When would cross-site scripting attacks occur?
Cross-site scripting (XSS) attacks occur when web applications allow an attacker to perform HTML injection, inserting their own HTML code into a web page.
What are four security control categories?
Technical controls, operational controls, managerial controls, and physical controls
What is a data controller?
The entity who determines the reasons for processing personal information and directs the methods of processing that data.
Organizations that want to determine what software and configurations are used on mobile devices should deploy what type of solution?
Mobile device management (MDM)
What are two decision points for VPN implementation?
Whether the VPN will be used for remote access or as a site-to-site VPN; and whether it will be a split-tunnel VPN (only traffic for the remote network goes through the tunnel) or a full-tunnel VPN (all traffic goes through the tunnel).
Name five common access control schemes.
Attribute-based access control (ABAC), role-based access control (RBAC), rule-based access control (RBAC or RuBAC), mandatory access control (MAC), and discretionary access control (DAC)
What is a bollard?
Bollards are posts or other obstacles that prevent vehicles from moving through an area. Bollards may look like posts, pillars, or even planters, but their purpose remains the same: preventing vehicle access.
Give three examples of personnel management practices.
Least privilege, separation of duties, job rotation and mandatory vacations, clean desk space, onboarding and offboarding, nondisclosure agreements (NDAs), social media, and user training.
What is a nation-state actor?
Nation-state actors are sponsored by or supported by nations and are typically sophisticated and highly resourced.
What's the difference between Trojans and worms?
Trojans require user interaction to be installed and run, whereas worms install themselves and spread to other systems on their own, without user action.
What are some examples of managerial controls?
Periodic risk assessments, security planning exercises, and the incorporation of security into the organization's change management, service acquisition, and project management practices
List the order of volatility.
From most volatile to least volatile: CPU cache and registers; ephemeral data such as the process table, kernel statistics, the system's ARP cache, and similar information; the content of RAM; swap and pagefile information; files and data on a disk; the operating system (for example, the Windows Registry); data on devices such as smartphones, tablets, IoT devices, and embedded or specialized systems; firmware; snapshots from VMs; network traffic and logs; and artifacts like devices, printouts, media, and other items.
What is the function of a web application firewall?
A web application firewall (WAF) plays an important role in protecting web applications against attacks. It sits in front of a web server and receives all network traffic headed to that server. It then scrutinizes the input headed to the application, performing input validation before passing the input to the web server.
What is a VPN?
A virtual private network (VPN) is a way to create a virtual network link across a public network that allows the endpoints to act as though they are on the same network.
What is the function of segmentation?
It allows network engineers to place systems of differing security levels and functions on different network subnets.
What are common elements in a typical forensic report?
A summary of the forensic investigation and findings; an outline of the forensic process, including tools used and any assumptions that were made about the tools or process; a series of sections detailing the findings for each device or drive—accuracy is critical when findings are shared, and conclusions must be backed up with evidence and appropriate detail; and recommendations or conclusions in more detail than the summary included.
What are cryptographic key management systems used for?
Cryptographic key management systems are used to store keys and certificates as well as to manage them centrally.
What is typosquatting?
When attackers register URLs that are misspelled or slightly off from, but still similar to, a legitimate site's URL and rely on users mistyping the address and landing on the attacker's site, which is then used to drive traffic or sales to the attacker.
Give some ways that an attacker might obtain a cookie.
Eavesdropping on unencrypted network connections and stealing a copy of the cookie as it is transmitted between the user and the website; installing malware on the user's browser that retrieves cookies and transmits them back to the attacker; and engaging in an on-path attack, where the attacker fools the user into thinking that the attacker is actually the target website and presents a fake authentication form. The attacker may then authenticate to the website on the user's behalf and obtain the cookie.
Describe EDR.
Endpoint detection and response (EDR) tools combine monitoring capabilities on endpoint devices and systems, using a client or software agent, with network monitoring and log analysis capabilities to collect, correlate, and analyze events. Key features of EDR systems are the ability to search and explore the collected data and use it for investigations, as well as the ability to detect suspicious activity.
What type of attacker has a malicious intent?
An unauthorized attacker
What are two types of access restrictions?
Geographic restrictions and permission restrictions
What are microwave sensors?
Microwave sensors use a baseline for a room or space that is generated by detecting normal responses when the space is at a baseline. When those responses to the microwaves sent out by the sensor change, they will trigger. They can detect motion through materials that infrared sensors cannot.
Describe how RFID cloning attacks work.
The attacker uses an RFID reader to capture the data stored on a legitimate tag or card and then writes that data to a blank, writable tag. Because the access system only checks the data the tag presents, the duplicate is accepted as if it were the original.
What ensures that acquired images are intact?
Hashing and validating
What is static code analysis and what is dynamic code analysis?
Static code analysis (sometimes called source code analysis) is conducted by reviewing the code for an application. Static analysis does not run the program; instead, it focuses on understanding how the program is written and what the code is intended to do. Dynamic code analysis relies on executing the code while providing it with input to test the software.
List five standard agreements used in third-party risk management.
Master service agreements (MSA), service level agreements (SLAs), memorandum of understanding (MOU), memorandum of agreement (MOA), and business partners agreements (BPAs).
What are three tools that can be used in the data obfuscation process?
Hashing uses a hash function to transform a value in our dataset to a corresponding hash value. Tokenization replaces sensitive values with a unique identifier using a lookup table. Data masking partially redacts sensitive information by replacing some or all of sensitive fields with blank characters.
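The three techniques side by side, as an added example that is not part of the original page: a keyed hash for a field that only needs to be joinable, a token vault for a field that an authorized process must be able to recover, and masking for a field a human only needs to recognize. The record, the key, and the field choices are constructed for the demo. Note the practitioner's caveat in the hash: an unkeyed SHA-256 of a 9-digit SSN is trivially reversed by hashing all 10^9 candidates.

```python
import hashlib
import hmac
import secrets
from typing import Dict

# Constructed sample record for the demo (not real data).
SAMPLE_RECORD = {"email": "alice@example.com", "ssn": "123-45-6789", "card": "4111111111111111"}


def keyed_hash(value: str, key: bytes) -> str:
    """Hashing. HMAC-SHA256 rather than bare SHA-256: an unsalted hash of a
    low-entropy field (a 9-digit SSN, a 16-digit card number) can be reversed
    by hashing every candidate value, so the key is what keeps it one-way."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Tokenization: replace the value with a random token and keep the
    token <-> value mapping in a lookup table. The vault now holds the
    sensitive data and must be protected at least as well as the original."""

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}
        self._by_value: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value not in self._by_value:            # same value -> same token
            token = "tok_" + secrets.token_hex(8)  # random, carries no information
            self._by_value[value] = token
            self._by_token[token] = value
        return self._by_value[value]

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def mask(value: str, keep_last: int = 4, fill: str = "X") -> str:
    """Data masking: blank every alphanumeric character except the last
    `keep_last`, leaving separators so the field keeps its familiar shape."""
    alnum_total = sum(ch.isalnum() for ch in value)
    hidden = max(alnum_total - keep_last, 0)
    out, seen = [], 0
    for ch in value:
        if not ch.isalnum():
            out.append(ch)
            continue
        out.append(fill if seen < hidden else ch)
        seen += 1
    return "".join(out)


def obfuscate_record(record: Dict[str, str], vault: TokenVault, hash_key: bytes) -> Dict[str, str]:
    """Pick the technique by how the field is used downstream (assumed here):
    hash the email (joinable across datasets, never needs recovering),
    tokenize the SSN (must be recoverable by an authorized process),
    mask the card number (people only need the last four digits)."""
    return {
        "email": keyed_hash(record["email"], hash_key),
        "ssn": vault.tokenize(record["ssn"]),
        "card": mask(record["card"]),
    }
```

Hashing and masking are irreversible by design; only tokenization keeps a way back, which is exactly why the vault and the HMAC key need their own access controls.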
What do you call a document that provides best practices and recommendations related to a given concept, technology, or task?
A guideline
What is SDN?
Software-defined networking (SDN) uses software-based network configuration to control networks. SDN designs rely on controllers that manage network devices and configurations, centrally managing the software-defined network.
What are HSMs?
Hardware security modules (HSMs) are typically external devices or plug-in cards used to create, store, and manage digital keys for cryptographic functions and authentication, as well as to offload cryptographic processing.
What is a data processor?
A service provider that processes personal information on behalf of a data controller.
What is the best way to detect a rootkit?
The best way to detect a rootkit is to test the suspected system from a trusted system or device. In cases where that isn't possible, rootkit detection tools look for behaviors and signatures that are typical of rootkits.
Name all five risk categories.
Financial, reputational, strategic, operational, and compliance
What are filesystem permissions?
They determine which accounts, users, groups, or services can perform actions like reading, writing, and executing (running) files.
List and explain the five key cloud roles.
Cloud service providers offer cloud computing services; cloud consumers purchase cloud services from cloud service providers; cloud partners and brokers offer ancillary products that support or integrate with the offerings of a cloud service provider; cloud auditors are independent organizations that provide assessments of cloud services and operations; and cloud carriers provide the connectivity that allows the delivery of cloud services from providers to consumers.
What is the difference between misinformation and disinformation?
Misinformation is incorrect information, often resulting from getting facts wrong. Disinformation is incorrect, inaccurate, or outright false information that is intentionally provided to serve an individual or organization's goals.
Describe the continuous integration (CI) and continuous deployment (CD) pipeline.
Developer commits change, build process is triggered, build report is delivered, tests run against build, test report is delivered, and if successful, code is deployed.
What are security zones?
Physical or virtual network segments, or other components of an infrastructure, that can be separated from less secure zones through logical or physical means.
How do organizations determine where to place access points to handle poor coverage areas?
They conduct site surveys and create heat maps showing where coverage is relative to existing access points.
Give three valuable information sources for reconciling scan results.
Log reviews from servers, applications, network devices, and other sources that might contain information about possible attempts to exploit detected vulnerabilities; security information and event management (SIEM) systems that correlate log entries from multiple sources and provide actionable intelligence; and configuration management systems that provide information on the operating system and applications installed on a system.
What is open source threat intelligence?
Open source threat intelligence is threat intelligence that is acquired from publicly available sources.
What are two primary models for generation of one-time passwords?
TOTP, or time-based one-time passwords and HMAC-based one-time password (HOTP)
Name two different environments that DLP systems work in.
Agent-based DLP and agentless DLP
Name two mechanisms of action of DLP systems.
Pattern matching and watermarking
What is one of the fastest ways to decrease the attack surface of a system?
Reducing the number of open ports and services that it provides by disabling ports and protocols.
What is frequency analysis?
Frequency analysis examines how often each symbol (or block) appears in an encrypted message and looks for patterns, such as a ciphertext letter occurring about as often as E does in English text, that reveal how plaintext maps to ciphertext. It works against simple substitution and shift ciphers because they preserve the letter frequencies of the underlying language.
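Frequency analysis carried through against a shift (Caesar) cipher, as an added example that is not part of the original page. It shows the two steps an analyst performs: list the dominant ciphertext symbols, then score every candidate key by how close the recovered letter distribution is to English (a chi-squared statistic; lower is closer). The English frequency table is the standard published one and the demo message is constructed.

```python
from collections import Counter
import string

# Relative letter frequencies of English text, in percent (standard published
# values; any corpus-derived table works, the ranking is what matters).
ENGLISH_FREQ = {
    "A": 8.167, "B": 1.492, "C": 2.782, "D": 4.253, "E": 12.702, "F": 2.228,
    "G": 2.015, "H": 6.094, "I": 6.966, "J": 0.153, "K": 0.772, "L": 4.025,
    "M": 2.406, "N": 6.749, "O": 7.507, "P": 1.929, "Q": 0.095, "R": 5.987,
    "S": 6.327, "T": 9.056, "U": 2.758, "V": 0.978, "W": 2.360, "X": 0.150,
    "Y": 1.974, "Z": 0.074,
}
ALPHABET = string.ascii_uppercase


def letter_counts(text: str) -> Counter:
    """Count only A-Z (case-folded); spaces and punctuation carry no key information."""
    return Counter(ch for ch in text.upper() if ch in ALPHABET)


def most_common_letters(text: str, n: int = 3) -> list:
    """The raw pattern an analyst looks at first: which ciphertext symbols dominate.
    In a shift cipher the top symbol is usually the image of E."""
    return [letter for letter, _ in letter_counts(text).most_common(n)]


def chi_squared(text: str) -> float:
    """Distance between the letter distribution of `text` and English (lower = closer)."""
    counts = letter_counts(text)
    total = sum(counts.values())
    score = 0.0
    for letter in ALPHABET:
        expected = total * ENGLISH_FREQ[letter] / 100
        score += (counts[letter] - expected) ** 2 / expected
    return score


def shift_text(text: str, shift: int) -> str:
    """Caesar encrypt (positive shift) or decrypt (negative shift); non-letters pass through."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def break_caesar(ciphertext: str):
    """Try all 26 shifts and keep the one whose output looks most like English."""
    best_shift, best_plain, best_score = 0, ciphertext, float("inf")
    for shift in range(26):
        candidate = shift_text(ciphertext, -shift)
        score = chi_squared(candidate)
        if score < best_score:
            best_shift, best_plain, best_score = shift, candidate, score
    return best_shift, best_plain


# Constructed demo message (not from the original page), encrypted with shift 3.
DEMO_PLAINTEXT = ("FREQUENCY ANALYSIS WORKS BECAUSE A SIMPLE SUBSTITUTION CIPHER PRESERVES "
                  "THE LETTER FREQUENCIES OF THE UNDERLYING LANGUAGE SO THE MOST COMMON "
                  "CIPHERTEXT SYMBOL PROBABLY STANDS FOR E")
DEMO_CIPHERTEXT = shift_text(DEMO_PLAINTEXT, 3)
```

The same scoring idea extends to a general monoalphabetic substitution (score candidate letter mappings instead of shifts) and is why modern ciphers are designed so that ciphertext symbol frequencies are flat regardless of the plaintext.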
What is a zero-day attack?
Attacks that exploit vulnerabilities that are not yet disclosed.
What defines an unskilled attacker?
An unskilled attacker is a person who uses hacking techniques and premade tools but has limited skills of their own.
What are the benefits of penetration testing?
Penetration testing provides us with knowledge that we can't obtain elsewhere; in the event that attackers are successful, penetration testing provides us with an important blueprint for remediation; and penetration tests can provide us with essential, focused information on specific attack targets.
What does blind SQL injection (SQLi) mean and what are two forms of blind SQL injection?
Attackers use a technique called blind SQL injection to conduct an attack even when they don't have the ability to view the results directly. Two forms of blind SQL injection are content-based and timing-based.
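A content-based blind SQL injection worked end to end against a deliberately vulnerable login, beside the parameterized version that stops it; this is an added example, not code from the original page. The database, table, and credential are constructed in memory with SQLite. The extraction loop never sees query output: its only signal is whether the login succeeds, which is the defining feature of the blind variant.

```python
import sqlite3
from typing import Callable


def make_db() -> sqlite3.Connection:
    """Constructed demo database; the credential is made up for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret!')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Vulnerable on purpose: input is spliced into the statement text, so a
    # quote in `username` closes the string and the rest is parsed as SQL.
    sql = f"SELECT 1 FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Hardened: a parameterized query. Values travel separately from the
    # statement, so they can never change its structure.
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def blind_extract(login: Callable[[str, str], bool], target_user: str = "admin",
                  max_len: int = 32) -> str:
    """Content-based blind SQLi. Each probe asks one yes/no question, 'is
    character N of the target's password equal to c?', and reads the answer
    from whether the login call returns True or False."""
    charset = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*"
    recovered = ""
    for position in range(1, max_len + 1):
        match = None
        for c in charset:
            # substr() is 1-based in SQLite; the trailing "--" comments out the
            # original "AND password = ..." clause.
            probe = (f"' OR (username = '{target_user}' "
                     f"AND substr(password, {position}, 1) = '{c}') -- ")
            if login(probe, "anything"):
                match = c
                break
        if match is None:        # nothing matched: we are past the end of the value
            break
        recovered += match
    return recovered
```

The timing-based form uses the same per-character loop but wraps the condition in a database delay function (MySQL's SLEEP(), for instance) and times the response instead of reading success or failure; SQLite has no such function, which is why only the content-based form is shown. Against login_safe the probe is just an odd-looking username and the loop recovers nothing.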
Give some types of configuration settings recommended by CIS benchmark for Windows.
Setting the password history to remember 24 or more passwords and setting the maximum password age to "60 or fewer days, but not 0," which prevents users from simply changing their passwords 24 times to get back to the same password while requiring a password change every 2 months; setting the minimum password length to 14 or more characters; requiring password complexity; and disabling the storage of passwords using reversible encryption.
What are the 9 stages in the EDRM model?
Information governance
Identification of electronically stored information
Preservation of the information
Collection of the information
Processing of the data
Review of the data
Analysis of the information
Production of the data
Presentation for testimony in court and for further analysis
Describe how zero trust works.
Zero trust presumes that there is no trust boundary and no network edge. Each action is validated when requested as part of a continuous authentication process and access is only allowed after policies are checked, including elements like identity, permissions, system configuration and security status, threat intelligence data review, and security posture.
Name two choices you need to make when you implement encryption
The algorithm to use to perform encryption and decryption; the encryption key to use with that algorithm
What are three major functions provided by TPM chips?
Trusted Platform Module (TPM) chips are frequently used to provide built-in encryption, and they provide three major functions: remote attestation, allowing hardware and software configurations to be verified; binding, which encrypts data; and sealing, which encrypts data and sets requirements for the state of the TPM chip before decryption.
How does FDE work?
Full disk encryption (FDE) encrypts the disk and requires that the bootloader or a hardware device provide a decryption key and software or hardware to decrypt the drive for use.
What should we do if we can't completely remove data from a dataset?
We can transform it into a format where the original sensitive information is deidentified. The deidentification process removes the ability to link data back to an individual, reducing its sensitivity. An alternative to deidentifying data is transforming it into a format where the original information can't be retrieved. This is a process called data obfuscation.
What are three techniques to verify the authenticity of certificates and identify revoked certificates?
Certificate revocation lists (CRLs), Online Certificate Status Protocol (OCSP), and certificate stapling
What are the three major types of exercises that incident response teams use to prepare?
Tabletop, walkthroughs, simulations
How do you calculate the exploitability score for a vulnerability under CVSS?
Under CVSS v3.x: Exploitability = 8.22 × AttackVector × AttackComplexity × PrivilegesRequired × UserInteraction, where each metric is replaced by the numeric weight assigned to its chosen value.
What are three key objectives of cybersecurity programs?
Confidentiality, integrity, and availability
What characteristics differentiate the types of cybersecurity threat actors?
Internal vs. external, level of sophistication/capability, resources/funding, intent/motivation
What are some examples of physical controls?
Fences, perimeter lighting, locks, fire suppression systems, and burglar alarms
What term describes an attack where an attacker uses websites that targets frequent to attack them?
A watering hole attack
Name the phases of the software development life cycle (SDLC).
Planning, requirements definition, design, coding, testing, training and transition, ongoing operations and maintenance, and end-of-life decommissioning
What are two types of advanced security camera capabilities?
Motion recognition and object detection
List and explain two principles we need to apply in application resilience.
Scalability says that applications should be designed so that the computing resources they require may be incrementally added to support increasing demand; elasticity goes a step further than scalability and says that applications should be able to automatically provision resources to scale when necessary and then automatically deprovision those resources to reduce capacity (and cost) when it is no longer needed.
What do you call a geographic view of threat intelligence?
A threat map.
List at least three key elements of the rules of engagement for a penetration test.
The timeline for the engagement and when testing can be conducted; valid targets; data handling requirements; what behaviors to expect from the target; what resources are committed to the test; legal concerns, including a review of the laws that cover the target organization, any remote locations, and any service providers that will be in scope; and when and how communications will occur.
What are pressure sensors?
They detect a change in pressure. While not commonly deployed in most environments, they may be used when an organization needs to detect an object being moved or when someone is moving through an area using a pressure plate or pad.
What actor is most commonly associated with corporate espionage?
Competitors may engage in corporate espionage designed to steal sensitive information from your organization and use it to their own business advantage.
What is a data subject?
An individual whose personal data is being processed.
What is the process of conducting a digital investigation intended to find artifacts related to criminal activity or for litigation called?
E-discovery
What type of attacker acts without proper authorization, but they do so with the intent of informing their targets of any security vulnerabilities?
A semi-authorized attacker
Name eight threat vectors.
Message-based threat vectors, wired networks, wireless networks, systems, files and images, removable devices, cloud, and supply chain
How do environmental attacks work?
Environmental attacks include attacks like targeting an organization's heating and cooling systems, maliciously activating a sprinkler system, and similar actions.
What are some examples of technical controls?
Firewall rules, access control lists, intrusion prevention systems, and encryption
List all eight CVSS metrics and describe what kinds of measurements they evaluate.
The eight Common Vulnerability Scoring System (CVSS) metrics are the attack vector, attack complexity, privileges required, user interaction, confidentiality, integrity, availability, and scope metrics. The first four evaluate the exploitability of the vulnerability, the next three evaluate its impact, and the eighth, scope, records whether a successful exploit affects only the vulnerable component or reaches beyond it into other components.
List three techniques that support removing systems, devices, or even entire network segments or zones.
Isolation, containment, segmentation
Name three endpoint protection solutions.
Host-based firewall, host intrusion prevention system (HIPS), and host intrusion detection system (HIDS)
Name some sources you can use when you build your threat research toolkit.
Vendor security information websites, vulnerability and threat feeds from vendors, government agencies, and private organizations, academic journals and technical publications, professional conferences and local industry group meetings, and social media accounts of prominent security professionals
What are five basic requirements for a cryptographic hash function?
They accept an input of any length; they produce an output of a fixed length; the hash value is relatively easy to compute; the hash function is one-way (meaning that it is extremely hard to determine the input when provided with the output); and the hash function is collision free (meaning that it is extremely hard to find two messages that produce the same hash value).
What are three areas for capacity planning?
Three areas for capacity planning are people, technology, and infrastructure.
List at least five connectivity methods.
Cellular, Wi-Fi, Bluetooth, NFC, RFID, Infrared, GPS, USB
What are bots and what are botnets?
Bots are remotely controlled systems or devices that have a malware infection. Groups of bots are known as botnets, and botnets are used by attackers who control them to perform various actions ranging from additional compromises and infection to denial-of-service (DoS) attacks or acting as spam relays.
What are the three major components of a security assessment?
Security tests, security assessments, and security audits
Explain true positive, false positive, true negative, and false negative
When a vulnerability scanner reports a vulnerability, this is known as a positive report. This report may either be accurate (a true positive report) or inaccurate (a false positive report). Similarly, when a scanner reports that a vulnerability is not present, this is a negative report. The negative report may either be accurate (a true negative report) or inaccurate (a false negative report).
Name four use cases for forensics.
Forensics may be used for investigations, incident response, intelligence, and counterintelligence.
Name at least three types of viruses.
Memory-resident viruses, non-memory resident viruses, boot sector viruses, macro viruses, and email viruses
What are access restrictions?
Access restrictions are security measures that limit the ability of individuals or systems to access sensitive information or resources.
What is the Linux dd command? Give an example to copy a drive mounted as /dev/sda to a file called example.img.
The Linux dd command is a command-line utility that allows you to create disk images for forensic or other purposes.
Example: dd if=/dev/sda of=example.img conv=noerror,sync
What is parameter pollution?
Parameter pollution is a technique that attackers have successfully used to defeat input validation controls: the request carries the same parameter more than once (for example, two id values in a query string) so that the validation layer inspects one copy while the application acts on the other.
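The first-copy versus last-copy disagreement, modeled in code as an added example (not from the original page). The "validator" stands in for a WAF or front-end filter that checks the first occurrence of a parameter, the "application" reads the last; both layers, the numeric-only rule and the polluted request are constructed for the demo. The hardened handler rejects any repeated parameter before validating the single value it will use.

```python
from urllib.parse import parse_qs


def is_safe_id(value: str) -> bool:
    """The validation rule both layers are supposed to enforce: numeric only."""
    return value.isdigit()


def first_occurrence(query: str, key: str) -> str:
    return parse_qs(query, keep_blank_values=True).get(key, [""])[0]


def last_occurrence(query: str, key: str) -> str:
    return parse_qs(query, keep_blank_values=True).get(key, [""])[-1]


def handle_naive(query: str) -> str:
    """Two layers that disagree on which copy of a repeated parameter counts:
    the validator checks the first 'id', the back-end reads the last. A
    request with two 'id' values slips its payload past validation."""
    if not is_safe_id(first_occurrence(query, "id")):
        return "blocked"
    return "lookup:" + last_occurrence(query, "id")


def handle_hardened(query: str) -> str:
    """Fix: treat a repeated (or absent) parameter as an error, then validate
    the one value that will actually be used."""
    values = parse_qs(query, keep_blank_values=True).get("id", [])
    if len(values) != 1:
        return "blocked: parameter 'id' must appear exactly once"
    if not is_safe_id(values[0]):
        return "blocked"
    return "lookup:" + values[0]


# Constructed polluted request: a benign first copy, a payload in the second.
POLLUTED = "id=42&id=42%20OR%201%3D1"
```

Which copy a component keeps differs by framework (some take the first, some the last, some concatenate), so the only portable defense is to validate in the same component that consumes the value and to reject duplicates outright.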
What are two important roles served by risk assessment in the risk management process?
The risk analysis provides guidance in prioritizing risks so that the risks with the highest probability and magnitude are addressed first. Quantitative risk analyses help determine whether the potential impact of a risk justifies the costs incurred by adopting a risk management approach.
What are three main methods used to exchange secret keys securely?
Offline distribution, public key encryption, and the Diffie-Hellman key exchange algorithm
What control should organizations put in place to ensure that successful ransomware infections do not incapacitate the company?
One of the most important defenses against ransomware is an effective backup system that stores files in a separate location that will not be impacted if the system or device it backs up is infected and encrypted by ransomware.
What does the social engineering principle of intimidation rely on?
Intimidation relies on scaring or bullying an individual into taking a desired action.
What is homomorphic encryption?
Homomorphic encryption technology allows encrypting data in a way that preserves the ability to perform computation on that data.
List and explain all three primary rules of role-based access control (RBAC).
Role assignment, which states that subjects can use only permissions that match a role they have been assigned; role authorization, which states that the subject's active role must be authorized for the subject—this prevents subjects from taking on roles they shouldn't be able to; and permission authorization, which states that subjects can only use permissions that their active role is allowed to use.
What is an evil twin?
A malicious fake access point that is set up to appear to be a legitimate, trusted network.