CompTIA Security+: Ports, Documents, and Protocols

0.0(0)
Studied by 0 people
call kaiCall Kai
Locked
learnLearn
examPractice Test
spaced repetitionSpaced Repetition
heart puzzleMatch
flashcardsFlashcards
GameKnowt Play
Card Sorting

1/394

encourage image

There's no tags or description

Looks like no tags are added yet.

Last updated 10:21 PM on 7/6/26
Name
Mastery
Learn
Test
Matching
Spaced
Call with Kai
Chat

No analytics yet

Send a link to your students to track their progress

395 Terms

1
New cards

ISMS

Information Security Management System. The complete management framework for governing information security in an organization. Defined by ISO 27001.

2
New cards

ISO 27001

Certifiable standard defining requirements for an ISMS. Process-based, not a technical checklist. Third-party auditors verify compliance and issue certification.

3
New cards

ISO 27002

Companion to ISO 27001. Detailed implementation guidance for each control in 27001's Annex A. Not certifiable on its own.

4
New cards

ISO 31000

General risk management framework. Not security-specific, not certifiable. Applies to all organizational risk types.

5
New cards

NIST CSF

Voluntary cybersecurity framework organized into 6 functions: Govern, Identify, Protect, Detect, Respond, Recover. Widely adopted outside federal government.

6
New cards

NIST SP 800-53

Categorizes security controls into different groups and acts as a catalog of them

7
New cards

NIST SP 800-171

Security requirements for protecting CUI in non-federal systems. Applies to DoD contractors. Basis for CMMC certification.

8
New cards

CUI

Controlled Unclassified Information. Government data that requires protection but isn't classified. Handled by contractors under 800-171.

9
New cards

NIST RMF

Federal process for authorizing IT systems to operate. Six steps: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor.

10
New cards

ATO

Authority to Operate. Authorization granted by an Authorizing Official allowing a federal system to process government data. Typically valid 3 years.

11
New cards

FISMA

Federal Information Security Modernization Act. Requires federal agencies to implement NIST-based security programs and obtain ATOs for systems.

12
New cards

PCI DSS

Payment Card Industry Data Security Standard. 12 requirements for any organization storing, processing, or transmitting cardholder data. Contractually mandatory, not law.

13
New cards

GDPR

EU regulation protecting personal data of EU residents. Applies globally to any org handling EU data. 72-hour breach notification, right to erasure, fines up to 4% global revenue.

14
New cards

HIPAA

US law protecting PHI. Three rules: Privacy, Security, Breach Notification. Applies to covered entities and business associates.

15
New cards

PHI

Protected Health Information. Individually identifiable health information. 18 defined identifiers make health data PHI under HIPAA.

16
New cards

SOC 2

Auditing framework for service organizations. Based on Trust Services Criteria: Security (required), Availability, Processing Integrity, Confidentiality, Privacy.

17
New cards

SOC 2 Type I

Point-in-time audit verifying controls are designed correctly. Less rigorous than Type II.

18
New cards

SOC 2 Type II

Audit covering a period (6-12 months) verifying controls operated effectively throughout. What enterprise customers require.

19
New cards

SOX

Sarbanes-Oxley Act. US law requiring public companies to maintain effective internal controls over financial reporting. Executives personally liable. Key IT impacts: audit log retention (7 years), access controls, separation of duties, change management.

20
New cards

RFC 3227

IETF guidelines for digital evidence collection. Defines order of volatility and chain of custody requirements.

21
New cards

Order of Volatility

Sequence for evidence collection: CPU/cache → RAM → network state → running processes → disk cache → disk → remote logs → archival media. Most volatile first.

22
New cards

Chain of Custody

Documentation proving evidence integrity from collection through legal proceedings. Every person who touched evidence, when, and what they did.

23
New cards

ALE

Annual Loss Expectancy. Expected yearly loss from a risk. ALE = SLE × ARO.

24
New cards

SLE

Single Loss Expectancy. Cost of one occurrence of a risk event. SLE = Asset Value × Exposure Factor.

25
New cards

ARO

Annual Rate of Occurrence. How many times per year a risk event is expected. Once per 10 years = 0.1.

26
New cards

Exposure Factor

Percentage of asset value lost in a single risk event. Total destruction = 1.0.

27
New cards

Risk Transference

Shifting loss responsibility to another party. Insurance, outsourced security providers.

28
New cards

OSI Model

7-layer network model: Physical, Data Link, Network, Transport, Session, Presentation, Application.

29
New cards

Layer 1 Physical

OSI layer - Cables, hubs, radio waves. Raw bit transmission.

30
New cards

Layer 2 Data Link

OSI Layer - Ethernet, MAC addresses, switches, ARP. Frame transmission within a network.

31
New cards

Layer 3 Network

OSI Layer - IP, ICMP, IPSec, routing. Packet transmission across networks.

32
New cards

Layer 4 Transport

TCP, UDP. Ports live here. End-to-end communication, segmentation.

33
New cards

Layer 5 Session

Session establishment and management. NetBIOS.

34
New cards

Layer 6 Presentation

Encryption, compression, format translation. TLS/SSL operates here.

35
New cards

Layer 7 Application

HTTP, DNS, SMTP, FTP, SNMP. User-facing protocols.

36
New cards

TCP

Transmission Control Protocol. Connection-oriented, reliable, ordered delivery. Three-way handshake (SYN, SYN-ACK, ACK). Layer 4.

37
New cards

UDP

User Datagram Protocol. Connectionless, no guaranteed delivery, fast. Used for DNS, VoIP, streaming. Layer 4.

38
New cards

IPSec

Suite of Layer 3 protocols providing confidentiality, integrity, and authentication for IP packets. Used in site-to-site VPNs.

39
New cards

AH

Authentication Header. IPSec protocol providing integrity and authentication only. No encryption.

40
New cards

ESP

Encapsulating Security Payload. IPSec protocol providing encryption, integrity, and authentication. Almost always preferred over AH.

41
New cards

IPSec Tunnel Mode

Encrypts entire original IP packet including headers. Used in VPNs. Hides source/destination.

42
New cards

IPSec Transport Mode

Encrypts payload only. Original IP headers visible. Used for end-to-end host communication.

43
New cards

IKE

Internet Key Exchange. Negotiates IPSec security associations. Runs on UDP port 500. Phase 1 establishes secure channel; Phase 2 negotiates IPSec parameters.

44
New cards

TLS

Transport Layer Security. Successor to SSL. Encrypts communications at Layer 6. Current standard is Version 1.3.

45
New cards

SSL

Secure Sockets Layer. Predecessor to TLS. All versions broken. SSL 3.0 vulnerable to POODLE. Never use.

46
New cards

TLS Handshake

Negotiation process: Client Hello → Server Hello → Certificate verification → Key exchange → Session key derivation → Finished.

47
New cards

Forward Secrecy

Property where session keys are temporary and not derived from the server's long-term private key. Compromising the private key later cannot decrypt past sessions. Provided by ECDHE.

48
New cards

Diffie-Hellman

Key exchange protocol allowing two parties to establish a shared secret over a public channel without transmitting the secret. Basis for forward secrecy.

49
New cards

PKI

System of CAs, certificates, and policies enabling trusted public key distribution and identity verification.

50
New cards

Certificate Authority (CA)

Trusted third party that issues and signs digital certificates, vouching for identity.

51
New cards

Root CA

Top of the certificate hierarchy. Self-signed, pre-installed in OS/browsers. Private key kept offline. Never signs end-entity certs directly.

52
New cards

Intermediate CA

Signed by Root CA. Used for day-to-day certificate signing. Compromise can be contained without touching the root.

53
New cards

Chain of Trust

Verification path from end-entity certificate up through intermediate CAs to a trusted root CA. Verified locally using math, not network requests.

54
New cards

Digital Certificate

Public key + identity information, signed by a CA. Contains subject, issuer, public key, validity dates, serial number, signature, SANs.

55
New cards

Self-Signed Certificate

Signed by its own private key rather than a CA. No third-party trust. Browser warnings. Acceptable for internal use only.

56
New cards

Certificate Revocation List (CRL)

CA-published list of revoked certificate serial numbers. Periodically downloaded by clients. Can be stale.

57
New cards

OCSP

Online Certificate Status Protocol. Real-time query to CA: is this certificate still valid? Adds latency, creates CA dependency.

58
New cards

OCSP Stapling

Server periodically fetches its own OCSP response and attaches it to the TLS handshake. Client gets freshness proof without separate CA request.

59
New cards

Certificate Pinning

Application hardcodes which certificate or CA it accepts for a server. Rejects valid certs from other CAs. Strong MITM defense.

60
New cards

DV Certificate

Domain Validation. CA only verifies domain control. Automated, cheap, fast. No identity verification beyond domain ownership.

61
New cards

OV Certificate

Organization Validation. CA verifies domain and organization identity. Requires documentation.

62
New cards

EV Certificate

Extended Validation. Strictest identity verification. Historically showed green bar in browsers.

63
New cards

Wildcard Certificate

Covers a domain and all direct subdomains. *.example.com covers mail.example.com but not sub.mail.example.com.

64
New cards

SAN Certificate

Subject Alternative Names. Single certificate covering a specific list of multiple domains.

65
New cards

Key Escrow

Copy of a private key held by a third party. Backup mechanism, but means someone else has your private key.

66
New cards

Registration Authority (RA)

Handles identity verification on behalf of a CA. CA still does the actual signing.

67
New cards

Hash Function

One-way function producing fixed-size output from arbitrary input. Deterministic, collision-resistant, avalanche effect.

68
New cards

SHA-256

Current standard hash algorithm. 256-bit output. Part of SHA-2 family. No practical collision attacks known.

69
New cards

SHA-1

160-bit hash. Broken. Practical collisions demonstrated in 2017 (SHAttered). Deprecated.

70
New cards

MD5

128-bit hash. Completely broken. Collisions findable in seconds. Never use for security. Acceptable for non-security checksums.

71
New cards

SHA-3

Hash algorithm using Keccak sponge construction. Entirely different design from SHA-2. NIST backup if SHA-2 is ever broken.

72
New cards

Collision Attack

Finding two different inputs that produce the same hash output.

73
New cards

Birthday Attack

Exploiting a paradox probability to find hash collisions. Effective search space is square root of output size.

74
New cards

Asymmetric Cryptography

Two mathematically linked keys: public and private. What one encrypts only the other decrypts. Basis for PKI and digital signatures.

75
New cards

Digital Signature

Hash of content encrypted with private key. Recipient decrypts with public key and compares hashes. Proves authenticity and integrity.

76
New cards

Symmetric Cryptography

Same key encrypts and decrypts. Fast, but key distribution problem.

77
New cards

Forward Proxy

Sits between clients and internet. Hides/anonymizes clients. Can filter content.

78
New cards

Reverse Proxy

Sits between internet and backend servers. Hides servers, handles load balancing and caching.

79
New cards

Load Balancer

Distributes traffic across multiple servers. Algorithms: round robin, least connections, IP hash. Increases availability.

80
New cards

SDN

Software-Defined Networking. Separates control plane (where to send traffic) from data plane (actually moving traffic) into centralized software. Network-wide visibility vs. traditional per-device routing.

81
New cards

IDS

Intrusion Detection System. Passive, out-of-band monitoring. Detects and alerts on threats. Cannot block traffic.

82
New cards

IPS

Intrusion Prevention System. Inline, in the traffic stream. Detects threats and can take action to block them.

83
New cards

WAF

Web Application Firewall. Analyzes HTTP traffic including queries and APIs. Can act as IPS for web-layer attacks.

84
New cards

UTM

Unified Threat Management. All-in-one security device combining firewall, IPS, IDS, anti-malware, VPN, DLP, analytics.

85
New cards

NGFW

Next-Generation Firewall. Combines packet inspection, IPS, IDS, firewall, antivirus beyond traditional firewall capabilities.

86
New cards

Jump Server

Provides access between security zones for authorized users. Must be secured, monitored, and maintain separate audit logs.

87
New cards

Air Gap

Physical separation between networks requiring physical media to transfer data. Strongest isolation measure.

88
New cards

VLAN

Virtual Local Area Network. Logical network segmentation using software. Isolates traffic without separate physical hardware.

89
New cards

VPN

Virtual Private Network. Encrypted logical connection over public network. Two types: IPSec (Layer 3, site-to-site) and SSL/TLS (Layer 6, remote access).

90
New cards

Split Tunnel VPN

Only predefined traffic goes through VPN tunnel. Other traffic travels normally. More efficient, less secure.

91
New cards

Full Tunnel VPN

All traffic routes through VPN regardless of destination. More bandwidth, more secure.

92
New cards

Site-to-Site VPN

Permanent VPN connection between two locations. Always on. Typically uses IPSec tunnel mode.

93
New cards

Remote Access VPN

On-demand VPN for individual users. SSL/TLS most common. Not always on.

94
New cards

802.1X

IEEE standard for port-based network access control. Uses EAP framework to authenticate devices to a RADIUS server before granting network access.

95
New cards

EAP-TLS

Certificate-based mutual authentication. Certificates required on both client and server. Most secure, hardest to manage at scale.

96
New cards

EAP-TTLS

Only server-side certificate required. Reduces management overhead. May require client software.

97
New cards

EAP-FAST

Cisco protocol for fast re-authentication of roaming devices. Uses symmetric shared secret key after initial auth.

98
New cards

RADIUS

Remote Authentication Dial-In User Service. Centralized authentication server. Used with 802.1X.

99
New cards

Fail-Open

Device failure mode where all traffic is allowed through. Prioritizes availability over security.

100
New cards

Fail-Closed

Device failure mode where all traffic is blocked. Prioritizes security over availability.