Ron Sharon (www.ronsharon.

com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

1. What is the primary purpose of a firewall in network security?

A. Encrypting data
B. Monitoring network traffic
C. Controlling access to network resources
D. Detecting malware

2. What type of attack involves intercepting and modifying communication between two parties?
A. Phishing
B. Man-in-the-middle
C. DDoS
D. Brute force

3. Which of the following encryption algorithms is symmetric?

A. RSA
B. AES
C. Diffie-Hellman
D. ECC

4. What is the primary purpose of a VPN (Virtual Private Network)?

A. Anonymize browsing
B. Secure communication over public networks
C. Filter out malicious content
D. Monitor network traffic

5. Which of the following is a secure protocol for transferring files?

A. FTP
B. SFTP
C. TFTP
D. SNMP

1
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

6. Which of the following is NOT a type of access control?

A. DAC
B. MAC
C. RBAC
D. HAC

7. What is the primary purpose of an Intrusion Detection System (IDS)?

A. Encrypting data
B. Monitoring and alerting on potential security breaches
C. Controlling access to network resources
D. Detecting malware

8. Which of the following is a form of social engineering?

A. SQL injection
B. DDoS
C. Phishing
D. Cross-site scripting

9. What type of vulnerability assessment actively attempts to exploit vulnerabilities?

A. Passive scanning
B. Active scanning
C. Penetration testing
D. Baseline reporting

10. What is the primary purpose of a digital signature?

A. Ensure confidentiality
B. Verify sender identity and data integrity
C. Encrypt data
D. Authenticate users

11. Which of the following is a common method for securely erasing data on a hard drive?
A. Overwriting
B. Degaussing
C. Shredding
D. All of the above

2
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

12. Which of the following best describes a risk assessment?

A. A method for identifying vulnerabilities in a system
B. A process for prioritizing risks based on likelihood and impact
C. A framework for managing risks
D. A tool for quantifying risks

13. Which of the following is a type of biometric authentication?

A. Password
B. Smart card
C. Fingerprint scan
D. PIN

14. Which of the following is a public key infrastructure (PKI) component?

A. Certificate authority (CA)
B. Intrusion detection system (IDS)
C. VPN
D. Firewall

15. What is a zero-day vulnerability?

A. A vulnerability that is known but unpatched
B. A vulnerability that is unknown and unpatched
C. A vulnerability that has been patched
D. A vulnerability that is actively being exploited

16. What type of malware typically spreads itself through network connections?
A. Worm
B. Virus
C. Trojan
D. Spyware

17. Which of the following best describes a honeypot?

A. A decoy system used to attract and detect attackers
B. A type of firewall
C. A secure storage location for sensitive data
D. A tool for scanning network vulnerabilities

3
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

18. What is the primary purpose of a Security Information and Event Management (SIEM) system?
A. Encrypting data
B. Centralizing and analyzing log data from various sources
C. Controlling access to network resources
D. Detecting malware

19. Which of the following is a type of physical security control?

A. Firewall
B. Intrusion detection system (IDS)
C. Mantrap
D. Security policy

20. What does the principle of least privilege (POLP) dictate?

A. Users should only have the permissions necessary to perform their job functions
B. Users should have full access to all systems and resources
C. Users should share login credentials to streamline work processes
D. Users should have different levels of access based on seniority

21. Which of the following is an example of a security incident?

A. Software malfunction
B. Unauthorized access to sensitive data
C. Hardware failure
D. Scheduled system maintenance

22. What is the primary purpose of a Data Loss Prevention (DLP) solution?
A. Detecting and preventing unauthorized data transfers
B. Encrypting data at rest and in transit
C. Monitoring network traffic
D. Scanning for malware

23. What type of attack involves overwhelming a target system with traffic or requests?
A. Man-in-the-middle
B. DDoS
C. Brute force
D. Phishing

4
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

24. Which of the following is a best practice for secure password management?
A. Use of complex, unique passwords for each account
B. Sharing passwords with trusted colleagues
C. Writing passwords on sticky notes for easy access
D. Using the same password for all accounts

25. What type of attack involves an attacker sending malformed or malicious data to a target application?
A. Buffer overflow
B. SQL injection
C. Cross-site scripting (XSS)
D. Brute force

26. Which security concept ensures that data is only accessible to authorized users?
A. Confidentiality
B. Integrity
C. Availability
D. Non-repudiation

27. What type of backup strategy involves creating a copy of only the data that has changed since the last full
backup?
A. Incremental backup
B. Differential backup
C. Full backup
D. Snapshot backup

28. Which of the following is a secure email protocol that encrypts both messages and attachments?
A. SMTP
B. IMAP
C. POP3
D. S/MIME

5
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

29. Which of the following is a type of hardware-based security technology that isolates and protects sensitive data
on a device?
A. HSM
B. TPM
C. BIOS
D. UTM

30. What type of attack involves an attacker sending unsolicited messages to a large number of recipients?
A. DDoS
B. Brute force
C. Spam
D. Phishing

31. What is the primary purpose of two-factor authentication (2FA)?

A. Increase security by requiring two different authentication methods
B. Encrypt data in transit
C. Monitor network traffic
D. Detect malware

32. Which of the following is an example of a network segmentation technique?

A. DMZ
B. VLAN
C. Subnetting
D. All of the above

33. Which type of cryptography uses two keys, one for encryption and one for decryption?
A. Symmetric-key cryptography
B. Asymmetric-key cryptography
C. Hash function
D. Digital signature

34. What is the primary purpose of a Security Operations Center (SOC)?

A. Encrypt data
B. Monitor and respond to security incidents
C. Control access to network resources
D. Detect malware

6
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

35. Which of the following is an example of a wireless security protocol?

A. WEP
B. WPA2
C. WPA3
D. All of the above

36. What is the primary purpose of a Network Access Control (NAC) system?
A. Encrypt data
B. Monitor network traffic
C. Control access to network resources based on device compliance
D. Detect malware

37. Which type of malware typically requires user interaction to execute and spread?
A. Worm
B. Virus
C. Trojan
D. Ransomware

38. Which of the following is a common method for detecting a rootkit?

A. Signature-based detection
B. Heuristic analysis
C. Behavior monitoring
D. All of the above

39. What is the primary purpose of a patch management process?

A. Detect and prevent unauthorized data transfers
B. Encrypt data at rest and in transit
C. Maintain system security and stability by applying updates
D. Scan for malware

40. Which type of security testing involves a tester with limited knowledge of the target system?
A. White box testing
B. Gray box testing
C. Black box testing
D. Red team testing

7
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

41. What is the primary purpose of an incident response plan?

A. Detect security incidents
B. Provide a structured approach for managing security incidents
C. Prevent security incidents
D. Recover from security incidents

42. Which of the following is an example of a security control that provides redundancy?

A. Firewall
B. Intrusion detection system (IDS)
C. Backup generator
D. VPN

43. What is the primary purpose of a port scanner?

A. Encrypt data
B. Identify open network ports and services
C. Control access to network resources
D. Detect malware

44. What type of disaster recovery strategy involves running systems and applications at a secondary site after a
disaster?
A. Cold site
B. Warm site
C. Hot site
D. Mobile site

45. What is the primary purpose of an antivirus software?

A. Encrypt data
B. Monitor network traffic
C. Control access to network resources
D. Detect and remove malware

46. Which type of attack involves exploiting a vulnerability in a system or application before the developer can fix it?
A. Brute force
B. DDoS
C. Zero-day exploit
D. Man-in-the-middle

8
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

47. What is the primary purpose of a password manager?

A. Encrypt data
B. Store and manage user passwords securely
C. Control access to network resources
D. Detect malware

48. Which of the following is a type of secure web communication protocol?

A. HTTP
B. FTP
C. HTTPS
D. Telnet

49. What type of attack involves an attacker repeatedly attempting to guess a user's login credentials?
A. Man-in-the-middle
B. Brute force
C. DDoS
D. Phishing

50. What type of security control is a security policy?

A. Physical
B. Technical
C. Administrative
D. Preventative

51. Which of the following best describes an Information Security Management System (ISMS)?
A. A hardware device for securing data
B. A software tool for detecting security incidents
C. A framework for managing and protecting information assets
D. A set of guidelines for responding to security incidents

52. Which of the following is an example of a physical access control?

A. Encryption
B. Antivirus software
C. Keycard lock
D. Firewall

9
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

53. What type of security control is an intrusion prevention system (IPS)?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

54. Which of the following is a best practice for securing wireless networks?
A. Using weak encryption protocols
B. Disabling SSID broadcasting
C. Allowing open guest networks
D. Not using a pre-shared key

55. What is the primary purpose of a vulnerability scanner?

A. Encrypt data
B. Monitor network traffic
C. Identify potential security weaknesses in systems and networks
D. Detect malware

56. Which of the following is an example of a cloud computing deployment model?

A. Public cloud
B. Private cloud
C. Hybrid cloud
D. All of the above

57. Which type of authentication factor category does a fingerprint scanner belong to?
A. Something you know
B. Something you have
C. Something you are
D. Somewhere you are

58. What type of security control is a security awareness training program?

A. Physical
B. Technical
C. Administrative
D. Preventative

10
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

59. Which of the following is an example of a network security monitoring tool?

A. HIDS
B. NIDS
C. DLP
D. All of the above

60. What type of attack involves an attacker gaining unauthorized access to a system by exploiting a vulnerability?
A. Man-in-the-middle
B. Brute force
C. DDoS
D. Exploit

61. What type of malware is designed to encrypt a victim's files and demand a ransom for decryption?
A. Worm
B. Virus
C. Trojan
D. Ransomware

62. Which of the following is a standard for securely exchanging authentication and authorization data between
parties?
A. OAuth
B. SAML
C. OpenID Connect
D. All of the above

63. What is the primary purpose of a data classification policy?

A. Encrypt data
B. Monitor network traffic
C. Control access to network resources
D. Identify and protect sensitive data based on its value and risk

11
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

64. Which of the following is a type of security control that deters attackers by increasing the perceived effort or risk
of an attack?
A. Preventative
B. Detective
C. Corrective
D. Deterrent

65. What type of security testing involves a tester with full knowledge of the target system?
A. White box testing
B. Gray box testing
C. Black box testing
D. Red team testing

66. What is the primary purpose of a business continuity plan (BCP)?

A. Detect security incidents
B. Ensure the continued operation of an organization during and after a disruptive event
C. Prevent security incidents
D. Recover from security incidents

67. Which of the following is a type of encryption algorithm that provides both authentication and encryption?
A. RSA
B. AES-GCM
C. DES
D. 3DES

68. What type of attack involves the unauthorized use of a user's session identifier to gain access to their account?
A. Session hijacking
B. Brute force
C. DDoS
D. Phishing

12
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

69. What type of network security device combines multiple security functions into a single appliance?
A. Intrusion Detection System (IDS)
B. Firewall
C. Unified Threat Management (UTM)
D. Data Loss Prevention (DLP)

70. What is the primary purpose of a key management system?

A. Encrypt data
B. Monitor network traffic
C. Control access to network resources
D. Securely generate, store, and manage cryptographic keys

71. Which of the following is an example of a secure remote access technology?

A. Remote Desktop Protocol (RDP)
B. Secure Shell (SSH)
C. Telnet
D. Virtual Network Computing (VNC)

72. What type of cybersecurity incident involves an attacker exploiting a web application to send malicious code to a
user's browser?
A. SQL injection
B. Cross-site scripting (XSS)
C. CSRF
D. Buffer overflow

73. What is the primary purpose of a digital certificate?

A. Encrypt data
B. Verify the identity of an entity and establish trust
C. Control access to network resources
D. Detect malware

74. Which of the following is a best practice for managing vendor risks?
A. Assessing vendors' security controls and practices
B. Providing vendors with unrestricted access to systems and data
C. Ignoring vendor risks
D. Relying solely on the vendor's reputation

13
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

75. Which of the following is an example of an Information Security Framework?

A. NIST Cybersecurity Framework
B. ISO/IEC 27001
C. CIS Critical Security Controls
D. All of the above

76. Which of the following is an example of an email security best practice?

A. Disabling email filtering
B. Using digital signatures
C. Opening all email attachments
D. Trusting all email links

77. What type of security testing involves a simulated attack on an organization's systems to assess their security
posture?
A. White box testing
B. Gray box testing
C. Black box testing
D. Red team testing

78. Which of the following is an example of a host-based intrusion detection system (HIDS)?
A. Snort
B. OSSEC
C. Suricata
D. Bro

79. What type of biometric authentication method involves analyzing a user's typing rhythm and patterns?
A. Fingerprint recognition
B. Iris recognition
C. Voice recognition
D. Keystroke dynamics

80. Which of the following is an example of a network-based intrusion detection system (NIDS)?
A. Snort
B. OSSEC
C. Suricata
D. Bro

14
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

81. What is the primary purpose of a Security Information and Event Management (SIEM) system?
A. Encrypt data
B. Aggregate, analyze, and correlate security event data from multiple sources
C. Control access to network resources
D. Detect malware

82. Which type of security control involves creating a baseline of normal system behavior and alerting when
deviations occur?
A. Preventative
B. Detective
C. Corrective
D. Deterrent

83. What type of security control is a firewall?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

84. What is the primary purpose of a risk assessment?

A. Encrypt data
B. Identify and evaluate potential risks and vulnerabilities
C. Control access to network resources
D. Detect malware

85. Which of the following is an example of a secure file transfer protocol?

A. FTP
B. TFTP
C. SFTP
D. SCP

86. What type of attack involves an attacker intercepting and altering communication between two parties without
their knowledge?
A. Man-in-the-middle
B. Brute force
C. DDoS
D. Phishing

15
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

87. Which of the following is a type of incident that typically triggers the activation of a disaster recovery plan?
A. Hardware failure
B. Natural disaster
C. Cyberattack
D. All of the above

88. What is the primary purpose of a demilitarized zone (DMZ) in a network architecture?
A. Encrypt data
B. Monitor network traffic
C. Create a buffer zone between an organization's internal network and the internet
D. Detect malware

89. Which type of security control is a security camera?

A. Physical
B. Technical
C. Administrative
D. Preventative

90. What type of malware often disguises itself as legitimate software or is included in legitimate software that has
been tampered with?
A. Worm
B. Virus
C. Trojan
D. Ransomware

91. Which of the following is an example of an encryption key exchange protocol?

A. RSA
B. Diffie-Hellman
C. AES
D. Blowfish

92. What is the primary purpose of a honeypot?

A. Encrypt data
B. Attract and monitor attackers to gain insights and improve security
C. Control access to network resources
D. Detect malware

16
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

93. What type of security control is a user awareness training program?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

94. Which type of attack involves an attacker flooding a network with malformed packets?
A. Man-in-the-middle
B. Brute force
C. DDoS
D. Fragmentation attack

95. What type of security control is an audit log?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

96. Which of the following is an example of a data loss prevention (DLP) solution?
A. Digital Rights Management (DRM)
B. Encryption
C. Network monitoring
D. All of the above

97. What is the primary purpose of a secure software development lifecycle (SDLC) process?
A. Encrypt data
B. Monitor network traffic
C. Ensure that security is integrated throughout the software development process
D. Detect malware

98. What type of security control is a security policy?

A. Physical
B. Technical
C. Administrative
D. Preventative

17
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

99. Which of the following is an example of a mobile device management (MDM) solution?
A. Apple Configurator
B. Microsoft Intune
C. MobileIron
D. All of the above

100. What is the primary purpose of a network intrusion detection system (NIDS)?
A. Encrypt data
B. Monitor network traffic for signs of malicious activity
C. Control access to network resources
D. Detect malware

101. Which of the following is an example of a network access control (NAC) solution?
A. Cisco ISE
B. Microsoft Intune
C. MobileIron
D. Apple Configurator

102. What type of security control is a backup and restore solution?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

103. What is the primary purpose of a digital signature?

A. Encrypt data
B. Verify the integrity and authenticity of a message or document
C. Control access to network resources
D. Detect malware

104. Which type of attack involves an attacker sending unsolicited messages to a large number of recipients, often
for the purpose of spreading malware or phishing?
A. Man-in-the-middle
B. Brute force
C. DDoS
D. Spam

18
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

105. Which of the following is a type of network segmentation used to isolate different types of network traffic?
A. Subnetting
B. VLAN
C. DMZ
D. All of the above

106. What type of security control is an intrusion detection system (IDS)?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

107. What is the primary purpose of an incident response plan (IRP)?

A. Encrypt data
B. Prepare for, respond to, and recover from security incidents
C. Control access to network resources
D. Detect malware

108. Which of the following is an example of a secure communication protocol for remote administration?
A. Telnet
B. RDP
C. SSH
D. VNC

109. What type of security control involves restricting access to sensitive information based on a user's role or job
function?
A. Access control
B. Role-based access control (RBAC)
C. Discretionary access control (DAC)
D. Mandatory access control (MAC)

110. Which type of attack involves an attacker attempting to gain unauthorized access to an account by guessing or
cracking the password?
A. Password attack
B. Brute force
A. DDoS
B. Phishing

19
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

111. What is the primary purpose of an endpoint protection platform (EPP)?

A. Encrypt data
B. Monitor, detect, and prevent threats on endpoints
C. Control access to network resources
D. Detect malware

112. Which of the following is an example of a secure email protocol?

A. SMTP
B. IMAP
C. POP3
D. STARTTLS

113. What is the primary purpose of a threat intelligence platform?

A. Encrypt data
B. Collect, analyze, and share threat information to improve security defenses
C. Control access to network resources
D. Detect malware

114. Which type of security control is a secure coding guideline?

A. Physical
B. Technical
C. Administrative
D. Preventative

115. What type of attack involves an attacker exploiting a DNS server to redirect traffic to a malicious site?
A. Man-in-the-middle
B. DNS poisoning
C. DDoS
D. Phishing

116. Which of the following is an example of a secure password hashing algorithm?

A. MD5
B. SHA-1
C. bcrypt
D. DES

20
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

117. What is the primary purpose of a security operations center (SOC)?

A. Encrypt data
B. Monitor, detect, and respond to security incidents
C. Control access to network resources
D. Detect malware

118. What type of security control is a firewall rule?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

119. Which of the following is an example of a secure voice communication protocol?

A. H.323
B. SIP
C. RTP
D. SRTP

120. What is the primary purpose of a web application firewall (WAF)?

A. Encrypt data
B. Protect web applications from attacks and vulnerabilities
C. Control access to network resources
D. Detect malware

121. Which type of security control involves the implementation of physical barriers to prevent unauthorized
access to a facility?
A. Physical
B. Technical
C. Administrative
D. Preventative

122. What type of security control is a security group in a cloud environment?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

21
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

123. Which of the following is an example of a zero-day vulnerability?

A. A vulnerability that has been publicly disclosed but not yet patched by the vendor
B. A vulnerability that has been known for more than 30 days
C. A vulnerability that is actively being exploited before the vendor is aware of its existence
D. A vulnerability that has been patched by the vendor

124. What is the primary purpose of a virtual private network (VPN)?

A. Encrypt data
B. Create a secure, encrypted connection over a public network
C. Control access to network resources
D. Detect malware

125. Which of the following is an example of a defense-in-depth security strategy?

A. Implementing a single layer of security controls
B. Relying solely on a firewall for security
C. Implementing multiple layers of security controls to protect against a variety of threats
D. Focusing on perimeter security only

126. What type of security control is multi-factor authentication (MFA)?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

127. Which of the following is an example of a cloud deployment model?

A. Public cloud
B. Private cloud
C. Hybrid cloud
D. All of the above

128. What type of attack involves an attacker intercepting and forwarding network traffic between two parties?
A. Man-in-the-middle
B. Replay attack
C. DDoS
D. Phishing

22
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

129. Which of the following is an example of an IT governance framework?

A. NIST Cybersecurity Framework
B. ISO/IEC 27001
C. COBIT
D. ITIL

130. What is the primary purpose of a vulnerability assessment?

A. Encrypt data
B. Identify, quantify, and prioritize vulnerabilities in an organization's systems
C. Control access to network resources
D. Detect malware

131. Which type of security control is a security awareness training program?

A. Physical
B. Technical
C. Administrative
D. Preventative

132. What type of security control is a secure boot process?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

133. Which of the following is an example of a network monitoring tool?

A. Wireshark
B. Nmap
C. Nessus
D. Metasploit

23
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

134. What is the primary purpose of a security policy?

A. Encrypt data
B. Define an organization's security requirements, expectations, and responsibilities
C. Control access to network resources
D. Detect malware

135. Which of the following is an example of a secure coding best practice?

A. Input validation
B. Hardcoding passwords
C. Using deprecated functions
D. Ignoring error handling

136. What type of security control is an antivirus software?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

137. What is the primary purpose of a data classification policy?

A. Encrypt data
B. Organize and protect data according to its sensitivity and value
C. Control access to network resources
D. Detect malware

138. Which of the following is an example of a network vulnerability scanner?

A. Wireshark
B. Nmap
C. Nessus
D. Metasploit

139. What type of security control is a security incident and event management (SIEM) system?
A. Preventative
B. Detective
C. Corrective
D. Deterrent

24
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

140. What type of attack involves an attacker flooding a network with an excessive amount of traffic,
overwhelming its resources and causing a denial of service?
A. Man-in-the-middle
B. Brute force
C. DDoS
D. Phishing

141. What is the primary purpose of a digital forensics investigation?

A. Encrypt data
B. Collect, preserve, analyze, and present digital evidence in a legally admissible manner
C. Control access to network resources
D. Detect malware

142. Which of the following is an example of a host-based firewall?

A. pfSense
B. Windows Defender Firewall
C. Cisco ASA
D. Fortinet FortiGate

143. What is the primary purpose of an identity and access management (IAM) system?
A. Encrypt data
B. Manage and control user access to resources and data within an organization
C. Monitor network traffic
D. Detect malware

144. Which type of security control is a log analysis tool?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

145. What type of attack involves an attacker encrypting a victim's data and demanding payment in exchange for
the decryption key?
A. Man-in-the-middle
B. Brute force
C. DDoS
D. Ransomware

25
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

146. Which of the following is an example of a secure wireless communication protocol?

A. WEP
B. WPA
C. WPA2
D. WPA3

147. What is the primary purpose of a certificate authority (CA)?

A. Encrypt data
B. Issue and manage digital certificates for secure communication
C. Control access to network resources
D. Detect malware

148. Which type of security control is a data loss prevention (DLP) solution?
A. Preventative
B. Detective
C. Corrective
D. Deterrent

149. What type of security control is a network segmentation?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

150. Which of the following is an example of a social engineering attack?

A. Man-in-the-middle
B. Brute force
C. DDoS
D. Phishing

151. What type of security control is a biometric authentication system?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

26
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

152. Which of the following is an example of a privacy-enhancing technology?

A. Tor
B. VPN
C. HTTPS
D. All of the above

153. What type of attack involves an attacker sending a large number of SYN packets to a target system, causing it
to allocate resources for connections that will never be completed?
A. Man-in-the-middle
B. SYN flood
C. DDoS
D. Phishing

154. Which of the following is an example of a risk management framework?

A. NIST SP 800-37
B. ISO/IEC 27005
C. FAIR
D. All of the above

155. What is the primary purpose of a firewall?

A. Encrypt data
B. Control incoming and outgoing network traffic based on predetermined rules
C. Monitor network traffic
D. Detect malware

156. Which type of security control is a patch management system?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

157. What type of security control is a password policy?

A. Physical
B. Technical
C. Administrative
E. Preventative

27
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

158. Which of the following is an example of a network traffic analysis tool?

A. Wireshark
B. Nmap
C. Nessus
D. Metasploit

159. What is the primary purpose of a business continuity plan (BCP)?

A. Encrypt data
B. Ensure the continued operation of an organization during and after a disruption or disaster
C. Control access to network resources
D. Detect malware

160. Which of the following is an example of a cybersecurity framework?

A. NIST Cybersecurity Framework
B. ISO/IEC 27001
C. CIS Critical Security Controls
D. All of the above

161. What type of security control is a host-based intrusion detection system (HIDS)?
A. Preventative
B. Detective
C. Corrective
D. Deterrent

162. What is the primary purpose of a security information and event management (SIEM) system?
A. Encrypt data
B. Aggregate, analyze, and correlate log data from various sources to detect and respond to security
incidents
C. Control access to network resources
D. Detect malware

163. Which of the following is an example of a cloud access security broker (CASB)?
A. Microsoft Cloud App Security
B. McAfee MVISION Cloud
C. Netskope
E. All of the above

28
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

164. What type of security control is a secure software development lifecycle (SDLC) process?
A. Physical
B. Technical
C. Administrative
D. Preventative

165. Which type of attack involves an attacker compromising a legitimate website to serve malicious content or
exploit user vulnerabilities?
A. Man-in-the-middle
B. Brute force
C. DDoS
D. Watering hole

166. What is the primary purpose of a public key infrastructure (PKI)?

A. Manage and distribute public and private cryptographic keys for secure communication
B. Detect and prevent network intrusions
C. Control access to network resources
E. Detect malware

167. Which of the following is an example of a secure file transfer protocol?

A. FTP
B. TFTP
C. SFTP
D. SCP

168. What type of security control is a log retention policy?

A. Physical
B. Technical
C. Administrative
D. Preventative

169. Which type of security control is a user access review?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

29
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

170. What is the primary purpose of a data encryption standard (DES)?

A. Provide symmetric-key encryption for secure communication
B. Detect and prevent network intrusions
C. Control access to network resources
D. Detect malware

171. Which of the following is an example of a cryptographic hash function?

A. AES
B. RSA
C. SHA-256
D. 3DES

172. What type of security control is a network intrusion detection system (NIDS)?
A. Preventative
B. Detective
C. Corrective
D. Deterrent

173. What is the primary purpose of a key management system?

A. Generate, store, distribute, and revoke cryptographic keys
B. Detect and prevent network intrusions
C. Control access to network resources
D. Detect malware

174. Which of the following is an example of a secure web communication protocol?

A. HTTP
B. HTTPS
C. FTP
D. SSH

175. What type of security control is a hardware security module (HSM)?

A. Physical
B. Technical
C. Administrative
D. Preventative

30
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

176. Which of the following is an example of a containerization technology?

A. Docker
B. Kubernetes
C. OpenStack
D. VMware

177. What type of attack involves an attacker sending a large number of ICMP echo request packets to a target
system, causing it to respond with an equal number of echo reply packets, overwhelming its resources?
A. Ping flood
B. SYN flood
C. DDoS
D. Phishing

178. Which of the following is an example of a secure email communication protocol?

A. POP3
B. IMAP
C. SMTP
D. SMTPS

179. What is the primary purpose of a threat intelligence platform?

A. Encrypt data
B. Collect, analyze, and share threat intelligence data for improved security decision-making
C. Control access to network resources
D. Detect malware

180. Which type of security control is an intrusion prevention system (IPS)?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

181. What type of security control is an information security policy?

A. Physical
B. Technical
C. Administrative
D. Preventative

31
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

182. Which of the following is an example of a network scanning tool?

A. Wireshark
B. Nmap
C. Nessus
D. Metasploit

183. What is the primary purpose of a disaster recovery plan (DRP)?

A. Encrypt data
B. Define the procedures for restoring an organization's critical systems and data after a disruption or
disaster
C. Control access to network resources
D. Detect malware

184. Which of the following is an example of a mobile device management (MDM) solution?
A. AirWatch
B. MobileIron
C. Microsoft Intune
D. All of the above

185. What type of security control is an intrusion detection system (IDS)?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

186. What is the primary purpose of a risk assessment?

A. Encrypt data
B. Identify and evaluate the potential impact of threats and vulnerabilities to an organization's assets
C. Control access to network resources
D. Detect malware

187. Which of the following is an example of a virtual private network (VPN) protocol?
A. PPTP
B. L2TP
C. IPSec
D. All of the above

32
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

188. What type of security control is an incident response plan?

A. Physical
B. Technical
C. Administrative
D. Preventative

189. Which type of attack involves an attacker using multiple systems to target a single system with a flood of
network packets?
A. Man-in-the-middle
B. Brute force
C. Distributed denial of service (DDoS)
D. Phishing

190. What is the primary purpose of an authentication, authorization, and accounting (AAA) system?
A. Ensure that users are who they claim to be, grant appropriate access, and track user activities
B. Detect and prevent network intrusions
C. Control access to network resources
D. Detect malware

191. Which of the following is an example of a secure shell (SSH) client?

A. PuTTY
B. WinSCP
C. FileZilla
D. All of the above

192. What type of security control is a security operations center (SOC)?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

193. What is the primary purpose of a honeypot?

A. Encrypt data
B. Attract and observe attackers to gain insight into their tactics, techniques, and procedures
C. Control access to network resources
D. Detect malware

33
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

194. Which of the following is an example of a network access control (NAC) solution?
A. Cisco ISE
B. Forescout CounterACT
C. Aruba ClearPass
D. All of the above

195. What type of security control is an asset management system?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

196. What is the primary purpose of a secure socket layer (SSL) certificate?
A. Encrypt data and authenticate the identity of a website
B. Detect and prevent network intrusions
C. Control access to network resources
D. Detect malware

197. Which of the following is an example of a symmetric encryption algorithm?

A. RSA
B. Diffie-Hellman
C. AES
D. ElGamal

198. What type of security control is a web application firewall (WAF)?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

199. Which type of attack involves an attacker attempting to gain unauthorized access to a system by trying every
possible combination of characters until the correct password is found?
A. Man-in-the-middle
B. Brute force
C. DDoS
D. Phishing

34
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

200. What is the primary purpose of a demilitarized zone (DMZ)?

A. Encrypt data
B. Separate an organization's internal network from the internet while allowing specific services to be
accessible
C. Control access to network resources
D. Detect malware

35
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

1. C 51. C 101.A 151.A

2. B 52. C 102.C 152.D
3. B 53. A 103.B 153.B
4. B 54. B 104.D 154.D
5. B 55. C 105.D 155.B
6. D 56. D 106.B 156.C
7. B 57. C 107.B 157.C
8. C 58. C 108.C 158.A
9. C 59. D 109.B 159.B
10. B 60. D 110.B 160.D
11. D 61. D 111.B 161.B
12. B 62. D 112.D 162.B
13. C 63. D 113.B 163.D
14. A 64. D 114.D 164.D
15. B 65. A 115.B 165.D
16. A 66. B 116.C 166.A
17. A 67. B 117.B 167.C
18. B 68. A 118.A 168.C
19. C 69. C 119.D 169.B
20. A 70. D 120.B 170.A
21. B 71. B 121.A 171.C
22. A 72. B 122.A 172.B
23. B 73. B 123.C 173.A
24. A 74. A 124.B 174.B
25. A 75. D 125.C 175.D
26. A 76. B 126.A 176.A
27. A 77. D 127.D 177.A
28. D 78. B 128.A 178.D
29. B 79. D 129.C 179.B
30. C 80. A 130.B 180.A
31. A 81. B 131.C 181.C
32. D 82. B 132.A 182.B
33. B 83. A 133.A 183.B
34. B 84. B 134.B 184.D
35. D 85. C 135.A 185.B
36. C 86. A 136.C 186.B
37. B 87. D 137.B 187.D
38. D 88. C 138.C 188.C
39. C 89. A 139.B 189.C
40. B 90. C 140.C 190.A
41. B 91. B 141.B 191.D
42. C 92. B 142.B 192.B
43. B 93. A 143.B 193.B
44. C 94. D 144.B 194.D
45. D 95. B 145.D 195.A
46. C 96. D 146.D 196.A
47. B 97. C 147.B 197.C
48. C 98. C 148.A 198.A
49. B 99. D 149.A 199.B
50. C 100.B 150.D 200.B

36
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

1. What is the primary purpose of a firewall in network security?

A. Encrypting data
B. Monitoring network traffic
C. Controlling access to network resources
D. Detecting malware

2. What type of attack involves intercepting and modifying communication between two parties?
A. Phishing
B. Man-in-the-middle
C. DDoS
D. Brute force

3. Which of the following encryption algorithms is symmetric?

A. RSA
B. AES
C. Diffie-Hellman
D. ECC

4. What is the primary purpose of a VPN (Virtual Private Network)?

A. Anonymize browsing
B. Secure communication over public networks
C. Filter out malicious content
D. Monitor network traffic

5. Which of the following is a secure protocol for transferring files?

A. FTP
B. SFTP
C. TFTP
D. SNMP

1
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

6. Which of the following is NOT a type of access control?

A. DAC
B. MAC
C. RBAC
D. HAC

7. What is the primary purpose of an Intrusion Detection System (IDS)?

A. Encrypting data
B. Monitoring and alerting on potential security breaches
C. Controlling access to network resources
D. Detecting malware

8. Which of the following is a form of social engineering?

A. SQL injection
B. DDoS
C. Phishing
D. Cross-site scripting

9. What type of vulnerability assessment actively attempts to exploit vulnerabilities?

A. Passive scanning
B. Active scanning
C. Penetration testing
D. Baseline reporting

10. What is the primary purpose of a digital signature?

A. Ensure confidentiality
B. Verify sender identity and data integrity
C. Encrypt data
D. Authenticate users

11. Which of the following is a common method for securely erasing data on a hard drive?
A. Overwriting
B. Degaussing
C. Shredding
D. All of the above

2
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

12. Which of the following best describes a risk assessment?

A. A method for identifying vulnerabilities in a system
B. A process for prioritizing risks based on likelihood and impact
C. A framework for managing risks
D. A tool for quantifying risks

13. Which of the following is a type of biometric authentication?

A. Password
B. Smart card
C. Fingerprint scan
D. PIN

14. Which of the following is a public key infrastructure (PKI) component?

A. Certificate authority (CA)
B. Intrusion detection system (IDS)
C. VPN
D. Firewall

15. What is a zero-day vulnerability?

A. A vulnerability that is known but unpatched
B. A vulnerability that is unknown and unpatched
C. A vulnerability that has been patched
D. A vulnerability that is actively being exploited

16. What type of malware typically spreads itself through network connections?
A. Worm
B. Virus
C. Trojan
D. Spyware

17. Which of the following best describes a honeypot?

A. A decoy system used to attract and detect attackers
B. A type of firewall
C. A secure storage location for sensitive data
D. A tool for scanning network vulnerabilities

3
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

18. What is the primary purpose of a Security Information and Event Management (SIEM) system?
A. Encrypting data
B. Centralizing and analyzing log data from various sources
C. Controlling access to network resources
D. Detecting malware

19. Which of the following is a type of physical security control?

A. Firewall
B. Intrusion detection system (IDS)
C. Mantrap
D. Security policy

20. What does the principle of least privilege (POLP) dictate?

A. Users should only have the permissions necessary to perform their job functions
B. Users should have full access to all systems and resources
C. Users should share login credentials to streamline work processes
D. Users should have different levels of access based on seniority

21. Which of the following is an example of a security incident?

A. Software malfunction
B. Unauthorized access to sensitive data
C. Hardware failure
D. Scheduled system maintenance

22. What is the primary purpose of a Data Loss Prevention (DLP) solution?
A. Detecting and preventing unauthorized data transfers
B. Encrypting data at rest and in transit
C. Monitoring network traffic
D. Scanning for malware

23. What type of attack involves overwhelming a target system with traffic or requests?
A. Man-in-the-middle
B. DDoS
C. Brute force
D. Phishing

4
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

24. Which of the following is a best practice for secure password management?
A. Use of complex, unique passwords for each account
B. Sharing passwords with trusted colleagues
C. Writing passwords on sticky notes for easy access
D. Using the same password for all accounts

25. What type of attack involves an attacker sending malformed or malicious data to a target application?
A. Buffer overflow
B. SQL injection
C. Cross-site scripting (XSS)
D. Brute force

26. Which security concept ensures that data is only accessible to authorized users?
A. Confidentiality
B. Integrity
C. Availability
D. Non-repudiation

27. What type of backup strategy involves creating a copy of only the data that has changed since the last full
backup?
A. Incremental backup
B. Differential backup
C. Full backup
D. Snapshot backup

28. Which of the following is a secure email protocol that encrypts both messages and attachments?
A. SMTP
B. IMAP
C. POP3
D. S/MIME

5
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

29. Which of the following is a type of hardware-based security technology that isolates and protects sensitive data
on a device?
A. HSM
B. TPM
C. BIOS
D. UTM

30. What type of attack involves an attacker sending unsolicited messages to a large number of recipients?
A. DDoS
B. Brute force
C. Spam
D. Phishing

31. What is the primary purpose of two-factor authentication (2FA)?

A. Increase security by requiring two different authentication methods
B. Encrypt data in transit
C. Monitor network traffic
D. Detect malware

32. Which of the following is an example of a network segmentation technique?

A. DMZ
B. VLAN
C. Subnetting
D. All of the above

33. Which type of cryptography uses two keys, one for encryption and one for decryption?
A. Symmetric-key cryptography
B. Asymmetric-key cryptography
C. Hash function
D. Digital signature

34. What is the primary purpose of a Security Operations Center (SOC)?

A. Encrypt data
B. Monitor and respond to security incidents
C. Control access to network resources
D. Detect malware

6
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

35. Which of the following is an example of a wireless security protocol?

A. WEP
B. WPA2
C. WPA3
D. All of the above

36. What is the primary purpose of a Network Access Control (NAC) system?
A. Encrypt data
B. Monitor network traffic
C. Control access to network resources based on device compliance
D. Detect malware

37. Which type of malware typically requires user interaction to execute and spread?
A. Worm
B. Virus
C. Trojan
D. Ransomware

38. Which of the following is a common method for detecting a rootkit?

A. Signature-based detection
B. Heuristic analysis
C. Behavior monitoring
D. All of the above

39. What is the primary purpose of a patch management process?

A. Detect and prevent unauthorized data transfers
B. Encrypt data at rest and in transit
C. Maintain system security and stability by applying updates
D. Scan for malware

40. Which type of security testing involves a tester with limited knowledge of the target system?
A. White box testing
B. Gray box testing
C. Black box testing
D. Red team testing

7
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

41. What is the primary purpose of an incident response plan?

A. Detect security incidents
B. Provide a structured approach for managing security incidents
C. Prevent security incidents
D. Recover from security incidents

42. Which of the following is an example of a security control that provides redundancy?

A. Firewall
B. Intrusion detection system (IDS)
C. Backup generator
D. VPN

43. What is the primary purpose of a port scanner?

A. Encrypt data
B. Identify open network ports and services
C. Control access to network resources
D. Detect malware

44. What type of disaster recovery strategy involves running systems and applications at a secondary site after a
disaster?
A. Cold site
B. Warm site
C. Hot site
D. Mobile site

45. What is the primary purpose of an antivirus software?

A. Encrypt data
B. Monitor network traffic
C. Control access to network resources
D. Detect and remove malware

46. Which type of attack involves exploiting a vulnerability in a system or application before the developer can fix it?
A. Brute force
B. DDoS
C. Zero-day exploit
D. Man-in-the-middle

8
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

47. What is the primary purpose of a password manager?

A. Encrypt data
B. Store and manage user passwords securely
C. Control access to network resources
D. Detect malware

48. Which of the following is a type of secure web communication protocol?

A. HTTP
B. FTP
C. HTTPS
D. Telnet

49. What type of attack involves an attacker repeatedly attempting to guess a user's login credentials?
A. Man-in-the-middle
B. Brute force
C. DDoS
D. Phishing

50. What type of security control is a security policy?

A. Physical
B. Technical
C. Administrative
D. Preventative

51. Which of the following best describes an Information Security Management System (ISMS)?
A. A hardware device for securing data
B. A software tool for detecting security incidents
C. A framework for managing and protecting information assets
D. A set of guidelines for responding to security incidents

52. Which of the following is an example of a physical access control?

A. Encryption
B. Antivirus software
C. Keycard lock
D. Firewall

9
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

53. What type of security control is an intrusion prevention system (IPS)?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

54. Which of the following is a best practice for securing wireless networks?
A. Using weak encryption protocols
B. Disabling SSID broadcasting
C. Allowing open guest networks
D. Not using a pre-shared key

55. What is the primary purpose of a vulnerability scanner?

A. Encrypt data
B. Monitor network traffic
C. Identify potential security weaknesses in systems and networks
D. Detect malware

56. Which of the following is an example of a cloud computing deployment model?

A. Public cloud
B. Private cloud
C. Hybrid cloud
D. All of the above

57. Which type of authentication factor category does a fingerprint scanner belong to?
A. Something you know
B. Something you have
C. Something you are
D. Somewhere you are

58. What type of security control is a security awareness training program?

A. Physical
B. Technical
C. Administrative
D. Preventative

10
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

59. Which of the following is an example of a network security monitoring tool?

A. HIDS
B. NIDS
C. DLP
D. All of the above

60. What type of attack involves an attacker gaining unauthorized access to a system by exploiting a vulnerability?
A. Man-in-the-middle
B. Brute force
C. DDoS
D. Exploit

61. What type of malware is designed to encrypt a victim's files and demand a ransom for decryption?
A. Worm
B. Virus
C. Trojan
D. Ransomware

62. Which of the following is a standard for securely exchanging authentication and authorization data between
parties?
A. OAuth
B. SAML
C. OpenID Connect
D. All of the above

63. What is the primary purpose of a data classification policy?

A. Encrypt data
B. Monitor network traffic
C. Control access to network resources
D. Identify and protect sensitive data based on its value and risk

11
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

64. Which of the following is a type of security control that deters attackers by increasing the perceived effort or risk
of an attack?
A. Preventative
B. Detective
C. Corrective
D. Deterrent

65. What type of security testing involves a tester with full knowledge of the target system?
A. White box testing
B. Gray box testing
C. Black box testing
D. Red team testing

66. What is the primary purpose of a business continuity plan (BCP)?

A. Detect security incidents
B. Ensure the continued operation of an organization during and after a disruptive event
C. Prevent security incidents
D. Recover from security incidents

67. Which of the following is a type of encryption algorithm that provides both authentication and encryption?
A. RSA
B. AES-GCM
C. DES
D. 3DES

68. What type of attack involves the unauthorized use of a user's session identifier to gain access to their account?
A. Session hijacking
B. Brute force
C. DDoS
D. Phishing

12
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

69. What type of network security device combines multiple security functions into a single appliance?
A. Intrusion Detection System (IDS)
B. Firewall
C. Unified Threat Management (UTM)
D. Data Loss Prevention (DLP)

70. What is the primary purpose of a key management system?

A. Encrypt data
B. Monitor network traffic
C. Control access to network resources
D. Securely generate, store, and manage cryptographic keys

71. Which of the following is an example of a secure remote access technology?

A. Remote Desktop Protocol (RDP)
B. Secure Shell (SSH)
C. Telnet
D. Virtual Network Computing (VNC)

72. What type of cybersecurity incident involves an attacker exploiting a web application to send malicious code to a
user's browser?
A. SQL injection
B. Cross-site scripting (XSS)
C. CSRF
D. Buffer overflow

73. What is the primary purpose of a digital certificate?

A. Encrypt data
B. Verify the identity of an entity and establish trust
C. Control access to network resources
D. Detect malware

74. Which of the following is a best practice for managing vendor risks?
A. Assessing vendors' security controls and practices
B. Providing vendors with unrestricted access to systems and data
C. Ignoring vendor risks
D. Relying solely on the vendor's reputation

13
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

75. Which of the following is an example of an Information Security Framework?

A. NIST Cybersecurity Framework
B. ISO/IEC 27001
C. CIS Critical Security Controls
D. All of the above

76. Which of the following is an example of an email security best practice?

A. Disabling email filtering
B. Using digital signatures
C. Opening all email attachments
D. Trusting all email links

77. What type of security testing involves a simulated attack on an organization's systems to assess their security
posture?
A. White box testing
B. Gray box testing
C. Black box testing
D. Red team testing

78. Which of the following is an example of a host-based intrusion detection system (HIDS)?
A. Snort
B. OSSEC
C. Suricata
D. Bro

79. What type of biometric authentication method involves analyzing a user's typing rhythm and patterns?
A. Fingerprint recognition
B. Iris recognition
C. Voice recognition
D. Keystroke dynamics

80. Which of the following is an example of a network-based intrusion detection system (NIDS)?
A. Snort
B. OSSEC
C. Suricata
D. Bro

14
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

81. What is the primary purpose of a Security Information and Event Management (SIEM) system?
A. Encrypt data
B. Aggregate, analyze, and correlate security event data from multiple sources
C. Control access to network resources
D. Detect malware

82. Which type of security control involves creating a baseline of normal system behavior and alerting when
deviations occur?
A. Preventative
B. Detective
C. Corrective
D. Deterrent

83. What type of security control is a firewall?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

84. What is the primary purpose of a risk assessment?

A. Encrypt data
B. Identify and evaluate potential risks and vulnerabilities
C. Control access to network resources
D. Detect malware

85. Which of the following is an example of a secure file transfer protocol?

A. FTP
B. TFTP
C. SFTP
D. SCP

86. What type of attack involves an attacker intercepting and altering communication between two parties without
their knowledge?
A. Man-in-the-middle
B. Brute force
C. DDoS
D. Phishing

15
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

87. Which of the following is a type of incident that typically triggers the activation of a disaster recovery plan?
A. Hardware failure
B. Natural disaster
C. Cyberattack
D. All of the above

88. What is the primary purpose of a demilitarized zone (DMZ) in a network architecture?
A. Encrypt data
B. Monitor network traffic
C. Create a buffer zone between an organization's internal network and the internet
D. Detect malware

89. Which type of security control is a security camera?

A. Physical
B. Technical
C. Administrative
D. Preventative

90. What type of malware often disguises itself as legitimate software or is included in legitimate software that has
been tampered with?
A. Worm
B. Virus
C. Trojan
D. Ransomware

91. Which of the following is an example of an encryption key exchange protocol?

A. RSA
B. Diffie-Hellman
C. AES
D. Blowfish

92. What is the primary purpose of a honeypot?

A. Encrypt data
B. Attract and monitor attackers to gain insights and improve security
C. Control access to network resources
D. Detect malware

16
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

93. What type of security control is a user awareness training program?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

94. Which type of attack involves an attacker flooding a network with malformed packets?
A. Man-in-the-middle
B. Brute force
C. DDoS
D. Fragmentation attack

95. What type of security control is an audit log?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

96. Which of the following is an example of a data loss prevention (DLP) solution?
A. Digital Rights Management (DRM)
B. Encryption
C. Network monitoring
D. All of the above

97. What is the primary purpose of a secure software development lifecycle (SDLC) process?
A. Encrypt data
B. Monitor network traffic
C. Ensure that security is integrated throughout the software development process
D. Detect malware

98. What type of security control is a security policy?

A. Physical
B. Technical
C. Administrative
D. Preventative

17
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

99. Which of the following is an example of a mobile device management (MDM) solution?
A. Apple Configurator
B. Microsoft Intune
C. MobileIron
D. All of the above

100. What is the primary purpose of a network intrusion detection system (NIDS)?
A. Encrypt data
B. Monitor network traffic for signs of malicious activity
C. Control access to network resources
D. Detect malware

101. Which of the following is an example of a network access control (NAC) solution?
A. Cisco ISE
B. Microsoft Intune
C. MobileIron
D. Apple Configurator

102. What type of security control is a backup and restore solution?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

103. What is the primary purpose of a digital signature?

A. Encrypt data
B. Verify the integrity and authenticity of a message or document
C. Control access to network resources
D. Detect malware

104. Which type of attack involves an attacker sending unsolicited messages to a large number of recipients, often
for the purpose of spreading malware or phishing?
A. Man-in-the-middle
B. Brute force
C. DDoS
D. Spam

18
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

105. Which of the following is a type of network segmentation used to isolate different types of network traffic?
A. Subnetting
B. VLAN
C. DMZ
D. All of the above

106. What type of security control is an intrusion detection system (IDS)?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

107. What is the primary purpose of an incident response plan (IRP)?

A. Encrypt data
B. Prepare for, respond to, and recover from security incidents
C. Control access to network resources
D. Detect malware

108. Which of the following is an example of a secure communication protocol for remote administration?
A. Telnet
B. RDP
C. SSH
D. VNC

109. What type of security control involves restricting access to sensitive information based on a user's role or job
function?
A. Access control
B. Role-based access control (RBAC)
C. Discretionary access control (DAC)
D. Mandatory access control (MAC)

110. Which type of attack involves an attacker attempting to gain unauthorized access to an account by guessing or
cracking the password?
A. Password attack
B. Brute force
A. DDoS
B. Phishing

19
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

111. What is the primary purpose of an endpoint protection platform (EPP)?

A. Encrypt data
B. Monitor, detect, and prevent threats on endpoints
C. Control access to network resources
D. Detect malware

112. Which of the following is an example of a secure email protocol?

A. SMTP
B. IMAP
C. POP3
D. STARTTLS

113. What is the primary purpose of a threat intelligence platform?

A. Encrypt data
B. Collect, analyze, and share threat information to improve security defenses
C. Control access to network resources
D. Detect malware

114. Which type of security control is a secure coding guideline?

A. Physical
B. Technical
C. Administrative
D. Preventative

115. What type of attack involves an attacker exploiting a DNS server to redirect traffic to a malicious site?
A. Man-in-the-middle
B. DNS poisoning
C. DDoS
D. Phishing

116. Which of the following is an example of a secure password hashing algorithm?

A. MD5
B. SHA-1
C. bcrypt
D. DES

20
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

117. What is the primary purpose of a security operations center (SOC)?

A. Encrypt data
B. Monitor, detect, and respond to security incidents
C. Control access to network resources
D. Detect malware

118. What type of security control is a firewall rule?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

119. Which of the following is an example of a secure voice communication protocol?

A. H.323
B. SIP
C. RTP
D. SRTP

120. What is the primary purpose of a web application firewall (WAF)?

A. Encrypt data
B. Protect web applications from attacks and vulnerabilities
C. Control access to network resources
D. Detect malware

121. Which type of security control involves the implementation of physical barriers to prevent unauthorized
access to a facility?
A. Physical
B. Technical
C. Administrative
D. Preventative

122. What type of security control is a security group in a cloud environment?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

21
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

123. Which of the following is an example of a zero-day vulnerability?

A. A vulnerability that has been publicly disclosed but not yet patched by the vendor
B. A vulnerability that has been known for more than 30 days
C. A vulnerability that is actively being exploited before the vendor is aware of its existence
D. A vulnerability that has been patched by the vendor

124. What is the primary purpose of a virtual private network (VPN)?

A. Encrypt data
B. Create a secure, encrypted connection over a public network
C. Control access to network resources
D. Detect malware

125. Which of the following is an example of a defense-in-depth security strategy?

A. Implementing a single layer of security controls
B. Relying solely on a firewall for security
C. Implementing multiple layers of security controls to protect against a variety of threats
D. Focusing on perimeter security only

126. What type of security control is multi-factor authentication (MFA)?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

127. Which of the following is an example of a cloud deployment model?

A. Public cloud
B. Private cloud
C. Hybrid cloud
D. All of the above

128. What type of attack involves an attacker intercepting and forwarding network traffic between two parties?
A. Man-in-the-middle
B. Replay attack
C. DDoS
D. Phishing

22
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

129. Which of the following is an example of an IT governance framework?

A. NIST Cybersecurity Framework
B. ISO/IEC 27001
C. COBIT
D. ITIL

130. What is the primary purpose of a vulnerability assessment?

A. Encrypt data
B. Identify, quantify, and prioritize vulnerabilities in an organization's systems
C. Control access to network resources
D. Detect malware

131. Which type of security control is a security awareness training program?

A. Physical
B. Technical
C. Administrative
D. Preventative

132. What type of security control is a secure boot process?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

133. Which of the following is an example of a network monitoring tool?

A. Wireshark
B. Nmap
C. Nessus
D. Metasploit

23
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

134. What is the primary purpose of a security policy?

A. Encrypt data
B. Define an organization's security requirements, expectations, and responsibilities
C. Control access to network resources
D. Detect malware

135. Which of the following is an example of a secure coding best practice?

A. Input validation
B. Hardcoding passwords
C. Using deprecated functions
D. Ignoring error handling

136. What type of security control is an antivirus software?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

137. What is the primary purpose of a data classification policy?

A. Encrypt data
B. Organize and protect data according to its sensitivity and value
C. Control access to network resources
D. Detect malware

138. Which of the following is an example of a network vulnerability scanner?

A. Wireshark
B. Nmap
C. Nessus
D. Metasploit

139. What type of security control is a security incident and event management (SIEM) system?
A. Preventative
B. Detective
C. Corrective
D. Deterrent

24
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

140. What type of attack involves an attacker flooding a network with an excessive amount of traffic,
overwhelming its resources and causing a denial of service?
A. Man-in-the-middle
B. Brute force
C. DDoS
D. Phishing

141. What is the primary purpose of a digital forensics investigation?

A. Encrypt data
B. Collect, preserve, analyze, and present digital evidence in a legally admissible manner
C. Control access to network resources
D. Detect malware

142. Which of the following is an example of a host-based firewall?

A. pfSense
B. Windows Defender Firewall
C. Cisco ASA
D. Fortinet FortiGate

143. What is the primary purpose of an identity and access management (IAM) system?
A. Encrypt data
B. Manage and control user access to resources and data within an organization
C. Monitor network traffic
D. Detect malware

144. Which type of security control is a log analysis tool?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

145. What type of attack involves an attacker encrypting a victim's data and demanding payment in exchange for
the decryption key?
A. Man-in-the-middle
B. Brute force
C. DDoS
D. Ransomware

25
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

146. Which of the following is an example of a secure wireless communication protocol?

A. WEP
B. WPA
C. WPA2
D. WPA3

147. What is the primary purpose of a certificate authority (CA)?

A. Encrypt data
B. Issue and manage digital certificates for secure communication
C. Control access to network resources
D. Detect malware

148. Which type of security control is a data loss prevention (DLP) solution?
A. Preventative
B. Detective
C. Corrective
D. Deterrent

149. What type of security control is a network segmentation?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

150. Which of the following is an example of a social engineering attack?

A. Man-in-the-middle
B. Brute force
C. DDoS
D. Phishing

151. What type of security control is a biometric authentication system?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

26
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

152. Which of the following is an example of a privacy-enhancing technology?

A. Tor
B. VPN
C. HTTPS
D. All of the above

153. What type of attack involves an attacker sending a large number of SYN packets to a target system, causing it
to allocate resources for connections that will never be completed?
A. Man-in-the-middle
B. SYN flood
C. DDoS
D. Phishing

154. Which of the following is an example of a risk management framework?

A. NIST SP 800-37
B. ISO/IEC 27005
C. FAIR
D. All of the above

155. What is the primary purpose of a firewall?

A. Encrypt data
B. Control incoming and outgoing network traffic based on predetermined rules
C. Monitor network traffic
D. Detect malware

156. Which type of security control is a patch management system?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

157. What type of security control is a password policy?

A. Physical
B. Technical
C. Administrative
E. Preventative

27
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

158. Which of the following is an example of a network traffic analysis tool?

A. Wireshark
B. Nmap
C. Nessus
D. Metasploit

159. What is the primary purpose of a business continuity plan (BCP)?

A. Encrypt data
B. Ensure the continued operation of an organization during and after a disruption or disaster
C. Control access to network resources
D. Detect malware

160. Which of the following is an example of a cybersecurity framework?

A. NIST Cybersecurity Framework
B. ISO/IEC 27001
C. CIS Critical Security Controls
D. All of the above

161. What type of security control is a host-based intrusion detection system (HIDS)?
A. Preventative
B. Detective
C. Corrective
D. Deterrent

162. What is the primary purpose of a security information and event management (SIEM) system?
A. Encrypt data
B. Aggregate, analyze, and correlate log data from various sources to detect and respond to security
incidents
C. Control access to network resources
D. Detect malware

163. Which of the following is an example of a cloud access security broker (CASB)?
A. Microsoft Cloud App Security
B. McAfee MVISION Cloud
C. Netskope
E. All of the above

28
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

164. What type of security control is a secure software development lifecycle (SDLC) process?
A. Physical
B. Technical
C. Administrative
D. Preventative

165. Which type of attack involves an attacker compromising a legitimate website to serve malicious content or
exploit user vulnerabilities?
A. Man-in-the-middle
B. Brute force
C. DDoS
D. Watering hole

166. What is the primary purpose of a public key infrastructure (PKI)?

A. Manage and distribute public and private cryptographic keys for secure communication
B. Detect and prevent network intrusions
C. Control access to network resources
E. Detect malware

167. Which of the following is an example of a secure file transfer protocol?

A. FTP
B. TFTP
C. SFTP
D. SCP

168. What type of security control is a log retention policy?

A. Physical
B. Technical
C. Administrative
D. Preventative

169. Which type of security control is a user access review?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

29
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

170. What is the primary purpose of a data encryption standard (DES)?

A. Provide symmetric-key encryption for secure communication
B. Detect and prevent network intrusions
C. Control access to network resources
D. Detect malware

171. Which of the following is an example of a cryptographic hash function?

A. AES
B. RSA
C. SHA-256
D. 3DES

172. What type of security control is a network intrusion detection system (NIDS)?
A. Preventative
B. Detective
C. Corrective
D. Deterrent

173. What is the primary purpose of a key management system?

A. Generate, store, distribute, and revoke cryptographic keys
B. Detect and prevent network intrusions
C. Control access to network resources
D. Detect malware

174. Which of the following is an example of a secure web communication protocol?

A. HTTP
B. HTTPS
C. FTP
D. SSH

175. What type of security control is a hardware security module (HSM)?

A. Physical
B. Technical
C. Administrative
D. Preventative

30
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

176. Which of the following is an example of a containerization technology?

A. Docker
B. Kubernetes
C. OpenStack
D. VMware

177. What type of attack involves an attacker sending a large number of ICMP echo request packets to a target
system, causing it to respond with an equal number of echo reply packets, overwhelming its resources?
A. Ping flood
B. SYN flood
C. DDoS
D. Phishing

178. Which of the following is an example of a secure email communication protocol?

A. POP3
B. IMAP
C. SMTP
D. SMTPS

179. What is the primary purpose of a threat intelligence platform?

A. Encrypt data
B. Collect, analyze, and share threat intelligence data for improved security decision-making
C. Control access to network resources
D. Detect malware

180. Which type of security control is an intrusion prevention system (IPS)?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

181. What type of security control is an information security policy?

A. Physical
B. Technical
C. Administrative
D. Preventative

31
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

182. Which of the following is an example of a network scanning tool?

A. Wireshark
B. Nmap
C. Nessus
D. Metasploit

183. What is the primary purpose of a disaster recovery plan (DRP)?

A. Encrypt data
B. Define the procedures for restoring an organization's critical systems and data after a disruption or
disaster
C. Control access to network resources
D. Detect malware

184. Which of the following is an example of a mobile device management (MDM) solution?
A. AirWatch
B. MobileIron
C. Microsoft Intune
D. All of the above

185. What type of security control is an intrusion detection system (IDS)?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

186. What is the primary purpose of a risk assessment?

A. Encrypt data
B. Identify and evaluate the potential impact of threats and vulnerabilities to an organization's assets
C. Control access to network resources
D. Detect malware

187. Which of the following is an example of a virtual private network (VPN) protocol?
A. PPTP
B. L2TP
C. IPSec
D. All of the above

32
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

188. What type of security control is an incident response plan?

A. Physical
B. Technical
C. Administrative
D. Preventative

189. Which type of attack involves an attacker using multiple systems to target a single system with a flood of
network packets?
A. Man-in-the-middle
B. Brute force
C. Distributed denial of service (DDoS)
D. Phishing

190. What is the primary purpose of an authentication, authorization, and accounting (AAA) system?
A. Ensure that users are who they claim to be, grant appropriate access, and track user activities
B. Detect and prevent network intrusions
C. Control access to network resources
D. Detect malware

191. Which of the following is an example of a secure shell (SSH) client?

A. PuTTY
B. WinSCP
C. FileZilla
D. All of the above

192. What type of security control is a security operations center (SOC)?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

193. What is the primary purpose of a honeypot?

A. Encrypt data
B. Attract and observe attackers to gain insight into their tactics, techniques, and procedures
C. Control access to network resources
D. Detect malware

33
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

194. Which of the following is an example of a network access control (NAC) solution?
A. Cisco ISE
B. Forescout CounterACT
C. Aruba ClearPass
D. All of the above

195. What type of security control is an asset management system?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

196. What is the primary purpose of a secure socket layer (SSL) certificate?
A. Encrypt data and authenticate the identity of a website
B. Detect and prevent network intrusions
C. Control access to network resources
D. Detect malware

197. Which of the following is an example of a symmetric encryption algorithm?

A. RSA
B. Diffie-Hellman
C. AES
D. ElGamal

198. What type of security control is a web application firewall (WAF)?

A. Preventative
B. Detective
C. Corrective
D. Deterrent

199. Which type of attack involves an attacker attempting to gain unauthorized access to a system by trying every
possible combination of characters until the correct password is found?
A. Man-in-the-middle
B. Brute force
C. DDoS
D. Phishing

34
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

200. What is the primary purpose of a demilitarized zone (DMZ)?

A. Encrypt data
B. Separate an organization's internal network from the internet while allowing specific services to be
accessible
C. Control access to network resources
D. Detect malware

35
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

1. C 51. C 101.A 151.A

2. B 52. C 102.C 152.D
3. B 53. A 103.B 153.B
4. B 54. B 104.D 154.D
5. B 55. C 105.D 155.B
6. D 56. D 106.B 156.C
7. B 57. C 107.B 157.C
8. C 58. C 108.C 158.A
9. C 59. D 109.B 159.B
10. B 60. D 110.B 160.D
11. D 61. D 111.B 161.B
12. B 62. D 112.D 162.B
13. C 63. D 113.B 163.D
14. A 64. D 114.D 164.D
15. B 65. A 115.B 165.D
16. A 66. B 116.C 166.A
17. A 67. B 117.B 167.C
18. B 68. A 118.A 168.C
19. C 69. C 119.D 169.B
20. A 70. D 120.B 170.A
21. B 71. B 121.A 171.C
22. A 72. B 122.A 172.B
23. B 73. B 123.C 173.A
24. A 74. A 124.B 174.B
25. B 75. D 125.C 175.D
26. A 76. B 126.A 176.A
27. B 77. D 127.D 177.A
28. D 78. B 128.A 178.D
29. B 79. D 129.C 179.B
30. C 80. A 130.B 180.A
31. A 81. B 131.C 181.C
32. D 82. B 132.A 182.B
33. B 83. A 133.A 183.B
34. B 84. B 134.B 184.D
35. D 85. C 135.A 185.B
36. C 86. A 136.C 186.B
37. B 87. D 137.B 187.D
38. D 88. C 138.C 188.C
39. C 89. A 139.B 189.C
40. B 90. C 140.C 190.A
41. B 91. B 141.B 191.D
42. C 92. B 142.B 192.B
43. B 93. A 143.B 193.B
44. C 94. D 144.B 194.D
45. D 95. B 145.D 195.A
46. C 96. D 146.D 196.A
47. B 97. C 147.B 197.C
48. C 98. C 148.A 198.A
49. B 99. D 149.A 199.B
50. C 100.B 150.D 200.B

36
 Ron Sharon (www.ronsharon.com)
200 SECURITY PLUS QUESTIONS AND ANSWERS

37
 Security+ Cheat Sheet
Chapter 1: Introduction to Security
CIA : Confidentiality, Integrity, Availability
- Confidentiality : Prevents disclosure of information to outside party
- Integrity : Guarantees data has not been tampered with
- Availability : Resources can be accessed when needed
AAA : Authentication, Authorization, Accounting(non-repudiation)
- Authentication : Confirms one’s identity
e.g.) username/password, biometrics, signature etc
- Authorization : Allows one to access certain materials
e.g.) ACL(Access Control Lists), Linux permission bits etc
- Accounting : Tracking of data/comp./netwrk resources usage for individuals
e.g.) Logging, auditing, data/network monitoring
Types of Threats
- Malicious Software
- Unauthorized Access
- System Failure
- Social Engineering
Physical, Technical, Administrative Security plans
- Physical : Physical security systems such as alarms, ID cards, CCTV etc
- Technical : Smart cards, ACLs, encryption etc
- Administrative : Policies, procedures, DRP(Disaster recovery plan) etc
Protection Methods
- User Awareness
- Authentication
- Anti-malware
- Data Backups
- Encryption
- Data Removal
*Good security plan + Good protection method = Solid defense (Defense in depth)
Types of Hackers
- White Hat
- Black Hat
- Grey Hat
- Blue Hat (Bounty Hunters)
- Elites (Zero day discoverers)
Types of Attackers
- Script Kiddie
- Hacktivist
- Organized Crime
- APT(Advanced Persistent Threat aka Nation state attacker)
Chapter 2 : Computer Systems Security Part 1 (Malware)
Types of Malware
- Viruses
Malicious code executed by the user, lives on a file
> Boot Sector : Placed in first hard drive sector
> Macro : Placed into documents
> Program : Infects executables
> Encrypted : Avoids detection through encryption
> Polymorphic : Decryption module changes with every infection
> Metamorphic : Whole virus code changes with every infection
> Stealth
> Armored : Misdirects antivirus away from its actual location
> Multipartite : Hybrid of boot sector and program
- Worms
Malicious code that replicates, standalone program, may spread automatically
- Trojans
Appear to be beneficial but contain malicious code
> Keygens
> RAT Trojans
- Ransomware
Encrypts files and data and demands payment to unlock
Often propagates as a Trojan or a worm
- Spyware
Usually hidden inside third party applications
Logs various user activities and sends it to attacker
Also associated with Adware and Grayware
- Rootkits
Designed to gain administrative control over a machine
Hard to detect b/c it targets low level(UEFI/BIOS, kernel etc)
Activates before Antivirus/OS
- Spam
Abuse of electronic messaging system

Malware Delivery
Treat Vector vs Attack Vector
- Software, Messaging and Media
> Emails, FTP, P2P/torrent file downloads
> Removable Media
- Typosquatting
 - Exploit kit
- Botnets and Zombies
> Also used for DDOS or financial gain
- Active Interception (MITM)
- Privilege Escalation
- Backdoor
> Authentication bypass mechanisms built into the program itself
- Logic Bombs
> Triggers malware on certain condition(date, OS type etc)
Malware Prevention / Troubleshooting
Common Symptoms : Slow computer speed, crashes, incorrect home page, popups
Common Prevention
> Antivirus : Regular updates and scans
Detects : worms, viruses and Trojans
Does not detect : Botnet activity, rootkits, logic bombs
> Firewalls and Regular OS updates
> Separation of OS and data
> Hardware + Software based firewall (e.g. router + Windows Firewall)
> Encryption for confidentiality (Windows EFS)
Common Steps to Malware Removal
1. Identify Symptoms
2. Quarantine infected system / drive to clean machine
3. Disable System Restore
4. Remediate affected system
> Update AV / Scan and removal
5. Schedule scans and run update
6. Enable system restore and set new restore point
7. Educate end user
Worms and Trojans
> Antivirus, Regular maintenance and vigilance
Spyware
> Antivirus, browser security settings, remove unnecessary application
> End user education
Rootkits
> Antivirus, Rootkit detectors (USB bootable OS)
> Use UEFI over BIOS (GPT over MBR)
> Wipe the entire drive & reinstall OS
Spam
> Spam filter, whitelisting/blacklisting, close open mail relays
Chapter 3 : Computer Systems Security Part 2
Security Applications
- Personal Firewalls (Host based firewalls)
> Windows Firewall
> ZoneAlarm
> Packet Filter and IP Firewall (Mac OSX)
> iptables (Linux)
- IDS (Intrusion Detection System)
Host Based : Loaded onto individual machine
Analyzes and monitors that one machine state
Can interpret encrypted traffic
Network Based : Either loaded onto a machine or standalone device
Monitors every packet going through network interface
Monitors multiple devices, less expensive
Cannot monitor what happens in an OS
Monitoring Types – Statistical Anomaly vs Signature
> Statistical Anomaly
Establishes baseline and compares current performance
> Signature
Network traffic analyzed to find predetermined patterns
HIDS examples
> Trend Micro OSSEC (freeware)
> Verisys (Commercial, Windows)
> Tripwire (Commercial)
* Make sure to protect HIDS database with encryption and access control
- Popup Blockers
Ad filtering & Content filtering
- DLP (Data Loss Prevention)
Monitors data in use / in motion / at rest
Prevents unauthorized use and leakage of data
Types of DLP
> Endpoint DLP : Runs on single machine, software based
> Network DLP : Software/hardware, installed on network perimeter
> Storage DLP : Installed in data centers/server rooms
Securing Computer Hardware and Peripherals
Examples of peripherals: USB flash drives, SATA external HDD, optical disks
Securing BIOS
- Flashing (Updating) BIOS firmware
- BIOS password
 - Configure BIOS Boot order
- Secure boot (disables unsigned device drivers, UEFI)
* UEFI and Root of Trust, secure/measured boot, attestation
Securing Storage Devices
- Removable Storage
> Typically prohibits all removable storage besides specific ones
> Removable Media Controls
USB Lockdown (BIOS), limit USB use, malware scans, audits
- NAS (Network Attached Storage)
> Built for high availability (no downtime)
> Commonly implemented as RAID array (levels depend on situation)
> Use encryption, authentication, secure logging etc
- Whole Disk Encryption
> Requires either self encrypting or full disk encryption SW
> Windows BitLocker requirements
1) TPM or External USB key with encrypted keys
2) Hard drive with 2 volumes(1 for boot, 1 to be encrypted)
> Double Encryption – BitLocker + EFS
- HSM (Hardware Security Modules)
Vs TPM
TPM handles key storage with limited cryptographic function
HSM handles mainly quick crypto functions with key storage
Found in USB attachment or network attached device
Securing Wireless Peripherals
- Force devices to use AES or WPA2 encryption for data transmission
Securing Mobile Devices
General Security
- Keep phone number secure and do not respond to unsolicited calls
- Update mobile device OS
- Complex password and limit downloads to device
Malware
- Install & update mobile device AV
- Take use of built in security features
- Avoid following links, don’t store information on device
- Don’t post info on social media
Botnet Activity
- Follow anti-malware procedures
- Avoid rooting / jailbreaking phones
SIM Cloning
- A cloned SIM redirects all calls and texts to its own device
 - Able to hijack messages intended for original SIM card owner
Wireless Attacks
- Bluejacking
- Bluesnarfing

Theft
- Full device encryption(FDE)
- Set up GPS tracking
- Remote lock & Remote wipe technology
Mobile Application
- Mobile key management : use Third party software (Verisign)
- Application whitelisting / blacklisting
- Strong SMS application and endpoint security
- Mobile payment : avoid public networks, user education
- Geotagging : Disable GPS depending on situation
- BYOD concerns
> Storage Segmentation : divide corporate vs private data storage
> Mobile Device Management systems for corporations
Chapter 4 : OS Hardening and Virtualization
OS Hardening
Motivation : Out of the box OS is vulnerable by default,
Need to customize settings to make it more secure
Concept of Least Functionality
- Restrict and remove any functionality not required for operation
- NIST CM-7 control procedures
- Target features
> Applications
> Ports
> Services (daemons)
- Consider backwards compatibility when removing obsolete applications
- SCCM (System Center Configuration Manager) for multiple machines
- Application blacklisting / whitelisting
- Service configuration commands
> Windows : services.msc, net stop, sc stop
> Linux : /etc/init.d/<service> stop, service <service> stop etc
> OSX : kill command
Update, Patches, Hotfixes
- TOS (Trusted Operating System)
: Certified OS considered secure by gov standards
- Update Categories
> Security Update : Product specific, security related
> Critical Update : critical, non security related bug fix
> Service Pack : Cumulative set of updates, now discontinued
> Windows Update : Noncritical fixes, new features and updates
> Driver Update : Beware driver shimming / refactoring
- Hotfixes and patches are now used interchangeably
* Disable automatic updates to synchronize versions and updates
Patch Management
- Process of planning, testing, implementing and auditing patches
> Planning : Deciding which patches are required
Checking Compatibility
Plan how the patch will be tested / deployed
> Testing : Test the patch on one machine / small system
> Implement : Patch deployment to all machines
Use SCCM or other centralized management system
> Auditing : Confirm patch is live on system
Check for any failures or changes due to the patch
 Group Policies, Security Templates, Configuration Baselines
Group Policy : Used in Windows to set group configurations
* gpedit.msc
Hardening File Systems and Hard Drives
a) Use a secure file system
> NTFS for Windows, allows encryption, ACLs, logging
Use chkdsk and convert commands
> ext4 for Linux
Use fdisk –l or df –T
b) Hide important files (System files, personal etc)
c) Manage hard drives
> Delete temp files
> Periodically verify system files integrity
> Defrag hard drives
> Backup data
> Restore points
> Whole disk encryption
> Separate OS system and personal data
Virtualization
Virtualization : Creation of virtual machines housed in an OS
VM(Virtual Machines) and VDE(Virtual Desktop Environment)
- Pros
> Flexible and portable
> Safe testing of malware in a controlled environment
- Cons
> Resource intensive
> Vulnerable to hardware failures
VM Categories
1. System virtual machine : Runs an entire OS
2. Process virtual machine : Runs a single application (browser)
* Virtualization ↔ Emulation ↔ Simulation
* Virtual Appliance ↔ Image ↔ Virtual Machine
Other forms of virtualization
> VPN (Virtual Private Network)
> VDI (Virtual Desktop Infrastructure)
> VLAN (Virtual Local Area Network)
Hypervisor (Virtual Machine Manager)
 - Allows multiple virtual OS to run concurrently
Type 1 vs Type 2 Hypervisor
- Type 1 - Native
> Runs directly on host hardware
> Flexible and efficient
> Strict hardware/software restrictions, less common
- Type 2 – Hosted
> One level removed from host hardware
> More available to most OS and hardware
> Resource intensive
Application Containerization
- Runs distributed applications w/o running an entire VM
- Efficient but less secure
Securing Virtual Machines
Generally equivalent to securing regular OS, but with little more work
1. Update virtual machine software (e.g. VirtualBox)
2. Be wary of VM-VM and VM-host network connections
3. Protect NAS and SAN from virtual hosts
4. Disable unnecessary USB and external ports on VMs
5. Alter boot priority for virtual BIOS
6. Limit and monitor VM resource usage to prevent DOS attacks
7. Protect raw virtual machine image
> Snapshots, Encryption, Access permission and signatures
Virtualization Sprawl : When there are too many VMs to manage at once
> Employ a VMLM (Virtual Machine Lifecycle Management) tool
Chapter 5 : Application Security

Securing Web Browsers

- Avoid newest versions and disable auto update (new versions are unstable)

- Consider organizational requirements and OS

- General Browser Security Procedures

> Implement Policies

Hand written, browser settings, GPO(Windows), OS setting etc

> Train Users

> Use proxy and content filter

Proxy serves as an intermediate cache between server and client

Configured in browser settings / domain controller

Beware of malicious proxy configurations

> Secure against malicious code

Configure Java, ActiveX, Javascript, Flash media etc

- Web Browser Concerns and Security Methods

Basic Methods

> Timely Updates

> Adblock, pop up blocking

> Implement security zones

> Control ActiveX/Java/Plugins

> Avoid jailbreaking (mobile)

Cookies

> Configure and control through browser settings

> Related threat : Session Hijacking

LSO(Locally Shared Objects - Flash)

> Flash version of cookies, may be used to track users

> Configure and control in Flash Player Settings Manager

Addons / Plugins

> Inherent security risk, disable all

 > Most IE plugins made with vulnerable ActiveX

Advanced Browser Security

> Browser temp files – configure to automatically flush

> Disable saved passwords

> Configure a minimum version limit on TLS/SSL

> Disable all 3rd party plugins

> Consider using a VPN or virtual machine for extra separation

Securing Other Applications

Principle of Least Functionality – don’t give tools users don’t need

User Account Control (Windows)

- Keeps everyone on regular user level of access by default

- Prompts required to access any admin right required things

Create Policies (Prioritize app. Whitelisting over blacklisting)

Securing common Windows programs

1. Outlook

> Install latest update, upgrade to newer version of Office

> Use email whitelisting to remove junk email

> Read email in text format instead of HTML

> Enable attachment blocking

> Use encryption - SPA (Secure Password Authentication), PGP, SSL

2. Word

> Using passwords for opening/modifying documents

> Read only settings

> Digital certificates

3. Excel

> Password protected worksheets, no macro

> Excel encryption

Mobile Applications

- Disable GPS
 - Configure strong passwords

Server Applications

- e.g. FTP, Email, Web, SQL database

- Change default username / passwords

- Don’t consolidate multiple services into single machine

Secure Programming

SDLC (Software Development Life Cycle)

- Waterfall

> Traditional method

> Requirements are decided before development

- Agile

> RAD (Rapid Application Development) approach

> Relatively new, Breaks development down to incremental changes

> Requires high dedication from members

- DevOps

> Deployment tool, often used together with Agile method

Core SDLC and DevOps Principles

- Preserving CIA of software development

- Secure code review

> In depth code review for security bugs

> Included before fuzzing or penetration testing

- Threat Modeling

> Identifying and prioritizing potential threats

- Common Security Principles

1. Least Privilege

2. Defense in Depth

3. Never trust user input

4. Minimizing attack surface

5. Secure defaults
 6. Provide authenticity and integrity (program signatures)

7. Fail securely (Error handling)

8. Thorough testing of security fixes and patches

Program Testing Methods

1. White box vs Black box testing

> white box, black box, gray box, stress testing, pentesting etc

2. Compile time vs runtime errors

> Reminder that both software and hardware has runtime errors

> SHE (Structured Exception Handling) deals with both SW/HW

3. Input Validation

> Perform on both client and server side

> Key factor of SQL injections and XSS

4. Static vs Dynamic code analysis

> Static : No code execution, examines code with automated tools

> Dynamic : Runtime examination of code behavior for bugs

* Fuzzing is a form of dynamic code analysis

5. Fuzz Testing

> Input of large amounts of random data until code errors

Program Vulnerability and Attacks

1. Backdoors

> Preprogrammed authentication bypasses built into system

> Updates usually remove these, job rotation, code cross checking

2. Memory / Buffer Vulnerabilities

> Buffer overflows (Stack, heap)

> Integer overflows (integer wrapping)

> Memory leaks : Degrades system performance

> Nullptr dereference

> ASLR and DEP is common defense against buffer overflows

3. Arbitrary and Remote Code Execution

 > Shellcode injections

> Strong input validation, fuzz testing

4. XSS / XSRF

> Common browser based attacks, uses HTML code injection

5. Other Code injections

> SQL Injection

> LDAP Injection

> XML Injection

6. Directory Traversal

7. Zero Days
Chapter 6 : Network Design Elements

Network Design

OSI Model

- Goals

1. Explain network connection between hosts on LAN/WAN

2. Present a categorization system for communication protocols

3. Shows how different protocol suits communicate

- Overview

Layer Name Usage Units

1 Physical Physical and Electrical medium Bits

2 Data link Establishes, maintains and decides Frames

how data transfer is accomplished
over the physical layer

3 Network Routing and Switching Packets

4 Transport Manages/ensures error free Segments(TCP)

transmission between hosts through Datagrams(UDP)
logical addressing/port assignment

5 Session Establishment, termination and Messages

synchronization of sessions within
the OS over the network and between
hosts
6 Presentation Sender to receiver data translation, Messages
Code conversion, data compression
and file encryption

7 Application FTP, HTTP and SMTP end user Messages

protocols

Network Devices

- Switch

> Central connection device, replaces hubs and bridges

> Translates MAC and MAC+IP into physical ports to route messages

> Attacks

1. MAC Flooding : Uses up the CAM to force switch into broadcast

2. MAC Spoofing : Masks network adapter MAC with different value

3. Physical Tampering : Vulnerable management ports, Looping

* Use hierarchial router structure or spanning tree

 protocol to prevent looping

- Bridges

> Used to separate physical LAN into two logical networks

> Works on layer 2 (Data link), now obsolete

- Router

> Used to connect two or more networks

> Works on network 3 (Network)

> Various forms : SOHO, servers configures as routers, Cisco black box

> Attacks : DOS, malware intrusions etc

> Defenses

1. Secure configurations

2. Firewalls

3. IPS

4. Secure VPN Connectivity

5. Content filtering

6. ACL (Access Control Lists)

NAT (Network Address Translation), Private vs Public Addresses

- NAT : Process of changing IP in transit

- Motivation

> Allow a large private address space mapped to a smaller public one

> Firewall effect (hides internal IPs)

* Static NAT : Only one machine uses the router that does NAT

- Private IP

> Invisible to public(internet)

> Assigned automatically by SOHO router or DHCP server

> Within predetermined range

- Public IP

> Visible to public, anyone can attempt connection

> Assigned by ISP DHCP servers

* IPv6 Vulnerability
 > By default attempts to automatically connect to other IPv6 addresses

> Make sure to secure both IPv4 and IPv6

Network Zones and Interconnections

- LAN (Local Area Network)

> Group of interconnected computers contained in a small space

> Usually uses private IPs behind a firewall

> By default does not have internet access, but may connect to an

Internet proxy to do so

- WAN (Wide Area Network)

> Network of two or more interconnected LANS

> Covers a larger geographical area

> Requires telecomm/datacomm service company

- Internet

> Worldwide interconnected network

> Must secure all transmission that happens over the internet

- DMZ (Demilitarized Zone)

> Special subnetwork designed for external client access

> Common web/FTP/email/database etc services reside in DMZ

> Can also be accessed by LAN clients

> Often placed in a separate LAN network from the rest of system

> Common 3-leg perimeter configuration

- Intranets & Extranets

> Used to share company data securely through the internet

> One company = intranet, multiple companies involved = extranet

> Never store confidential+ data in these networks

> Crucial to properly implement firewall

NAC (Network Access Control)

- Denies network access until client obtains proper security measures

- Antivirus, system updates etc

- Preinstalled clientside software (agent) or remote scan (agentless)

 - Persistent vs Dissolvable agents

> Persistent : Designed for multiple use

> Dissolvable : Designed for one time authentication

- Agentless offers less control for more flexibility

- Cisco offers hardware solutions

Subnetting

- Process of creating logical subnetworks through IP manipulation

- Benefits

1. Compartmentalizes network, increasing security

2. Efficient use of IP address

3. Reduces IP collision and broadcast signals

- Overview

1. Class A : Large network, 255.0.0.0

2. Class B : Medium network, 255.255.0.0

3. Class C : Small network, 255.255.255.0

Example : 192.168.1.0/28 ​ ​ 28 is total number of bits used

Class C Network

255.255.255.240 ​ ​ 1111 1111 . 1111 1111 . 1111 1111 . 1111 0000

First 3 octets are Class C mask

First 4 bits of last octet is subnet mask, 2^4 = 16 subnets

Last 4 bits of last octet is host ID, 2^4-2 = 14 hosts

VLAN(Virtual LAN)

- Segments various networks sharing the same switch, reduce collision,

Organize network, boost performance and security

- Works on Layer 2 (Data link frames)

- Allows admins to group hosts connected on different switches together

- VLAN Hopping : Methods of gaining access to other VLANs on switch

1. Switch Spoofing

2. Double Tagging

Telephony
 - Provides voice communications, fax etc

- Now computers are involved in telephony as CTI

- Modems

> Still often used to connect to networking equip. via dial up

> Very insecure (War dialing)

> Protections : Callback, username/pw, hide modem number

PBX(Private Branch Exchange)

- Makes internal phone connections, connects to PSTN

- New added features now make them less secure

VoIP

- Broad term for voice data over IP networks

- IP phones exploited the same way as regular computers

- Home VoIP solutions use SIP(Session Initiation Protocol) vulnerable to MiTM

Cloud Security and Server Defense

Definition of Cloud : Any network between two organization borders

Cloud Computing

- A method of offering on demand services normal users don’t have

- SaaS (Software as a Service)

> Allows user to have access to software they don’t have on host

- IaaS (Infrastructure as a Service)

> Offers networking, routing, VM hosting and other networking

- PaaS (Platform as a Service)

> Offers virtual development of application

- SECaaS (Security as a Service)

> Offers security services to be integrated into existing infra.

Different Types of Cloud

- Public Cloud : Full public access, low security

- Private Cloud : Full private access, high security

- Hybrid Cloud : Utilize both private and public depending on handled data

- Community Cloud : Private to specific group, good for collab projects

Cloud Security

- Depends on the amount of security control the admin has

- Defenses for sending data to cloud

1. Passwords : 10 char general case, 15 for confidential data

2. Multifactor authentication

3. Strong data access policy : passwords, multifactor, group policy

4. Encryption : strong PKI encryption on all files

5. Programming standardization

6. Data protection

* Unconventional data channels : Social media, P2P, dark net

Server Defenses

- Servers are most important part of network to secure

- Contains all data and services

1. File Servers

> Stores, transfer, migrate, synchronize and archive files

> Identical vulnerability to malware that target desktop PCs

> Hardening, updates, AV, SW/HW firewall, HIDS, encryption, monitoring

2. Network Controllers

> Central repo of all user and computer accounts

> LDAP injection, Kerberos vulnerabilities ​ ​ privilege escalation

> Updates, hot fixes

3. Email Servers

> Deals with email, texting, fax, chat etc

> May run multiple services and ports, POP3, SMTP, IMAP, Outlook

> XSS, DDOS, SMTP memory exploits, directory traversal etc

> Updates, quarantine, HW/SW spam filter, DLP, encryption (TLS/SSL)

4. Web Servers

> Provide web and website services to users

Ex) Microsoft IIS, Apache HTTP, lighthttp, Oracle iPlanet

> DDOS, overflow attacks, XSS, XSRF, remote code exec., backdoors

> Secure programming, updates, HW firewall, HTTPS

* Darkleech : Apache based attack using malicious Apache modules

5. FTP Servers

> Basic file access (public/private)

> Web shells, weak authentication, bounce attacks, buffer overflow

> Strong password, secure encrypted FTP, dynamic port assignment

Chapter 7 : Networking Protocols and Threats

Ports and Protocols

Port Ranges, Inbound vs Outbound, Common Ports

Ports : Logical communication endpoints

TCP vs UDP

- TCP : Ordered, guaranteed connection oriented sessions

- UDP : Unordered, streaming real time connection

Total of 65536 ports

Port Ranges

- 0 – 1023 : Well known ports

- 1024 – 49151 : Registered ports for proprietary applications

- 49152 – 65535 : Dynamic and private ports, cannot be registered

Inbound vs Outbound Port

Inbound : Usually leaves well known ports on server open

Needs to be secured by an Admin

Outbound : Used to initiate connections to servers

Dynamic Port assignment enhances security

Well Known Ports

Port Protocol TCP/UDP Secure Version Usage

21 FTP TCP FTPS, 989/990 Transfer Files from host to host
22 SSH TCP/UDP Secure Shell Connection
23 Telnet TCP/UDP Remote administration (deprecated)
25 SMTP TCP SMTP w/ TLS, 465/587 Sends Email
49 TACACS+ TCP Remote Authentication
53 DNS TCP/UDP DNSSEC Hostname to IP resolution
69 TFTP UDP Basic version of FTP
80 HTTP TCP HTTPS, 443 Transmit web page data
88 Kerberos TCP/UDP Network Authentication using tickets
110 POP3 TCP POP3 w/ TLS, 995 Receives Email
119 NNTP TCP Transport Usenet Articles
135 RPC TCP/UDP Locate DCOM ports
137-1 NetBIOS TCP/UDP Name quering, sending data, NetBIOS
39 connection
143 IMAP TCP IMAP4 w/ TLS, 993 Email retrieval
161 SNMP UDP Remote network device monitoring
162 SNMPTRAP TCP/UDP Traps/InformRequests sent to SNMP manager
389 LDAP TCP/UDP LDAP w/ TLS, 636 Maintain user and other object directory
445 SMB TCP Shared access to files and resources
514 Syslog UDP Syslog w/ TLS, 6514 Computer message logging
 860 iSCSI TCP IP based protocol for linking data storage
facilities
1433 Ms-sql-s TCP Opens MS SQL server queries
1701 L2TP UDP VPN protocol with no security, used with
IPsec
1723 PPTP TCP/UDP VPN protocol with security
1812/ RADIUS UDP AAA protocol for authentication,
1813 authorization and accounting
3225 FCIP TCP/UDP Encapsulate Fibre channel frames
3389 RDP TCP/UDP Remote Desktop Protocol for Windows
3868 Diameter TCP AAA protocol that can replace RADIUS

Malicious Attacks

DOS – Resource depletion attack

- Flood Attack

> Ping floods : Uses ICMP packets (disable ICMP to protect servers)

> Smurf attack : Redirects ICMP echoes to spoofed IP

> Fraggle : Redirect UDP echoes (port 7 and 19) to spoofed IP

> SYN flood : sends large amount of TCP SYN packets to target

> Xmas flood : Aims to reboot routers

- Ping of Death

Sends oversized/malformed packets to crash services

Mostly automatically blocked by modern OSes

- Teardrop Attack

Sends mangled IP fragments to crash IP reassembly code

- Permanent DOS

Flashes custom images onto routers and network devices

- Fork bomb

Forces numerous processes that saturates processor capacity

DDOS

Utilizes a botnet to flood and DOS a host

Common defenses similar to DOS defenses

ACL routers, firewall, IPS, simulated servers effective

DNS amplification – another reflective spoofed IP attack

Sinkholes & Blackholes

 Sinkhole : DNS server configured to give false data to bots

Abused to maliciously redirect users to false sites

Blackhole : List of domains known to be malicious and blocked

Spoofing

Impersonation of various URI (Uniform Resource Identifier)

MitM attacks, IP spoofing, MAC spoofing, session hijacking etc

WWN spoofing : World Wide Names are unique identifiers to SAN (like MACs)

* SAN (Storage Area Network)

Session Hijacking

- Session Theft

> Typical cookie hijacking in browser (application) level

> Use different nonces for session keys & encryption

- TCP/IP Hijacking

> Predicts next sequence number in a TCP session to inject data

> PKI encrypted traffic to counter TCP/IP Hijacking

- Blind Hijacking

> Randomly injects data hoping it works

- Clickjacking

- MitM

- MitB (Man in the Browser)

> Infected browser modifies user input data when packets are sent

> Third party transaction verification and antivirus counters this

- Watering Hole

> Plants malicious code into high traffic sites

Replay Attacks

Attacker saves and reuses valid packets at a future date

Defenses

> Session tokens, timestamping & synchronization, crypto and nonces

Null Session
 Uses port 139 & 445 (NetBIOS and SMB)

Abuses built in unauthenticated connection enabled by default on old Windows

Transitive Access and Clientside Attacks

Compromising a trusted user of a server in turn compromises the server

* Transitive trust is dangerous, only establish trust in a temporary fashion

DNS Poisoning

Improper modification of DNS information redirects users to malicious sites

Targets DNS server caches

Defenses : TLS, DNSSec, TSIG (Transaction Signature), Server patches

* Unauthorized zone transfers

Attacker gains quick reconnaissance by replicating DNS data

Gains various hostnames and IP addresses

Windows host files are also a common target

> hosts file used to locally resolve hostname to IP addresses

> When compromised can result in data leak or malicious redirection

> When compromise detected delete and remake hosts file w/ read-only

Pharming : A poisoned DNS cache/hosts redirects users to malicious sites

Domain name kiting : Repeatedly reregistering domain name to use it for free

ARP Poisoning

ARP resolves IP to MAC addresses

Use VLAN segmentation and separation to minimize damage

Chapter 8 : Network Perimeter Security

Firewalls and Network Security

Firewalls

- Prevents unwanted access to networks by blocking ports & IP

- ACL (Access Control List) decisde which packets to allow

- Packet Filtering : Inspects and filters unwanted packets

1. Stateless : Does not keep track of previous packets

2. Stateful : Keeps a record of previous packets for cumulative filter

- NAT Filtering : Filters according to matching inbound/outbound ports

- Application Level Gateway : Security measures applied to a specific app

- Circuit Level Gateway : Only checks if a connection is valid

Ignores validity of individual packets

- Firewall Logging : Logs all connection and blocked packets

- Types of Firewalls

1. Packet Filtering

> Most basic form

> Observes packet headers to see if they violate firewall rule

2. Stateful Firewalls

> Keeps track of established sessions

> Filters unwanted request to open new connections

3. Application Firewalls

> Blocks or allows specific applications to communicate

4. Web App Firewalls

> Specifically designed for HTTP sessions

Proxy Servers

Acts as an intermediary between LAN clients and outside servers

Types of Proxies

1. IP Proxy : Uses NAT to hide client IP address. Basic router function

2. Caching : Saves remote server data for efficiency

 Commonly used in HTTP proxies

Disable PAC (proxy auto configuration) files

3. Reverse : Protects LAN servers from outside clients

4. Application : Acts as a remote connection application

Proxies generally modify client requests for anonymity and security.

Those that do not are called ​transparent proxies​.

Internet Content Filtering : Can be installed on each host, but more

efficient to install on a proxy

Web Security Gateways : Active monitoring and filtering of user data streams

* UTM (Unified Threat Management)

Honeypots / Honeynets

Composed in various sizes (1 machine, file to a network of machines)

Used to study and analyze attacker behavior

DLP (Data Loss Prevention)

Stops leakage of confidential information through content inspection

Detects company confidential information and prevents it from exiting network

If data is stored on cloud/BYOD, cloud based DLP is more suitable

NIDS vs NIPS

NIDS (Network Intrusion Detection System)

Attempts to detect malicious network activities (port scans, DDoS)

Common solutions : Snort (open source), Bro (open source)

Placed before a firewall, but also placed in key network locations

* Promiscuous mode on NIDS adapter allows examination of all network packets

Sometimes effective enough to remove most HIDS solutions

Pros

Effective detection of network intrusion

Installed on only a few machines for whole network

Cons

Cannot read encrypted traffic

Cannot monitor individual machine

 Passive (does not prevent attacks)

NIPS (Network Intrusion Prevention System)

Inspects packets and removes/redirects malicious traffic

Application aware device – able to associate packets to specific applications

Pros

Can protect non computer based network devices (routers, switches)

Prevent attackers from entering the network (Active)

Able to read encrypted traffic

Cons

Single point of failure, can bring down entire network if knocked out

Prone to false positive/negatives

Fail open/close

Uses more resources

Protocol Analyzer

Captures and analyzes packets, allowing inspection of packet content

UTM (Unified Threat Management)

Culmination of various network defenses in a single device

All-in-one device or NGFW (Next Generation Firewall)

Can also be a single point of failure

Chapter 9 : Securing Network Media and Devices

Wired Networks

Vulnerabilities

Various types of devices – routers, switches, firewalls, NIDS/NIPS etc

1. Default Accounts

Default username/password of many devices are public knowledge

Make sure to change username/password before connecting device to web

2. Weak Passwords

3. Privilege Escalation

Escalation to kernel, DRM bypass, jailbreaking, malware etc

- Vertical Privilege Escalation

Lower privilege accessing higher privilege, user ​ ​ admin

- Horizontal Privilege Escalation

User access function of another user, user1 ​ ​ user2

4. Backdoors

Bypasses traditional authentication, faulty code, RAT software/rootkit

5. Network Attacks

DOS/DDoS, Spoofing etc (refer to Ch 7)

Cable Media Vulnerabilities

Types of Cables

- Twisted pair

- Fiber optic

- Coax

1. Electromagnetic / Radio Frequency Interference

Creates noise and unwanted signals, use cable shielding

2. Crosstalk

Wires placed in proximity affect one another’s signals

Use twisted pair cables to minimize/eliminate crosstalk

NEXT (Near End Crosstalk)

 Measurement of interference at the point closest to noise source

FEXT (Far End Crosstalk)

Measurement of interference at the point furthest from noise src

3. Data Emanation

Data leakage through EM field generations (side channels)

Use shielded cables or faraday cages to prevent EM field

Refer to US govt. TEMPEST guidelines

4. Wiretapping

a) Employing a butt set to RJ11/punch block

b) Plugging into open twisted pair ports on routers/switch/hub

c) Splitting twisted pair connections and cables

d) Spectral Analyzers to detect electric signals on cables

e) Passive optical splitter (fiber optics wiretapping)

* Wiring Closets

1. IDF (Intermediate Distribution Frame) : one per each floor

2. MDF (Main Distribution Frame) : All IDFs connect to the MDF

One for building, connects to ISPs

3. SNMP monitored devices(PDU, UPS etc) can be used by attackers to

bypass security measures to attack IDF/MDF

Securing Wireless Networks

Vulnerabilities

1. Administration Interface(Romming)

Default username/password on administration consoles

2. SSID Broadcasting

Disable it under normal circumstances, enable only when connecting

new device

3. Rogue Access Point

Keep track of all legitimate access points with graphing tools

Investigate any undocumented AP showing up

 4. Evil Twin

Rogue AP that uses same SSID as legitimate AP

Use VPN that requires another authentication step

5. Weak Encryption

Current standard is WPA2, PSK wireless transport layer security

Protocol Description Key Size

WEP Wired Equivalent Privacy (Deprecated) 64 bit
WPA WiFi Protected Access 128 bit
WPA2 WiFi Protected Access version 2 256 bit
TKIP Temporal Key Integrity Protocol (Deprecated) 128 bit
CCMP Counter Mode with CBC-MAC Protocol 128 bit
AES Advanced Encryption Standard 128/192/256 bit
WTLS Wireless Transport Layer Security Based on TLS

6. WPS (Wireless Protected Setup)

Should be disabled in all cases, can easily be brute forced and broken

7. Ad Hoc Networks

Wireless connection between clients without central control

Obviously massively insecure, should be disallowed in all cases

8. VPN over Open Wireless

All wireless VPN should be accompanied by suitable encryption protocol

(PPTP, IPSec etc)

Wireless Access Point Security Strategy

- Minimize external signal bleeding and employ EM shielding

- Wireless site survey to gauge various signal strength / locate interference

- Employ WAP built in firewall and NAT and MAC filtering if possible

- AP isolation – Segment each client on the WAP, prevent client-client comms

- Encryption on application layer as well

 - WLAN controller to centralize WAP management

Wireless Transmission Attacks

1. War Driving/War chalking

2. IV attack

3. MAC Spoofing

4. Deauth

5. Dictionary/Brute Force WAP passwords

Bluetooth and Other Devices

Bluetooth and NFC (Near Field Communicator) can also be an attack vector

Bluejacking : Unsolicited Bluetooth messages

Bluesnarfing : Unauthorized access of information from Bluetooth devices

RFID

- Generally used in authentication

- Up to date chips have better encryption and shielding, more secure

- Uses very close range NFC (4 cm) to communicate/authenticate

Other Wireless Technologies

Cell Signals : Generally disabled within company premises

Chapter 10 : Physical Security and Authentication Models

Identification : Something that identifies a person

Authentication : When a person’s identity is confirmed or verified

Authorization : When a user is given permission to access certain materials

Happens after authentication

Physical Security

1. Perimeter security : Ample lighting, no hidden corners, CCTV/guards etc

2. Server Room

- Position on elevated levels, avoid water damage

- Cables and physical locks to deter theft/tampering

3. Door Access

- Should be implemented according to local crime rate and data within

- Use electronic keycards and cardkey controllers

* Hardware based tokens and OTP generators also secure

- Smart cards for authentication

Eg) PIV (Personal Identity Verification, government employees)

CAC (Common Access Card, DoD/military personnel)

- Also employ mantraps to avoid tailgating

4. Biometrics

- Beware of false acceptance/rejection rates

- Crossover Error Rate should be minimized

(When False Acceptance Rate = False Rejection Rate)

Authentication Models and Components

1. Authentication Models

a) Username/Password

b) Multifactor Authentication (MFA), more secure but also costly

c) Context Aware Authentication

d) Single Sign On (SSO)

e) Federated Identity Management

 f) Web based SSO

2. Localized Authentication Technology

Ways to authenticate users connecting to a LAN

1. 802.1X and EAP

Way of ensuring port security, uses data link layer protocols

1 – ​Authenticator​ detects new ​client​, initiates 802.1X

2 – ​Authenticator​ sends EAP requests to new ​client​, ​client

responds with EAP responses which are forwarded to

​Authentication Server

3 – ​Authentication Server​ responds with request for an EAP method

which is forwarded to the ​client

4 – EAP request/responses are sent between server and client

until authentication is successful

Types of EAP Methods

a) EAP-MD5

b) EAP-TLS

c) EAP-TTLS

d) EAP-FAST

e) PEAP

802.1X is often used as port layer security along with VLANs

3. LDAP (Lightweight Directory Access Protocol)

Used most often in MS Active Directory

Protocol used to access and maintain directory servers

Default port 389, SSL enabled secure port 636

4. Kerberos and Mutual Authentication

Used in client-server model for mutual authentication

Protection against eavesdropping/replay attacks

Builds off of symmetric key crypto and trusted third parties

Relies on a central server (could become single point of failure)

 5. Remote Desktop Services

Remote control of a Windows machine from a client

Well known port, weak encryption, no multifactor authentication

More secure third party options exist, adding security costs $$$

3. Remote Authentication Servers

Examples : RAS, VPN, RADIUS, TACACS+, CHAP

1. RAS (Remote Access Service)

Def : Any combination of HW/SW that allows remote access tools

Common measures to secure RAS

- Deny access to those who don’t need it

- Monitor daily usage logs

- Set up RAS authentication

2. CHAP (Challenge-Handshake Authentication Protocol)

1 – ​Authenticator​ sends challenge to ​client

2 – ​Client​ responds with hash of challenge + secret(password)

3 – If correct maintain connection, else terminate

MS-CHAPv2 is recommended b/c it provides mutual authentication

3. VPN

Connects two computers through hostile network via tunneling

Common Protocols : PPTP, L2TP

VPN remote access vs Site to site configuration

* Split Tunneling

Allows a client to connect to both WAN & LAN-via-VPN

May bypass higher level security measures placed on LAN

GRE(Generic Routing Encapsulation) by Cisco

Sometimes used to encapsulate PPTP/IPSec for VPN

4. RADIUS vs TACACS+

RADIUS

Provides centralized authentication for dialup VPN/wireless

EAP/802.1X compatible
 Network of RADIUS servers called a federation is also used

TACACS+

Mainly used on UNIX environments as a daemon

Chapter 11 : Access Control Methods and Models

Access Control Models : How admission to physical areas and computer systems are managed

1. Discretionary Access Control (DAC)

- Determined by owner of file/folder

- Owner decides how each user/group accesses his file

2. Mandatory Access Control (MAC)

- Strictest form of access control, need to know basis

- Each user is given clearance level and can only access files within level

Eg) FOUO, Confidential, Secret, Top Secret

- Rule based access control

Access determined by comparing label to clearance level

- Lattice based access control

More complex, involves set mathematics

3. Role Based Access Control (RBAC)

- Access controlled by a central authority

- Various roles that have overlapping privileges are assigned to users

4. Attribute Based Access Control (ABAC)

- Dynamic and context aware access control

Basic Access Control Practices

1. Implicit Deny

2. Least Privilege

3. Separation of Duties

4. Job Rotation

Rights, Permissions and Policies

Users, Groups and Permissions

Windows Active Directory

- Users can be added to specific OUs or Users folder

- Logon times and valid login dates can also be configured

- Consolidate multiple accounts with Federated Identity Management/SSO

 - Group users with similar permissions together

- NTFS Permissions

1) Full Control

2) Modify

3) Read & Execute

4) List Folder Contents

5) Read

6) Write

Permission Inheritance and Propagation

- Default behavior is child folder inherits parent folder permissions

- Cannot change without disabling permission inheritance

- Moving vs Copying data

Copy : Inherits permission of destination folder

Move : Retains original permission

Username and Passwords

- Weak and old pw is common avenue for data exfiltration

- Never use default username/pw for admin (or anything)

- Disable guest and unnecessary accounts

- Ctrl + Alt + Delete to log in, ensures users are using keyboard

Vs network connection

- Use policy management

Policies

- Enforced rules configured either on individual machine or network

- Password Policies

1. Enforce password history

2. Min – Max password age

3. Minimum pw length

4. Complexity requirements

- Most are configured on OS level with AD domain controller

UAC (User Account Control)

- By default keeps all non-admin users without full admin rights

Chapter 12 : Vulnerability and Risk Assessment

Conducting Risk Assessment

General Risk Management Strategies

1. Transfer risk to third party

2. Avoid the risk by not using specific tech/equipment

3. Reduce risk by minimizing damage and attack surface, implement defense

4. Accept the consequence

Risk Assessment

1. Identify company assets

2. Identify vulnerabilities

3. Identify threats and likelihood

4. Identify monetary impact

* Risk Register : Record of risk assessment, often referenced and updated

Qualitative vs Quantitative Risk Assessment

Qualitative Risk Assessment

Assigns numeric values to probability of risk and impact

Difficult to estimate exact values, must rely on history and survey

Quantitative Risk Assessment

Attempts to measure risk using exact monetary losses

1) Single Loss Expectancy (SLE)

2) Annual Rate of Occurrence (ARO)

3) Annual Loss Expectancy (ALE) = SLE X ARO

4) Mean time between failures (MTBF)

Average # of failures in a million hours of operations

Active vs Passive Security Analysis (Active vs Passive Reconnaissance)

Active Security Analysis

Employs actual testing (may interfere with regular operations)

Active Scanning

Passive Security Analysis

 Analyzing network documentation

Passive fingerprinting

Security Controls

Categorical

1. Management : Focus on executive level decisions and risk management

2. Operational : Focus on individuals

User awareness, incident handling, fault tolerance

3. Technical : Focus on the system, firewall configurations, IPS/IDS

Definitive

4. Preventative : Employed before an event, designed to prevent

5. Detective : Employed during an event to find malicious activity

6. Corrective : Employed after an event to minimize damage

Vulnerability Management

Five step process

1. Define a desired state of security

2. Create a baseline

3. Vulnerability prioritization

4. Mitigate vulnerability

5. Monitor environment

Penetration Testing

A demonstration of vulnerabilities found in step 3 through exploits

Black box (no knowledge), Gray box(limited knowledge), Glass box

Pivot – Launching additional exploits after gaining network foothold

Persistence and Backdoors

Race Conditions

Basic Methodologies

1. OSSTMM

2. NIST Pen Testing Standard

OVAL – Standardized secure transfer of information on security

Assessing Vulnerabilities with Security Tools

Network Mapping

Draw out the physical and logical connections of the network

Use Network Topology Mapper

AirMagnet(WiFi)

Things to include in the diagram

- Devices

- IP Address

- Role

- Connections

Vulnerability Scanning

Nessus – Basic vulnerability scanner

Nmap – Basic port scanner

Network Enumeration and Banner Grabbing

Network Sniffing

Process of capturing and analyzing packets on a network

Wireshark – Basic packet analyzer

Fluke Networks – Hardware based network tester

Password Analysis

Use password crackers to test strength of passwords

Cain and Abel – Basic password cracker

John the Ripper, Hydra, Aircrack-ng suite etc

Password Storage locations

Windows – SAM hive, encrypted binary

Linux - /etc/passwd or /etc/shadow, encrypted

Chapter 13 : Monitoring and Auditing

Monitoring Methodologies

Focus on Automated Monitoring

1. Signature based monitoring

Matches predetermined attack patterns and packets/frames

Vulnerable to false negatives, need constant updates

2. Anomaly based monitoring

Establishes a baseline and detects deviations from this baseline

Inaccurate baseline leads to false positives

3. Behaviour based monitoring

Compare previous application behavior and detects current anomalies

Prone to false positive due to application diversity

Using Tools to Monitor Systems and Networks

Performance Baselining

Baseline vs Baseline reporting

Security posture vs Security Poster Assessment

Protocol Analyzer

Promiscuous vs Non-promiscuous mode for network adapters

Broadcast Storm Analysis

Header Manipulation Detection

TCP Handshake Analysis

Wireshark : Promiscuous mode capturing vs port mirroring vs network tap

Tcpdump for Unix/Linux

SNMP (Simple Network Management Protocol)

TCP/IP, helps monitor network attached machines

Typical usage scenarios

a) Managed Devices

b) Agents

c) Network Management System

 Inbound vs Outbound management

Analytical Tools

compmgmt.msc & openfiles, net file & suite/netstat (Windows)

lsof(list openfiles) & netstat (Linux)

Static and Dynamic Tools

Static : openfiles, netstat that takes snapshot of network

Dynamic : Task Monitor, wireshark that captures packets over time

Conducting Audits

Manual Assessment

Review of security logs, ACLs, user rights, permissions, group policy

Vulnerability scans

Personnel Interviews

Overall Process

1. Define audit target

2. Create backups

3. Scan, analyze and create a list of vulnerabilities/issues

4. Calculate risk

5. Develop a plan to minimize risk and fix issues

Auditing Files

Able to set auditing and logging for file, folder and user

Review logs to ensure non-repudiation & beware of permission hierarchy

Logging

compmgmt.msc in Windows allows viewing of security logs

Also pay attention to system and application logs

Syslog centralized log monitoring

Log File Maintenance and Security

Logfile size, configuration and encryption

Backups and manually clear log files

Auditing System Security Settings

Manage shared folders and user privileges in compmgmt.msc
Chapter 14 : Encryption and Hashing Concepts

Types of Data

a) Data in Use

b) Data at Rest

c) Data in Transit

Symmetric vs Asymmetric Algorithms

Symmetric : Uses same key for encryption/decryption

ex) DES, AES, RC, Kerberos (Key distribution center)

Stream vs Block Cipher modes

Suited for large volumes of data, fast and efficient

Asymmetric : Uses different keys for encryption/decryption

ex)RSA, Diffie-Hellman, Elliptic curve

Public and private keys are created for asymmetric key scheme

Key Management : Generation and secure storage of strong passwords

Steganography : Art of hiding information in various file formats, usually image files

Encryption Algorithms

DES/3DES

DES – 64 bit block cipher with 56 bit key

3DES – 64 bit block cipher with 168 bit key

AES

128 bit block size, variable key length (128, 192, 256 bit)

Current standard, fast and suited for hardware acceleration

RC

Widely used stream cipher, but vulnerable

Currently up to RC6

Blowfish/Twofish

128 bit block size with ~256 bit key size

RSA

1024/2048 bit key size

 Slow, suited for signing or specific encryption

Vulnerable to MitM attacks, reliant on PKI and digital certificates

Diffie-Hellman

Secure key exchange algorithm

Also vulnerable to MitM attack, reliant on authentication methods

Used in TLS

Can also employ Ephemeral keys (EDH) for perfect forward secrecy

Elliptic Curve Crypto (ECC)

Used in similar fashion to DH but faster and more compact

Can be adopted into other algorithms

Used in VoIP, IPSec

Vulnerable to side channel and fault injection

Other Encryption Algorithms

One time pads

Fast, theoretically pefect information secrecy

Practically dependent on security of PRNG

PGP

Uses various ciphers but mainly employs RSA

Requires same versions to communicate properly, limitation

PRNG

Written in C or Java for efficiency

Serves as a foundation for many cryptosystems

Weak PRNGs are often a vulnerability

Emerging : AI, Genetic algorithms and stylometry

Hashing Basics

Provides message integrity

Cryptographic Hash Functions

MD5

Used commonly for file integrity

Prone to MD5 hash collision attacks

 SHA

Current standard is 256/512 bit SHA-2

RIPEMD & HMAC

LANMAN, NTLM, NTLMv2

Series of password hashing algorithms

LANMAN

Old Windows password hash based on DES

Deprecated and now considered a liability

Disable on either registry or local security policy

NTLM/NTLMv2

NTLM : Based on RC4, now broken

NTLMv2 : Based on HMAC-MD5

However, most Windows opt to use Kerberos instead

Hashing Attacks

Pass the Hash

Uses the saved password hash value to create an authenticated session

Mostly targets Windows/Kerberos for SSO function abuse

Use unique session tokens, multifactor, least privilege

Birthday Attack

Attempt to create a message with hash collision to original message

Targets hashes with weak hash collision resistance

Additional hashing concepts

Key Stretching / Salting

Chapter 15 : PKI and Encryption Protocols

PKI (Public Key Infrastructure)

A system of trust that uses public key crypto to bind a certificate to an identity

Certificates

Digitally signed electronic documents that binds a public key with an entity

Mostly based on X.509 format to facilitate SSO

Contains the following

a) User information and public key

b) Certificate authority information

- Name, digital signature, serial number, issue/expiration date

Mostly used for HTTPS connections, but can also be used for local encryption

Types of SSL Certificates

- Domain Validation

- Organizational Validation

- Extended Validation

- Wildcard Certificates

Single sided vs Double sided certificates

Single sided – validates the server to its user/clients

Double sided – Both server and user validates to each other

Certificate Chain of Trust

Used to validate different pieces of hardware & software

Also provides scalability and flexibility

Certificate Formats

Identifying certificate formats by extension and encoding

X.609 Encoding Rules

a) BER (Basic Encoding Rule)

b) CER (Canonical Encoding Rule)

c) DER (Distinguished Encoding Rule)

Certificate Formats and Extensions

 1. PEM

ASCII encoded, contains “Begin/End Certificate” stmts

.pem/.crt/.cer/.key extensions

Uses DER, .der is in pure binary

2. P12/PFX

Pure binary encoding

.pfx/.p12 extensions

Used to import/export certificates and private keys

Certificate Authorities

Entity : Server that issues certificates to users

Trust third party, often used in HTTPS connections

Clicking on HTTPS padlock allows one to view cert details

Invalid certs are placed on certification revocation list

SSL pinning – attempts to prevent MitM

Online certificate status protocol

Key escrow

Key recovery agent

CA hierarchy w/ offline root CA

Web of Trust

Decentralized, self sign/publishing certificate system

Used by PGP

Security Protocols

Overview

Email : S/MIME, PGP

Web Login : SSL, TLS

Direct Conn. : SSH

Virtual Conn. : PPTP, L2TP

S/MIME

Used for authentication, message integrity and non-repudiation

Requires a digital ID certificate in MS Outlook to use

SSL/TLS

Used for secure internet communication such as browser, VoIP, email etc

Relies on PKI for obtaining and validating certificates

Asymmetric encryption (public key) ​ ​ Symmetric encryption (session key)

Can employ SSL/TLS accelerator

Also heavily used in E-commerce in HTTPS

Downgrade attack (FREAK & DROWN)

SSH

Uses public key crypto to establish remote authenticated connections

Also serves as basis for SFTP, SCP

PPTP, L2TP, IPSec

PPTP

Protocol used for VPNs

Supports PPP packets, designed for dial up but no security

Considered insecure in most cases

L2TP

By default has no encryption or security, but powerful when combined -

- with IPSec

Uses PKI when installed on Windows servers

IPSec

Authenticates and encrypts IP packets

Operates on lower levels of OSI (Network)

Made of 3 different protocols

1. Security Association (SA)

2. Authentication header

3. Encapsulating Security Payload

2 Modes of Implementation

1. Transport mode

Secure transfer of data, encrypted packet payload

Used within LAN or private network

2. Tunnel mode

Entire packet is encrypted

Facilitates VPN through internet

Chapter 16 : Redundancy and Disaster Recovery

Redundancy Planning

Redundancy is key to avoiding single points of failure

Redundant Power

Keep servers and networks alive in failures

Keep accessibility and minimize damage

Common electrical problems

1. Power Surges & Spikes

2. Sags, brownouts and blackouts

3. Power supply failure

Redundant Power Supplies

Enclosure that contains two or more power supplies

Common Vendors : HP, Cisco, Termaltake, Enlight

UPS(Uninterruptable Power Supplies)

Combined surge protector and backup battery (decoupling capacitors)

Cleans up dirty/noisy power like line conditioners

Considered temporary 5-30 min solution to resupply main or backup power

SPS(Standby power supply) vs UPS(Uninterruptable power supply)

Backup Generators

Serves as emergency power supply for an entire system

Standby Generators – automatically operates in a power outage

Types of Generators

a) Portable Gas Engine

b) Permanently Installed

c) Battery Inverter

Considerations

1. Price

2. Manual vs Automatic Operation

3. Uptime / Capacity, Power Output

 4. Fuel Source

Common Vendors : Generac, Gillette, Kohler

Redundant Data

RAID Arrays

RAID 0 – Data Striping

RAID 1 – Data Mirroring

RAID 5 – Striping with parity

RAID 6 – Striping with double parity

RAID 10 – 2 RAID 1 mirrors striped

RAID Classification

a) Failure Resistant

b) Failure Tolerant

c) Disaster tolerant

* a < b < c in terms of protection scope

Redundant Networking

Server Network Adapters

Plan to install multiple redundant adapters

Consider centralized network adapter management software

Main switch/router connection

Always have spare switches/routers

Avoid pure star topologies and single points of failures

Internet Connection

Dual and redundant ISP internet connections

Consider mirror sites for web content

Redundant Servers

Goal : Minimize server downtime in failure and maximize throughput

Failover clusters

Designed so that secondary server takes over when primary fails

Provides high availability

Load balancing clusters

 Several servers share CPU, RAM, hard disk resources

Commonly used in DNS, IRC and FTP servers

Can also employ failover measures by replicating data between servers

Redundant Sites (Physical locations)

Hot site – Complete replication of entire network, servers & phone lines

Warm site – Partial replication with some data recovery

Cold site – Minimal equipment replication

Redundant people

Employ role takeover & primary/secondary personnel protocols

Disaster Recovery Plans and Procedures

Data Backup

Tape Backup

1. Full backup

2. Incremental backup

3. Differential backup

Backup Schemes

1. 10 tape rotation

2. Grandfather-father-son scheme (Daily, weekly, monthly)

3. Tower of Hanos scheme

Snapshot backups

DR Planning

Types of Disasters

1. Fire

2. Flood

3. Long term power loss

4. Theft and attack

5. Loss of building access

Disaster Recovery Plans

Only include necessary information

Things to Include
- Contact Info

- Impact Evaluation : Asset loss and replacement costs

- Recovery Plan

- Business continuity plan

- Copies of various agreements

- Disaster recovery drills

- Critical system and data list

Chapter 17 : Social Engineering, User Education and Facilities Security

Social Engineering Scenarios

1. Pretexting

2. Malicious Insider

3. Diversion Theft

4. Phishing

- Spearphishing

- Whaling

5. Hoax

6. Shoulder Surfing

7. Eavesdropping

8. Dumpster Diving

9. Baiting

10. Piggybacking/tailgating

- employ mantraps

11. Watering Hole attack

Facilities Security

Fire Suppression

a) Fire extinguishers

Fires are classified according to their source

Most fire extinguishers will also cause damage to electronics

1. Class A : Solid combustibles Green Triangle

2. Class B : Flammable liquid and gas Red Square

3. Class C : Electrical (use CO2 extinguisher) Blue Circle

4. Class D : Metals (Magnesium, lithium etc) Yellow Decagon

5. Class K : Cooking oil Black Hexagon

Currently most electronics friendly extinguisher use FE-36 Halotron

b) Sprinkler
 Wet pipe : Most common type

Dry pipe : Supply water only when needed

Pre-Action : Prevents accidental water discharges

c) Special Hazard Protection Systems

Uses special liquid FM-200

Electronics safe

d) HVAC (Heating, Ventilation and Air Conditioning)

Manages temperature and humidity

Hot and cold aisles

SCADA Industrial Control Systems

e) Shielding

STP wires to prevent cable interference

HVAC shielding

Faraday cages

TEMPEST guidelines

Vehicles

Disable mobile tethering in vehicles

CAN (Control Area Network, vehicle’s onboard network) vulnerabilities

GPS systems vulnerabilities

Airgapped Control Systems

Drones
 SKILLCERTPRO

COMPTIA Security Plus+ Master

Cheat Sheet
1.0 Threats, Attacks and Vulnerabilities

1. Given a scenario, analyze indicators of compromise and determine the type of malware.

1. Viruses: An unsolicited and unwanted malicious program.

2. Crypto-malware: A malicious program that encrypts programs and files on the computer in order to
extort money from the user.
3. Ransomware: Denies access to a computer system or data until a ransom is paid. Can be spread
through a phishing email or unknowingly infected website.
4. Worm: A self-contained infection that can spread itself through networks, emails, and messages.
5. Trojan: A form of malware that pretends to be a harmless application.
6. Rootkit: A backdoor program that allows full remote access to a system.
7. Keylogger: A malicious program that saves all of the keystrokes of the infected machine.
8. Adware: A program that produces ads and pop ups using your browser, may replace the original
browser and produce fake ads to remove the adware in order to download more malware.
9. Spyware: Software that installs itself to spy on the infected machine, sends the stolen information
over the internet back to the host machine.
10. Bots: AI that when inside an infected machine performs specific actions as a part of a larger entity
known as a botnet.
11. RAT (Remote Access Trojan): A remotely operated Trojan.
12. Logic bomb: A malicious program that lies dormant until a specific date or event occurs.
13. Backdoor: Allows for full access to a system remotely.

2. Compare and contrast types of attacks.

1. Social engineering: Gathering information on an attack by exploiting the weakest part of security,
people.

1. Phishing: Sending a false email pretending to be legitimate to steal valuable information

from the user.
2. Spear phishing: Attacks that target specific users.
3. Whaling: An attack on a powerful or wealthy individual.
4. Vishing: An attack through a phone or voice communications.
5. Tailgating: Closely following individuals with keys to get access to secure areas.
6. Impersonation: Taking on the identity of an individual to get access into the system or
communications protocol.
7. Dumpster diving: Going through a business’s or person’s trash to find thrown away valuable
information or possessions.
8. Shoulder surfing: Watching as a person enters information.
9. Hoax: False information that deceives the user into compromising security by making them
believe they are at risk.
10. Watering hole attack: A security attack that targets a specific highly secured group by
infecting a commonly visited website by the group’s members.
11. Principles (reasons for effectiveness):

1. Authority: The actor acts as an individual of authority.

2. Intimidation: Frightening or threatening the victim.
3. Consensus: Influenced by what others do, everyone else does it.

1|Page
 SKILLCERTPRO

4. Scarcity: Limited resources and time to act.

5. Familiarity: The victim is well known.
6. Trust: Gain their confidence, be their friend.
7. Urgency: Limited time to act, rush the victim.

2. Application/service attacks:

1. DoS (Denial of Service): Flooding a target machine or resource with many requests to
overload the system and prevent use of its resources.
2. DDoS (Distributed Denial of Service): Multiple different sources attack one victim.
3. Man-in-the-middle: The attacker alters the communication between two parties who believe
they are directly communicating.
4. Buffer overflow: A program attempts to write more data than can be held in fixed block of
memory.
5. Injection: Occurs from processing invalid data, inserts code into the vulnerable computer
program and changes the course of execution.
6. Cross-site scripting (XXS): Found in web applications, allows for an attacker to inject client-
side scripts in web pages.
7. Cross-site request forgery (XSRF): Unauthorized commands are sent from a user that is
trusted by the website. Allows the attacker to steal cookies and harvest passwords.
8. Privilege escalation: An attack that exploits a vulnerability that allows them to gain access to
resources that they normally would be restricted from accessing.
9. ARP poisoning: The act of falsifying the IP-to-MAC address resolution system employed by
TCP/IP.
10. Amplification: The amount of traffic sent by the attacker is originally small but then is
repeatability multiplied to place a massive strain on the victim’s resources, in an attempt to
cause it to fail or malfunction.
11. DNS poisoning: Is a type of attack that exploits vulnerabilities in the domain name system
(DNS) to divert Internet traffic away from legitimate servers and towards fake ones.
12. Domain hijacking: The act of changing the registration of a domain name without the
permission of the victim.
13. Man-in-the-browser: A proxy Trojan horse that infects web browsers and capture browser
session data
14. Zero day: The aim is to exploit flaws or vulnerabilities in targeted systems that are unknown
or undisclosed to the world in general. Meaning that there is no direct or specific defense to
the attack; which puts most systems vulnerable assets at risk.
15. Replay: Is a network-based attack where a valid data transmission is rebroadcasted,
repeated, or delayed.
16. Pass the hash: An authentication attack that captures and uses the hash of a password. The
attacker then attempts to log on as the user with the stolen hash. This type of attack is
commonly associated with the Microsoft NTLM (New Technology LAN Manager) protocol.
17. Hijacking and related attacks:

1. Clickjacking: Deceives the user into clicking on a malicious link by adding the link
to a transparent layer over what appears to be a legitimate web page.
2. Session hijacking: An attack in which an attacker attempts to impersonate the
user by using their legitimate session token.
3. URL hijacking: Redirects the user to a false website based on misspelling the
URL, and is also referred to typosquatting.
4. Typosquatting: An alternate name for URL hijacking.

18. Driver manipulation:

1. Shimming: The process of injecting alternate or compensation code into a system

in order to alter its operations without changing the original or existing code.

2|Page
 SKILLCERTPRO

2. Refactoring: Rewrites the internal processing of code without changing its

behavior.

19. MAC spoofing: The attacker falsifies the MAC address of a device.
20. IP spoofing: An intruder uses another site's IP address to masquerade as a legitimate site.

3. Wireless attacks:

1. Replay: This is a passive attack where the attacker captures wireless data, records it, and
then sends it on to the original recipient without them being aware of the attacker's
presence.
2. IV (Initialization Vector): A random number used to increase security by reducing
predictability and repeatability.
3. Evil twin: Has same SSID (Service Set Identifier) as a proper access point (AP). Once a user
connects to it, all wireless traffic goes through it instead of the real AP.
4. Rogue AP (Access Point): An unauthorized WAP (Wireless Access Point) or Wireless Router
that allows for attackers to bypass many of the network security configurations and opens
the network and its users to attacks.
5. Jamming: Disabling a wireless frequency with noise to block the wireless traffic.
6. WPS (WiFi Protected Setup): Allows users to easily configure a wireless network, sometimes
by using only a PIN. The PIN can be found through a brute force attack.
7. Bluejacking: Sending unauthorized messages to a Bluetooth device.
8. Bluesnarfing: Gaining unauthorized access to, or stealing information from a Bluetooth
device
9. RFID (Radio Frequency Identifier): Communicates with a tag placed in or attached to an
object using radio signals. Can be jammed with noise interference, the blocking of radio
signals, or removing/disabling the tags themselves.
10. NFC (Near Field Communication): A wireless technology that allows for smartphones and
other devices to establish communication over a short distance.
11. Disassociation: Removes clients from a wireless network.

4. Cryptographic attacks

1. Birthday: Used to find collisions in hashes and allows the attacker to be able to create the
same hash as the user. Exploits that if the same mathematical function is performed on two
values and the result is the same, then the original values are the same.
2. Known plain text/cipher text:

1. Plain text: The attacker has both the plaintext and its encrypted version.
2. Cipher text: The attacker has access only to the encrypted messages.

3. Rainbow tables: Large pregenerated data sets of encrypted passwords used in password
attacks.
4. Dictionary: A password attack that creates encrypted versions of common dictionary words
and then compares them against those in a stolen password file. Guessing using a list of
possible passwords.
5. Brute force: A password-cracking program that tries every possible combination of
characters through A to Z.
6. Online vs. offline:

1. Online: Is against a live logon prompt.

2. Offline: The attack is working on their own independent computers to
compromise a password hash.

7. Collision: When two different inputs produce the same hash value.

3|Page
 SKILLCERTPRO

8. Downgrade: Forces a system to lessen its security, this allows for the attacker to exploit the
lesser security control. It is most often associated with cryptographic attacks due to weak
implementations of cipher suites. Example is TLS > SSL, a man-in-the-middle POODLE attack
exploiting TLS v1.0 - CBC mode.
9. Replay: The attacker captures network packets and then retransmits them back onto the
network to gain unauthorized access.
10. Weak implementations: The main cause of failures in modern cryptography systems are
because of poor or weak implementations instead of a failure caused by the algorithm itself.

3. Explain threat actor types and attributes.

1. Script kiddies: A person who uses pre-existing code and scripts to hack into machines, because they
lack the expertise to write their own.
2. Hacktivist: An individual who is someone who misuses computer systems for a socially or
politically motivated agenda. They have roots in the hacker culture and ethics. Hacker on a mission.
3. Organized crime: These are professionals motivated ultimately by profit. They have enough money to
buy the best gear and tech. Multiple people perform specific roles: gathering data, managing exploits,
and one who actually writes the code.
4. Nation states/APT: An APT is an advanced persistent threat, these are massive security risks that can
cost companies and countries millions of dollars. Nation states have very sophisticated hacking teams
that target the security of other nations. They often attack military organizations or large security
sites, they also frequently attack power plants.
5. Insiders: Someone who is inside the company who has intricate knowledge of the company and how
its network works. They can pinpoint a specific vulnerability and may even have access to multiple
parts of the network.
6. Competitors: Rival companies, can bring down your network or steal information through espionage.
7. Internal/external: Internal is inside the company, can be intentional, unintentional, or an act of God.
External is someone outside the company trying to get in.
8. Level of sophistication: Is the skill of the hacker and the complexity of the attack.
9. Resources/funding: The amount of money and the value of the tech and gear being used.
10. Intent/motivation: The reason for the attack, can be for political, monetary, or social reasons.
11. Use of open-source intelligence (OSINT): Data that is collected through publicly available information.
This can be used to help make decisions. Can be used by threat actors to help find their next target or
how to best attack their target. OSINT is also incredibly helpful for mitigating risks and for identifying
new threat actors.

4. Explain penetration testing concepts.

1. Active reconnaissance: Is the use of tools to send data to systems and then understanding their
responses. Usually starts with various network and vulnerability scanners. Can be incredibly illegal
and should not be engaged without being prepared and proper authorization.
2. Passive reconnaissance: You are not touching any of the target’s equipment. Instead you are going
through and gathering that is already available. Forums and social media are great sources for
gathering information about the company and its employees.
3. Pivot: In penetration testing it is using a compromised machine to attack other machines on the same
network. Attacking and gaining access to an area of lower security in order to be more likely to have a
successful attack on an area of greater security. Is also referred to as island hopping.
4. Initial exploitation: Usually the hardest part. A vulnerability is taken advantage of to get into the
network or system.
5. Persistence: Installing backdoors or methods to keep access to the host or networks.
6. Escalation of privilege: Allows for a user to get a higher-level access than what authentication allows
for. Can be resolved through patching and updating. Typically related to a bug or vulnerability
7. Black box: You know nothing of the network, you have no prior knowledge.
8. White box: You are given a network map and you have full knowledge of the configurations allowing
you to perform specific tests.
9. Gray box: Knowledge of the network but not incredibly detailed.

4|Page
 SKILLCERTPRO

10. Penetration testing vs. vulnerability scanning: Penetration testing is an active attack on the network
to exploit vulnerabilities, can assess potential damages and the potential of the exploits being found.
Is done by a human. Vulnerability scans passively scans and identifies vulnerabilities. Is automated.

5. Explain vulnerability scanning concepts.

1. Passively test security controls: Uses an automated vulnerability scanner. Observes and reports
findings. Does not take down systems, applications, or services, and doesn’t disrupt business.
2. Identify vulnerability: Understanding common attacks and taking inventory of vulnerabilities.
Scanners can report: missing updates, misconfigured security settings, and known exploits.
3. Identify lack of security controls: Vulnerability scanners can identify missing patches or antivirus.
4. Identify common misconfigurations: Weak passwords, default usernames and passwords, and open
ports.
5. Intrusive vs. non-intrusive: Intrusive testing can interrupt service, is much more detailed, and exploits
vulnerabilities. Non-intrusive is more passive, does not exploit vulnerabilities, and does not disrupt
service.
6. Credentialed vs. non-credentialed: Credentialed are done as though it is inside the network, emulates
an insider attack. Non-credentialed are done as though it is outside the network, emulates an outside
attack. Shows what would be found if the network was scanned.
7. False positive: A result which shows incorrectly that a condition or attribute is present. A false
vulnerability.

6. Explain the impact associated with types of vulnerabilities

1. Race conditions: The behavior of a software, electronic, or another system’s output is dependent on
the timing, sequence of events, or a factor out of the user’s control.
2. Vulnerabilities due to:

1. End-of-life systems: No longer receives updates, and at a high risk to compromise.

2. Embedded systems: Programs added for automation and/or monitoring. Can allow for
malicious programs to gain access through the added programs.
3. Lack of vendor support: Vendor does not support the product: does not update, improve, or
protect the product.

3. Improper input handling: The system does not properly validate data, allows for an attacker to create
an input that is not expected. Allows for parts of the system vulnerable to unintended data.
4. Improper error handling: The error messages display sensitive or private information that give the
user too much data.
5. Misconfiguration/weak configuration:
6. Default configuration: Uses the unsecure out-of-box settings.
7. Resource exhaustion: A denial of service occurs, the amount of resources to execute an action are
expended, making it unable for the action to be performed.
8. Untrained users: Users are not properly informed on how to use the systems. This means that
mistakes will more likely occur and that the system’s resources may be abused.
9. Improperly configured accounts: Users should only be allowed to access the parts that they need to
complete their work.
10. Vulnerable business processes: All tasks, procedures, and functions should be properly assessed and
the most valuable and vulnerable should be heavily protected.
11. Weak cipher suites and implementations: Use of older and less robust cryptographic algorithms. EX.
DES, WEP
12. Memory/buffer vulnerability:

1. Memory leak: Leaves the system unresponsive.

2. Integer overflow: Large integer exceeds data storage capacity.
3. Buffer overflow: Too much data for the computer’s memory to buffer.

5|Page
 SKILLCERTPRO

4. Pointer dereference: Failed deference can cause memory corruption and the application to
crash.
5. DLL injection: Allows for the running of outside code.

13. System sprawl/undocumented assets: Lack of internal inventory and allowing unsecure devices and
systems to connect to the network.
14. Architecture/design weaknesses: An insecure and poorly designed network. Ex. Not segmenting the
systems or internal network.
15. New threats/zero day: A zero-day threat, is a flaw that is unknown to the teams patching and fixing
flaws.
16. Improper certificate and key management: Allowing for unauthorized access to certificates and keys,
which allows for sensitive data to be decrypted. And allowing for certificates to expire.

2.0 Technologies and Tools Install and configure network components,

1. Hardware and software-based, to support organizational security.

1. Firewall: A network security system that monitors and controls incoming and outgoing network traffic
based on predetermined security rules.

1. ACL (Access control lists): A list of rules that can be used to control traffic based on networks,
subnets, IP addresses, ports, and some protocols.
2. Application-based vs. network-based:

1. Application-based: Protects the user from applications and services by monitoring

and potentially blocking the input, output, or system service calls that do not
meet the configured policy of the firewall.
2. Network-based: Filtering traffic based on firewall rules and allows only authorized
traffic to pass in and out of the network

3. Stateful vs. stateless:

1. Stateful: Stateful firewalls block traffic based on the state of the packet within a
session. It adds and maintains information about a user's connections in a state
table, referred to as a connection table.
2. Stateless: Stateless firewalls uses rules within an ACL to identify allowed and/or
block traffic through packet filtering.

4. Implicit deny: The last rule in an ACL that indicates that, "all traffic that isn't explicitly allowed
is implicitly denied".

2. VPN concentrator: A type of router device that allows for the secure creation of VPN connections and
for the safe delivery of messages between VPN nodes. Allows for the handling of a large quantity of
VPN tunnels.

1. Remote access vs. site-to-site:

1. Remote access: A user-to-LAN connection used by remote users.

2. Site-to-site: Allows multiple sites to connect to remote sites over the internet.

2. IPSec: A protocol suite for securing Internet Protocol (IP) communications. Encrypts and
authenticates all of the packets in a session between hosts or networks. Secures more
applications than SSL and TLS.
3. Tunnel mode: The default mode for IPSec, the entire pack is protected.

6|Page
 SKILLCERTPRO

4. Transport mode: Used for end-to-end communications in IPSec. Ex. encrypted Telnet or
Remote Desktop session from a workstation to a server.
5. Authentication Header (AH): IPsec protocol that authenticates that the packets received
were sent from the source identified in the header.
6. ESP (Encapsulating Security Payload): IPSec component that provides the same services as
AH and also ensures confidentiality when sending data.
7. Split tunnel vs. full tunnel:

1. Split tunnel: Only some traffic over the secure VPN while the rest of the traffic
directly accesses the internet.
2. Full tunnel: All of the traffic is sent over the secure VPN.

8. TLS: The replacement of SSL to encrypt data-in-transit. Uses certificates issued by CAs.
9. Always-on VPN: The user does not connect and disconnect and instead is always connected.

3. NIPS (Network Intrusion Prevention System)/NIDS (Network Intrusion Detection System):

1. Signature-based: Detects attacks based on known attack patterns documented as attack

signatures.
2. Heuristic/behavioral: It detects attacks by comparing traffic against a baseline to find any
anomalies.
3. Anomaly: Abnormal packets or traffic.
4. Inline vs. passive:

1. Inline: Connected directly to the network and monitors the flow of data as it
occurs.
2. Passive: Connected through a switch or port on the network and receives a copy
of the flow of data as it occurs.

5. In-band vs. out-of-band:

1. In-band: Sits in the network, can quickly warn of or prevent malicious traffic.
2. Out-of-band: Out the can only warn of malicious traffic.

6. Rules: Standards set to differentiate good traffic from suspicious traffic.

7. Analytics: Shows the amount, type and history of traffic coming through.
8. False positive: NIPS blocks legitimate incoming traffic.
9. False negative: NIPS allows harmful incoming traffic.

4. Router: A device that directs data traffic along specific routes.

1. ACLs (Access Control List): A list of permit or deny rules detailing what can or can't enter or
leave the interface.
2. Anti-Spoofing: A device with the intent of excluding packets that have invalid source
addresses.

5. Switch: A networking device that connects devices together on a computer network

1. Port security: Requires a username and a password and authenticate before gaining access
to any of the switch interfaces.
2. Layer 2 vs. Layer 3:

1. Layer 2: Packets are sent to a specific switch port based on destination MAC
addresses.

7|Page
 SKILLCERTPRO

2. Layer 3: Packets are sent to a specific next-hop IP address, based on destination IP

address.

3. Loop prevention: Spanning-tree algorithms can determine the best path to a host while
blocking all other paths to prevent loops. Loops can cause a denial of service.
4. Flood guard: Configuration that sets the maximum number of MAC addresses that could
possibly be seen on any particular interface.

6. Proxy: Acts as an intermediary for requests from clients seeking resources from servers that provide
those resources.

1. Forward and reverse proxy:

1. Forward proxy: Forwards requests from internal clients to external servers.

2. Reverse proxy: Takes in requests from the Internet and forwards them to an
internal web server.

2. Transparent: Accepts and forwards requests without performing any modifications on them.
3. Application/multipurpose: A type of proxy server that knows the application protocols that it
supports.

7. Load balancer: A reverse proxy that distributes network or application traffic across a number of
servers designed to increase capacity of concurrent users and reliability of applications.

1. Scheduling: Sends requests to servers using set rules.

2. Affinity: Sends client requests to the same server based on the client's IP address.
3. Round-robin: Sends requests in a predefined order.
4. Active-passive: Some servers are not active and only go active to take excess traffic or if an
active server fails.
5. Active-active: All servers are actively processing requests
6. Virtual IPs: An IP address and a specific port number that can be used to reference different
physical servers. Provides IP addresses that can float between two or more physical network
nodes and provide redundancy.

8. Access point:

1. SSID: Name of a wireless network.

2. MAC filtering: A method of controlling access on a wired or wireless network by denying
unapproved MAC address access to a device.
3. Signal strength: The quality and distance of a signal.
4. Band selection/width: Can be set between 2.4 GHz and 5 GHz depending on which 802.11
protocol is being used.
5. Antenna types and placement:
6. Fat vs. thin:

1. Fat: Has everything necessary to handle wireless clients. If end-user deploys

several Fat Wireless Access Points, each one needs to be configured individually.
2. Thin: Acts as a radio and antenna that is controlled by a wireless switch. If
multiple thin wireless access points are deployed, the entire configuration takes
place at the switch. This is the far cheaper option.

7. Controller-based vs. standalone:

1. Controller-based: Require a controller for centralized management and are not

manually configured.

8|Page
 SKILLCERTPRO

2. Standalone: Do not require a controller and are generally used in smaller

environments.

9. SIEM (Security Information and Event Management):

1. Aggregation: The gathering of log and event data from the different network security devices
used on the network.
2. Correlation: Relating various events to identifiable patterns. If those patterns threaten
security, then action must be taken.
3. Automated alerting and triggers: Sends messages based on configured rules based on events
that occur within the log files.
4. Time synchronization: Ensures that the time is the same across devices so that all security
events are recorded at the same time using Network Time Protocol.
5. Event deduplication: Trimming event logging so that the same event is not recorded over and
over again, overflowing log space.
6. Logs/WORM: Prevents alteration of logs and archives the source logs with write protection.

10. DLP (Data Loss Prevention): Policies and technologies that protect data loss through theft or
destruction.

1. USB blocking: Prevents the use of USBs

2. Cloud-based: Prevents sensitive data from being stored on the cloud without proper
encryptions and authorization.
3. Email: Protects against email fraud and from valuable data from being sent through email.

11. NAC (Network Access Control): Enforces security policies on devices that access networks to increase
network visibility and reduce risk.

1. Dissolvable vs. permanent:

1. Dissolvable: Disappears after reporting information to the NAC device.

2. Permanent: Resides on end devices until uninstalled.

2. Host health checks: Reports sent by network access control to gather information on
installed devices.
3. Agent vs. agentless:

1. Agent: Is installed on the end device.

2. Agentless: Is not installed on the device itself but instead is embedded within a
Microsoft Windows Active Directory domain controller.

12. Mail gateway: Examines and processes all incoming and outgoing email.

1. Spam filter: An on-premises software solution for filtering, well spam emails.
2. DLP (Data Loss Prevention): Prevents certain information leaving the organization via email.
3. Encryption: Encrypt and decrypts emails being sent and received across networks.

13. Bridge: Provides interconnection with other bridge networks using the same protocol.
14. SSL/TLS accelerators: The process of offloading processor-intensive public-key encryption for TLS or
its SSL to a hardware accelerator.
15. SSL decryptors: Allows for the user to view inside of passing Secure HTTP traffic.
16. Media gateway: Converts media streams between disparate telecommunications technologies.
17. Hardware security module: Safeguards and manages digital keys for strong authentication and
provides cryptoprocessing.

9|Page
 SKILLCERTPRO

2. Given a scenario, use appropriate software tools to assess the security posture of an organization.

1. Protocol analyzer: Hardware or software that captures packets to decode and analyze their contents.
Allows for you to easily view traffic patterns, identify unknown traffic, and verify packet filtering and
security controls.

1. Big data analytics: Allows for the user to store large amounts of data and then easily go
through it.

2. Network scanners: A computer program used for scanning

networks to obtain user names, host names, groups, shares, and services.

1. Rogue system detection: Find devices that are not supposed to be on the network, such
as rogue AP’s.
2. Network mapping: Identifying all devices on a network along with a list of ports on those
devices.

3. Wireless scanners/cracker:

1. Wireless scanners: Is for wireless monitoring, it scans wireless frequency bands in order to
help discover rogue APs and crack passwords used by wireless APs.
2. Wireless cracker: Uses wireless attacks to test if an attacker could find the passwords to gain
access to parts of your network.

1. • WEP - Cryptographic vulnerabilities, is relatively straightforward.

2. • WPA1 PSK and WPA2 PSK, uses dictionary brute force and rainbow tables
attacks.

4. Password cracker: A program that uses the file of hashed passwords, such as a rainbow table, and
then attempts to break the hashed passwords of the network. Getting the hashes is the hardest part.
5. Vulnerability scanner: Attempts to identify vulnerabilities, misconfigured systems, and the lack of
security controls such as up-to-date patches. They can be passive or active, either way they have little
impact on a system during the test.
6. Configuration compliance scanner: A vulnerability scanner that verifies systems are configured
correctly and meet the minimum-security configurations, it typically does this by comparing the
system to a file that has the proper configurations. This is an ongoing task and can be integrated with
the logon process.
7. Exploitation frameworks: An already created set of exploits that already have all the major
components designed, the user just needs to figure out how to inject them into the network. These
toolsets can be used offensively by hackers or defensively by pen testers.
8. Data sanitization tools: Tools that overwrite data on hard drives so that it is unrecoverable, this only
needs to be done once but some may do it multiple times to feel safe.
9. Steganography tools: Allows for the user to embed data into an image, video, sound files, or packets.
It is security through obscurity.
10. Honeypot: Decoy systems or networks to gather information on the attacker.
11. Backup utilities: Important to protect data from being lost, downtime, or corrupted.
12. Banner grabbing: The process of capturing the initial message (the banner) from a network service.
Often the banner discloses the application's identity, version information, and other sensitive
information.
13. Passive vs. active:

1. Passive: You are observing.

2. Active: You are interacting with the network by sending traffic and trying to access parts of
the network.

10 | P a g e
 SKILLCERTPRO

14. Command line tools:

1. ping: The name is based on the sound made by sonar. Tests reachability, it is a primary
troubleshooting tool.
2. netstat (Network statistics):

1. netstat -a: Show all active connections.

2. netstat -b: Show binaries, for Windows.
3. netstat -n: Does not resolve names.

3. tracert (Windows)/traceroute (MacOS/Linux): Uses the ICMP (Internet Control Message

Protocol) time to live (TTL) error message to map the path of a packet. Time in TTL is
measured in hops, TTL = 1 for the first router, and 2 refers to the second router.
4. nslookup/dig (Domain Information Groper):

1. nslookup: Used to gather information from DNS servers, lookups names and IP
addresses. Was replaced by dig.
2. dig (Domain Information Groper): More advanced than nslookup and shows more
detailed domain information. Is for Linux but can be downloaded for windows.

5. arp (Address Resolution Protocol): Used to view MAC addresses.

1. Arp -a: Views the local arp table.

6. ipconfig/ip/ifconfig:

1. ipconfig: Shows the Windows TCP/IP configuration.

2. ip: Used to replace ifconfig on Linux. Shows and manipulates settings on the
network interface card (NIC).
3. ifconfig: Shows the Linux interface configuration.

7. tcpdump: A command-line packet analyzer that allows to capture packets from the
command line.
8. nmap: It is designed to scan a network and create a map, this is useful as a vulnerability
scanner because it can find open ports and unsecured access points.
9. netcat: Is used to safely connect to remote systems using command line instead of a front-
end application. Can also be used for banner grabbing.

3. Given a scenario, troubleshoot common security issues.

1. Unencrypted credentials/clear text: All authentication must be encrypted. Unencrypted credentials

can allow for the attacker to: elevate privileges, establish a foothold, maintain persistence, and move
to other networks.
2. Logs and events anomalies: Block all outside access until the issue is fixed, backup and preserve the
current logs, and if possible, restrict access to more sensitive data till the issue is fixed.
3. Permission issues: Determine how much access a specific user needs to be able to complete their job.
Confirm permissions on initial configurations, perform periodic audits, and provide a process for
changes and updates.
4. Access violations: Segmentation fault, OS locks you out, or prevents access to restricted memory. A
user is able to properly logon and then access systems they don’t have proper authorization for.
5. Certificate issues: Certificates should be signed by someone trusted, be up to date, and be properly
checked.
6. Data exfiltration: Data is your most important asset to and attackers.
7. Misconfigured devices:

11 | P a g e
 SKILLCERTPRO

1. Firewall: Provide too much access, and to audit when using a large rule base,
2. Content filter: URLs are not specific, and some protocols are not filtered.
3. Access points: No encryption mechanisms and Open configurations from the wireless side.

8. Weak security configurations: Make sure to regularly upgrade equipment and update firmware. Using
hash algorithms that are susceptible to collisions.
9. Personnel issues: The weakest link

1. Policy violation: Transferring private data or visiting unsafe websites.

2. Insider threat: Authenticated users have free reign. Assign correct user rights and
permissions.
3. Social engineering: Deceit can cause employees to give up personal or valuable data.
4. Social media: Sharing private data or personal information.
5. Personal email: Uses company resources and leaves the network vulnerable.

10. Unauthorized software: Don’t know what it is: could conflict with company software, could be
malware, or could be useful for work.
11. Baseline deviation: Everything is well documented, any changes to the norm should be noted, and no
remote access until it matches the baseline.
12. License compliance violation (availability/integrity): Make sure licenses are up to date and valid.
13. Asset management: Identify and track assets to respond faster to security risks. Keep detailed records
of the most valuable assets. Usually automated.
14. Authentication issues: The more factors the safer, makes sure the user is actually the correct person.

4. Given a scenario, analyze and interpret output from security technologies.

1. HIDS/HIPS:

1. HIDS (Host-based intrusion detection system): Runs on a single computer and alerts of
potential threats to help warn of attacks against that host.
2. HIPS (Host-based intrusion prevention system: Runs on a single computer and intercepts
potential threats to help prevent attacks against that host.

2. Antivirus: Software that is specifically designed to detect viruses and protect a computer and files
from harm.
3. File integrity check: An application that can verify that the files have not been modified using hash
algorithms to authenticate the file.
4. Host-based firewall: A firewall that is on a single host that only restricts incoming and outgoing
network activity for that host.
5. Application whitelisting: The practice of allowing only approved programs to run on a computer,
computer network, or mobile device.
6. Removable media control: Blocks users from using USB drives, CD/DVD drives or portable hard
drives/flash drives to help prevent the installation of viruses, malware, and exfiltration of data.
7. Advanced malware tools: Block malware from running by blocking file signature,
heuristics/Anomalous behavior, sandboxing, virtualizing. Need to be routinely updated with the latest
definitions to be secure and protect against current threats.
8. Patch management tools: Tools that aid in the: monitoring, evaluating, testing, and installing of the
most current software patches and updates.
9. UTM (Unified Threat Management): A group of security controls combined in a single solution that
can inspect data streams for malicious content and block it.
10. DLP (Data Loss Prevention): Systems that identify, monitor, and protect data: from unauthorized use,
transfers, modification, or destruction.
11. Data execution prevention (DEP): Memory regions are marked as non-executable which prevents
code from being executed. This protects against memory abuse attacks such as buffer overflows.

12 | P a g e
 SKILLCERTPRO

12. Web application firewall: A firewall that looks monitors and filters packets carrying HTTP traffic using
a set of communication rules.

5. Given a scenario, deploy mobile devices securely.

1. Connection methods

1. Cellular: Network used for mobile phones.

1. Potential Risks: Cellular devices are susceptible to traffic monitoring, location

tracking, and gain access to the device from anywhere in the world.

2. WiFi: A local area network that uses high frequency radio signals to transmit and receive data
over distances of a few hundred feet.

1. Potential Risks: If the Wi-Fi connection is not encrypted it is vulnerable to

eavesdropping. Jamming frequencies or interferences can cause a denial of
service.

3. SATCOM: Satellite Communications that is used for communications in remote areas and
during natural disasters.

1. Potential Risks: SATCOM devices are at risk of leaking geopositioning data and
remote code execution, and are not easily updated remotely.

4. Bluetooth: Allows electronic devices like cell phones and computers to exchange data over
short distances using radio waves.
5. NFC (Near Field Communication): Enable two electronic devices in short proximity to
each other. Typically used as a payment system, but can also be used as an identity token
and to help pair Bluetooth devices.

1. Potential Risks: Active devices can perform a remote capture up to a ten meter
range. Jamming frequencies or interferences can cause a denial of service. Can be
vulnerable to relay and replay attacks.

6. ANT: A wireless sensor protocol that uses a 2.4 GHz ISM (industrial, scientific, and medical)
band to communicate. Used in heart monitors, sports and fitness sensors.

1. Potential Risks: At risk of jamming band, and eavesdropping because encryption is

vulnerable.

7. Infrared: Electromagnetic waves of frequencies lower than the red of visible light. Used to
control entertainment devices and other IR devices.
8. USB (Universal Serial Bus): A cable used to connect mobile devices to other devices. Is
comparatively safer than wireless because it requires a physical connection and data is not
allowed to be transferred without being unlocked first.

1. Potential Risks: Mobile devices can appear as storage devices allowing for the
exfiltration and theft of data.

2. Mobile device management concepts:

1. Application management: Limiting which applications can be installed on a device.

13 | P a g e
 SKILLCERTPRO

2. Content management: Limiting access to content hosted on company systems, and

controlling access to company data stored on mobile devices.
3. Remote wipe: Allows for the deletion of all data and possibly even configuration settings
from a device remotely.
4. Geofencing: Using GPS to define geographical boundaries where the app can be used.
5. Geolocation: The location of a device identified by GPS.
6. Screen locks: Prevents someone from being able to pick up and use a mobile device.
7. Push notification services: Using SMS texts to send messages to selected users or groups.
8. Passwords and pins: Keep the device safe with something you know.
9. Biometrics: Keep the device safe with something you are.
10. Context-aware authentication: Uses multiple elements to authenticate a user and a mobile
device.
11. Containerization: isolating and protecting the application, including any data used by the
application.
12. Storage segmentation: Separates the information on a device into partitions.
13. Full device encryption: Protects against loss of confidentiality

3. Enforcement and monitoring for:

1. Third-party app stores: Anything that isn’t from the Apple's App Store or Google Play. More
likely to be a risk to security.
2. Rooting/jailbreaking:

1. Rooting: Android, the process of modifying the device to gain root-level (full
administrator) access.
2. Jailbreaking: Apple, the process removing all software restrictions from the
device.

3. Sideloading: The process of copying an application package to a mobile device.

4. Custom firmware: The removal of the pre-installed firmware and replacing it. This may
remove bloatware included by the vendor or telco, add or remove features, and streamline
the OS to optimize performance.
5. Carrier unlocking: Means the device can be used by any carrier. Most cellular devices only
work with specific carriers.
6. Firmware OTA updates: The downloading of: upgrades, patches, and improvements to the
existing firmware.
7. Camera use: A cable used to connect mobile devices to other devices.
8. SMS/MMS: Sending alerts through text messages.
9. External media: Disable it to prevent the transferring of files through physical ports.
10. USB OTG (Universal Serial Bus On-The-Go):
11. A cable used to connect mobile devices to other devices. It is one of many methods that you
can use to connect a mobile device to external media.
12. Recording microphone: Disable it to prevent people from being able to listen in on
conversations.
13. GPS tagging: Adding GPS information to the video, photo giving its location
14. WiFi direct/ad hoc: Means for wireless devices to connect directly to each other without a
wireless access point.
15. Tethering: The process of sharing an Internet connection from one mobile device to another.
16. Payment methods:

4. Deployment models:

1. BYOD (Bring Your Own Device): Employees to connect their own personal devices to the
corporate network to work.
2. COPE (Corporate Owned, Personally Enabled): Are owned by the organization, but can be
used personally by employees.

14 | P a g e
 SKILLCERTPRO

3. CYOD (Choose Your Own Device): Employees can purchase devices on the list and bring them
to work. The company then supports, monitors, and manages the device.
4. Corporate-owned: Company owns and controls all aspects, no personal info at all, most
secure for company.
5. VDI (Virtual Desktop Infrastructure): A virtual desktop that is created so users can access
their desktop from a mobile device.

6. Given a scenario, implement secure protocols.

1. Protocols:

1. DNS (Domain Name Service): Does not have any security in its original design. The
hierarchical and decentralized naming system for computers, services, or other resources
connected to a private network or the internet.
2. DNSSEC (Domain Name Service Security Extensions): Primary purpose is to provide a reliable
authorization service between devices when performing operations on the DNS. Must be
digitally signed.
3. SSH (Secure Shell): Replaces Telnet. TCP (Transmission Control Protocol) over Port 22. Allows
for a securely encrypted terminal connection.
4. S/MIME (Secure/Multipurpose Internet Mail Extensions): Digitally signed email content using
public key encryption.
5. SRTP (Secure Real-time Transport Protocol): Protected and encrypted voice communications.
6. LDAPS (Lightweight Directory Access Protocol Secure): TCP ports 389 and 636. Protocol used
for reading and writing directories over an IP network. Uses the X.500 specifications written
by the International Telecommunications Union (ITU) over SSL/TLS.
7. FTPS (File Transfer Protocol Secure): TCP Ports 989/990. File transfer using SSL/TLS.
8. SFTP (Secure File Transfer Protocol): TCP Port 22. FTP over an SSH channel.
9. SNMPv3 (Simple Network Management Protocol Version 3): Ports 161/162. Encrypted
statistics gathering from a router.
10. SSL (Secure Sockets Layer)/TLS (Transport Layer Security):

1. SSL (Secure Sockets Layer): Encryption technology developed for web and email
over the transport layer. Uses public keys to exchange symmetric keys.
2. TLS (Transport Layer Security): The replacement for SSL, is sometimes called SSL
still. Used to encrypt the communication of servers in an organization.

11. HTTPS (Hypertext Transfer Protocol Secure): TCP port 443. HTTP over SSL/TLS provides a
secure connection between the server and web browser.
12. Secure POP (Post Office Protocol)/IMAP (Internet Message Access Protocol):

1. Secure POP (Post Office Protocol): Sends from port 110 to 995. Encrypted email
communications used for retrieving email from a mail server over SSL/TLS.
2. Secure IMAP (Internet Message Access Protocol): Sends from port 143 to 993. Is
standard email protocol for storing email messages on a mail server over SSL/TLS.

2. Use cases:

1. Voice and video: SRTP.

2. Time synchronization: NTPsec.

1. NTPsec (Secure network time protocol): Used to securely sync all the devices’
clocks on the network.

3. Email and web: S/MIME and HTTPS.

4. File transfer: FTPS or SFTP.

15 | P a g e
 SKILLCERTPRO

5. Directory services: LDAPS or SASL.

1. SASL (Simple Authentication and Security Layer): Provides a source of additional

authentication using many different methods, such as Kerberos or client
certificates.

6. Remote access: SSH.

7. Domain name resolution: DNSSec.
8. Routing and switching: SNMPv3, SSH, or HTTPS.

1. SNMPv3: Provides continentality, integrity, and authentication.

2. HTTPS: Allows for browser-based management.

9. Network address allocation: DHCP, there is no secure version it.

1. DHCP starvation attack: Using spoofed MAC addresses to exhaust the amount of
DHCP’s pool. Can configure a switch to limit the number of MAC addresses on an
interface.

10. Subscription services: Anti-viruses and anti-malware are subscription based. Must check
regularly for updates. Set up integrity checks to verify the updates are coming from the
correct source.

3.0 Architecture and Design

1. Explain use cases and purpose for frameworks, best practices and secure configuration guides.

1. Industry-standard frameworks and reference architectures:

1. Framework: Is a collection of standardized policies, procedures and guides, meant to direct a:

user, firm, or any organization.
2. Regulatory: Is a framework that is based on mandated laws and regulations. HIPAA is an
example of this.
3. Non-regulatory: The common standards and best practices that the organization follows.
4. National vs. international:

1. National: Framework based on the laws of a single country.

2. International: Framework based on the laws of multiple countries.

5. Industry-specific frameworks: Frameworks based on the standards and regulations of a

certain industry.

2. Benchmarks/secure configuration guides: Instructions that have been developed over years that are
designed to give organizations the best and most secure configurations for a particular system.

1. Platform/vendor-specific guides: Hardening guides that are specific to the software or

platform, also you can get feedback from the manufacturer or internet interest groups.
System default configurations are unsecured and at high risk for exploits.
2. Web server: Web application firewall (WAF), DMZ, Reverse Proxy for incoming
communication from the internet to the server.
3. Operating system: Implement a change management policy.
4. Application server: Securing an application server means using industry standard guides,
vendor specific, locking down the server to only the ports it needs for its specific role.

16 | P a g e
 SKILLCERTPRO

5. Network infrastructure devices: Use national vs international guides, regulatory/non-

regulatory and general purpose guides for securing.
6. General purpose guides: Security configuration guides that are generic in scope.

3. Defense-in-depth/layered security:

1. Vendor diversity: The practice of implementing security controls from different vendors to
increase security. Reduces the impact of company specific vulnerabilities.
2. Control diversity: The use of technical controls, administrative controls, and physical controls
to harden security.
3. Administrative: Mandated standards set by organizational policies or other guidelines.
4. Technical: Technologies that reduce vulnerabilities, examples of this are: encryption,
antivirus software, IDSs/IPS, and firewalls.
5. User training: Providing regular training to users on common threats, emerging threats, and
social engineering in to raise awareness and help avoid attacks.

2. Given a scenario, implement secure network architecture concepts.

1. Zones/topologies:

1. DMZ: Demilitarized Zone, additional layer of protection to protect one from the internet.
2. Extranet: Private network that can only be accessed by authorized individuals. Links a
company with its suppliers and customers.
3. Intranet: Network that exclusively for the use of the members of the organization, cannot be
accessed by anyone outside the organization.
4. Wireless: Generally, requires a login, an example is an internal wireless network at work.
5. Guest: Network with access to the internet but no access to the internal network. Is useful in
congested areas and is generally unsecured.
6. Honeynets: Dummy Network to attract and fool attackers.
7. NAT (Network Address Translation): Translates private IP addresses in to public and public IP
addresses to private.
8. Ad hoc: A wireless network without an access point, the connected devices communicate
directly.

2. Segregation/segmentation/isolation: Separation for performance, security, or compliance

1. Physical: Devices are separate and cannot directly communicate unless physically connected.
Does not scale well.
2. Logical (VLAN): Separate areas are segmented for different networks, but still housed on the
same switch. To connect them you need a layer 3 device, such as a router.
3. Virtualization: The hardware to separate networks is virtualized, including routers, switches,
and other devices apart from the infrastructure. Easier to manage from a security standpoint
and everything can be segmented.
4. Air gaps: Network where the devices are physically separate from another and don’t share
any components to communicate. Great for security but be careful with removable media.

3. Tunneling/VPN:

1. Site-to-site: Send data between two sites in an encrypted form. Done by installing a VPN on
both sides. Data will reach the VPN and encrypt and then the other VPN will decrypt it for the
receiving end.
2. Remote access (Host to Site): Software is installed on the device that wants the VPN tunnel,
then the encrypted tunnel is created to connect to the specific network.

4. Security device/technology placement:

17 | P a g e
 SKILLCERTPRO

1. Sensors: Can give transactions, logs, or other raw data. Can be integrated or built-into
switches, servers, firewalls, routers, or other network devices.
2. Collectors: Could be a console or SIEM. Gathers all the data from sensors into one place and
attempts to make sense of it.
3. Correlation engines: Can be built in SIEM, tries to compare and correspond data collected
from the sensors to determine if an attack is present.
4. Filters: Follow the logical path, does not follow a state set of rules for traffic. Blocks harmful
traffic.
5. Proxies: Intermediary point between the client and the service. Ensures that the response
arrives safely and that the traffic flow is correct.
6. Firewalls: Is state-based so that it can filter by content and more specific perimeters. Placed
on the outgoing and inward edges of the network.
7. VPN concentrators: Authenticates VPN clients and establishes between tunnels.
8. SSL accelerators: Offloads the SSL process to a hardware accelerator. SSL handshake is
complicated and time consuming.
9. Load balancers: Takes requests from the internet, and spreads the requests over multiple
servers, can also determine the health of servers.
10. DDoS mitigator: Sits between the network and the internet. Identifies and blocks DDOS
attacks in real time.
11. Aggregation switches:
12. Taps and port mirror: Physical tap sees what is happening in traffic packets, and software
port mirror sends a copy of the traffic packets. Is better for light traffic.

5. SDN: Aims to separate the hardware layer from the control. The network is fully virtualized with
software, and then separated into the control (configuration) and data plane (forwarding and
firewalling). Directly programmable from a central location, often automatically.

3. Given a scenario, implement secure systems design.

1. Hardware/firmware security:

1. FDE (Full Disk Encryption)/SED (Self Encryption Drives): Programs and technologies that
encrypt everything on the storage drive.
2. TPM (Trusted Platform Module): A chip on the motherboard designed to protect hardware
through integrated cryptographic keys.
3. HSM (Hardware Security Module): Accelerates cryptographic operations and manages
cryptographic keys, can be implemented as a physical device and used to accelerate RSA-
based operations.
4. UEFI (Unified Extensible Firmware Interface)/BIOS (Basic Input/Output System):

1. UEFI (Unified Extensible Firmware Interface): A method used to boot some

systems and is intended to succeed BIOS. Improves upon the BIOS design by:
allowing support for larger hard drives, having faster boot times, providing
enhanced security features, and giving the user the ability to use a mouse when
making system changes.
2. BIOS (Basic Input/Output System): Basic low-end firmware or software that
provides a computer with the basic instructions on how to start.

5. Secure boot and attestation: Processes that checks and validates system files during the boot
process.
6. Supply chain: The process of getting a product or a service from the beginning supplier to the
user.
7. Hardware root of trust: Shows that there was a secure starting point, this is proved by TPMs
having a private key burned into the hardware.
8. EMI (Electromagnetic Interference)/EMP (Electromagnetic Pulse):

18 | P a g e
 SKILLCERTPRO

1. EMI (Electromagnetic Interference): Electromagnetic interferences caused by

devices that can corrupt data or prevent data from being transferred.
2. EMP (Electromagnetic Pulse): A short burst of electromagnetic energy

2. Operating systems:

1. Types:

1. Network: Supports servers, workstations, and other network-connected devices.

2. Server: Designed to function as a server.
3. Workstation: Optimized for user applications such as email and office apps.
4. Appliance: A system designed to serve a purpose.
5. Kiosk: A system or computer with a touch screen designed to provide information
or directions.
6. Mobile OS: The OS of phones, tablets, and other handheld devices.

2. Patch management: Keeping systems up to date to help improve stability and security.
3. Disabling unnecessary ports and services: Disabling unnecessary ports improves security by
preventing the users from being able to steal important data through physical storage or
injecting viruses through USB. Unnecessary services leave the system vulnerable to viruses
and exploits.
4. Least functionality: Limiting the operating system to be able to perform what is necessary.
5. Secure configurations: Changing the unsecure default setting to protect the system.
6. Trusted operating system (TOS): provides sufficient support for multilevel security and
evidence of correctness to meet high security standards.
7. Application whitelisting/blacklisting: Protects the system from potentially dangerous
applications.

1. Whitelisting: Applications allowed on the system.

2. Blacklisting: Applications blocked by the system.

8. Disable default accounts/passwords: Are easily guessable and must be changed immediately
to prevent unauthorized access.

3. Peripherals:

1. Wireless keyboards: Operate in the clear allowing for the capturing of keystrokes with a
receiver to be controlled remotely.
2. Wireless mice: Operate in the clear allowing for the capturing of movements or to be
controlled remotely.
3. Displays: Vulnerable to shoulder surfing, firmware hacks, and eavesdropping.
4. WiFi-enabled MicroSD cards: Portable storage device that has access to 802.11 Wi-Fi file
transfers.
5. Printers/MFDs (Multi-Function Devices): Reconnaissance can be performed by going through
the saved logs.
6. External storage devices: No authentication allows for anyone to read, write and move files.
7. Digital cameras: Easy to steal data.

4. Explain the importance of secure staging deployment concepts.

1. Sandboxing: Virtualizes a deployment process, allows for machines to be completely isolated from
each other, and is similar to the environment that will be used.

1. Environment: Usually tested in the actual environment that the product will be used in.

19 | P a g e
 SKILLCERTPRO

2. Development: Uses a development environment, version control and change management

control to track development.
3. Test: Rigid tests are performed to find bugs and errors. Does not simulate the full product.
4. Staging: Uses data that the real product would use. Late stage testing.
5. Production: Application is now live, and the updates will be rolled out.

2. Secure baseline: Defines the core of what the development team must do. Lays out what will need to
be updated in the future.
3. Integrity measurement: Tests against the baseline to keep it secure.

5. Explain the security implications of embedded systems.

1. SCADA (Supervisory Control and Data Acquisition)/ICS (Industrial Control System): An ICS is a type of
computer-management deceive that controls industrial procedures and machines. A SCADA is a
system used over multiple industries. SCADAs can be protected with VLANs and NIPS, and they
require extensive network segmentation.
2. Smart devices/IoT (Internet of Things): A mobile device that allows the user: customizable options,
applications to help make daily activities easier, and an AI to assist in tasks. The IoT is the class of
devices that help provide automation and remote control of appliances and devices in the home or
office.

1. Wearable technology: Contains personal and health information on a person.

2. Home automation: Technology in the home is not updated frequently and are susceptible to
attacks.

3. HVAC: Heating, ventilation, and air conditioning.

4. SoC (System on a Chip): An embedded device where the entire system is on the chip.
5. RTOS (Real Time Operating System): Attempts to use predictability to see what happens to meet real
time requirements, the guesses must be secured.
6. Printers/MFDs: Contains logs, documents, and sensitive information that can be accessed and stolen.
7. Camera systems: Videos recorders and cameras are IP devices. The risk is that they can be hacked.
8. Special purpose:

1. Medical devices: Can be attacked leaving patients at risk.

2. Vehicles: Contains onboard Wi-Fi vulnerable to threats.
3. Aircraft/UAV: Can have communications intercepted.

6. Summarize secure application development and deployment concepts.

1. Development life-cycle models:

1. Waterfall vs. Agile:

1. Waterfall: Not flexible, done in stages, and cannot go back to a previous stage
once the next stage is started.
2. Agile: Flexible: allows for collaboration between groups, and can go back and fix
previous iterations.

2. Secure DevOps:

1. Security automation: Tools that automatically tests security functions, penetration, and for
vulnerabilities.
2. Continuous integration: The basic set of security checks while developing.
3. Baselining: Comparing current performance to previously set metric

20 | P a g e
 SKILLCERTPRO

4. Immutable systems: Are locked and unable to change. To update the entire platform must be
updated.
5. Infrastructure as code: Turns the devices into code to allow for focusing on the application
needs instead of based on available infrastructure.

3. Version control and change management: The ability to track change and ability to revert to previous
versions.
4. Provisioning and deprovisioning: The adding and removing of assets over time. Installing new devices
and uninstalling old ones.
5. Secure coding techniques:

1. Proper error handling: Errors do not crash the system, allow for elevated privileges, or
expose private information.
2. Proper input validation: Sanitizing data to make sure it is correct and secure before using.
3. Normalization: Applying rules to a database design to ensure that the proper information
goes in the proper places.
4. Stored procedures: A program in the database that enforces the business rules.
5. Code signing: Assigning a digitally signed certificate to code.
6. Encryption: Converting readable code to unreadable garbage to make it secure.
7. Obfuscation/camouflage: Making code difficult to read.
8. Code reuse/dead code: Reusing code in multiple contexts. Code that cannot be executed.
9. Server-side vs. client-side:

1. Server-Side: Code runs on the server.

2. Client-Side: Code runs in the browser, is highly vulnerable to attacks.

6. execution and validation:

1. Memory management: Checking and ensuring that the program does not use too much
memory.
2. Use of third-party libraries and SDKs: Commonly used so is better understood by attackers.
3. Data exposure: Disclosing private information to attackers.

7. Code quality and testing:

1. Static code analyzers: Checks source code for: conformance to coding standards, quality
metrics, and for data flow anomalies.
2. Dynamic analysis (e.g., fuzzing): Providing unexpected inputs to cause the application to
crash.
3. Stress testing: Seeing how many users a program can handle at a time.
4. Sandboxing: Using a virtual machine to run the program in a simulated environment to
determine if it will properly run. Does not affect production equipment.
5. Model verification: Ensuring the program meets specifications and performs its purpose.

8. Compiled vs. runtime code:

1. Compiled Code: Code that is optimized by an application and converted into an executable.
2. Runtime Code: The code that is interpreted as it runs.

7. Summarize cloud and virtualization concepts.

1. Hypervisor: A software, firmware or hardware that creates, manages, and operates virtual machines.

1. Type I: Known as bare metal, runs on the hardware.

2. Type II: Known as hosted, runs on top of the operating system.

21 | P a g e
 SKILLCERTPRO

3. Application cells/containers: Abstracting applications from the platform into containers

allowing for applications to run without launching an entire virtual machine. This provides
portability and isolation, and less overhead than VM.

2. VM sprawl avoidance: The avoiding of a VM getting too large for the admin to properly manage. To
avoid the admin should: enforce a strict process for deploying VMs, have a library of standard VM
images, archive or recycle under-utilized VMs, and implement a Virtual Machine Lifecycle
management Tool.
3. VM escape protection: why is this empty?
4. Cloud storage: The process of storing data in an off-site location that is leased from a provider.
5. Cloud deployment models:

1. SaaS (Software as a Service): The customer uses software that is not locally stored, instead,
all of that service is being provided in the cloud. Ex. Google docs or Gmail.

1. Everything is managed by the provider.

2. PaaS (Platform as a Service): Also known as software as a service.

3. Managed by customer: Data, applications, and making sure apps run on the OS

1. Managed by Provider: Runtime, middleware, OS, virtualization, servers, storage,

and networking.

4. IaaS (Infrastructure as a Service): Also known as hardware as a service,

1. Managed by customer: Software (applications, data, Runtime, middleware, and

operating system).
2. Managed by Provider: Hardware (virtualization, servers, storage, and networking).

5. Private: Deployed within the organization by the organization for the organization.
6. Public: Cloud is deployed by the provider within their organization for other organizations to
use.
7. Hybrid: A combination of public and private replication.
8. Community: Private or public but only shared between trusted groups.

6. On-premise vs. hosted vs. cloud:

1. On-premise: Built and managed by the company’s data center. Allows for complete control
over it. Has a high investment cost and operational cost.
2. Hosted: Leasing the network and storage that is off site. Access and availability depends on
the design. Has No investment cost, and a moderate operational cost
3. Cloud: Leasing the network and storage that can be on or off site. Has no investment cost,
and a low operational cost. Can be accessed anywhere, anytime and has high mobility.

7. VDI (Virtual Desktop Infrastructure)/VDE (Virtual Desktop Environment): The virtualization of a user's
desktop where the applications are running in the cloud or in a data center, the user runs as little of
the application as possible on the local device.
8. Cloud access security broker: Allows for the integration of security policies across all cloud-based
applications. Let’s the provider see that applications are in use and users associated with them. Can
be installed on premise or on the cloud server.
9. Security as a service (SECaaS): The provider implements their security services into your environment
via the cloud, such as: authentication anti-virus, anti-malware, IDS, and event management.

8. Explain how resiliency and automation strategies reduce risk.

22 | P a g e
 SKILLCERTPRO

1. Automation/scripting:

1. Automated courses of action: Automated scripts that give a basis for secured configuration
with a secured template. Can be configured to accommodate for constant changes or can be
launched on a specific schedule.
2. Continuous monitoring: Monitors IDS/ logs, networks, SIEMs, and other systems for changes
and threats.
3. Configuration validation: Reviewing the settings of the system to ensure that its security
settings are configured correctly.

2. Templates: Gives a basis for secured configuration with a standard secured configuration.
3. Master image: Is crafted configuration of a software or entire system. Created after the target system
is installed, patched, and configured.
4. Non-persistence: Changes are possible. Due to risks of unintended changes, multiple protection and
recovery options must be established.

1. Snapshots: A copy of the live current operating environment.

2. Revert to known state: Is a recovery process that goes back to a previous snapshot.
3. Rollback to known configuration: Just a collection of settings. Does not usually include
software elements.
4. Live boot media: A portable storage device that can boot a computer. Is read-to-run or a
portable version of the OS.

5. Elasticity: The ability for the system to adapt to a workload by allocating and providing resources in an
automatic manner.
6. Scalability: The ability to handle an ever-increasing workload and able to accommodate future
growth.
7. Distributive allocation: Is providing resources across multiple services or servers as necessary instead
of preallocation or concentrated resources based on physical system location.
8. Redundancy: Secondary or alternate solutions, it’s an alternate means to complete tasks. Helps
reduce single points of failure and boosts fault tolerance.
9. Fault tolerance: The ability for the: network, system, or computer to provide a service while
withstanding a certain level of failures. Aids in avoiding a single point of failure, a SPoF is anything that
is mission critical.
10. High availability: Refers to a system that is able to function for extended periods of time with little to
no downtime.
11. RAID (Redundant Array of Independent Disks): Is a high availability solution. Employs multiple hard
drives in a storage volume with a level of drive loss protection, except for RAID 0.

9. Explain the importance of physical security controls.

1. Lighting: If the perimeter is properly lit it can deter thieves, break-ins, and other criminal activity.
2. Signs: Allows for controlled entry point, is a psychological deterrent, and helps new and visitors find
their way. Informs of security cameras, safety warnings, and that an area is restricted.
3. Fencing/gate/cage: A fence sets the boundaries of the property and protects against casual intruders.
Gates allow for controlled entry and exit. Cages protect assets from being accessed by unauthorized
individuals.
4. Security guards: Humans are adaptable, can adjust to live events, and can react to real time intrusion
events. Can intervene and control the security devices.
5. Alarms: Notify security personnel and the authorities of unauthorized activities.
6. Safe: Protects valuables from thieves and natural disasters.
7. Secure cabinets/enclosures: Restricts unauthorized personnel from accessing cabinets.
8. Protected distribution/Protected cabling: Is a standard on how to safely transmit unencrypted data.
Protects from wire-taps.
9. Airgap: Ensure secure networks are physically isolated from unsecure networks.

23 | P a g e
 SKILLCERTPRO

10. Mantrap: Area between two doorways to identify and authenticate individuals.
11. Faraday cage: Metal screen to protect equipment from electrostatic and electromagnetic influences.
12. Lock types: Can use a key, key-pad, cards, or biometrics.
13. Biometrics: Uses physical characters to identify the individual.
14. Barricades/bollards: Stops and guides traffic, it can also prevent the entrance of vehicles.
15. Tokens/cards: Items necessary to gain access to secured areas of the building. Can contain
information that can identify and authorize an individual.
16. Environmental controls:

1. HVAC: Keeps servers from overheating and shutting down.

2. Hot and cold aisles: Allows for air flow control and for the air to move through the data
center strategically.
3. Fire suppression: Protects the equipment from fire, smoke, corrosion, heat, and water
damage. Early fire detection is vital for protecting personal and equipment from harm.

17. Cable locks: Protects small equipment from theft.

18. Screen filters: Reduces the range of visibility to prevent shoulder suffering.
19. Cameras: Deters criminal activity and creates a record of events.
20. Motion detection: Senses movement and sound in a specific area.
21. Logs: Document visitor access, allows for the identifying and record keeping of everyone who has
access to the premise.
22. Infrared detection: Detects and monitors changes in the temperature.
23. Key management: Ensure only authorized individuals only have access to the areas they need to
complete their work

4.0 Identity and Access Management

1. Compare and contrast identity and access management concepts

1. Identification, authentication, authorization and accounting (AAA):

1. Identification: Finding the unique individual on the system.

2. Authentication: The ability to tell if an individual is actually who they claim they are.
3. Authorization: Determining what an individual can and cannot access on a system.
4. Accounting: The tracking of an individual’s actions on the system.

2. Multifactor authentication: Uses at least two of the factors of authentication.

1. Something you are

2. Something you have
3. Something you know
4. Somewhere you are
5. Something you do

3. Federation: The authenticating and authorizing between two parties. Ex. Logging onto Facebook with
Google account.
4. Single sign-on: Only uses one of the factors of authentication.
5. Transitive trust: There are more than two entities, one entity is trusted because they are trusted by
someone the company trusts.

2. Given a scenario, install and configure identity and access services.

1. LDAP (Lightweight Directory Access Protocol):

24 | P a g e
 SKILLCERTPRO

Queries information about the directory. Is a hierarchical structure; CN = Common Name, OU = Organizational
Unit, DC = Domain Controller. Utilizes TCP/IP, TCP/UDP ports 389.

6. Secure LDAP: LDAP over SSL/TLS, uses TCP on port 636. Does not send queries in plain text.

2. Kerberos: Developed by MIT, for mutual authorization between client and server. It uses a ticket
granting system for authorization. Is a government standard.
3. TACACS+ (Terminal Access Controller Access Control System): Runs TCP over port 49, encrypts all
parts of communication. Does not suffer due to security issues caused by RADIUS. Authorization and
Authentication are separated for granular control.
4. CHAP (Challenge Handshake Authentication Protocol): Authenticates PPP clients to the server. Uses a
one-way hash based on a shared secret that is compared on the client and server end. Does not send
plaintext over the wire.
5. PAP (Password Authentication Protocol): Username and password are sent as plaintext and are no
longer used.
6. MS-CHAP (Microsoft CHAP): Delivers a two-way, mutual authentication between the server and
client. Separate keys are created for sent and received data. Is seen as weak due to it using a 5-bit
encryption system, same as NTLM.
7. RADIUS (Remote Authentication and Dial-in User service): Combines authentication and
authorization, only encrypts the passwords, each network device must contain an authorization
configuration. There is no command logging, and minimal vendor support. Uses ports 1812 for
authentication and authorization and port 1813 for accounting functions.
8. SAML (Security Association Markup Language): Authenticates through a third-party source to gain
access, the resource is not responsible for the authentication. The request is passed through a trusted
third-party server.

1. The three roles are: Principle (the user or client), identity provider (the one who assures the
identity of the principle), and service provider (a web service of some type.)

9. OpenID Connect: OpenID Connect handles the authentication part of the identification process and
uses OAuth for authorization.
10. OAUTH (Open Standard for Authorization): Token authorization happens in the background. Uses a
logon from a larger trusted service.
11. Shibboleth: An open-source software that uses SAML to provide a third-party federated SSO
authentication.
12. Secure token: An authentication mechanism that can be used to identify and authenticate, and to
deny and allow access.
13. NTLM (New Technology LAN Manager): Used for authenticating in a Windows domain, was replaced
by Kerberos for the most part.

1. NTMLv2: Is the most common form used, is somewhat insecure.

3. Given a scenario, implement identity and access management controls.

1. Access control models:

1. MAC (Mandatory Access Control): Based on classification rules. Objects are given sensitivity
labels, subjects given clearance labels, and users obtain access by having the correct
clearance. The classifications are hierarchical.
2. DAC (Discretionary Access Control): Is based on user identity. Users are granted access
through ACLs placed on objects through the object’s owner or creator.

1. ACL (Access Control List): A security logical device attached to all objects and
resources, it defines which users are granted or denied access.

25 | P a g e
 SKILLCERTPRO

3. ABAC (Attribute Based Access Control): Assigning access and privileges through a scheme of
attributes. Relations and criteria determine access; time of day, location, and/or IP address.
4. Role-based access control: Access is based on the job and position of the user.
Changing permissions of a group changes the permissions for all of the members. Not good
for companies with high turn-over rates.
5. Rule-based access control: Rules are created by the admin to monitor usage and if a user
needs access they must meet the requirements of the rules. Rules are enforced regardless of
the user.

2. Physical access control:

1. Proximity cards: A smart card that does not require direct contact.
2. Smart cards: Cards that contain identification/authentication information in an integrated
circuit chip. Often uses dual factor authentication; something you have (the card), and
something you know (a pin or password).

3. Biometric factors: Verifies identity through physical features.

1. Fingerprint scanner: Scans the unique patterns of the fingerprint to grant access.
2. Retinal scanner: Blood vessels in the back of the retina.
3. Iris scanner: Scans the Iris.
4. Voice recognition: The identification and translation of spoken language for authorization of
a user. Is vulnerable to impersonation.
5. Facial recognition: The identification of an individual from a digital image or a video frame. Is
vulnerable to impersonation.
6. False acceptance rate (FAR): Incorrectly identifies an unauthorized user as an authorized
user. Type 2 error.
7. False rejection rate (FRR): Incorrectly identifies an authorized user as an unauthorized user.
Type 1 error.
8. Crossover error rate (CER): The point on a graph where the FAR and FRR meet. The lowest
CER point is the most accurate biometric device for a body part.

4. Tokens

1. Hardware: A device that displays and constantly generates a pin or password.

2. Software: An app or software that generates a token.
3. HOTP/TOTP: Open source standards to generate one-time use passwords.

1. HOTP (HMAC-based One-Time Password): Can be used only once before it

expires.
2. TOTP (Time-based One-time Password): Only last for around 30 seconds before it
expires.

5. Certificate-based authentication:

1. PIV/CAC/smart card: Cards that have embedded certificates and a photo ID for
authorization. The US DOD uses CAC/PIV.
2. PIV (Personal identity verification): Is for civilians working for the federal
government.
3. CAC (Common access card): Is for Department of Defense members.

4. IEEE 802.1x: Offers port-based authentication to wireless and wired networks to prevent
rogue devices from connecting to secured ports.

26 | P a g e
 SKILLCERTPRO

6. File system security: The means of ensuring that files are encrypted and can only be used by properly
authorized users have access to them or modify them.
7. Database security: MS and Oracle allow for the DB to be encrypted.

4. Given a scenario, differentiate common account management practices.

1. Account types:

1. User account: An account that is a collection of information that identifies an individual and
grants them specific areas of the network or system.
2. Shared and generic: Multiple individuals sign into a single account. No workplace should have
these, cannot distinguish the actions of the user.

2. accounts/credentials:

1. Guest accounts: An anonymous shared logon account.

2. Service accounts: Performs specific maintenance actions, such as a backup, account and
server operators.
3. Privileged accounts: Access is set to access rights, generally referred to as system or network
administrative accounts.

3. General Concepts:

1. Least privilege: Rights and permission are set to bare minimum.

2. Onboarding/offboarding:

1. Onboarding: Helps new employees learn all of the facets of their new job.
2. Offboarding: Helps leaving employees learn how to properly leave and potentially
return to the company.

3. Permission auditing and review:

4. Usage auditing and review:
5. Time-of-day restrictions: Certain privileges are permitted or restricted based on the time of
day.
6. Recertification: The action of regaining a certification due to the certification being expired.
7. Standard naming convention: Allows for the easier identification of resource location and
purpose. Reduces the amount of time needed for troubleshooting and training.
8. Account maintenance: Making sure that accounts have the proper privileges, and unused
accounts are deleted. Generally done through scripts to save time and money.
9. Group-based access control: Every user in a group has the same privileges.
10. Location-based policies: Grants and denies access based on the user’s location.
11. Account policy enforcement:
12. Credential management: Stores, manages, and tracks user credentials.
13. Group policy: Sets different privileges of the system and allows for these to be managed or
set those across entire groups or even through the entire network and every computer
within it.
14. Password complexity: The enforcing of complex and difficult to guess passwords.
15. Expiration: The amount of time that passes before a password is required to be changed.
16. Recovery: The ability to find lost passwords and usernames in case an employee forgets
them.
17. Disablement: Disabling an account.
18. Lockout: Prevents login from specific individual after a set of failed login attempts, for a set
period of time.
19. Password history: Remembers past passwords and prevents the reuse of passwords.
20. Password reuse: The ability to ever use the same password again.

27 | P a g e
 SKILLCERTPRO

21. Password length: The minimum amount of characters that can be used in a password.
22. Password age: A policy that sets how long a user can have a password before they are forced
to change it.

6.0 Cryptography and PKI

1. Compare and contrast basic concepts of cryptography.

1. Symmetric algorithms: A shared secret key used by the sender and receiver to encrypt and decrypt.
2. Modes of operation:
3. Asymmetric algorithms: There is a shared public key and a private secret key. Public key encrypts and
the private key decrypts, private key to sign and public key verify.
4. Hashing: An algorithm that creates a unique one-way encryption, not plaintext.
5. Salt, IV, nonce:

1. Salt: The adding of input to random data to function to make it more complicated. A small
piece of data added to the end of a password when creating a hash
2. IV (Initialization Vector): A random value used with an encryption key.
3. Nonce: One-time use random value used for authentication.

6. Elliptic curve (ECC): Great for low powered machines. Uses curves for encryption instead of large
prime numbers.
7. Weak/deprecated algorithms: Weak due to vulnerabilities (WEP) or weak key length (DES is on 56-
bits) which is easy to brute force through.
8. Key exchange: Securely sending keys back and forth. Out-of-Band where the key is sent over the
phone, in person, or any other way offline. In-Band is sent over the internet encrypted.
9. Digital signatures: Provides integrity, verifies that the original sender is actually the one who sent it.
This can be done through asymmetric encryption, where there is a hash message then they will
encrypt the hash using their private key, creating a digital signature that can only originate from
them. To verify, the signature is decrypted with the public key, and the message is then hashed. If the
two hashes match, then the digital signature is valid
10. Diffusion: Changing one character causes the plaintext to drastically change the outputted cipher.
11. Confusion: The cipher doesn’t look anything like the plain text.
12. Collision: Two completely different pieces of data have the exact same hash.
13. Steganography: Hides messages or code inside of an image or another type of data. Impossible to
decipher without the correct tools.
14. Obfuscation: Taking something and making it difficult for a human to understand, however it is not
impossible to convert it back to the original form.
15. Stream vs. block:
16. Key strength: Larger keys and more bits are signs of better encryption and stronger keys.
17. Session keys: Symmetric keys used to provide a secure and fast online connection. The server’s public
key is paired with a random key to produce a symmetric key, that the server uses to encrypt and the
user to decrypt.
18. Ephemeral key: Session keys that only last temporarily and change frequently.
19. Secret algorithm: Is a symmetric encryption. Uses the same key for the sender to encrypt and the
receiver to decrypt.
20. Data-in-transit: Data being transmitted over a network. Should be encrypted using TLS and IPSec.
21. Data-at-rest: Data in a storage device.
22. Data-in-use: Data being ran through RAM or CPU, is almost always decrypted to make it easier to use.
23. Random/pseudo-random:

1. Number generation: Used to create random keys and salts, a computer is never truly
random, so it relies on outside factors such as user input to create a more random number.

28 | P a g e
 SKILLCERTPRO

24. Key stretching: Hashing a password, and then hashing that hashed value. Protects a weak password
from brute force attacks.
25. Implementation vs. algorithm selection:

1. Crypto service provider: A library of cryptographic standards and algorithms.

2. Crypto modules: Hardware, firmware or software that provides the hash, HMAC, cipher,
decipher, sign, and verify methods.

26. Perfect forward secrecy (PFS): Prevents point of failure where a stolen private key can decrypt all
connections by generating a new key each session. Protects past sessions against future compromises
of secret keys.
27. Security through obscurity: Relying on secrecy to protect and secure data.
28. Common use cases:

1. Low power devices: Mobile phones and portable devices.

2. Low latency: Low amount of time occurs between input and output.
3. High resiliency: Larger key sizes and encryption algorithm quality.
4. Supporting confidentiality: Secrecy and privacy.
5. Supporting integrity: Preventing modification of data and validating contents with hashes.
6. Supporting obfuscation:
7. Supporting authentication: Password hashing and protecting the original password.
8. Supporting non-repudiation: Digital signature provides: authenticity, integrity, and non-
repudiation.
9. Resource vs. security constraints: Limitations in providing strong cryptography due to the
amount of available resources (time and energy) vs the security provided by cryptography.

2. Explain cryptography algorithms and their basic characteristics.

1. Symmetric algorithms:

1. AES (Advanced Encryption Standard): Symmetric, block cipher with 128-bit blocks, key sizes
of 128-bit, 192-bit and 256-bit. It utilizes the Rijndael algorithm and is the U.S. government
standard for the secure exchange of sensitive but unclassified data. It is also the encryption
standard used today with WPA2.
2. DES (Data Encryption Standard): Symmetric, was common until replaced by AES, the block
cipher is 64-bit and the key is 56-bit (very small), this means it can easily be brute forced.
3. 3DES: Symmetric, very secure and upgrade over DES with three separate keys and three
passes over data. Not used in modern day either.
4. RC4: Symmetric, part of the original WEP standard with SSL, removed from TLS, key sizes of
40-bit to 2048-bit. Deprecated from biased output.
5. Blowfish/Twofish:

1. Blowfish: Symmetric, fast and has variable key-lengths from 1-bit to 448-bits, uses
64-bit block cipher. Not limited by patents.
2. Twofish: Symmetric, uses a very complex key structure up to 256-bits but still
similar to predecessor, works using 128-bit blocks. Again, not limited by patents.

2. Cipher modes:

1. CBC (Cipher Block Chaining): Symmetric, uses IV for randomization. Encryption that is
dependent on the block before it. Slow.
2. GCM (Galois Counter Mode): Used by many. Provides data authenticity/integrity, hashes as
well. Widely used.
3. ECB (Electronic Code Book): Mode of operation, simplest cipher mode, not recommended.
4. CTR (Counter Mode): Converts block into stream, uses IV. Widely used.

29 | P a g e
 SKILLCERTPRO

5. Stream vs. block:

3. Asymmetric algorithms:

1. RSA (Rivest, Shamir, Adleman): First practical use of public key cryptography, uses large
prime numbers as the basis for encryption.
2. DSA (Digital Signature Algorithm): Standard for digital signatures and modifies Diffie-
Hellman, follows usage of elliptic curves to create ECDSA.
3. Diffie-Hellman: An asymmetric standard for exchanging keys. Primarily used to send private
keys over public (unsecured) networks.

1. Groups: Diffie-Hellman (DH) groups determine the strength of the key used in the
key exchange process. Higher group numbers are more secure, but require
additional time to compute the key.
2. DHE (Diffie-Hellman Ephemeral): A Diffie-Hellman key exchange that uses
different keys.
3. ECDHE (Elliptic Curve Diffie-Hellman Ephemeral): Key agreement protocol that
allows 2 parties, each having an elliptic curve public-private key pair, to establish
a shared secret over an insecure channel.

4. Elliptic curve cryptography (ECC): Asymmetric, uses smaller key sizes and curve algorithms to
secure data, useful in portable devices because it uses less CPU power.
5. PGP (Pretty Good Privacy)/GPG (GNU Privacy Guard):

1. PGP (Pretty Good Privacy): Asymmetric, used by many for emails and is used by
IDEA algorithm.
2. GPG (GNU Privacy Guard): A free, open-source version of PGP that provides
equivalent encryption and authentication services.

4. Hashing algorithms: Hashing provides integrity and authenticity.

1. MD5 (Message-Digest Algorithm v5): Hashing algorithm, 128-bit hash with strong security,
collision was found in 1996 so it is not used as much nowadays.
2. SHA (Secure Hash Algorithm): Hashing algorithm, one-way 160-bit hash value with
encryption protocol. Standard hash algorithm today, went from SHA-1 (160-bit digest,
deprecated) to SHA-2 (512-bit digest, still used).
3. HMAC (Hash-Based Message Authentication Code): Hashing algorithm that combines itself
with a symmetric key. Provides data integrity as well as authenticity, but is faster than
asymmetric encryption.
4. RIPEMD (RACE Integrity Primitives Evaluation Message Digest): Hashing algorithm that is
based on MD4, collisions were found so it now exists in versions of 160-bits, 256-bits, and
320-bits.

5. Key stretching algorithms: Lengthen key to make brute-force attacks harder.

1. Bcrypt: Key Stretching that helps protect passwords by repeating Blowfish cipher.
2. PBKDF2 (Password-Based Key Derivation Function 2): Key Stretching, applies RSA function to
password to create stronger key.

6. Obfuscation: Making something unclear to read, but can still reverse it.

1. XOR (Exclusive OR): Mathematical operation that's a part of all symmetric operations, done
by comparing bits of plaintext and a key (same=0, different=1). Can be reversed to get
plaintext back.
2. ROT13 (Rotate by 13): Common substitution cipher, rotates each letter 13 places.

30 | P a g e
 SKILLCERTPRO

3. Substitution ciphers: Cipher that changes one symbol for another, like the Caesar Cipher.
Easy to decrypt.

3. Given a scenario, install and configure wireless security settings.

1. Cryptographic protocols:

1. WPA (Wi-Fi Protected Access): Uses RC4 with TKIP. Was replaced by WPA2.
2. WPA2 (Wi-Fi Protected Access v2): Uses CCMP for encryption.
3. CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol): Is
based on 128-bit AES is more secure than TKIP. Was advanced for its time.
4. TKIP (Temporal Key Integrity Protocol): Protocol that mixes a root key with an initialization
vector, a new key for each packet.

2. Authentication protocols:

1. EAP (Extensible Authentication Protocol): Is an authentication framework that provides

general guidance for authentication methods.
2. PEAP (Protected Extensible Authentication Protocol): An extension of EAP that is sometimes
used with 802.1x, a certificate is required on the 802.1x server.
3. EAP-FAST (EAP Flexible Authentication with Secure Tunneling): A Cisco-designed replacement
for Lightweight EAP, supports certificates but are not required.
4. EAP-TLS (EAP Transport Layer Security): This is one of the most secure EAP standards and is
widely implemented on many networks. It uses PKI, so certificates are required on the 802.1x
server and on the clients.
5. EAP-TTLS (EAP Tunneled Transport Layer Security): Allows for systems to use older
authentication methods such as PAP within a TLS tunnel. Certificate is required on the 802.1x
server but not on the clients.
6. IEEE 802.1x: An authentication protocol used in VPNs, wired and wireless networks. In VPNs
it is used as a RADIUS server, wired use it as a port-based authentication, and wireless use it
in Enterprise mode. Can be used with certificate-based authentication.
7. RADIUS Federation: Members of one organization can authenticate to the network of
another network using their normal credentials.

3. Methods:

1. PSK vs. Enterprise vs. Open:

1. PSK (Pre-Shared Key): Uses WPA2 encryption along with a key that everyone
needs to know to access the network.
2. Enterprise: Users to authenticate using a username and password, and uses
802.1X to provide authentication, server handles distribution of keys/certificates.
3. Open: Does not apply any security.

2. WPS: Allows users to easily configure a wireless network, often by using only a PIN. Are
susceptible to brute force attacks because they can discover the PIN.
3. Captive portals: Forces clients using a web browser to complete a task before being able to
access the network.

4. Given a scenario, implement public key infrastructure.

1. Components:

31 | P a g e
 SKILLCERTPRO

1. CA (Certificate Authority): A trusted third-party agency that is responsible for issuing digital
certificates.
2. Intermediate CA (Intermediate Certificate Authority): An entity that processes the CSR and
verifies the authenticity of the user on behalf of a CA.
3. CRL (Certificate Revocation List): A list of certificates that are: no longer valid, expired, or that
have been revoked by the issuer.
4. OCSP (Online Certificate Status Protocol): A request and response protocol that obtains the
serial number of the certificate that is being validated and reviews revocation lists for the
client.
5. CSR (Certificate Signing Request): A user request for a digital certificate
6. Certificate: Digitally signed statement that associates a public key to the corresponding
private key.
7. Public key: A key that is provided by the sender, used by anyone to encrypt with asymmetric.
8. Private key: Key used to decrypt a message, only used by the person opening the message.
9. Object identifiers (OID): A serial number that authenticates a certificate.

2. Concepts:

1. Online vs. offline CA:

1. Online CA: Is directly connected to a network, most common.

2. Offline CA: Is not directly connected to a network, often used for root certificates.

2. Stapling: Combining related items in order to reduce communication steps. The device that
holds the certificate will also be the one to provide status of any revocation.
3. Pinning: The application has hard-coded the server’s certificate into the application itself.
4. Trust model: A complex structure of: systems, personnel, applications, protocols,
technologies, and policies working together to provide protection.
5. Key escrow: Private keys are kept by the users and a 3rd party as back-ups.
6. Certificate chaining: Certificates are handled by a chain of trust, the trust anchor for the
digital cert is the root CA.

3. Types of certificates:

1. Wildcard: A Certificate that can be used with multiple subdomains of a given domain, by
covering the all subordinate certificates to the root.
2. SAN (Subject Alternative Name): The certificate has several uses, allows a certificate to be
valid for multiple domains using multiple names.
3. Code signing: Digitally signs written application code and makes sure that it adheres to policy
restriction and usage.
4. Self-signed: The root CA creates its own certificate.
5. Machine/computer: Certificates that are assigned to a specific machine.
6. Email: Secures emails, is used by S/MIME.
7. User: Often for authentication or to access resources.
8. Root: Used for root authorities, they usually are self-signed.
9. Domain validation: Provides a secure communication with a specific domain
and provides TLS, this is the most common form of certificate.
10. Extended validation: Are more secure because they require more validation from the
certification holder.

4. Certificate formats:

1. DER (Distinguished Encoding Rules): Are common and designed for X.509 certificates, they
are used to extend binary encoded certificates. Cannot be edited by a plain text editor. Used
with java commonly.

32 | P a g e
 SKILLCERTPRO

2. PEM (Privacy Enhanced Mail): Most common format in which certificates are issued. Multiple
certificates and the private key can be included in one file. The file is encoded ASCII. PEM file
extensions include .pem, .crt, .cer, and .key. Apache servers typically use PEM-format files.
3. PFX: A precursor to P12, has the same usage. Administrators often use this to format on
Windows to import and export certificates.
4. CER (Certificate File): May be encoded as binary DER or as ASCII PEM.
5. P12: Is a PFX extension used in windows

1. PKS 12 (Public Key Cryptography Standards #12): Is part of the RFC standard.
Stores many types of certificates and can be password protected.
2. RFC (Remote Function Call): A formal document describes the specifications for a
particular technology, was drafted by the Internet Engineering Task Force.

6. P7B: Is stored in Base64 ASCII, containing certificates and chains but not the private key.

33 | P a g e