPsec, HMAC

G

is combined with MD5 and SHA-1 as HMAC-MD5 and HMAC-SHA1, respectively. HOTP—HMAC-based One-Time Password. An open standard used for creating one-time passwords, similar to those used in tokens or key fobs. It combines a secret key and an incrementing

ie

they are used. Compare with TOTP.

d

counter, and then uses HMAC to create a hash of the result. HOTP passwords do not expire until

HSM—Hardware security module. A removable or external device that can generate, store, and

er tif

manage RSA keys used in asymmetric encryption. High-volume e-commerce sites use HSMs to increase the performance of TLS sessions. Compare with TPM. HTML—Hypertext Markup Language. A language used to create webpages. HTML documents are displayed by web browsers and delivered over the Internet using HTTP or HTTPS. It uses less-than

C

and greater-than characters (< and >) to create tags. Many sites use input validation to block these tags and prevent cross-site scripting attacks. HTTP—Hypertext Transfer Protocol. Used for web traffic on the Internet and in intranets. HTTP

et

uses TCP port 80. HTTP is almost always encrypted with TLS and referred to as HTTPS. HTTPS—Hypertext Transfer Protocol Secure. A protocol used to encrypt HTTP traffic. HTTPS

G

encrypts HTTP traffic with TLS using TCP port 443. HVAC—Heating, ventilation, and air conditioning. A physical security control that increases availability by regulating airflow within data centers and server rooms. They use hot and cold aisles to regulate the cooling, thermostats to ensure a relatively constant temperature, and humidity controls to reduce the potential damage from condensation.

Security+ (SY0-601) Practice Questions https://gcgapremiumpass.com/sy0-601-practice-test-questions/

I

d

IaaS—Infrastructure as a Service. A cloud computing model. IaaS allows an organization to rent

ea

access to hardware in a self-managed platform. Customers are responsible for keeping an IaaS system up to date. Compare to PaaS, SaaS, and XaaS.

ICMP—Internet Control Message Protocol. Used for diagnostics such as ping. Many DoS attacks

to a server succeeds, it indicates that ICMP is blocked.

Ah

use ICMP. It is common to block ICMP at firewalls and routers. If ping fails, but other connectivity

ICS—Industrial control system. A system that controls large systems such as power plants or water

et

treatment facilities. A SCADA system typically controls an ICS. Compare with SCADA.

IDS—Intrusion detection system. A detective control used to detect attacks after they occur. A

G

network-based IDS (NIDS) monitors a network, and a host-based IDS (HIDS) monitors a host. They both monitor for intrusions and provides ongoing protection against various threats. IDSs include sniffing capabilities. Many IDSs use numbering systems to identify vulnerabilities. Compare with

d

IPS.

ie

IEEE—Institute of Electrical and Electronics Engineers. IEEE is an international organization with a focus on electrical, electronics, and information technology topics. IEEE standards are well

er tif

respected and followed by vendors around the world. IEEE 802.1X—A port-based authentication protocol. An authentication protocol used in VPNs and wired and wireless networks. VPNs often implement it as a RADIUS server. Wired networks use it for port-based authentication. Wireless networks use it in Enterprise mode, and it often uses one of

C

the EAP authentication protocols. Compare with EAP, PEAP, EAP-TLS, and EAP-TTLS. IGMP—Internet Group Management Protocol. Used for multicasting. Computers belonging to a multicasting group have a multicasting IP address in addition to a standard unicast IP address.

et

IIS—Internet Information Services. A Microsoft Windows web server. IIS comes free with Microsoft Windows Server products. Linux systems use Apache as a web server.

G

IMAP4—Internet Message Access Protocol v4. Used to store email on servers and allow clients to manage their email on the server. IMAP4 uses TCP port 143. Secure IMAP4 uses TLS to encrypt IMAP4 traffic on TCP port 993.

IoT—Internet of things. The network of physical devices connected to the Internet. It typically refers to smart devices with an IP address, such as wearable technology and home automation systems.

Copyright 2021 YCDA, LLC

IP—Internet Protocol. Used for addressing. Compare with IPv4 and IPv6. IPS—Intrusion prevention system. A preventive control that can stop an attack in progress. It is similar to an active IDS except that it’s placed inline with traffic. An IPS can actively monitor data streams, detect malicious content, and stop attacks in progress. It can be used internally to protect

d

private networks, such as those holding SCADA equipment. Compare with IDS.

ea

IPv4—Internet Protocol version 4. Identifies hosts using a 32-bit IP address. IPv4 is expressed in dotted decimal format with decimal numbers separated by dots or periods like this: 192.168.1.1.

IPv6—Internet Protocol version 6. Identifies hosts using a 128-bit address. IPv6 has a significantly

Ah

larger address space than IPv4. IPsec is built into IPv6 and can encrypt any type of IPv6 traffic. ISP—Internet Service Provider. A company that provides Internet access to customers.

IT—Information technology. Computer systems and networks used within organizations.

IV—Initialization vector. An IV provides randomization of encryption keys to help ensure that keys

et

are not reused. In an IV attack, the attacker uses packet injection to increase the number of packets to

G

analyze and discovers the encryption key.

Pass the First Time with Quality Practice Test Questions

d

https://gcgapremium.com/sy0-601-practice-test-questions/

ie

K

er tif

KDC—Key Distribution Center. Also known as Ticket Granting Ticket (TGT) server. Part of the Kerberos protocol used for network authentication. The KDC issues timestamped tickets that expire.

L

C

L2TP—Layer 2 Tunneling Protocol. Tunneling protocol used with VPNs. L2TP is commonly used with IPsec (L2TP/IPsec) and uses UDP port 1701.

et

LDAP—Lightweight Directory Access Protocol. A protocol used to communicate with directories such as Microsoft Active Directory. It identifies objects with query strings using codes such as

G

CN=Users and DC=GetCertifiedGetAhead. LDAP uses TCP port 389. LDAP injection attacks attempt to access or modify data in directory service databases. Compare with LDAPS. LDAPS—Lightweight Directory Access Protocol over SSL. A protocol used to encrypt LDAP traffic with TLS. While it has SSL in the name, TLS has replaced SSL. LDAPS is sometimes referred to as Lightweight Directory Access Protocol Secure. LDAPS encrypts transmissions with TLS over TCP port 636. Compare with LDAP.

Security+ (SY0-601) Practice Questions https://gcgapremiumpass.com/sy0-601-practice-test-questions/

M MAC—Mandatory Access Control. An access control scheme. MAC uses sensitivity labels assigned to objects (files and folders) and subjects (users). MAC restricts access based on a need to know.

d

Compare with ABAC, DAC, role-based access control, and rule-based access control. MAC—media access control. A 48-bit address used to identify network interface cards. It is also

ea

called a hardware address or a physical address. and is commonly displayed as six pairs of

hexadecimal characters. Port security on a switch or an AP can limit access using MAC filtering.

Ah

MAC cloning attack—Media access control cloning attack. An attack that changes the source MAC address to impersonate an authorized system. When MAC filtering is used, attackers can discover the address of authorized MAC addresses and change their address to bypass MAC filtering. This is sometimes called MAC spoofing.

et

MAC filtering—Media access control filtering. A form of network access control to allow or block access based on the MAC address. It is configured on switches for port security or on APs for

G

wireless security.

MAC flooding—Media access control flooding. An attack against a switch that attempts to overload it. Most ports on a switch have only a single host connected to them, with only a single MAC

d

address. A MAC flooding attack repeatedly spoofs the MAC address. If successful, the switch

ie

operates as a hub instead of as a switch.

MD5—Message Digest 5. A hashing function used to provide integrity. MD5 creates 128-bit hashes,

er tif

which are also referred to as MD5 checksums. A hash is simply a number created by applying the algorithm to a file or message at different times. Comparing the hashes verifies integrity. Experts consider MD5 cracked and discourage its use as a cryptographic hash. However, it is still used as a checksum in some situations.

C

MDM—Mobile device management. A group of applications and technologies used to manage mobile devices. MDM tools can monitor mobile devices and ensure they are in compliance with

et

security policies.

MMS—Multimedia Messaging Service. An extension of SMS. MMS allows users to include multimedia content such as pictures, short videos, audio, or even a slideshow of multiple images.

G

Compare with SMS and Rich Communication Services. MS-CHAP—Microsoft Challenge Handshake Authentication Protocol. Microsoft implementation of CHAP. MS-CHAPv2 improves MS-CHAP by providing mutual authentication.

Copyright 2021 YCDA, LLC

MS-CHAPv2—Microsoft Challenge Handshake Authentication Protocol version 2. Microsoft implementation of CHAP. MS-CHAPv2 provides mutual authentication. Compare with CHAP and PAP. MTBF—Mean time between failures. Provides a measure of a system’s reliability and is usually

d

represented in hours. The MTBF identifies the average (the arithmetic mean) time between failures.

ea

Higher MTBF numbers indicate a higher reliability of a product or system.

MTTF—Mean time to failure. The length of time you can expect a device to remain in operation

before it fails. It is similar to MTBF, but the primary difference is that the MTBF metric indicates

Ah

you can repair the device after it fails. The MTTF metric indicates that you will not be able to repair a device after it fails.

MTTR—Mean time to recover. Identifies the average (the arithmetic mean) time it takes to restore a failed system. Organizations that have maintenance contracts often specify the MTTR as a part of

et

the contract.

G

N

NAC—Network access control. A system that inspects clients to ensure they are healthy. Healthy

d

clients are granted access to the network, and unhealthy clients are redirected to a remediation

ie

network. Agents inspect clients, and agents can be permanent or dissolvable (also known as agentless). MAC filtering is a form of NAC.

er tif

NAT—Network Address Translation. A service that translates public IP addresses to private IP addresses and private IP addresses to public IP addresses. NDA—Non-disclosure agreement. An agreement that is designed to prohibit personnel from sharing proprietary data. It can be used with employees within the organization and with outside

C

organizations. It is commonly embedded as a clause in a contract. NFC—Near field communication. A group of standards used on mobile devices that allow them to communicate with other nearby mobile devices. Many credit card readers support payments using

et

NFC technologies with a smartphone. NIC—Network interface card. Provides connectivity to a network. A NIC is typically built into a

G

circuit board and includes a connector, such as an RJ-45 connector. NIC teaming—Network interface card (NIC) teaming. A group of two or more network adapters acting as a single network adapter. NIC teaming provides increased bandwidth and load balancing capabilities.

Security+ (SY0-601) Practice Questions https://gcgapremiumpass.com/sy0-601-practice-test-questions/

NIDS—Network-based intrusion detection system. A device that detects attacks and raises alerts. A NIDS is installed on network devices, such as routers or firewalls and monitors network traffic. It can detect network-based attacks. NIPS—Network-based intrusion prevention system. A device that detects and stops attacks in

d

progress. A NIPS is placed inline (also called in-band) with traffic so that it can actively monitor

ea

data streams, detect malicious content, and stop attacks in progress.

NIST—National Institute of Standards and Technology. NIST is a part of the U.S. Department of

Commerce, and it includes an Information Technology Laboratory (ITL). The ITL publishes special

Ah

publications related to security that are freely available to anyone. They can found at http://csrc.nist.gov/publications/PubsSPs.html.

NTLM—New Technology LAN Manager. A suite of protocols that provide confidentiality, integrity, and authentication within Windows systems. Versions include NTLM, NTLMv2, and

et

NTLM2 Session.

G

NTP—Network Time Protocol. Protocol used to synchronize computer times.

Pass the First Time with Quality Practice Test Questions

d

https://gcgapremium.com/sy0-601-practice-test-questions/

ie

O

er tif

OAuth—An open source standard used for authorization with Internet-based single sign-on solutions. Many companies such as Google, Facebook, PayPal, Microsoft, and Twitter support OAuth. Users can sign on with their account using one of these companies and gain access to other sites. OAuth focuses on authorization, not authentication, and RFC 6749, “The OAuth 2.0

C

Authorization Framework,” describes it.

OCSP—Online Certificate Status Protocol. An alternative to using a CRL. It allows entities to query a CA with the serial number of a certificate. The CA answers with good, revoked, or unknown.

et

OIDC - OpenID Connect—An open source standard used for identification on the Internet. It builds on OpenID and uses the OAuth 2.0 framework. OIDC uses a JavaScript Object Notation

G

(JSON) Web Token (JWT), sometimes called an ID token. OpenID—An authentication standard maintained by the OpenID Foundation. An OpenID provider holds the user’s credentials and websites that support OpenID prompt users to enter their OpenID. OSI—Open Systems Interconnection. The OSI reference model conceptually divides different networking requirements into seven separate layers.

Copyright 2021 YCDA, LLC

OSINT—A method of gathering data using public sources, such as social media sites and news outlets. Pass the First Time with Quality Practice Test Questions

d

https://gcgapremium.com/sy0-601-practice-test-questions/

ea

P

P12—PKCS#12. A common format for PKI certificates. They are DER-based (binary) and often hold certificates with the private key. They are commonly encrypted.

Ah

P7B—PKCS#7. A common format for PKI certificates. They are CER-based (ASCII) and commonly used to share public keys.

PaaS—Platform as a Service. A cloud computing model. PaaS provides cloud customers with a

et

preconfigured computing platform they can use as needed. PaaS is a fully managed platform, meaning that the vendor keeps the platform up to date with current patches. Compare with IaaS,

G

SaaS and XaaS.

PAM—Privileged access management. A method of protecting access to privileged accounts. PAM implements the concept of just-in-time administration, giving users elevated privileges only when

d

they need them and only for a limited time. PAM is sometimes called privileged account

ie

management.

PAP—Password Authentication Protocol. An older authentication protocol where passwords or

er tif

PINs are sent across the network in cleartext. Compare with CHAP and MS-CHAPv2. PBKDF2—Password-Based Key Derivation Function 2. A key stretching algorithm technique that adds additional bits to a password as a salt. It helps prevent brute force and rainbow table attacks. Compare with Bcrypt and Argon2.

C

PDF—Portable Document Format. Type of file for documents. Attackers have embedded malware in PDFs.

PEAP—Protected Extensible Authentication Protocol. An extension of EAP sometimes used with

et

802.1X. PEAP provides an extra layer of protection for EAP and it is sometimes used with 802.1X. PEAP requires a certificate on the 802.1X server. Compare with EAP, EAP-TLS, EAP-TTLS, and

G

EAP-FAST.

PEM—Privacy Enhanced Mail. A common format for PKI certificates. It can use either CER (ASCII) or DER (binary) formats and can be used for almost any type of certificates. PFX—Personal Information Exchange. A common format for PKI certificates. It is the predecessor to P12 certificates.

Security+ (SY0-601) Practice Questions https://gcgapremiumpass.com/sy0-601-practice-test-questions/

PHI—Personal Health Information. PII that includes health information. PII—Personally Identifiable Information. Information about individuals that can be used to trace a person’s identity, such as a full name, birth date, biometric data, and identifying numbers such as a Social Security number (SSN). Organizations have an obligation to protect PII and often identify

d

procedures for handling and retaining PII in data policies such as encrypting it.

ea

PIN—Personal identification number. A number known by a user and entered for authentication. PINs are often combined with smart cards to provide dual-factor authentication.

PIV—Personal Identity Verification card. A specialized type of smart card used by U.S. federal

Ah

agencies. It includes photo identification and provides confidentiality, integrity, authentication, and non-repudiation for the users. Compare with CAC.

PKI—Public Key Infrastructure. Group of technologies used to request, create, manage, store, distribute, and revoke digital certificates. Certificates include public keys along with details on the

et

owner of the certificate, and on the CA that issued the certificate. Certificate owners share their public key by sharing a copy of their certificate. A PKI requires a trust model between CAs and most

G

trust models are hierarchical and centralized with a central root CA.

POP3—Post Office Protocol v3. Used to transfer email from mail servers to clients. POP3 uses TCP port 110 for unencrypted connections and TCP port 995 for encrypted connections

d

PSK—Preshared key. A secret shared among different systems. Wireless networks using WPA2

ie

support Personal mode, where each device uses the same PSK. WPA3 uses a Simultaneous Authentication of Equals (SAE) instead of a PSK. Compare with Enterprise and Open modes.

er tif

PUPs—Potentially unwanted programs. Software installed on users’ systems without their awareness or consent. Some of these unwanted programs are legitimate, but some are malicious,

R

C

such as Trojans. Compare with spyware.

RA—Recovery agent. A designated individual who can recover or restore cryptographic keys. In the

et

context of a PKI, a recovery agent can recover private keys to access encrypted data, or in some situations, recover the data without recovering the private key. In some cases, recovery agents can

G

recover the private key from a key escrow. RADIUS—Remote Authentication Dial-In User Service. Provides central authentication for remote access clients. RADIUS uses symmetric encryption to encrypt the password packets, and it uses UDP by default. In contrast, TACACS+ encrypts the entire authentication process and uses TCP.

Copyright 2021 YCDA, LLC

RFC 3579 “RADIUS Support for EAP” supports encryption of the entire authentication process using TCP. Compare with TACACS+. RAID—Redundant array of inexpensive disks. Multiple disks added together to increase performance or provide protection against faults. RAID helps prevent disk subsystems from being a

d

single point of failure. Compare with RAID-0, RAID-1, RAID-5, RAID-6, and RAID-10.

ea

RAID-0—Disk striping. RAID-0 improves performance but does not provide fault tolerance. RAID-1—Disk mirroring. RAID-1 uses two disks and provides fault tolerance.

RAID-5—Disk striping with parity. RAID-5 uses three or more disks and provides fault tolerance. It

Ah

can survive the failure of a single drive.

RAID-6—Disk striping with parity. RAID-6 uses four or more disks and provides fault tolerance. It can survive the failure of two drives.

RAID-10—Disk mirroring with striping. RAID-10 combines the features of mirroring (RAID-1) and

et

striping (RAID-0). The minimum number of drives in a RAID-10 is four, and a RAID-10 always has an even number of drives.

G

RAM—Random access memory. Volatile memory within a computer that holds active processes, data, and applications. Data in RAM is lost when the computer is turned off. Memory forensics analyzes data in RAM.

ie

location using dial-up or a VPN.

d

RAS—Remote Access Service. Provides access to an internal network from an outside source

RAT—Remote access Trojan. Malware that allows an attacker to take control of a system from a

er tif

remote location. A RAT gives an attacker full control over a user’s system from a remote location over the Internet.

RDP—Remote Desktop Protocol. Used to connect to remote systems. Microsoft uses RDP in different services such as Remote Desktop Services and Remote Assistance. RDP uses either port

C

TCP 3389 or UDP 3389.

RFI—Radio frequency interference. Interference from RF sources such as AM or FM transmitters.

et

RFI can be filtered to prevent data interference, and cables can be shielded to protect signals from RFI.

G

RFID—Radio frequency identification. RFID methods are often used for inventory control. RFID attacks— Radio frequency identification attacks. Attacks against radio-frequency identification (RFID) systems. Some common RFID attacks are eavesdropping, replay, and DoS. RCS—Rich Communication Services. An extension of SMS and MMS. RCS supports all of the features of MMS and adds a few additional features. If a system doesn’t support RCS, it can default to SMS or MMS. Compare with SMS and MMS.

Security+ (SY0-601) Practice Questions https://gcgapremiumpass.com/sy0-601-practice-test-questions/

RMF—Risk Management Framework. A framework for identifying and managing risk. NIST published it as SP 800-37, “Risk Management Framework for Information Systems and Organizations.” It includes seven steps: prepare, categorizing information systems, select security controls, assess security controls, authorize information systems, monitor security controls.

d

rogue AP—Rogue access point. An unauthorized AP. It can be placed by an attacker or an

ea

employee who hasn’t obtained permission to do so. An evil twin is a special type of rogue AP with the same or similar SSIS as a legitimate AP.

ROI—Return of investment or return on investment. A performance measure used to identify when

Ah

an investment provides a positive benefit to the investor. It is sometimes considered when evaluating the purchase of new security controls.

ROT13—A substitution cipher that uses a key of 13. To encrypt a message, you would rotate each letter 13 spaces. To decrypt a message, you would rotate each letter 13 spaces.

et

RPO—Recovery point objective. A term that refers to the amount of data you can afford to lose by identifying a point in time where data loss is acceptable. It is often identified in a BIA. Compare

G

with RTO.

RSA—Rivest, Shamir, and Adleman. An asymmetric algorithm used to encrypt data and digitally sign transmissions. It is named after its creators, Rivest, Shamir, and Adleman. RSA uses both a

d

public key and a private key in a matched pair.

ie

RSTP—Rapid Spanning Tree Protocol. An improvement over STP. STP and RSTP protocols are enabled on most switches and protect against switching loops, such as those caused when two ports

er tif

of a switch are connected together.

RTO—Recovery time objective. The maximum amount of time it should take to restore a system after an outage. It is derived from the maximum allowable outage time identified in the BIA. Compare with RPO.

C

RTOS—Real-time operating system. An operating system that reacts to input within a specific time. Many embedded systems include an RTOS.

et

S

G

SaaS—Software as a Service. A cloud computing model. SaaS provides applications over the Internet, such as webmail. The vendor is responsible for keeping the SaaS applications available and up-to-date. Compare with IaaS, PaaS and XaaS.

Copyright 2021 YCDA, LLC

SAML—Security Assertions Markup Language. An XML-based standard used to exchange authentication and authorization information between different parties. SAML provides SSO for web-based applications. SAN—Storage Area Network. A specialized network of high-speed storage devices.

d

SCADA—Supervisory control and data acquisition. A system used to control an ICS such as a

ea

power plant or water treatment facility. Ideally, a SCADA is within an isolated network without

direct access to the Internet. NIPS systems and VLANs provide a layer of protection for SCADA systems. Compare with ICS.

Ah

SCP—Secure Copy. Based on SSH, SCP allows users to copy encrypted files over a network. SCP uses TCP port 22.

SDN—Software defined network. A method of using software and virtualization technologies to replace hardware routers. SDNs separate the data and control planes.

et

SDV—Software-defined visibility. Technologies used to view all network traffic. SDV technologies ensure that all cloud-based traffic is viewable and can be analyzed.

G

SED—Self-encrypting drive. A drive that includes the hardware and software necessary to encrypt a hard drive. SEDs include all the encryption circuitry built into the drive, and they automatically encrypt the drive without user action. Users typically enter credentials to decrypt and use the drive.

d

Compare with FDE.

ie

SELinux—Security-Enhanced Linux. An operating system platform that prevents malicious or suspicious code from executing on both Linux and Unix systems. It is one of the few operating

er tif

systems that use the MAC model. Enforcing mode will enforce the SELinux policy and ignore permissions. Permissive mode does not enforce the SELinux policy but instead logs any access that would normally be blocked. Disabled mode does not enforce the SELinux policy and does not log anything related to the policy.

C

SFTP—SSH File Transfer Protocol. An extension of Secure Shell (SSH) used to encrypt FTP traffic. SFTP transmits data using TCP port 22. SFTP is sometimes referred to as secure FTP.

et

SHA—Secure Hash Algorithm. A hashing function used to provide integrity. Versions include SHA-1, SHA-2, and SHA-3. SHA-1 is no longer approved for most cryptographic uses due to

G

weaknesses. SHA-2 has four versions (Sha-256, SHA-512, SHA-224, and SHA-384). SHA-3 (previously known as Keccak) was selected as the next version after a public competition. shadow IT—Shadow information technology. Shadow IT refers to unauthorized systems or applications installed on a network. Users sometimes install systems without approval, often to bypass security controls. Shadow IT increases risks because these systems aren’t managed.

Security+ (SY0-601) Practice Questions https://gcgapremiumpass.com/sy0-601-practice-test-questions/

SIEM—Security information and event management. A system that provides a centralized solution for collecting, analyzing, and managing log data from multiple sources. Log collectors send logs to the SIEM system, and it aggregates the logs. SIM—Subscriber Identity Module. A small card that contains programming and information for

d

mobile devices such, as cell phones. The SIM card identifies what countries or networks the device

ea

will use.

SLA—Service level agreement. An agreement between a company and a vendor that stipulates

performance expectations, such as minimum uptime and maximum downtime levels. Organizations

Ah

use SLAs when contracting services from service providers such as Internet Service Providers (ISPs).

SLE—Single loss expectancy. The monetary value of any single loss. It is used to measure risk with ALE and ARO in a quantitative risk assessment. The calculation is SLE × ARO = ALE. Compare

et

with ALE and ARO.

S/MIME—Secure/Multipurpose Internet Mail Extensions. Used to secure email. S/MIME provides

G

confidentiality, integrity, authentication, and non-repudiation. It can digitally sign and encrypt email, including the encryption of email at rest and in transit. It uses RSA, with public and private keys for encryption and decryption, and depends on a PKI for certificates.

d

SMS—Short Message Service. A basic text messaging service. Most mobile devices support SMS.

ie

Compare with Multimedia Message Service and Rich Communication Services. SMTP—Simple Mail Transfer Protocol. Used to transfer email between clients and servers and

er tif

between email servers and other email servers. SMTP uses TCP port 25. SNMPv3—Simple Network Management Protocol. Used to manage and monitor network devices such as routers or switches. SNMP agents report information via notifications known as SNMP traps or SNMP device traps. SNMP uses UDP ports 161 and 162.

C

SOAR—Secure Orchestration, Automation, and Response. Tools used to automatically respond to low-level security events. Runbooks are the checklists used to create the automated responses and

et

playbooks are the automated actions created from the runbooks. Compare with playbooks and runbooks.

G

SoC—System on chip. An integrated circuit that includes a computing system within the hardware. Many mobile devices include an SoC. SPIM—Spam over Internet Messaging. A form of spam using instant messaging. SPIM targets instant messaging users.

Copyright 2021 YCDA, LLC

SPOF—Single point of failure. Any component whose failure results in the failure of an entire system. Elements such as RAID, failover clustering, UPS, and generators remove many single points of failure. SQL—Structured Query Language. Used by SQL-based databases, such as Microsoft SQL Server.

d

Websites integrated with a SQL database are subject to SQL injection attacks. Input validation with

ea

forms and stored procedures help prevent SQL injection attacks. Microsoft SQL Server uses TCP port 1433 by default.

SRTP—Secure Real-time Transport Protocol. A protocol used to encrypt and provide authentication

Ah

for Real-time Transport Protocol (RTP) traffic. RTP is used for audio/video streaming.

SSD—Solid state drive. A drive used in place of a traditional hard drive. An SSD has no moving parts but instead stores the contents as nonvolatile memory. SSDs are much quicker than traditional hard drives.

et

SSH—Secure Shell. A protocol used to encrypt network traffic. SSH encrypts a wide variety of traffic such as SCP, SFTP, Telnet, and TCP Wrappers. SSH uses TCP port 22. SSH is a more secure

G

alternative than Telnet when connecting to remote servers.

SSID—Service Set Identifier. The name of a wireless network. SSIDs can be set to broadcast so users can easily see the SSID. Disabling SSID broadcast hides it from casual users, but an attacker can discover it

d

with a wireless sniffer. It’s recommended to change the SSID from the default name .

ie

SSL—Secure Sockets Layer. The predecessor to TLS. SSL was used to encrypt data in transit with the use of certificates but is deprecated now.

er tif

SSO—Single sign-on. Authentication method where users can access multiple resources on a network using a single account. SSO can provide central authentication against a federated database for different operating systems.

STP—Spanning Tree Protocol. Protocol enabled on most switches that protects against switching

C

loops. A switching loop is caused when two ports of a switch are connected together. SYN—Synchronize. The first packet in a TCP handshake. In a SYN flood attack, attackers send this

et

packet, but don’t complete the handshake after receiving the SYN/ACK packet. system on chip (SoC)—An integrated circuit that includes a computing system within the hardware.

G

Many mobile devices include an SoC.

Pass the First Time with Quality Practice Test Questions https://gcgapremium.com/sy0-601-practice-test-questions/

Security+ (SY0-601) Practice Questions https://gcgapremiumpass.com/sy0-601-practice-test-questions/

T TACACS+—Terminal Access Controller Access-Control System+. Provides central authentication for remote access clients and used as an alternative to RADIUS. TACACS+ uses TCP port 49. It

the password. It uses multiple challenges and responses. Compare with RADIUS.

d

encrypts the entire authentication process, compared with the default RADIUS, which only encrypts

TCO attempts to identify the cost of a product or service over its lifetime.

ea

TCO—Total cost of ownership. A factor considered when purchasing new products and services.

Ah

TCP—Transmission Control Protocol. Provides guaranteed delivery of IP traffic using a three-way handshake. Compare with UDP.

TCP/IP—Transmission Control Protocol/Internet Protocol. Represents the full suite of protocols used on the Internet and most internal networks.

et

TFTP—Trivial File Transfer Protocol. Used to transfer small amounts of data with UDP port 69. In contrast, FTP is used to transfer larger files using TCP ports 20 and 21.

tickets that expire after a certain time period.

G

TGT—Ticket Granting Ticket. Used with Kerberos. A KDC (or TGT server) issues timestamped

TLS—Transport Layer Security. Used to encrypt data in transit. TLS is the replacement for SSL and

d

like SSL, it uses certificates issued by CAs. HTTPS uses TLS to encrypt web sessions. VPNs can

ie

use TLS to encrypt VPN sessions. Several authentication protocols (such as PEAP, EAP-TLS, EAPTTLS) use TLS to encrypt the authentication process. TLS requires a CA to issue certificates.

er tif

TOTP—Time-based One-Time Password. An open standard used for creating one-time passwords, TOTP is similar to HOTP, but it uses a timestamp instead of a counter. One-time passwords created with TOTP expire after 30 seconds. Compare with HOTP. TPM—Trusted Platform Module. A hardware chip on the motherboard included on many newer

C

laptops. A TPM includes a unique RSA asymmetric key, and when first used, creates a storage root key. TPMs generate and store other keys used for encryption, decryption, and authentication. TPM

et

provides full disk encryption. Compare with HSM.

G

U

UAVs—Unmanned aerial vehicles. Flying vehicles piloted by remote control or onboard computers. UDP—User Datagram Protocol. Used instead of TCP when guaranteed delivery of each packet is not necessary. UDP uses a best-effort delivery mechanism. Compare with TCP.

Copyright 2021 YCDA, LLC

UEFI—Unified Extensible Firmware Interface. A method used to boot some systems and intended to replace Basic Input/Output System (BIOS) firmware. Compare with BIOS. UPS—Uninterruptible power supply. A battery backup system that provides fault tolerance for power and can protect against power fluctuations. A UPS provides short-term power to give the system enough time

d

to shut down smoothly or transfer to generator power. Generators provide long-term power in extended

ea

outages.

URI—Uniform Resource Identifier. Used to identify the name of a resource and always includes the protocol such as http://GetCertifiedGetAhead.com.

Ah

URL—Uniform Resource Locator. A type of URI. Address used to access web resources, such as http://GetCertifiedGetAhead.com. Pop-up blockers can include URLs of sites where pop-ups are allowed.

URL hijacking— Uniform Resource Locator hijacking. The purchase of a domain name that is

et

close to a legitimate domain name. Attackers often try to trick users who inadvertently use the wrong domain name. Also called typo squatting.

G

URL redirection—Uniform Resource Locator redirection. A technique used to redirect traffic to a different page or a different site.

USB—Universal Serial Bus. A serial connection used to connect peripherals such as printers, flash

d

drives, and external hard disk drives. Data on USB drives can be protected against loss of

ie

confidentiality with encryption. Attackers have spread malware through Trojans. USB On-The-Go (OTG). A cable used to connect mobile devices to other devices. It is one of many

er tif

methods that you can use to connect a mobile device to external media. UTM—Unified threat management. A security appliance that combines multiple security controls into a single solution. UTM appliances can inspect data streams for malicious content and often

V

C

include URL filtering, malware inspection, and content inspection components.

et

VDI—Virtualization Desktop Infrastructure. Virtualization software designed to reproduce a desktop operating system as a virtual machine on a remote server. Users can access VDI desktops

G

from desktop PCs or mobile devices. VLAN—Virtual local area network. A method of segmenting traffic. A VLAN can logically group several different computers together, or logically separate computers without regard to their physical location. It is possible to create multiple VLANs with a single switch. You can also create VLANs with virtual switches.

Security+ (SY0-601) Practice Questions https://gcgapremiumpass.com/sy0-601-practice-test-questions/

VM—Virtual machine. A virtual system hosted on a physical system. A physical server can host multiple VMs as servers. Virtualization helps reduce the amount of physical equipment required, reducing overall physical security requirements such as HVAC and power. VM escape—Virtual machine escape. An attack that allows an attacker to access the host system

d

from within a virtual machine. The primary protection is to keep hosts and guests up to date with

ea

current patches. Compare with virtual machine sprawl.

VM sprawl—Virtual machine sprawl. A vulnerability that occurs when an organization has VMs that aren’t properly managed. Unmanaged VMs are not kept up to date with current patches.

Ah

Compare with virtual machine escape.

VoIP—Voice over IP. A group of technologies used to transmit voice over IP networks. Vishing is a form of phishing that sometimes uses VoIP.

VPN—Virtual private network. Provides access to a private network over a public network such as

et

the Internet. VPNs can provide access to internal networks for remote clients, or provide access to

G

other networks via site-to-site VPNs.

W

d

WAF—Web application firewall—A firewall specifically designed to protect a web application. A

ie

WAF inspects the contents of traffic to a web server, can detect malicious content such as code used in a cross-scripting attack, and block it.

er tif

WAP—Wireless access point. A device that connects wireless clients to wireless networks. Sometimes called an access point (AP).

WPA—WiFi Protected Access. A legacy wireless security protocol. WPA2 and WPA3 have superseded WPA.

C

WPA2—WiFi Protected Access 2. Security protocol used to protect wireless transmissions. It supports CCMP for encryption, which is based on AES. It uses an 802.1X server for authentication in WPA2 Enterprise mode and a preshared key for WPA2 Personal mode, also called WPA2-PSK.

et

WPA3—WiFi Protected Access 3. Security protocol used to protect wireless transmissions. WPA3 is the newest wireless cryptographic protocol. It uses Simultaneous Authentication of Equals (SAE) instead of

G

the PSK used with WPA2. SAE is based on the Diffie–Hellman key exchange. WPS—WiFi Protected Setup. Allowed users to easily configure a wireless network, often by using only a PIN. WPS brute force attacks can discover the PIN when used with WPA2. WPS attack—An attack against an AP. A WiFi Protected Setup (WPS) attack discovers the eightdigit WPS PIN and uses it to discover the AP passphrase. WPA3 is resistant to WPS attacks.

Copyright 2021 YCDA, LLC

Pass the First Time with Quality Practice Test Questions https://gcgapremium.com/sy0-601-practice-test-questions/

d

X

ea

XaaS—Anything as a Service. A cloud computing model. XaaS refers to any cloud computing model not identified in IaaS, PaaS, or SaaS models. Compare to IaaS, PaaS, and SaaS.

exporting data. XML uses formatting rules to describe the data.

Ah

XML—Extensible Markup Language. A language used by many databases for inputting or

XSRF—Cross-site request forgery. A web application attack. Attackers use XSRF attacks to trick users into performing actions on websites, such as making purchases, without their knowledge. In

et

some cases, it allows an attacker to steal cookies and harvest passwords.

XSS—Cross-site scripting. A web application vulnerability that allows attackers to inject scripts into

G

webpages. Attackers use XSS to capture user information such as cookies. Input validation techniques on the server-side help prevent XSS attacks by blocking HTML and JavaScript tags.

G

et

C

er tif

ie

Version 0.1 May 11 2021

d

Many sites prevent the use of < and > characters to block cross-site scripting.

Security+ (SY0-601) Practice Questions https://gcgapremiumpass.com/sy0-601-practice-test-questions/