A law firm encrypts client case files stored on its file server. Which CIA principle?
Confidentiality
A DDoS attack takes an airline booking site offline during a holiday. Which CIA principle failed?
Availability
An auditor verifies a financial report has not been modified by comparing hashes. Which principle?
Integrity
A trader cannot deny placing an order because the system logged it with a tamper-evident timestamp. Which principle?
Non-repudiation
A user scans their fingerprint to unlock their work laptop. Which authentication factor?
Something you are
A user inserts a hardware security key into their laptop to log in. Which authentication factor?
Something you have
A user enters a PIN at an ATM. Which authentication factor?
Something you know
A user logs in with password, SMS code, and fingerprint. What does this combination represent?
Multi-factor authentication
A company grants employees only the minimum access needed for their role. Which principle?
Least privilege
A bank requires two different people to approve a wire transfer above 100000 dollars. Which principle?
Separation of duties
A healthcare billing company replaces patient account numbers with reversible surrogate values. Which technique?
Tokenization
A company stores login passwords using bcrypt with a salt. Which technique?
Hashing
A cardiology clinic stores electronic health records. Which US law governs this?
HIPAA
A public school district discloses student GPAs without consent. Which law was potentially violated?
FERPA
A fintech startup handles customer loan applications. Which US law applies?
GLBA
A French employee's personal data is processed by a US parent company. Which regulation applies?
GDPR
A publicly traded company must certify its financial reporting controls annually. Which law?
SOX
A federal civilian agency needs to implement an information security program. Which law?
FISMA
An attacker is prosecuted for unauthorized access to a government system. Which US law applies?
CFAA
A subpoena seeks stored email communications. Which US law governs access?
ECPA
Which NIST publication provides the controls catalog for federal systems?
NIST SP 800-53
Which NIST publication covers controls for contractors handling CUI?
NIST SP 800-171
Which NIST publication is the Secure Software Development Framework?
NIST SP 800-218
Which NIST publication guides VPN configuration?
NIST SP 800-77
Which NIST CSF function covers asset inventory and risk assessment?
Identify
Which NIST CSF function covers implementing safeguards?
Protect
Which NIST CSF function covers monitoring and alerting on events?
Detect
Which NIST CSF function covers forensic analysis after an incident?
Respond
Which NIST CSF function covers restoring services after an incident?
Recover
An international firm wants a certifiable Information Security Management System standard. Which?
ISO IEC 27001
A web app lets any logged-in user edit a URL parameter to view another user's profile. Which OWASP category?
Broken Access Control
A banking app transmits credentials over unencrypted HTTP. Which OWASP category?
Cryptographic Failures
An attacker enters malicious SQL code into a search field. Which OWASP category?
Injection
A cloud storage service ships with default demo credentials enabled. Which OWASP category?
Security Misconfiguration
A team uses a six-year-old framework with known vulnerabilities. Which OWASP category?
Vulnerable and Outdated Components
An app allows unlimited password guesses with no account lockout. Which OWASP category?
Identification and Authentication Failures
An app accepts unsigned software updates over the network. Which OWASP category?
Software and Data Integrity Failures
A breach goes undetected for nine months because no logs were retained. Which OWASP category?
Security Logging and Monitoring Failures
An app's security is fundamentally flawed at the design level, not a coding bug. Which OWASP category?
Insecure Design
A developer runs a tool against source code before committing. Which testing method?
SAST
A penetration tester attacks a running staging environment. Which testing method?
DAST
A tool generates an SBOM and flags dependencies with known CVEs. Which testing method?
SCA
A QA engineer floods an app with random malformed inputs looking for crashes. Which technique?
Fuzz testing
An attacker overflows a fixed-size input buffer to overwrite memory. Which vulnerability?
Buffer overflow
A vendor uses a certificate to prove software came from them and was not altered. Which practice?
Code signing
A security practice integrates controls across every SDLC phase. What is this called?
Secure SDLC
A branch office connects to headquarters through an encrypted router-to-router tunnel. Which VPN type?
Site-to-site VPN
A traveling sales rep uses a VPN client on their laptop to access HQ. Which VPN type?
Client-to-site remote access VPN
A VPN routes all of a user's traffic, including web browsing, through the corporate tunnel. Which mode?
Full tunnel
A VPN routes only traffic destined for corporate resources, while public internet traffic goes direct. Which mode?
Split tunnel
A system passively monitors a copy of network traffic and generates alerts. What is it?
Passive NIDS
A system sits inline and actively drops malicious packets. What is it?
Inline NIPS
An IDS builds a baseline of normal behavior and flags deviations. Which detection method?
Anomaly-based detection
An IDS matches traffic against known attack patterns. Which detection method?
Signature-based detection
An IDS uses adaptive techniques that modify signatures based on learned behavior. Which detection method?
Heuristic-based detection
An attacker overwhelms a switch MAC address table so all traffic is broadcast. Which attack?
MAC flooding
An attacker floods a server with requests to exhaust resources. Which attack?
DoS
Many compromised devices flood a target simultaneously. Which attack?
DDoS
Which protocol combines SPF and DKIM to enforce email authentication policy?
DMARC
Which VPN protocol operates at the data link layer and is often paired with IPSec?
L2TP
A quick targeted fix for a specific software problem is called
Hotfix
A bundled collection of patches and hotfixes is called
Service pack
The process of distributing and applying software updates is called
Patch management
An attacker researches an executive's travel and sends a targeted fake invoice. Which attack?
Whaling
An attacker calls an employee pretending to be IT to extract a password. Which attack?
Vishing
An attacker fabricates a believable scenario to deceive a target. Which technique?
Pretexting
An unauthorized visitor slips through a secure door behind an employee. Which attack?
Piggybacking
Malware that disguises itself as legitimate software is called a
Trojan
Malware that secretly monitors user activity is called
Spyware
Malware that hides deep in the OS to maintain persistent access is called a
Rootkit
IP
Internet Protocol
ISO/IEC
International Organization for Standardization / International Electrotechnical Commission
FISMA
Federal Information Security Management Act
PCI DSS
Payment Card Industry Data Security Standard
SQL
Structured Query Language
ARP
Address Resolution Protocol
FERPA
Family Educational Rights and Privacy Act
NIST
National Institute of Standards and Technology
NIST SP 800-53
Security and privacy controls for federal systems
NIST SP 800-77
VPN configuration guidance
NIST SP 800-218
Secure Software Development Framework (SSDF)
NIST SP 800-171
Security controls for contractors handling Controlled Unclassified Information (CUI)
IoT
Internet of Things
ECPA
Electronic Communications Privacy Act
GLBA
Gramm-Leach-Bliley Act
GDPR
General Data Protection Regulation
HIPAA
Health Insurance Portability and Accountability Act
SOX
Sarbanes-Oxley Act
CFAA
Computer Fraud and Abuse Act
DDoS
Distributed Denial of Service
DoS
Denial of Service
ISMS
Information Security Management System
MFA
Multi-Factor Authentication
RBAC
Role-Based Access Control
CWE
Common Weakness Enumeration
CVE
Common Vulnerabilities and Exposures
SSDF
Secure Software Development Framework
SDLC
Software Development Life Cycle
OWASP
Open Worldwide Application Security Project
SAST
Static Application Security Testing