
CISSP Certification

Preparation Guide Kit


TABLE OF CONTENTS

Study Guide ............................................................................. 2
Module 1: Welcome and Introduction ........................................................ 2
Module 2: Asset Security ................................................................. 13
Module 3: Security Engineering and Architecture .......................................... 17
Module 4: Communications and Network Security ............................................ 22
Module 5: Identity and Access Management ................................................. 30
Module 6: Security Assessment and Testing ................................................ 36
Module 7: Security Operations ............................................................ 43
Module 8: Software Development Security .................................................. 46
Glossary ................................................................................. 53
Flashcards ............................................................................... 103
Review Questions ......................................................................... 106
Domain 1: Information Security and Risk Management ....................................... 107
Domain 2: Asset Security ................................................................. 115
Domain 3: Security Engineering ........................................................... 119
Domain 4: Telecommunications and Network Security ........................................ 140
Domain 5: Identity and Access Management ................................................. 153
Domain 6: Security Assessment and Testing ................................................ 163
Domain 7: Security Operations, Part 1 .................................................... 168
Domain 7: Security Operations, Part 2 .................................................... 179
Domain 8: Software Development Security .................................................. 188
Review Question Answer Key ............................................................... 196
Domain 1 ................................................................................. 197
Domain 2 ................................................................................. 201
Domain 3 ................................................................................. 203
Domain 4 ................................................................................. 214
Domain 5 ................................................................................. 221
Domain 6 ................................................................................. 226
Domain 7 - Part 1 ........................................................................ 229
Domain 7 - Part 2 ........................................................................ 234
Domain 8 ................................................................................. 239

Study Guide
CISSP
Created By: Dimitrios Taketzis, Teaching Assistant
Module 1: Welcome and Introduction
Lesson 1.1: Introduction
Skills Learned From This Lesson: Security, Risk Management, Overview

● The 8 Domains of CISSP
● 1st Domain -> the most important one
● 2nd Domain -> how to protect my assets
● 3rd Domain -> 2 chapters: the 1st is Security Architecture and Design + Software
Development Security, the 2nd is Cryptography
● 4th Domain -> comprehensive look at networking
● 5th Domain -> becoming very popular in the exam
● 6th Domain -> testing
● 7th Domain -> redundancy + continuity of the enterprise
● 8th Domain -> managing the project of creating software, not writing code

Lesson 1.2: Computer Adaptive Testing (CAT)

Skills Learned From This Lesson: Test Method, Question Format, Domain Weights
● A new method of testing -> going from 250 questions in six hours to a maximum of
150 questions in three hours
● No. of questions: 100 - 150
● Question format -> MCQ and advanced innovative questions
● Scored on a 0 - 1000 scale; the passing score is 700
● Different average weight for each domain
● Cannot mark questions for review anymore; once a question is answered it cannot be revisited
● Risk mgmt to start -> Business Continuity as our ultimate goal

Lesson 1.3​: Domain 1 Agenda

Brought to you by:  Develop your team with the ​fastest growing catalog​ in the 
cybersecurity industry. Enterprise-grade workforce development 
management, advanced training features and detailed skill gap and 
competency analytics. 


Skills Learned From This Lesson: Security Principles, Security Governance, Security Program,
Risk Mgmt
● Principles of Security
● Security Governance (Strategy, Blueprints and Frameworks)
● Information Security Program (Policies, Standards, Procedures, Guidelines, Roles and
Responsibilities)
● Information Security Risk Mgmt (Identification,Assessment,Mitigate, Monitoring)
● Legal Consideration
● Knowledge Transfer

Lesson 1.4​: Information Security Program Part 1


Skills Learned From This Lesson: Policy Types, Standards, Security Program
● Three types of policy (Why?): Corporate, System Specific, Issue Specific
● Standards fill the gaps of policy; they change frequently
● Policies are very broad and do not change frequently
● Corporate Policy -> very broad, management philosophy and commitment
● System Specific Policy -> eg. multi-factor authentication required for a given system
● Issue Specific Policy -> nebulous issues that need to be defined so there is no
misunderstanding
● Separation of Duties (Segregation of Duties, Separation of Roles) -> really valuable
control: no single person can complete a sensitive transaction alone, so abusing it
forces collusion between two or more people

Lesson 1.5​: Information Security Program Part 2


Skills Learned From This Lesson: Policies, Standards, Procedures, Guidelines, Baselines
● Issue specific Policies (...contd)
● Mandatory Vacations -> detective control (fraud tends to surface while the person is away)
● Job Rotation -> detective control and redundancy method
● Least Privilege <-> SOD: about actions, what you are allowed to do
● Need to Know <-> SOD: about data, permissions to data
● Dual Control -> two people needed to complete an action; prevents abuse of power
● M of N control -> eg. 4 of 9 key holders must be present to perform an action
● Standards (What?) -> mandatory, support or reinforce policy, provide specific details and
directions, can be internal or external


● Procedures (How?) -> mandatory, step-by-step directives that detail how to meet
policies, standards and guidelines
● Guidelines -> not mandatory, suggestive in nature, recommended actions, best
practices
● Baselines -> mandatory, the minimum acceptable security configuration for a system or
process; the purpose of security classification is to determine and assign the necessary
configuration to protect the data

Lesson 1.6​: Roles and Responsibilities


Skills Learned From This Lesson: Security Roles, Responsibilities, Duties
● Senior mgmt responsibilities -> provide oversight, funding and support; ensure testing;
prioritize business functions; establish the vision and strategy for the enterprise; sign off on
policy and on the Business Impact Analysis
● Steering Committee -> oversight of the infosec program; liaison between mgmt, business,
IT and infosec; input into the decision-making process; compliance
● CISO -> strategic planning, policy development, technology assessments, process
improvement, acquisition, capital planning, security
● Infosec manager -> responsible for determining the "how"; introduces the methodology;
main consultant to senior mgmt
● Business managers -> the customers; responsible for business operations, security enforcement
and operation, day-to-day monitoring, reporting, disciplinary actions and compliance
● Security practitioners -> responsible for the proper implementation of security requirements in
their IT systems; identify and assess new potential risks and implement new security
controls to safeguard IT systems
● Auditors -> ensure, through objective evaluation, that controls and policies are implemented
and effective; they only document, they do not modify
● Security trainers -> must understand the risk mgmt process; produce training materials and
awareness programs; incorporate risk assessment results into training programs; encourage
users to report violations

Lesson 1.7​: Risk Definitions
Skills Learned From This Lesson: Risk definitions, Risk Mgmt, Security measures
● Information Security Risk Mgmt


● Asset, vulnerability, threat, threat agent, exploit, risk, controls (physical, administrative,
technical protections), total risk, residual risk, secondary risk
● Safeguards -> proactive measures: prevent, deter
● Countermeasures -> reactive measures, applied after a risk event
● Incident -> a risk event that has transpired

Lesson 1.8​: Risk Identification
Skills Learned From This Lesson: Risk identification, Risk mgmt, Defense lines
● Risk mgmt steps (identification, assessment, mitigation/response, ongoing control
evaluation)
● Risk identification process
● Methods to identify risks (sources of risk documentation, audit reports, incident reports,
interviews with SMEs, public media, annual reports, press releases, vulnerability assessments and
penetration tests, threat intel services)
● Alignment with business goals and objectives -> understand the business strategy, meet
with mgmt to get their support, look beyond IT
● Organizational structure and its impact on risk -> risk context; the risk mgmt approach should
be enterprise-wide
● Three lines of defense -> business units (perform the work day to day and own the risk), risk and
compliance functions (guidance, direction and oversight), audit (independent review of the 1st and 2nd lines)

Lesson 1.9​: Risk Assessment and Analysis
Skills Learned From This Lesson: Risk Analysis, Qualitative, Quantitative
● Qualitative risk assessment/analysis -> subjective analysis to help prioritize risk events by
likelihood and impact (eg. Delphi technique)
● Probability and impact matrix -> subjective input in high/medium/low terms; a
quick way to begin the prioritization and ranking of risks
● Quantitative risk assessment/analysis -> assigns a dollar value to a particular risk event
● Quantitative analysis requires more experience (and more data) than qualitative
● Quantitative analysis allows for good business decisions and provides the justification for a
mitigation strategy
● Terms: Asset Value (AV), Exposure Factor (EF), Single Loss Expectancy (SLE), Annual Rate of
Occurrence (ARO), Annual Loss Expectancy (ALE), Total Cost of Ownership (TCO), Return on
Investment (ROI)


● I am looking for a way to implement a control that has a positive return on investment and
mitigates a risk to my business to a degree that is acceptable to senior mgmt

Lesson 1.10​: Risk Mitigation and Response
Skills Learned From This Lesson: Risk mitigation, Risk response , Response means
● Steps for quantitative analysis
● AV -> EF -> SLE (SLE = AV x EF) -> ARO -> ALE (ALE = SLE x ARO) -> perform a cost/benefit
analysis of the countermeasures (value of a safeguard = ALE before - ALE after - annual cost
of the safeguard)
● Risk response options (Reduce/mitigate, Avoid, Transfer/share, Accept, Reject)
● Risk reduction/avoidance -> action taken to lessen the frequency and/or impact of a risk;
the ultimate risk reduction is avoidance (stop the activity, so the risk is 0)
● Risk elimination is unfeasible
● Risk transference is a decision to reduce loss by sharing the risk with another
organization, eg. insurance or outsourcing (SLAs and contracts establish the degree of transference)
● Risk acceptance -> no active mitigation; the cost/benefit analysis shows that the cost of the
control would exceed the expected loss
● Sometimes acceptance is the only choice; it still requires due diligence, and regular reviews
are needed because the level of risk and impact keeps changing
● Risk acceptance is different from risk rejection (ignoring the risk and denying liability)
● Risk rejection is unacceptable
● Whatever the risk is, we mitigate until the residual risk falls within the acceptable
level (risk appetite)
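The AV -> EF -> SLE -> ARO -> ALE chain and the cost/benefit step, carried through in code. This is an added example, not part of the course notes; the asset value, exposure factors, occurrence rates, control prices and the acceptable ALE are constructed numbers (assumptions) chosen so the arithmetic is easy to follow.

```python
"""Quantitative risk analysis and countermeasure selection.

    SLE = AV x EF                      single loss expectancy
    ALE = SLE x ARO                    annual loss expectancy
    value of a safeguard = ALE(before) - ALE(after) - annual cost of safeguard

Added example; every number below is a constructed assumption.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF.  EF is the fraction of the asset lost in one event (0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO.  ARO is expected events per year (0.1 = once in ten years)."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # amortised purchase + yearly operation
    new_ef: float        # exposure factor once the control is in place
    new_aro: float       # annual rate of occurrence once the control is in place


def residual_ale(asset_value: float, control: Control) -> float:
    """ALE that remains after the control: the residual risk in dollar terms."""
    return annual_loss_expectancy(single_loss_expectancy(asset_value, control.new_ef),
                                  control.new_aro)


def safeguard_value(asset_value: float, ale_before: float, control: Control) -> float:
    """Net annual value of the control.  Positive = it saves more than it costs."""
    return ale_before - residual_ale(asset_value, control) - control.annual_cost


def choose_control(asset_value: float, ef: float, aro: float, controls: List[Control],
                   acceptable_ale: float) -> Tuple[Optional[Control], float]:
    """Pick the control with the best net value whose residual ALE is within the
    level senior management accepts.  Returns (control, residual ALE); if nothing
    qualifies, (None, ALE before): the risk must then be transferred, avoided or
    consciously accepted, never just ignored (rejection)."""
    ale_before = annual_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    best, best_value = None, 0.0
    for control in controls:
        value = safeguard_value(asset_value, ale_before, control)
        if residual_ale(asset_value, control) <= acceptable_ale and value > best_value:
            best, best_value = control, value
    if best is None:
        return None, ale_before
    return best, residual_ale(asset_value, best)


# Constructed scenario (assumptions): a customer database worth $500k; a breach
# destroys 40% of its value and is expected once every two years.
ASSET_VALUE = 500_000.0
EXPOSURE_FACTOR = 0.40
ARO = 0.5
ACCEPTABLE_ALE = 30_000.0   # risk appetite set by senior management (assumption)
CANDIDATES = [
    Control("cheap antivirus upgrade", annual_cost=2_000, new_ef=0.40, new_aro=0.45),
    Control("backups + DR contract", annual_cost=20_000, new_ef=0.10, new_aro=0.50),
    Control("outsource to hardened MSP", annual_cost=90_000, new_ef=0.05, new_aro=0.20),
]


def demo() -> Tuple[Optional[str], float]:
    """Run the selection on the constructed scenario; returns (control name, residual ALE)."""
    chosen, residual = choose_control(ASSET_VALUE, EXPOSURE_FACTOR, ARO, CANDIDATES, ACCEPTABLE_ALE)
    return (chosen.name if chosen else None), residual


if __name__ == "__main__":
    sle = single_loss_expectancy(ASSET_VALUE, EXPOSURE_FACTOR)
    ale = annual_loss_expectancy(sle, ARO)
    print(f"SLE = ${sle:,.0f}, ALE = ${ale:,.0f}")
    for c in CANDIDATES:
        print(f"{c.name:28s} residual ALE ${residual_ale(ASSET_VALUE, c):>9,.0f}  "
              f"net value ${safeguard_value(ASSET_VALUE, ale, c):>9,.0f}")
    print("chosen:", demo())
```

The cheap antivirus upgrade has a positive net value but leaves the residual ALE ($90k) far above the $30k appetite, so it is rejected; the MSP option gets the residual lowest but its cost eats almost all the benefit. The backup and DR contract wins on net value while landing inside the acceptable level, which is exactly the "positive ROI and acceptable residual risk" pairing the lesson describes.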

Lesson 1.11​: Risk Monitoring and reporting
Skills Learned From This Lesson: Risk monitoring, Risk reporting, KRIs
● How often should we go back and reevaluate our controls?
● Risk monitoring is an essential step of the risk mgmt life cycle because of the changing
nature of risk and of the associated controls
● Key Risk Indicators (KRIs) are warning signs: they give a backward-looking view of risk events
that have occurred, so they can be remediated, and an early warning that risk is moving beyond
appetite; acting on them increases the likelihood of achieving strategic objectives
● Example of a KRI -> quantity of unauthorized equipment or software detected
● KRIs support -> risk appetite, identification, mitigation, culture, measurement and
reporting, compliance
● Risk mgmt process review (the four steps: identification, assessment, mitigation/response,
monitoring)
● Risk cannot be totally eliminated, so it must be managed



Lesson 1.12​: Legal Considerations
Skills Learned From This Lesson: Legal Considerations, Law types, Legal Liabilities
● Liabilities - who is at fault?
● Failure of mgmt to exercise due care and/or due diligence can be termed negligence
● Due Diligence -> knowing: eg. researching industry standards and best practices
● Due Care -> doing: eg. setting and enforcing policy to bring the organization into compliance
● Downstream liabilities -> I can outsource work but I cannot outsource liability
● Types of laws -> criminal, civil, regulatory (administrative), intellectual property
● Criminal law -> burden of proof is "beyond a reasonable doubt", which can be difficult to meet
in computer-related crimes
● Goal of criminal penalties is 1) punishment 2) deterrence
● Civil (tort) law -> burden of proof is "preponderance of the evidence"; remedy is damages,
not imprisonment
● Administrative (regulatory) law -> defines standards of performance and regulates
conduct for specific industries
● Intellectual property law -> protects products of the mind (patents, copyrights, trademarks,
trade secrets)
● WIPO (World Intellectual Property Organization) administers the international IP treaties and
offers dispute resolution for cross-border copyright violations
● Licensing violations are the most prevalent, followed by plagiarism, piracy and corporate
espionage
● Trade secret -> gives value to a company (secret recipe); must be genuinely secret and not
obvious, and the company must take reasonable steps to keep it secret

Lesson 1.14​: Knowledge Transfer
Skills Learned From This Lesson: Knowledge Transfer, Security Awareness, Training Benefits
● Knowledge Transfer -> Awareness, Training, Education ->the goal is to modify behavior
● Security awareness training must fit job description
● Knowledge transfer benefits -> modify behavior, improves attitudes towards info sec,
accountability, raises collective security awareness level of organization
● Wrap up of Domain 1

Lesson 1.15​: The CISSP Mindset Part 1
Skills Learned From This Lesson: CISSP approach, CISSP Mindset,
● I am a risk advisor - I do NOT fix problems
● Who is accountable for security ? -> Everyone


● How much security is enough? Just enough is enough: good risk mgmt drives my
decisions and makes efficient use of resources
● Everything starts with risk mgmt

Lesson 1.16​: The CISSP Mindset Part 2
Skills Learned From This Lesson: CISSP approach, CISSP Mindset
● Think “End Game” -> which answer truly satisfies the question??
● Security transcends Technology -> Security must be based on good foundational
principles, it is bigger than technology
● The answers are not too technical or too managerial, they are in the middle
● Incorporate security into the design, as opposed to adding it later
● Layered defense! -> No one device will keep you safe

Lesson 1.17​: Introduction to Business Continuity and Disaster Recovery Planning
Skills Learned From This Lesson: ​Business Continuity​, Disaster Recovery, incident response
● Minimize the impact on the business
● Incident response -> includes forensics: investigating in a manner whose results can be
presented in a court of law
● Redundancy -> it has to be comprehensive

Lesson 1.18​: Business Continuity Planning Part 1
Skills Learned From This Lesson: ​Business Continuity​, Disaster Recovery, Disruption
Categories
● BCP -> focuses on the business: sustain operations and protect the viability of the business
following a disaster; umbrella term that includes many other plans; long-term focus
● DRP -> focuses on IT systems: minimize the effects of a disaster and take steps to ensure that
resources, personnel and business are able to resume in a timely manner; short-term
focus
● BCP relationship to risk mgmt -> BCP is the safety net for RM; RM is "if-then", BCP is
"whatever happens" (didn't see that coming -> but I have a plan)
● Categories of disruptions (non-disaster, emergency/crisis, disaster, catastrophe)
● An incident is a non-disaster
● Emergency/Crisis -> urgent event where there is the potential for loss of life or property


● Disaster -> facility unusable for a day or longer, normal operations are halted; triggers the
DRP's 1st phase (notification)
● Catastrophe -> the facility is destroyed
● Only the BCP coordinator can declare a disaster

Lesson 1.19​: Business Continuity Planning Part 2
Skills Learned From This Lesson: ​Business Continuity​, NIST framework, ISC2 framework
● BCP Frameworks (DRII, NIST 800-34 rev 1, ISO 27031, BCI GPG, ISC2.org four
processes of Business Continuity)
● Don't stick to the terms, stick to the concept and flow
● Standards help solve issues of inconsistency in terms
● NIST 800-34 rev1 -> 7 phases -> BCP Policy, Business Impact Analysis, Identify
Preventive Controls, Create Contingency Strategies, Develop an IS Contingency Plan,
Testing-training-exercises, maintain BCP
● ISC2 four BCP processes -> Project scope and planning, Business Impact Assessment,
Continuity planning, Approval and implementation

Lesson 1.20​: BCP Step 1: Project Scope and Planning Part 1
Skills Learned From This Lesson: BCP Plan, BCP Methodology, Project Scope
● Step 1 ->
○ Acquire a BCP policy statement from senior mgmt
○ Business organization analysis: structured analysis of the business organizational
assets; it provides the groundwork necessary to identify potential members of the BCP team
and the foundation for the remainder of the BCP process; evaluates the operational
departments responsible for the core services, the critical support services, senior
executives and other key individuals essential for the ongoing viability of the organization
○ BCP team creation, including a project manager -> cross-functional, with representation
of senior mgmt, of each department, and of IT with technical expertise in the areas covered
by the BCP
○ Assessment of the resources available and of the commitment from senior mgmt to support
the BCP process for development, testing-training-maintenance and implementation
○ Analysis of the legal and regulatory landscape in order to operate within a legal framework
during an event; senior mgmt has the ultimate legal responsibility



Lesson 1.21​: BCP Step 1: Project Scope and Planning Part 2
Skills Learned From This Lesson: BCP Plan, BCP Methodology, Project Scope
● BCP Regulation Examples (Healthcare, Government, Finance)
● Usually people understand very little about the importance of BCP; they only want to be
compliant

Lesson 1.22​: BCP Step 2: Business Impact Assessment Part 1
Skills Learned From This Lesson: BIA Assessment, MTD/MTO, RTO
● BIA -> identifies and prioritizes all business processes/resources based on criticality
○ MTD/MTO -> maximum tolerable downtime/outage
○ RTO -> recovery time objective; must be less than the MTD, and covers not only obtaining the
hardware but also restoring its services
○ RPO -> recovery point objective; data loss tolerance, expressed as the time since the last
good copy of the data
● Risk identification
● Categorize processes/resources based on criticality
● Define quantitative metrics to assist with prioritizing the recovery focus
● The BIA helps set recovery priorities

Lesson 1.23​: BCP Step 2: Business Impact Assessment Part 2
Skills Learned From This Lesson: BIA Assessment, Cloud Risk, Risk Probability
● Critical resource identification
● Step 2: BIA: risk associated with procurements and the cloud
○ Evaluate the CSP's (cloud service provider's) BCP -> examine the SLA
○ Verify that controls are in place to meet the obligations, either in person or through a SOC
(Service Organization Controls) report
○ SOC 1 -> controls over financial reporting
○ SOC 2 -> security, availability, processing integrity, confidentiality and privacy controls
(Trust Services Criteria); restricted distribution, typically under NDA
○ SOC 3 -> same scope as SOC 2, but a general-use summary that can be published
● BIA: probability and impact assessment
○ Total risk
○ Residual risk
○ AV
○ ARO
○ Impact (EF)
○ SLE


○ ALE
● BIA: Resource Prioritization
○ Qualitative analysis
○ Quantitative analysis

Lesson 1.24​: BCP Steps 3 and 4: Continuity Planning, Approval and Implementation
Skills Learned From This Lesson: ​Continuity Planning​, BCP Approval, BCP ​Implementation
● Step 3 -> examines the BIA and maps controls to meet the objectives
○ Determine responses (reduce, assign/transfer, accept, reject)
○ Some risks are accepted while others require a more active strategy
● Continuity Planning: Provisions and Processes
○ 3 assets: People (1st priority), Facilities (hardening provisions, alternate sites
[mirrored, leased, cold, warm, hot]), Infrastructure
○ Cold Site -> only the building with basic utilities, no equipment; weeks to become operational
○ Warm Site -> furniture, equipment, basic infrastructure, connectivity; days/hours to
become operational
○ Hot Site -> ready to operate, expensive, exclusive use, MOA/MOU with the provider
(because it is a leased facility); hours/minutes to become operational
○ Infrastructure -> supports the critical elements of the business: servers, systems,
routers, switches, processes, architecture
○ High availability (redundancy, resiliency, fault tolerance)
○ Mirrored site -> fully redundant copy of production; belongs to the organization
○ Cloud changes this overall approach
● Step 4: Plan Approval and Implementation
○ Approval -> CEO or senior officer; indicates the dedication of the business to the BCP
○ Implement -> create guide, deploy resources, supervise
○ Train and educate employees -> distribute the plan on a need-to-know basis, give everyone
an overview

Lesson 1.25​: BCP Sub Plans
Skills Learned From This Lesson: BCP Plans, Plan Roles, Plan Responsibilities
● Sub-plans of BCP have 3 purposes -> Protect (Crisis Communication Plan, Occupant
Emergency Plan), Recover (Business Recovery Plan, Disaster Recovery Plan,
Continuity of Support Plan/IT Contingency Plan), Sustain (Continuity of Operations
Plan)
● CCP -> disseminate necessary information to staff and the public
● OEP -> minimize loss of life and property damage in response to a physical threat
● BRP -> provide procedures for recovering business operations after a disaster
● Continuity of Support Plan / IT Contingency Plan -> provide procedures for recovering a major
application or general support system
● Cyber Incident Response Plan -> provide strategies against cyber incidents
● DRP -> provide procedures to facilitate recovery of capabilities at an alternate site
● COOP -> provide procedures and capabilities to sustain an organization's essential
strategic functions at an alternate site for up to 30 days; not IT focused; in NIST it is a part
of the BCP, not a replacement for it
● Roles and Responsibilities ->
○ Senior Executive Management ​(approval and support of plans, setting
continuity policy, prioritize critical functions, allocate resources, approves BCP,
review test results, ensures maintenance of a current plan)
○ Senior Functional Management ​(develop and document maintenance and
testing strategy, identify and prioritize mission-critical systems, monitors progress
of plan development and execution, tests, creates teams to execute plans)
○ BCP Steering Committee​ -> Conducts the BIA, coordinates with department
representatives, includes Business units, senior mgmt, IT, Security,
Communications, Legal
○ DRP teams​ -> rescue (deal with the immediacy of disaster), recovery-failover
(getting the alternate facility up and running and restore the most critical services
first), salvage (return of operations to the original or permanent facility)

Lesson 1.26​: Developing the Teams
Skills Learned From This Lesson: Team Development, Media Communications, Team
Responsibilities
● Who will talk to the media? Somebody who is trained to do so, not necessarily the CEO
● Who will setup alternative communication methods?
● Who will setup the offsite facility?
● Who will work on the primary facility?


Lesson 1.27​: Types of Tests


Skills Learned From This Lesson: Test Types, Post-Incident Review, Maintain BCP
● Checklist test -> copies of the plan are distributed to the different departments for review
● Structured walk-through (tabletop) test -> representatives from each department go over
the plan together
● Simulation test -> walk through a disaster scenario without interrupting production
● Parallel test -> systems are brought up at the alternate site while the primary site keeps
processing
● Full interruption test -> the original site is shut down and all processing is moved to the
offsite facility; the most realistic and the most disruptive test

● Post-incident review -> focus on how to improve, what should have happened and what
should happen next, not on whose fault it was (unproductive)

● Maintaining the BCP -> keep the plan up to date -> make it part of business meetings and
decisions, centralize responsibility for updates, make it part of job descriptions and personnel
evaluations, report regularly, audits

Module 2: ​Asset Security


Lesson 2.1​: Introduction to Asset Security
Skills Learned From This Lesson: ​Asset Security​, Asset Value, Asset Classification
● Agenda -> Asset Value and Classification
○ Data Protection
○ Data Redundancy
○ Secure Data Disposal

Lesson 2.2​: Data Classification


Skills Learned From This Lesson: ​Data Classification​, Asset Value, ​Sensitivity and criticality
● What makes up the value of an asset? -> value to the organization, loss if compromised,
legislative drivers, liabilities, value to the competitors, acquisition costs
● Data classification -> sensitivity labels for data, for the purpose of configuring baseline
security based on the value of the data
○ Cost -> value of the data


○ Classify -> criteria for classification


○ Controls -> determine the baseline sec config for each
○ Data owner -> determines the classification of data
○ Data custodian -> maintains the data

● Both government and private sector use data classifications


● Sensitivity vs criticality -> Sensitivity describes the amount of damage that would be
done should the information be disclosed and affects confidentiality, Criticality describes
the time sensitivity of the data and affects availability

Lesson 2.3​: Data Protection
Skills Learned From This Lesson: ​Data Protection​, Data States, Integrated Security
● Location? Where is the data stored/processed/transmitted -> jurisdiction, audit, threat
landscape, which actors have access to the data, does the data move between locations and
how?
● Access -> who has access to the data? what controls are in place? what devices can
be used to access the data?
● States of data -> at rest (file system encryption such as EFS, full-disk encryption with a TPM),
in use (in memory, being processed), in transit (SSL/TLS, IPsec)
● Hardware-based / full-disk encryption -> encrypts the entire drive and not only the file system,
so the drive cannot simply be mounted on another operating system and read; BitLocker with the
key sealed in a Trusted Platform Module (TPM)
● What security is built into IPv4? Nothing, so we encapsulate the packet inside another one,
eg. IPsec; IPsec support is integrated into IPv6

Lesson 2.4​: System Hardening and Baselining
Skills Learned From This Lesson: ​System Hardening​, ​System Baselining​,
● Hardening -> remove unnecessary services, install the latest service packs and patches,
rename default accounts, change default settings, enable auditing, firewalls and updates,
physical security!!
● Windows OS was built to be easy to use -> big attack surface -> the opposite of security
● Remove unnecessary services through change requests (change control), because a service
may be in use by something without anyone knowing it

Lesson 2.5​: Threats to Data Storage


Skills Learned From This Lesson: Data Threats, Cloud security, DRM
● Unauthorized usage/access (Strong auth, encryption, obfuscation, anonymization,
tokenization, masking, policies, layered defense)
● Liability due to noncompliance (due care and due diligence, SLAs)
● DoS and DDoS (redundancy, data dispersion)
● Corruption, modification, destruction of data (hashes/digitally signed files)
● Data leakage and breaches (DLP)
● Theft or accidental media loss (full-disk encryption, e.g. BitLocker keyed by a TPM, so a
lost or stolen drive is unreadable)
● Malware attack (anti-malware)
● Improper treatment or sanitization of data at the end of life cycle

Data Security in the Cloud


● Protect data moving to and within the cloud (SSL/TLS/IPSec)
● Protect data in the cloud (encryption)
● Detection of data migration to the cloud (DAM [Database Activity Monitoring], DLP)
● Data dispersion -> data is replicated in multiple physical locations across your cloud. Is
used for higher availability
● Data fragmentation -> splitting a data set into smaller fragments (or shards) and
distribute them across a large number of machines

Data Loss Prevention -> or Data Leakage Prevention = controls put in place to ensure certain
types of data (SSNs, Account Numbers) remain under organization controls in line with policies,
standards and procedures, detects exfiltration of certain types of data, help compliance with
HIPAA,PCI-DSS and others

● Obfuscation -> process of hiding, replacing or omitting sensitive information


● Masking -> use specific characters to hide certain parts of a specific dataset
● Data anonymization -> the process of encrypting or removing PII from datasets, so that
people whom the data describe remain anonymous
● Tokenization -> replaces the sensitive value with a random surrogate (token) that has no
mathematical relationship to the original; the mapping lives in a separate, better-protected
vault. Eg. a public cloud service can be integrated and paired with a private cloud that stores
the sensitive data: the data sent to the public cloud is altered and only contains a reference
(the token) to the data residing in the private cloud

● Data rights management -> DRM or IRM adds an extra layer of access controls on top of
the data object or document and provides granularity flowing down to printing, saving,
copying and other options, protects sensitive content and intellectual property, ACLs that
are embedded into the file and travel with the file (persistent)
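The masking and tokenization controls above, shown in working code. This is an added example and not code from the study guide: the PAN is a constructed test number, and the in-memory TokenVault stands in for the private-cloud store that the text describes.

```python
"""Masking and tokenization of a card number (PAN).

Added example, not code from the study guide. The PAN below is a constructed
test number and the vault is an in-memory stand-in for the private-cloud store
the text describes.
"""
import re
import secrets


def mask_pan(pan: str) -> str:
    """Masking: keep only the last four digits, hide the rest with '*'.

    This is the display form (receipts, call-centre screens); it is not
    reversible, so it cannot be used where the real number is needed.
    """
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a PAN")
    return "*" * (len(digits) - 4) + digits[-4:]


class TokenVault:
    """Tokenization: swap the real value for a random surrogate.

    The token comes from a CSPRNG and has no mathematical relation to the
    value, so there is nothing to reverse; the only way back is the mapping
    held in this vault, which stays in the trusted zone. Systems in the public
    zone store and pass around tokens only.
    """

    def __init__(self) -> None:
        self._value_by_token: dict[str, str] = {}
        self._token_by_value: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # Same input -> same token, so the token still works as a join key
        # ("all transactions of this card") without exposing the PAN.
        token = self._token_by_value.get(value)
        if token is None:
            token = "tok_" + secrets.token_hex(16)
            self._token_by_value[value] = token
            self._value_by_token[token] = value
        return token

    def detokenize(self, token: str) -> str:
        # Only callers inside the trusted zone should ever reach this.
        try:
            return self._value_by_token[token]
        except KeyError:
            raise KeyError("unknown token") from None


def public_zone_record(vault: TokenVault, pan: str) -> dict[str, str]:
    """What the public cloud is allowed to hold: a token and a masked display form."""
    return {"pan_token": vault.tokenize(pan), "pan_display": mask_pan(pan)}


if __name__ == "__main__":
    vault = TokenVault()
    print(public_zone_record(vault, "4111 1111 1111 1111"))  # constructed test PAN
```

The design point: a breach of the public zone yields tokens and masked strings, neither of which gets an attacker the card number; the vault is the one component that must be protected and audited like the data itself.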

Lesson 2.6​: Data Redundancy
Skills Learned From This Lesson: Data Redundancy, Cloud Considerations, Data archiving
● Backups and Archives -> what we backup, how often, where, how long
● BIA -> which services are the most important
● RTO -> Recovery Time Objective, how quickly I have to restore it
● RPO -> Recovery Point Objective, how current the data must be
● Data Retention -> protocol for keeping info for operational or regulatory compliance
needs
● Cloud Considerations -> legal, regulatory and standards requirements must be well
documented, data mapping, data classification
● Data archiving -> identify and move inactive data out of current productions systems into
specialized long-term archival storage systems and includes encryption granular
retrieval, e-discovery, backup, media type, restoration procedures
Lesson 2.7​: Secure Data Disposal
Skills Learned From This Lesson: Data Disposal, Sanitization, Data Remnants
● Sanitizing Media -> types, size of media storage needed
● Confidentiality of data stored in the media
● Will the media be processed in a controlled area?
● Should the sanitization process be conducted within the organization or outsourced?
● What is the anticipated volume of media to be sanitized by type of media?
● What is the availability of sanitization equipment and tools?
● Deleting or formatting is not the right answer!! Both only remove the file-system
metadata; the blocks that held the data are untouched and trivially recoverable with a
carving tool
● If you are going to reuse the media -> clearing (overwriting/zeroization)
● If you are not going to reuse the media -> physical destruction
● Degaussing is in the middle (it purges magnetic media but leaves a modern hard drive
unusable, and it does nothing to flash/SSD media, which need the drive's firmware secure
erase or a cryptographic erase)
● Clearing (overwriting) -> renders data inaccessible by normal means, i.e. keyboard or
software recovery; NIST SP 800-88 "Clear"
● Purging (degaussing, cryptographic erase, block erase) -> renders data infeasible to
recover even with laboratory techniques; NIST SP 800-88 "Purge"

● Destruction-physical destruction -> irreversible by all known techniques
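The "deleting or formatting is not the right answer" point, made concrete. This is an added example, not code from the study guide: ToyVolume is a deliberately simple stand-in for a real file system (a block of bytes plus a directory table), and the customer record written to it is constructed sample data.

```python
"""Why 'delete' and 'format' are not sanitization: a toy volume.

Added example, not from the study guide. ToyVolume is a deliberately simple
stand-in for a real file system: a block of bytes plus a directory table. The
record written to it is constructed sample data.
"""


class ToyVolume:
    def __init__(self, size: int = 4096) -> None:
        self.blocks = bytearray(size)                          # the medium
        self.directory: dict[str, tuple[int, int]] = {}        # name -> (offset, length)
        self._next_free = 0

    def write_file(self, name: str, data: bytes) -> None:
        off = self._next_free
        self.blocks[off:off + len(data)] = data
        self.directory[name] = (off, len(data))
        self._next_free += len(data)

    def delete(self, name: str) -> None:
        """What an OS delete does: remove the metadata, leave the blocks alone."""
        del self.directory[name]

    def quick_format(self) -> None:
        """What a quick format does: a new, empty directory; the blocks are untouched."""
        self.directory.clear()
        self._next_free = 0

    def carve(self, needle: bytes) -> bool:
        """What a forensic carving tool does: ignore the directory, scan the raw blocks."""
        return needle in self.blocks

    def clear(self, passes: int = 1) -> None:
        """NIST SP 800-88 'Clear' for this medium: overwrite every block (zeroization).

        On a magnetic disk one pass of zeros defeats software recovery. Caveat:
        on flash/SSD media the controller remaps blocks, so an overwrite from the
        host may never touch the cells that hold the data; use the drive's
        firmware secure-erase or a cryptographic erase instead.
        """
        for _ in range(passes):
            self.blocks[:] = bytes(len(self.blocks))
        self.directory.clear()
        self._next_free = 0

    def verify_cleared(self) -> bool:
        """Sanitization is not done until it is verified: read back and check."""
        return not any(self.blocks)


def sanitization_demo() -> dict[str, bool]:
    """Run the three steps and report what a carver would still find after each."""
    vol = ToyVolume()
    secret = b"SSN 078-05-1120, account 4111111111111111"   # constructed sample record
    vol.write_file("customers.csv", secret)
    result = {}
    vol.delete("customers.csv")
    result["after_delete"] = vol.carve(b"078-05-1120")
    vol.quick_format()
    result["after_quick_format"] = vol.carve(b"078-05-1120")
    vol.clear()
    result["after_clear"] = vol.carve(b"078-05-1120")
    result["verified"] = vol.verify_cleared()
    return result


if __name__ == "__main__":
    print(sanitization_demo())
```

The carver still finds the record after both the delete and the quick format; only the overwrite removes it, and the final read-back is what turns "we ran a wipe" into evidence for the sanitization log.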

Module 3: ​Security Engineering and Architecture


Lesson 3.1: Cryptography Agenda
Skills Learned From This Lesson: Cryptography Agenda, Introduction, Module Description
● Very testable

Lesson 3.2​: Cryptography in History


Skills Learned From This Lesson: Cryptography in History, Caesar cipher, Enigma/Purple
Machine
● Caesar Cipher *, Scytale, Vigenère, Vernam *, Enigma * and Purple Machine (*focus on
these)
● Caesar -> simple (monoalphabetic) substitution, shift characters 3 spaces, A=D, B=E, C=F
etc.; ROT13 is the same cipher with a shift of 13. Substitution ciphers keep the letter
frequencies of the language, so they are subject to pattern (frequency) analysis; with only
25 possible shifts, Caesar can even be brute-forced by hand
● Scytale -> Spartans used it, a transposition cipher: a strip of leather is wrapped around a
rod and written on along its length; the diameter of the rod is the pre-agreed secret
● Vigenère -> the classic polyalphabetic cipher, a keyword is agreed upon ahead of time,
the first letter of the key selects the shift for the first letter of the message and so on,
repeating the key; it flattens single-letter frequencies, but once the key length is found
(Kasiski examination) it falls to frequency analysis one key position at a time
● Enigma/Purple machine -> rotor machines that added complexity (a different substitution
for every character); the daily rotor settings are the secret shared between the two parties
out of band
● Vernam cipher -> one-time pad, the only mathematically unbreakable (perfectly secret)
form of cryptography, provided that: the key is used only once, the pad is at least as long
as the message, the pad is truly random (statistically unpredictable), and the pad is
delivered and stored securely. Reusing a pad turns it into a "two-time pad" and leaks the
XOR of the two messages

Lesson 3.3​: Security Services Provided by Cryptography
Skills Learned From This Lesson: Cryptography Services, Cryptography Definitions, Initialization
Vector
● Cryptography Services -> Privacy (confidentiality), Authenticity, Integrity, Non-repudiation
(authenticity + integrity, provable to a third party, which needs asymmetric keys: with a
shared symmetric key either party could have produced the message)
● Plaintext + IV + Algorithm (Cipher) + Key = Ciphertext

● Initialization Vector -> a random (or at least unique) value fed into the cipher together
with the key so that encrypting the same plaintext twice gives different ciphertext; it is like
a "seed" for the process. It plays the same role a "salt" plays for password hashing: a
random value combined with the password before hashing so that equal passwords
produce different hashes and precomputed (rainbow) tables are useless. Neither the IV nor
the salt has to be secret, but an IV must never be reused with the same key (see WEP)

Lesson 3.4​: Algorithm
Skills Learned From This Lesson: Algorithm, Keys, Algorithm qualities
● Algorithm -> a collection of math functions that can be performed
● Keys -> how to use the math (the variable input that must stay secret)
● Qualities of an Algorithm -> Confusion, Diffusion, Avalanche, Permutation,
Open/Kerckhoffs's Principle
● Confusion -> complex substitution, strong math: the relationship between key and
ciphertext is obscured (S-boxes)
● Diffusion -> each plaintext bit influences many ciphertext bits, typically through
transposition/permutation, so patterns in the plaintext are spread out
● Avalanche effect -> changing a single bit of the plaintext or key changes about half of
the output bits; confusion and diffusion applied over many rounds produce it (the notes
call this "chaining", where the output of one round is the input of the next)

Lesson 3.5​: Elements of Cryptography Part 1
Skills Learned From This Lesson: Permutation, Open/Kerckhoffs's Principle, key qualities
● Permutation -> the idea of rounds
● Open/Kerckhoffs's Principle -> openness in the algorithm, only the key is secret; the US
government has historically kept some of its own (NSA Type 1) algorithms classified, but
the public standards it adopts (DES, AES) are open
● Security through obscurity -> "if it is hidden it can't be broken"; the opposite of
Kerckhoffs and not a security control, because the design will leak or be reverse
engineered
● GO open for the purpose of the test
● Key qualities -> long, random, secret

Lesson 3.6​: Elements of Cryptography Part 2
Skills Learned From This Lesson: Symmetric Cryptography, Stream Ciphers, Block Ciphers
● Symmetric -> stream (RC4 is the one to know for the exam), block (AES/3DES)
● Asymmetric -> Discrete logarithms (Diffie-Hellman, ECC, El Gamal), Factorization (RSA)
● Symmetric -> efficient, the most common, much faster than asymmetric; the problem is
key distribution (n users need n(n-1)/2 keys)
● Stream ciphers are very fast and work bit by bit, but they are fragile: they XOR the
plaintext with a keystream, so if the same key (and IV) is reused the keystreams cancel
and the attacker learns the XOR of the two plaintexts, which is exactly the WEP failure.
RC4 itself is now broken and should not be used
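The keystream-reuse failure described in this lesson and the "key must be used only once" rule for the Vernam cipher above, shown on real bytes. This is an added example, not code from the study guide: RC4 is implemented only to make the point concrete (it is broken and must not be used), and the key and messages are constructed.

```python
"""Stream ciphers and keystream reuse (the 'two-time pad').

Added example, not from the study guide. RC4 is implemented here only to make
the point concrete; it is broken and must not be used in real systems. Messages
and key are constructed.
"""
import os


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream (KSA + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):                    # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """A stream cipher is just plaintext XOR keystream; decryption is the same call."""
    return xor_bytes(plaintext, rc4_keystream(key, len(plaintext)))


def one_time_pad(message: bytes, pad: bytes) -> bytes:
    """Vernam: the pad must be truly random, at least as long as the message, and used once."""
    if len(pad) < len(message):
        raise ValueError("pad shorter than message")
    return xor_bytes(message, pad)


def recover_with_known_plaintext(c1: bytes, c2: bytes, p1: bytes) -> bytes:
    """Two ciphertexts under the same keystream: c1 XOR c2 == p1 XOR p2, so knowing
    p1 (or guessing a header, a banner, a fixed field) reveals p2 without the key."""
    return xor_bytes(xor_bytes(c1, c2), p1)


def keystream_reuse_demo() -> bytes:
    """Static key (think WEP), two messages, and what a passive sniffer can learn."""
    key = b"static-wep-key"                    # constructed
    p1 = b"Transfer 100 USD to account 42"   # the attacker knows or guesses this one
    p2 = b"Transfer 900 USD to account 99"   # the one the attacker wants
    c1 = stream_encrypt(key, p1)
    c2 = stream_encrypt(key, p2)
    return recover_with_known_plaintext(c1, c2, p1)


if __name__ == "__main__":
    print(stream_encrypt(b"Key", b"Plaintext").hex())   # published RC4 test vector
    print(keystream_reuse_demo())
    pad = os.urandom(32)                      # correct use: a fresh random pad per message
    print(one_time_pad(one_time_pad(b"attack at dawn", pad), pad))
```

The second ciphertext is recovered without ever touching the key; the cipher was not "cracked", the keystream was simply used twice. A per-message IV mixed into the key (done properly, unlike WEP's 24 bits) or a block cipher in an authenticated mode is the fix.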

Lesson 3.7​: Principles of Secure Design
Skills Learned From This Lesson: Security Models, System Architecture, State Machine Model
● Security model -> lays out the framework and mathematical models that act as
security-related specs for a system architecture, it is a concept

● System architecture -> the overall design of the components such as hardware, OS,
applications and networks - of an information system, brings the model to life
● State Machine Model -> if a system starts securely, runs securely and shuts down (or
crashes) securely, it is a secure system: every state transition preserves the security policy
● The startup of a system is the most difficult because the security mechanisms have not
loaded yet
● During shutdown (trusted recovery) -> in the event of a violation or crash the system
should terminate with no further compromise and come back up in a secure state

Lesson 3.8​: Security Models Part 1
Skills Learned From This Lesson: Security Models, ​Bell-LaPadula Model​, ​The Biba Model
● The Bell-LaPadula Model -> enforces confidentiality (developed for the US DoD), three
rules: 1) Simple Security Property "no read up" -> a subject cannot read data from a
security level higher than the subject's security level 2) * (star) Security Property "no
write down" -> a subject cannot write data to a security level lower than the subject's
security level 3) Strong * Property "no read/write up or down" -> a subject can perform
read/write functions only at the subject's own security level
● The Biba Model -> the opposite of Bell-LaPadula, enforces integrity (protects data from
being contaminated by less trustworthy sources), three rules 1) Simple integrity axiom "no
read down" -> a subject cannot read data from an object of lower integrity level 2) * (star)
integrity axiom "no write up" -> a subject cannot write data to an object at a higher
integrity level 3) invocation property -> a subject cannot invoke (call upon) subjects at a
higher integrity level
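Both models as a reference-monitor check, so the six rules can be exercised rather than memorised. This is an added example, not code from the study guide: the level names, labels, subjects and objects are constructed, and a real system would hold the labels inside the TCB rather than in a Python dictionary.

```python
"""Bell-LaPadula and Biba as a reference-monitor check.

Added example, not from the study guide. The level names and the subjects and
objects in the demo are constructed; a real system would carry the labels in
the TCB, not in a dictionary.
"""
from dataclasses import dataclass

CLEARANCE = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}
INTEGRITY = {"untrusted": 0, "user": 1, "system": 2}


@dataclass(frozen=True)
class Label:
    confidentiality: str   # Bell-LaPadula dimension
    integrity: str         # Biba dimension


def blp_allows(subject: Label, obj: Label, op: str, strong_star: bool = False) -> bool:
    """Confidentiality rules: no read up, no write down (strong *: own level only)."""
    s, o = CLEARANCE[subject.confidentiality], CLEARANCE[obj.confidentiality]
    if strong_star:
        return s == o                                  # read/write only at own level
    if op == "read":
        return s >= o                                  # simple security property
    if op == "write":
        return s <= o                                  # *-property
    raise ValueError(op)


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Integrity rules: no read down, no write up, no invoke up."""
    s, o = INTEGRITY[subject.integrity], INTEGRITY[obj.integrity]
    if op == "read":
        return s <= o                                  # simple integrity axiom
    if op in ("write", "invoke"):
        return s >= o                                  # * integrity axiom / invocation property
    raise ValueError(op)


class ReferenceMonitor:
    """Mediates every access (tamperproof in a real TCB) and logs each decision."""

    def __init__(self) -> None:
        self.audit: list[tuple[str, str, str, bool]] = []

    def check(self, who: str, subject: Label, what: str, obj: Label, op: str) -> bool:
        # When a system enforces both models, an access must satisfy both.
        ok = blp_allows(subject, obj, op) if op != "invoke" else True
        ok = ok and biba_allows(subject, obj, op)
        self.audit.append((who, op, what, ok))
        return ok


def demo() -> list[tuple[str, str, str, bool]]:
    rm = ReferenceMonitor()
    analyst = Label("secret", "user")
    top_secret_plan = Label("top_secret", "system")
    public_bulletin = Label("unclassified", "untrusted")
    secret_report = Label("secret", "user")
    rm.check("analyst", analyst, "plan", top_secret_plan, "read")        # BLP: no read up
    rm.check("analyst", analyst, "bulletin", public_bulletin, "write")   # BLP: no write down
    rm.check("analyst", analyst, "bulletin", public_bulletin, "read")    # Biba: no read down
    rm.check("analyst", analyst, "report", secret_report, "write")       # same level: allowed
    return rm.audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The third case is the one worth noticing: Bell-LaPadula happily lets a secret-cleared analyst read an unclassified bulletin, but Biba refuses it because the bulletin is of lower integrity. Confidentiality and integrity pull in opposite directions, which is why real systems pick which model applies to which data.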

Lesson 3.9​: Security Models Part 2
Skills Learned From This Lesson: Security Models, Clark-Wilson Model, Separation of Duties
● The Clark-Wilson Model -> commercial integrity model: keep users away from the data
or they will break it, so the user does not access the data directly but through a trusted
interface; untrusted never touches trusted directly, SEPARATION OF DUTIES; an API in
front of a database serves exactly this purpose
● This model enforces well-formed transactions through the use of the access triple: User
(subject) -> Transformation Procedure (TP) -> CDI (Constrained Data Item); Integrity
Verification Procedures (IVPs) check that CDIs are in a valid state, and Unconstrained
Data Items (UDIs) are inputs that have not been validated yet

Lesson 3.10​: Security Models Part 3
Skills Learned From This Lesson: Security Models, Brewer & Nash Model

● The Brewer & Nash Model a.k.a Chinese Wall -> combat conflict of interest in databases
housing competitor information, fair competition, defines a wall and a set of rules to
ensure that no subject accesses objects on the other side of the wall, separating
competitors data within the same integrated database

Lesson 3.11​: Security Models Part 4
Skills Learned From This Lesson: Security Models, Security Architecture, Protection Rings
● The Information Flow Model -> Data is compartmentalized based on classification and
the need to know, model seeks to eliminate covert channels, data flows from low to high
security level and high to low integrity level
● The Non-Interference Model -> actions at a higher security level does not interfere with
actions at a lower level, goal is to protect the state of an entity so that data does not
pass through covert channels
● The Lattice Model -> the idea of lower and higher boundaries, confidentiality, access to
an object by an authorized subject
● Security Architecture -> directs how the components included in the system architecture
should be organized to ensure that security requirements are met. It should include:
description of locations, description of components, security specifications
● Program -> an application (a passive file on disk)
● Process -> a program loaded in memory, with its own address space
● Thread -> an individual path of execution within a process; the threads of one process
share its memory
● Multiprogramming -> several programs loaded at once on one CPU, switched between;
no true isolation
● Multiprocessing -> more than one CPU (or core) executing at the same time
● Multithreading -> one process running several threads; on a single CPU they are
time-sliced, and multi-core processors today let them really run in parallel
● CPU modes and protection rings -> Ring 0 (kernel), 1 (remaining OS components), 2 (I/O
drivers and OS utilities), 3 (applications and user activity); the lower the ring, the more
privileged
● In practice modern OSes use only 2 rings, 0 (kernel mode, fully trusted) and 3 (user
mode, untrusted); the transition between them is a system call

Lesson 3.12​: System Architecture
Skills Learned From This Lesson: System Perimeter, Reference Monitor, Secure Modes of
Operation
● Trusted Computing Base (TCB) -> all the hardware, firmware and software that enforce
the security policy; everything outside it may be untrusted
● Security Perimeter -> the boundary between the TCB and the rest of the system
● Reference Monitor -> the abstract concept of mediating every access of a subject to an
object: it is the law of the system, the rules

● Security Kernel -> it enforces (invoked) the reference monitor concept, it must facilitate
isolation of processes, must be invoked at every access attempt, small enough to be
tested and verified in a comprehensive manner
● Security Policy -> a set of rules on how resources are managed within a computer
system
● Least Privilege -> one process has no more privileges than it needs
● Secure Modes of Operation (as the exam lists them) -> Dedicated (every user has
clearance, formal approval and need-to-know for ALL data on the system), System High
(clearance and approval for all data, need-to-know only for some), Compartmented
(clearance for all data, need-to-know and formal approval only for some compartments),
Multilevel (users with different clearances and data of different classifications on one
system, which relies on the reference monitor to enforce the boundaries). The notes'
"single state" vs "multi state" is the distinction between a system that holds one
classification of data and one that holds several

Lesson 3.13​: Evaluation Criteria Part 1
Skills Learned From This Lesson: Security Evaluation, TCSEC, ITSEC
● Why evaluate? To examine the security-related components of a system, Trust vs.
Assurance
● Trust is all about the function of the product, what it does, eg. auditing, firewalling
● Assurance is all about the reliability of the process: was it designed, built and tested well
● CMMI five maturity levels (Initial, Managed, Defined, Quantitatively Managed,
Optimizing)
● The Orange Book (TCSEC) looks at trust and assurance as a whole, like a checklist;
from lowest to highest: D (minimal protection), C1, C2 (discretionary protection), B1, B2,
B3 (mandatory protection with labels), A1 (verified design)
● The Orange Book is one volume of the Rainbow Series (e.g. the Red Book covers
networks)
● ITSEC (Information Technology Security Evaluation Criteria) created by European
nations in 1991 as a standard to evaluate security attributes of computer systems; unlike
TCSEC it rates functionality and assurance separately
● F1 to F10 rates functionality, E0 to E6 rates assurance

Lesson 3.14​: Evaluation Criteria Part 2


Skills Learned From This Lesson: Evaluation Criteria, Common Criteria, Certification &
Accreditation
● Common Criteria ISO/IEC 15408, replaced TCSEC and ITSEC as the international
standard
● Protection Profile (PP): the security requirements, written from the agency's or
customer's point of view for a class of products
● Target of Evaluation (TOE): the system or product designed by the vendor
● Security Target (ST): documentation describing how the TOE meets the Protection
Profile
● Evaluation Assurance Level (EAL 1-7): the depth and rigor of the evaluation the TOE has
passed, not how "secure" the product is; a higher EAL means more confidence that the
claims in the ST are true
● EAL 4 in the middle - Methodically designed, tested and reviewed; the highest level
commercial products normally reach

● Certification & Accreditation
● Certification -> technical evaluation of the system and its controls against the
requirements, performed by security/technical staff or an independent evaluator (not
simply the vendor's own claim)
● Accreditation -> management's formal approval to operate the system, accepting the
residual risk; it is time-limited and must be repeated after major changes

Module 4: ​Communications and Network Security

Lesson 4.1​: Introduction to Communications and Network Security


Skills Learned From This Lesson: OSI model, Interoperability, Standardization
● OSI model -> promotes interoperability between vendors, enables standardization,
describes the encapsulation (packaging) of data to enable it to get from point A to point
B
Lesson 4.2​: The OSI Model Part 1
Skills Learned From This Lesson: OSI Model, PDU, SPFB
● You have to know what happens in each layer for the exam
● Protocol Data Unit (PDU) is data in whatever packaging it is. 5,6,7 is data, 4 segments, 3
is a packet, 2 is frame, 1 is bits (D-SPFB)

Lesson 4.3​: The OSI Model Part 2
Skills Learned From This Lesson: OSI Model, Physical Layer, DataLink Layer
● L1 Physical: physical connectivity, electrical/optical/radio signals, bits on the wire
● Across-layer questions are common in the exam
● Threats: theft, unauthorized access, vandalism, sniffing, interference, data emanation
● L2 Data Link: two sublayers, LLC (Logical Link Control: flow control and error detection
towards L3) and MAC (Media Access Control: physical addressing and access to the
medium)
● Threat: MAC spoofing (a NIC's address is trivial to change, so it is not an authenticator)

Lesson 4.4​: The OSI Model Part 3
Skills Learned From This Lesson: MAC Addresses, ARP, ARP poisoning
● MAC Addresses -> 48-bit hardware addresses, the first 24 bits identify the vendor (OUI)
● Address Resolution Protocol (ARP) takes a known IP address and learns the unknown
MAC address by broadcasting a request on the local segment
● The MAC address is cached: the good is that I don't need to go out and ask again, the
bad is that I may have old information that I trust; ARP has no authentication at all

● ARP-Cache poisoning or pollution is the change of cache for the purpose of redirection

Lesson 4.5​: The OSI Model Part 4
Skills Learned From This Lesson: CSMA/CD, CSMA/CA, Token Passing
● Carrier Sense Multiple Access with Collision Detection (CSMA/CD) - wired Ethernet
802.3 on a shared medium: the card listens, transmits when the line is quiet, detects a
collision if one happens and retries after a random back-off; it is how the network card
decides when to transmit information and when to wait
● Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) - 802.11 wireless: a
radio cannot hear collisions while it transmits, so stations try to avoid them (wait, optional
RTS/CTS, acknowledgements)
● Token Passing - only the station holding the token may transmit (Token Ring, FDDI), so
there are no collisions at all

Lesson 4.6​: The OSI Model Part 5
Skills Learned From This Lesson: NICs, Sniffers, Switches, RARP
● NICs examine each frame and, normally, only pass up frames addressed to their own
MAC or to broadcast
● Sniffers put the NIC in promiscuous mode, which means they pick up all the data
regardless of the destination MAC address
● Switch -> by default a L2 device, though the more precise answer is "L2, and L3 for a
layer 3 switch"; uses MAC addresses to direct traffic, isolates traffic into per-port
collision domains, does NOT isolate broadcasts natively
● Reverse ARP (RARP) -> takes a known MAC and asks for the IP; predecessor of BOOTP
and DHCP, used when a client boots without an IP address
● NICs operate at L2 (and L1)
● ARP poisoning happens through an unsolicited (gratuitous) reply: a host accepts "IP X is
at MAC Y" without ever having asked, and caches it
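Detection logic for the ARP cache poisoning described in Lessons 4.4 and 4.6, run over a handful of ARP records. This is an added example, not code from the study guide; the packet records are constructed, and a real detector would decode them from a capture (for instance with scapy) into the same shape. The two signals it uses, an IP-to-MAC mapping that changes and a reply nobody asked for, are the ones arpwatch-style tools alert on.

```python
"""Detecting ARP cache poisoning from observed ARP traffic.

Added example, not from the study guide. The packet records are constructed; a
real detector would decode them from a capture (e.g. with scapy) into this shape.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Arp:
    op: str            # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str


class ArpWatch:
    def __init__(self) -> None:
        self.table: dict[str, str] = {}      # the cache a victim would build
        self.pending: set[str] = set()       # IPs we asked about and have not heard back on
        self.alerts: list[str] = []

    def observe(self, pkt: Arp) -> None:
        if pkt.op == "request":
            self.pending.add(pkt.target_ip)
            return
        ip, mac = pkt.sender_ip, pkt.sender_mac
        if ip in self.pending:
            self.pending.discard(ip)
        else:
            # Unsolicited (gratuitous) reply: legitimate for failover and IP changes,
            # but also exactly how a poisoner pushes a bogus mapping into caches.
            self.alerts.append(f"unsolicited reply: {ip} is-at {mac}")
        old = self.table.get(ip)
        if old is not None and old != mac:
            self.alerts.append(
                f"mapping changed: {ip} was {old}, now {mac} (possible poisoning)")
        self.table[ip] = mac


def run_detection(packets: list[Arp]) -> list[str]:
    """Feed a packet sequence through the watcher and return the alerts it raised."""
    watch = ArpWatch()
    for p in packets:
        watch.observe(p)
    return watch.alerts


# Constructed sample traffic: a normal resolution of the gateway, then an
# attacker on the segment claims the gateway's IP with its own MAC.
SAMPLE = [
    Arp("request", "10.0.0.5", "00:11:22:33:44:55", "10.0.0.1"),
    Arp("reply", "10.0.0.1", "aa:bb:cc:dd:ee:01", "10.0.0.5"),
    Arp("reply", "10.0.0.1", "de:ad:be:ef:00:01", "10.0.0.5"),   # poisoning attempt
]

if __name__ == "__main__":
    for line in run_detection(SAMPLE):
        print(line)
```

A gratuitous reply on its own is only a warning, because clustering and DHCP renewals produce them legitimately; the same IP flipping to a different MAC shortly afterwards is what turns it into an incident. Prevention lives on the switch (dynamic ARP inspection tied to DHCP snooping), which this host-side check does not replace.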

Lesson 4.7​: The OSI Model Network Devices
Skills Learned From This Lesson: Hub, Switch, collisions
● A hub doesn't do any traffic control, collisions happen, and if you plug a sniffer into a
hub you will get all the data that passes through the hub
● Each port on a switch is its own collision domain and we want to reduce collisions, so
the switch is our tool
● If I plug a sniffer into a switch port, no unicast traffic for other hosts should come out of
that port (only broadcasts and traffic addressed to me); that is why attackers on a
switched network fall back to ARP poisoning or MAC flooding, and why defenders
configure a SPAN/mirror port for legitimate monitoring

Lesson 4.8​: The OSI Model Collision Domains
Skills Learned From This Lesson: Routers, VLANs, L3 Switches
● A router isolates traffic into broadcast domains and uses IP addressing to direct traffic
● On a port-by-port basis routers are very expensive
● Each port on a router is its own broadcast domain (subnet)

● VLANs -> to get broadcast isolation on a switch, a VLAN is necessary


● A L2 switch doesn't truly understand L3 IP addressing
● VLANs cannot talk to each other at L2; a router or a L3 switch is necessary for inter-VLAN
communication, and that is where the access control between VLANs should live
● Routers are still essential to get off the network, but for internal traffic, L3 switches can
replace routers and route between VLANs

Lesson 4.9​: The OSI Model Layer 3 Protocols
Skills Learned From This Lesson: L3 Protocols, ICMP, ICMP attacks
● The L3 protocols to remember all start with the letter "I" (IP, ICMP, IGMP, IGRP, IPsec,
IKE, ISAKMP); IMAP also starts with "I" but is a L7 mail protocol, so it is the exception
● ICMP -> full of security holes: Ping of Death (an oversized ping, bigger than the 65,535
byte maximum IP datagram, that crashes the reassembling host), Ping Flood (many pings),
Smurf (spoofed source address and directed broadcasts so that a whole subnet replies to
the victim, a DDoS), LOKI attack (hides data inside ICMP messages as a covert channel),
Fraggle attack (similar to Smurf but uses UDP echo/chargen, a L4 attack)
● Never allow a directed broadcast; block unnecessary ICMP at the firewall from outside
(echo request, redirects, timestamps). Caveat: do not drop ICMP wholesale, because
"fragmentation needed" (type 3 code 4) is required for path MTU discovery, and on IPv6
ICMPv6 carries neighbor discovery, so blanket blocking breaks the network

Lesson 4.10​: The OSI Model Layer 4
Skills Learned From This Lesson: UDP, UDP attacks, DNS
● UDP -> connectionless, unreliable, no handshake, desirable when real-time transfer is
essential (media streaming, gaming, live chat); FTP uses TCP, TFTP uses UDP. Because
there is no handshake, UDP source addresses are trivially spoofed, which is what
reflection/amplification attacks rely on
● SYN flood -> L4 attack: many half-open TCP connections exhaust the listener's backlog
(SYN cookies are the defence)
● DNS is a L7 application protocol that rides on UDP (and TCP) port 53

Lesson 4.11​: The OSI Model Layer 5 and 6
Skills Learned From This Lesson: Layer 5 , Layer 6
● L5 -> responsible for establishing a connection between two applications, dialogue
control, release connection
● Setup, maintenance and teardown of a communication
● L6 -> presents the data in a format that all computers can understand; the exam lore is
that it is the only layer without its own protocols, holding data formats and standards
instead (ASCII, JPEG, MIME, and in some texts TLS)
● Concerned with encryption, compression and formatting

Lesson 4.12​: The OSI Model Layer 7
Skills Learned From This Lesson: Layer 7, Layer 7 protocols, OSI vs TCP/IP

● L7 -> defines a protocol that two different programs or applications understand


● HTTP, HTTPS, FTP, TFTP, SMTP, SNMP etc.
● Application Proxies
● Non-repudiation
● Certificates, digital signing
● Integration with Directory Services
● Time awareness
● OSI vs. TCP/IP model

Lesson 4.13​: The OSI Model Firewalls Part 1
Skills Learned From This Lesson: OSI/TCP, Firewalls, HW vs SW Firewalls
● OSI/TCP what you need to know (matrix)
● Firewalls -> isolation and separation, create zones based on trust, hardware firewalls vs.
software firewalls, use rule-based access control, allowlisting (default deny)
● It's not a good idea to take a general-purpose Windows box and make it a firewall
(software), because it runs many other services that widen the attack surface; a hardware
appliance that only performs the firewalling task is better, but more expensive ->
cost-benefit analysis

Lesson 4.14​: The OSI Model Firewalls Part 2
Skills Learned From This Lesson: Firewalls, Layer 3 FW, Defense in Depth
● L3, L5, L7 firewalls
● L3 FW -> packet filtering, screening routers, inspect L3 & L4 Headers (Source and Dest
IP, Source and Dest Port, Protocol TCP or UDP)
● The firewall is the first line of defense

Lesson 4.15​: The OSI Model Firewalls Part 3
Skills Learned From This Lesson: Firewalling, Stateful filtering, Proxy firewalls
● As you go up the OSI you get smarter but slower
● L5 Stateful filtering (awareness of the initiation of the session and the state, can block
unsolicited replies, can understand the syntax of lower-layer protocols and can block
“misbehaving” traffic)
● L7 Application Proxies/firewalls, DPI, forward proxy inspects traffic from inside going out,
reverse proxy inspects traffic from outside going in, can inspect on content, time,
application-awareness, certificates, specific to the application protocols

● enforce network policy
● sit on the perimeter of a network and allow or deny traffic
● a proxy/bastion host MUST have IP forwarding turned off, so that packets can only cross
it through the proxy software and never get routed around it
● generally, are dual/multi-homed
● types of fw (packet filtering, stateful, proxy, dynamic packet filtering)
● Packet filter -> keeps no state (each packet is evaluated on its own without regard to
previous traffic), rule-based access control; packet filters are still used on the edge of
the network in front of a stateful fw for performance reasons
● Stateful fw -> keeps track of each connection in a state table, so it knows which
conversations are active and can drop a "reply" that was never requested; more
complex, and open to a DoS that tries to fill up the state table/use up memory (SYN
floods, masses of short connections); content-dependent access control
● Proxy fw -> two types (circuit level, application level); both types of proxies terminate
the connection and hide the internal hosts/addressing from the outside world
● application proxies -> more expensive, advanced logging/auditing and access control
features (restrict users to only allowed websites, inspect data for protocol violations,
inspect data for malware); the extra processing requires extra CPU, and proxies only
understand the protocols they were written for, so you need a separate application proxy
for EACH protocol you want to proxy
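The difference between a stateless packet filter and a stateful firewall (Lessons 4.14 and 4.15), shown on the same three packets. This is an added example, not code from the study guide; the addresses come from the documentation ranges (10.0.0.0/8 inside, 203.0.113.0/24 outside) and the packets are constructed.

```python
"""Stateless packet filter vs. stateful firewall on the same traffic.

Added example, not from the study guide. The addresses are from the
documentation ranges (10.0.0.0/8 inside, 203.0.113.0/24 outside) and the
packets are constructed.
"""
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = inside -> internet, "in" = internet -> inside
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK, i.e. a new connection


def stateless_filter(p: Packet) -> str:
    """Each packet judged on its headers alone, like an ACL on a screening router."""
    if p.proto == "tcp" and p.direction == "out" \
            and ipaddress.ip_address(p.src) in INSIDE and p.dport == 443:
        return "allow"                        # rule 1: inside may browse HTTPS
    if p.proto == "tcp" and p.direction == "in" \
            and ipaddress.ip_address(p.dst) in INSIDE and p.sport == 443:
        return "allow"                        # rule 2: replies from port 443 may come back
    return "deny"                             # implicit deny


class StatefulFirewall:
    def __init__(self, max_sessions: int = 10_000) -> None:
        self.sessions: set[tuple] = set()     # the state table
        self.max_sessions = max_sessions      # filling it up is the classic DoS

    def decide(self, p: Packet) -> str:
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        if p.direction == "out":
            if flow in self.sessions:
                return "allow"
            if p.syn and stateless_filter(p) == "allow":
                if len(self.sessions) >= self.max_sessions:
                    return "deny"             # table full: new sessions are refused
                self.sessions.add(flow)       # only a policy-approved SYN opens state
                return "allow"
            return "deny"
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        return "allow" if reverse in self.sessions else "deny"


def compare(packets: list[Packet]) -> list[tuple[str, str]]:
    """(stateless verdict, stateful verdict) for each packet, in order."""
    fw = StatefulFirewall()
    return [(stateless_filter(p), fw.decide(p)) for p in packets]


SAMPLE = [
    Packet("out", "tcp", "10.0.0.5", 51000, "203.0.113.10", 443, syn=True),  # legit request
    Packet("in", "tcp", "203.0.113.10", 443, "10.0.0.5", 51000),              # its reply
    Packet("in", "tcp", "203.0.113.66", 443, "10.0.0.5", 22),                 # crafted: sport 443 to SSH
]

if __name__ == "__main__":
    for p, (stateless, stateful) in zip(SAMPLE, compare(SAMPLE)):
        print(f"{p.direction:3} {p.src}:{p.sport} -> {p.dst}:{p.dport}"
              f"  stateless={stateless}  stateful={stateful}")
```

The third packet is the whole argument: to let HTTPS replies back in, the stateless filter needs a rule that trusts any inbound packet with source port 443, and an attacker simply sets that source port to reach SSH. The stateful firewall never had to open that hole because it only admits the reverse of a flow it saw leave. The max_sessions cap shows the price: an attacker who can open enough approved flows denies service to everyone else.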

Lesson 4.16​: The OSI Model NAT/PAT
Skills Learned From This Lesson: NAT, PAT, ​fw best practices
● Advantages → you don't need to get real public IP addresses for each computer, RFC
1918 IP addresses, hides internal network structure, transparent
● Disadvantages → Single point of failure/performance bottleneck doesn't protect from bad
content
● overall fw best practices (block unnecessary ICMP packets, keep ACLs simple, use
implicit deny, disallow source-routed packets, use least privilege, block directed IP
broadcasts, perform ingress and egress filtering (drop inbound packets that claim an
internal or private source address, drop outbound packets that do not come from your
own addresses), enable logging, drop fragments or re-assemble fragments before
inspection)

Lesson 4.17: Password Security
Skills Learned From This Lesson: Password Security, password length, password complexity

● we want security, not always complexity, so a good password could be four random
words and not with symbols

Lesson 4.18​: Area Networks: LAN, WAN and MAN
Skills Learned From This Lesson: WAN network types, circuit switching, packet switching
● two types of WAN networks -> circuit switching and packet switching
● circuit switching (PSTN, ISDN, DSL, T-carriers): a dedicated path for the duration of the
call
● packet switching (X.25, Frame Relay, ATM, VoIP, MPLS): shared links, data split into
packets
● MPLS creates cost-effective private WANs that are faster and more private than regular
routed "public" IP networks like the Internet, because a "virtual" private end-to-end path is
built just for your organization and other customers' traffic is kept separate by labels;
provides QoS for VoIP and other high-priority traffic; it works between L2 and L3 (often
called "layer 2.5"). Caveat: MPLS separates traffic, it does not encrypt it; the carrier and
anyone with access to its network can read the packets, so the claim that encryption-based
VPN equipment is no longer needed only holds if you trust the provider with plaintext.
Sensitive traffic should still be encrypted (IPsec over the MPLS circuit)
● VoIP -> voice over IP, Real-time Transport Protocol (RTP) carries the audio in plaintext
over UDP, SIP is used for session initiation (signaling)
● Security issues ->
○ eavesdropping (greatest threat) - enable SRTP (Secure RTP) and protect SIP with TLS
○ toll fraud -> hijacked accounts or PBXs used for international calls
○ vishing -> social engineering (voice phishing) through VoIP
○ SPIT -> Spam over IP Telephony
● Performance issues -> latency, which is a predictable delay, and jitter, which is an
unpredictable variation in delay

Lesson 4.19​: Remote Access
Skills Learned From This Lesson: Dial up, Tunnelling, authenticity issues
● Dial-Up
○ PPP (L2 framing for remote access, WAN connectivity)
○ authentication through PAP, CHAP, EAP: PAP (Password Authentication Protocol) ->
not good, the password crosses the line in plaintext; CHAP (Challenge Handshake
Authentication Protocol) -> good because it never puts the password on the network: the
server sends a random challenge, the client returns a hash of (identifier + secret +
challenge), and the server re-challenges periodically during the session. It is a
challenge-response proof rather than a true zero-knowledge proof, and a captured
challenge/response pair can be dictionary-attacked offline if the secret is weak; EAP
(Extensible Authentication Protocol) -> a framework with many different flavors
(EAP-TLS, PEAP, etc.)
○ Tunneling
● PPTP only over IP networks, authenticates with PAP, CHAP or EAP (MS-CHAP in
practice, which is broken and should not be relied on)

● MPPE (Microsoft Point-to-Point Encryption) -> the RC4-based encryption PPTP relies on
● GRE (Generic Routing Encapsulation) -> carries the tunneled packets for PPTP
● L2TP -> tunneling protocol with no security built in, so it is combined with IPsec
(L2TP/IPsec)
● IPsec -> the current answer for a secure tunnel
○ Wireless
● encryption: WEP, WPA, WPA2
○ Authentication
● 802.1X (port-based network access control, EAP carried to a RADIUS server)
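The PAP vs. CHAP contrast from the remote-access lesson, as the actual exchange between both sides. This is an added example and not code from the study guide: the response computation follows RFC 1994 (MD5 over identifier, secret and challenge), while the Peer and Authenticator classes, the user name and the shared secret are constructed for the demo.

```python
"""PAP vs. CHAP over a link the attacker can sniff.

Added example, not from the study guide; the response format follows RFC 1994
(response = MD5(identifier || secret || challenge)) but the Peer/Authenticator
classes, the user and the secret are constructed for the demo.
"""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """The hash both sides compute; the secret itself never goes on the wire."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side: issues a fresh random challenge and checks the response."""

    def __init__(self, secrets_db: dict[str, bytes]) -> None:
        self.db = secrets_db
        self.outstanding: dict[int, bytes] = {}   # identifier -> challenge

    def challenge(self) -> tuple[int, bytes]:
        identifier = os.urandom(1)[0]
        chal = os.urandom(16)
        self.outstanding[identifier] = chal
        return identifier, chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        chal = self.outstanding.pop(identifier, None)   # each challenge is usable once
        if chal is None or name not in self.db:
            return False
        expected = chap_response(identifier, self.db[name], chal)
        return hmac.compare_digest(expected, response)   # constant-time comparison


class Peer:
    """Client side: answers the challenge with the shared secret."""

    def __init__(self, name: str, secret: bytes) -> None:
        self.name, self.secret = name, secret

    def respond(self, identifier: int, chal: bytes) -> tuple[str, bytes]:
        return self.name, chap_response(identifier, self.secret, chal)


def pap_on_the_wire(name: str, password: bytes) -> bytes:
    """PAP: the credential itself is the message; a sniffer gets it verbatim."""
    return name.encode() + b":" + password


def chap_demo() -> dict[str, bool]:
    secret = b"correct horse battery"             # provisioned out of band (constructed)
    server = Authenticator({"alice": secret})
    alice = Peer("alice", secret)
    mallory = Peer("alice", b"guess")             # knows the user name, not the secret

    ident, chal = server.challenge()
    name, resp = alice.respond(ident, chal)        # a sniffer sees ident, chal, resp only
    results = {"alice_ok": server.verify(ident, name, resp)}
    results["replay_ok"] = server.verify(ident, name, resp)   # same pair again: refused

    ident2, chal2 = server.challenge()
    results["wrong_secret_ok"] = server.verify(ident2, *mallory.respond(ident2, chal2))
    return results


if __name__ == "__main__":
    print(pap_on_the_wire("alice", b"hunter2"))    # what PAP leaks
    print(chap_demo())
```

What the sniffer does get is a challenge/response pair, and MD5 is fast, so a weak shared secret can still be recovered offline by guessing; CHAP removes the plaintext password from the wire, it does not make the secret strong. Replay is defeated because the server discards each challenge after one use.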

Lesson 4.20: Generic Routing Encapsulation (GRE)
Skills Learned From This Lesson: GRE, GRE attributes, data encapsulation
● point-to-point link between 2 networks. It adds an extra IP header (and a GRE header) to
the original packet. Much more frequently used in the past to encapsulate AppleTalk, IPX
and other older protocols; it provides no confidentiality or integrity on its own
● Data Encapsulation
● Simplicity
● Multicast traffic forwarding

Lesson 4.21​: Wireless Security Part 1
Skills Learned From This Lesson: security problems, WEP, WEP vulnerabilities
● security problems
○ unauthorized access
○ sniffing unencrypted text
○ Wardriving
○ unauthorized access points (MiTM)

● WEP
○ Shared auth passwords
○ Weak IV (24 bits)
○ IV transmitted in clear text
○ RC-4 stream cipher

○ easily crackable (tools recover the key in minutes from captured traffic)
○ the only option in the original 802.11/802.11b era

Lesson 4.22​: Wireless Security Part 2
Skills Learned From This Lesson: WPA, WPA2, Authentication
WPA
○ stronger IV (48 bits instead of 24)
○ Introduced TKIP (Temporal Key Integrity Protocol) - per-packet keys dynamically
derived, as opposed to the static key in WEP
○ Still used RC4, as a stop-gap that could run on WEP hardware
○ Backward compatible with WEP hardware; TKIP is itself deprecated now

WPA2
○ AES block cipher
○ CCMP (Counter Mode with CBC-MAC Protocol) -> AES in counter mode for encryption
plus a CBC-MAC for integrity, much stronger than TKIP
○ NOT backward compatible with WEP

● Authentication
○ WPA/WPA2 Personal uses one pre-shared key (PSK) for everybody; WPA and WPA2
Enterprise use 802.1X authentication so that individual users have individual credentials,
verified by a RADIUS server

Lesson 4.23​: Wireless Security Part 3
Skills Learned From This Lesson: Bluetooth, Bluetooth modes, Bluetooth attacks
● Bluetooth is a Personal Area Network protocol designed to free devices from physical
wires
● Bluetooth modes (risky settings)
○ Discoverable mode -> the device announces itself to anyone in range; turn it off
○ Automatic pairing -> accepts pairing without user confirmation
● Bluetooth attacks
○ Bluejacking -> sending spam/unsolicited messages to nearby Bluetooth devices
○ Bluesnarfing -> copies information (contacts, calendar) off remote devices

○ Bluebugging -> more serious, allows full control of the phone: make calls, send
messages, eavesdrop on calls

Module 5: ​Identity and Access Management


Lesson 5.1​: Introduction to Identity and Access Management Part 1
Skills Learned From This Lesson: IAM, Identification, Authentication
● Identification
○ Identity Proofing
○ Account Provisioning/Deprovisioning

● Authentication
○ Kerberos
○ RADIUS
○ IAM in the Cloud

● Authorization
○ Access Control Models: DAC, MAC, RBAC, RuBAC, ABAC
● Auditing/Accountability

● Identity and Access Management is the set of processes, procedures, tools and
technology necessary to oversee and manage digital identities
● The goal of IAM is to provide secure and auditable access to the digital resources within
an organization
● Revolves around the effective management of the IAAA (Identification, Authentication,
Authorization, Auditing/Accountability)
● What can we allow for the ease of use VS. how do we protect it
● Online identity VS. username and password

Lesson 5.2​: Introduction to Identity and Access Management Part 2
Skills Learned From This Lesson: Identity Management, Access Management, IAAA
● Identity Management

○ Controls the life cycle for all accounts in a system

● Access Management
○ Controls the assignment of rights/privileges to those accounts
○ Controlling a subjects manipulation of an object

● Per ISC2, Identity and Access Management solutions “focus on harmonizing the
provisioning of users and managing their access across multiple systems with different
native access control systems”

● IAAA
● Authentication - Type I (Knowledge, something I know), Type II (Possession, something I
have), Type III (Biometrics, something I am)
● Single Sign On
● Access Control Models
● Access Control Methods
● Access Control Administration
● Data Emanation

● Access is the data flow between a subject and an object


○ Subject is active - a person, process or program
○ Object is passive - a resource such as a file or printer
○ Access controls should support the CIA triad and regulate what a subject can do
with an object

● Access controls are security mechanisms that control how subjects can interact with
objects -> Logical, Physical, Administrative
● Controls should be layered and provide both proactive and reactive protection

● Components of Access Control


○ Identification -> make a claim (userid etc), must be unique for accountability, the
identifier should not indicate extra information about user (like job position), can
be spoofed


○ Authentication -> provide support (proof) for your claim: Type I, II or III; a single
factor can be impersonated -> MFA (factors of different types) for stronger auth

Lesson 5.3: Authentication Types Part 1: Something you know
Skills Learned From This Lesson: Type 1, Type 2, Authentication types
● Type 1:
○ Passwords, Passphrases, Cognitive Password
○ Best Practices
■ No fewer than 8 chars (longer passphrases are better)
■ Change on a regular basis
■ Enforce password history
■ Consider brute force and dictionary attacks (store only salted, slow hashes)
■ Cognitive passwords (e.g. mother's maiden name) are easy to research or guess
■ Graphical (image-based) passwords are an alternative to text
■ Enable clipping levels (a threshold of failed attempts that triggers lockout or an
alert) and respond accordingly

● Type 2:
○ Token Devices
○ Smart card
○ Memory card
○ Hardware key
○ Cryptographic key
○ Certificate
○ Cookies
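The dictionary and brute-force attacks named above, and the clipping-level defence, as an added example (not part of the course material). It compares a store of fast unsalted hashes with one of salted PBKDF2 records: against the first, the whole wordlist is hashed once and every account is looked up in it; against the second, each account forces its own pass over the wordlist and every guess costs the full round count. The wordlist, user names and passwords are constructed for the example, and the `pbkdf2_sha256$rounds$salt$hash` record format is this example's own convention, not a standard.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Tuple

# Constructed wordlist standing in for a real dictionary (rockyou.txt and the like).
WORDLIST = ["123456", "password", "letmein", "qwerty", "password123", "Summer2019!"]


def unsalted_sha256(pw: str) -> str:
    """Weak storage: one fast, unsalted hash. Identical passwords hash identically."""
    return hashlib.sha256(pw.encode()).hexdigest()


def pbkdf2_record(pw: str, salt: bytes = None, rounds: int = 200_000) -> str:
    """Stronger storage: per-user random salt and a deliberately slow KDF.
    The 'pbkdf2_sha256$rounds$salt$hash' layout is this example's own convention."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(record: str, pw: str) -> bool:
    _, rounds, salt, dk = record.split("$")
    cand = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt), int(rounds))
    return hmac.compare_digest(cand.hex(), dk)


def crack_unsalted(hashes: Dict[str, str], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Dictionary attack on unsalted hashes: hash the wordlist ONCE, then look every stored
    hash up in the table. Cost is len(wordlist) no matter how many accounts leaked.
    Returns (user -> recovered password, number of hash computations)."""
    table = {unsalted_sha256(w): w for w in wordlist}
    found = {user: table[h] for user, h in hashes.items() if h in table}
    return found, len(table)


def crack_pbkdf2(records: Dict[str, str], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Same attack on salted, slow hashes: the salt forces a fresh pass over the wordlist
    for every user, and each guess costs `rounds` iterations, so work grows as
    users x words x rounds. Returns (user -> password, number of KDF computations)."""
    found, ops = {}, 0
    for user, rec in records.items():
        for w in wordlist:
            ops += 1
            if verify_pbkdf2(rec, w):
                found[user] = w
                break
    return found, ops


class ClippingLevel:
    """Online counterpart: a clipping level is the failed-attempt threshold at which the
    account is locked (or an alert raised) instead of silently allowing more guesses."""

    def __init__(self, threshold: int = 5):
        self.threshold, self.failures, self.locked = threshold, {}, set()

    def attempt(self, user: str, ok: bool) -> str:
        if user in self.locked:
            return "locked"
        if ok:
            self.failures[user] = 0
            return "success"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.threshold:
            self.locked.add(user)
            return "locked"
        return "failed"
```

Run the two crackers over the same wordlist and compare the operation counts: the unsalted store costs six hashes total, the salted store costs one KDF per guess per user, and raising `rounds` multiplies that cost for the attacker while the legitimate login pays it only once.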

Lesson 5.4: Authentication Types Part 2: Token Devices
Skills Learned From This Lesson: token devices, Synchronous token devices, Asynchronous
token devices
● Token Devices: One time password generators
○ One time password reduces vulnerability associated with sniffing passwords
○ Simple device to implement
○ Can be costly
○ Users can lose or damage


○ Two types: synchronous and asynchronous



● Synchronous token devices
○ Token and authentication server share a secret and stay in step by time (TOTP) or
by an event counter (HOTP); the server accepts the code the token shows right now
○ Simpler for the user: nothing has to be typed into the token
● Asynchronous token devices/challenge handshake
○ User logs in
○ The authentication server returns a challenge to the user
○ User types the challenge string into the token device and presses enter
○ Token device returns a reply computed from the challenge and its secret
○ Only that specific user's token device could respond with the expected reply
○ More complex than synchronous
○ May provide better protection against sniffing/replay, since each challenge is used once
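Both token types above, as an added example that is not part of the course: a standards-based HOTP/TOTP generator (RFC 4226 / RFC 6238) with the server-side verifier for a counter-synchronised token, and a challenge/response verifier for the asynchronous case. The shared secret is the RFC 4226 test-vector key, so the counter-0 code is the published 755224; a real deployment provisions a random secret per token. The window size, reply length and class names are this example's own choices.

```python
import hashlib
import hmac
import os
import struct
import time

# Shared secret provisioned into the token and the authentication server.
# This is the RFC 4226 test-vector secret (ASCII "12345678901234567890"); a real
# deployment generates a random per-token secret.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    'dynamic truncation' to 31 bits, then modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with counter = floor(time / step).
    Token and server stay synchronised through their clocks, not a counter."""
    return hotp(secret, unix_time // step, digits)


class SynchronousVerifier:
    """Server side of a counter-synchronised token. A small look-ahead window tolerates
    button presses that never reached the server; a counter value, once accepted, is
    never accepted again, which is what makes a sniffed OTP worthless afterwards."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret, self.window = secret, window
        self.counter = 0  # next counter value the server expects

    def verify(self, otp: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter = c + 1  # resynchronise and burn every value up to c
                return True
        return False


class ChallengeResponseVerifier:
    """Asynchronous (challenge/handshake) token: the server issues a random nonce, the
    token answers HMAC(secret, nonce). Each nonce is single-use, so a captured reply
    cannot be replayed against a later login."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.outstanding = set()

    def challenge(self, nonce: bytes = None) -> bytes:
        nonce = nonce or os.urandom(8)
        self.outstanding.add(nonce)
        return nonce

    @staticmethod
    def token_reply(secret: bytes, nonce: bytes) -> str:
        """What the user's token computes when the challenge is typed into it."""
        return hmac.new(secret, nonce, hashlib.sha256).hexdigest()[:8]

    def verify(self, nonce: bytes, reply: str) -> bool:
        if nonce not in self.outstanding:
            return False  # unknown, expired or already-used challenge
        self.outstanding.discard(nonce)
        return hmac.compare_digest(self.token_reply(self.secret, nonce), reply)


if __name__ == "__main__":
    print("HOTP(counter=0) =", hotp(SECRET, 0))            # 755224 per RFC 4226
    print("TOTP(now)       =", totp(SECRET, int(time.time())))
```

The verifier's counter only ever moves forward: that single rule is what turns a sniffed one-time password into a dead credential, and it is also why a token whose button has been pressed past the look-ahead window needs an explicit resynchronisation step.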

Lesson 5.5: Authentication Types Part 3: Memory Cards
Skills Learned From This Lesson: Memory cards, Smart cards
● Memory cards -> hold information, do NOT process
○ A memory card holds authentication info; usually you'll want to pair it with a
PIN... WHY?
○ Because the card is easy to copy/clone: on its own it only proves possession of the data

● Smart card
○ More secure than memory cards
○ Can actually process information
○ Includes a microprocessor
○ Often integrated with PKI
○ Two types -> Contact, contactless

● Smart card attacks
○ Fault generation
○ Side channel attacks
○ Micro probing

Lesson 5.6: Authentication Types Part 4: Something you are
Skills Learned From This Lesson: Biometrics, Biometric Concerns


● Biometrics -> static (physiological) -> traits that do not significantly change over time:
fingerprint, hand geometry, iris, retina
○ Dynamic (behavioral) -> traits that are very difficult to imitate for any significant
length of time: voice, gait, signature, keyboard cadence

● Biometric Concerns
○ Accuracy
■ Type I error: False Rejection -> a legitimate user is rejected; the system
demands too close a match, causing excessive overhead and frustration
■ Type II error: False Acceptance -> an impostor is accepted; the system does not
evaluate enough information (the more dangerous error)
○ As the matching threshold is tuned, FRR goes down as FAR goes up and vice versa
○ The level at which the two meet is called the CER (Crossover Error Rate); the lower
the number, the more accurate the system
○ Iris scan is generally considered the most accurate
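The FRR/FAR trade-off and the crossover point, as an added example that is not from the course. It takes two constructed lists of matcher scores (genuine users against their own template, impostors against it), sweeps the acceptance threshold, and reports the threshold at which the two error rates cross. The scores are made up to keep the arithmetic visible; a real evaluation would use thousands of samples.

```python
# Constructed matcher scores in [0, 1] (higher = closer match); not real biometric data.
GENUINE = [0.90, 0.85, 0.80, 0.70, 0.60]   # enrolled users matched against their own template
IMPOSTOR = [0.10, 0.20, 0.30, 0.50, 0.65]  # other people matched against that template


def error_rates(genuine, impostor, threshold):
    """Accept a sample when its score >= threshold.
    FRR (Type I): share of genuine users rejected. FAR (Type II): share of impostors accepted."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def tradeoff_table(genuine, impostor):
    """(threshold, FRR, FAR) for every candidate threshold: as the threshold rises,
    FRR can only rise and FAR can only fall."""
    return [(t, *error_rates(genuine, impostor, t))
            for t in sorted(set(genuine) | set(impostor))]


def crossover_error_rate(genuine, impostor):
    """Return (threshold, CER): the threshold where FRR and FAR are closest, and the
    error rate there. A lower CER means a more accurate system."""
    best = None
    for t, frr, far in tradeoff_table(genuine, impostor):
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    return best[1], best[2]


if __name__ == "__main__":
    for t, frr, far in tradeoff_table(GENUINE, IMPOSTOR):
        print(f"threshold {t:.2f}  FRR {frr:.2f}  FAR {far:.2f}")
    print("CER at threshold %.2f = %.2f" % crossover_error_rate(GENUINE, IMPOSTOR))
```

Which side of the crossover to sit on is a policy decision: a data-centre door is tuned toward a low FAR (and accepts the extra false rejections), a phone unlock toward a low FRR.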

Lesson 5.7: Strong Authentication
Skills Learned From This Lesson: Authorization, Race conditions, Authorization principles
● Strong Auth provides a high level of assurance, always look for more than one type

● Authorization -> the concept of ensuring that someone who is authenticated is allowed
access to a resource, what rights and permissions you have
● Authorization is a preventative control
● Race conditions try to get authorization to happen before authentication completes, by
manipulating timing (time-of-check vs. time-of-use)
● Authorization principles -> default NO access (implicit deny), Principle of Least Privilege,
need to know, content-based access
● Authorization creep -> as a subject stays in an environment over time, their permissions
accumulate even after they are no longer needed -> auditing authorization can help
mitigate this
● Auditing -> logging and reviewing accesses to objects, matching actions to subjects
○ Auditing is a detective control

Lesson 5.8: Social Media and the Introduction to Kerberos


Skills Learned From This Lesson: Single Sign On, Social Media
● Single Sign On -> as environments get larger and more complex it becomes harder and
harder to manage user accounts securely without it
○ Many separate accounts per user to create/disable
○ Many passwords to remember, which leads to reuse and other password security issues
○ IT budget wasted managing disparate accounts
○ SSO reduces user frustration as well as IT frustration

Lesson 5.9: Kerberos Components
Skills Learned From This Lesson: Kerberos Components, Single Sign On
● Very Testable in the exam
● A network authentication protocol developed at MIT (Project Athena). Kerberos tries to
ensure authentication security on an insecure (untrusted) network
● Used in Windows 2000+ (Active Directory) and many Unix/Linux systems
● Allows for single sign on
● Never transfers passwords
● Uses symmetric encryption to verify identities
● Resists replay attacks (timestamps inside authenticators; synchronized clocks required)
● Essential Components:
○ AS Authentication Server
○ TGS Ticket Granting Service
○ KDC Key Distribution Center
○ TGT Ticket Granting Ticket
○ Ticket: means of distributing a Session Key
○ Principals (users, applications, services)
○ Kerberos Software (integrated into most OSes)
○ Main Goal: the user needs to authenticate without sending the password across
the network - needs to prove they know the password without actually sending it
over the wire

● The Kerberos Carnival


Lesson 5.10: The Kerberos Carnival Part 1
Skills Learned From This Lesson: Kerberos functionality
● I need one TGT per login; it lasts until it expires (the lesson quotes a default of 8 hours;
Active Directory ships with 10, and it is configurable) or until I log out


● I send my username to the AS and I get a TGT (the carnival wrist band)
● The TGS then gives me a ticket to use the print service
● The KDC never keeps my password in the clear: it stores a key derived from (a hash of) the
password
● The AS reply carries a TGS session key encrypted with Kelly's password-derived key; the TGT
itself is encrypted with the KDC's own (krbtgt) key so only the TGS can read it
● When I enter my password, my client derives the same key locally and decrypts the session key;
a wrong password simply fails to decrypt, and nothing password-related crosses the wire
● The TGT proves I entered the realm in the right way; it lets me request service tickets from the TGS
● A Kerberos ticket exchange delivers 2 copies of the same session key
● The first copy is encrypted with the session key I obtained at login (which was itself
delivered under my password-derived key)
● The second is inside the ticket, encrypted with the service's own key, e.g. the print
service's, so only the print service can read it
● Why don't I use asymmetric cryptography? Because I can't guarantee that every domain
has a public key infrastructure
● Why can't I use the same ticket for different services? Because each ticket (and the
session key inside it) is encrypted with that individual service's key


Lesson 5.11: The Kerberos Carnival Part 2
Skills Learned From This Lesson: Kerberos functionality
● KDC = TGS + AS
● In Active Directory every domain controller runs the KDC service; the PDC Emulator is the
FSMO role that additionally handles password changes and account lockouts
● The fact that I am authenticated doesn't mean that I am authorized -> the service still
checks its ACLs
● I use symmetric cryptography despite the fact it is cumbersome (every principal needs a
key shared with the KDC) because it fits in every environment
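The carnival walked through in Lessons 5.10 and 5.11, as an added, runnable model that is not part of the course and not a real Kerberos implementation: an AS/TGS exchange, a service ticket, an authenticator and the replay check, all with symmetric keys derived from passwords. The realm name, principals and passwords are constructed; PBKDF2 stands in for Kerberos' string-to-key function, and `seal`/`unseal` is a toy encrypt-then-MAC built from the standard library in place of the AES encryption types a real KDC uses.

```python
import hashlib
import hmac
import json
import os
import time

TICKET_LIFETIME = 8 * 3600   # seconds; the "8 hours" the lesson quotes
MAX_SKEW = 300               # Kerberos' customary 5-minute clock tolerance


def derive_key(password: str, salt: str) -> bytes:
    """Long-term key from a password. The KDC stores this key, never the password.
    PBKDF2 is a stand-in for Kerberos' real string-to-key function (an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]


def seal(key: bytes, msg: dict) -> bytes:
    """Toy encrypt-then-MAC (SHA-256 keystream + HMAC tag). NOT a real cipher; Kerberos
    uses AES. It exists only so the exchange runs offline with the standard library."""
    nonce, pt = os.urandom(16), json.dumps(msg).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Fails closed: the wrong key (wrong password, wrong service) gives a bad tag."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def check_fresh(seen: set, auth: dict, now: int) -> None:
    """Replay defence: an authenticator {client, ts} must be recent and never seen before."""
    if abs(now - auth["ts"]) > MAX_SKEW:
        raise PermissionError("authenticator outside clock skew")
    if (auth["client"], auth["ts"]) in seen:
        raise PermissionError("replayed authenticator")
    seen.add((auth["client"], auth["ts"]))


class KDC:
    """AS + TGS in one process. 'krbtgt' is the TGS's own principal; its key seals every TGT."""

    def __init__(self, realm: str):
        self.realm, self.keys, self.seen = realm, {}, set()

    def add_principal(self, name: str, password: str) -> None:
        self.keys[name] = derive_key(password, self.realm + name)

    def as_exchange(self, client: str, now: int):
        """AS_REQ carries only the name. AS_REP returns the TGS session key twice: once
        under the client's long-term key, once inside the TGT under krbtgt's key."""
        if client not in self.keys:
            raise KeyError("unknown principal " + client)
        sk = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "sk": sk, "exp": now + TICKET_LIFETIME})
        return seal(self.keys[client], {"sk": sk}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        """TGS_REQ = TGT + authenticator under the TGS session key. TGS_REP = a fresh service
        session key, once under the TGS session key and once inside the service ticket."""
        t = unseal(self.keys["krbtgt"], tgt)
        if now > t["exp"]:
            raise PermissionError("TGT expired; log in again")
        auth = unseal(bytes.fromhex(t["sk"]), authenticator)
        if auth["client"] != t["client"]:
            raise PermissionError("authenticator does not match TGT")
        check_fresh(self.seen, auth, now)
        svc_sk = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "sk": svc_sk, "exp": now + TICKET_LIFETIME})
        return seal(bytes.fromhex(t["sk"]), {"sk": svc_sk, "service": service}), ticket


class Client:
    def __init__(self, name: str, password: str, kdc: KDC):
        self.name, self.kdc, self.tgt, self.tgs_sk = name, kdc, None, None
        self.key = derive_key(password, kdc.realm + name)   # computed locally, never sent

    def login(self, now: int) -> None:
        enc, self.tgt = self.kdc.as_exchange(self.name, now)
        self.tgs_sk = bytes.fromhex(unseal(self.key, enc)["sk"])   # wrong password -> ValueError

    def get_service_ticket(self, service: str, now: int):
        authenticator = seal(self.tgs_sk, {"client": self.name, "ts": now})
        enc, ticket = self.kdc.tgs_exchange(self.tgt, authenticator, service, now)
        return bytes.fromhex(unseal(self.tgs_sk, enc)["sk"]), ticket

    def ap_req(self, service: str, now: int):
        """AP_REQ to the service: its ticket plus a fresh authenticator under the service session key."""
        sk, ticket = self.get_service_ticket(service, now)
        return ticket, seal(sk, {"client": self.name, "ts": now})


class Service:
    def __init__(self, name: str, password: str, kdc: KDC):
        self.key, self.seen = derive_key(password, kdc.realm + name), set()

    def accept(self, ticket: bytes, authenticator: bytes, now: int) -> str:
        """Returns the authenticated client name. Authentication only: the service still
        consults its own ACLs before authorising anything."""
        t = unseal(self.key, ticket)                       # another service's ticket fails here
        auth = unseal(bytes.fromhex(t["sk"]), authenticator)
        if auth["client"] != t["client"] or now > t["exp"]:
            raise PermissionError("authenticator does not match ticket")
        check_fresh(self.seen, auth, now)
        return t["client"]


def build_realm():
    """Constructed realm: one user (kelly) and two services. Names and passwords are made up."""
    kdc = KDC("EXAMPLE.TEST")
    for name, pw in [("krbtgt", "tgs-secret"), ("kelly", "hunter2"), ("print", "print-pw"), ("files", "files-pw")]:
        kdc.add_principal(name, pw)
    return Client("kelly", "hunter2", kdc), Service("print", "print-pw", kdc), Service("files", "files-pw", kdc)


if __name__ == "__main__":
    now = int(time.time())
    kelly, printer, _ = build_realm()
    kelly.login(now)
    print("print service authenticated:", printer.accept(*kelly.ap_req("print", now), now))
```

Four properties from the lesson fall out of the code: the only thing that leaves the client at login is a name; a wrong password shows up as a failed decryption rather than a rejected credential; a print ticket is unreadable by the file service because it is sealed with a different key; and the `(client, timestamp)` set is what turns a captured authenticator into a one-shot.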


Module 6: Security Assessment and Testing
Lesson 6.1: The 6 Security Assessments and Testing Objectives
Skills Learned From This Lesson: Introduction to security assessments
● Introduction to security assessments
● Vulnerability assessments
● Penetration testing
● Remediation
● Intrusion detection


● Audit logs
● Common vulnerabilities

Lesson 6.2: Vulnerability Assessments and Penetration Testing
Skills Learned From This Lesson: Vulnerability Assessment, Pen testing, Knowledge Degree
● VA -> physical/administrative/logical
○ Identify weaknesses
○ Only collects and reports information; it does not exploit the weaknesses it finds

● Pen testing -> ethical hacking to validate discovered weaknesses by exploiting them
○ Red teams (attack) / Blue teams (defend)

● NIST SP 800-42 guideline on Security Testing (superseded by NIST SP 800-115, Technical
Guide to Information Security Testing and Assessment)

● Degree of Knowledge
○ Zero-Knowledge (Black Box Testing): simulates an external attacker starting from nothing
○ Partial Knowledge (Grey Box): limited knowledge of the organization
○ Full Knowledge (White Box): simulates an insider; gives the most thorough coverage


Lesson 6.3: Vulnerability Scanning
Skills Learned From This Lesson: Vulnerability Scanning, Attack Methodology, rootkit infection
● Vulnerability Scanning
○ Identifying
■ Active hosts on the network
■ Active and vulnerable services (ports) on hosts
■ Applications
■ OSes
■ Vulnerabilities associated with discovered OS & apps
■ Misconfigured settings
○ Testing compliance with host application usage/security policies
○ Establishing a foundation for pen testing

● Attack Methodology


○ Recon (whois, company website, social engineering)


○ Footprinting (nmap, ICMP, DNS zone transfer)
○ Fingerprinting (identify host info, port scanning)
○ VA
○ Attack (pen test, privilege escalation, rootkit, cover tracks)

● Infected by a rootkit -> the system can no longer be trusted: wipe the drive, reinstall the OS
from original (trusted) media, restore data from a backup taken before the compromise

Lesson 6.4: Testing Guidelines
Skills Learned From This Lesson: Testing Guidelines, Pen testing considerations
● Why test?
○ Risk analysis
○ Certification
○ Accreditation
○ Security architectures
○ Policy development

● Develop a cohesive, well planned, and operational security testing program

● Pen testing considerations
○ 3 basic requirements -> meet with senior mgmt to determine the goals, document
ROE, get sign off from Senior Mgmt
○ Issue: it could disrupt productivity and systems
○ Tester should determine the effectiveness of safeguards and identify areas of
improvement -> TESTER SHOULD NOT BE THE ONE SUGGESTING
REMEDIATION. THIS VIOLATES SEPARATION OF DUTIES

Lesson 6.5: Rules of Engagement Part 1
Skills Learned From This Lesson: ROE, Approaches to Testing, Network Scanning
● Specific IP addresses/ranges to be tested (any restricted hosts)
● A list of acceptable testing techniques
● Times when testing is to be conducted


● Points of contact for the pen test team, the targeted systems, and the networks
● Measures to prevent law enforcement being called with false alarms
● Handling of information collected by pen test team

Approaches to Testing
● Do not rely on single method of attack
○ Get creative
● Path of least resistance
○ Start with users - social engineering is often the easiest way
● Break the rules
○ Attempt things not expected
● Do not rely exclusively on high tech tools
● Do not damage systems or data
● Do not overlook small weaknesses in search of the big ones
● Have a toolkit of techniques

Network Scanning

Password Cracking

Rogue infrastructures (unauthorized DHCP servers, DNS servers)

Lesson 6.6: Rules of Engagement Part 2
Skills Learned From This Lesson: War Dialing, Corrective Actions, Watching Network Traffic
● War Dialing
○ Goal is to discover unauthorized modems
○ Dial large blocks of phone numbers in search of available modems
○ Includes all numbers that belong to an organization, except those that could be
impacted negatively
○ If removal is not possible, block inbound calls to the modem

● War Driving -> looking for unprotected signal


Corrective Actions

● Investigate and disconnect unauthorized hosts


● Disable unnecessary and vulnerable services
● Modify vulnerable hosts to restrict access to vulnerable services
● Modify enterprise firewalls
● Upgrade vulnerable systems
● Deploy mitigating countermeasures
● Monitor vulnerability alerts
● Modify security policies
● All of the above require going through proper change mgmt procedures

Side channel attacks - Traffic Analysis -> I want to know where data is going, who talks to whom,
how often and how much; I am not reading the actual content (which may well be encrypted)
Traffic Padding -> add some unnecessary traffic to make it difficult to determine which systems
are receiving the legitimate traffic

Lesson 6.7: Protocol Analyzers (Sniffers) and Privacy
Skills Learned From This Lesson: Sniffers, IDS
● Sniffer uses a NIC in Promiscuous mode
● Packet Sniffer + Analysis Engine = Intrusion Detection System
IDS
● Identify suspicious activity
● Log activity
● Respond (alert people)
● Needs an interface in “promiscuous” mode
● Port mirroring/span needs to be enabled to view traffic on a switch


Lesson 6.8: IDS Part 1
Skills Learned From This Lesson: HIDS, NIDS, IDS vs. IPS
● HIDS - NIDS


IDS Components
● Sensor - Data Collector -> on network segments (NIDS) or on hosts (HIDS)
● Analysis Engine
● Signature Database
● User Interface and Reporting

HIDS -> examines the operation of a single system independently to determine if anything "of note"
is going on
HIDS looks at:
● Logins
● System log files/audit files
● File activity/changes to software
● Configuration file changes
● Processes being launched or stopped
● Use of certain programs
● CPU usage
● Network traffic to/from the computer

Pros of HIDS -> can be OS and application specific; they can look at data after it's been
decrypted (network traffic is often encrypted)

Cons of HIDS:
● Only protects one machine
● Uses local system resources
● Doesn't see what's going on on other machines
● Scalability
● HIDS could be disabled if the machine is hacked

NIDS -> watches an entire network and all associated machines. Looks at SRC IP, DEST IP,
Protocol, Port Numbers, Data Content
A NIDS will look for DoS attacks, port scans, malicious content, vulnerability tests, tunneling,
brute force attacks, policy violations e.g. detecting instant messaging or streaming video

Pros of NIDS:
● A single NIDS can cover a whole network
● Deployment is usually easier
● A NIDS can see things that are happening on multiple machines; it gets a bigger
picture and may see distributed attacks that a HIDS would miss

Cons of NIDS:
● Data must be unencrypted for a NIDS to analyze it
● Switches cause problems for NIDS - port mirroring (SPAN) should be implemented on the
switch port
● If only on the perimeter, it can miss things on the inside
● It must be able to handle LOTS of data to be effective
● It does not see what's going on on a server directly

IDS vs. IPS

IDS is passive: it detects and alerts
An IPS is an IDS that takes an active approach, e.g. activates firewall rules dynamically or
shuts down (drops/resets) the offending TCP traffic; it sits inline, so a false positive blocks
legitimate traffic

Lesson 6.9: IDS Part 2
Skills Learned From This Lesson: Analysis Engines, Pattern Matching, Bypassing an IDS
● Analysis Engines
○ Pattern matching (Signature Based) -> does not protect against 0day attacks
○ Profile Matching (Anomaly/Behavior/Heuristics) -> look for changes in normal
behavior
■ Advantages -> can possibly detect 0days, can detect behavioral changes
that might not be technical attacks
■ Disadvantages -> lots of false positives, often ignored due to the reason
above, requires a much more skilled analyst
● Bypassing an IDS
○ Evasion attack -> deliver the attack in a form the IDS does not recognise but the target
does: fragment it into many small pieces or encode it so that no single piece matches a
signature
○ Insertion attack -> add meaningless data that the IDS accepts but the target discards, so
the stream the IDS matches against is not the stream the victim actually processes
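The two analysis engines and the encoding evasion from this lesson, as an added example that is not from the course: a signature engine (one regex per known attack) and a profile engine (flags any source whose requests are mostly errors) run over a handful of constructed access-log lines. The log lines, the signatures and the error-ratio thresholds are all made up for the example; `normalize=False` shows what happens when the IDS matches raw, still-encoded input while the web server decodes it.

```python
import re
from collections import Counter
from typing import List, Tuple
from urllib.parse import unquote

# Constructed access-log lines ("src method path status"); not captured from a real server.
SAMPLE_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.5 GET /about.html 200
10.0.0.7 GET /index.html 200
203.0.113.9 GET /login.php?user=admin'%20OR%20'1'='1 200
198.51.100.2 GET /img/../../../../etc/passwd 404
198.51.100.2 GET /admin/ 404
198.51.100.2 GET /backup.zip 404
198.51.100.2 GET /.git/config 404
198.51.100.2 GET /phpmyadmin/ 404
"""

# Pattern-matching engine: one regex per known attack. Anything not listed is invisible to it.
SIGNATURES = {
    "sqli": re.compile(r"'\s*or\s*'?\d*'?\s*=\s*'?\d", re.IGNORECASE),
    "traversal": re.compile(r"(\.\./){2,}"),
}


def parse(line: str) -> dict:
    src, method, path, status = line.split()
    return {"src": src, "method": method, "path": path, "status": int(status)}


def signature_alerts(lines: List[str], normalize: bool = True) -> List[Tuple[str, str]]:
    """Signature-based detection. `normalize` URL-decodes the path before matching; with
    it off, an attacker who percent-encodes the payload evades the rule even though the
    web server decodes and executes exactly the same request."""
    alerts = []
    for line in lines:
        ev = parse(line)
        path = unquote(ev["path"]) if normalize else ev["path"]
        for name, rx in SIGNATURES.items():
            if rx.search(path):
                alerts.append((ev["src"], name))
    return alerts


def anomaly_alerts(lines: List[str], min_requests: int = 5,
                   max_error_ratio: float = 0.5) -> List[Tuple[str, str]]:
    """Profile-based detection: knows no particular attack, only that a normal client does
    not produce mostly 404s. It catches the scanner whose other requests match no
    signature, at the price of false positives (a crawler hitting stale links trips it
    too), which is why this engine needs a skilled analyst behind it."""
    total, errors = Counter(), Counter()
    for line in lines:
        ev = parse(line)
        total[ev["src"]] += 1
        if ev["status"] >= 400:
            errors[ev["src"]] += 1
    return [(src, "error-ratio") for src, n in total.items()
            if n >= min_requests and errors[src] / n > max_error_ratio]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("signatures, decoded:", signature_alerts(lines))
    print("signatures, raw:    ", signature_alerts(lines, normalize=False))
    print("anomalies:          ", anomaly_alerts(lines))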

Lesson 6.10: IDS Part 3
Skills Learned From This Lesson: Rule Based, Honeypot, Padded Shell
● Rules Based
○ Uses expert system/knowledge


○ These use a database of knowledge and an “inference engine”

Promiscuous Mode -> to accomplish sniffing network analysis, or IDS functionality, you have to
put network interfaces into promiscuous mode

Honeypot -> Deployment -> pseudo flaw, sacrificial lamb system on the network
Be careful of Enticement (look appealing) vs. Entrapment (click here to win)

Padded Shell and Vuln Tools
● Concept used in software programming where a "safe" environment is created for
applications and processes to run in -> similar to a virtual machine (a sandbox)
● Concept used in IDS where an identified intruder is moved to a "safe" environment without
their knowing
● Simulated environment to keep the intruder happy and busy -> hopefully they leave the
production systems alone
● aka: Self Mutating Honeypot, Tarpit

Module 7: Security Operations

Lesson 7.1: Security Incident Response
Skills Learned From This Lesson: Incident Response, Computer Forensics, Digital Evidence
Rules
● Event -> a change in state
● Incident -> Series of events that has a negative impact on the company and its security
● IR focuses on containing the damage of an attack and restoring normal operations
● Investigation focuses on gathering evidence of an attack with the goal of prosecuting the
attacker
● Framework should include -> response capability, IR and handling, Recovery and
Feedback
● IR -> policies, procedures, guidelines


○ Legal, HR, Executive mgmt must be involved
○ If handling in-house, an IR team must be in place
■ List of outside agencies and resources to contact (CERT)
■ List of computer or forensics experts to contact
■ Steps on how to secure and preserve evidence
■ Steps on how to search for evidence
■ List of items that should be included on the report
■ List of how different systems should be treated in this type of situation

IR and Handling
● Triage
● Detection
● Identification
● Notification
● Investigations
● Containment
● Analysis and Tracking

Recovery and Feedback -> restoration of the system to operations. It must provide greater
security or it will fall prey to the same attack again
● Provide feedback -> very important and often overlooked. Document, document,
document.
Computer forensics

Five rules of Digital Evidence -> Digital Evidence must:
● Be authentic -> guarantee it hasn't been changed; hash it at acquisition and at every hand-off
● Be accurate -> reliable and correct; the collection process did not distort it
● Be complete -> the whole picture, not only the portion that helps one side
● Be convincing -> clear enough to persuade a judge or jury of the point it supports
● Be admissible -> collected legally and handled under a documented chain of custody

Lesson 7.2: The Forensics Investigation Process Part 1
Skills Learned From This Lesson: Forensic Investigation Process, Identification, Preservation


● Forensic Investigation Process -> Identification, Preservation, Collection, Examination,
Analysis, Presentation, Decision
● Identification -> Locard's exchange principle (every contact leaves a trace)
● Preservation -> Chain of Custody must be well documented
● Collection -> minimize handling/corruption of evidence

Lesson 7.3: The Forensics Investigation Process Part 2
Skills Learned From This Lesson: Forensic Investigation Process, Examination, Analysis
● Examination -> look for signatures of known attacks
● Analysis -> primary image vs. working image, root cause
● Presentation -> interpreting the results of the investigation and presenting findings,
documentation
● Decision ->Suspects, Corrective Actions
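The "authentic" rule, the chain of custody and the primary-vs-working-image distinction from Lessons 7.1 to 7.3, as an added example that is not part of the course. Every hand-off re-hashes the primary image and appends an entry, analysis is done on a copy, and a later verifier can check that the image in hand and every custody entry still carry the acquisition hash. The image bytes, names and timestamps are constructed; the record layout is this example's own, not a standard form.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    when: str       # timestamp (ISO 8601)
    who: str        # person taking custody
    action: str     # acquired / transferred / working copy made / ...
    sha256: str     # hash of the primary image at that moment


@dataclass
class Evidence:
    label: str
    primary: bytes                                      # the original acquisition image
    custody: List[CustodyEntry] = field(default_factory=list)


def acquire(label: str, data: bytes, who: str, when: str) -> Evidence:
    """First link in the chain: the hash taken at acquisition is the reference value."""
    ev = Evidence(label, data)
    ev.custody.append(CustodyEntry(when, who, "acquired", sha256(data)))
    return ev


def transfer(ev: Evidence, who: str, when: str, action: str = "transferred") -> None:
    """Every hand-off re-hashes the primary image and appends an entry, so the log itself
    records whether the evidence changed while in someone's custody."""
    ev.custody.append(CustodyEntry(when, who, action, sha256(ev.primary)))


def working_copy(ev: Evidence, who: str, when: str) -> bytes:
    """Analysis happens on a copy; the primary image is only ever hashed, never opened for writing."""
    transfer(ev, who, when, "working copy made")
    return bytes(ev.primary)


def verify(ev: Evidence, data: Optional[bytes] = None) -> bool:
    """Authenticity check: the image we hold now (primary, or a working copy passed in) and
    every entry in the chain must all carry the acquisition hash."""
    reference = ev.custody[0].sha256
    current = ev.primary if data is None else data
    return sha256(current) == reference and all(e.sha256 == reference for e in ev.custody)


if __name__ == "__main__":
    image = b"constructed disk image: not a real acquisition " * 64
    ev = acquire("laptop-0042-hdd", image, "first responder", "2024-03-01T09:00Z")
    transfer(ev, "evidence custodian", "2024-03-01T11:30Z")
    wc = working_copy(ev, "analyst", "2024-03-02T08:00Z")
    print("chain intact:", verify(ev), "working copy matches:", verify(ev, wc))
```

A single flipped byte in a working copy, or a write to the primary image after a hand-off, shows up as a hash mismatch against the acquisition entry, which is the concrete meaning of "guarantee it hasn't been changed" in the rules above.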

Lesson 7.4: Evidence Types
Skills Learned From This Lesson: Evidence Life Cycle, Evidence Types, Suspect's Actions
● Evidence Life Cycle
● Integrity and authenticity of evidence must be preserved throughout the life cycle
● Evidence Types ->
○ direct evidence (can prove a fact by itself and does not need backup info)
○ real evidence (physical evidence)
○ best evidence (most reliable)
○ Secondary (not strong enough to stand alone, but can support other evidence)
○ Corroborative Evidence (support evidence)
○ Circumstantial (proves one fact which can be used to reasonably to suggest
another)
○ Hearsay (2nd hand oral or written)
○ Demonstrative (presentation based)
● Who should do the investigation? Law enforcement
● Suspect’s Actions and intent
○ Enticement (tempting a potential criminal, legal and ethical, honeypot)
○ Entrapment (tricking a person into committing a crime, illegal and unethical)

Lesson 7.5: Fault Management


Skills Learned From This Lesson: Spares, RAID, Redundant Servers


● Spares (Redundant HW, SLAs, MTBF and MTTR)
● RAID-0 -> Disk striping: speed only, no redundancy or fault tolerance
● RAID-1 -> Disk Mirroring: provides redundancy but is often considered the least
efficient use of space (half the capacity)
● RAID-5 -> Disk striping with distributed parity: fault tolerance (survives one disk
failure) + speed
● Redundant Servers -> primary server mirrors data to a secondary server
● UPS -> size of load the UPS can support, how long it can support this load, physical space
required, battery life
● Clustering-> group of servers that are managed as a single system

Lesson 7.6: Backups
Skills Learned From This Lesson: Backup types, Backup Issues, Redundancy of Staff
● Shadowing, Remote Journaling, Electronic Vaulting
● Backups -> backing up software/data and having backup HW is a large part of network
availability
○ Full backup -> backs up everything; the archive bit is reset
○ Incremental backup -> backs up all files modified since the last full or incremental
backup; resets the archive bit (restore needs the full plus every incremental, in order)
○ Differential backup -> backs up all files modified since the last full backup; does not
reset the archive bit (restore needs only the full plus the latest differential)
○ Copy backup -> same as a full backup, but the archive bit is not reset
○ Backup issues -> identify what needs to be backed up first
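The four backup types above, as an added example that is not part of the course: a tiny file system with archive bits, a `backup()` that honours which types clear the bit, and a `week()` scenario that runs the same three days of changes under an incremental and a differential strategy so the difference in what each set contains, and what a restore needs, is visible. File names and contents are constructed.

```python
from typing import Dict, List, Set


class FileSystem:
    """Files plus their archive bits. The OS sets a file's bit on every write;
    the backup software decides whether to clear it."""

    def __init__(self):
        self.files: Dict[str, str] = {}
        self.archive: Set[str] = set()

    def write(self, name: str, content: str) -> None:
        self.files[name] = content
        self.archive.add(name)


class BackupSet:
    def __init__(self, kind: str, files: Dict[str, str]):
        self.kind, self.files = kind, dict(files)


def backup(fs: FileSystem, kind: str) -> BackupSet:
    """full: everything, bits cleared.   copy: everything, bits untouched.
    incremental: files with the bit set, bits cleared.
    differential: files with the bit set, bits untouched (so it keeps growing until the next full)."""
    if kind in ("full", "copy"):
        chosen = dict(fs.files)
    elif kind in ("incremental", "differential"):
        chosen = {n: fs.files[n] for n in sorted(fs.archive)}
    else:
        raise ValueError("unknown backup type: " + kind)
    if kind in ("full", "incremental"):
        fs.archive.clear()
    return BackupSet(kind, chosen)


def restore(sets: List[BackupSet]) -> Dict[str, str]:
    """Replay backup sets in order; later sets overwrite earlier copies of a file."""
    state: Dict[str, str] = {}
    for s in sets:
        state.update(s.files)
    return state


def week(strategy: str) -> List[BackupSet]:
    """Constructed scenario: Monday full, then two days of changes, each followed by a
    backup of the given strategy ('incremental' or 'differential')."""
    fs = FileSystem()
    for name, content in [("a.txt", "a1"), ("b.txt", "b1"), ("c.txt", "c1")]:
        fs.write(name, content)
    sets = [backup(fs, "full")]          # Monday
    fs.write("a.txt", "a2")
    sets.append(backup(fs, strategy))    # Tuesday
    fs.write("b.txt", "b2")
    sets.append(backup(fs, strategy))    # Wednesday
    return sets


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        sets = week(strategy)
        print(strategy, [sorted(s.files) for s in sets])
        print("  full + last set only ->", restore([sets[0], sets[-1]]))
```

Restoring from the full plus only the most recent set works for the differential chain and silently loses Tuesday's change in the incremental chain: the trade-off is smaller daily backups against a longer, more fragile restore.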
● Redundancy of Staff
○ Eliminate Single Point of Failure
○ Cross Training
○ Job Rotation
○ Mandatory Vacations
○ Training and Education
● Business Continuity

Module 8: Software Development Security
Lesson 8.1: Introduction to Software Development Security
Skills Learned From This Lesson: Design Process, Attack Surface, Threat Modeling


● Design Process -> reduce the Attack Surface, Threat Modeling, Risks in Design,
Controls Evaluation
● Reducing the attack Surface of the product ->
○ User input fields
○ Protocol/Services/Interfaces/Processes
○ Resource files
○ Open named pipes/open sockets
○ How many items are accessible
○ Dynamic web pages
○ Guest accounts enabled
○ ACL configuration
● Threat Modeling
○ Identify Security Objectives
○ CIA Triad
○ Tools for Threat Modeling
○ STRIDE and its mitigations (Spoofing, Tampering, Repudiation, Information disclosure,
Denial of Service, Elevation of Privilege)

● Controls Evaluation
○ Efficacy of Controls
○ Economy of Mechanism
○ Cost/Benefit Analysis
○ Psychological Acceptability

Lesson 8.2: Secure Design
Skills Learned From This Lesson: Secure design, Design Considerations, Risks in Design
● Design Considerations
○ CIA triad
○ Authentication,Authorization,Auditability
○ Secure Design Principles

● Risks in Design
○ Code reuse
○ Flaws (Inherent fault with the design of code) vs. Bugs (implementation fault)


○ Open vs. Closed Design

● Secure Software Development Methodologies


○ Secure Software Development Terms
○ Principles of Secure Design (Least Privilege, Separation of Duties, Layered
Defense, Fail Secure, Economy of Mechanism, Open Design, Complete Mediation,
Psychological Acceptability, Leveraging Existing Components, Redundancy)
○ Secure Coding Concepts
○ Secure Software Development Lifecycle
○ Common Methodologies
● Security vs. Quality
○ Quality:Fitness for use. Degree to which a product meets its requirements. Does
it do what it is supposed to do?
○ Security: reducing probability or impact of vulnerabilities

Lesson 8.3: Requirements to Writing Secure Code
Skills Learned From This Lesson: Secure Code, Bug Tracking, DREAD
● Training and Awareness for Developers
● Shift of focus/understanding for managers
● Security Checkpoints and Reviews
● Bug tracking
○ Classification of bugs uses DREAD
○ D -> Damage potential
○ R -> Reproducibility
○ E -> Exploitability
○ A -> Affected user base
○ D -> Discoverability

Lesson 8.4: Software Development Methodologies
Skills Learned From This Lesson: Software Development, Waterfall, Prototyping
● Waterfall : unidirectional Sequential phased approach
● Prototype
● Spiral
● Agile



Lesson 8.5: Cloud Application Security
Skills Learned From This Lesson: Cloud Security
● Determine Data Sensitivity
● Cloud Application Architecture
● Security Responsibilities Across Models
● The Software Development Lifecycle
● OWASP Top Ten Vulns
● IAM and Federated identity management
● Application Security Testing

Lesson 8.6: OWASP (Open Web Application Security Project)
Skills Learned From This Lesson: OWASP top ten
● Designed to raise awareness and to stress the need for security in web-based
applications; the list below is the 2017 edition of the Top Ten
● 1)Injection
● 2)Broken Authentication
● 3)Sensitive Data Exposure
● 4)XML External Entities (XXE)
● 5)Broken Access Control
● 6)Security Misconfiguration
● 7)Cross-Site Scripting (XSS)
● 8)Insecure Deserialization
● 9)Using Components with Known Vulnerabilities
● 10)Insufficient Logging & Monitoring

Lesson 8.7: Organizational Normative Framework
Skills Learned From This Lesson: Organizational Normative Framework, Validation, Verification
● Specified in ISO 27034
● Defines Components of application security best practices
○ Business Context
○ Regulatory Context
○ Technical Context
○ Specifications


○ Roles
○ Processes
○ ASC Library
● Application Normative Framework -> Used in conjunction with the ONF and is created
for specific applications, think of best practices for applications within the context of the
organization
● Common SW vulns and countermeasures agenda
○ Why is software insecure? Lack of training, lack of funding, no prioritization of security,
security treated as an afterthought
○ Vuln databases and resources
○ Types of vulns
■ Overflows
■ Injections
■ XSS
■ CSRF
■ Misconfigurations
■ Disclosure
■ Race Conditions
■ Side Channel Attacks
■ File Attacks
● Validation -> it serves the purpose it needed to serve, management acceptance, is this
what you wanted?
● Verification -> correctness of the product, usually internal, assessment, technical testing
● Certification -> the product meets its requirements, technical verification
● Post acceptance -> ongoing updates, patches, and changes reviewed and applied

Lesson 8.8: Object-Oriented Programming
Skills Learned From This Lesson: OOP, Classes, Objects
● Most widely used approach to SW development
● Traditional programming input->Processing->output
● OOP is modular in nature and focuses on the solution of problems through objects,
classes, methods, functions
● A Class is a concept
● An Object brings that concept to life



Lesson 8.9: Database Introduction Part 1
Skills Learned From This Lesson: DB models, Hierarchical, Distributed
● DB Models
○ Describes relationships between data elements
○ Used to represent the conceptual organization of data
○ Formal methods of representing information
○ Hierarchical-> tree like fashion, info from major group to subgroup
○ Distributed -> client server type of DB located on more than one server
distributed in several locations
○ Object-Oriented
○ Relational

Lesson 8.10: Database Introduction Part 2
Skills Learned From This Lesson: Relational DB, Primary key, Normalization
● Primary key -> uniquely identifies each record
● Entity Integrity -> the primary key cannot be null
● Normalization -> each attribute in a table must describe ONLY the primary key ("the key,
the whole key and nothing but the key"). Provides a means for removing duplicates
● Fields, Columns, Attributes -> mean the same
● Record, Rows, Tuples -> mean the same

Lesson 8.11: Database Introduction Part 3
Skills Learned From This Lesson: Attributes, Tuples, Foreign key
● Attributes -> Individual descriptors
● Tuples is data in rows
● Foreign key is when a PK from one table appears in a secondary table

Lesson 8.12: Database Introduction Part 4
Skills Learned From This Lesson: Cardinality, Schema, DB Schema
● Cardinality -> number of rows in a relation
● Degree -> number of columns in a relation
● DB Schema -> defines the design, structure

Lesson 8.13: Database Introduction Part 5

Skills Learned From This Lesson: DB Vulns, Inference, Polyinstantiation
● DB Vulns, threats and protections
○ Aggregation
○ Inference
○ Polyinstantiation -> multiple instances of the same record; a defense against
inference, where lots of unclassified info can lead to a classified clue
○ Code Injection
○ Input Validation

Lesson 8.14: Database Introduction Part 6

Skills Learned From This Lesson: ACID test, ACID, Malware
● Does the DB pass the ACID test?
● ACID
○ Atomicity -> transactions are either fully committed or rolled back
○ Consistency -> DB rules are enforced
○ Isolation -> transactions are invisible to others until committed
○ Durability -> once the commit has been acknowledged, the transaction cannot be rolled
back
● Beyond the traditional DB
● Data -> Information -> Knowledge
● Malware types
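The primary key, entity integrity, foreign key and ACID points from Lessons 8.10 through 8.14 can be exercised against a real engine. The block below is an added example, not part of the course notes; it uses Python's sqlite3 module with constructed table and column names (department, employee) and a temporary file for the isolation and durability checks.

```python
"""Added example (not from the course notes): primary key / entity integrity, foreign
keys and the ACID properties exercised with sqlite3. Table/column names are constructed."""
import os
import sqlite3
import tempfile

SCHEMA = """
CREATE TABLE department (
    -- Primary key: uniquely identifies each record and (entity integrity) cannot be NULL.
    -- SQLite enforces NOT NULL on a TEXT primary key only when it is written explicitly.
    dept_code TEXT NOT NULL PRIMARY KEY,
    dept_name TEXT NOT NULL UNIQUE
);
CREATE TABLE employee (
    emp_id    INTEGER PRIMARY KEY,
    emp_name  TEXT NOT NULL,
    -- Foreign key: the department's primary key appearing in a second table.
    dept_code TEXT NOT NULL REFERENCES department(dept_code)
);
"""

def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FKs unless set per connection
    return conn

def create_schema(conn):
    conn.executescript(SCHEMA)  # executescript commits once the script has run

def scalar(conn, sql, params=()):
    # fetchall() exhausts the statement, so a reader's shared lock is released afterwards
    return conn.execute(sql, params).fetchall()[0][0]

def try_insert(conn, sql, params):
    """Run one INSERT and report whether the database's rules accepted it."""
    try:
        with conn:  # commit on success, roll back on any exception
            conn.execute(sql, params)
        return True
    except sqlite3.IntegrityError:
        return False

def add_department_with_staff(conn, dept_code, dept_name, staff):
    """One unit of work: a department plus all of its employees.
    Atomicity: if any row is rejected, none of the rows persist."""
    try:
        with conn:
            conn.execute("INSERT INTO department VALUES (?, ?)", (dept_code, dept_name))
            conn.executemany("INSERT INTO employee (emp_name, dept_code) VALUES (?, ?)",
                             [(name, dept_code) for name in staff])
        return True
    except sqlite3.IntegrityError:
        return False

def integrity_checks():
    """Entity integrity, referential integrity (consistency) and atomicity."""
    conn = open_db()
    create_schema(conn)
    results = {
        # a NULL primary key violates entity integrity -> rejected
        "null_pk_rejected": not try_insert(
            conn, "INSERT INTO department VALUES (?, ?)", (None, "Nowhere")),
        # an employee pointing at a department that does not exist -> rejected
        "dangling_fk_rejected": not try_insert(
            conn, "INSERT INTO employee (emp_name, dept_code) VALUES (?, ?)", ("Ada", "SEC")),
        # a valid department plus two valid employees -> committed as one unit
        "good_unit_committed": add_department_with_staff(
            conn, "SEC", "Security", ["Ada", "Grace"]),
        # the second employee has a NULL name, so the whole unit rolls back
        "bad_unit_rolled_back": not add_department_with_staff(
            conn, "OPS", "Operations", ["Linus", None]),
    }
    results["ops_absent"] = scalar(
        conn, "SELECT COUNT(*) FROM department WHERE dept_code = ?", ("OPS",)) == 0
    results["sec_staff"] = scalar(
        conn, "SELECT COUNT(*) FROM employee WHERE dept_code = ?", ("SEC",))
    conn.close()
    return results

def isolation_and_durability():
    """Isolation: a reader sees none of a writer's rows until the commit.
    Durability: once committed, the rows survive closing and reopening the file."""
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "acid_demo.db")
        writer = open_db(path)
        create_schema(writer)
        reader = open_db(path)
        # implicit BEGIN: the row exists only inside the writer's open transaction
        writer.execute("INSERT INTO department VALUES ('NET', 'Networking')")
        before_commit = scalar(reader, "SELECT COUNT(*) FROM department")
        writer.commit()
        after_commit = scalar(reader, "SELECT COUNT(*) FROM department")
        writer.close()
        reader.close()
        reopened = open_db(path)
        survived = scalar(reopened, "SELECT COUNT(*) FROM department")
        reopened.close()
    return before_commit, after_commit, survived  # (0, 1, 1)
```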

CISSP Glossary

Created by S.E. Williams, Cybrary, TA

1. Abstraction - The process of removing characteristics from something to reduce it to a
set of essential characteristics for the purpose of creating specific groups, classes, or
roles for the assignment of security controls, restrictions, or permissions as a collective.
SOURCE: Abernathy & McMillian, 2018; Chapple, Stewart, & Gibson, 2018.
2. Acceptance Testing - Testing used to verify that a system satisfies the stated criteria for
functionality and the required security capabilities of a product. It is used to ensure a
customer is satisfied with the functionality of the software. SOURCES: Abernathy &
McMillan, 2018; Chapple, Stewart, & Gibson, 2018.
3. Access Aggregation - Associated with privilege creep, this technique also functions as a
reconnaissance tool by attackers to collect multiple pieces of non-sensitive data, which is
combined to gain greater access across more systems. SOURCES: Abernathy &
McMillian, 2018; Chapple, Stewart, & Gibson, 2018.
4. Access Control - A method to control an authorized subject’s communication with or
access to objects, resources, and physical facilities. This security-based control
determines how hardware, software, and organizational policies and procedures are used
to identify subjects to provide authentication, verification, and authorization while
monitoring and recording the subject’s access attempts. SOURCES: CNSSI-4009;
Abernathy & McMillian, 2018; Chapple, Stewart, & Gibson, 2018.
5. Access Control List (ACL) - A list associated with a specific object, specifying what
operations can be done by a subject; and a system resource access control determining
either implicit or explicit allow or deny to a resource. SOURCE: CNSSI-4009.
6. Access Control Lists (ACLs) - Columns in a control matrix, listing the permissions
granted to a subject (user, group, process) to access an object or resource, and the type
of access allowed to the subject. SOURCE: NISTIR 7298, r2.
7. Access Control Matrix - A table in which each row represents a subject, each column
represents an object, and each entry is a set of “access rights” a specific subject can take
on a specific object. Columns are the ACL. Capabilities are the rows. SOURCE: NISTIR
7316.
8. Access Control Policy - High-level security policy requirements specifying how access is
managed and which subjects may access objects, information, and resources, and under
what circumstances. SOURCE: NIST SP 800-192.

9. Access Point (AP) - A wireless transmitter and receiver that logically connects wireless
client devices operating in the infrastructure to one another and provides access to a
distribution system, if connected, which is typically an organization’s enterprise wired
network. SOURCE: NIST SP 800-121, r2.
10. Account Management - Process of requesting, establishing, issuing, and closing user
accounts. Includes tracking users and their access authorizations and managing these
functions. SOURCE: NIST SP 800-12, r1.
11. Accounting - A process that ensures the actions of an entity may be traced uniquely to
that entity (subject/user) to be held accountable for their actions or inactions. SOURCES:
NIST SP 800-57, Pt. 1., r4; Abernathy & McMillian, 2018.
12. Accountability - The security goal generating the requirement for actions of an entity to
be traced uniquely to that entity to support non-repudiation, deterrence, fault isolation,
intrusion detection and prevention, and after-action recovery and legal action. SOURCES:
NIST SP 800-27 and NIST SP 800-160.
13. Accreditation - The official management decision given by a senior agency official to
authorize operation of an information system and to explicitly accept the risk to agency
operations (including mission, functions, image, or reputation), agency assets, or
individuals, based on the implementation of an agreed-upon set of security controls.
SOURCES: FIPS 200; NIST SP 800-37.
14. Acoustical Systems - Detection system that uses strategically placed microphones to
detect any sound made during a forced entry. SOURCE: Harris & Maymi, 2018.
15. Acrylic Glass - Glass made of polycarbonate acrylic, which is stronger than regular glass
but produces toxic fumes when burned. SOURCE: Harris & Maymi, 2018.
16. Active Vulnerability Scanner (AVS) - An active scanner that blocks dangerous IP
addresses and attacks. SOURCE: Abernathy & McMillan, 2018.
17. ActiveX - Microsoft’s component object model (COM) technology used in web
applications, which is implemented with Visual Basic, C, C++, and Java. SOURCE:
Chapple, Stewart, & Gibson, 2018.
18. Ad Hoc Mode/Ad Hoc Network - A wireless network with dynamic connections between
devices without the use of an access point or wireless base-station. SOURCE: NIST SP
800-121, r2.
19. Address Resolution Protocol (ARP) - A protocol used to obtain a node’s physical
address; it resolves the IP address placed in a packet to a physical (data link, layer 2)
MAC/Ethernet address, to which the client can then transmit data. SOURCE: NIST SP
800-45, v2, p. A-1.

20. Administrative Control - Known also as “soft controls,” a method used by management
to control the development process of standards, policies, procedures, and guidelines.
Used to screen personnel, conduct security awareness training, monitor system activity,
and manage the change control process. SOURCE: Harris & Maymi, 2018.
21. Administrative Law - Laws set by the government and published in the Code of Federal
Regulations (CFR), which specify the performance and conduct standards for banking,
communications, environmental controls, healthcare and utilities. SOURCE: Abernathy &
McMillian, 2018; Stewart, Chapple, & Gibson, 2018.
22. Advanced Persistent Threat (APT) - An adversary with sophisticated expertise and
resources allowing it to attack via multiple attack vectors (e.g. cyber, physical, and
deception). Attackers repeatedly pursue objectives over extended time periods, adapt to
resist detection, and maintain levels of interaction to execute objectives, which include:
establish footholds, exfiltration of data, and undermining organizational mission.
SOURCE: NIST SP 800-39, p. B-1.
23. Adware - Software that tracks internet usage in an attempt to tailor ads and junk emails to
a user’s interest. SOURCE: Abernathy & McMillan, 2018.
24. Advanced Encryption Standard (AES) - A U.S. Government-approved cryptographic
algorithm that can be used to protect electronic data. This algorithm is a symmetric block
cipher that can encipher and decipher data in 128-bit blocks using 128-, 192-, or 256-bit keys.
SOURCES: FIPS 197, p.5; NIST-SP 800-57 Pt.1, r4, p. 23.
25. Aggregation - The consolidation of information from different lower security levels to
produce potentially useful information at a higher sensitivity level. May also consolidate
similar log entries into a single entry containing the number of occurrences of an event.
SOURCE: NIST-SP 800-92, p. A-1.
26. Agile Software Development - Software development models emphasizing continuous
customer feedback and cross-functional teamwork, with the goal of quickly producing new
functionality with each product version update or release. SOURCES: Abernathy &
McMillian, 2018; Chapple, Stewart, & Gibson, 2015.
27. Algorithm - Known also as a cipher, it is a clearly specified mathematical process for
computation to produce a specific result to encipher and decipher data. SOURCE: NIST
SP 800-107, r1.
28. Annualized Loss Expectancy (ALE) - The expected risk factor of an annual threat
event. Equation: ALE = SLE x ARO. SOURCE: Abernathy & McMillian, 2018.
29. Annualized Rate of Occurrence (ARO) - An estimate of how often a given threat might
occur annually. SOURCE: Abernathy & McMillian, 2018.

30. Application Firewall - A firewall that uses stateful protocol analysis to analyze network
traffic for one or more applications. SOURCE: NIST SP 800-179, p. 118.
31. Application Layer (Layer 7) - The layer of the TCP/IP or OSI protocol stack that sends and
receives data for particular applications such as DNS, HTTP, and SMTP. SOURCE: NIST
SP 800-113.
32. Application Level Gateway (ALG) - Application specific translation agents that allow an
application (like VoIP) on a host in one address realm to connect to its counterpart
running on a host in different realm transparently. It may interact with NAT to set up state,
use NAT state information, modify application specific payload and perform whatever else
is necessary to get the application running across disparate address realms. SOURCE:
NIST SP 800-58, p. 59.
33. Application-Level Gateway Firewall - A second-generation firewall that filters traffic
based on the internet service (the application) used to transmit or receive the data.
SOURCE: Chapple, Stewart, & Gibson, 2018.
34. Application Level Proxy - A type of firewall that performs deep packet inspection based
on the Layer 7 communication processes of each application. SOURCE: Abernathy &
McMillian, 2018.
35. Application Programming Interface (API) - A system access point or library function
that has a well-defined syntax and is accessible from application programs or user code
to provide well-defined functionality. SOURCE: CSRC Glossary.
36. Architecture - The organization of a system, including its components and their
interrelationships, along with the principles that guided the system’s design and evolution.
It is used to convey information about system/solution elements, interconnections,
relationships, and behavior at different levels of abstractions and with different scopes.
Related to security architecture. SOURCE: NIST SP 800-160, p.101.
37. Assembly Languages - Higher-level alternatives to machine language code, which use
mnemonics to represent the basic instruction set of a CPU but still require hardware-
specific knowledge. SOURCE: Chapple, Stewart, & Gibson, 2018.
38. Asset - Resources of value that an organization possesses or employs. May be any
product, process, system, or digital or physical entity that has value to the organization
and must be protected. SOURCES: NISTIR 8011 Vol.1, p. B-1; Abernathy & McMillian,
2018.
39. Asset Valuation - The process of assigning a monetary value to an asset based on its
importance to the organization. Methods to determine value include costs of development,
maintenance, administration, support, repair, and replacement. Other valuations may
include public confidence and ownership benefits. SOURCES: Abernathy & McMillian,
2018; Chapple, Stewart, & Gibson, 2018.
40. Assurance - Measure of confidence that the security features, practices, procedures, and
architecture of an information system accurately mediate and enforce the security
policy. SOURCE: NIST SP 800-53, r4., p. B-1.
41. Asymmetric DSL (ADSL) - DSL that provides 128 Kbps to 384 Kbps uploads with
downloads up to 768 Kbps. SOURCE: Abernathy & McMillian, 2018
42. Asymmetric Encryption - An algorithm that uses either complex algorithms or key pairs
(one private, one public) to encrypt and decrypt data. SOURCES: NISTIR 7298; CSRC;
and Chapple, Stewart, & Gibson, 2018.
43. Asymmetric Keys - Two related keys, comprised of a public key and a private key, which
are used to perform complementary operations such as encryption and decryption or
signature generation and verification. SOURCE: NIST SP 800-63-3, p. 40.
44. Asymmetric Mode - When a specific processor is always the one that does the work for
a specific application or process. SOURCE: Abernathy & McMillian, 2018.
45. Asynchronous Encryption - Encryption or decryption requests that are processed from
a queue. SOURCE: Abernathy & McMillian, 2018.
46. Asynchronous Transfer Mode (ATM) - A cell-switching technology that transfers fixed
53-byte cells and uses an established path for the entire communication. It provides
guaranteed throughput and is excellent for WAN voice and video-conferencing.
SOURCES: Abernathy & McMillian, 2018; Chapple, Stewart, & Gibson, 2018.
47. Asynchronous Transmission - Transmission in which start and stop bits communicate
when each byte starts and stops. SOURCE: Abernathy & McMillian, 2018.
48. Atomicity - One of four database requirements, which mandates that all parts of a
database transaction must complete or the transaction fails, meaning the entire transaction
must be rolled back. SOURCES: Abernathy & McMillian, 2018; Chapple, Stewart, & Gibson,
2018.
49. Attack - An attempt to gain unauthorized access to system services, resources, or
information, or an attempt to compromise system integrity, availability, or confidentiality.
SOURCE: NIST SP 800-82 r2, p. B-1.
50. Attacker - A party, including an insider, who acts with malicious intent to compromise a
system. SOURCE: NIST SP 800-63-3, p. 40.
51. Attack Vector - A segment of the communication path that an attack uses to access a
vulnerability. SOURCE: Abernathy & McMillian, 2018.

52. Attenuation - The gradual reduction of the amplitude of a signal, electrical current, or
other oscillation as it loses strength due to the distance traveled down a cable. SOURCE:
Merriam-Webster.
53. Attribute - A quality or characteristic ascribed to someone or something. SOURCE: NIST
SP 800-63-3, p. 40.
54. Attribute-Based Access Control (ABAC) - Access control based on attributes with and
about subjects, objects, targets, initiators, resources, or the environment. An access
control rule set defines the combination of attributes under which a subject’s access may
take place. Many SDN applications use this type of control model. SOURCE: CSRC,
2019.
55. Auditing - Independent review and examination of records and activities to assess the
adequacy of system controls and ensure compliance with established policies and
operational procedures. This includes the use of audit logs and monitoring tools to track
all activity. SOURCE: CSRC, 2019.
56. Auditors - A member of the organization, usually assigned by the Chief Operations
Officer (COO), or an independent entity, who inspects reports and risk assessments from
one or more analyzers to ensure that an application or business process meets the
security requirements of the organization. SOURCE: CSRC, 2019.
57. Authentication - Verifying the identity of a user, process, or device, often as a
prerequisite to allowing access to a system’s resources. SOURCES: NIST SP 800-63-3,
p. 41.; FIPS 200, p.6.
58. Authentication Factor - Consisting of three types: Type One - Something you know;
Type Two - Something you have; and Type Three - Something you are. SOURCE: NIST
SP 800-63-3, p. 41.
59. Authentication Header (AH) - An IPsec protocol that provides integrity, authentication, and
nonrepudiation. Encryption is provided by the companion Encapsulating Security Payload
(ESP) protocol. SOURCES: Abernathy & McMillian, 2018; Stewart, Chapple, & Gibson,
2015.
60. Authenticator - The means used to confirm the identity of a user, process, or device
(e.g., user password or token). For example, a subject may attempt to connect to an AP,
switch, or remote access server in a RADIUS environment. SOURCES: NIST SP 800-53,
r4, p. B-2; Abernathy & McMillian, 2018.
61. Authorize - A decision to grant access, typically automated by evaluating a subject’s
attributes. SOURCE: NIST SP 800-63-3, p. 42.

62. Authorization - The right or permission that is granted to a system entity to access a
system resource; the granting or denying of access rights to a subject, program, or
process. SOURCE: NIST SP 800-82, r2., p.B-2.
63. Automatic Private IP Addressing (APIPA) - A feature of Windows that assigns an IP
address to a system should DHCP address assignment fail. The IP address range used
by APIPA is 169.254.0.0 - 169.254.255.255. SOURCE: Stewart, Chapple, & Gibson,
2015.
64. Auxiliary Station Alarm /Auxiliary Alarm System - An added alarm that can be either
locally or centrally placed in a facility, which automatically transmits alarms to local
emergency services (fire, police,) and the organization’s appropriate headquarters.
SOURCES: Abernathy & McMillian, 2018; Stewart, Chapple, & Gibson, 2015.
65. Availability - Tenet of the CIA Triad that ensures timely, reliable access to data and
information services for authorized users. As a security goal, it generates the requirement
for protection against intentional or accidental attempts to perform unauthorized deletion
of data or otherwise cause a denial of service or of data. SOURCES: NIST SP 800-53, r4., p.
B-2; NIST SP 800-152; NIST SP 800-33.
66. Avalanche Effect - The condition where any changes in the key or plaintext, no matter
how minor, will significantly change the ciphertext. SOURCE: Abernathy & McMillian,
2018.
67. Back door or Backdoor - Both an undocumented way of gaining access to a computer
system and/or a malicious program that listens for commands on certain TCP and UDP
ports; both pose significant security risks. SOURCE: NIST SP 800-82, r2, p. 77.
68. BACnet2 - A master/slave industrial control system (ICS) protocol that uses port 47808.
SOURCE: Abernathy & McMillian, 2018.
69. Base Relation - A table that physically resides/exists and is stored in an SQL database.
SOURCE: Freeman, 2014.
70. Baseband - A communication medium that supports only a single communication signal
at a time and multiple transmission types are assigned time slots to use the same single
circuit. SOURCE: Stewart, Chapple, & Gibson, 2015.
71. Basel II - In 1974 the ten-country Basel Committee on Banking Supervision, based in
Switzerland, established “three pillars” of recommendations to protect banking institutions
against financial risk. The pillars define minimum capital requirements, supervisory
review, and market discipline. SOURCE: Bakiciol, et al., (n.d.).

72. Baseline - A formally approved version of a configuration item, regardless of media,
formally designated and fixed at a specific time during the configuration item’s life cycle,
used as a security governance reference for performance measures. SOURCE: IEEE
828, 2012.
73. Baselining - Monitoring critical resources to determine typical utilization patterns so that
significant deviations can be detected. SOURCE: NIST SP 800-61 p. F-1.
74. Basic Rate ISDN (BRI) - A telecommunications solution that provides three channels:
two 64 Kbps B channels and one 16 Kbps D channel, totaling 144 Kbps. SOURCE:
Abernathy & McMillian, 2018.
75. Bastion Host - A special purpose computer on a network directly exposed to the internet
and where the computer is specifically designed and configured to withstand attacks.
SOURCE: CNSSI 4009-2015, p. 11.
76. Bell-LaPadula model - A model which uses formal state transitions to describe access
controls and how they should perform. As a system transitions between states, the
system’s security must not be lowered or compromised; it uses the simple security property
(no read up) and the * (star) property (no write down) to control the information flow.
SOURCE: Harris, & Maymi, 2018.
77. Best Evidence Rule - A rule which states documentary evidence (written or recorded)
must only be presented in its original form unless a legitimate reason exists for not using
the original, which can only be permitted by a judge (the court). SOURCE: Stewart,
Chapple, & Gibson, 2015.
78. Biba Model - A formal state transition system of computer security policy that describes a
set of access control rules designed to ensure data integrity. SOURCE: Harris, & Maymi,
2018.
79. Biometric Acceptability - Measurement of the likelihood that users will accept and follow
the system. SOURCE: Abernathy & McMillian, 2018.
80. Biometric Accuracy - How correct the overall biometric readings will be. SOURCE:
Abernathy & McMillian, 2018.

81. Biometrics - Measurable physical characteristics or personal behavioral traits used to
identify, or verify the claimed identity of, an individual. Facial images, fingerprints, and
handwriting samples are all examples of biometrics. SOURCE: NIST SP 800-32, p. 8.
82. Biometric Throughput - The rate at which the biometric system will be able to scan
characteristics and complete the analysis to permit or deny access. SOURCE: Abernathy
& McMillian, 2018.

83. Birthday Attack - A type of brute-force attack where the attacker compares one-way
hashes of a password based on a birthday paradox that at least two people out of 253 in
a room will statistically have the same birthday. SOURCE: Miessler, 2014.
84. Black Box Testing - A test methodology that assumes no knowledge of the internal
structure and implementation detail of the assessment object. This method of software
testing examines the functionality of an application without peering into its internal
structures or workings. This method can be applied to virtually every level of software
testing: unit, integration, system, and acceptance. SOURCE: NIST SP 800-192, p. 55.
85. Blacklisting - The process used to prevent unauthorized software programs from
executing on an information system, and the blocking of unacceptable URLs or email
senders that have previously been identified as malicious attackers or spammers. A
user’s ID may also be blocked from accessing system resources. SOURCE: NIST SP
800-53, r4, p3.
86. Blackout - A complete and extended loss of electrical power.
87. Blind Test - When a testing team conducts an attack on a network, system, or software
using only publicly available information. The internal security team is alerted to the
coming attack. SOURCE: Doraiswamy, 2011.
88. Block Cipher - A symmetric-key cryptographic algorithm that transforms one block of
information at a time using a cryptographic key; the length of the input block is the same
as the length of the output block. SOURCE: NIST SP 800-90A r1, p. 3.
89. Blowfish - Created in 1993, it is a license-free block cipher with a 64-bit block and a
variable key length of 32 bits to 448 bits, which is faster than DES and IDEA. SOURCE:
Schneier, 2019.
90. Bluejacking - Hijacking a Bluetooth connection to eavesdrop or extract information from
devices. SOURCE: Stewart, Chapple, & Gibson, 2018.
91. Bluesnarfing - When an attacker connects to an unsuspecting person’s Bluetooth device,
to steal personal information such as contacts. SOURCE: Chapple, Stewart & Gibson,
2015.
92. Bluetooth 802.15 - A wireless protocol that allows two Bluetooth enabled devices to
communicate with each other within a short distance, e.g. up to thirty feet. SOURCE:
CSRC, 2019.
93. Border Gateway Protocol (BGP) - An Internet Engineering Task Force (IETF) path
vector standard routing protocol used across the global internet used to establish services
such as multicast and VPNs. SOURCE: Cisco, (2019).

94. Botnet - A very large collection of computers controlled by a bot-master across the global
internet to attack various targets or launch attacks such as DDoS attacks. SOURCE:
Norton, 2019.
95. Breach - Occurs when an internal or external attacker accesses information without
authorization, then discloses the stolen data (e.g. PII, sensitive information). SOURCE:
Symanovich, 2019.
96. Brewer-Nash (Chinese Wall) Model - A security model used to prevent conflict of
interests by grouping “conflict of interest classes” and restricting permissions by access
controls based on the user’s previous actions. It was designed to be used in financial
institutions. SOURCE: Brewer & Nash, 1989.
97. Broadcast - Transmission to all devices in a network without any acknowledgement by
the receivers. SOURCE: NIST SP 800-82, r2.
98. Brownout - A prolonged drop in electrical power that is below normal voltage. SOURCE:
Abernathy & McMillian, 2018.
99. Buffer Overflow - A condition at an interface under which more input can be placed into
a buffer or data holding area than the capacity allocated, overwriting other information.
Attackers exploit such a condition to crash a system or to insert specially crafted code that
allows them to gain control of the system. SOURCE: CNSSI 4009-2015, p. 13.
100. Build Security In (BSI) - An approach of building security into software from the start and
making security recommendations with regard to architectures, testing methods, code
review, and management processes. SOURCE: Abernathy & McMillian, 2018.
101. Business Continuity Plan (BCP) - The documentation of a predetermined set of
instructions or procedures that describe how an organization’s mission/business
processes will be sustained during and after a significant disruption. SOURCE: NIST SP
800-34 r1., p. G-1.
102. Business Impact Analysis (BIA) - Analysis of an information system’s requirements,
functions, and interdependencies used to characterize system contingency requirements
and priorities in the event of a significant disruption. SOURCE: NIST SP 800-34, r1., p.G-
1.
103. Byte - A string of eight bits. SOURCE: NIST SP 800-106, p. 3.
104. Cable Lock - A vinyl-coated steel cable that connects to a laptop and then locks around
an object. SOURCE: Abernathy & McMillian, 2018.
105. Candidate Key - A subset of attributes, columns, or fields that can be used to uniquely
identify any record in a table. SOURCE: Chapple, Stewart & Gibson, 2015.

106. Capability Maturity Model Integration (CMMI) - Development model used to determine
the maturity of an organization’s processes. SOURCE: Harris & Maymi, 2018.
107. Capability Table - A table that specifies access rights a certain subject possesses to
access specific objects. SOURCE: Harris & Maymi, 2018.
108. Capacitance Detector - A type of proximity detector that emits a measurable magnetic
field and sounds an alarm when the field is disrupted; often used in museums. SOURCE:
Harris & Maymi, 2018.
109. Cardinality - The number of rows in a relation (table) of a relational database.
110. Carrier Sense Multiple Access/Collision Avoidance (CSMA/CA) - A medium sharing
method in which each computer signals its intent to transmit data before it actually does,
to inform the other systems not to send, to prevent collisions. SOURCE: Harris & Maymi,
2018.
111. Carrier Sense Multiple Access/Collision Detection (CSMA/CD) - A medium access
method where a system listens for the absence of a carrier tone on the wire to determine
if the wire is free, and if so, then transmits data. SOURCE: Harris & Maymi, 2018.
112. Certificate Authority (CA) - An entity in a Public Key Infrastructure (PKI) organization
that is responsible for authenticating subjects and issuing digital certificates to them, and
whose root certificate is included in modern web browsers. SOURCE: NIST SP 800-57,
Pt.1, R4, p.6.
113. Certificate Revocation List (CRL) - A list of revoked public key certificates created and
digitally signed by a CA. SOURCE: CNSSI 4009-2015, p. 15.
114. Certificate Status Authority (CSA) - A trusted entity that provides on-line verification to
a relying party of a subject certificate's trustworthiness, and may also provide additional
attribute information for the subject certificate. SOURCE: CNSSI 4009-2015, p. 16.
115. Certificate Status Server (CSS) - An authority that provides status information about
certificates on behalf of the CA through online transactions (e.g., an online certificate
status protocol (OCSP) responder). SOURCE: CNSSI 4009-2015, p. 16.
116. Certification - The technical evaluation of a system; the process of evaluating the
software for its security effectiveness with regard to the customer’s needs. SOURCE:
Abernathy & McMillian, 2018.
117. Chain of Custody - A process that tracks the movement of evidence through its
collection, safeguarding, and analysis lifecycle by documenting each person who handled
the evidence, the date/time it was collected or transferred, and the purpose of the
transfer. SOURCE: CNSSI 4009-2015, p. 17.
118. Challenge Handshake Authentication Protocol (CHAP) - A system of challenges and
response mechanisms used between a server and a client. A server sends a random
challenge, which the client encrypts and returns to the server. The server decrypts the
challenge value to pair it with the original value sent. If the values are the same, the
server grants access to the client. Harris & Maymi, 2018.
119. Channel Service Unit/Data Service Unit (CSU/DSU) - Required when digital equipment
will be used to connect a LAN to a WAN via a T1 or T3 line. It is used to modulate the
signals between routers, switches, and multiplexers. Harris & Maymi, 2018.
120. Chief Executive Officer (CEO) - Person primarily responsible for due diligence,
executive management decisions, and ultimate responsibility for the organization.
121. Chief Financial Officer (CFO) - Person responsible for executive management of an
organization’s budget and finances.
122. Chief Information Officer (CIO) - Executive management person responsible for
ensuring technology supports the organization’s objective. SOURCE: NIST SP 800-53,
r4., p. B-3.
123. Chosen Ciphertext Attack - An attack in which the attacker has the ability to decrypt
chosen portions of the ciphertext message. SOURCE: Chapple, Stewart, & Gibson, 2018.
124. Cipher Block Chaining (CBC) - An operation that uses DES to XOR the unencrypted output
of one block with the input of the next block, n+1. SOURCE: Pound, 2019.
125. Cipher Feedback (CFB) - A mode in which the DES algorithm is used to encrypt the
preceding block of cipher; the block is XORed with the next block of plaintext to produce
the next block of ciphertext. SOURCE: Chapple, Stewart, & Gibson, 2018.
126. Ciphertext - An encrypted message. SOURCE: Pound, 2019.
127. Class A Fire Extinguisher - Used on ordinary combustibles.
128. Class B Fire Extinguisher - Used on flammable liquids and flammable gases.
129. Class C Fire Extinguisher - Used on electrical equipment.
130. Class D Fire Extinguisher - Used on combustible metals.
131. Class K Fire Extinguisher - Used on cooking oil and fat.
132. Clean Power - Pure, non-fluctuating, electrical power. SOURCE: Chapple, Stewart, &
Gibson, 2018.
133. Clipping Levels/Threshold - Used in violation analysis. When a set value is surpassed,
the event is recorded into an audit log. SOURCE: Chapple, Stewart, & Gibson, 2018.
134. Cloud Computing - A model for enabling ubiquitous, convenient, on-demand network
access to a shared pool of configurable computing resources (e.g., networks, servers,
storage, applications, and services) that can be rapidly provisioned and released with
minimal management effort or service provider interaction. SOURCE: CNSSI 4009-2015,
p. 19.
135. Code Review and Testing - Used to identify bad programming patterns, security
misconfigurations, functional bugs, and logic flaws.
136. Cold Site - A backup facility that has the necessary electrical and physical components of
a computer facility, but does not have the computer equipment in place. The site is ready
to receive the necessary replacement computer equipment in the event that the user has
to move from their main computing location to an alternate site. SOURCE: NIST SP 800-
34, r1., p. G-1.
137. Collision - An event in which two different messages have the same message digest.
SOURCE: NIST SP 800-106, p. 3.
138. Collision Resistance - An expected property of a cryptographic hash function whereby it
is computationally infeasible to find a collision. SOURCE: NIST SP 800-106, p. 3.
139. Compensating Security Controls - The management, operational, and technical
controls (i.e., safeguards or countermeasures) employed by an organization in lieu of the
recommended controls in the low, moderate, or high baselines described in NIST Special
Publication 800-53, that provide equivalent or comparable protection for an information
system. SOURCE: NIST SP 800-137, p. B-2.
140. Completely Automated Public Turing test to tell Computers and Humans Apart
(CAPTCHA) - An interactive feature added to web forms to distinguish whether a human
or automated agent is using the form. Typically, it requires entering text corresponding to
a distorted image or a sound stream. SOURCE: NIST SP 800-63-3, p. 42.
141. Common Criteria - Governing document that provides a comprehensive, rigorous
method for specifying security function and assurance requirements for products and
systems. SOURCE: NIST SP 800-53, r4., p. B-4.
142. Compensative Control - The security controls employed in lieu of the recommended
controls in the security control baselines described in NIST Special Publication 800-53
and CNSS Instruction 1253 that provide equivalent or comparable protection for an
information system or organization. SOURCE: CNSSI 4009-2015, p. 23.
143. Confidentiality - Ensures unauthorized subjects are denied access to confidential objects
and prevents authorized subjects from disclosing protected data by preserving
authorized restrictions on information access and disclosure, including means for
protecting personal privacy and proprietary information. SOURCE: NIST SP 800-152.
144. Configuration Management - A collection of activities focused on establishing and
maintaining the integrity of information technology products and information systems,
through control of processes for initializing, changing, and monitoring the configurations of
those products and systems throughout the system development life cycle. SOURCE:
NIST SP 800-53, r4., p. B-4.
145. Confusion - Complicating the mapping between the plaintext and the encryption key, so
an attacker cannot distinguish between the input and output processes. SOURCE: Pound,
2019.
146. Continuity of Operations Plan (COOP) - A predetermined set of instructions or
procedures that describe how an organization’s mission essential functions will be
sustained within 12 hours and for up to 30 days as a result of a disaster event before
returning to normal operations. SOURCE: NIST SP 800-34 r1., p. G-1.
147. Controlled Interface - A boundary with a set of mechanisms that enforces the security
policies and controls the flow of information between interconnected information systems.
SOURCE: CNSSI 4009-2015, p. 32.
148. Counter Mode (CTR) - The DES encryption mode in which a nonce + counter value is encrypted and then XOR'd with
the corresponding message block, so each block is encrypted with a unique keystream.
SOURCE: Pound, 2019.
149. Countermeasure - Actions, devices, procedures, techniques, or other measures that
reduce the vulnerability of an information system. Synonymous with security controls and
safeguards. SOURCE: NIST SP 800-137, p. B-5.
150. Covert Channel - An unintended or unauthorized intra-system channel that enables two
cooperating entities to transfer information in a way that violates the system's security
policy but does not exceed the entities' access authorizations. SOURCE: CNSSI 4009-
2015, p. 33.
151. Covert Storage Channel - Involves the direct or indirect writing to a storage location by
one process and the direct or indirect reading of the storage location by another process.
They typically involve a finite resource (e.g., sectors on a disk) that is shared by two
subjects at different security levels. SOURCE: NIST SP 800-53, r4., p. B-6.
152. Covert Timing Channel - A channel in which one process signals information to another
process by modulating its own use of system resources (e.g., central processing unit
time) in such a way that this manipulation affects the real response time observed by the
second process. SOURCE: NIST SP 800-53, r4., p. B-6.
153. Credential - An object or data structure that authoritatively binds an identity via an
identifier and additional attributes, to at least one authenticator possessed and controlled
by a subject or subscriber. SOURCE: NIST SP 800-63-3, p. 44.
154. Cross-site Request Forgery (CSRF) - An attack in which a subject currently
authenticated to a legitimate website and connected through a secure session browses to
an attacker’s website, causing the subject’s browser to be used to attack a vulnerable server.
SOURCES: NIST SP 800-63-3, p. 44; Stewart, Chapple, & Gibson, 2018.
155. Cross-site Scripting (XSS) - A vulnerability that allows attackers to inject malicious code
into an otherwise benign website. Often used with SQL script injection to redirect
browsing to the attacker’s website where confidentiality and integrity are compromised
when the attacker transfers data between the website and the client, without the subject’s
knowledge. SOURCE: NIST SP 800-63-3, p. 44.
156. Cryptanalysis - Operations performed in defeating cryptographic protection without an
initial knowledge of the key employed in providing the protection. Also, the study of
mathematical techniques for attempting to defeat cryptographic techniques and/or
information systems security. This includes the process of looking for errors or
weaknesses in the implementation of an algorithm or of the algorithm itself. SOURCE:
CNSSI 4009-2015, p. 36.
157. Cryptography - Art or science concerning the principles, means, and methods for
rendering plain information unintelligible and for restoring encrypted information to
intelligible form. SOURCE: CNSSI 4009-2015, p. 39.
158. Cryptographic Hash Function - A function that maps a bit string of arbitrary length to a
fixed-length bit string and is expected to be collision resistant, preimage resistant,
and second preimage resistant. SOURCE: NIST SP 800-106, p. 3.
159. Cryptographic Key - A value used to control cryptographic operations, such as
decryption, encryption, signature generation, or signature verification. SOURCE: NIST SP
800-63-3, p. 44.
160. Cryptographic Module - A set of hardware, software, and/or firmware that implements
approved security functions (including cryptographic algorithms and key generation).
SOURCE: NIST SP 800-63-3, p. 45.
161. Data Custodian - The individual tasked with assigning permissions to data and the daily
maintenance and protection of data as assigned by upper management. SOURCES:
Abernathy & McMillian, 2018; Chapple, Stewart, & Gibson, 2018.
162. Data Encryption Standard (DES) - The symmetric encryption algorithm defined as a 56-bit
key algorithm developed by IBM in 1977, which the NSA proved as insecure. DES was
replaced by AES in 2001. SOURCES: Pound, 2019; NIST SP 800-15.
163. Data Loss Prevention (DLP) - A system's ability to identify, monitor, and protect data in
use (e.g., endpoint actions), data in motion (e.g., network actions), and data at rest (e.g.,
data storage) through deep packet content inspection and contextual security analysis of
transactions (attributes of originator, data object, medium, timing, recipient/destination,
etc.), within a centralized management framework. Data loss prevention capabilities are
designed to detect and prevent the unauthorized use and transmission of NSS
information. SOURCE: CNSSI 4009-2015, p. 39.
164. Data Mining/Harvesting - An analytical process that attempts to find correlations or
patterns in large data sets for the purpose of data or knowledge discovery. SOURCE:
NIST SP 800-53, r4., p. B-6.
165. Data Owner - The person responsible for classifying information and determining who may
access data. SOURCE: Chapple, Stewart, & Gibson, 2018.
166. Decoding/Decode - Convert encoded data back to its original form of representation.
SOURCE: CNSSI 4009-2015, p. 39.
167. Defense in Depth - Information security strategy integrating people, technology, and
operations capabilities to establish variable barriers across multiple layers and missions of
the organization. SOURCE: NIST SP 800-53, r4., p. B-6.
168. Degauss - To reduce the magnetic flux to virtual zero by applying a reverse magnetizing
field; demagnetizing media. SOURCE: CNSSI 4009-2015, p. 43.
169. Demilitarized Zone (DMZ) - Perimeter network segment that is logically between internal
and external networks. Its purpose is to enforce the internal network’s Information
Assurance (IA) policy for external information exchange and to provide external, untrusted
sources with restricted access to releasable information while shielding the internal
networks from outside attacks. SOURCE: CNSSI 4009-2015, p. 43.
170. Diffie-Hellman - A common key exchange algorithm used to securely
exchange or establish secret keys (key material) across an insecure network. It is used
to create temporary or single-use secret keys. SOURCE: NIST SP 800-113.
171. Diffusion - Used to create randomness in the output of a ciphertext by making plaintext
changes which carry throughout the ciphertext. SOURCE: Pound, 2019.
172. Digital Certificate - An electronic document often in X.509 format, containing the CA’s
digital signature and the owner’s public key, by which they can be identified. SOURCE:
Abernathy & McMillian, 2018.
173. Digital Signature - The result of a cryptographic transformation of data, that when
properly implemented, provides the services of: 1. Origin authentication; 2. Data integrity,
and 3. Signer non-repudiation. SOURCE: NIST SP 800-57, Pt1., r3.
174. Digital Signature Algorithm (DSA) - Used with digital signatures, it is a protocol based
on algorithms similar to Diffie-Hellman and can be used with elliptic curve cryptography to
increase the algorithm’s strength. SOURCE: Pound, 2019.
175. Disaster Recovery Plan (DRP) - A written plan for recovering one or more information
systems at an alternate facility in response to a major hardware or software failure or
destruction of facilities. SOURCE: NIST SP 800-37, r1., p. G-1.
176. Discretionary Access Control (DAC) - An access policy used to restrict access to
objects (e.g., files, data entities) based on the identity and need-to-know of subjects (e.g.,
users, processes) and/or groups to which the object belongs. The controls are
discretionary in the sense that a subject with a certain access permission is capable of
passing that permission (perhaps indirectly) on to any other subject (unless restrained by
mandatory access control). SOURCE: NIST SP 800-53, r4., p. B-7.
177. Disruption - An unplanned event that causes an information system to be inoperable for
a length of time (e.g., minor or extended power outage, extended unavailable network, or
equipment or facility damage or destruction). SOURCE: NIST SP 800-34, r1., p. G-1.
178. Domain - An environment or context that includes a set of system resources and a set of
system entities that have the right to access the resources as defined by a common
security policy, security model, or security architecture. SOURCE: NIST SP 800-53, r4., p.
B-7.
179. Dry-Pipe Fire Extinguisher - Pipes and sprinklers do not contain water but pressurized
air. When a fire is detected, water is pumped into the pipes and sprinklers from a water
storage holding tank usually located outside or below the facility.
180. Electronic Code Book (ECB) - The least secure, weakest, and most basic encryption
mode. Based on a 64-bit block, it encrypts sequential blocks of data with one chosen
secret key. The first block of data is encrypted into the next block to produce the
ciphertext output, which can be identical to other produced blocks because the same key
is used. SOURCES: Pound, 2019; Chapple, Stewart, & Gibson, 2018.
181. Elliptic Curve Cryptography (ECC) - A digital signature algorithm that is an analog of
DSA using elliptic curve mathematics and specified by ANSI standards. It can be used to
replace Diffie-Hellman and DSA public key cryptography to perform modular arithmetic
functions (y² = x³ + ax + b). Elliptic Curve algorithms have shorter key sizes and are more
efficient. SOURCES: NIST SP 800-57 Pt.1, r4; Pound, 2019.
182. Encapsulating Security Payload (ESP) - An IPsec security protocol that can provide
encryption and/or integrity protection for packet headers and data. SOURCE: NIST SP
800-77.
183. Encryption - The cryptographic transformation of data to produce ciphertext. SOURCE:
CNSSI 4009-2015, p. 43.
184. Endpoint Security/End-to-end security - Safeguarding information in an information
system from point of origin to point of destination. SOURCE: CNSSI 4009-2015, p. 47.
185. Enterprise - An organization with a defined mission/goal and a defined boundary, using
information systems to execute that mission, and with responsibility for managing its own
risks and performance of business aspects: acquisition, program management, financial
management (e.g., budgets), human resources, security, and information systems,
information and mission management. SOURCE: NIST SP 800-53, r4., p. B-7.
186. Ephemeral Mode - Starting every session with a new key exchange to guarantee forward
secrecy. SOURCE: Pound, 2019.
187. Event - Something that occurs within a system or network; an observable occurrence in
an information system. SOURCES: NIST SP 800-92, p. A-1; 800-53, r4., p. B-7.
188. Event Aggregation - The consolidation of similar log entries into a single entry containing
a count of the number of occurrences of the event. SOURCE: NIST SP 800-92, p. A-1.
189. Exclusive-Or (XOR) - An encryption operation applied to two bits. Two bits of the same
value combine to produce 0. Two bits with different values combine to produce the
value 1 (the value can be A OR B, but not A AND B). SOURCE: Pound, 2019.
190. Exfiltration - The unauthorized transfer of information from an information system.
SOURCE: NIST SP 800-53, r4., p. B-7.
191. Extensible Authentication Protocol (EAP) - Not a single protocol but a framework for
port-based access control that uses the same three components as RADIUS. SOURCE:
Abernathy & McMillian, 2018.
192. Extranet - A computer network that an organization uses for application data traffic
between the organization and its business partners. SOURCE: CNSSI 4009-2015, p. 52.
193. Fail Safe - A mode of termination of system functions that prevents damage to specified
system resources and system entities (e.g. specified data, property, and life) when a
failure occurs or is detected in the system (but the failure still might cause a security
compromise). SOURCE: CNSSI 4009-2015, p. 52.
194. Fail Secure - A mode of termination of system functions that prevents loss of secure state
when a failure occurs or is detected in the system (but the failure still might cause
damage to some system resource or system entity). SOURCE: CNSSI 4009-2015, p. 52.
195. Failover - The capability to switch over automatically (typically without human intervention
or warning) to a redundant or standby information system upon the failure or abnormal
termination of the previously active system. SOURCE: NIST SP 800-53, r4., p. B-8.
196. Fail Soft - Selective termination of affected, non-essential system functions when a failure
occurs or is detected in the system. SOURCE: CNSSI 4009-2015, p. 52.
197. False Acceptance Rate (FAR) - Proportion of verification transactions with wrongful
claims of identity that are incorrectly confirmed. SOURCE: CNSSI 4009-2015, p. 52.
198. False Rejection Rate (FRR) - Proportion of verification transactions with truthful claims of
identity that are incorrectly denied. SOURCE: CNSSI 4009-2015, p. 52.
199. Fault - A momentary electrical power outage.
200. Feistel Cipher - Uses hash functions in a series of permutations (transposition rounds)
that can be reversed and converted into a block cipher. SOURCE: Pound, 2019.
201. Federal Information Security Management Act (FISMA) of 2002 - Title III of the E-
Government Act requiring each federal agency to develop, document, and implement an
agency-wide program to provide information security for the information and information
systems that support the operations and assets of the agency, including those provided or
managed by another agency, contractor, or other source. SOURCE: CNSSI 4009-2015,
p. 53.
202. Fibre Channel over Ethernet (FCoE) - A storage protocol that allows Fibre Channel
frames to run at light speed on 10GB Ethernet networks. SOURCE: Abernathy &
McMillian, 2018.
203. Firewall - A gateway that limits access between networks in accordance with local
security policy. SOURCE: CNSSI 4009-2015, p. 54.
204. Firmware - Computer programs and data stored in hardware - typically in read-only
memory (ROM) or programmable read-only memory (PROM) - such that the programs
and data cannot be dynamically written or modified during execution of the programs.
SOURCE: NIST SP 800-53, r4., p. B-8.
205. Frequency Hopping Spread Spectrum (FHSS) - Repeated switching of frequencies
during radio transmission according to a specified algorithm, to minimize unauthorized
interception or jamming of telecommunications. SOURCE: CNSSI 4009-2015, p. 55.
206. Functional Testing - Segment of quality assurance testing in which the advertised security
mechanisms of an information system are tested against specification. SOURCE: CNSSI
4009-2015, p. 55.
207. Gateway - An intermediate system (interface, relay) that attaches to two (or more)
computer networks that have similar functions but dissimilar implementations and that
enables either one-way or two-way communication between the networks. SOURCE:
CNSSI 4009-2015, p. 55.
208. Gray-box Testing - Known also as focus testing, it is a test methodology that assumes
some knowledge of the internal structure and implementation detail of the assessment
object. SOURCE: CNSSI 4009-2015, p. 55.
209. Handshake - Protocol dialogue between two systems for identifying and authenticating
themselves to each other, or for synchronizing their operations with each other. SOURCE:
IETF RFC 4949 v2.
210. Hardware - The physical components of an information system. SOURCE: NIST SP 800-
53, r4., p. B-8.
211. Hash - A one-way function which maps strings of bits to fixed-length strings of bits,
satisfying the property that integrity is maintained if the sender’s message digest value
is compared and shown to be the same as the receiver’s message digest value; if the
two MDs are different, modification has occurred and integrity has been compromised.
SOURCES: NIST SP 800-15; Abernathy & McMillian, 2018.
212. Hash function - Any size message is hashed to a fixed size output value (message
digest). Hash functions are used with digital signatures, Message Authentication Codes
(MACs) and even passwords to determine a shared key (e.g. Diffie-Hellman output).
SOURCE: Pound, 2019.
213. Hash Value - The result of applying cryptographic hash functions to data (known also as
a message digest). SOURCE: NIST SP 800-106, p.4.
214. Hashed - The process whereby data was input into a cryptographic hash function to
produce a hash value. SOURCE: NIST SP 800-106, p. 4.
215. Hashed Message Authentication Code (HMAC) - A message authentication code that
uses a cryptographic key in conjunction with a hash function. It is used to ensure
message integrity through the use of a partial digital signature based on two keys and two
applications of the hash function to solve attacks on SHA-1 and SHA-2. Nonrepudiation
is not guaranteed. SOURCES: NISTIR 7711, p. 68; Pound, 2019.
216. Honeypot - A system (e.g., a web server) or system resource (e.g., a file on a server) that
is designed to be attractive to potential crackers and intruders, like honey is attractive to
bears. SOURCE: CNSSI 4009-2015, p. 58.
217. Hot Site - A fully operational offsite data processing facility equipped with hardware and
software, to be used in the event of an information system disruption. SOURCE: NIST SP
800-34, r1., G-1.
218. Hybrid/Hybrid Security Control - A security control that is implemented in an
information system in part as a common control and in part as a system-specific control.
SOURCE: NIST SP 800-53, p. B-9
219. Hypertext Transfer Protocol over TLS/SSL (HTTPS) - The standard method for
communication between clients and web servers, it is a secured version of HTTP using
TLS/SSL and HTTP to secure website transactions; uses TCP port 443. SOURCE: NIST
SP 800-101, r1., p.69.
220. Identification - The process of discovering the true identity (i.e., origin, initial history) of a
person or item from the entire collection of similar persons or items. SOURCE: CNSSI
4009-2015, p.59.
221. Incident - An occurrence that actually or potentially jeopardizes the confidentiality,
integrity, or availability of an information system or the information the system processes,
stores, or transmits or that constitutes a violation or imminent threat of violation of security
policies, security procedures, or acceptable use policies. SOURCE: NIST SP 800-53, r4.,
p. B-9.
222. Incident Response Plan - The documentation of a predetermined set of instructions or
procedures to detect, respond to, and limit the consequences of malicious cyber-attacks
against an organization’s information system(s). SOURCE: NIST SP 800-34, r1., p. G-2.
223. Industrial Control System (ICS) - An information system used to control industrial
processes such as manufacturing, product handling, production, and distribution,
including supervisory control and data acquisition (SCADA) systems used to control
geographically dispersed assets, as well as distributed control systems (DCSs) and
smaller control systems using programmable logic controllers to control localized
processes. SOURCE: NIST SP 800-53, R4., p. B-9.
224. Information Assurance (IA) - Measures that protect and defend information and
information systems by ensuring their availability, integrity, authentication, confidentiality,
and non-repudiation. These measures include providing for restoration of information
systems by incorporating protection, detection, and reaction capabilities. SOURCE:
CNSSI 4009-2015, p. 62.
225. Information Owner/Data Owner - Official with statutory or operational authority for
specified information and responsibility for establishing the controls for its generation,
collection, processing, dissemination, and disposal. SOURCE: NIST SP 800-137, p. B-6.
226. Information Security Continuous Monitoring (ISCM) - Maintaining ongoing awareness
of information security, vulnerabilities, and threats to support organizational risk
management decisions. SOURCE: CNSSI 4009-2015, p. 64.
227. Information Security Officer (ISO) - An executive or senior management person
responsible for due care in performing risk analysis, mitigation, communicating risk to
senior management, establishing security measures, and maintaining awareness of
emerging threats. This individual recommends best practices to influence policies,
standards, procedures, and guidelines to ensure the organization meets government and
industry compliance. SOURCES: Abernathy & McMillian, 2018; Stewart, Chapple, &
Gibson, 2015.
228. Information System Owner - Official responsible for the overall procurement,
development, integration, modification, or operation and maintenance of an information
system. SOURCE: NIST SP 800-53, r4., p. B-10.
229. Initialization Vector (IV) - A nonce that is associated with an invocation of authenticated
encryption on a particular plaintext, used in defining the starting point of a cryptographic
process. It is used to create randomness to increase the strength of encrypted data. The
IV may be randomly repeatable and should be unpredictable. SOURCES: NIST SP 800-38D, p.4; NIST SP 800-57, r4., p. 9.
230. Insider Threat - The threat that an insider will use her/his authorized access, wittingly or
unwittingly, to do harm to the security of United States or an organization. This threat can
include damage through espionage, terrorism, unauthorized disclosure of national
security information, or through the loss or degradation of departmental resources or
capabilities. SOURCE: NIST SP 800-53, r4., p. B-12.
231. Integrity - Guarding against improper information modification or destruction by subjects,
and includes ensuring information non-repudiation and authenticity. SOURCE: NIST SP
800-53, r4., p. B-12.
232. Internet Control Message Protocol (ICMP) - Protocol used for the exchange of control
messages between hosts and gateways for diagnostics (e.g. ping, traceroute). Used by
attackers for MiTM, DoS, and Ping of Death attacks. Security is enhanced when this
protocol is blocked. SOURCE: Harris & Maymi, 2018.
233. Internet Group Management Protocol (IGMP) - A protocol used to manage multicasting
groups or a set of hosts anywhere on a network that are interested in a particular
multicast. Hosts send this protocol message to local agents to join and leave groups.
SOURCE: Harris & Maymi, 2018.
234. IP Security (IPsec) - Operating at OSI network layer 3, this is a suite of protocols used to
authenticate and/or encrypt each IP packet in a data stream. Includes protocols for
cryptographic key establishment used to secure connections between two devices and to
protect traffic over a VPN. SOURCE: CNSSI-4009.
235. Key - A secret value used to control cryptographic operations, such as decryption, encryption, signature generation, or signature verification. Once a message has been encrypted with a key, it cannot be recovered without the corresponding key material. In a database, a key is a database field, column or attribute. SOURCES: NIST SP 800-63-3; Chapple, Stewart, & Gibson, 2018.
236. Key Escrow - A deposit of the private key of a subscriber and other pertinent information
based on the escrow agreement or similar contract binding upon the subscriber, the terms
of which require one or more agents to hold the subscriber’s private key for the benefit of
the subscriber, an employer, or other party, based on the provisions set in the agreement,
to ensure the subscriber will always have access to the private key should the vendor no
longer be available. SOURCE: NIST SP 800-32, p. 49
237. Key Exchange - The process of two parties exchanging public keys in order to establish
secure communications. SOURCE: NIST SP 800-32, p. 49

238. Key Expansion - A function, similar in spirit to a stream cipher's keystream generation, that derives a set of round keys from a single fixed-length key; the round keys are used between rounds of a block cipher. SOURCE: Pound, 2019.
239. Key Mixing - The XOR function is applied to a key and message over encryption rounds to prevent a cipher from being reverse engineered. SOURCE: Pound, 2019.
240. Key Pair - Two mathematically related keys where one key can be used to encrypt a message that can only be decrypted using the other key, and even knowing one key, it is computationally infeasible to discover the other key. SOURCE: NIST SP 800-32, p. 49
241. Least Privilege - The principle that a security architecture should be designed so that
each entity is granted the minimum system resources and authorizations that the entity
needs to perform its function. SOURCE: CNSSI 4009-2015, p. 76.
242. Log - A record of the events occurring within an organization’s systems and networks.
SOURCE: NIST SP 800-92, p. A-1.
243. Log Analysis - Studying log entries to identify events of interest or suppress log entries
for insignificant events. SOURCE: NIST SP 800-92, p. A-1.
244. Log Clearing - Removing all entries from a log that precede a certain date and time.
SOURCE: NIST SP 800-92, p. A-1.
245. Log Management - The process for generating, transmitting, storing, analyzing, and
disposing of log data. SOURCE: NIST SP 800-92, p. A-1.
246. Log Normalization - Converting each log data field to a particular data representation
and categorizing it consistently. SOURCE: NIST SP 800-92, p. A-1.
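The log entries above (242-247) define normalization as mapping each field to a common representation and category. The following is an added example, not part of the original guide, that does this for two constructed log lines in different formats (a BSD-style syslog line from sshd and a web server Common Log Format line) and rejects anything it does not recognise. The year for syslog timestamps, the UTC zone, and the output field names are assumptions of this example; the 203.0.113.7 address is a documentation-range placeholder.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample log lines in two different formats (not taken from the page).
# 203.0.113.7 is a documentation-range address used only as a placeholder.
SAMPLE_LOGS = [
    "Mar 12 08:15:01 web01 sshd[2211]: Failed password for invalid user admin "
    "from 203.0.113.7 port 51022 ssh2",
    '203.0.113.7 - - [12/Mar/2024:08:15:09 +0000] "GET /login HTTP/1.1" 401 512',
    "this line matches no known format",
]

# BSD-style syslog: "Mon DD HH:MM:SS host app[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<app>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Common Log Format as written by web servers such as Apache httpd.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)$"
)
IPV4_RE = re.compile(r"\bfrom (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")


def _syslog_time(ts: str, year: int) -> str:
    # BSD syslog timestamps carry neither year nor zone; the caller supplies the
    # year and UTC is assumed here so every event shares one time representation.
    dt = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    return dt.replace(tzinfo=timezone.utc).isoformat()


def _clf_time(ts: str) -> str:
    # CLF carries an explicit offset; convert to UTC so all sources line up.
    dt = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return dt.astimezone(timezone.utc).isoformat()


def normalize(line: str, year: int = 2024) -> Optional[dict]:
    """Map one raw log line onto a common schema, or return None if unrecognised."""
    m = SYSLOG_RE.match(line)
    if m:
        msg = m.group("msg")
        ip = IPV4_RE.search(msg)
        is_auth = "password" in msg or "Accepted" in msg
        if "Failed password" in msg:
            outcome = "failure"
        elif "Accepted" in msg:
            outcome = "success"
        else:
            outcome = "unknown"
        return {
            "timestamp": _syslog_time(m.group("ts"), year),
            "host": m.group("host"),
            "source": m.group("app"),
            "category": "authentication" if is_auth else "other",
            "outcome": outcome,
            "src_ip": ip.group("ip") if ip else None,
            "raw": line,
        }
    m = CLF_RE.match(line)
    if m:
        status = int(m.group("status"))
        return {
            "timestamp": _clf_time(m.group("ts")),
            "host": None,
            "source": "httpd",
            "category": "http_request",
            "outcome": "failure" if status >= 400 else "success",
            "src_ip": m.group("ip"),
            "http_status": status,
            "http_method": m.group("method"),
            "url_path": m.group("path"),
            "raw": line,
        }
    return None


def normalize_all(lines, year: int = 2024) -> list:
    """Normalize a batch, dropping lines that match no known format."""
    return [ev for ev in (normalize(l, year) for l in lines) if ev is not None]
```

Once both sources share the `timestamp`, `src_ip` and `outcome` fields, the analysis step in entry 243 can correlate them (here, a failed SSH login and a 401 from the same address eight seconds apart) without caring which product wrote the line.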
247. Logic Bomb - A piece of code intentionally inserted into a software system that will set off
a malicious function when specified conditions are met. SOURCE: CNSSI 4009-2015, p.
77.
248. Logical Controls/Logical Access Controls - An automated system that controls an
individual’s ability to access one or more computer system resources such as a
workstation, network, application, or database; it requires validation of an individual’s
identity through some mechanism such as a PIN, card, biometric, or other token. It has
the capability to assign different access privileges to different persons depending on their
roles and responsibilities in an organization. SOURCE: NIST SP 800-53, R4., p. B-13.
249. Macro Viruses - A virus that attaches itself to documents and uses the macro
programming capabilities of the document’s application to execute and propagate.
SOURCE: CNSSI 4009-2015, p. 78.
250. Maintenance Hook - Code left behind in an application for developers to later access to
fix the code; functions as a back door. Poses security risks as it may be exploited by an
internal or external attacker.

251. Malware/Malicious Code - Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Other examples include spyware and some forms of adware. SOURCE: NIST SP 800-53, r4., p. B-13.
252. Mandatory Access Control (MAC) - A means of restricting access to objects based on
the sensitivity (as represented by a security label) of the information contained in the
objects and the formal authorization (i.e., clearance, formal access approvals, and need-
to-know) of subjects to access information of such sensitivity; it is also a type of
nondiscretionary access control. SOURCE: NIST SP 800-53, r4., p. B-14
253. Maximum Tolerable Down Time (MTD) - The amount of time a mission/business process can be disrupted without causing significant harm to the organization's mission. SOURCE: NIST SP 800-34, r1., p. G-2.
254. Media - Physical devices or writing surfaces including, but not limited to, magnetic tapes,
optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, and printouts
(but not including display media) onto which information is recorded, stored, or printed
within an information system. SOURCE: NIST SP 800-53, R4., p. B-14.
255. Media Sanitization - The actions taken to render data written on media unrecoverable by
both ordinary and extraordinary means. SOURCE: CNSSI 4009-2015, p. 80.
256. Memorandum of Agreement (MOA) - A type of intra-agency, interagency, or National
Guard agreement between two or more parties, which includes specific terms that are
agreed to, and a commitment by at least one party to engage in action. It includes either a
commitment of resources or binds a party to a specific action. SOURCE: CNSSI 4009-
2015, p. 81.
257. Memorandum of Understanding (MOU) - A type of intra-agency, interagency, or
National Guard agreement between two or more parties, which includes only general
understandings between the parties. It neither includes a commitment of resources nor
binds a party to a specific action. SOURCE: CNSSI 4009-2015, p. 81.
258. Message Digest (MD) - A digital signature that uniquely identifies data and has the
property that changing a single bit in the data will cause a completely different message
digest to be generated; used also in checksums to detect modification of data. SOURCE:
NIST SP 800-92 p. A-2.
259. Message Digest 2 (MD2) - Ronald Rivest's 1989 secure hash for 8-bit processors; it produces a 128-bit hash with 18 rounds of computation. SOURCES: Stewart, Chapple, & Gibson, 2018; Abernathy & McMillan, 2018.

260. Message Digest 4 (MD4) - A message digest algorithm that produces a 128-bit hash value and performs only 3 rounds of computation. SOURCE: Abernathy & McMillan, 2018.
261. Message Digest 5 (MD5) - An insecure hash function that can be used as a checksum; it produces a 128-bit hash and performs 4 rounds of computation. SOURCES: Stewart, Chapple, & Gibson, 2018; Abernathy & McMillan, 2018.
262. Message Digest 6 (MD6) - A message digest algorithm that produces a variable-length hash value, performing a variable number of computations. SOURCE: Abernathy & McMillan, 2018.
263. Message Authentication Code (MAC) - A cryptographic checksum on data that uses a
symmetric key to detect both accidental and intentional modifications of the data.
Provides authenticity and integrity protection but lacks non-repudiation protection.
SOURCES: NIST SP 800-63-3, p. 48.
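Entries 258 and 263 describe two related integrity mechanisms: an unkeyed message digest, whose value changes completely when a single bit of the input changes, and a keyed Message Authentication Code, which additionally proves that whoever computed the tag held the shared key. The block below is an added example (not code from the guide or its sources) using Python's standard library with SHA-256 and HMAC-SHA256; the message, the key and the "changed account number" modification are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample message and key; neither comes from the page. A real key
# would be random bytes shared only between the two communicating parties.
MESSAGE = b"transfer 100.00 to account 4471"
KEY = b"constructed-demo-key-replace-with-random-bytes"


def message_digest(data: bytes) -> str:
    """Unkeyed SHA-256 message digest (hex). Detects modification, not forgery."""
    return hashlib.sha256(data).hexdigest()


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with exactly one bit inverted."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def single_bit_changes_digest(data: bytes, bit_index: int = 0) -> bool:
    """The property named in entry 258: flip one bit, get an unrelated digest."""
    return message_digest(data) != message_digest(flip_bit(data, bit_index))


def make_mac(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 tag: a cryptographic checksum keyed with a symmetric key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_mac(key: bytes, data: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time (avoids timing side channels)."""
    return hmac.compare_digest(make_mac(key, data), tag)


def tampered(data: bytes) -> bytes:
    """Constructed modification of the message: the destination account changes."""
    return data.replace(b"4471", b"9999")
```

The checks in the test that accompanies this example make the distinction concrete: a modified message fails verification against the original tag, and a tag computed over the modified message with any key other than the shared one also fails. What the MAC cannot do is settle a dispute between the two key holders, because either of them could have produced a valid tag; that is the missing non-repudiation noted in entry 263, and it is why digital signatures (entry 288) use a private key held by one party only.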
264. Message Authenticity - Knowing a message or data is genuine, verified, and trusted with
assurance the originator of the message possesses the same symmetric key. SOURCE:
NISTIR 7298.
265. Metadata - Information describing the characteristics of data including, for example,
structural metadata describing data structures (e.g., data format, syntax, and semantics)
and descriptive metadata describing data contents (e.g., information security labels).
SOURCE: NIST SP 800-53, r4., p. B-14.
266. Mobile Code - Software programs or parts of programs obtained from remote information
systems, transmitted across a network, and executed on a local information system
without explicit installation or execution by the recipient. SOURCE: NIST SP 800-53, r4.,
p. B-14.
267. Mobile Device - A portable computing device that can easily be carried by a single individual; can operate without a physical connection (e.g., wirelessly transmit or receive information); has local, non-removable or removable data storage; and has a self-contained power source. Examples include smart phones, tablets, and E-readers. SOURCE: NIST SP 800-53, r4., p. B-14.
268. Mode of Operation - An algorithm for the cryptographic transformation of data that
features a symmetric key block cipher algorithm, which can be used for message
authentication. SOURCE: NISTIR 7298.
269. Multi-Factor Authentication - Authentication using two or more different factors to achieve
authentication. Factors include: Type 1 - something you know (e.g., password/PIN); Type
2 - something you have (e.g., cryptographic identification device, token); or Type 3 -
something you are (e.g., biometric). SOURCE: NIST SP 800-53, r4., p. B-14.

270. Need to Know - A determination within the executive branch in accordance with
directives issued pursuant to this order that a prospective recipient requires access to
specific classified information in order to perform or assist in a lawful and authorized
governmental function. SOURCE: CNSSI 4009-2015, p. 85.
271. Network Administrator - Ensures availability of the organization’s network resources.
Role should be separated from that of the Security Administrator role to avoid conflict of
interests.
272. Nonce - A string of bytes, often derived from a time stamp, that never repeats; it is used once in combination with a key so that the output differs every time, which guards against replay attacks. SOURCES: NISTIR 7298; Stewart, Chapple, & Gibson, 2015.
273. Non-Repudiation - Protection against an individual falsely denying having performed a
particular action. Provides the capability to determine whether a given individual took a
particular action such as creating information, sending a message, approving information,
and receiving a message. SOURCE: NIST SP 800-53, r4., p. B-15.
274. Object - Passive information system-related entity (e.g., devices, files, records, tables,
processes, programs, domains) containing or receiving information. Access to an object
(by a subject) implies access to the information it contains. SOURCE: NIST SP 800-53,
r4., p. B-16.
275. Object Identifier (OID) - The unique alpha-numeric identifier registered under the ISO; it
references a specific object or object class. In the federal government PKI they are used
to uniquely identify each of the four policies and cryptographic algorithms supported.
SOURCE: NIST SP 800-32, p. 50.
276. One-Time Pad (OTP) - A manual substitution cipher produced in pad form and used only one time, so that every message has a different key. The encryption key is XOR'd with the corresponding plaintext, and the key is the same length as the message. SOURCES: CNSSI-4009 & NISTIR 7298.
277. One-Way Function/Algorithm - Hash algorithms which map arbitrarily long inputs into a fixed-size output such that it is very difficult (computationally infeasible) to find two different hash inputs that produce the same output. Such algorithms are an essential part of the process of producing fixed-size digital signatures that can both authenticate the signer and provide for data integrity checking (detection of input modification after signature). SOURCE: CNSSI 4009-2015, p. 89.
278. Open Shortest Path First (OSPF) - A standards-based link state protocol, it is a routing protocol for IP networks. It uses link-state algorithms to calculate the shortest path between each node. SOURCE: Abernathy & McMillan, 2016.

279. Outside Threat - An unauthorized entity from outside the domain perimeter that has the
potential to harm an information system through destruction, disclosure, modification of
data, and or denial of service. SOURCE: NIST SP 800-32, p. 50.
280. Padding - Known also as traffic padding, it is mock bytes of data added to communications both to make a message meet a required block size and to disguise the size of the actual data being transmitted. SOURCES: CNSSI-4009, NISTIR 7298; Pound, 2019.
281. Passive Wiretapping - The monitoring or recording of data that attempts only to observe a communication flow and gain knowledge of the data it contains, but does not alter or otherwise affect that flow. SOURCE: CNSSI 4009-2015, p. 91.
282. Penetration Testing - A test methodology in which assessors, typically working under
specific constraints, attempt to circumvent or defeat the security features of an information
system. SOURCE: NIST SP 800-53, r4., p. B-16.
283. Personally Identifiable Information (PII) - Information which can be used to distinguish
or trace the identity of an individual (e.g., name, social security number, biometric records,
etc.) alone, or when combined with other personal or identifying information which is
linked or linkable to a specific individual (e.g., date and place of birth, mother’s maiden
name, etc.). SOURCE: NIST SP 800-53, r4., p. B-16.
284. Point-to-Point Protocol (PPP) - A full-duplex TCP protocol used to connect two endpoints over a WLAN. In a wired WAN it uses a high-bandwidth fiber cable and the traffic is dedicated to the end points. Used also to connect non-LAN connections (e.g. modems, ISDN, VPNs, Frame Relay, and dial-up connections). Considered expensive. SOURCE: Chapple, Stewart, & Gibson, 2015.
285. Point-to-Point Tunneling Protocol (PPTP) - An enhanced version of PPP that uses
generic routing encapsulation (GRE) to create encrypted tunnels between endpoints.
Used with VPN and L2TP. Uses TCP port 1723. SOURCE: Chapple, Stewart, & Gibson,
2015.
286. Portable Storage Device - An information system component that can be inserted into
and removed from an information system, and that is used to store data or information
(e.g., text, video, audio, and/or image data). SOURCE: NIST SP 800-53, r4., p. B-17.
287. Primary Rate ISDN (PRI) - A telecommunications solution that provides up to 23 B channels and a D channel for a total of 1.544 Mbps. SOURCE: Abernathy & McMillan, 2018.
288. Private Encryption Key - The key of a signature key pair used to create a digital signature; the key of an encryption key pair that is used to decrypt confidential information. In both cases, this key must be kept secret. SOURCE: NIST SP 800-32, p. 50.
289. Privileged Account - An information system account with authorizations of a privileged
user. SOURCE: NIST SP 800-53, r4., p. B-17.
290. Public-key Cryptography - Asymmetric encryption where key pairs are used to encrypt and decrypt messages. Key pairs consist of one private key and one public key (published key). Two parties agree on a cryptographic algorithm to exchange keys. A digital signature created with the private key can be verified by the corresponding public key. SOURCES: NIST SP 800-57 Part 1; NISTIR 7298; Pound, 2019.
291. Public Key Infrastructure - A set of policies, processes, server platforms, software, and workstations used for the purpose of administering certificates and public-private key pairs, including the ability to issue, maintain, and revoke public key certificates. SOURCE: NIST SP 800-32, p. 51
292. Random Bit - A bit for which an attacker has exactly a 50% probability of success of
guessing the value of the bit as either zero or one. SOURCE: NIST SP 800-106, p.4.
293. Random Value - A bit string with sufficient entropy. SOURCE: NIST SP 800-106, p.4.
294. Randomized Hashing - A technique for randomizing the input to a cryptographic hash
function. SOURCE: NIST SP 800-106, p.4.
295. Reciprocal Agreement/Reciprocity - Mutual agreement among participating
organizations to accept each other’s security assessments in order to reuse information
system resources and/or to accept each other’s assessed security posture in order to
share information. SOURCE: NIST SP 800-53, r4., p. B-18.
296. Records - The recordings (automated and/or manual) of evidence of activities performed
or results achieved (e.g., forms, reports, test results), which serve as a basis for verifying
that the organization and the information system are performing as intended; known also
as units of related data fields (i.e., groups of data fields that can be accessed by a
program and that contain the complete set of information on particular items). SOURCE:
NIST SP 800-53, r4., p. B-18.
297. Recovery Point Objective (RPO) - The point in time to which data must be recovered after an outage. SOURCE: NIST SP 800-34 r1., p. G-2.
298. Recovery Time Objective (RTO) - The overall length of time an information system’s
components can be in the recovery phase before negatively impacting the organization’s
mission or mission/business processes. SOURCE: NIST SP 800-34 r1., p. G-2.
299. Reference Monitor - A validation mechanism which, as a key component of an operating system, enforces an access control policy over all subjects and objects. It must always be invoked (i.e., complete mediation), be tamperproof, and be small enough to be subject to analysis and tests, the completeness of which can be assured (i.e., verifiable). SOURCE: NIST SP 800-53, r4., p. B-18.
300. Registration Authority - An entity that is responsible for identification and authentication of certificate subjects, but that does not sign or issue certificates; it is delegated certain tasks on behalf of an authorized CA. SOURCE: NIST SP 800-32, p. 51.
301. Remanence - Residual information remaining on storage media after clearing. See
magnetic remanence and clearing. SOURCE: CNSSI 4009-2015, p. 102.
302. Remote Access - Access to an organizational information system by a user (or a process
acting on behalf of a user) communicating through an external network (e.g., the Internet).
SOURCE: NIST SP 800-53, r4., p. B-18.
303. Remote Authentication Dial-In User Service (RADIUS) - A networking protocol comprised of a supplicant, authenticator, and an authenticating server; used to manage users through authentication, authorization, and accounting (AAA). Used also by ISPs for backend 802.1x authentication. Runs in the OSI stack for email and client/server services. SOURCES: RFC 2138; Abernathy & McMillan, 2018.
304. Repository - Also known as a directory, it is a database containing information and data
relating to certificates. SOURCE: NIST SP 800-32, p. 51.
305. Residual Risk - Portion of risk remaining after security measures have been applied.
SOURCE: CNSSI 4009-2015, p. 103.
306. Risk - An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result. SOURCE: NIST SP 800-32, p. 51.
307. Risk Assessment - The process of identifying risks to organizational operations
(including mission, functions, image, reputation), organizational assets, individuals, other
organizations, and the Nation, resulting from the operation of an information system. As
part of risk management, incorporates threat and vulnerability analyses, and considers
mitigations provided by security controls planned or in place. Synonymous with risk
analysis. SOURCE: NIST SP 800-53, r4., p. B-19.
308. Risk Management - The program and supporting processes to manage information
security risk to organizational operations (including mission, functions, image, reputation),
organizational assets, individuals, other organizations, and the Nation. It includes
establishing the context for risk-related activities, assessing risk, responding to risk once
determined, and monitoring risk over time. SOURCE: NIST SP 800-53, r4., p. B-19.
309. Risk Mitigation - Prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process. SOURCE: NIST SP 800-53, r4., p. B-19.

310. Risk Monitoring - Maintaining ongoing awareness of an organization's risk environment, risk management program, and associated activities to support risk decisions. SOURCE: NIST SP 800-53, r4., p. B-19.
311. Risk Response - Accepting, avoiding, mitigating, sharing, or transferring risk to
organizational operations (i.e., mission, functions, image, or reputation), organizational
assets, individuals, other organizations, or the Nation. SOURCE: NIST SP 800-53, r4., p.
B-19.
312. Risk Tolerance - The level of risk an entity is willing to assume in order to achieve a
potential desired result. SOURCE: NIST SP 800-32, p. 51.
313. Rivest, Shamir, and Adleman (RSA) - Bearing its inventors' names, RSA is used for encryption and digital signing. RSA uses public-key cryptography whose security rests on the difficulty of factoring the product of two large prime numbers. SOURCES: Pound, 2019; Chapple, Stewart, & Gibson, 2015.
314. Role-Based Access Control (RBAC) - Access control based on user roles (i.e., a
collection of access authorizations a user receives based on an explicit or implicit
assumption of a given role). Role permissions may be inherited through a role hierarchy
and typically reflect the permissions needed to perform defined functions within an
organization. A given role may apply to a single individual or to several individuals.
SOURCE: NIST SP 800-53, r4., p. B-20.
315. Safeguards - Protective measures prescribed to meet the security requirements (i.e.,
confidentiality, integrity, and availability) specified for an information system. Safeguards
may include security features, management constraints, personnel security, and security
of physical structures, areas, and devices. Synonymous with security controls and
countermeasures. SOURCE: NIST SP 800-53, r4., p. B-20.
316. Salt/Salting - A bit string generated during digital signature generation using the RSA
Signature Scheme; when added to passwords it adds randomness to make the password
unique. Adding salt can be done with Bcrypt and Password-Based Key Derivation
Function 2 (PBKDF2). SOURCES: NIST SP 800-106, p.4.; Stewart, Chapple & Gibson,
2015.
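Entry 316 says a salt makes each stored password unique and names PBKDF2 as one way to apply it. The following added example (not from the guide or its sources) shows why that matters: with a fixed salt, two users who chose the same password store identical verifiers, while per-user random salts make the same password produce unrelated values, and verification recomputes the derivation with the stored salt and compares in constant time. The 16-byte salt length, PBKDF2-HMAC-SHA256 and the iteration count are parameter choices assumed for this example, not values from the page.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumed parameters for this example: 16 random salt bytes and PBKDF2-HMAC-SHA256.
# The iteration count is the work factor; keep it adjustable so it can be raised
# as hardware gets faster, and store it beside each record.
SALT_BYTES = 16
DEFAULT_ITERATIONS = 600_000

PasswordRecord = Tuple[bytes, int, bytes]  # (salt, iterations, derived key)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> PasswordRecord:
    """Derive a password verifier. A fresh random salt is drawn unless one is
    supplied; supplying one is only for the no-salt demonstration below."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=32)
    return salt, iterations, dk


def verify_password(password: str, record: PasswordRecord) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    salt, iterations, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(stored))
    return hmac.compare_digest(candidate, stored)


def unsalted_hashes_collide(password: str,
                            iterations: int = DEFAULT_ITERATIONS) -> bool:
    """Failure mode: with a fixed (all-zero) salt, two users sharing a password
    store identical verifiers, so one cracked hash exposes every matching account
    and a single precomputed table serves the whole user base."""
    fixed = bytes(SALT_BYTES)
    first = hash_password(password, fixed, iterations)[2]
    second = hash_password(password, fixed, iterations)[2]
    return first == second


def salted_hashes_differ(password: str,
                         iterations: int = DEFAULT_ITERATIONS) -> bool:
    """With per-user random salts the same password yields unrelated verifiers."""
    first = hash_password(password, iterations=iterations)[2]
    second = hash_password(password, iterations=iterations)[2]
    return first != second
```

The salt is stored in the clear next to the derived key; it is not a secret, its job is only to make every derivation distinct and force an attacker to work on one account at a time.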
317. Sandboxing - A restricted, controlled execution environment that prevents potentially
malicious software, such as mobile code, from accessing any system resources except
those for which the software is authorized. SOURCE: CNSSI 4009-2015, p. 106.
318. Sanitization/Sanitize - A process to render access to target data on the media infeasible
for a given level of effort. Clear, purge, damage, and destruction are actions that can be
taken to sanitize media. SOURCE: CNSSI 4009-2015, p. 106.
319. Scoping Considerations - A part of tailoring guidance providing organizations with specific considerations on the applicability and implementation of security controls in the security control baseline. Areas of consideration include policy/regulatory, technology, physical infrastructure, system component allocation, operational/environmental, public access, scalability, common control, and security objective. SOURCE: NIST SP 800-53, r4., p. B-20.
320. Secure Hash Standard - Secure hash algorithms established by the government via the National Institute of Standards and Technology (NIST) for computing a condensed representation of electronic messages (data). There are multiple secure hash standards: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256. The secure hash algorithm is used to generate message digests. SOURCE: NISTIR 7298.
321. Secure Shell (SSH) - A protocol which allows users to remotely access systems using secure end-to-end encryption. Often used in place of FTP, Telnet, and rlogin. Uses TCP port 22. SOURCE: Chapple, Stewart, & Gibson, 2015.
322. Secure Socket Layer (SSL) - An encryption protocol that runs over TCP and performs a handshake to establish secure, private communications during internet data transmissions. Usually presented in web browsers as "https." SSL was established by Netscape. SOURCES: NISTIR 7298; Pound, 2019; Chapple, Stewart, & Gibson, 2015.
323. Secure/Multipurpose Internet Mail Extensions (S/MIME) - A set of specifications for
securing electronic mail that is based upon the widely-used MIME standard and describes
a protocol for adding cryptographic security services through MIME encapsulation of
digitally signed and encrypted objects. The basic security services offered are
authentication, non-repudiation of origin, message integrity, and message privacy.
Optional security services include signed receipts, security labels, secure mailing lists,
and an extended method of identifying the signer’s certificate(s). SOURCE: CNSSI 4009-
2015, p. 107.
324. Security Administrator - Person responsible for all security related tasks to ensure
confidentiality, integrity, and availability. This person performs due care by restricting
access to objects and resources based on the principles of need to know and least
privilege. Role should be separated from that of the Network Administrator to avoid
conflict of interests.
325. Security Assertion Markup Language (SAML) - A protocol consisting of XML-based request and response message formats for exchanging security information, expressed in the form of assertions about subjects, between on-line business partners. SOURCE: CNSSI 4009-2015, p. 108.
326. Security Control - A safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements. SOURCE: NIST SP 800-53, r4., p. B-21.
327. Security Domain - A domain that implements a security policy and is administered by a single authority. SOURCE: NIST SP 800-53, r4., p. B-22.
328. Security Information and Event Management (SIEM) Software - A program that provides centralized logging capabilities for a variety of log types. SOURCE: NIST SP 800-92, p. A-1.
329. Security Kernel - Hardware, firmware, and software elements of a trusted computing base implementing the reference monitor concept. The security kernel must mediate all accesses, be protected from modification, and be verifiable as correct. SOURCE: NIST SP 800-53, r4., p. B-23.
330. Security Label - The means used to associate a set of security attributes with a specific information object as part of the data structure for that object. SOURCE: NIST SP 800-53, r4., p. B-23.
331. Security Policy - A set of criteria for the provision of security services. SOURCE: CNSSI 4009-2015, p. 111.
332. Sensitive Information - Information where the loss, misuse, or unauthorized access or modification could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under the Privacy Act. SOURCE: NIST SP 800-53, r4., p. B-23.
333. Service Oriented Architecture (SOA) - A set of principles and methodologies for
designing and developing software in the form of interoperable services. These services
are well-defined business functions that are built as software components (i.e., discrete
pieces of code and/or data structures) that can be reused for different purposes.
SOURCE: NIST SP 800-53, r4., p. B-23.
334. Session Initiation Protocol (SIP) - A signaling protocol used to manage multimedia connections (e.g., voice, video, IP networks) while providing integrity.
335. SHA-1 - A secure hash standard with a 160-bit output; it is prone to collisions but can still be safely used within HMAC. It was replaced by SHA-2. SOURCE: Pound, 2019.
336. SHA-2 - Producing a 256 or 512-bit block message digest, SHA-2 decreases collisions
and is generally considered secure. It can be used for digital signatures, key-hash
message authentication codes, random number generation, and with other cryptographic
algorithms. SOURCES: NISTIR 7298; Pound, 2019.
337. SHA-3 - Known also as the Keccak algorithm, SHA-3 functions differently than SHA-1 and
SHA-2. It is currently being developed as an alternative to SHA-2 in the event SHA-2 is
found to be unsecure. SOURCES: Pound, 2019; Chapple, Stewart, & Gibson, 2015.

338. Simple Mail Transfer Protocol (SMTP) - A protocol for email transmission; uses TCP
Port 25.
339. Simple Network Management Protocol (SNMP) - An application layer protocol requiring
minimal software that is a standard internet protocol used for network monitoring. It is
used to retrieve information from network devices and to send configuration changes to
those devices. Uses TCP port 161. SOURCE: Abernathy & McMillan, 2018.
340. Software - Computer programs and associated data that may be dynamically written or
modified during execution. SOURCE: NIST SP 800-53, r4., p. B-23.
341. SP-Network - An encryption method that chains substitution and permutation operations
to each other in a block cipher structure. SOURCE: Pound, 2019.
342. Spyware - Software that is secretly or surreptitiously installed into an information system
to gather information on individuals or organizations without their knowledge; a type of
malicious code. SOURCE: NIST SP 800-53, r4., p. B-24.
343. Stream Cipher - An encryption algorithm that generates a pseudorandom keystream (sequence of symbols or their electrical or mechanical equivalents) and XORs each part of the keystream with the corresponding plaintext. Stream ciphers operate on one bit at a time. SOURCES: CNSSI-4009; Pound, 2019; Chapple, Stewart, & Gibson, 2015.
344. Supply Chain - Linked set of resources and processes between multiple tiers of
developers that begins with the sourcing of products and services and extends through
the design, development, manufacturing, processing, handling, and delivery of products
and services to the acquirer. SOURCE: NIST SP 800-53, r4., p. B-24.
345. Symmetric Encryption - Known also as symmetric encryption algorithm, it is encryption
that uses the same, single key for the process of encryption and decryption. SOURCE:
CNSSI-4009.
346. Synchronous Crypto-operation - Method of on-line cryptographic operation in which
cryptographic equipment and associated terminals have timing systems to keep them in
step. SOURCE: CNSSI 4009-2015, p. 119.
347. Syslog - A protocol that specifies a general log entry format and a log entry transport
mechanism. SOURCE: NIST SP 800-92, p. A-2.
348. System Development Life Cycle (SDLC) - The scope of activities associated with a
system, encompassing the system’s initiation, development and acquisition,
implementation, operation and maintenance, and ultimately its disposal that instigates
another system initiation. SOURCE: NIST SP 800-34, r1, p. G-3.
349. System Owner - Person or organization having responsibility for the development,
procurement, integration, modification, operation and maintenance, and/or final
disposition of an information system. SOURCE: CNSSI 4009-2015, p. 120.
350. TACACS+ - A Cisco proprietary authentication service that supports centralized
authentication services such as RADIUS, Telnet, rlogin, PPP, SLIP, or EXEC services.
SOURCE: Benjamin, 2005.
351. Tactical Plans - An organization’s short-term plans, covering six months to a year, with
details on how to implement the strategic plan.
352. Tailoring - The process of modifying security control baselines by identifying and
designating common controls; applying scoping to the applicability and implementation of
baseline controls; selecting compensating security controls; assigning specific values to
organization-defined security control parameters; supplementing baselines with additional
security controls or control enhancements; and providing additional specification
information for control implementation. SOURCE: NIST SP 800-53, r4., p. B-25.
353. Tangible Assets - All resources that can be physically touched, e.g. equipment,
personnel, facilities.
354. Teardrop Attack - A DoS attack that causes a buffer-overflow and a system crash due to
fragmented packets being reassembled.
355. Telnet - The abbreviated name for teletype network, it is a protocol that uses a command
line to access another host. As it does not provide encryption, the protocol poses serious
security risks, as it can be used by attackers to install malware or viruses on a targeted
system, or to extract sensitive information. Uses TCP port 23. SOURCE: RFC 855.
356. Threat - Any circumstance or event with the potential to cause harm to an information
system in the form of destruction, disclosure, adverse modification of data, and or denial
of service. SOURCE: NIST SP 800-32, p. 51.
357. Threat Agent/Threat Source - The intent and method targeted at the intentional
exploitation of a vulnerability or a situation and method that may accidentally trigger a
vulnerability. Synonymous with threat agent. SOURCE: NIST SP 800-53, r4., p. B-25.
358. Three-legged Firewall - A firewall with three interfaces allowing the addition of a DMZ; it
requires the firewall to be configured to route packets between the outside world and the
DMZ differently than between the outside world and the internal network (one interface
towards the internal network, one to the DMZ, and one to the internet). SOURCE:
Firewall.CX, 2019.
359. Tiger - A very fast hash function designed for 64-bit processors that produces hashes of
128, 160, or 192 bits. It performs 24 rounds of computation on 512-bit blocks.
360. Time Division Multiplexing (TDM) - A method of putting multiple data streams in a
single signal by separating the signal into many segments, each having a very short
duration. Each individual data stream is reassembled at the receiving end based on the
timing. SOURCE: Rouse, 2019.
361. Time of Check/Time of Use (TOC/TOU) - A timing vulnerability that occurs when a
program checks access permissions too far in advance of a resource request. SOURCE:
Chapple, Stewart, & Gibson, 2015.
362. Total Risk - The potential for the occurrence of an adverse event if no mitigating action is
taken (i.e., the potential for any applicable threat to exploit a system vulnerability).
SOURCE: NIST SP 800-16.
363. Trade Secret - Any valuable commercial information or intellectual property that provides
a business with an advantage over competitors who do not have that information.
Examples include recipes, formulas, ingredient listings, and other information that must be
protected against disclosure. SOURCES: The Free Dictionary; Abernathy & McMillan,
2018.
364. Trademark - A registered word, slogan, or logo used to identify a company and its
products or services. SOURCE: Chapple, Stewart, & Gibson, 2015.
365. Transport Layer (Layer 4) - The OSI layer that receives data from OSI layers 7, 6, and 5
and then adds information to identify the transport protocol and the port numbers in use at
layer 7. SOURCE: Abernathy & McMillan, 2018.
366. Transport Layer Security/Secure Sockets Layer (TLS/SSL) - A security protocol
providing privacy and data integrity between two communicating applications. The
protocol is composed of two layers: the TLS Record Protocol and the TLS Handshake
Protocol. SOURCE: CNSSI 4009-2015, p. 125.
367. Transmission Control Protocol (TCP) - A reliable, error-free, connection-oriented
transmission protocol that uses a three-way handshake to establish communications (SYN,
SYN/ACK, ACK); it uses well-known ports 0-1023. It enables two hosts to establish a
connection and exchange streams of data with a guarantee that transmitted packets will
be delivered in the same order in which they were sent. SOURCE: NIST SP 800-82, r2.,
p. B-17.
368. Transport Layer Security (TLS) - The current replacement for Secure Socket Layer
(SSL), also known as SSL 3 or TLS 1. TLS uses TCP port 443. SOURCE: Pound, 2019;
Chapple, Stewart, & Gibson, 2015.
369. Transposition cipher - Cipher that uses an encryption algorithm to rearrange the letters
of a plaintext message to form the ciphertext message. SOURCE: Chapple, Stewart, &
Gibson, 2015.
370. Trapdoor - A means of reading cryptographically protected information by the use of
private knowledge of weaknesses in the cryptographic algorithm used to protect the data.
See backdoor. Also, in cryptography, a one-to-one function that is easy to compute in one
direction, yet believed to be difficult to invert without special information. SOURCE:
CNSSI 4009-2015, p. 126.
371. Triple DES (3DES) - An implementation of the data encryption standard (DES) algorithm
that uses three passes of the DES algorithm instead of one as used in ordinary DES
applications. Triple DES provides much stronger encryption than ordinary DES but it is
less secure than advanced encryption standard (AES). SOURCE: CNSSI 4009-2015, p.
126.
372. Trojan horse - A computer program that appears to have a useful function, but also has a
hidden and potentially malicious function that evades security mechanisms, sometimes by
exploiting legitimate authorizations of a system entity that invokes the program. SOURCE:
CNSSI 4009-2015, p. 126.
373. Trusted Agent - Entity authorized to act as a representative of an Agency in confirming
subscriber identification during the registration process. They do not have automated
interfaces with Certification Authorities. SOURCE: NIST SP 800-32, p. 51.
374. Trusted Certificate - A certificate that is trusted by the relying party on the basis of
secure and authenticated delivery. The public keys included in trusted certificates are
used to start certification paths. Known also as “trust anchor.” SOURCE: NIST SP 800-32,
p. 51.
375. Trusted Computing Base (TCB) - Totality of protection mechanisms within a computer
system, including hardware, firmware, and software, the combination responsible for
enforcing a security policy. SOURCE: CNSSI 4009-2015, p. 127.
376. Trusted Path - A mechanism by which a user (through an input device) can communicate
directly with the security functions of the information system with the necessary
confidence to support the system security policy. This mechanism can only be activated
by the user or the security functions of the information system and cannot be imitated by
untrusted software. SOURCE: NIST SP 800-53, r4., p. B-25.
377. Trusted Platform Module (TPM) - A tamper-resistant integrated circuit built into some
computer motherboards that can perform cryptographic operations (including key
generation) and protect small amounts of sensitive information, such as passwords and
cryptographic keys. SOURCE: NIST SP 800-147, p. B-1.
378. Trusted Recovery - Ability to ensure recovery without compromise after a system failure.
SOURCE: CNSSI 4009-2015, p. 127.
379. Trusted Third-Party Federated Identity Model - A federated identity model in which
each organization subscribes to the standards of a third party. SOURCE: Abernathy &
McMillan, 2018.
380. Tumbler Lock - A cylinder-type lock, operated with a key, that uses tumbler pins, wafers,
wards, or levers to control the lock’s operation. Movable pins prevent the lock from opening
unless a key correctly rotates the pins into position to open the lock.
381. Twisted Pair - Two independently insulated, thin diameter, copper wires that are twisted
loosely around each other to prevent cross-talk and electromagnetic interference.
Typically terminated with an RJ45 connector and used with 10BaseT, it is the Ethernet
wiring standard for 10 Mbps for distances of up to 100 meters. SOURCE: LINFO, 2005.
382. Two-Person Control - The continuous surveillance and control of material at all times by
a minimum of two authorized individuals, each capable of detecting incorrect or
unauthorized procedures with respect to the task being performed and each familiar with
established security requirements. SOURCE: CNSSI 4009-2015, p. 127.
383. Twofish - A 1998 block cipher by Counterpane Labs that has a 128-bit block size and a key
size ranging from 128 to 256 bits, and is optimized for 32-bit CPUs; there is no current
successful cryptanalysis of Twofish. SOURCE: Schneier, 2019.
384. Unicast - A one-to-one transmission between systems.
385. Uninterruptible Power Supply (UPS) - A device with an internal battery that allows
connected devices to run for at least a short time when the primary power source is lost. It
should be located between the wall outlet and the electronic device. SOURCES: NISTIR
7621, r.1, p. 18; Abernathy & McMillan, 2018.
386. United States Sentencing Guidelines of 1991 - Legislation which established
sentencing policies and practices for the federal criminal justice system for individuals and
organizations convicted of federal crimes such as Class A misdemeanors. SOURCE: U.S.
Sentencing Commission, 2019.
387. URL Hiding - An attack that takes advantage of the ability to embed URLs in web pages
and email. SOURCE: Abernathy & McMillan, 2018.
388. USA PATRIOT Act of 2001 (Uniting and Strengthening America by Providing
Appropriate Tools Required to Intercept and Obstruct Terrorism) - Legislation
enacted after September 11, 2001, which increased the ability of law enforcement and
intelligence agencies to conduct monitoring and other activities against suspected
terrorists. SOURCE: U.S. DOJ, 2019.
389. User - Individual, or (system) process acting on behalf of an individual, authorized to
access an information system. SOURCE: NIST SP 800-53, r4., p. B-26.
390. Verification - Confirmation, through the provision of objective evidence, that specified
requirements have been fulfilled. May also be the process of confirming or denying
identification claimed by a subject based on comparing authentication factors of the
person requesting access to an object or resources. SOURCE: NIST SP 800-161.
391. Very High Bit-Rate DSL (VDSL) - An advanced version of DSL broadband internet, with
downloads of up to 52 Mbps. SOURCE: Frontier, 2019.
392. View - A client interface used to interact with a database to limit what a subject can see
and do with the database. SOURCE: Chapple, Stewart, & Gibson, 2015.
393. Virtual LAN (VLAN) - A logical network segmentation implemented on switches and
bridges to manage traffic. When multiples are used on a single switch, they are
considered separate physical networks and function as such. SOURCE: Chapple,
Stewart, & Gibson, 2015.
394. Virtual Private Network (VPN) - Protected information system link utilizing tunneling,
security controls, and endpoint address translation, giving the impression of a dedicated
line. SOURCE: NIST SP 800-53, r.4.
395. Virtual Storage Area Network (VSAN) - A collection of ports from the set of connected
Fibre Channel switches (FCS), grouped to increase storage scalability within a network.
SOURCE: Sibergen, 2019.
396. Virus - A computer program containing a malicious segment that attaches itself to an
application or program or another executable component. SOURCE: NIST SP 800-47.
397. Vishing - Phishing which targets Voice over IP systems by spoofing the caller’s number
to evade caller ID. SOURCE: Chapple, Stewart, & Gibson, 2015.
398. Volatile Memory - Memory that loses its content when power is turned off or lost.
SOURCE: NIST SP 800-72, p.59.
399. V-Shaped Model - A development model which plans steps in a V format to emphasize
the formal verification and validation at each step of the product’s development.
SOURCE: Harris & Maymi, 2018.
400. Vulnerability - Weakness in an information system, system security procedures, internal
controls, or implementation that could be exploited or triggered by a threat source.
SOURCE: NIST SP 800-53, r4., p. B-25.
401. Vulnerability Assessment - Systematic examination of an information system or product
to determine the adequacy of security measures, identify security deficiencies, provide
data from which to predict the effectiveness of proposed security measures, and confirm
the adequacy of such measures after implementation. SOURCE: NIST SP 800-53, r4., p.
B-25.
402. War Chalking - Used in the late 1990s, a type of graffiti used among attackers to inform
each other of unprotected wireless networks in an area.
403. War Driving - Used by attackers to search out the access point radio signals of unprotected
wireless networks.
404. Warded Lock - A lock with obstructions that will not open unless a key with
corresponding notches is used.
405. Warm Site - A leased or rented facility partially equipped with configured equipment and
includes utilities but not computer equipment. SOURCE: Harris & Maymi, 2018.
406. Waterfall Model - Development model that uses a linear-sequential life-cycle approach,
where each stage must be fully completed before the next stage can begin. SOURCE:
Harris & Maymi, 2018.
407. Wave Motion Detector - Known also as a microwave motion sensor, it emits waves
which are then reflected back to the device receiver to detect moving objects.
408. Web Application Security Consortium (WASC) - A 501(c)(3) nonprofit made up of an
international group of experts, industry practitioners, and organizational representatives
who produce open source and widely agreed upon best-practice security standards for
the World Wide Web.
409. Wet Pipe Fire Extinguisher - A fire extinguisher system in which water is constantly
maintained within the sprinkler piping. When a sprinkler activates, this water is
immediately discharged onto the fire (not optimal for rooms with electrical equipment).
SOURCE: VFP Fire Systems, 2019.
410. Whaling - A specific kind of phishing that targets high-ranking members of organizations.
SOURCE: CNSSI 4009-2015, p. 132.
411. White Box Testing - A test method that assumes explicit and substantial knowledge of
the internal structure and implementation detail of the assessment object. SOURCE: NIST
SP 800-53A, r4.
412. Whitelisting - The process used to identify software programs that are authorized to
execute on an information system, or authorized URLs and websites. SOURCE: NIST SP
800-53, r4., p. B-26.
413. Wide Area Network (WAN) - A physical or logical network that provides data
communications to a larger number of independent users than are usually served by a
local area network (LAN) and that is usually spread over a larger geographic area than
that of a LAN. SOURCE: NIST SP 800-82, r2., p. B-18.
414. Wi-Fi Protected Access 2 (WPA2) - The approved Wi-Fi Alliance interoperable
implementation of the IEEE 802.11i security standard. For federal government use, the
implementation must use federal information processing standards (FIPS) approved
encryption, such as advanced encryption standard (AES). SOURCE: CNSSI 4009, p. 132.
415. Wired Equivalent Privacy (WEP) - A security protocol, specified in the IEEE 802.11
standard, that is designed to provide a WLAN with a level of security and privacy
comparable to what is usually expected of a wired LAN. Weaknesses have been found in
it, and it is no longer considered a viable encryption mechanism. SOURCE: NIST
SP 800-48, r1., p. B-1.
416. Wireless Local Area Network (WLAN) - A group of wireless APs and associated
infrastructure within a limited geographic area, such as an office building or building
campus, that is capable of radio communications. WLANs are usually implemented as
extensions of existing wired LANs to provide enhanced user mobility. SOURCE: NIST SP
800-48, r1., p. B-1.
417. Work Factor - Estimate of the effort or time needed by a potential perpetrator, with
specified expertise and resources, to overcome a protective measure. SOURCES: CSRC;
CNSSI 4009, p. 133.
418. Worm - A computer program that can run independently, can propagate a complete
working version of itself onto other hosts on a network, and may consume computer
resources destructively. SOURCE: NIST SP 800-82, r2.
419. WPA2 - The approved Wi-Fi Alliance interoperable implementation of the IEEE 802.11i
security standard. For federal government use, the implementation must use federal
information processing standards (FIPS) approved encryption, such as advanced
encryption standard (AES). SOURCE: CSRC, under WPA2.
420. X.25 - The ITU-T standard that defines how connections between DTE and DCE are
maintained for remote terminal access and computer communications in PDNs. It
specifies LAPB, a data link layer protocol, and PLP, a network layer protocol. Frame
Relay has to some degree superseded this protocol. SOURCE: Cisco, 2019.
421. Zachman Framework - A schema used in software development processes in which
questions (what, how, when, who, where, and why) are intersected with answers related
to identification, definition, representation, specification, configuration, and instantiation.
SOURCE: Zachman, 2019.
422. Zero Day Attack - An attack that exploits a previously unknown hardware, firmware, or
software vulnerability. SOURCE: CNSSI 4009-2015, p. 133.
423. Zero-knowledge Proof - Allows a claimant to be authenticated to a Verifier without
revealing the encryption key, password, or other information to the Verifier. SOURCE:
NIST SP 800-63-3.
REFERENCES

(n.d.). Border Gateway Protocol (BGP). Cisco. Retrieved from:
https://www.cisco.com/c/en/us/products/ios-nx-os-software/border-gateway-protocol-
bgp/index.html

(n.d.). X.25 Protocol. Cisco. Retrieved June 16, 2019 from:
https://www.cisco.com/c/en/us/tech/wan/x-25-protocols/index.html

(n.d.). Glossary, Computer Security Resource Center (CSRC). Recommendations from the
Information Technology Laboratory (ITL), National Institute of Standards and Technology
(NIST). Retrieved from: https://csrc.nist.gov/Glossary

(1983, May). RFC 855, Telnet Option Specifications. Network Working Group. Recommendations
from the Internet Engineering Task Force (IETF). Retrieved from:
https://tools.ietf.org/html/rfc855

(1991). Federal Sentencing Guidelines Manual. U.S. Sentencing Commission. Retrieved June
16, 2019 from: https://www.ussc.gov/guidelines/archive/1991-federal-sentencing-
guidelines-manual

(1997, April). RFC 2138, Remote Authentication Dial In User Service (RADIUS). Network
Working Group. Recommendations from the Internet Engineering Task Force (IETF).
Retrieved from: https://www.ietf.org/rfc/rfc2138.txt

(2001, November). Federal Information Processing Standards Publication (FIPS) 197,
Announcing the Advanced Encryption Standard (AES). Recommendations from the
National Institute of Standards and Technology. Retrieved from:
https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf

(2005). Twisted Pair Definition. The Linux Information Project (LINFO). Retrieved June 16, 2019
from: http://www.linfo.org/twisted_pair.html

(2006, March). Federal Information Processing Standards Publication (FIPS) 200, Minimum
security requirements for federal information and information systems.
Recommendations from the National Institute of Standards and Technology. Retrieved
from: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.200.pdf

(2011, March). NIST SP 800-39, Managing information security risk: organization, mission, and
information system view. Joint Task Force Transformation Initiative. Computer Security
Division, ITL, NIST, Gaithersburg, MD. Recommendations from the National Institute of
Standards and Technology. Retrieved from:
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf

(2012, March 16). IEEE 828, Standard for Configuration Management in Systems and Software
Engineering. Recommendations from the IEEE. Retrieved June 14, 2019 from:
https://standards.ieee.org/standard/828-2012.html

(2013, April). NIST, SP 800-53, Rev.4, Security and privacy controls for federal information
systems and organizations. Recommendations from the Joint Task Force
Transformation Initiative and the National Institute of Standards and Technology.
Retrieved from: http://dx.doi.org/10.6028/NIST.SP.800-53r4

(2019). Online dictionary. Merriam-Webster, Inc. Retrieved from: https://www.merriam-
webster.com/dictionary/attenuation

(2019). Trade Secret. The Free Legal Dictionary. Retrieved on June 16, 2019 from: https://legal-
dictionary.thefreedictionary.com/trade+secret

(2019). Three-legged firewall, Firewall Topologies. Firewall.CX. Retrieved on June 16, 2019
from: http://www.firewall.cx/networking-topics/firewalls/209-firewall-topologies.html

(2019). The USA PATRIOT Act: Preserving Life and Liberty. The U.S. Department of Justice.
Retrieved June 16, 2019, from: https://www.justice.gov/archive/ll/highlights.htm

(2019). What is VDSL? The Connection. Frontier Communications, Inc. Retrieved June 16,
2019, from: https://internet.frontier.com/resources/resources/dsl-demystified/what-is-
vdsl/

(2019). What is vSAN technology and why do you need it? Sibergen Technologies. Retrieved
June 16, 2019, from: https://sibergen.com/vsan-technology-need/

(2019). Wet Pipe Fire Sprinkler System. VFP Fire Systems. Retrieved June 16, 2019 from:
https://www.vfpfire.com/systems-wet-pipe.php

Abernathy, R. & McMillan, T. (2018). CISSP Cert Guide, 3rd Edition, Glossary, pp.613-669.
Pearson Education, Indianapolis, Indiana.

Ayers, R., Brothers, S., & Jansen, W. (2014, May). NIST SP 800-101, Rev.1, Guidelines on
mobile device forensics. Recommendations of the National Institute of Standards and
Technology. Retrieved from:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-101r1.pdf

Bader, L., Souppaya, M., Trapnell, M., Trapnell, E., Yaga, D., & Scarfone, K. (2016, December).
NIST SP 800-179, Guide to securing Apple OS X 10.10 systems for IT professionals: a
NIST security configuration checklist. Retrieved from:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-179.pdf

Bakiciol, T., Cojacaru-Durand, N., & Lu, D. (n.d.). Basel II. Princeton University. Retrieved from:
https://www.princeton.edu/~markus/teaching/Eco467/10Lecture/Basel2_last.pdf

Barker, E. (2016, January). Recommendation for Key Management, NIST SP 800-57 Pt.1, Rev.
4. Recommendations from the National Institute of Standards and Technology.
Retrieved from: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-
57pt1r4.pdf

Barker, E., & Kelsey, J. (2015, June). NIST SP 800-90A Rev.1, Recommendation for random
number generation using deterministic random bit generators. Recommendations from
the National Institute of Standards and Technology. Retrieved from:
http://dx.doi.org/10.6028/NIST.SP.800-90Ar1

Benjamin, H. (2005, October 28). Terminal Access Controller Access Control System Plus
(TACACS+). CCIE Self-Study: Security Protocols. Cisco Press. Retrieved on June 16,
2019 from: http://www.ciscopress.com/articles/article.asp?p=422947&seqNum=4

Boyens, J., Paulsen, C., Moorthy, R., & Bartol, N. (2015, April). NIST SP 800-161, Supply chain
risk management practices for federal information systems and organizations.
Recommendations from the National Institute of Standards and Technology. Retrieved
from: http://dx.doi.org/10.6028/NIST.SP.800-161

Brewer, D., & Nash, M. (1989). The Chinese wall security policy. Gamma Secure Systems
Limited. Glenhurst Close, Blackwater, Camberley, Surrey, GU17 9BQ, UK. Retrieved from
Purdue University:
https://www.cs.purdue.edu/homes/ninghui/readings/AccessControl/brewer_nash_89.pdf

Chapple, M., Stewart, J.M., & Gibson, D. (2018). Glossary for the CISSP (ISC)2 Certified
Information Systems Security Professional Official Study Guide, Eighth Edition. [Apple
iBooks]. Sybex. John Wiley & Sons, Inc., Indianapolis, Indiana.

Cooper, D., Polk, W., Regenscheid, A., & Souppaya, M. (2011, April). NIST SP 800-147, BIOS
protection guidelines. Recommendations of the National Institute of Standards and
Technology. Retrieved from:
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-147.pdf

Dang, Q. (2009, February). NIST SP 800-106, Randomized hashing for digital signatures.
Computer Security Division, Information Technology Laboratory. Recommendations of
the National Institute of Standards and Technology. Retrieved from:
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-106.pdf

Dang, Q. (2012, August). NIST SP 800-107, Rev. 1, Recommendation for applications using
approved hash algorithms. Recommendations of the National Institute of Standards and
Technology. Retrieved from:
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-107r1.pdf

Dempsey, K., Eavy, P., & Moore, G. (2017, June). NISTIR 8011 Vol. 1, Automation support for
security control assessments, Vol. 1: overview. Recommendations of the National
Institute of Standards and Technology. Retrieved from:
https://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8011-1.pdf

Dempsey, K., Chawla, N., Johnson, A., Johnston, R., Jones, A., Orebaugh, A., Scholl, M., &
Stine, K. (2011, September). NIST SP 800-137, Information security continuous
monitoring (ISCM) for federal information systems and organizations. Recommendations
of the National Institute of Standards and Technology. Retrieved from:
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf

Doraiswamy, A. (2011, October 25). Blind SQL Injection 1.0 - attack anatomy. INFOSEC.
Retrieved June 14, 2019, from: https://resources.infosecinstitute.com/blind-sql-injection/

Dukes, C. (2015, April). Committee on National Security Systems Instruction (CNSSI) No. 4009.
Retrieved from: https://rmf.org/wp-content/uploads/2017/10/CNSSI-4009.pdf

Dworkin, M. (2007, November). NIST SP 800-38D, Recommendation for block cipher modes of
operations: Galois/Counter Mode (GCM) and GMAC. Computer Security Division,
Information Technology Laboratory. Recommendations from the National Institute of
Standards and Technology. Retrieved from:
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf

Frankel, S., Hoffman, P., Orebaugh, A., & Park, R. (2008, July). NIST SP 800-113, Guide to
SSL VPNs. Recommendations of the National Institute of Standards and Technology.
Retrieved from: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-
113.pdf

Freeman, Z. (2014). SQL: What is a base relation? Quora. Retrieved June 14, 2019 from:
https://www.quora.com/SQL-What-is-a-base-relation

Grassi, P., Garcia, M., & Fenton, J. (2017, June). NIST SP 800-63-3, Digital identity guidelines.
Recommendations from the National Institute of Standards and Technology. Retrieved
from: https://doi.org/10.6028/NIST.SP.800-63-3

Harris, S., & Maymi, F. (2018). All in One CISSP Exam Guide, 8th Ed., Apple iBook conversion
by Code Mantra. McGraw Hill Education. New York, NY.

Hu, C., Ferraiolo, D., & Kuhn, D. (2006, September). NISTIR 7316, Assessment of Access Controls.
Recommendations of the National Institute of Standards and Technology. Retrieved
from: https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7316.pdf

Hu, C., Kuhn, R., & Yaga, D. (2017, June). NIST SP 800-192, Verification and test methods for
access control policies/models. Recommendations of the National Institute of Standards
and Technology. Retrieved from:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-192.pdf

Jansen, W., & Ayers, R. (2004, November). NIST SP 800-72, Guidelines on PDA Forensics.
Recommendations from the National Institute of Standards and Technology. Retrieved
from: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-72.pdf

Kent, K., & Souppaya, M. (2006, September). NIST SP 800-92, Guide to Computer Security Log
Management. Recommendations from the National Institute of Standards and
Technology. Retrieved from:
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-92.pdf

Kissel, R. (2013, May). Glossary of Key Information Security Terms, NISTIR 7298, Rev.2. U.S.
Department of Commerce, National Institute of Standards and Technology. Retrieved
from: https://doi.org/10.6028/NIST.IR.7298r2

Kuhn, D., Hu, V., Polk, W., & Chang, S. (2001, February). NIST SP 800-32, Introduction to
public key technology and the federal PKI infrastructure. Recommendations from the
National Institute of Standards and Technology. Retrieved from:
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-32.pdf

Miessler, D. (2014, June 28). The Birthday Attack. Daniel Miessler, online. Retrieved from:
https://danielmiessler.com/study/birthday_attack/

Nieles, M., Dempsey, K., & Pillitteri, V. (2017, June). NIST SP 800-12, Rev.1, An Introduction to
Information Security. Recommendations from the National Institute of Standards and Technology.
Retrieved from: https://doi.org/10.6028/NIST.SP.800-12r1

Norton. (2019). What is a botnet? Malware. Norton by Symantec. Retrieved from:
https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html

Padgette, J., Bahr, J., Holtmann, M., Smithbey, R., & Scarfone, K. (2017, May). NIST SP 800-121
Rev. 2, Guide to Bluetooth security. Recommendations of the National Institute of
Standards and Technology. Retrieved from:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-121r2.pdf

Paulsen, C., & Toth, P. (2016, November). NISTIR 7621, R1, Small business information
security: the fundamentals. Recommendations of the National Institute of Standards and
Technology. Retrieved from: https://doi.org/10.6028/NIST.IR.7621r1

Pound, M. (2019). Encryption Glossary, Version 1.5. O’Reilly Online Training, Introduction to
Encryption. Retrieved June 8, 2019 from: https://cryptography.io/en/latest/glossary/

Regenscheid, A., & Beier, G. (2011, September). NISTIR 7711, Security best practices for the
electronic transmission of election materials for UOCAVA voters. Information
Technology Laboratory. Recommendations of the National Institute of Standards and
Technology. Retrieved from: https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7711.pdf

Ross, R., McEvilley, M., & Oren, J. C. (2016, November). NIST SP 800-160, Systems Security
Engineering, Considerations for a multidisciplinary approach in the engineering of
trustworthy secure systems. Recommendations of the National Institute of Standards
and Technology. Retrieved from: https://doi.org/10.6028/NIST.SP.800-160

Ross, R., Viscuso, P., Guissanie, G., Dempsey, K., & Riddle, M. (2016, December). NIST SP
800-171, Rev.1, Protecting controlled unclassified information in nonfederal systems and
organizations. Recommendations of the National Institute of Standards and Technology.
Retrieved from: https://doi.org/10.6028/NIST.SP.800-171r1

Ross, R., Swanson, M., Katzke, S., & Johnson, A. (2004, May). NIST SP 800-37 Rev.1, Guide
for the security certification and accreditation of federal information systems.
Recommendations from the National Institute of Standards and Technology. Retrieved
from: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-37.pdf

Rouse, M. (2019). Time-division multiplexing (TDM). TechTarget. Retrieved on June 16, 2019
from: https://whatis.techtarget.com/definition/time-division-multiplexing-TDM

Schneier, B. (2019). The Blowfish encryption algorithm. Schneier on Security. Retrieved June 14,
2019, from: https://www.schneier.com/academic/blowfish/

Schneier, B. (2019). Twofish. Schneier on Security. Retrieved June 14, 2019, from:
https://www.schneier.com/academic/twofish/

Shirey, R. (2007, August). IETF RFC 2828, Internet Security Glossary. Internet
Engineering Task Force (IETF). Retrieved from: https://www.rfc-editor.org/info/rfc2828

Stoneburner, G., Hayden, C., & Feringa, A. (2004, June). NIST SP 800-27 Rev A.,
Engineering Principles for Information Technology Security (A Baseline for Achieving
Security). Recommendations from the National Institute of Standards and Technology.
Retrieved from: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-27ra.pdf

Stouffer, K., Pillitteri, V., Lightman, S., Abrams, M., & Hahn, A. (2015, May). NIST SP 800-82,
Guide to Industrial Control Systems (ICS). Recommendations from the National Institute
of Standards and Technology. Retrieved from: http://dx.doi.org/10.6028/NIST.SP.800-82r2

Swanson, M., Bowen, P., Phillips, A., Gallup, D., & Lynes, D. (2010, May). NIST SP 800-34 R1.,
Contingency planning guide for federal information systems. Recommendations from the
National Institute of Standards and Technology. Retrieved from:
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf

Symanovich, S. (2019). What is a privacy breach? Norton by Symantec. Retrieved June 14,
2019 from: https://us.norton.com/internetsecurity-privacy-what-is-a-privacy-breach.html

Tracy, M., Jansen, W., Scarfone, K., & Butterfield, J. (2007, February). NIST SP 800-45 v.2,
Guidelines on electronic mail security. Recommendations from the National Institute of
Standards and Technology. Retrieved from:
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-45ver2.pdf

Wilson, M., Zafra, D., Pitcher, S., Tressler, J., & Ippolito, J. (1998, April). NIST SP 800-16,
Information Technology Security Training Requirements: A role- and performance-based
model. Recommendations from the National Institute of Standards and Technology.
Retrieved from: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-16.pdf

Zachman, J. (2019). The concise definition of The Zachman Framework by John A. Zachman.
Zachman International. Retrieved June 16, 2019 from: https://www.zachman.com/about-the-zachman-framework

CISSP Flashcards

Created By: S.E. Williams, Teaching Assistant

Description: Use these flashcards to learn terms related to CISSP!

Domain 1:
Access Controls -
https://quizlet.com/276590324/d1-access-controls-and-access-control-categories-flash-cards/?i=10e3tr&x=1jqY
Control Frameworks -
https://quizlet.com/246556168/d1-control-frameworks-flash-cards/?i=10e3tr&x=1jqY
Domain 4:
Firewall Architecture -
https://quizlet.com/265509987/d4-1-firewall-architecture-cissp-domain-4-communication-and-network-security-flash-cards/?i=10e3tr&x=1jqY
WAN Technologies -
https://quizlet.com/265502433/cissp-d4-wan-technologies-flash-cards/?i=10e3tr&x=1jqY
OSI and TCP Models -
https://quizlet.com/265780566/cissp-d4-osi-and-tcp-models-flash-cards/?i=10e3tr&x=1jqY
Wireless Networks -
https://quizlet.com/276205999/cissp-d4-wireless-networks-flash-cards/?i=10e3tr&x=1jqY
Types of Cyber Attacks -
https://quizlet.com/265725495/cissp-d4-types-of-cyber-attacks-flash-cards/?i=10e3tr&x=1jqY
Network Devices -
https://quizlet.com/265505403/cissp-d4-network-devices-flash-cards/?i=10e3tr&x=1jqY

Domain 5:
Access Control Security Models -
https://quizlet.com/276308688/cissp-d5-access-control-security-models-flash-cards/?i=10e3tr&x=1jqY
Domain 6:
Security Assets and Testing -
https://quizlet.com/257163130/cissp-d6-security-assets-and-testing-flash-cards/?i=10e3tr&x=1jqY
Domain 7:
Security Operations -
https://quizlet.com/257455186/cissp-d7-security-operations-flash-cards/?i=10e3tr&x=1jqY
Domain 8:
Software Development Security Flashcards -
https://quizlet.com/249544355/cissp-d8-software-development-security-flash-cards/?i=10e3tr&x=1jqY

CISSP Review Questions

Kelly Handerhan’s CISSP Preparation Course  

CISSP Exam Review Questions 

Domain 1: Information Security and Risk Management 

1. A security model called “The State Machine Model” dictates that a system is not secure unless it is
protected in all of its states (Startup, Function, and Shutdown). This requirement includes the
necessity of responding to security violations/failures in such a way that no further compromises can be
successful. This is an example of what security concept?

a. Open Design
b. Closed Design
c. Trusted Recovery
d. Least Privilege

2. OpenSSL was compromised recently by the Heartbleed bug. Certain versions of OpenSSL were
vulnerable to attempts to read memory content, which ultimately led to the exposure of private keys of
service providers and other protected information. Many security professionals feel that open design is
better than closed design. What one consideration is usually necessary to allow an open design to provide
greater security?

a. Peer Review
b. Security through obscurity
c. Complexity of design
d. Trusted hierarchy

Not for reproduction or sale  107

3. A security concern in an environment that uses private keys is that a user’s private key may become
corrupted. In order to mitigate the difficulties this corruption would cause, we often select a key recovery
agent who is able to backup and recover those keys. However, by granting a single individual the ability
to recover the private keys of users, we risk eliminating non-repudiation of actions. Which principle
might best be implemented?

a. Separation of duties
b. Principle of least privilege
c. Dual control
d. Need to know

Source Video 
Skills Tested: Develop and implement documented security policy, standards, procedures, and
guidelines. Additional focus on the need for a common baseline level of good practice.

4. In order for a Business Continuity Planning committee to be successful, they must have the support of
senior management. The development of a BCP takes time, resources and money. At what phase of the
BCP process does Senior Management provide (in writing) its commitment to support, fund and assist
with the creation of this plan?

a. Project Initiation
b. Planning
c. Implementation
d. Development

5. A senior manager has requested that you take over the project to develop a business continuity plan.
The previous project manager was removed from the project because he was behind schedule and over
budget. The manager has asked that you get things back on track as quickly as possible. In reviewing
documentation, you determine there is no signed BCP policy. What should you do?

a. Begin work immediately and have senior management write a policy once the project is
back on track.
b. Before beginning work, obtain a signed policy/charter from senior management.
c. Begin work immediately and use the Business Impact Analysis in lieu of a policy.
d. At this point in time, it is too late to worry about policy. Begin immediately and work
towards correcting the course of the project.

6. Some organizations split the Business Impact Analysis and Risk Analysis as two separate processes. In
this case, what is the difference between the two?

a. Risk analysis deals with a monetary potential for loss. The Business Impact Analysis
provides a more qualitative assessment.
b. Risk analysis is authorized in the policy; the Business Impact Analysis is a function of the
project manager.
c. Risk Analysis looks at threats and vulnerabilities, and the Business Impact Analysis looks
at the impact the implemented security controls have on the organization.
d. The Business Impact Analysis looks at business processes and prioritizes them based on
criticality. Risk Analysis looks at the probability and impact of a threat compromising an asset.

Source Video 
Skills Tested: Understand advanced concepts of Disaster Recovery Planning and Business 
Continuity Planning. 

7. Though Senior Management is responsible for ensuring that the BCP is thoroughly tested and
that the tests are reviewed, they are rarely involved in technical details. If senior management specifies
that data is to be current within one hour’s time, who is responsible for ensuring the technology is in place
to achieve those goals?

a. The network administrator
b. The functional manager
c. The BCP committee
d. The salvage team

8. A disaster recovery plan should detail the criteria to be met in order to declare a disaster. Who
can make this decision and declare an organization-wide disaster?

a. Anyone
b. Board of Directors
c. Steering Committee
d. Senior Management

9. The BCP committee should be a cross-functional team that is representative of the departments within
the organization. Of the following, what is the most important activity that the BCP team will perform?

a. Restore critical operations in the event of a disaster.
b. Conduct the Business Impact Analysis.
c. Promptly declare that a disaster has occurred and begin implementing phase one of the
plan.
d. Create a testing strategy and review the tests for accuracy.

10. Which team is responsible for the restoration of services and operations at the organization’s
permanent facility after a disaster has taken place?

a. Recovery Team
b. Salvage Team
c. Continuity Team
d. Senior management

Source Video 
Skills Tested: Understand the advanced concepts of Disaster Recovery Planning and Business 
Continuity Planning and the individual and team roles and responsibilities 

11. An organization may likely have employees with physical or other impairments. In the event of a
disaster, these employees may need assistance in getting to safety. Which plan would include detail on
how these employees will get to safety?

a. Occupant Emergency Plan
b. Disaster Recovery Plan
c. Continuity of Operations Plan
d. Emergency Notification Plan

12. There are several sub-plans that are part of the overall Business Continuity Plan. These plans serve
one of three purposes: Protect, Recover, Sustain. Which function does the Continuity of Operations Plan
(COOP) provide?

a. Rescue
b. Recovery
c. Sustain
d. None of the Above

13. The plan that is responsible for describing the steps necessary to restore the most critical
business operations in the event of a disaster is which of the following?

a. Disaster Recovery Plan
b. Business Impact Analysis
c. Contingency Plan
d. Business Recovery Plan

Source Video
Skills Tested: Understand the advanced concepts of Disaster Recovery Planning and Business
Continuity Planning specifically regarding the various necessities and corresponding plans
necessary for comprehensive recovery and continuity.

14. In the event that a Business Continuity Plan needs to be implemented, its success is highly dependent
on the employees’ ability to carry out the actions defined in the plan. Which of the following focuses on
employee response in the event of a disaster? To whom should the BCP be distributed?

a. All employees
b. Employees with roles specifically assigned in the BCP or DRP processes
c. Senior Management
d. Various sections of the BCP are distributed on a need-to-know basis

15. Because of the dynamic nature of business environments today, it is important that the BCP
be kept up-to-date and relevant. How often should the BCP be reviewed for necessary changes?

a. Weekly
b. After a major change
c. Once every few years
d. Once per year, or following a major change

16. On Friday afternoon a junior network administrator reported to a team leader that he was concerned
that network utilization was escalating slightly as the afternoon progressed, even continuing as users were
leaving for the day. Because the increase was small, it was attributed to normal variance. However, on
Monday morning, the network utilization was at 99%, and traffic was at a standstill. Though the
organization had a contingency plan for a large-scale network outage, the only copy of this plan was
located on the intranet server, which was unreachable. Which principle of continuity was not
implemented?

a. Elasticity
b. Redundancy
c. Duplicity
d. Reconstitution

Source Video 
Skills Tested: Understand the advanced concepts of Disaster Recovery Planning and Business 
Continuity Planning specifically regarding the next phases including development and review of 
the plan. 

17. There are several types of tests that can be used to verify a recovery plan for accuracy and
completeness. Some tests are paper-based, which are less risky to conduct than more intrusive tests.
However, to get a true assessment of the completeness of a plan, one may want to go beyond paper-based
tests and determine if remote operations can be restored at an off-site facility and handle a small portion
of business transactions. What type of test would this be?

a. Simulation
b. Full-Interruption
c. Structured Walkthrough
d. Parallel

18. In order to determine and provide procedures to implement controls allowing data transactions to be
restored, the BCP committee will need to know how quickly the data must be restored and how current it
should be. These metrics should be established in which document?

a. The DRP
b. The COOP
c. The BIA
d. The OEP

19. In the event of a disaster and the company facility is unreachable for a day or longer, some employees
are tasked with working from home through VPN access to the corporate site. These details should be
specified in what phase of the DRP?

a. Notification
b. Recovery
c. Reconstitution
d. Planning

Source Video 
Skills Tested: Understand the advanced concepts of Disaster Recovery Planning and Business 
Continuity Planning specifically regarding the next phases including development and review of 
the plan. 

Domain 2: Asset Security 

1. An attacker gains access to the network with the hope of using a protocol analyzer to capture and view
traffic that is unencrypted (also known as sniffing the network). What is a PROACTIVE way to mitigate
this risk with the minimum amount of effort?

a. Implement a policy that forbids the use of packet analyzers/sniffers. Monitor the
network frequently.
b. Scan the network periodically to determine if unauthorized devices are connected. If those devices are
detected, disconnect them immediately and provide management a report on the violation.
c. Provide security such as disabling ports and MAC filtering on the switches to prevent an unauthorized
device from connecting to the network. Implement software restriction policies to prevent unauthorized
software from being installed on systems.
d. Install anti-spyware software on all systems on the network.

2. Confidentiality is very frequently breached through social engineering attacks. Though training is
helpful in reducing the number of attacks, it still does not eliminate the risk. Which of the following
would be an administrative policy that is most likely to help mitigate this risk?

a. Formal On-boarding Policies
b. Job Rotation
c. Formal Off-boarding Policies
d. Separation of Duties

3. Classification of resources indicates the value of the resources being protected. Classifications exist in
both public and private sectors while still serving the same purpose. What is the purpose of classification?

a. To determine which baseline security controls should be implemented to protect the data
b. To indicate what steps should be taken if the information is compromised
c. To allow users to understand how critical the information is to an organization’s existence
d. To indicate the damage done should the information be compromised

Source Video 
Skills Tested: Protect Privacy of Data 

4. Organizations that allow users to install applications or make other changes to their systems do so
to provide ease of use and greater flexibility. However, users may install inappropriate software or make
harmful changes to their systems. Usually a well-documented and enforced policy of
configuration/change management would prevent these changes from being made without review by a
change control board through a well-controlled process. Of the answers below, what is the greatest benefit
of configuration/change management?

a. To reduce the effort needed for end-users to maintain their systems
b. To provide stability of network systems and resources
c. To generate more paperwork for administrators to complete
d. To prevent any and all changes to a system’s baseline images.

5. An emergency situation has required a change to a database server to prevent the loss of a sizeable
amount. A lead technician has instructed the administrator to make the change. There was no time to
submit a change request, as action had to be taken immediately. What is the next thing the administrator
should do immediately?

a. Advise other network administrators to make the same change to all servers as a
proactive measure. 
b. Nothing, since a lead technician authorized the change
c. Perform the change and then follow the company’s emergency change control
procedure. 
d. Ignore the request since change control is not being followed.

6. A vendor has developed the proprietary operating system that runs on 85% of your enterprise’s network
computers. They have just released a security patch that provides a safeguard for a recently discovered
flaw that allows compromise of the operating system leading to the discovery of passwords. What should
you do?

a. Test the patch in the lab and roll out the change immediately.
b. Since the patch is security-related and corrects a known vulnerability, push out the patch immediately.
c. Call the vendor to inquire about the specifics of the patch.
d. Review and follow your organization’s patch management strategy.

Source Video 
Skills Tested: Ensuring appropriate retention, controls and documentation for network systems 
through configuration management 

7. Data can exist in various states. When we refer to data at rest, we are describing data in some form of
permanent storage (hard drive, USB drive, DVD, etc.). You have a laptop system, and you are concerned
that if it gets stolen, the data would be compromised. What is the best way to protect the data on your
laptop?

a. Use a cable lock to protect against theft.
b. Encrypt your data.
c. Install monitoring software to detect changes to your data.
d. Review your audit logs each day.

8. Due to the high sensitivity of information stored on a specific system, there is a need to encrypt the
entire hard drive, as opposed to just encrypting the data. This service is provided in Windows with a
utility called BitLocker, as well as through 3rd party software by other vendors. This technique allows the
key for the encrypted drive to be stored on a particular chip on the motherboard, so that if the drive is
stolen it will be rendered inaccessible. What is the name of the chip on which the key will be stored?

a. Clipper Chip
b. L3 Cache
c. Trusted Platform Module
d. SD-ROM

9. Many protocols designed for transmission of data across a network are designed without integrated
security. This vulnerability frequently means that credentials and data are transmitted across the network
in plaintext and is true of protocols such as FTP, Telnet and rlogin (and the other "r" utilities that UNIX
uses to allow remote access). Which protocol would provide a secure alternative to the above protocols
for file transfer and remote access?

a. TFTP
b. SSH
c. SSL
d. TLS

Source Video
Skills Tested: Understanding how to protect data at rest, in process, and in transit

Domain 3: Security Engineering

SECTION 1—Security Architecture and Design

1. Certain components of a system determine the security of that system. The trust of the system 
is a reflection of the trust of these components. These components are collectively referred to as the 
_______________ of the system. 
 
a. Ring 1 elements  
b. Trusted Computing Base  
c. Operating System Kernel  
d. Firmware 
 
2. In each instance where a subject attempts to access an object, that access must be authorized. In order 
to authorize the access, the set of conceptual requirements must be verified by the portion of the operating 
system kernel that deals with security. The conceptual ruleset is known as the __________, while the 
enforcement mechanism is referred to as the ____________ 
 
a. Access Control List, Security Enforcer  
b. Security Enforcer, Access Control List  
c. Reference Monitor, Security Kernel  
d. Security Kernel, Reference Monitor 
 
3. One of the foundational principles of security is that security controls must be aligned with business 
objectives. Based on the impact security has upon an organization’s success, why is the concept of 
business alignment important? 
 
a. There is always a tradeoff for security, so an organization has to weigh the cost vs. benefits of the 
security measures.  
b. Security is cheap and easily implemented compared to the potential for loss. Security should be 
implemented everywhere possible.  
c. Security is so important that every organization must implement as much as possible.  
d. Security is too costly to implement in small organizations.

Source Video 
Skills Tested: Implement and manage engineering processes using secure design principles, 
including security by design. Focus is on system architecture, trusted Computer Base (TCB), 
Security Perimeter, Reference Monitor, Security Kernel 
 
4. IPv4 is a protocol that was designed many years ago with the purpose of transmitting data across 
physically secured lines in a localized environment. Because the threats were very different at this time 
and because the physical lines were secured, security was not built into the protocol. However, IPv6 was 
designed to include IPSec to provide confidentiality, integrity, authenticity, and non-repudiation. What is 
this concept utilized in IPv6 known as? 
 
a. Security through obscurity  
b. Principle of least privilege  
c. Economy of design  
d. Secure by design 
 
5. At one point in time, it was common for organizations to have mainframe computers which were 
accessed by terminals on the users’ workstations. Terminals were the ultimate thin clients. Now as we 
move towards cloud-based services, we are hearing the term “thin clients” again today more and more. 
What is the implication of using thin clients? 
 
a. Localized processing so the user has direct access to resources on their system  
b. An independent and stand-alone system that is not “weighed down” with connectivity issues  
c. A Centralized environment in which software and resources can be installed, updated and managed.  
d. Guaranteed access even in the event that the network is down 
 
6. Coupling is an important concept in object-oriented programming and Service Oriented Architecture
(SOA), and it has other applications as well. Loose coupling is preferred to tight coupling. Why?

a. Loose coupling allows the ability of an application to focus on a single purpose and function.
b. Loose coupling limits the interactions between modules of code and allows them to interact without
needing to know the code, location, or protocol of another module.
c. Loose coupling prevents the interaction between modules of code.
d. Coupling allows multiple applications to run in the same allocation of memory.

Source Video  
Skills Tested: Implement and manage engineering processes using secure design principles 
 
7. The Bell-LaPadula security model was designed in order to protect the confidentiality of secrets for the
US government. One of the security properties of the model is designed to prevent someone at a high
level from leaking secrets to those who should not have access. This property is called the *-Security
Property (star property). Which of the following is indicated by the *-Security Property?
 
a. No write down  
b. No write up  
c. No read down  
d. No read up 
 
8. The Secure State Model essentially dictates that if a system starts securely, operates securely, and 
shuts down securely (even on failure), then it is a secure system. Which phase is the most difficult to secure? 
 
a. Startup  
b. Shutdown  
c. Failure  
d. Operations 
 
9. The Clark-Wilson security model promotes the idea that trusted elements should be separated from 
untrusted elements. If, for example, an application (untrusted) needs to access memory (trusted), the 
untrusted element gets access only to an interface, and the interface has access to the trusted element. 
Which of the following security principles does this enforce? 
 
a. Dual control  
b. Separation of duties  
c. Open systems  
d. Redundancy 
 
 

 
 
 
Source Video 
Skills Tested: Understand the fundamental concepts of security models and their role in secure 
design 
 
   

 
 
 
SECTION 2—Assessing and Enforcing the Trustworthiness of Systems 
 
1. There are various responsibilities in relation to safeguarding sensitive information. Who is responsible 
for the classification of data, as well as determining who should be able to access the data? 
 
a. The Data Owner  
b. The Authorizing Official  
c. The Data Custodian  
d. Senior Management 
 
2. The minimum security baseline (MSB) of a system is the lowest acceptable security configuration for 
a system in a specific environment. Before the MSB can be determined, however, the system must be 
categorized based on the confidentiality, integrity, and availability needs of its data. When evaluating a 
system where the potential impact of unauthorized disclosure is high, the impact of an integrity breach 
is medium, and the impact of the data being temporarily unavailable is low, what is the overall 
categorization of the system? 
 
a. High  
b. Medium  
c. Low  
d. Medium-high 
 
3. In evaluating a system per the TCSEC and the more recent Common Criteria, there are two elements 
that are assessed as part of the evaluation: Trust and Assurance. Which of the following best describes 
trust and assurance? 
 
a. Trust describes how secure the system is, while assurance describes performance capabilities.  
b. Assurance describes how secure the system is, while trust describes performance capabilities.  
c. Trust describes the function of the product, while assurance describes the reliability of the process used 
to create the product.  
d. Assurance describes the function of the product, while trust describes the reliability of the process used 
to create the product. 

 
 
 
Source Videos: One / Two  


Skills Tested: Select controls and countermeasures based on systems security evaluation model 
 
4. A user logs in to a system at 8 am but has his credentials suspended at 10 am. A network administrator 
is surprised to find that this user is still logged on to the network at 2 pm. What type of attack is this?  
a. TOC/TOU  
b. Privilege Escalation  
c. LDAP Injection  
d. Exception Event 
 
5. SYN floods, buffer overflows, and other resource exhaustion attacks are types of denial of service 
attack that work by trying to consume more resources than are currently available. What is the best 
defense against an attack of this nature? 
 
a. Input validation  
b. Throttling mechanisms  
c. Limiting the number of resources that an unauthorized user can cause to be expended  
d. All of the above 
 
6. An application stores sensitive data in memory that is not secured or has not been properly locked. 
Ultimately, this data is written to a swap file on disk by the virtual memory manager. An attacker is then 
able to read the swap file and gain access to information that should have been confidential. What type 
of security design flaw is being described? 
 
a. TOC/TOU  
b. DoS  
c. Improper Storage  
d. Exception Handling  
 
Source Video 
Skills Tested: Assess and mitigate the vulnerabilities of security architectures, designs, and 
solution elements 

 
 
 
SECTION 3—Cryptography 
 
1. The Caesar cipher was used in Caesar’s time as a means of transferring information without 
disclosure. This cipher shifts the alphabet three characters and performs a fixed substitution: A is 
always replaced by D, B by E, and so on. What is the easiest means of cracking substitution ciphers? 
 
a. Meet in the Middle Attacks  
b. Man in the Middle Attacks  
c. Sniffing/Analyzing the network  
d. Pattern/Frequency analysis 
 
2. In 1918, Gilbert Vernam created a means of providing mathematically unbreakable encryption by using 
a one-time pad as the key. Obviously, the pad could only be used once. What technology today is 
based on the ideas implemented in the Vernam cipher? 
 
a. Asymmetric Cryptography  
b. Digital Signatures that are used to provide authenticity  
c. The handshake process used by IPSec and numerous other frameworks  
d. Session keys 
 
3. The Enigma machine was used by the Germans during World War II to exchange encrypted messages. 
It was a rotary-based system which used the rotor configuration as its secrecy mechanism. When the 
original system was compromised, the Germans added a fourth rotor to exponentially increase the 
complexity necessary to break the code. This concept is seen in the relationship between ___________. 
 
a. AES and Kerberos  
b. DES/3DES  
c. RSA and DSA  
d. RSA and DSA 

Source Video: https://www.cybrary.it/video/part-09-security-services-of-crypto/  


Skills Tested: Security services provided by cryptography 
 

 
 
 
4. A user receives an email that they believe to have been sent by a colleague. In actuality, the email was 
spoofed by an attacker. Which security service would have indicated that the message was spoofed? 
 
a. Privacy 
b. Authorization  
c. Integrity  
d. Non-repudiation 
 
5. Two users are exchanging information across an unreliable link. Interference and other issues 
frequently cause packets to be dropped or damaged. These individuals need a means to detect that their 
data has not been corrupted in transit. Which security service would detect corruption? 
 
a. Privacy  
b. Authenticity  
c. Integrity  
d. Non-repudiation 
 
6. The reasonable guarantee that someone cannot dispute having sent a message, nor the contents of the 
message, is referred to as ________. 
 
a. Privacy  
b. Authenticity  
c. Integrity  
d. Non-repudiation 
 
Source Video: 
Skills Tested: Historical uses of cryptography and their influence on today’s cryptographic 
mechanisms 
 
 
 
 
 

 
 
 
7. Because user-created passwords rarely provide the necessary security, and because many 
algorithms still used to protect stored passwords have been broken, what should be added to each 
password before it is hashed? 
 
a. A key  
b. A certificate  
c. An algorithm  
d. A salt 
 
 
8. RC4 is the algorithm used by WEP and WPA (through TKIP) to provide encryption for Wi-Fi networks. 
RC4 is a stream cipher. What is a common means of providing encryption in stream algorithms? 
 
a. XOR  
b. Blocking  
c. Chaining  
d. Feedback modes 
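Questions 2 and 8 describe the same mechanism from two ends: a stream cipher encrypts by XORing the data with a keystream, and the one-time pad is the special case where the keystream is truly random, as long as the message, and never reused. The functions below are an added example, not course code, and use constructed sample messages and a fixed pad so the result can be checked; os.urandom is the only source a real pad may come from. The second half shows why the pad must never be reused: XORing two ciphertexts made with the same keystream cancels the key entirely, which is the flaw behind WEP's IV reuse.

```python
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings; this single operation is the whole cipher step."""
    if len(a) != len(b):
        raise ValueError("keystream must be exactly as long as the data")
    return bytes(x ^ y for x, y in zip(a, b))


def new_pad(length: int) -> bytes:
    """A fresh, random, single-use pad (Vernam's requirement for unbreakability)."""
    return os.urandom(length)


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """Ciphertext = P XOR K. With a random, never-reused K the ciphertext says nothing about P."""
    return xor_bytes(plaintext, pad)


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    """Decryption is the same operation: (P XOR K) XOR K == P, because K XOR K == 0."""
    return xor_bytes(ciphertext, pad)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If one keystream K encrypts two messages, an eavesdropper computes
    (P1 XOR K) XOR (P2 XOR K) == P1 XOR P2, which contains no key material at all."""
    return xor_bytes(c1, c2)


def recover_with_crib(p1_xor_p2: bytes, known_p1: bytes) -> bytes:
    """Given P1 XOR P2 and a known or guessed P1 (a 'crib'), the attacker reads P2 directly."""
    return xor_bytes(p1_xor_p2, known_p1)
```

RC4 and other stream ciphers replace the random pad with a pseudorandom keystream expanded from a short key and an IV; the XOR step is identical, so reusing a key/IV pair reproduces the two-time-pad leak above.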
 
9. A crypto-variable provides the instructions for utilizing the math functions used to encrypt data. What 
is another name for this term? 
 
a. Key  
b. Algorithm  
c. Cipher  
d. Initialization Vector 
 
Source Video 
Skills Tested: Definitions of cryptographic terms 
 
 
 
 
 

 
 
 
10. The Rijndael algorithm was designed to replace DES as the de facto standard algorithm for most 
applications. It is also the result of a government standard required to provide protection for data that is 
sensitive, but unclassified. What is it more frequently known as? 
 
a. RC-6  
b. 3DES  
c. AES  
d. Kerberos 
 
11. What is the most trusted way to ensure only the intended recipient obtains the key in a purely 
symmetric system? 
 
a. Manager hand-delivers the key  
b. Encrypt the key with the receiver’s public key  
c. Encrypt the key with a passphrase  
d. Encrypt the key with the sender’s private key 
 
12. A certain type of symmetric algorithm “chunks” data into blocks and sends each block through a 
series of math functions based on the key. What type of symmetric cipher is this called? 
a. Stream  
b. Block  
c. Chained 
d. Feedback 

 
Source Video 
Skills Tested: Symmetric cryptography’s limitations and benefits 
 
 
 
 
 
 

 
 
 
13. Asymmetric algorithms provide some of the security services that are lacking from symmetric 
algorithms. Which security service can an asymmetric algorithm provide that a symmetric algorithm 
cannot?  
 
a. Privacy  
b. Authenticity  
c. Integrity  
d. Non-Repudiation 
 
14. How do asymmetric algorithms solve the problem of key distribution as seen in symmetric 
algorithms? 
 
a. Asymmetric encryption requires an out-of-band key exchange.  
b. Asymmetric algorithms do not provide encryption for privacy. Therefore no key exchange is needed.  
c. Asymmetric algorithms post private keys to a Key Distribution Server.  
d. The relationship between public and private keys prevents the need to send a protected key across the 
network. 
 
15. When using asymmetric cryptography, what should an administrator do if they become aware of a 
private key compromise? 
 
a. Revoke the private key  
b. Revoke the public key  
c. Revoke the key pair 
d. Do nothing 

 
Source Video 
Skills Tested: Asymmetric cryptography’s limitations and benefits 
 
 
 
 
 

 
 
 
16. Symmetric ciphers can provide comparable encryption several thousand times faster than 
asymmetric algorithms. Why is this? 
 
a. Symmetric ciphers don’t use keys but instead use one-way math.  
b. Symmetric ciphers can provide security equivalent to asymmetric ciphers but with much shorter keys.  
c. Asymmetric ciphers can provide security equivalent to symmetric ciphers but with much shorter keys  
d. Symmetric algorithms are implemented in hardware devices which are much faster than software 
implementations which asymmetric algorithms use. 
 
 
17. Though symmetric algorithms can provide encryption services much more quickly than asymmetric 
ciphers, what is the greatest drawback of using them? 
 
a. Symmetric ciphers need a longer key in order to provide the same encryption.  
b. Symmetric ciphers cannot utilize an initialization vector.  
c. Symmetric ciphers require an out-of-band key exchange.  
d. Symmetric Ciphers require a public key infrastructure. 
 
18. Alice gives a copy of her private key to the crypto admin, Bob, for backup. Which problem below 
would most likely affect the accountability of the system?  
 
a. Bob could read documents destined for Alice. 
b. Bob could sign documents as Alice.  
c. Bob could leave the company, and Alice’s backup of her key could be unavailable.  
d. Bob could update the CRL claiming Alice’s key was lost. 
 
Source Video 
Skills Tested: Comparison of asymmetric algorithms vs. symmetric algorithms 
 
 
 
 

 
 
 
19. Due to the difficulty of key exchange with symmetric cryptography, key exchange is often performed 
out-of-band. In the implementation of a digital envelope, the contents of the message are encrypted with a 
symmetric session key that is included with the message. How is the session key protected? 
 
a. It is encrypted with the sender’s public key.  
b. It is encrypted with the Sender’s private key.  
c. It is encrypted with the receiver’s public key.  
d. It is encrypted with the receiver’s private key. 
 
20. When a client connects to a secure web server using the https protocol, what is the response of the 
server? 
 
a. The server will send the client its private key.  
b. The server will send the client its public key.  
c. The server will request the private key of the client.  
d. The server will request the public key of the client. 
 
21. Often in mail messages, the contents of the message are encrypted with a symmetric algorithm, likely 
AES. Non-repudiation, however, is obtained through a combination of hashing and an asymmetric 
algorithm. How is non-repudiation accomplished? 
a. By encrypting the document with the sender’s private key, then hashing document  
b. By encrypting the document with the sender’s public key, then hashing the document 
c. By hashing the document and then encrypting the hash with the sender’s private key  
d. By hashing the document then encrypting the hash with the receiver’s public key 

 
Source Video 
Skills Tested: Understand how asymmetric and symmetric algorithms work together to provide the 
benefits of each. 
 
 
 
 
 

 
 
 
22. Diffie-Hellman was the first published asymmetric algorithm, appearing in 1976. Which of 
the following services does the Diffie-Hellman algorithm provide? 
 
a. Privacy  
b. Authenticity  
c. Key Exchange  
d. Key Agreement 
 
23. Handheld devices such as some cell phones and tablets are incapable of providing the processing 
power necessary to use many of today’s secure algorithms. In order to address this problem, an efficient 
algorithm was developed which provides very good encryption with a minimum of resource usage in 
specific environments. What is this algorithm? 
 
a. Elliptic Curve Cryptography  
b. RSA  
c. Diffie-Hellman  
d. AES 
 
24. Digital signatures provide non-repudiation through a hash encrypted with a sender’s private key. 
Which asymmetric algorithm is most frequently used to encrypt the hash? 
 
a. AES  
b. SHA-1  
c. DSA  
d. RSA 
 
Source Video 
Skills Tested: Understand the function of the Diffie-Hellman, RSA, and ECC algorithms. 
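The exchange behind question 22 (and behind IKE in question 37), as an added example that is not course code: each side keeps a private exponent, sends only g^x mod p across the network, and both arrive at the same shared value, which is why the result is called key agreement rather than key transport. The prime and generator here are assumptions chosen so the arithmetic is realistic in size; real deployments use a standardized group (RFC 3526 or RFC 7919) or ECDH, not ad hoc parameters. The second function shows the limitation the course material implies: plain Diffie-Hellman authenticates nobody, so a man in the middle can agree a separate key with each side, and IKE therefore signs or MACs the exchange.

```python
import hashlib
import secrets

# Illustrative group parameters (assumed for this example, not a standardized group).
P = (1 << 521) - 1   # a Mersenne prime; real code uses an RFC 3526/7919 group or ECDH
G = 5


def dh_private() -> int:
    """A random private exponent in [2, P-1]; this never leaves the host."""
    return secrets.randbelow(P - 2) + 2


def dh_public(private: int) -> int:
    """The value sent over the wire: g^x mod p. Recovering x from it is the discrete log problem."""
    return pow(G, private, P)


def dh_shared(their_public: int, my_private: int) -> bytes:
    """Both sides compute the same number: (g^b)^a == (g^a)^b mod p. The raw value is hashed
    to derive key material rather than being used directly as a key."""
    shared = pow(their_public, my_private, P)
    return hashlib.sha256(shared.to_bytes((P.bit_length() + 7) // 8, "big")).digest()


def key_agreement() -> tuple:
    """Run the exchange for Alice and Bob; only A and B cross the (untrusted) network."""
    a, b = dh_private(), dh_private()
    A, B = dh_public(a), dh_public(b)   # exchanged in the clear
    return dh_shared(B, a), dh_shared(A, b)


def mitm_key_agreement() -> tuple:
    """Unauthenticated DH: Mallory replaces both public values with her own, so Alice and Bob
    each share a key with Mallory and not with each other. Returns three booleans:
    (alice_key == mallory's key with alice, bob_key == mallory's key with bob, alice_key == bob_key)."""
    a, b, m = dh_private(), dh_private(), dh_private()
    A, B, M = dh_public(a), dh_public(b), dh_public(m)
    alice_key = dh_shared(M, a)          # Alice believes M came from Bob
    bob_key = dh_shared(M, b)            # Bob believes M came from Alice
    mallory_alice = dh_shared(A, m)
    mallory_bob = dh_shared(B, m)
    return alice_key == mallory_alice, bob_key == mallory_bob, alice_key == bob_key
```

The agreement gives confidentiality of the derived key against a passive eavesdropper only; authenticity of the peers has to come from somewhere else (certificates or a pre-shared key in IKE, the server certificate in TLS).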
 
 
 
 

 
 
 
25. A fundamental property of hashing is that a hash should not be reversible to reveal the contents 
of the message or file. What provides this secrecy in a hashing algorithm? 
 
a. A public key  
b. A private key  
c. One-way math  
d. A digital signature 
 
26. In order to ensure integrity, a hashing algorithm creates a unique representation of the data or file that 
was hashed. This value is called a message digest. If the message or file changes, the hash should 
change. However, because the set of possible digests is finite, there is a very small likelihood that two 
different files produce the same digest. What is this called? 
 
a. Collision  
b. Key clustering  
c. Chaining  
d. Escrow 
 
27. What is a birthday attack? 
 
a. An attack on passwords based on the idea that many users choose bad passwords based on personal 
information such as birthdays  
b. A logic bomb that is triggered on the date of the attacker’s birthday  
c. An attack that attempts to find collisions in separate messages  
d. An attack which focuses on personnel databases in an attempt to compromise personal information for 
the purpose of identity theft 
 
Source Video 
Skills Tested: Understand the functionality and basic concepts of hashing 
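Questions 26 and 27 together: the following added example (not from the course) runs a birthday attack against a deliberately shortened hash. It hashes many different messages, keeps a table keyed by digest, and stops at the first repeat; the number of attempts needed is close to the square root of the digest space, not the full space, which is why a collision is so much cheaper than a preimage and why an n-bit hash gives only about n/2 bits of collision resistance. SHA-256 truncated to 32 bits stands in for a weak hash; the message prefix is an assumption for the example.

```python
import hashlib
from math import pi, sqrt


def truncated_digest(message: bytes, bits: int) -> int:
    """The first `bits` bits of SHA-256 as an integer, standing in for a short, weak hash."""
    full = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits: int, prefix: bytes = b"msg-") -> tuple:
    """Birthday attack: hash distinct messages until two of them share a digest.
    Returns (message_a, message_b, attempts). Memory grows with the number of attempts,
    which is the usual trade-off of the table-based version of the attack."""
    seen = {}
    counter = 0
    while True:
        candidate = prefix + str(counter).encode()
        d = truncated_digest(candidate, bits)
        if d in seen:
            return seen[d], candidate, counter + 1
        seen[d] = candidate
        counter += 1


def expected_attempts(bits: int) -> float:
    """Birthday bound: about sqrt(pi/2 * 2^bits) hashes are needed, not 2^bits."""
    return sqrt(pi / 2 * (1 << bits))


def preimage_attempts(bits: int) -> int:
    """For comparison, matching one fixed digest needs about 2^bits attempts on average."""
    return 1 << bits
```

For a 32-bit digest the birthday bound is roughly 82,000 attempts against about 4.3 billion for a preimage; for a full 256-bit digest the same ratio makes the collision search 2^128 work, which is out of reach.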
 
 
 

 
 
 
28. What prevents spoofing during the transmission of a hashed document? 


 
a. Nothing  
b. The shared key  
c. The private key  
d. The public key 
 
29. A digital signature provides non-repudiation, whereas a MAC (Message Authentication Code) only 
provides reasonable authentication and integrity. What is the reason that a MAC cannot provide 
non-repudiation? 
 
a. It doesn’t include a hash or integrity check value.  
b. MACs use asymmetric encryption.  
c. MACs use symmetric encryption.  
d. There is nothing unique to the sender and/or receiver in a MAC.  
 
30. Which key is used to produce a digital signature and which key is used to verify a digital signature? 
 
a. Sender’s public creates, sender’s private verifies  
b. Sender’s private creates, sender’s public verifies  
c. Sender’s public creates, receiver’s private verifies  
d. Receiver’s public creates, receiver’s private verifies 
 
Source Video 
Skills Tested: Determine the distinctions between hashes, MACs, and Digital Signatures 
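Questions 19, 21 and 28 to 30 ask which key goes where. The added example below (not course code) puts a plain hash, a MAC, a digital signature and a digital envelope side by side using only the Python standard library. The RSA key pair is built from two published Mersenne primes with textbook RSA and no padding, so it shows the mechanics of which key is used at each step and gives no real security; production code uses a vetted library with PSS or PKCS#1 padding for signatures and OAEP for envelopes. For brevity a single key pair plays both the sender's signing pair and the receiver's encryption pair; in practice these are two different pairs.

```python
import hashlib
import hmac

# Illustrative RSA key pair from two known Mersenne primes (assumed for this example).
# Anyone can look these primes up, so the pair offers no secrecy, only a demonstration.
_P = (1 << 521) - 1
_Q = (1 << 127) - 1
RSA_N = _P * _Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))   # private exponent (Python 3.8+)


def digest(message: bytes) -> bytes:
    """Hash only: detects accidental corruption, but an attacker who changes the message
    simply recomputes the hash, so a bare hash stops nothing (question 28)."""
    return hashlib.sha256(message).digest()


def mac(message: bytes, shared_key: bytes) -> bytes:
    """HMAC: proves the message came from someone holding the shared key. Both ends hold it,
    so the verifier could have produced the same tag; that is why a MAC gives no non-repudiation."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()


def mac_verify(message: bytes, shared_key: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(message, shared_key), tag)


def sign(message: bytes) -> int:
    """Digital signature: hash the message, then apply the SENDER'S PRIVATE key to the hash."""
    h = int.from_bytes(digest(message), "big")
    return pow(h, RSA_D, RSA_N)


def verify(message: bytes, signature: int) -> bool:
    """Anyone with the sender's PUBLIC key can check the signature; only the private key
    could have produced it, which is the basis of non-repudiation."""
    h = int.from_bytes(digest(message), "big")
    return pow(signature, RSA_E, RSA_N) == h


def seal_session_key(session_key: bytes) -> int:
    """Digital envelope: the symmetric session key is encrypted with the RECEIVER'S PUBLIC key
    and travels with the message."""
    return pow(int.from_bytes(session_key, "big"), RSA_E, RSA_N)


def open_session_key(sealed: int, length: int) -> bytes:
    """Only the receiver's PRIVATE key recovers the session key."""
    return pow(sealed, RSA_D, RSA_N).to_bytes(length, "big")
```

Read the three verifiers together: `digest` needs no key (anyone can forge), `mac_verify` needs the shared key (either party could have made the tag), and `verify` needs only the public key while producing the signature needed the private one, which is the distinction the exam draws between integrity, authentication and non-repudiation.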
 
31. In order to initiate a secure connection with a web server, the client uses the https protocol. When the 
server receives the request for a secure connection, it sends a certificate to the client. Which of the 
following would not be on a server’s certificate? 
 
a. Public Key  
b. Private Key  

 
 
 
c. Signature of a Certification Authority  
d. Class 
 
32. A user gets a message stating that the server to which they are connecting has a certificate that 
has not been signed by a trusted certificate authority. What does this mean? 
 
a. The web server has not been issued a certificate.  
b. The Certificate Authority who issued the server’s certificate is not registered with IANA.  
c. The Certificate Authority, who issued the server’s certificate does not have its certificate installed on 
the server.  
d. The Certificate Authority, who issued the server’s certificate does not have its certificate 
installed on the client computer. 
 
33. When a client receives a certificate as a means of authenticating a server, the client will check to 
ensure that the certificate has not expired. The client also needs to verify that the certificate has not been 
revoked. How is this information obtained? 
 
a. The client locates this information on the certificate.  
b. The next step of the SSL/TLS handshake requires the server to provide proof of revocation status.  
c. The client queries an OCSP (Online Certificate Status Protocol) server.  
d. The client verifies this information with their ISP (Internet Service Provider). 

 
Source Video  
Skills tested: Understand the purpose and function of elements within a public key infrastructure.  
 
34. In relation to IPSec and other protocols, encapsulation is often confused with encryption. Out of the 
below choices, which best describes the difference between the two? 
 
a. Encapsulation provides privacy; Encryption adds headers to an existing protocol packet.  
b. Encryption provides privacy; Encapsulation adds headers to an existing protocol packet.  
c. Encapsulation is only used by tunneling protocols; encryption is used universally.  
d. Encapsulation is used for transporting data; encryption is used for protecting data’s confidentiality. 
 

 
 
 
35. Which mode of IPSec encapsulates the entire IP packet? 


 
a. AH  
b. ESP  
c. Tunnel  
d. Transport 
 
36. Which mode of IPSec would be used for a site-to-site VPN connection (for example, from one VPN 
concentrator to another)? 
 
a. AH  
b. ESP  
c. Tunnel  
d. Transport 
 
Source Video  
Skills Tested: Encapsulation options with IPSec 
 
37. AH and ESP provide the security services most people have come to associate with IPSec. However, 
another sub-protocol of IPSec, IKE (Internet Key Exchange), is concerned with managing the 
handshake process and negotiating keys. What asymmetric algorithm does IKE use for key agreement? 
 
a. Diffie-Hellman 
b. Knapsack  
c. DSA  
d. RSA 
 
 
 
 
 
 

 
 
 
38. A user needs to provide protected IP communications across his local network. He needs encryption, 
as well as authentication and integrity. Which sub-protocol of IPSec offers encryption? 
 
a. AH  
b. ESP  
c. SKIP  
d. IKE 
 
39. AH (Authentication Header) is a sub-protocol that provides data-origin authentication, integrity, and 
anti-replay protection (not non-repudiation, since both ends share the same key). AH computes an ICV 
(Integrity Check Value) over the payload and the fields of the IP header that do not change in transit, 
including the source and destination addresses. Because the check covers the IP header, AH guarantees 
that no protected portion of the packet has been modified. As helpful as this is, there is a network service 
whose primary function is to modify the headers of packets before they leave the local network. What is 
this service? 
 
a. NAT  
b. TCP  
c. DNS  
d. LDAP 
 
Source Video  
Skills Tested: IPSec sub-protocols, handshake, and Security Associations 
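Question 39 in code, as an added example that is not part of the course: an AH-style integrity check is computed over the addresses in the IP header plus the payload, a NAT gateway rewrites the source address on the way out, and the receiver's recomputed check no longer matches. The packet structure, key and addresses are assumptions for the example; real AH also covers the other immutable header fields, zeroes mutable ones such as TTL before hashing, and keys the ICV from the security association. The practical answer to the problem is ESP (which does not cover the outer IP header) with UDP encapsulation (NAT-T) rather than AH through a NAT.

```python
import hashlib
import hmac
import ipaddress


def ah_icv(src: str, dst: str, payload: bytes, key: bytes) -> bytes:
    """AH-style Integrity Check Value: an HMAC over the immutable header fields (here the
    addresses) and the payload, truncated to 96 bits as AH does with HMAC-based ICVs."""
    header = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    return hmac.new(key, header + payload, hashlib.sha256).digest()[:12]


def ah_verify(src: str, dst: str, payload: bytes, key: bytes, icv: bytes) -> bool:
    """Receiver recomputes the ICV over the packet as it actually arrived."""
    return hmac.compare_digest(ah_icv(src, dst, payload, key), icv)


def build_packet(src: str, dst: str, payload: bytes, key: bytes) -> dict:
    """Sender attaches the ICV computed over the original source address."""
    return {"src": src, "dst": dst, "payload": payload,
            "icv": ah_icv(src, dst, payload, key)}


def nat_rewrite(packet: dict, public_ip: str) -> dict:
    """What a source NAT gateway does: swap the private source address for its public one.
    The ICV is left alone because the gateway does not hold the SA key."""
    return {**packet, "src": public_ip}


def deliver(packet: dict, key: bytes) -> bool:
    """True if the receiver accepts the packet; False if AH rejects it as modified."""
    return ah_verify(packet["src"], packet["dst"], packet["payload"], key, packet["icv"])
```

Note that the failure is by design: the gateway has done exactly what AH exists to detect, namely change a covered header field, and AH cannot tell a helpful NAT from a hostile rewrite.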
 
40. An organization is considering designing a facility for a newly acquired business unit. They want to 
make sure that the site is designed to be as secure as possible, with the intent of adding additional security 
if needed. Which of the following would NOT be an element of secure building design for organizations 
that have medium level security needs? 
 
a. Ensure that the building is obscured from view, so as to not attract attention.  
b. Ensure the building is in a prominent location, as opposed to being less visible.  
c. Ensure that plants and shrubbery are planted underneath windows.  
d. Plan secure design strategies in a layered method of defense. 
 
 

 
 
 
41. An organization has invested a sizeable amount of money in providing badged access to its secured 
data center. However, upon observation, numerous employees are allowing individuals without badges to 
“piggyback” into the facility. What should an employee do when someone without a badge attempts to 
gain access to the building on someone else’s card swipe? 
 
a. Explain to the individual that you cannot allow the individual to enter the building without using their 
badge.  
b. Allow them to enter, as long as you recognize them as an employee.  
c. Allow them to enter, but notify security at your earliest convenience.  
d. Escort that individual to security, even if you recognize them as an employee. 
 
42. Your organization has decided to implement a Wi-Fi network for internal employees. You have been 
asked to perform a site survey of your current facility and recommend the best location for the access 
points, with the primary consideration of preventing access outside the building. As a general rule, what 
are the main considerations when deciding where to put Access Points in your facility? 
 
a. The access points should be in the corners of the building to provide the best unobstructed signal. 
b. Access points need to be placed in the locked server room at all times.  
c. Access points should be located in areas of public access to ensure guests have easy access.  
d. Access points should be placed in the center of the building. 

 
Source Video   
Skills Tested: Apply secure principles to site and facility design 
 
43. Prosecuting computer crime can be very difficult, even if numerous technical controls are in place. 
One of the greatest difficulties is placing an individual at the source of the crime. For internal 
employees, we use digital signatures and smart cards to link actions to individuals. However, this is not 
fail-proof, as an employee determined to commit fraud can simply say that their card or key was 
compromised. Another cause for reasonable doubt is that the employee may acknowledge that the attack 
originated from their computer but deny that they were the one responsible. The employee can make the 
case that they occasionally forget to log out of their system or remove their smart card, and that at that 
time anyone could have accessed the system and initiated the attack. Which physical security mechanism 
could help prove that no one else accessed the employee’s computer? 
 

 
 
 
a. Door locks to the data center  
b. Badged access to the building 
c. Closed Circuit TV cameras  
d. A policy that dictates all systems must be locked and smart cards must be removed anytime the system 
is unmanned. 
 
44. Doors provide an important barrier to sensitive areas within a building. Which of the following 
provides the least protection from an intruder gaining access by compromising a door to the area? 
 
a. Pick-resistant locks  
b. A kick plate  
c. Enforced and protected hinges  
d. Strike-plate 
 
45. To provide protection to employees and to preserve human life, positive pressurization should be 
provided by a company’s HVAC system. What does positive pressurization mean? 
 
a. Air flows into a room, instead of outside the room. 
b. Air flows out of a room rather than in.  
c. The HVAC system starts up automatically if it detects a change in air pressure.  
d. The HVAC system shuts down immediately in the event of fire to limit smoke spreading from room to 
room. 
 
Source Video 
Skills Tested: Design and implement physical security 

 
 
 
Domain 4 Telecommunications and Network Security 
 
1. When discussing a connectivity issue between two networked systems, the technician tells you that he 
suspects a Layer 1 issue has caused the lack of communication between hosts. What would best be 
described as a “Layer 1” issue? 
 
a. Cable  
b. Router  
c. Switch  
d. NIC 
 
2. In choosing cable for a highly secure environment, which type is resistant to eavesdropping and immune 
to EMI (Electromagnetic Interference) and RFI (Radio Frequency Interference)? 
 
a. Thick Coaxial Cable  
b. Thin Coaxial Cable  
c. Fiber Optic Cable  
d. Shielded Twisted Pair 
 
3. Most devices that function at the lower Layers of the OSI have less “intelligence” than devices at other 
Layers. By this, it is meant that they do nothing to direct, address, or correct packets on the network. 
However, lower Layer devices usually have which of the following benefits over upper Layer devices? 
a. Lower layer devices provide better inspection of traffic.  
b. Lower layer devices are better able to encapsulate data, so it is better able to traverse the physical 
network.  
c. Lower layer devices are usually faster than their upper layer counterparts.  
d. Lower Layer devices are easier to monitor and provide greater insight into network activity, as they are 
less complex. 
 
Source Video 

 
 
 
Skills Tested: Understanding the OSI Reference model with a focus on Layer 1, the physical 
layer. 
 
4. The Data Link Layer is the only layer of the OSI model that has two sublayers. One of the 
sublayers is the MAC (Media Access Control) sublayer. Media Access Control provides a means of 
determining which system or systems can access the media and transmit at any given time. Ethernet 
uses a method called CSMA/CD (Carrier Sense Multiple Access with Collision Detection). What does 
this imply? 
 
a. Ethernet environments avoid collisions by detecting their likelihood before transmitting.  
b. Ethernet environments only allow an individual host to access the cable at any given time and are 
capable of detecting collisions as they happen.  
c. Even though Ethernet traffic is prone to collisions, a hub can all but eliminate them.  
d. Though multiple systems can access the media simultaneously, the result will be a collision, which 
should be immediately detected. 
 
5. MAC (Media Access Control) addresses are physical hardware addresses assigned to each network 
interface for each host on the network. Though IP addressing is used to locate hosts from anywhere in the 
world, MAC addresses must be used locally. How does resolution occur from an IP address to a MAC 
address? 
a. The host queries through DNS lookup.  
b. The MAC addresses are published in the Global Catalog Server.  
c. The hosts use an ARP broadcast to learn the MAC address of the destination.  
d. Clients broadcast their MAC addresses every 30 seconds. 
 
6. Wi-Fi networks use the media access method CSMA/CA (Carrier Sense Multiple Access with 
Collision Avoidance). How does this method avoid collisions? 
a. CSMA/CA uses a control frame that traverses the network. Systems wishing to communicate capture 
the frame. Since there is only one frame and a host cannot communicate without it, there are no 
collisions.  
b. Though technically there are still a small number of collisions with CSMA/CA, it drastically reduces 
their number by assessing the likelihood of a collision before transmission.  
c. In CSMA/CA a host signals its intent to transmit, rather than sending its data immediately.  
d. In CSMA/CA collisions are avoided by utilizing hardware, like switches, to isolate the network into 
collision domains. 

 
 
 
Source Video  
Skills Tested: Understanding the OSI Reference model with a focus on Layer 2, the data link 
layer. Understanding media access control 
 
7. Switches replaced hubs in most standard environments years ago. Switches are better at directing 
traffic and are also more secure. However, there is an attack called MAC flooding that essentially causes a 
switch to fall back to the functionality of a hub. This is caused by overwhelming a switch’s CAM table 
with bogus MAC addresses. What is the greatest security concern with a switch that reverts to the 
functionality of a hub?  
 
a. Traffic will be slower, and performance will be degraded.  
b. All traffic will be forwarded out all ports and will likely give an attacker access to a greater amount of 
data than the specific port to which he or she is connected.  
c. Because hubs work at Layer 1, they will be unable to use MAC addresses to direct traffic.  
d. Network collisions will increase. 
 
8. A user complains that connectivity to the network is slow. This network is rarely used, and its hardware 
is quite dated. You notice that the link light on the user’s NIC is amber instead of green. As a general 
rule, this indicates collisions on the network. What would be the best way of mitigating this 
problem? 
 
a. Change your media access method to CSMA/CA.  
b. Implement a switch.  
c. Implement a hub.  
d. Implement a router. 
 
9. In earlier times, when an attacker plugged a sniffer into a port on a hub, the attacker had access to all 
data on that hub. Now that switches have replaced hubs, what traffic will an attacker “see” when 
connected to a port on a switch? 
a. ARP broadcasts  
b. Absolutely none  
c. Only traffic passing through that particular switch  
d. All non-encrypted traffic 

 
 
 
Source Video  
Skills Tested: Understanding the role switches play on a network, as well as the vulnerabilities 
they can introduce. 
 
10. Many certification tests and assessments place network devices and protocols in a single layer 
of the OSI model. In reality, most devices and protocols function across multiple layers, as they satisfy 
requirements across those layers. For example, many people consider routers to be Layer 3 devices, but 
across which layers does a router actually work? 
 
a. 2-5  
b. 3-7  
c. 1-3  
d. 3-4 
 
11. Natively, switches provide collision domain isolation on a network, basically improving performance by 
(almost) eliminating collisions. However, most production switches offer VLAN (Virtual LAN) 
capabilities. What primary function does a VLAN provide on a switch? 
 
a. Routing  
b. Broadcast isolation  
c. Connectivity to a WAN switch  
d. The ability to connect multiple media types 
 
12. Most Layer 2 and Layer 3 switches are capable of supporting VLANs. What would be the purpose, 
then, of using a Layer 3 switch? 
 
a. A Layer 3 switch is faster than a Layer 2 switch.  
b. A Layer 3 switch is cheaper than a Layer 2 switch. 
c. A Layer 3 switch can allow inter-VLAN communication.  
d. A Layer 3 switch inspects traffic based on content. 
Source Video  
Skills Tested: Understanding routers, VLANs and Layer 3 switches 
 

 
 
 

13. Upper Layer protocols rely upon Layer 4 protocols for end-to-end connection. The two main Layer 4 
protocols are TCP and UDP. TCP provides guaranteed, connection-oriented services. UDP provides 
unreliable, connectionless services, with the benefit of lower overhead and therefore faster delivery. What 
service might be best suited for UDP instead of TCP? 
 
a. Media Streaming  
b. Small File downloads  
c. Web traffic  
d. Email exchange 
 
14. In examining a TCP segment and a UDP datagram, you notice that the TCP header has fields that are not 
present in the UDP header. Which of the following fields would appear in both the TCP and the UDP header? 
 
a. SYN  
b. ACK  
c. Window size  
d. Port number 
 
15. There are two separate protocols that are frequently used for file transfer: FTP and TFTP. FTP 
requires connection-oriented delivery, while TFTP uses connectionless delivery for simplicity and lower 
overhead. What provides the difference in delivery? 
 
a. FTP uses UDP, while TFTP uses TCP.  
b. FTP uses TCP, while TFTP uses UDP. 
c. The sequence numbers in the FTP packet guarantee delivery.  
d. FTP uses IP for connection-oriented delivery. 
 

Source Video  
Skills Tested: OSI Model Layer4, focus on TCP and UDP, Layer4 exploits 
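The two questions above (common fields, and why FTP over TCP is connection-oriented while TFTP over UDP is not) come down to what each Layer 4 header actually carries. The following is an added example, not part of the course material, that parses both headers from constructed sample bytes (a DNS query's UDP header and a TCP SYN to port 80, built with struct.pack rather than captured) and reports the fields they share. Everything a connection needs, sequence and acknowledgement numbers, the SYN/ACK flags and the window, exists only in TCP; ports and a checksum exist in both.

```python
import struct

# Constructed sample headers (not captured traffic): the UDP header of a DNS query
# and the TCP header of a SYN to port 80 with no options (data offset 5 = 20 bytes).
SAMPLE_UDP = struct.pack("!HHHH", 40000, 53, 8 + 32, 0x1A2B)
SAMPLE_TCP = struct.pack("!HHIIHHHH", 51000, 80, 0x12345678, 0, (5 << 12) | 0x02, 65535, 0x3C4D, 0)

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]   # bit 0 .. bit 5 of the flags field


def parse_udp_header(data):
    """Parse the fixed 8-byte UDP header (RFC 768): ports, length, checksum. Nothing else."""
    if len(data) < 8:
        raise ValueError("UDP header is 8 bytes")
    src, dst, length, checksum = struct.unpack("!HHHH", data[:8])
    return {"src_port": src, "dst_port": dst, "length": length, "checksum": checksum}


def parse_tcp_header(data):
    """Parse the fixed 20-byte part of a TCP header (RFC 793); options are not decoded."""
    if len(data) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    src, dst, seq, ack, off_flags, window, checksum, urgent = struct.unpack("!HHIIHHHH", data[:20])
    header_len = (off_flags >> 12) * 4              # data offset is in 32-bit words
    if header_len < 20 or header_len > len(data):
        raise ValueError("bad data offset")
    flags = {name: bool(off_flags & (1 << bit)) for bit, name in enumerate(TCP_FLAG_NAMES)}
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack, "header_len": header_len,
            "flags": flags, "window": window, "checksum": checksum, "urgent_ptr": urgent}


def common_fields():
    """Field names present in both headers: the ports and a checksum, nothing connection-related."""
    return set(parse_udp_header(SAMPLE_UDP)) & set(parse_tcp_header(SAMPLE_TCP))


def is_connection_request(tcp):
    """A bare SYN (SYN set, ACK clear) is the first step of the three-way handshake."""
    return tcp["flags"]["SYN"] and not tcp["flags"]["ACK"]
```

The same parser is what a packet filter uses to make its decisions: it can see the port numbers in either protocol, but it can only reason about connection state (a SYN with no ACK, for instance) for TCP.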
 
 
 
 

 
 
 

16. Only one Layer of the OSI Model has no protocols associated with it. Although the standards and 
formatting for multimedia files such as JPEG, GIF, MP4 and other multimedia types are handled at this 
layer, there are no specific protocols. At which Layer of the OSI model is this true? 
 
a. Application Layer (7)  
b. Presentation Layer (6)  
c. Session Layer (5)  
d. Transport (4) 
 
17. Which of the following attacks occurs at Layer 5 of the OSI Reference Model? 
 
a. SYN flood  
b. Smurf attack  
c. Fraggle attack  
d. Session hijack 
 
18. Many websites today use SSL/TLS to protect login pages, but fall back to the standard, unencrypted HTTP 
protocol once the client has been authenticated, so the session cookie is sent in the clear. An attack called 
sidejacking takes advantage of this vulnerability. How can sidejacking be mitigated by the web server? 
 
a. Multi-factor authentication should be required.  
b. Mutual authentication should be required.  
c. The server should use certificates for authentication.  
d. The server should use https:// for all pages that it provides. 
 
Source Video  
Skills Tested: Understanding Layers 5 and 6 of the OSI Reference Model 
 
19.  A  network  administrator  has  been  told  that  employee  performance  has  decreased  in  the  last  few 
months and management is convinced part of the reason for this decrease is that people are spending more 
and  more  time  browsing  websites  that  are  not  necessary  for  work.  What  device  is  needed  to  block 
websites that provide gaming services? 
 

 
 
 

a. An application proxy  
b. A screening router  
c. A stateful firewall  
d. An IDS 
 
20. A junior network administrator has recommended that an application proxy should be the first line of 
defense for traffic coming into the organization’s LAN from the internet. How should you respond? 
 
a. You should agree. Deep packet inspection is necessary to provide the greatest degree of security.  
b. You should disagree. Application proxies are too slow to be the first line of defense and may be better 
suited elsewhere.  
c. You should agree. Application proxies provide thorough inspection very quickly and at lower costs.  
d. You should disagree. Application proxies are too expensive to be used on most networks, and the stated 
requirements can be accomplished at Layer 3. 
 
21. Viruses on the network are increasing at an alarming rate. Management suspects that users are 
downloading files from untrusted websites. Also of concern is that even legitimate websites that users 
must access could become compromised. You want to ensure that only trusted content is downloaded. 
Which of the following rules is most likely to provide the necessary protection without affecting 
necessary business activity? 
a. Block all downloads from the internet.  
b. Configure a rule that does deep packet inspection of outgoing traffic.  
c. Configure a rule that prohibits all downloads, except those files that are digitally signed.  
d. Educate users and remind them of corporate policy regarding file downloads. 
 
Source Video 
Skills Tested: Understanding Application (7) Layer protocols and services. 
 
22. An organization has been hesitant to spend additional money to upgrade its existing infrastructure. 
However, with ever-increasing threats, they’ve decided to ask your advice. They’re considering upgrading 
their existing wireless equipment which they purchased many years ago. These devices were purchased as 
soon as the 802.11g standard was released. What benefit would be gained by moving to 802.11n or 
802.11ac? 
 

 
 
 

a. The later devices are backward compatible with all 802.11 standards.  
b. The newer standards have a shorter range capability natively, so they would be less resistant to 
war-driving.  
c. The 802.11g devices most likely only support WEP or WPA. The newer devices support WPA II.  
d. The 802.11g devices use AES for encryption, while the 802.11n or 802.11ac devices use RC4. 
 
23. When configuring a client system to use WPA II, you are then asked to choose “Personal” or 
“Enterprise.” Choosing WPA II selects how the data will be encrypted, while “Personal” or “Enterprise” 
sets the framework for authentication. What type of authentication would “Enterprise” mode support? 
 
a. RADIUS  
b. Challenge-Response  
c. Kerberos  
d. LDAP 
 
24. WEP can be broken in a mere matter of seconds with today’s technology. Even when it was first 
implemented, it was known that WEP did not provide a high degree of security. After WEP, WPA was 
introduced as a “quick fix.” Even though it didn’t solve many of the existing problems, it offered a slight 
improvement in the length of the initialization vector and key exchange process. However, it wasn’t until 
WPA II that we saw a significant improvement. What was the major improvement from WEP/WPA to 
WPA II? 
 
a. Better performance with WPA II  
b. Self-synchronization with WPA II  
c. A stronger encryption algorithm with WPA II  
d. WPA II uses symmetric encryption whereas WEP/WPA used asymmetric encryption. 
 
Source Video  
Skills Tested: Wireless standards, encryption, and authentication 
 
 
 
 

 
 
 

 
25. As you are considering migrating resources to the cloud, you want to ensure the Cloud Service 
Provider has the ability to provision and de-provision resources in an autonomic manner, such that at each 
point in time the available resources match the current demand as closely as possible. This technique is 
referred to as: 
 
a. Scalability  
b. Elasticity  
c. Availability  
d. Reliability 
 
26. An organization has historically outsourced the management of its IT resources to another company 
for service management and maintenance. They are now considering moving to a cloud-based solution 
and would like to ensure that the network components, such as routers, switches, and storage components 
are all handled by the cloud provider. Which type of cloud framework is this? 
 
a. IaaS  
b. PaaS  
c. SaaS  
d. DRaaS 
 
27. A medical organization has decided that in order to maintain compliance with HIPAA, they would 
need to update their environment. Specifically, in order to be in compliance, they would need to upgrade 
their storage devices and increase their security controls to provide the necessary security to protect their 
patients’ information. Additionally, they do not want to take on any more administrative duties. Among 
other options, they are considering storing their data in the cloud. Which deployment would likely satisfy 
their needs in the most cost-effective manner? 
 
a. Private cloud  
b. Public cloud  
c. Hybrid cloud  
d. Community cloud 
 
Source Video 

 
 
 

Skills tested: Understanding of the different cloud benefits, infrastructures, and frameworks 
 
28. The TCP handshake is a three-way process that allows two hosts to establish a connection. The 3-way 
handshake consists of SYN, SYN-ACK, ACK. When a malicious host sends numerous SYN packets to 
the recipient and never completes the handshake (called a SYN flood), what happens on the recipient? 
 
a. The recipient sends a TCP reset to avoid a DoS (Denial of Service) attack.  
b. As each SYN packet is received, the recipient allocates memory for a half-open connection and holds it 
while waiting for the final ACK that never arrives.  
c. The recipient returns an ACK packet to indicate that the SYNs are received. If there are enough SYN 
packets and return ACK packets, network performance will be degraded.  
d. The recipient will close the port from which the incoming packets are coming as a means of 
self-protection. 
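The question above describes the cost: every SYN that is answered with a SYN-ACK leaves a half-open entry in the listener's backlog until the ACK arrives or the entry times out, and the backlog is finite. The following is an added example, not part of the course material, that models a listener in both the classic mode and with SYN cookies, the standard mitigation: the server encodes a time slot, the client's MSS and a keyed MAC over the 4-tuple into the initial sequence number of its SYN-ACK and keeps no state at all; when the final ACK arrives, the server recomputes the MAC from the ACK number and the addresses and only then allocates the connection. The secret, addresses and the flood are constructed for the example; the cookie layout is a simplified version of the scheme used in practice.

```python
import hashlib
import hmac
import secrets

# Constructed for this example; a real stack uses a random per-boot secret.
COOKIE_SECRET = b"constructed-server-secret"
MSS_TABLE = [536, 1220, 1440, 1460]          # MSS values encodable in the cookie
SERVER = ("198.51.100.10", 80)               # constructed server address


def _mac(client, slot, mss_idx):
    """24-bit HMAC binding the cookie to the 4-tuple, the time slot and the MSS index."""
    msg = f"{client[0]}:{client[1]}>{SERVER[0]}:{SERVER[1]}|{slot}|{mss_idx}".encode()
    return int.from_bytes(hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(client, client_mss, minute):
    """32-bit ISN for the SYN-ACK: 5 bits time slot | 3 bits MSS index | 24 bits MAC."""
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i
    slot = minute & 0x1F
    return (slot << 27) | (mss_idx << 24) | _mac(client, slot, mss_idx)


def check_syn_cookie(cookie, client, minute):
    """Return the encoded MSS if the cookie is genuine and fresh, otherwise None."""
    slot = (cookie >> 27) & 0x1F
    mss_idx = (cookie >> 24) & 0x7
    if ((minute & 0x1F) - slot) & 0x1F > 1 or mss_idx >= len(MSS_TABLE):
        return None                          # stale, or not something we could have issued
    if (cookie & 0xFFFFFF) != _mac(client, slot, mss_idx):
        return None
    return MSS_TABLE[mss_idx]


class Listener:
    """Minimal model of a listening socket's handshake state."""

    def __init__(self, backlog, syn_cookies=False):
        self.backlog = backlog
        self.syn_cookies = syn_cookies
        self.half_open = {}                  # client -> ISN we sent (classic mode only)
        self.established = set()
        self.dropped = 0

    def on_syn(self, client, client_mss=1460, minute=0):
        """Return the ISN placed in our SYN-ACK, or None if the SYN had to be dropped."""
        if self.syn_cookies:
            return make_syn_cookie(client, client_mss, minute)   # no state kept
        if len(self.half_open) >= self.backlog:
            self.dropped += 1                # backlog exhausted: this is the DoS
            return None
        isn = secrets.randbits(32)
        self.half_open[client] = isn         # memory held until the ACK arrives or times out
        return isn

    def on_ack(self, client, ack_num, minute=0):
        """Process the handshake's final ACK; True when the connection is established."""
        if self.syn_cookies:
            if check_syn_cookie((ack_num - 1) & 0xFFFFFFFF, client, minute) is None:
                return False
        else:
            isn = self.half_open.pop(client, None)
            if isn is None or ack_num != (isn + 1) & 0xFFFFFFFF:
                return False
        self.established.add(client)
        return True


def syn_flood(listener, count, minute=0):
    """Constructed flood: spoofed sources send SYNs and never answer the SYN-ACK."""
    for i in range(count):
        listener.on_syn((f"203.0.113.{i % 250 + 1}", 10000 + i), minute=minute)


def demo(syn_cookies):
    """Flood a listener, then check whether a legitimate client can still connect."""
    srv = Listener(backlog=128, syn_cookies=syn_cookies)
    syn_flood(srv, 1000)
    victim = ("192.0.2.7", 40001)            # constructed legitimate client
    isn = srv.on_syn(victim)
    connected = isn is not None and srv.on_ack(victim, (isn + 1) & 0xFFFFFFFF)
    return {"legit_connected": connected, "half_open": len(srv.half_open), "dropped": srv.dropped}
```

Without cookies the flood fills the 128-entry backlog and the legitimate client's SYN is dropped; with cookies nothing is stored per SYN, a forged ACK without a valid MAC is rejected, and the real client still connects. The price is that TCP options not encoded in the cookie are lost for connections established this way, which is why real stacks only switch to cookies once the backlog is under pressure.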
 
29. An older attack called a Smurf attack is a Layer 3 DoS (Denial of Service) using ICMP directed 
broadcasts from a spoofed source address. Later, an attack that was very similar called a Fraggle attack, 
became successful as a DoS. Instead of using ICMP, however, the Fraggle attack used UDP packets. 
Which of the following is true regarding defense against these attacks?  
 
a. Since Fraggle attacks use UDP, they generate many false negatives for Intrusion Detection Systems.  
b. Since Smurfs use ICMP, they are harder to detect than Fraggle attacks. Most Layer3 firewalls can’t 
examine ICMP packets.  
c. Smurf attacks are more likely to be successful than Fraggles because ICMP shouldn't be blocked by the 
firewall. Otherwise, troubleshooting utilities like ping and traceroute will not work.  
d. Fraggle attacks are more likely to be successful than Smurf attacks because blocking UDP at the 
firewall is not practical, as it would prevent many other services from running. 
 
30. A means of redirecting hosts to rogue devices on a network is frequently done through modifying 
information in the cache memory of a system. When a client system is compromised in such a way that its 
table that maps IP addresses to MAC addresses is modified, what type of attack is being used? 
 
a. DNS Pollution  
b. ARP Poisoning  
c. IP Redirection  
d. ARP flood 
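ARP has no authentication, so the host's IP-to-MAC table accepts whatever reply arrives, and the poisoner re-sends its forged replies to keep the cache overwritten. The following is an added example, not part of the course material, of the checks a host-based or sniffer-based ARP monitor applies to a stream of replies: a static binding for the gateway being contradicted, an existing IP-to-MAC binding changing, one MAC claiming several IPs (the gateway-plus-victim pattern of a man-in-the-middle), and a burst of unsolicited replies for one address. The reply records and the trusted binding table are constructed for the example.

```python
from collections import defaultdict

# Constructed ARP replies as a sniffer would hand them over: (timestamp, sender_ip, sender_mac).
ARP_REPLIES = [
    (0.0, "10.0.0.1",  "aa:bb:cc:00:00:01"),   # gateway answers normally
    (0.5, "10.0.0.20", "aa:bb:cc:00:00:20"),   # a workstation
    (1.0, "10.0.0.1",  "aa:bb:cc:00:00:01"),
    (2.0, "10.0.0.1",  "de:ad:be:ef:00:99"),   # gateway IP suddenly claimed by another MAC
    (2.1, "10.0.0.20", "de:ad:be:ef:00:99"),   # same MAC also claims the workstation: MITM pattern
    (2.2, "10.0.0.1",  "de:ad:be:ef:00:99"),   # unsolicited re-sends keep the caches poisoned
    (2.3, "10.0.0.1",  "de:ad:be:ef:00:99"),
]

# Assumption: operator-maintained static bindings for critical hosts such as the gateway.
TRUSTED = {"10.0.0.1": "aa:bb:cc:00:00:01"}


class ArpWatcher:
    """Flags ARP replies that look like cache poisoning."""

    def __init__(self, trusted=None, window=1.0, max_per_window=2):
        self.trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.window = window                 # seconds
        self.max_per_window = max_per_window # replies per IP tolerated inside the window
        self.bindings = {}                   # ip -> mac we currently believe
        self.claims = defaultdict(set)       # mac -> ips it has claimed
        self.recent = defaultdict(list)      # ip -> timestamps of recent replies
        self.alerts = []

    def observe(self, ts, ip, mac):
        mac = mac.lower()
        if ip in self.trusted and self.trusted[ip] != mac:
            self.alerts.append(("static-binding-violation", ip, mac))
        prev = self.bindings.get(ip)
        if prev is not None and prev != mac:
            self.alerts.append(("binding-change", ip, f"{prev} -> {mac}"))
        self.bindings[ip] = mac
        self.claims[mac].add(ip)
        if len(self.claims[mac]) > 1:
            self.alerts.append(("multi-ip-mac", mac, tuple(sorted(self.claims[mac]))))
        times = [t for t in self.recent[ip] if ts - t <= self.window] + [ts]
        self.recent[ip] = times
        if len(times) > self.max_per_window:
            self.alerts.append(("reply-burst", ip, len(times)))

    def run(self, replies):
        for ts, ip, mac in replies:
            self.observe(ts, ip, mac)
        return self

    def alert_kinds(self):
        return {a[0] for a in self.alerts}
```

The first three records are a clean baseline and raise nothing; the rest trip all four rules. In production the same logic runs in tools such as arpwatch or in a switch's dynamic ARP inspection, where the trusted table is fed from DHCP snooping rather than maintained by hand.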

 
 
 

Source Video 
Skills Tested: Network-based attacks and protocol exploits 
 
31. When a client sends a recursive query to a DNS server, that DNS server looks to other name 
resolution servers to help resolve the query. Each time the DNS server learns something from other 
naming servers, it adds that information to its cache. However, if there were rogue DNS servers 
responding, that information may be compromised. What security mechanism can DNS servers use to get 
a reasonable assurance that the servers they are querying are legitimate and authorized servers? 
 
a. Configure the “Secure Cache from Poisoning” option in DNS properties.  
b. Use DNSSEC  
c. Use IPSec for authentication  
d. Disable recursion 
 
32.  In  a  security  awareness  training  class,  the trainer mentioned the term “rootkit” and explained that this 
was  a  type  of  malware  that  can  be  difficult  to  detect  and  to  eradicate from a system, as it installs itself at 
the  same layer as the operating system kernel. If you detect a rootkit on your system, what steps should be 
taken to remove it with the least effort? 
 
a. Restore your data from backup.  
b. Fully restore your system from backup.  
c. Format the system, restore operating system from backup then restore the data from backup.  
d. Format the system, re-install the operating system from original media, and then restore data from 
backup. 
 
33.  Even  though  performance  was  typical  and  there  was  no  indication  of  any  problems  on  Friday 
afternoon,  on  Monday  morning,  network  utilization  was  at  98%.  What  type  of  malware  has  most  likely 
caused this severe degradation of network availability? 
 
a. Virus  
b. Worm 
c. Logic Bomb  
d. Teardrop 
 

 
 
 

Source Video 
Skills Tested: Understanding mitigating techniques for common network attacks 
 
34. A packet-filtering firewall can make decisions on which of the following type of information? 
 
a. IP address, port number, and protocol  
b. Hostnames, usernames, and content  
c. IP addresses, content, signature files  
d. Context of protocols and session information 
 
35.  NAT  devices  provide  the  ability  to  hide  an  organization’s  internal  IP  addresses  from  the  untrusted 
entities  on  the  internet.  The  NAT  device intercepts the outgoing packet, strips its true source address, and 
replaces  that  address  with  the  IP  address of the external interface of the NAT device. Based on how NAT 
operates,  it  is  incompatible  with  a  particular  sub-protocol  of  IPSec.  With  which  sub-protocol  is  NAT 
incompatible? 
 
a. IKE  
b. ISAKMP 
c. AH  
d. ESP 
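The reason for the incompatibility is exactly what the question describes: AH's integrity check value is computed over the immutable fields of the IP header, including the source and destination addresses, so a NAT device that rewrites the source address invalidates the ICV and the receiving peer discards the packet. ESP's ICV covers only the ESP header and payload, so it survives the rewrite. The following is an added example, not part of the course material, that models both cases with a constructed SA key, constructed addresses and a truncated HMAC in place of a full IPsec implementation; mutable header fields (TTL, header checksum) that AH zeroes before hashing are left out.

```python
import hashlib
import hmac
import ipaddress
import struct

# Assumption: a symmetric integrity key negotiated for the SA by IKE; constructed here.
SA_KEY = b"constructed-sa-integrity-key"


def _icv(msg):
    """HMAC-SHA-256 truncated to 96 bits, the usual IPsec integrity-algorithm output size."""
    return hmac.new(SA_KEY, msg, hashlib.sha256).digest()[:12]


def ah_icv(src_ip, dst_ip, spi, seq, payload):
    """AH authenticates the IP header's immutable fields (here: both addresses)
    together with the AH header fields and the payload."""
    hdr = ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
    return _icv(hdr + struct.pack("!II", spi, seq) + payload)


def esp_icv(spi, seq, payload):
    """ESP's ICV covers only the ESP header and the (encrypted) payload, not the outer IP header."""
    return _icv(struct.pack("!II", spi, seq) + payload)


def build(proto, src_ip, dst_ip, payload, spi=0x1000, seq=1):
    """Sender side: attach the ICV the chosen protocol defines."""
    pkt = {"proto": proto, "src": src_ip, "dst": dst_ip, "spi": spi, "seq": seq, "payload": payload}
    if proto == "AH":
        pkt["icv"] = ah_icv(src_ip, dst_ip, spi, seq, payload)
    else:
        pkt["icv"] = esp_icv(spi, seq, payload)
    return pkt


def nat_rewrite(pkt, public_ip):
    """A source-NAT device replaces the private source address and forwards the packet."""
    out = dict(pkt)
    out["src"] = public_ip
    return out


def peer_verifies(pkt):
    """The receiving IPsec peer recomputes the ICV over what it actually received."""
    if pkt["proto"] == "AH":
        expected = ah_icv(pkt["src"], pkt["dst"], pkt["spi"], pkt["seq"], pkt["payload"])
    else:
        expected = esp_icv(pkt["spi"], pkt["seq"], pkt["payload"])
    return hmac.compare_digest(expected, pkt["icv"])


def send(proto, through_nat):
    """Send one packet from a private host to a peer, optionally through a NAT device."""
    private, public, peer = "192.168.1.10", "203.0.113.5", "198.51.100.20"   # constructed addresses
    pkt = build(proto, private, peer, b"constructed payload")
    if through_nat:
        pkt = nat_rewrite(pkt, public)
    return peer_verifies(pkt)
```

ESP in transport mode still has a smaller problem with NAT, because the TCP/UDP checksum under the encryption covers the original address and a port-rewriting NAT cannot see the ports at all; NAT traversal (NAT-T, UDP encapsulation of ESP) exists for that case. AH has no such workaround, which is why it is the answer here.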
 
36.  A  security  administrator  wants  to  monitor  his  internal  users  and  determine  which  sites  they  visit. He 
also  wants  to  restrict  certain  users’  access  to  particular  sites  after  5  pm  and  to  ensure  that  users  do  not 
have access to pages with violent content. Which type of firewall should he implement? 
 
a. Dynamic 
b. Stateful  
c. Application Proxy  
d. Circuit level Proxy 
 
Source Video 
Skills Tested: Understand the different types of firewalls and NAT devices and their capabilities. 
 

 
 
 

37. Many older types of WAN connections utilized circuit-switching technology that provided access to 
the phone provider’s networks. With circuit switching, packets follow the same path all the way from 
source to destination. However, many more modern WAN technologies divide traffic into “chunks,” and 
each “chunk” finds its own best path to the destination, with the idea that the fastest path at the beginning 
of the communication is not necessarily the fastest path later. What is the technology called? 
 
a. Frame routing  
b. Packet Switching  
c. Block sourcing  
d. Directional forwarding 
 
38. Though analog and digital are two different signaling types, we've always wanted to have these two 
disparate signals use the same cable. In the past, we used modems to convert the digital signal from 
our computers to analog, in order to allow computers to communicate across analog phone lines. Now 
that phone lines are digital, we want analog voice to run across digital lines (VOIP, or IP Telephony). 
What is the greatest security threat on a VOIP network? 
 
a. Smurf attacks  
b. Toll Fraud  
c. Spam  
d. Eavesdropping 
 
39. In organizations that have a large amount of VOIP traffic, QoS (Quality of Service) is very important. 
VOIP traffic can place high demands on available bandwidth. Which of the following WAN technologies 
provides QoS and prioritization for data packets? 
 
a. Frame Relay  
b. FIOS  
c. MPLS  
d. DSL 
 
Source Video 
Skills tested: Understand the basic concepts behind WAN connectivity  
 
 
 

Domain 5 Identity and Access Management 
 
1. In the realm of security, most people first think of malicious threats to their systems. However, when 
we consider the three tenets of security: Confidentiality, Integrity, and Availability, we realize that 
environmental issues could render a system unavailable quite easily. Which of the following would help 
control the environment in which servers are stored? 
 
a. Hot/Cold aisles  
b. Drop ceilings  
c. High humidity  
d. High temperature 
 
2. Just as in logical security, an important idea in the world of physical security is security by design. 
CPTED (Crime Prevention through Environmental Design) presents four concepts that help an 
organization secure their facility by choosing secure materials and environmental surroundings to secure a 
physical building. Which of the following would be an aspect of CPTED? 
 
a. Using surveillance cameras to detect threats  
b. Implementing fencing and lighting  
c. Planting bushes underneath windows  
d. Security through obscurity 
 
3. Physical security must be both proactive and reactive. It is important to deter and prevent intruders, but 
we know that determined intruders can circumvent any system if they have the resources. In that instance, 
detective and corrective controls help us discover and recover from a successful breach. Which of the 
following is a detective control? 
 
a. Fence  
b. Burglar alarm  
c. “Beware of Dog” sign  
d. Lighting 

 
 
 

Source Video 
Skills Tested: Control physical and logical access to assets 
 
4. The decision to use simple password-based authentication can expose an organization to numerous 
threats. Users write down passwords, reuse them, and unfortunately share them with others. Which of the 
following would allow an administrator to enforce passwords of a certain complexity and lifespan? 
 
a. Access control lists  
b. Group policy  
c. Firewall rules  
d. Password policies 
 
5. Often in applications that allow a password reset function, cognitive passwords are used to get a 
reasonable verification of a user’s identity. Which of the following would be considered a cognitive 
password? 
 
a. P@$$w0rd  
b. Mother's maiden name  
c. Last four digits of a credit card  
d. Account number 
 
6. Often social engineers find it infinitely easier to trick someone into giving away their password than to 
crack that password. However, in the event that social engineering does not work, there are technical tools 
that are very successful. Which of the following revolutionized the speed with which a password can be 
broken? 
 
a. Brute force attacks  
b. Hybrid attacks  
c. Rainbow tables  
d. Dictionary attacks 
 
Source Video  
Skills Tested: Understand the IAAA of access control and Type I authentication 
techniques. 

 
 
 

 
7. Type II authentication is based on something a user has. What the user has can be a physical or 
technical possession. Which of the following is a technical Type II means of authentication? 
 
a. Public key  
b. Password  
c. Cookie  
d. Thumbprint 
 
8. The only mathematically unbreakable form of cryptography is the one-time pad, based on the Vernam cipher 
created by Gilbert Vernam in the early 1900s. One-time keys and passwords are very valuable because they 
eliminate an attacker's chance of reusing captured passwords or keys. However, asking users to change 
their passwords each time they log in would not be received well. How can one-time passwords be 
implemented in today's environments? 
 
a. Using group policy, configure the system to assign a random password to the user for each login.  
b. Provide users with token devices that display a different set of characters every sixty seconds.  
c. Implement the use of certificates within your organization.  
d. Use Smart cards for login. 
 
9. Though there are many ways that users authenticate today, multi-factor authentication provides the 
strongest form of authentication. Which of the following environments implements multi-factor 
authentication? 
 
a. A user is required to log in with a smart card.  
b. A user is required to show both a passport and a driver's license.  
c. A user is required to log in with a password and a thumbprint.  
d. A user is required to provide both an iris scan and a retina scan. 
 
Source Video  
Skills Tested: Understand the various kinds of Type II Authentication 
 
 

 
 
 

10. An organization has asked for your consulting services in order to help them implement a biometric 
system for authentication prior to being allowed to access to data. What should you recommend as the 
strongest form of authentication? 
 
a. Iris scanning system  
b. Retina scanning system  
c. Thumbprint and password  
d. Palm scanning system 
 
11. An organization wants to implement a biometric system but doesn’t know enough to make a good 
decision. What is of least concern when choosing a biometric system to implement? 
 
a. Cost  
b. User acceptance  
c. Technology type  
d. Accuracy 
 
12. In configuring the settings on a fingerprint reader, you've determined that protecting your network 
from intruders is your first priority. Therefore you want to ensure that there is an extremely low 
likelihood of an illegitimate user gaining access. What should you configure? 
 
a. Low FAR (False Acceptance Rate)  
b. Low FRR (False Rejection Rate)  
c. High FAR  
d. High FRR 
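FAR and FRR are not independent knobs: both are functions of the single match threshold the reader is configured with, and pushing one down pushes the other up. The following is an added example, not part of the course material, that computes both rates across every threshold from a constructed set of matcher scores (genuine users against their own template, impostors against that template), finds the crossover (CER/EER) point that vendors quote, and then answers the question's actual task: pick the lowest threshold that meets a FAR target and show the FRR that choice costs. The scores are invented for the example; real matchers produce them in their own units.

```python
# Constructed matcher scores (0..100, higher = more similar), not real biometric data.
GENUINE = [88, 91, 79, 95, 84, 72, 90, 86, 68, 93]    # enrolled users against their own template
IMPOSTOR = [20, 35, 55, 41, 62, 30, 48, 70, 25, 58]   # other people against that template


def far(impostor_scores, threshold):
    """False Acceptance Rate: share of impostor attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False Rejection Rate: share of genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def sweep(genuine_scores, impostor_scores):
    """(threshold, FAR, FRR) for every possible threshold setting."""
    return [(t, far(impostor_scores, t), frr(genuine_scores, t)) for t in range(0, 101)]


def crossover(genuine_scores, impostor_scores):
    """Threshold where FAR and FRR are closest: the CER/EER used to compare systems."""
    return min(sweep(genuine_scores, impostor_scores), key=lambda r: abs(r[1] - r[2]))


def threshold_for_max_far(genuine_scores, impostor_scores, max_far):
    """Lowest threshold that keeps FAR at or below the target, and the FRR you pay for it.

    Raising the threshold is monotone: FAR can only fall and FRR can only rise,
    so the first threshold that satisfies the target is the one with the least FRR.
    """
    for t, fa, fr in sweep(genuine_scores, impostor_scores):
        if fa <= max_far:
            return t, fa, fr
    return None
```

With these scores, a FAR of zero is reachable only at threshold 71, where one legitimate user in ten is rejected; the crossover sits at 69 with both rates at 10 percent. That trade is the content of the question: a security-first configuration accepts a higher FRR (and the help-desk load that comes with it) in exchange for a low FAR.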
 
Source Video  
Skills Tested: Understand the specifics of Type III authentication 
 
 
 
 
 

 
 
 

13. One of the many benefits of using Kerberos for network authentication is that the users’ passwords 
don’t traverse the network during the authentication process. Without sending the password to the 
authentication server, how does the client prove the correct password was entered? 
 
a. The client sends its digitally signed certificate to the authentication server.  
b. The client's password is verified locally, and the verification information is sent to the authentication 
server.  
c. The server challenges the client by encrypting a ticket with the user’s password. If the password was 
entered correctly, the client is able to decrypt the ticket.  
d. The client sends a challenge to the server. The server responds to the challenge with a session key that 
can only be decrypted with the client’s private key. 
 
14. Kerberos is a ticket-based authentication protocol that many network operating systems use. 
The client is granted a TGT (Ticket Granting Ticket) if it authenticates properly. Next, the client requests 
a ticket from the TGS (Ticket Granting Service). What is the most important information contained in a 
ticket? 
 
a. Two copies of the exact same session key  
b. The digital signature of a trusted authority  
c. A single session key  
d. An authentication token for access to a system 
 
15. When a user logs on to a Windows environment, they receive an authentication token. What 
information is included in an authentication token? 
 
a. The user’s digital certificate  
b. The user’s list of accessible hosts  
c. The user’s access control lists  
d. The user’s group memberships 
 
Source Video  
Skills Tested: Understand the concepts of Kerberos and SSO (Single Sign On) 
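Questions 13 and 14 above both turn on where keys live in Kerberos: the client proves the password by being the only party able to decrypt the AS reply (which was sealed under a key derived from that password), and every ticket carries a session key in two copies, one inside the ticket for the service and one in a part the client can read. The following is an added example, not part of the course material and not real Kerberos, that walks the AS exchange, the TGS exchange and the final presentation to a service with a deliberately small toy cipher (SHA-256 keystream plus HMAC tag) standing in for the AES encryption types; the realm, principals, password and clock values are constructed. The point is which key opens what, not the cipher.

```python
import hashlib
import hmac
import json
import secrets

REALM = "EXAMPLE.COM"      # constructed realm
CLOCK_SKEW = 300           # seconds; Kerberos rejects authenticators outside this window


# Toy authenticated cipher for illustration only (SHA-256 keystream + HMAC tag).
# Real Kerberos uses AES-based encryption types; the lesson is the key usage, not the cipher.
def _keystream(key, nonce, length):
    blocks = (length // 32) + 1
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(blocks))


def seal(key, obj):
    """Encrypt-then-MAC a JSON object under key."""
    nonce = secrets.token_bytes(16)
    pt = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Return the object, or raise ValueError if the key is wrong or the blob was modified."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed (wrong key or modified data)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def string2key(password, principal):
    """Derive the long-term key from the password ('string-to-key'); the KDC stores only this."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), f"{REALM}{principal}".encode(), 10_000)


class KDC:
    def __init__(self):
        self.krbtgt_key = secrets.token_bytes(32)   # key of the ticket-granting service itself
        self.user_keys, self.service_keys = {}, {}

    def add_user(self, name, password):
        self.user_keys[name] = string2key(password, name)

    def add_service(self, name):
        self.service_keys[name] = secrets.token_bytes(32)
        return self.service_keys[name]              # what the service keeps in its keytab

    def as_exchange(self, user, now):
        """AS-REP: a TGT sealed under the krbtgt key plus the session key sealed under the user's
        key. Nothing here required the client to send its password."""
        sk1 = secrets.token_bytes(32).hex()
        expires = now + 8 * 3600
        tgt = seal(self.krbtgt_key, {"client": user, "key": sk1, "expires": expires})
        return tgt, seal(self.user_keys[user], {"key": sk1, "expires": expires})

    def tgs_exchange(self, tgt, authenticator, service, now):
        """TGS-REP: the service ticket and the client's copy of the new session key."""
        t = unseal(self.krbtgt_key, tgt)
        if t["expires"] < now:
            raise PermissionError("TGT expired")
        a = unseal(bytes.fromhex(t["key"]), authenticator)   # proves the client holds sk1
        if a["client"] != t["client"] or abs(a["time"] - now) > CLOCK_SKEW:
            raise PermissionError("bad authenticator")
        sk2 = secrets.token_bytes(32).hex()
        ticket = seal(self.service_keys[service],
                      {"client": t["client"], "key": sk2, "expires": t["expires"]})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": sk2, "service": service})


def client_login(kdc, user, password, now):
    """Prove the password by being able to open the AS-REP; raises ValueError if it is wrong."""
    tgt, enc_part = kdc.as_exchange(user, now)
    creds = unseal(string2key(password, user), enc_part)
    return tgt, bytes.fromhex(creds["key"])


def password_accepted(kdc, user, password, now):
    try:
        client_login(kdc, user, password, now)
        return True
    except ValueError:
        return False


def client_get_ticket(kdc, user, tgt, sk1, service, now):
    authenticator = seal(sk1, {"client": user, "time": now})
    ticket, enc_part = kdc.tgs_exchange(tgt, authenticator, service, now)
    return ticket, bytes.fromhex(unseal(sk1, enc_part)["key"])


def service_accepts(service_key, ticket, authenticator, now):
    """The service never contacts the KDC: its own key opens the ticket, and the session key
    found inside opens the authenticator."""
    t = unseal(service_key, ticket)
    try:
        a = unseal(bytes.fromhex(t["key"]), authenticator)
    except ValueError:
        return False
    return a["client"] == t["client"] and t["expires"] >= now and abs(a["time"] - now) <= CLOCK_SKEW
```

Two properties worth noticing in the code: a wrong password does not produce an error from the KDC, the client simply cannot open what it received (which is also why pre-authentication was added to real Kerberos, since an attacker could otherwise collect AS replies to attack offline), and the service learns the session key only by decrypting the ticket with its own key, so a ticket captured on the wire is useless without that key.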
 

 
 
 

 
16. A member of the Human Resources team frequently assists with payroll. She is granted full access to 
all payroll information during the workday. However, after 5 pm she is restricted and has no access at all. 
What type of access control is this? 
a. Content-based control  
b. Context-based control  
c. Constrained interface  
d. Access control list 
 
17. A senior network administrator creates a “toolbox” of technical tools for his junior trainee. 
These  tools  can  be used to administer the network. The senior admin has limited the toolbox to only those 
utilities he wants the junior admin to have access to. This is an example of what type of restriction? 
 
a. Content-based  
b. Context-based  
c. Constrained interface  
d. Access control list 
 
18. Which of the following is the most basic type of firewall that is still capable of using rule-based 
access control? 
 
a. Circuit Proxy  
b. Proxy server  
c. Packet filtering firewall  
d. Web application firewall 
 

Source Video 
Skills Tested: Different ways to control access to network resources 
 
 
 
 

 
 
 

19. The IEEE (Institute of Electrical and Electronics Engineers) 802.1X standard, which carries EAP over LAN 
(EAPoL), defines a port-based access control model with three elements. What are those three elements? 
 
a. Client, network access server, authentication server  
b. Supplicant, authenticator, authentication server  
c. Applicant, supplicant, authenticator  
d. Client, authenticator, LDAP server 
 
20. RADIUS offers centralized authentication for access to a network. A benefit of having centralized 
access is greater consistency, and ease of administration. However, some environments work better in a 
decentralized environment. Which of the following is a benefit of decentralized access? 
 
a. Security  
b. Easier distribution  
c. Granularity  
d. Scalability 
 
21. PAP (Password Authentication Protocol) is an obsolete protocol that provided password-based 
authentication but sent the password across the network in plaintext. PAP was replaced by CHAP 
(Challenge Handshake Authentication Protocol). Which of the following is the benefit of CHAP? 
 
a. CHAP offers better performance.  
b. The password is encrypted as it travels the network.  
c. CHAP can support smart cards and other means of authentication.  
d. The password never travels the network 
 
Source Video  
Skills Tested: Understand the significance and function of authentication protocols and central 
authentication servers 
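The CHAP question is easiest to answer by looking at what actually crosses the link. The following is an added example, not part of the course material, that implements the RFC 1994 exchange (Response = MD5(Identifier || secret || Challenge)) with a constructed shared secret, builds a PAP Authenticate-Request for contrast, and then checks two things over the captured packets: the secret never appears on the wire, and a captured Response cannot be replayed because each challenge is single-use.

```python
import hashlib
import hmac
import secrets

# Assumption: the shared secret is provisioned on both peers out of band and never sent.
SHARED_SECRET = b"constructed-shared-secret"


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def pap_request(peer_id, password):
    """RFC 1334 PAP Authenticate-Request: the password itself is the payload."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return [("Authenticate-Request", 1, body)]


class Authenticator:
    """The server side: issues single-use challenges and checks responses."""

    def __init__(self, secret):
        self.secret = secret
        self.outstanding = {}            # identifier -> challenge bytes

    def challenge(self):
        identifier = secrets.randbelow(256)
        value = secrets.token_bytes(16)
        self.outstanding[identifier] = value
        return identifier, value

    def verify(self, identifier, response):
        value = self.outstanding.pop(identifier, None)   # a challenge is good for one response
        if value is None:
            return False
        return hmac.compare_digest(response, chap_response(identifier, self.secret, value))


def run_exchange(peer_secret, auth):
    """One CHAP round; returns (success, packets an eavesdropper on the link would see)."""
    identifier, value = auth.challenge()
    response = chap_response(identifier, peer_secret, value)
    ok = auth.verify(identifier, response)
    return ok, [("Challenge", identifier, value), ("Response", identifier, response)]


def secret_on_wire(secret, packets):
    """True if the secret appears verbatim in any captured packet body."""
    return any(secret in body for _, _, body in packets)


def replay(auth, packets):
    """Re-send a captured Response: fails because the matching challenge was consumed."""
    _, identifier, response = packets[1]
    return auth.verify(identifier, response)
```

The secret never travels, which is the answer to the question, but note the limit: anyone who captures a challenge/response pair can test candidate secrets offline at MD5 speed, so CHAP is only as strong as the secret. That weakness, and MS-CHAPv2's well-known version of it, is why EAP methods that use certificates (EAP-TLS) or a TLS tunnel are preferred today.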
 
 
 
 
 
 
 

22. An organization that processes highly confidential information is concerned about data leakage from 
their laptop systems. In order to prevent this leakage of information, what should you do? 
 
a. Encase the systems in heavy metal to absorb the signal.  
b. Ensure the laptops are not using CRTs.  
c. Unplug the laptops when not in use.  
d. Ensure no one is within 30 feet, as that is the limit for data emanations. 
 
23. TEMPEST was a government study from the 1950s designed to analyze emanations from 
devices and subsequently to prevent eavesdroppers and attackers from gaining information from this type 
of analysis. As a result of this study, several suggestions were made for preventing sensitive information 
from being leaked. Which of the following is NOT recommended as part of TEMPEST? 
 
a. Data encryption  
b. Control zones  
c. White noise  
d. Faraday cages 
 
Source Video  
Skills Tested: Understand the threats associated with data emanations 
 
24. As identity management continues to become more complex, and as users need access to more 
systems, IDaaS (Identity as a Service) is becoming increasingly popular. Which of the following is NOT a 
benefit of managing identity solutions in the cloud? 
 
a. IDaaS allows users to have fewer usernames and passwords to remember.  
b. Identity service providers are required to be in compliance with government standards, so there is the 
assurance that information is protected.  
c. IDaaS provides centralized management of usernames and passwords.  
d. IDaaS makes it easy to remove the credentials of a user when he leaves the organization. 
 
 
 

 
 
 

25. Typically, with IDaaS (Identity as a Service), where is the LDAP/Active Directory database most 
likely to be stored? Choose the best answer from below. 
 
a. On the clients’ computers  
b. On each server to be accessed  
c. On the organization’s internal network  
d. In the cloud 
 
26. Which of the following is an XML-based, open standard data format for exchanging authentication 
and authorization data between an identity provider and a service provider? 
 
a. SPML  
b. XML  
c. LDAP  
d. SAML 
 
Source Video  
Skills Tested: Identity as a service 
 
27. User account provisioning is best described as: 
a. The business process for creating and managing access to resources in an information technology (IT) 
system  
b. Creating federated trusts to allow authentication tokens to be passed from one domain to another  
c. Securing the user environments through group policy management  
d. Implementing authentication strategy for users. 
 
28. As part of the Identity Provisioning Lifecycle, an Identity Policy must be created. What information 
would normally be contained as part of an organization’s Identity Policy? 
a. How users are granted credentials based on their identities  
b. Which types of authentication users will be required to use  
c.  How  a  user’s  identification  is  verified  and  screened  before  the  user  is  granted  an  account  and 
credentials 
d. How the identities of users are protected and how disclosure is prevented 

 
 
 

 
29. A user’s manager requests access to various systems for a new employee in his department. After the 
individual is approved and access granted, the requests are stored and will be used in future audits. What 
type of provisioning model does this scenario follow? 
 
a. Role-based  
b. Rule-based  
c. Request-based  
d. Identity-based 

 
 
 

Domain 6 Security Assessment and Testing 
 
1. As part of a yearly audit, you are required to conduct a review of the security controls implemented on 
your network and to ensure that known security vulnerabilities have been mitigated. You’ve been told that 
due to the critical nature of your business, your review must have a minimal effect on the network’s 
performance, as well as the performance on any individual systems. What type of test should be 
conducted in order to meet these requirements? 
 
a. Penetration test  
b. Vulnerability assessment  
c. Process review  
d. Gap analysis 
 
2. Bob is hired to conduct a penetration test for a local organization. After Bob had conducted a 
penetration test on a critical server, he learned that management was furious that performance was 
degraded during key business hours. Which document would have made clear which systems should have 
been tested and the acceptable times and techniques to be used? 
 
a. Rules of engagement  
b. Concept of operations  
c. Statement of work  
d. Exception reports 
 
3. What is the purpose of a “full knowledge” penetration test? 
 
a. To determine if an attacker can gain full knowledge of the network from external sources  
b. To determine if full knowledge of a system can lead to a greater network compromise  
c. To determine if controls are in place to protect the organization in the event that an administrator 
attempts to compromise the network  
d. To determine the minimum amount of information that would need to be collected to obtain full 
knowledge of resources within a network.  

 
 
 

Source Video 
Skills Tested: Understand vulnerability assessments and penetration tests at a high level 
 
4. Your company has been selected to conduct a vulnerability assessment and penetration test for a 
medium-sized organization. Which step should be taken first before proceeding? 
 
a. Get management’s approval for the test in writing.  
b. Determine which tools you will use.  
c. Begin with social engineering attacks, as employees are usually the easiest pathway onto a network.  
d. Meet with management and determine the goals of the penetration test. 
 
5. Penetration testers attempt to find weaknesses in systems just as attackers do. Often an attacker starts 
with no knowledge of the network and is forced to perform reconnaissance in order to learn information 
from publicly available sources. Which of the following is NOT likely to be found from publicly 
available sources? 
 
a. Office Locations  
b. Phone numbers of other locations  
c. Names of managers  
d. Internal IP addressing schemes 
 
6. An attacker has intercepted a DNS zone transfer in the hopes of finding which hosts are running critical 
services such as Active Directory, Kerberos, Mail Services, etc. What is the name of the technique which 
gathers information about the network? 
 
a. Fingerprinting  
b. Footprinting  
c. Reconnaissance  
d. Escalation 
 
Source Video  
Skills Testing: Understanding of the steps and procedures used in conducting a penetration test 
 

 
 
 

7. A network administrator wants to ensure that there is no improper access to his company’s web server, 
so he sets up a honeypot to distract attackers from legitimate company resources. He has designed a fake 
website that advertises “free music downloads” to those that access the page. When users access the page, 
they are then reported to law enforcement for accessing a system without the appropriate permissions. 
What can be said of this practice? 
 
a. It is a good security practice, and the administrator is likely to catch numerous attackers.  
b. It is a good security practice because it “nudges” attackers in the direction to compromise the system so 
that they can be caught.  
c. It is a poor security practice and an example of entrapment.  
d. It is a poor security practice as attackers will not be interested in downloading free music if they are 
looking for company information. 
 
8. Similar to a honeypot, some applications are written with apparent vulnerabilities that are actually 
designed by the developer. These apparent loopholes are designed to trap an attacker and thus, provide 
greater protection for the system. What are these vulnerabilities called? 
 
a. Honey-app  
b. Virtual application  
c. Maintenance hook  
d. Pseudo-flaw 
 
9. As a detective measure, your organization has decided to implement a honeypot. You would like to 
gain insight into the tools and techniques that attackers are using. However, you know that a risk of using 
a honeypot is that they may become compromised and used to gain access to protected resources. Given 
the above information, where should your honeypot be placed? 
 
a. Inside the DMZ  
b. The company’s internal network  
c. Outside the company’s firewall  
d. Inside the company’s firewall 
 
Video Source 
Skills tested: Understanding the placements, purpose, and risks associated with honeypots 

 
 
 

10. A security technician is complaining that he has spent the majority of his afternoon responding to 
alerts from his intrusion detection system. The company has incorporated a new application that is 
generating requests that the IDS does not recognize, and therefore assumes that they are malicious in 
nature. What type of analysis engine is likely being used? 
 
a. Pattern matching  
b. Profile matching  
c. Host-based  
d. Network-based 
 
11. Because of the number of false positives created by the IDS previously used by your organization, 
you’ve decided to use a signature-based system. Which of the following characteristics is NOT true of 
signature-based IDS? 
 
a. Signature-based systems must update their signature files frequently or risk becoming outdated.  
b. Signature-based systems are less likely to create false positive alerts than behavior-based systems.  
c. Signature-based systems are particularly good at detecting zero-day attacks.  
d. Signature-based systems can be fooled by polymorphic code. 
 
12. Which of the following best describes how an anomaly-based analysis engine detects an attack? 
 
a. The IDS compares the network activity to a known attack.  
b. The IDS looks for patterns of behavior that seem suspicious.  
c. The IDS evaluates network activity against a baseline.  
d. The IDS uses rules manually configured by a network administrator. 
 
Source Video 
Skills tested: Understand the analysis engines that provide IDS/IPS to identify potential attacks. 
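Questions 10 through 12 contrast a pattern-matching (signature) engine with an anomaly (baseline) engine. The example below is added here for this guide and is not code from the course; it runs both engines over constructed sample requests and a constructed requests-per-minute baseline. The signature list, regular expressions, alert threshold (mean plus three standard deviations) and sample data are all assumptions. The point to watch is the novel request from a newly deployed application: it matches no signature (the zero-day blind spot in question 11) but trips the anomaly engine when its traffic rate departs from the baseline (the false-positive situation in question 10).

```python
import re
from statistics import mean, pstdev

# Known-bad request patterns (constructed for this example, not a real signature set).
SIGNATURES = {
    "sql-injection": re.compile(r"(?i)(?:'|%27)\s*(?:or|and)\s+\d+\s*=\s*\d+"),
    "path-traversal": re.compile(r"(?:\.\./){2,}"),
}


def signature_engine(request: str) -> list:
    """Pattern matching: alert only when a request matches a stored signature."""
    return [name for name, rx in SIGNATURES.items() if rx.search(request)]


def anomaly_engine(baseline: list, observed: float, k: float = 3.0) -> bool:
    """Baseline comparison: alert when the observed rate exceeds mean + k * stddev.
    The baseline is learned from 'normal' traffic; anything new looks suspicious."""
    mu, sigma = mean(baseline), pstdev(baseline)
    return observed > mu + k * sigma


# Constructed sample: requests per minute from one client during normal use.
BASELINE_RPM = [40, 42, 38, 45, 41, 39, 44, 40, 43, 42]

# Constructed sample requests.
REQUESTS = {
    "login": "GET /login?user=alice",
    "sqli": "GET /item?id=1' OR 1=1",
    "traversal": "GET /dl?file=../../etc/passwd",
    "novel": "GET /api/v2/sync?cursor=Zm9v",  # new benign application; no signature exists
}


def assess(request: str, observed_rpm: float) -> dict:
    """Run both engines on one request and the rate at which it was seen."""
    return {
        "signature": signature_engine(request),
        "anomaly": anomaly_engine(BASELINE_RPM, observed_rpm),
    }


if __name__ == "__main__":
    for name, req in REQUESTS.items():
        print(name, assess(req, 300 if name == "novel" else 45))
```

Tuning the anomaly engine means either widening `k` (fewer alerts, more missed attacks) or retraining the baseline after the new application is rolled out; the signature engine needs a new signature before it will ever alert on the novel request.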
 
13. While conducting a penetration test, you discover a significant security vulnerability that could allow 
an attacker to compromise the passwords of the payroll database and gain access to sensitive information. 
What should you do? 
 

 
 
 
a. Research and apply a corrective means for this vulnerability.  
b. Follow the procedures in the Rules of Engagement document.  
c. Stop testing and immediately report the flaw to management.  
d. Contact the payroll system administrator and pull the system offline immediately. 
 
14. Your organization uses an internal addressing scheme on the 10.x.x.x network. This was chosen 
because the 10.x.x.x network consists of internal private IP addresses. When analyzing your IDS logs for 
suspicious activity, you notice that traffic is leaving your network from an external source IP address. 
What might this indicate? 
 
a. Your network is being used to launch a downstream attack.  
b. A denial of service attack directed at your network.  
c. An external host is using a spoofed source address.  
d. Employees are bypassing the proxy by manually configuring their IP addresses. 
 
15. Upon completion of a penetration test for a new client, you provide them with your findings in a 
report. The main contact at the client company says that the report is too technical for him to understand 
and he would like the information in “plain language” that is easy to understand. To what section of your 
report should you refer him? 
 
a. Scope Statement  
b. Executive Summary  
c. Attack Narrative  
d. Metrics 
 
Source Videos: One / Two  
Skills tested: Analyze and report test outputs 
 
 
 
 
 

 
 
 

Domain 7 Security Operations PART 1 
Investigations and Daily Processes 
 
1. After weeks of training, you have just joined your company’s forensics investigation team. You’ve 
been asked to investigate a system that has possibly been compromised. You are the first member of the 
team to access the system in question. As the first person on the scene, what is your top priority? 
 
a. Begin investigations immediately so that no time is lost.  
b. Reboot the system to terminate the attack.  
c. Search the date and time stamps and determine if any new applications or processes have been installed 
recently.  
d. Focus on ensuring that the evidence is preserved and start the chain of custody. 
 
2. In evidence collection, we must work from most volatile to least. Volatility describes the capability of 
the evidence to change or become lost—often due to system shutdown or loss of power. Which of the 
following elements would be most volatile? 
 
a. RAM  
b. CPU registers  
c. Virtual memory  
d. Hard drive 
 
3. In computer forensics what is an important requirement of evidence collection? 
 
a. The analysis should begin the moment evidence is identified.  
b. Anyone who discovers evidence can begin the process or collection and examination.  
c. Evidence should not be modified as a result of the collection. 
d. The analysis should be performed on the original system or device whenever possible, as it is more 
likely to be admissible in court. 
 
Source Video 

 
 
 

Skills Tested: Understand the purpose and process of forensics investigations 


 
4. Your organization purchased a server from a vendor who provided a signed SLA guaranteeing 
performance metrics. Within the warranty provided by the SLA, the server failed, and the vendor refused 
to meet their obligations. What type of evidence would describe a signed SLA? 
 
a. Real evidence  
b. Hearsay  
c. Best evidence  
d. Direct evidence 
 
5. Your client’s sensitive information was leaked via email to an outside source. The digital signature on 
the message indicated that a particular employee was responsible for the compromise. A cryptography 
expert was retained to testify on the techniques used for digital signatures and their reliability. What type 
of evidence would this expert’s testimony be considered? 
 
a. Primary  
b. Best Evidence  
c. Hearsay  
d. Secondary evidence 
 
6. A police officer locates a USB drive of an employee who is suspected of fraudulent activity. The 
officer asks for the employee to turn over the drive, but that individual refuses. If law enforcement were 
to seize evidence without the proper permission, that would be a violation of the employee’s fourth 
amendment rights. In which of the following situations can evidence be seized without causing such a 
violation? 
 
a. The evidence appears to incriminate the employee.  
b. The evidence appears to exonerate the employee.  
c. The evidence is in immediate danger of being destroyed.  
d. The evidence is part of a federal crime. 
 
Video Source 
Skills Tested: Types of evidence and their implications 

 
 
 

 
7. Hearsay is rarely admissible in court, as it usually describes second-hand evidence. Why might a 
print-out of an audit log be ruled hearsay and thus inadmissible? 
 
a. The actual information resides on the system as the recorded 1s and 0s; the print-out is a copy of the 
digital evidence.  
b. Audit logs are unreliable and often don’t track the necessary information.  
c. Audit logs are not admissible because they are computer generated and there is no way to attest to their 
accuracy and integrity.  
d. Often audit logs are misconfigured and would include more information than necessary, making them 
difficult to sift through. 
 
8. Several years ago, an organization created a policy to allow security administrators to intercept 
messages and monitor their contents. They informed employees of this policy and had each sign a waiver 
acknowledging it. They further implemented login banners indicating that there is no 
expectation of privacy. Will evidence collected in this manner be admissible in court? 
 
a. No, because if the policy is created before users are notified, then it may not be admissible.  
b. No, because employees were not trained on the policy, evidence may not be admissible.  
c. If the policy isn’t applied universally and the information is not collected as part of normal business 
processes, then it may not be admissible.  
d. Yes, the company has done all it is required to do, and the evidence it collects as a result of this practice 
should be admissible in court. 
 
9. Once an intruder has compromised a system, they usually attempt to delete any signs of their access. 
One frequent technique is to erase entries in audit logs. Which of the following will help lessen the risks 
of manipulation of audit logs? 
 
a. Sending audit logs to write-once media  
b. Hashing audit logs  
c. Regular review of the contents of logs  
d. All of the above 
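Question 9 lists hashing and write-once media as defenses against log manipulation. The example below is added for this guide and is not code from the course; it shows one way the two combine: each log entry carries an HMAC that also covers the previous entry's HMAC, and the final HMAC is copied to write-once media as an anchor. The key, log lines and anchor handling are constructed assumptions. Deleting or altering a line in the middle breaks the chain at that point; deleting lines from the end is caught only by the anchor, which is why the chain alone is not enough.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32


def chain_log(entries, key):
    """Attach a chained MAC to each entry: mac_i = HMAC(key, mac_{i-1} || entry_i)."""
    prev, out = GENESIS, []
    for entry in entries:
        mac = hmac.new(key, prev + entry.encode(), hashlib.sha256).digest()
        out.append((entry, mac.hex()))
        prev = mac
    return out


def verify_log(chained, key, anchor=None):
    """Return -1 if the log is intact, otherwise the index of the first entry whose link fails.
    anchor: the final MAC as copied to write-once media; without it, truncation of the tail
    is invisible, so len(chained) is returned when the anchor does not match."""
    prev = GENESIS
    for i, (entry, mac_hex) in enumerate(chained):
        expected = hmac.new(key, prev + entry.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), mac_hex):
            return i
        prev = expected
    if anchor is not None and not hmac.compare_digest(prev.hex(), anchor):
        return len(chained)
    return -1


# Constructed sample log and key (in practice the key is held by the log collector, not the host).
KEY = b"example-log-signing-key"
ENTRIES = [
    "2024-03-01T02:10:01 sshd: Accepted password for svc_backup from 10.0.5.9",
    "2024-03-01T02:10:07 sudo: svc_backup : COMMAND=/bin/bash",
    "2024-03-01T02:11:30 useradd: new user: name=support2",
    "2024-03-01T02:12:00 sshd: session closed for user svc_backup",
]
CHAIN = chain_log(ENTRIES, KEY)
ANCHOR = CHAIN[-1][1]  # written to write-once media at rotation time


def scenario_delete_middle():
    """Intruder erases the useradd line; the link of the next entry fails."""
    tampered = CHAIN[:2] + CHAIN[3:]
    return verify_log(tampered, KEY, ANCHOR)


def scenario_truncate_tail():
    """Intruder drops the last line: caught with the anchor, missed without it."""
    return verify_log(CHAIN[:-1], KEY, ANCHOR), verify_log(CHAIN[:-1], KEY)


if __name__ == "__main__":
    print("intact:", verify_log(CHAIN, KEY, ANCHOR))
    print("delete middle:", scenario_delete_middle())
    print("truncate tail (with/without anchor):", scenario_truncate_tail())
```

Regular review (option c in the question) is what turns a detected break into a response; the chain only tells you that something changed, and from which entry onward.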
 
Video Source 

 
 
 

Skills Tested: Conduct Monitoring and Logging Activities 


 
10. Which of the following is the best description for resource provisioning? 
 
a. A business process to create trusts between organizations  
b. A Business process which creates and manages access to resources in an information technology 
environment  
c. An automated process of sharing information across boundaries  
d. Means of automating permissions for shared objects in a network environment 
 
11. In an organization with a large number of employees, it is necessary to offload some basic activities to 
users. For instance, the IT department can be overwhelmed with tasks such as resetting passwords and 
creating new accounts. Which of the following would best assist with reducing the IT staff’s workload? 
 
a. Delegate administrative access to users.  
b. Add users to power user group.  
c. Transfer these processes to the help desk.  
d. Implement self-service account provisioning. 
 
12. Users in your organization have access to a large number of applications and network-based services. 
The IT department is overwhelmed with ensuring consistent access to resources. You want to find a way 
to make sure accounts are created, and permissions granted, as part of the onboarding process and that 
accounts are deleted and permissions revoked as part of off-boarding. Which of the following would 
enable this functionality? 
 
a. Workflow provisioning  
b. Discretionary account provisioning  
c. Self-service provisioning  
d. Automated provisioning 
 
Sources: One / Two / Three / Four 
Skills Tested: Secure the provisioning of resources 
 

 
 
 

13. You have become concerned that your company's switch is not as secure as it could be. The 
switch is located in a locked room, MAC filtering is enabled, and you have disabled all remote-access 
protocols so that anyone configuring the switch must use the console port. You are now concerned with 
man-in-the-middle attacks, particularly those that poison the ARP cache tables that map IP 
addresses to MAC addresses. What security feature might you want to add? 
 
a. DHCP Snooping  
b. Dynamic ARP Inspection  
c. Network Address Translation  
d. Static IP addressing 
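Question 13 asks for the feature that stops ARP cache poisoning on a switch. The example below is added for this guide and is not code from the course or from any switch vendor; it models the core check of Dynamic ARP Inspection: on untrusted ports, the sender IP/MAC pair in an ARP packet must match a trusted binding table (the table DHCP snooping would build, which is why question 13's option a is the prerequisite for option b), and the ARP sender MAC must match the Ethernet source MAC. The binding table, port names and frames are constructed assumptions.

```python
# Trusted IP-to-MAC bindings, as a DHCP-snooping table would hold them (constructed).
BINDINGS = {
    "10.0.0.1": "aa:bb:cc:00:00:01",   # default gateway
    "10.0.0.10": "aa:bb:cc:00:00:10",
    "10.0.0.11": "aa:bb:cc:00:00:11",
}
TRUSTED_PORTS = {"Gi0/1"}  # uplink toward the real gateway and DHCP server


def inspect_arp(frame, bindings=BINDINGS, trusted_ports=TRUSTED_PORTS):
    """Return (forward, reason) for one ARP frame.

    frame: dict with port, eth_src (Ethernet source MAC), sender_ip, sender_mac.
    Frames on trusted ports pass. On untrusted ports the frame is dropped when the
    ARP sender MAC disagrees with the Ethernet source MAC, when the sender IP has
    no binding, or when the sender IP is bound to a different MAC."""
    if frame["port"] in trusted_ports:
        return True, "trusted port"
    sender_mac = frame["sender_mac"].lower()
    if sender_mac != frame["eth_src"].lower():
        return False, "ARP sender MAC does not match frame source MAC"
    bound = bindings.get(frame["sender_ip"])
    if bound is None:
        return False, f"no binding for {frame['sender_ip']}"
    if bound.lower() != sender_mac:
        return False, f"{frame['sender_ip']} is bound to {bound}, not {sender_mac}"
    return True, "binding matches"


# Constructed ARP frames as seen by the switch.
FRAMES = [
    # Legitimate host answering from its own access port.
    {"port": "Gi0/5", "eth_src": "aa:bb:cc:00:00:10",
     "sender_ip": "10.0.0.10", "sender_mac": "aa:bb:cc:00:00:10"},
    # Access port claiming to be the gateway: the classic MITM poisoning attempt.
    {"port": "Gi0/7", "eth_src": "de:ad:be:ef:00:07",
     "sender_ip": "10.0.0.1", "sender_mac": "de:ad:be:ef:00:07"},
    # The real gateway answering through the trusted uplink.
    {"port": "Gi0/1", "eth_src": "aa:bb:cc:00:00:01",
     "sender_ip": "10.0.0.1", "sender_mac": "aa:bb:cc:00:00:01"},
]


def inspect_all(frames=FRAMES):
    """Forwarding decision for each frame, in order."""
    return [inspect_arp(f)[0] for f in frames]


if __name__ == "__main__":
    for f in FRAMES:
        print(f["port"], f["sender_ip"], inspect_arp(f))
```

Static IP addressing (option d) does nothing here: the attacker forges the ARP payload, not the addressing; only a check against an authoritative binding table stops the forged reply at the port it enters.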
 
14. In order to protect against leakage of sensitive information in the Human Resources Department, 
you’ve been asked to recommend an effective means of separating this department’s traffic from the rest 
of the network. Which of the following would be the most cost-efficient method to create this isolation? 
 
a. Implement a switch.  
b. Implement a VLAN.  
c. Implement a gateway.  
d. Implement IPSec in transport mode. 
 
15. Firewalls are designed to separate zones based on the security requirements of each zone. Traffic is 
inspected and, based on the configured rule-set, traffic is allowed or denied. A generally accepted best 
practice is that firewalls should use which of the following? 
 
a. Whitelisting  
b. Blacklisting  
c. Rules-based access control  
d. Permit Any 
 
Video Sources: One / Two / Three 
Skills Tested: Employ resource protection through network segmentation 
 
 

 
 
 

 
16. While training a new member of the incident response team, you've been asked to define the primary 
purpose of incident response. Which of the following is the best answer? 
 
a. To collect information to be used in the prosecution of an attacker  
b. To track, document and respond to network events  
c. To eliminate the damage caused by a cyber attack  
d. To reduce the impact of cyber incidents on the business. 
 
17. A network administrator wants to be notified in the event that baseline performance metrics are 
exceeded. What is the best way for an administrator to learn of these events in a timely manner? 
 
a. Review the audit logs on a regular basis.  
b. Contact the audit log administrator and ask to be notified via email in the event described above.  
c. Configure an alert within the software that monitors the system.  
d. Run frequent queries on the performance metrics of the system in question. 
 
18. DDoS (Distributed Denial of Service) attacks take advantage of compromised systems which are 
commandeered to launch an attack on another system or network. Which of the following is the most 
likely indicator that your internal hosts are being used (unintentionally) to launch a downstream attack on 
another network or system? 
 
a. Traffic coming into the internal network with an internal address  
b. Traffic coming into the internal network with an external address  
c. Traffic leaving the internal network with an external address  
d. Traffic leaving the internal network with an internal address 
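Question 14 in Domain 6 and question 18 here describe the same indicator from two sides: traffic leaving the network with a source address that is not yours means an inside host is forging packets, most likely as a commandeered member of a downstream DDoS. The example below is added for this guide and is not code from the course; it applies the two perimeter anti-spoofing checks (egress: source must be internal; ingress: source must not be internal) to constructed log lines in a constructed format. The internal range is the 10.0.0.0/8 from the Domain 6 question; the log format, timestamps and addresses are assumptions.

```python
import ipaddress
import re

# The organization's internal range (from the question); more networks can be listed.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed log format: "<time> <IN|OUT> src=<ip> dst=<ip> proto=<p>"
LINE_RE = re.compile(r"^(\S+)\s+(IN|OUT)\s+src=(\S+)\s+dst=(\S+)\s+proto=(\S+)$")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(direction: str, src: str) -> str:
    """Apply the two anti-spoofing rules at the perimeter."""
    if direction == "OUT" and not is_internal(src):
        # Leaving with a foreign source: an inside host is forging packets,
        # the indicator of participation in a downstream attack.
        return "egress-spoof"
    if direction == "IN" and is_internal(src):
        # Arriving from outside while claiming an inside address.
        return "ingress-spoof"
    return "ok"


def scan(lines):
    """Return (line_number, verdict) for every line that is not plain 'ok'."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if not m:
            findings.append((n, "unparsed"))
            continue
        _, direction, src, _, _ = m.groups()
        verdict = classify(direction, src)
        if verdict != "ok":
            findings.append((n, verdict))
    return findings


# Constructed sample log; external addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    "2024-03-01T09:00:01 OUT src=10.1.4.22 dst=198.51.100.7 proto=tcp",
    "2024-03-01T09:00:02 IN  src=203.0.113.5 dst=10.1.4.22 proto=tcp",
    "2024-03-01T09:00:03 OUT src=192.0.2.99 dst=198.51.100.7 proto=udp",
    "2024-03-01T09:00:04 IN  src=10.9.9.9 dst=10.1.4.22 proto=icmp",
]

if __name__ == "__main__":
    for n, verdict in scan(SAMPLE_LOG):
        print(n, verdict, SAMPLE_LOG[n - 1])
```

The egress rule is the one most organizations forget; it protects other people's networks from yours, and a burst of "egress-spoof" findings is a strong sign that the compromised hosts on the inside should be the first stop of the incident response.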
 
Video Source 
Skills Tested: Perform Incident Response 
 
 
 
 

 
 
 

19. A member of the evidence collection team retrieves audit logs from Monday, Wednesday and 
Thursday which indicate suspicious activity. No other logs are provided. Which of the following rules of 
evidence might prohibit those logs to be admitted in court? 
 
a. Digital evidence must be complete.  
b. Digital evidence must be authentic.  
c. Digital evidence must be convincing.  
d. Digital evidence must be accurate. 
 
20. In forensic investigations, identification of evidence is the first step. Once an item has been identified 
as evidence, the incident response team should be notified. What is the most important responsibility of 
the first responder? 
 
a. Examination of the evidence  
b. Analysis of the evidence  
c. Collection of the evidence 
d. Preservation of the evidence 
 
21. During a forensics investigation, it has been determined that an examination and analysis of the hard 
drive will be required. In order to demonstrate that the hard drive was not modified, you’ve been 
instructed to create hashes. How many hashes of the hard drive are necessary for the investigative 
process? 
 
a. One  
b. Two  
c. Three  
d. Four 
 
Video Source 
Skills Tested: Conduct incident management and understand basic concepts of forensics 
 
 
 

 
 
 

22. Bob is attempting to connect to the hotel’s wireless network to access his company’s mail server. He 
is instructed by the hotel staff to use the SSID “HOTELX” where X is his floor number. Hours later, he 
discovers that his email has been uploaded to a malicious website. Which of the following would have 
(most likely) prevented this problem? 
 
a. RADIUS  
b. Mutual authentication  
c. Two-factor authentication  
d. Extensible Authentication Protocol 
 
23. Your organization has a great number of salespeople who travel from client site to client site. Their 
laptops connect to many different networks, including home and unsecured networks. Before allowing 
these laptops to connect to your network, you want to ensure (as much as possible) that each laptop is 
protected from malware infection and from exploits against its operating system. Which of the following 
network services should you employ? 
 
a. NAC (Network Access Control)  
b. RADIUS  
c. Group policy  
d. Firewall services 
 
24. The entry "access-list 102 deny tcp any any eq 23" serves what purpose on a router or firewall? 
 
a. Blocks all TCP traffic 
b. Blocks TCP traffic but allows traffic on port 23  
c. Blocks all telnet traffic  
d. Limits remote connections to 23 connections 
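Question 24 reads one Cisco-style extended ACL entry, and question 15 earlier states the best practice that a firewall should whitelist (permit only what is listed and deny everything else). The example below is added for this guide and is not code from the course or from any vendor; it parses entries in the subset of the syntax the question uses (`access-list <n> permit|deny <proto> <src> <dst> [eq <port>]`, with `any`, `host A.B.C.D` or `A.B.C.D <wildcard>` addresses and a destination-port match only) and evaluates packets first-match-wins with the implicit deny at the end. Rule sets, packets and the port-name table are constructed assumptions.

```python
import ipaddress

PORT_NAMES = {"telnet": 23, "ssh": 22, "http": 80, "https": 443}
ALL_ONES = 0xFFFFFFFF


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at tokens[i]; return ((net, wild), next_i)."""
    if tokens[i] == "any":
        return (0, ALL_ONES), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.ip_address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.ip_address(tokens[i]))
    wild = int(ipaddress.ip_address(tokens[i + 1]))
    return (net, wild), i + 2


def parse_ace(line):
    """Parse one extended ACL entry into a dict."""
    t = line.lower().split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported entry: {line}")
    ace = {"number": t[1], "action": t[2], "proto": t[3], "dport": None}
    ace["src"], i = _parse_addr(t, 4)
    ace["dst"], i = _parse_addr(t, i)
    if i < len(t) and t[i] == "eq":
        ace["dport"] = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return ace


def load_acl(lines):
    return [parse_ace(line) for line in lines]


def _addr_match(rule, ip):
    """Wildcard-mask match: bits set in the wildcard are 'don't care'."""
    net, wild = rule
    care = ~wild & ALL_ONES
    return (int(ipaddress.ip_address(ip)) & care) == (net & care)


def evaluate(acl, pkt):
    """First matching entry decides; an ACL always ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if not _addr_match(ace["src"], pkt["src"]) or not _addr_match(ace["dst"], pkt["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
            continue
        return ace["action"]
    return "deny"  # implicit deny: the default-deny (whitelisting) posture of question 15


# Constructed rule sets and packets.
ACL_A = load_acl([
    "access-list 102 deny tcp any any eq 23",   # the entry from question 24
    "access-list 102 permit ip any any",         # then allow everything else (blacklisting)
])
ACL_B = load_acl([
    "access-list 102 permit tcp 10.0.0.0 0.255.255.255 host 192.0.2.10 eq 22",  # whitelisting
])
TELNET = {"proto": "tcp", "src": "10.1.1.5", "dst": "192.0.2.10", "dport": 23}
SSH = {"proto": "tcp", "src": "10.1.1.5", "dst": "192.0.2.10", "dport": 22}

if __name__ == "__main__":
    for name, acl in (("blacklist", ACL_A), ("whitelist", ACL_B)):
        print(name, "telnet:", evaluate(acl, TELNET), "ssh:", evaluate(acl, SSH))
```

ACL_A answers question 24 (all Telnet is blocked, everything else passes); ACL_B shows the difference the whitelisting practice makes: Telnet, SSH from a non-internal source, and anything the author forgot to think about all fall through to the implicit deny.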
 
Video Source: One / Two 
Skills Tested: Operate and maintain preventative measures 
 
 
 

 
 
 

25. A system audit indicates that the payroll system is not in compliance with the security policy due to 
several missing operating system security patches. After review, it seems that the system has not been 
patched in over a year. When you contact the vendor, he tells you that the payroll system is supported 
only on the current operating system patch level. Which of the following strategies should be used to 
lessen the vulnerability of the missing OS patches on this system?  
 
a. Isolate the system on a separate network to limit its interaction with other systems  
b. Implement an application layer firewall to protect the payroll system interface  
c. Monitor the system’s security log and look for unauthorized access to the payroll application  
d. Perform reconciliation of all payroll transactions on a daily basis. 
 
26. You’ve been placed in charge of developing a patch management strategy. You want to ensure 
systems stay up to date with the current patches and updates, and know that you can’t rely on users to take 
the time to update their systems. You want to ensure that the patches are tested first, and prevent users 
from downloading files before they’ve been approved. What solution might best solve these problems? 
 
a. Download the patches to a lab environment. Test the updates and patches and, once approved, install 
them on the client computers.  
b. Create a group policy that forces users to download security patches as soon as these updates become 
available. Other updates can be approved when possible and then distributed to user systems when 
appropriate.  
c. Only download patches from the particular vendor’s website. Once the vendor has made the patches 
available, it can be assumed that they’ve been tested. 
d. Implement a patch management server. Test and approve appropriate patches. Configure group policy 
so that the clients will contact this server and download the approved updates. 
 
27. In your organization, new systems connect to a network server and download an operating system. 
After the operating system has been installed, patches and updates must then be applied. Which of the 
following describes a more efficient way of ensuring these newly installed operating systems are patched? 
 
a. Implement Rolling updates  
b. Implement Slipstreaming  
c. Implement Patch management servers  
d. Implement live 
 

 
 
 

Video Source 
Skills Tested: Implement and support patch and vulnerability management 
 
28. A technician reports that he read in a recent tech magazine that the brand of computers on your 
production network have a documented issue with their original BIOS instruction set. The article 
recommends that the BIOS be flashed (updated) to correct this issue. What should you do? 
 
a. Test the proposed changes in the lab and if successful flash the BIOS of the production systems.  
b. Test the proposed changes in the lab and if successful meet with department heads and schedule the 
implementation of the change on a department-by-department basis.  
c. Make the change immediately.  
d. Refer the change to your Change Control Board and wait for approval. 
 
29. As a member of the server administration team, you receive a call at 2 am explaining that the database 
server has failed and has rendered several business units unable to continue their work. When you arrive 
at the office, you determine that the server has been infected with malicious code. After researching the 
issue, you determine that once you remove the malicious software, several registry keys will also need to 
be changed. Your company has a change control policy in place. What should you do? 
 
a. Wait until the morning and begin the process of change control.  
b. Make the change to limit the disruption to the business, as per your emergency change control process. 
c. Remove the malicious code, but do not modify the registry of the system.  
d. Call the head of the departments affected and determine how critical it is to restore services to those 
departments. Base your decisions on his reply. 
 
30. The Change Control Board has approved a modification to the systems settings of the computers in 
the finance department. The proposed changes are tested in the lab and found to have no negative impact. 
The changes are scheduled and rolled out to the finance computers. Shortly thereafter the systems begin to 
fail with random error messages. What is most likely the problem? 
 
a. The lab environment does not accurately reflect the systems in the Finance Department.  
b. The Finance Department computers have been infected with a virus.  
c. The settings were improperly configured.  
d. The Finance department systems have had additional software installed which conflicts with the 
configuration changes. 

 
 
 

Source Video 
Skills Tested: Participate in and understand the change control process 

 
   

 
 
 

Domain 7 Security Operations PART 2 
Redundancy and Business Continuity 
 
1. You have been tasked with developing a strategy to provide redundancy for hard drives. You need to 
determine the average amount of time a hard drive should last. Which of the following metrics would 
provide the best indication of the life expectancy of a device? 
 
a. MTTR  
b. MTBF  
c. SLA  
d. SLE 
 
2. A file server operates on your organizational network. In the past, RAID 0 was used to enhance 
the performance of both “read” and “write” operations. Now, you’ve been asked to update the RAID 
array to include redundancy without losing the performance boost. Which is the best choice? 
 
a. Disk Striping  
b. RAID 1  
c. Disk Duplexing  
d. RAID 5 
 
3. When using a mirrored set of drives (A RAID 1 array) how much disk space can be used for storage if 
two 4 TB drives are purchased? 
 
a. 1 TB  
b. 2 TB  
c. 3 TB 
d. 4TB 
 
Source Video 
Skills Tested: Hardware Redundancy 

 
 
 

4. In order to provide high availability for your company’s website, a technician suggests that you 
implement clustering. Which of the following is the best definition of a cluster? 
 
a. Multiple servers which, in turn, handle incoming requests to increase performance  
b. Multiple servers that replicate information on a regular basis so that all servers contain current 
information  
c. Multiple physical servers acting as a single logical unit  
d. Multiple servers configured with “Round Robin” load balancing through DNS 
 
5. You work in a small store that sells auto parts. The company’s computer systems are used to access 
inventory and other minor activities as needed. There is very little money in the budget for IT systems. 
However, redundancy for the server is necessary as a failure in service would equate to lost sales. What is 
the cheapest way to provide server redundancy from the choices below? 
 
a. Implement an Active-Passive cluster  
b. Implement a web farm  
c. Migrate your services to the cloud  
d. Implement RAID 10 
 
6. What is the difference between redundant servers and a server cluster? 
 
a. Redundant servers don’t provide load balancing while all clusters provide that service by default.  
b. Usually, redundant servers are individual and discrete devices on the network while a cluster may 
contain many nodes but will still appear as a single system.  
c. Redundant servers can span geographic locations, but a server cluster must be local.  
d. Redundant servers have a quicker failover and fail-back process than a server cluster. 
 
Video Source  
Skills Tested: Understand redundancy provided by server clustering 
 
 
 
 

 
 
 

7. At 4:00 in the afternoon you receive a request to install an operating system patch on a production 
server. Before applying the patch, you want to ensure that you’re able to recover the server in the event 
that the patch does not work properly. What type of backup should you perform? 
 
a. Full  
b. Incremental  
c. Differential  
d. Copy 
 
8. Your organization always performs a nightly backup at 9:00pm. Each morning, the tape is ejected, and 
the backup report indicates the backup was successful. However, malware has infected the data on the 
current drive, and when you attempt to restore from the backup, you get an error message which reads 
“File not found.” How should backups be tested and verified? 
 
a. Backups should be hashed and the hash compared with the hash on the logs.  
b. Backup reports are accurate and a good indication of a successful backup. In this case, the problem is 
caused by something else.  
c. The only way to have true confidence in backups is to restore them periodically. 
d. Backups should be verified as part of the backup procedure. 
 
9. Your organization runs a full backup each Sunday night. Then, each day of the week an incremental 
backup is performed. On Thursday morning the server suffers a failure requiring a full restoration of data. 
How many tapes must be restored? 
 
a. 1  
b. 2  
c. 3  
d. 4 
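Question 9 counts the tapes for a weekly full plus daily incrementals. The example below is added for this guide and is not code from the course; it computes the restore chain for any mix of full, incremental and differential backups in a one-week schedule, which also covers the differential variant of the question (full plus the latest differential). An incremental captures changes since the previous backup of any kind, a differential captures changes since the last full, and a backup is assumed not to exist yet on the day the failure occurs (a Thursday-morning failure leaves Wednesday night's tape as the newest). The schedules and day names are constructed.

```python
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]


def restore_chain(backups, failure_day):
    """backups: chronological list of (day, kind), kind in {'full', 'incremental', 'differential'}.
    Returns the ordered list of tapes that must be restored after a failure on failure_day."""
    cutoff = DAYS.index(failure_day)
    available = [(d, k) for d, k in backups if DAYS.index(d) < cutoff]
    chain = []
    for day, kind in available:
        if kind == "full":
            chain = [(day, kind)]                  # everything before the full is superseded
        elif kind == "differential":
            if chain:                              # covers all changes since the full, so it
                chain = [chain[0], (day, kind)]    # replaces earlier differentials and incrementals
        elif kind == "incremental":
            if chain:                              # only changes since the previous backup:
                chain.append((day, kind))          # every incremental after the full is needed
        else:
            raise ValueError(f"unknown backup kind: {kind}")
    return chain


# Constructed schedules: full on Sunday night, then one backup every other night.
INCREMENTAL_WEEK = [("Sun", "full")] + [(d, "incremental") for d in DAYS[1:]]
DIFFERENTIAL_WEEK = [("Sun", "full")] + [(d, "differential") for d in DAYS[1:]]


def tapes_needed(backups, failure_day):
    return len(restore_chain(backups, failure_day))


if __name__ == "__main__":
    print("incremental, Thursday failure:", restore_chain(INCREMENTAL_WEEK, "Thu"))
    print("differential, Thursday failure:", restore_chain(DIFFERENTIAL_WEEK, "Thu"))
```

The trade-off the two schedules make is visible in the output: incrementals are quick to take but the restore chain grows by one tape a day and any one bad tape breaks the chain; differentials grow in size each night but the restore is always exactly two tapes.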
 
Video Source 
Skills Tested: Understand Backup and Restore Operations 
 
 

 
 
 

 
10. You work for an organization that has a very low tolerance for loss of data. Nightly backups, though 
conducted, do not provide enough protection against data loss. What type of technology would allow you 
to transfer batches of transactions to an offsite facility numerous times per day? 
 
a. Clustering  
b. Data Shadowing  
c. Electronic Vaulting  
d. Remote Journaling 
 
11. After a disaster, critical systems are migrated to an offsite facility. A user calls with a complaint that 
the restored data is too old to be of any use. You check the restored data to ensure it was restored from the 
most current backup available. What is the most likely cause of this problem? 
 
a. The user is likely looking at a cached copy.  
b. The data was restored to the incorrect directory.  
c. There is a network replication issue.  
d. Recovery point objectives are very short, and the backups are not frequent enough to meet those needs. 
 
12. How best would database shadowing be defined? 
 
a. The database is copied to an alternative location periodically for fault tolerance.  
b. The data transactions are simultaneously written to two different databases.  
c. The database transactions are written to a striped set for performance.  
d. The database uses RAID 1. 
 
Video Source 
Skills Tested: Additional backup strategies 
 
 
 
 

 
 
 

 
13. The Disaster Recovery Plan provides instruction on the actions necessary to be taken during the 
immediacy of the disaster, with a focus on protecting life, above all, and then property. Which of the 
following provides the next steps of the DRP? 
 
a. Return services to order, starting with least critical working towards most critical.  
b. Return services to order starting with most critical working towards least critical.  
c. Restoring operations to full capacity as quickly as possible.  
d. Restoring the original facility so that business processes can return. 
 
14. A small organization has a RAID array that can be restored in one hour to provide redundancy for 
hard drives. In addition, they have a backup policy in which data is backed up every night at midnight; the 
backups are stored onsite for one month and then off-site for one year. The strategies were decided in 
writing the BIA. In the above situation, what is the organization’s RPO for data? 
 
a. One Day  
b. One Hour  
c. One Week  
d. One Month 
 
15. Your organization leases a cold site from a vendor in the area. What information may not be 
guaranteed in your contract? 

a. Size of the facility 
b. Services available at the facility 
c. Availability of the facility 
d. General location of the facility 
 
Video Source 
Skills Tested: Implement disaster recovery processes 

16. You would like to conduct a test of your organization’s Disaster Recovery Plan, but are concerned 
about the potential harm to your production environment. You would like to use the most realistic test, 
without the risk of running processes out of the offsite location. What type of test would be best in 
this situation? 
a. Checklist 
b. Structured Walkthrough  
c. Simulation  
d. Parallel 
 
17. Which of the following would not be determined in a test of the disaster recovery plan? 
 
a. Does the plan include practical instructions that can be carried out?  
b. How well do employees carry out the plan?  
c. Does the plan contain accurate information?  
d. Are all the necessary steps addressed in the plan? 

18. On Friday afternoon your organization shuts down all business processes. Over the weekend the team 
works on enabling services at an offsite facility. On Monday morning, all business functions are 
performed at the offsite location. What type of testing was performed? 
 
a. Structured walk-through  
b. Parallel  
c. Simulation  
d. Full interruption 
 
Video Source 
Skills Tested: Test disaster recovery plans 

19. You are the project manager for the Business Continuity Planning project. After getting a written 
policy from senior management, you’re ready to proceed with the following steps. As you begin 
conducting the BIA (Business Impact Analysis) one of your team members asks the difference between 
Business Impact Analysis and Risk Analysis. How should you respond to the question? 
 
a. The BIA and risk analyses are the same things and both address the potential threats and their potential 
harm.  
b. The BIA addresses the impact that various threats could have on your organization, while risk analysis 
determines how likely the threats are to materialize.  
c. The BIA identifies and prioritizes business processes based on criticality while risk analysis focuses on 
threats and their likelihood and impact.  
d. The BIA identifies the risks while Risk Analysis addresses how we respond to risks. 
 
20. The first step of creating a Business Continuity Plan is to obtain a BCP policy from senior 
management. In addition to setting the direction and goals of the plan, why else is the policy so 
important? 
 
a. The BCP policy is a commitment from senior management to support and fund the project.  
b. The BCP policy indicates how important the BCP is to the organization and will help encourage 
involvement from all the employees in the organization.  
c. The BCP policy is necessary to be in compliance with regulations that require a BCP.  
d. The BCP policy authorizes the project manager of the project. 
 
21. Often senior management assigns members to the BCP team. Which employees should be members of 
the BCP team? 
 
a. IT managers  
b. A cross-functional representation of the business units  
c. All employees  
d. Senior management 
 
Video Source 
Skills Tested: Participate in business continuity planning and exercises 

22. One morning, as you swipe your access card and enter the building, an unknown individual attempts 
to enter behind you. How should you proceed? 

a. Ask the visitor if he or she has an access card. If not, ask him or her to leave.  
b. Ask the visitor if he or she has an access card. If not, escort him or her to security immediately.  
c. Ask him or her which department he or she works for and call that department.  
d. Ask him or her to show you some form of identification before letting him or her in. 
 
23. In assessing the environment of the server room, the following information was collected: Humidity 
70% and temperature 70 degrees. What should be done to protect the devices in the server room? 
 
a. Increase the temperature.  
b. Decrease the temperature.  
c. Increase the humidity.  
d. Decrease the humidity. 
 
24. Your organization is considering adding fencing to your perimeter to increase the physical safety of 
employees and provide a physical barrier against attackers. What is the least height fence that will deter 
an intruder? 
 
a. 8 feet  
b. 6 feet 
c. 10 feet  
d. 12 feet 
 
Video Source  
Skills Tested: Implement and manage physical security  

25. Your data center is populated with numerous electronic devices and has a staff of roughly two 
hundred people. Your organization requires that a water-based sprinkler system is used to limit the loss of 
life and property in the event of a fire. What type of sprinkler system is best-suited for this environment?  
 
a. Wet pipe  
b. Dry pipe  
c. Deluge  
d. Pre-action 
 
26. The BCP is made of several sub-plans. Which of the following sub-plans would include information 
on how to help employees with physical challenges to evacuate a building in the event of an emergency? 
 
a. Crisis Communication Plan  
b. Occupant Emergency Plan  
c. Reconstitution Plan  
d. Recovery Plan 
 
27. In a data center, the greatest risk of fire comes from electrical distribution systems. How close to these 
systems should fire extinguishers be placed? 
 
a. 25 feet  
b. 50 feet  
c. 100 feet  
d. 1000 feet 
 
Video Source  
Skills Tested: Participate in addressing personnel safety concerns  

Domain 8 Software Development Security 

1. When allowing users to input information to a form, you want to ensure that data which does not meet 
your requirements is blocked from entry, but not modified. You would also like to ensure that no data 
control language is used as well. What should happen before form entries are accepted? 
 
a. Validation  
b. Sanitization  
c. Extraction  
d. Elevation  
 
2. Which of the following is a software testing technique used to discover coding errors and security 
loopholes in software, particularly lack of input validation? 
 
a. Validating  
b. Sanitizing  
c. Fuzzing  
d. White box testing  
 
3. Your organization has determined a need to be more aggressive with its security testing of software 
before implementation. Senior management has asked whether white box testing is currently used. What 
is white box testing? 
 
a. A type of code review  
b. A type of user acceptance testing  
c. A type of fuzzing  
d. A type of input validation  
 
Video Source 
Skills Tested: Assess the security of software 

4. You have been hired to assess the security for a small training company. This company offers an 
introductory class to computer hacking. The classroom is not segmented from the rest of the training 
company’s network. The admin explains that the students in the class are only script kiddies and could 
never do any real harm. What is your response?  
 
a. Agree, as the skills necessary to truly damage a network or system are much higher than what a user of 
that level of knowledge would possess.  
b. Agree, as the cost of segmenting the classroom from the rest of the network would be greater than the 
potential for loss.  
c. Disagree, as script kiddies can be just as dangerous as any other hacker, and sometimes more so, as 
they don’t realize the power of the code they are executing.  
d. Assume the admin has assessed the risk, and support his decision. 
 
5. An Advanced Persistent Threat is a type of attack directly targeting a specific system or organization. 
These attacks are often sophisticated and occur over a period of time until ultimately accomplishing their 
goal. What attack type would an APT be classified as?  
 
a. Unstructured  
b. Structured  
c. Restructured  
d. Highly Structured 
 
6. An organization has asked that you provide penetration testing for a critical database server. Authorized 
pen-testing is sometimes referred to as ____________. 
 
a. White-hat testing  
b. White-box Testing  
c. Grey-hat Testing  
d. Grey-box Testing 
 
Video Source  
Skills tested: Assess effectiveness of security controls 

7. When scanning a system, which of the following information would be LEAST helpful to an 
attacker? 
 
a. Network services running  
b. IP Address and Subnet Mask  
c. Operating system  
d. Installed software 
 
8. The first step of many attacks is reconnaissance. In reconnaissance, an attacker looks to find 
information about the organization from publicly available sources. Which of the following is LEAST 
likely to help an attacker? 
 
a. Job postings for technical positions in your organization  
b. The WhoIs database  
c. Company Policy and Mission Statement from the company’s web page  
d. List of branch offices, locations, and phone numbers 
 
9. Senior management has recently become concerned with reducing their liability in relation to the 
protection of company assets. They want to ensure that they meet legal requirements and industry 
standards in relation to information security. By authorizing a vulnerability test of the corporate network, 
what legal responsibility are they demonstrating? 
 
a. Due Care 
b. Due Diligence  
c. Proximate Causation  
d. Adherence to policy 
 
Video Source  
Skills Tested: Understand the essentials of vulnerability scans and penetration testing 

10. An attack in which unvalidated data is sent to an interpreter as part of a query or command, tricking 
the interpreter into executing hostile commands or processing data without proper authentication is called 
_____________ 
 
a. XSRF Attack  
b. Code injection  
c. Reverse query  
d. DDoS 
 
11. In configuring a web server for your intranet, you’ve been advised to use SSL/TLS instead of HTTP. 
You’ve heard that HTTP is insecure and does not offer privacy for data. What is another concern of 
HTTP? 
 
a. HTTP is slower than HTTPS due to the extended handshake process.  
b. HTTP key distribution is complex.  
c. HTTP authenticates but does not encrypt  
d. HTTP is stateless. 
 
12. A web page displays comments by customers in relation to their new test product. They hope that the 
positive feedback from customers will encourage other customers to buy their product. However an 
attacker enters, “<script>MaliciousCommand();</script>” into the comment section. When the page is 
displayed in users’ browser, the script will run. What type of attack is this? 
 
a. XSRF  
b. XSS  
c. LDAP Injection  
d. Session hijacking 
 
Video Source 
Skills Tested: Understand common threats directed at web applications 

13. While you are logged into your online bank account at MyBank.com, a malicious user, “Mallory”, 
sends an email with the link: 
<img src="https://www.MyBank.com/transfer?amount=1000&destination=mallory"> When you 
click, the link is processed by your browser and sends 1000 to Mallory. The attack appears as if it 
originates from you, as your session ID and other cookies are sent as part of the request. What type of 
attack is this? 
 
a. XSRF  
b. XSS  
c. LDAP Injection  
d. Session hijacking 
 
14. When John provides his username and password to a banking server, he is granted access to his own 
confidential banking information. John then notices the URL reads “https://bank/balance?acc=123” John 
modifies the URL to read, “https://bank/balance?acc=124” and is able to access another user’s account. 
What is exploited in this attack? 
 
a. Missing input validation 
b. Directory Traversal  
c. Indirect Object Access 
d. Missing Function level 
 
15. A user logs on to a company site with his username, JSmith, and sees the following reference in the 
URL: Http://company.com/app/standarduserpage. He then types 
http://company.com/app/administratorpage and gains administrative privileges to the site. What is 
exploited in this attack?  
 
a. Missing input validation  
b. Directory traversal  
c. Indirect object access  
d. Missing function level access control 
 
Video Source  
Skills Tested: Understand common threats directed at web applications 

16. Java applets are small applications that run in users’ browsers to provide additional functionality. 
However, if an applet is allowed unlimited access to operating system resources or hardware such as 
memory, it can be used to modify the system maliciously and do harm in the hands of someone with the 
intent of causing damage. What defensive mechanism is used to limit the scope of Java applets? 
 
a. Input validation  
b. Client-side scripting  
c. Sandboxing  
d. Indirect object access 
 
17. You, as a database administrator, want to control user access to your database. Users need the ability 
to manipulate items in the database, while still being forced to create well-formed transactions. What 
should you provide to give the users the access they need while still protecting your database? 
 
a. Privileged access  
b. Anonymous access  
c. Front-end application  
d. Client-side script 
 
18. You work for a vendor that frequently processes credit card payments for customers. To be in 
compliance with PCI-DSS (Payment Card Industry Data Security Standard) as well as to follow best 
practices, you want to ensure that no credit card numbers are stored on your Point of Sale terminals nor in 
your company database. What is recommended in this situation? 
 
a. Tokenization  
b. Principle of least privilege  
c. Front-end applications  
d. Anonymization 
 
Video Source  
Skills Tested: Understand defensive coding techniques to mitigate application vulnerabilities 

19. Distributed databases are those which house portions of the database in multiple locations. This may 
be for load-balancing, redundancy, security, or efficiency. Which of the following services is offered 
through a distributed database? 
 
a. LDAP  
b. DNS  
c. Office 365  
d. PaaS 
 
20. Active Directory and other directory services based on the LDAP structure are hierarchical in nature. 
DNS is also a hierarchical database. Which of the following is true about these database models? 
 
a. In relational databases, parents can have only one child  
b. In relational databases, a child can have only one parent  
c. In hierarchical databases, a parent can have only one child  
d. In hierarchical databases, a child can have only one parent 
 
21. Database models that store information in tables and rows and use primary and foreign keys to 
organize data are referred to as ____________ 
 
a. Distributed  
b. Hierarchical  
c. Segregated  
d. Relational 
 
Video Source  
Skills tested: Understand the different types of database models. 

22. In each table of a relational database, there must be a field that uniquely identifies every record. 
What is this field called? 
 
a. Primary key  
b. Foreign key  
c. Degree 
d. Attribute 
 
23. Your database administrator mentioned that a relationship link was based on a one-to-many 
relationship. What database term describes the type of relationship and how the records are related? 
 
a. Cardinality  
b. Schema  
c. Tuple  
d. Attribute 
 
24. Which of the following is the best definition of a database’s schema? 
 
a. The relationship between keys  
b. Centrally located repository to store database functions, metadata and other elements that are available 
universally within the database  
c. The defining description of all elements in a database including tables, relations, relationships, etc.  
d. The rules of a database that are used to enforce principles such as entity and referential integrity 
 
Video Source  
Skills Tested: Understand components of a relational database 

CISSP Review Question Answer Key

Domain 1

1. Answer C
Trusted Recovery is required in high-security systems and allows a system to terminate its processes in a 
secure manner. If a system crashes, it must restart in a secure mode in which no further compromise of 
system policy can occur.  

2. Answer A
Open design is often thought to be better than closed design, as the openness allows for review from 
others in the community. The idea is that if others have access to the code, they will help examine and 
review the code, and ultimately improve it. That was not the case unfortunately with OpenSSL. The point 
being that it is not necessarily that open source is more secure. If the code is not reviewed, it might as 
well be closed source. Also, ultimately the quality of the code dictates the security, much more so than 
whether it is open or closed. 

3. Answer C
Dual Control is a security principle that requires multiple parties to be present for a task that might have 
severe security implications. In this instance, it is likely best to have at least two network administrators 
present before a private key can be recovered. A subset of dual control is called M of N control. M and N 
are variables, but this control requires M out of a total of N administrators to be present to recover a key. 

4. Answer A
Project Initiation is traditionally the phase in which senior management pledges its support for the project. 
Often in this phase, management provides a project charter, which is a formal written document in which 
the project is officially authorized, a project manager is selected and named, and management makes a 
commitment to support. 

5. Answer B
Before any work should be done on a Business Continuity Plan, there must be a BCP policy signed by 
management. Without one, the BCP Coordinator/Project Manager will not know management’s 
objectives, scope, and level of commitment. The policy will also include management’s degree of support 
and funding for the project. Without this information and commitment, the project is doomed from the 
start. 

6. Answer D
Some organizations group risk analysis into the process of conducting the Business Impact Analysis, 
while others consider it a separate function. The purpose of the BIA is to identify business processes and 
prioritize them based on criticality. After this step, risk analysis would identify the threats (and their 
likelihood) that could compromise those business processes. 

7. Answer B
Though senior management is responsible for testing the plan, they cannot be expected to be involved in 
testing the technology that will implement the plan. Functional managers or department heads will 
oversee the technical systems that will achieve the overall goals that senior management has laid out. For 
instance, senior management may set a goal of data recovery within an hour, but it is up to the head of the 
department to ensure that the company’s backup/recovery strategy can meet that goal. 

8. Answer D
Senior Management (or possibly the BCP coordinator, if specified in the plan) should fulfill the 
responsibility of declaring a disaster. The plan should explicitly define the characteristics of a disaster, 
and senior management should determine if the current environment meets those criteria. If so, then 
senior management should begin phase one of the plan, which is to notify employees. 

9. Answer B
Arguably, the BCP committee’s most important function is to conduct the Business Impact Analysis. This 
document is the point from which all other plans will begin. The BIA will specify the metrics and objectives 
to be met as a result of the Disaster Recovery Plan, as well as the other plans. 

10. Answer B
The Salvage Team is responsible for reconstitution (also known as failback) to a state of permanence. 
Reconstitution will require restoration of LEAST critical services first, ultimately leading to the full 
restoration of operations at the permanent facility. Only after reconstitution is a disaster considered to be 
over. 

11. Answer A
The Occupant Emergency Plan will detail how employees are to evacuate a facility and reach a safe 
environment. It will often include how to assist those with limitations, assign responsibility for activities 
such as ensuring all members have reached safety as well as include evacuation and backup routes. 

12. Answer C
The COOP is responsible for enabling the long-term (relatively speaking) operations after a disaster. 
Rescue plans address the protection of human life and property in the immediacy of the disaster. The 
recovery phase deals with restoring critical operations as quickly as possible. The COOP begins after 
operations have been restored and is designed to provide guidance on running the organization until full 
operations can be resumed. 

13. Answer D
The Disaster Recovery Plan is usually focused on restoring IT services based on their criticality. The 
DRP’s counterpart that addresses business processes is called the Business Recovery Plan. 

14. Answer D
The BCP should be distributed based on a need-to-know basis. The entire plan may contain sensitive 
information and plans about how to respond to security breaches and how to protect against them. This is 
not information that should be distributed indiscriminately. Individuals are granted access to the portion 
of the plan that is relevant to them. Most users are only given information about how to safely evacuate 
the building and any necessary steps following the evacuation. 

15. Answer D
Most industry experts indicate that an annual review of the BCP is necessary to ensure the information 
contained within is current. Also, in the event of a major change, like acquisition or merger with another 
organization, a review is necessary. 

16. Answer B
Redundancy is an important principle that provides high availability. Because of the inherent importance 
of Disaster Recovery and Contingency plans, copies should be kept at multiple locations and should be 
stored digitally and as a hard copy. 

17. Answer D
A test in which an offsite facility is activated, and a portion of operations are performed at this offsite 
facility is called a parallel test. It is riskier than paper-based tests because if the alternate facility isn’t 
properly operational, a portion of operations can be lost. It is, however, less risky than a full-interruption 
test in which all operations are ceased at the normal facility, and resumed at the alternate facility. 

18. Answer C 
The BIA will determine metrics such as MTD (Maximum Tolerable Downtime) which defines how 
quickly a service or data should be restored. RPO (Recovery Point Objective) will dictate how current 
data must be. These pieces of information will determine what controls will be put in place. For instance, 
if an organization needs to be able to provide data that is current within one hour, but only conducts daily 
backups for redundancy, it will be impossible to guarantee the RPO. Nightly backups have a possible loss 
of a day’s worth of data (Systems could fail at 4:59 and we would only have last night’s backup to use for 
recovery.) 
 
19. Answer B 
The DRP has three phases: Notification, Recovery, and Reconstitution. The recovery phase of the DRP 
should address the function and recovery of critical operations, often at other locations. These locations 
can include an offsite facility (hot, warm or cold site) that the organization uses to restore operations. It 
also, however, can describe an environment in which employees perform their operations from home (or 
elsewhere), usually for very limited periods of time, and not for long-term disasters. 

Domain 2

1. Answer C 
To significantly mitigate risks on the network, we have to implement security that limits connectivity to 
our network from external devices. Additionally, we are concerned with monitoring software being 
installed on our hosts, so we want to limit the ability of such software to be installed. Further, we want to 
ensure that other basic security requirements are satisfied, such as using strong passwords, lockout 
policies on systems, physical security, etc. Remember: Proactive devices PREVENT an attack, as 
opposed to responding to it. Network scans often detect these devices, but they rarely prevent. 
 
2. Answer D 
Separation of Duties is frequently used to limit the amount of information to which any one individual has 
access. For instance, a user cannot leak the password for a file server if that information is 
exclusively available to those whose jobs require it. Separation of duties 
frequently goes hand-in-hand with need-to-know and the principle of least privilege. 
 
3. Answer A 
Though B, C, and D may be part of what is detailed with the various levels of classification, the primary 
purpose of classification is to ensure that the appropriate controls are implemented to provide adequate 
and consistent security for the resource. 
 
4. Answer B 
One of the greatest benefits of configuration management is that it provides stability for systems on the 
network, as well as the network itself. Without a means of evaluating, controlling and documenting 
proposed changes, changes could be made at will. Often changes that seem like a good idea at first may 
have a long-term effect on systems and may have unanticipated results. Also, users frequently don’t 
understand the functional and security ramifications of application installation or modification of settings. 
 
5. Answer C 
Organizations that practice good configuration management should have a well-documented policy on 
the change control process. Part of the policy should include the emergency change control process. Even 
if a lead technician or manager authorizes a change, the change should still be presented to the Change 
Control Board through the emergency change control process. 

6. Answer D 
An organization’s patch management strategy should include how to handle security-related patches, 
often with an expedited process. Never take it upon yourself to implement a patch, regardless of the 
reason. Patches may occasionally have an adverse reaction to systems, which is why there should be a 
well-documented policy. 
 
7. Answer B 
The best way to protect data is to encrypt it. Though a cable lock would indeed help prevent a laptop from 
being stolen, without encryption the data can still be compromised. Monitoring and the review of audit 
logs will probably not reveal access to sensitive information, and even if they did, the logs would only 
indicate that data had been accessed, and would not prevent that access. 
 
8. Answer C 
The TPM (Trusted Platform Module) chip is hardware contained on the motherboard originally designed 
for the limited purpose of hard drive encryption. Vendors today are frequently using this chip for other 
purposes, such as using it as a location to store activation information in an attempt to prevent piracy. 
 
9. Answer B 
SSH is a secure protocol for remote administration. Additionally, it can be used to transfer files through 
the use of S/FTP. S/FTP is the SSH protocol with an FTP shell so that users experienced in FTP can use 
the commands with which they are familiar. 

Domain 3 - Section 1 
 
1. Answer B 
The TCB (Trusted Computing Base) describes the elements of a system which enforce the security policy 
and are used to determine the security capabilities of a system. This term was coined by the Orange Book 
(also known as the Trusted Computer System Evaluation Criteria). Some components included in the 
TCB are the system BIOS, the CPU, memory, and the OS kernel. 
 
2. Answer C 
As a subject attempts to access an object, two of the main elements that control access are the Reference 
Monitor and the Security Kernel. The Reference Monitor is the conceptual rule set that defines access, 
while the Security Kernel includes the hardware, software, or firmware that enforces the rule set. 
 
3. Answer A 
There is always a trade-off for security. Sometimes the cost comes in actual dollars spent. Other 
times, security negatively affects performance, backward compatibility and ease of use. An organization 
must look at the overall objectives of the business considering its primary needs. Systems 
which house sensitive military information, for instance, must be designed with much more security than a small 
home/office environment that has information of little to no value to an attacker. The amount of security 
that should be implemented should meet the needs of the business, without exceeding the amount of cost 
the organization is willing to pay. 
 
4. Answer D 
Secure by design is one of the most important concepts in system/software development. Often in the 
past, we have asked two questions: “Does it work?” and “Is it secure?” In following the “secure by 
design” philosophy, products are not considered functional unless they function securely. Security is 
addressed at each phase of the SDLC (System Development Lifecycle) including the initial phases which 
include the practices of risk assessment, functional design and implementation. By including security in 
each of the phases, we design a product to be secure, as opposed to considering security as an 
afterthought. 

5. Answer C 
One of the main benefits of thin clients is that the responsibility is taken off the client for the installation, 
upgrades, and management of resources. A central computer hosts the software and services and the 
clients access these services. The client can contain very minimal hardware/software, as the services are 
actually running on the server, whether it be a local server or a server accessed through a cloud service 
provider’s network. 
 
6. Answer C 
A benefit of loose coupling is that the components in a loosely coupled environment or system can be 
exchanged for alternative implementations that provide the same services, and they are much less 
constrained to the same language, platform, operating system, or build environment. 
 
7. Answer A 
The *-Security Property of the Bell-LaPadula security model is designed to prevent users that have 
access to higher levels of data from writing to an area of lower access. For instance, it would 
prevent a document classified as “top secret” from being written to a folder classified as “secret.” 
 
8. Answer A 
Startup of a system is difficult to secure, as many protective mechanisms have yet to be loaded. Some of 
the more successful malware has been designed to load early in the boot process, perhaps when the kernel or 
virtual device drivers load, in order to evade detection. 
 
9. Answer B 
The Clark-Wilson security model enforces separation of duties. Rather than allow an untrusted entity to 
have full access, we limit the untrusted entity to limited access through an interface. The interface then 
controls and enforces a well-formed request. The Clark-Wilson model is implemented in many ways in 
the Information Security world. We use a firewall as an interface between the public internet and our 
trusted internal network. We use application programming interfaces to allow an application to access the 
trusted resources it needs. 

 
 
 
 
 


Domain 3 - Section 2 
 
1. Answer A 
The data owner has the responsibility of determining the classification of data based on pre-defined 
criteria. The data custodian’s primary responsibility is to implement the security controls based on the 
classification and to provide the day-to-day oversight, including ensuring that backups are current. 
 
2. Answer A 
For an information system, the potential impact values assigned to the respective security objectives 
(confidentiality, integrity, availability) shall be the highest values (i.e., high water mark) from among 
those security categories that have been determined for each type of information resident on the 
information system. 
 
3. Answer C 
Trust is typically defined in terms of the security features, functions, mechanisms, services, procedures, 
and architectures implemented within a system. Security assurance is the measure of confidence that the 
security functionality is implemented correctly, operating as intended and producing the desired outcome 
based on the reliability of the processes used to develop the system. 
 
4. Answer A 
A TOC/TOU (time of check/time of use) attack occurs when an attacker (or a system process) creates a 
variance between when a resource is verified and when it is used. In this instance, the network operating 
system has authenticated the user and allowed him access to the domain. The OS continues to use the 
information learned in the initial check for the user’s authentication. The user continues to “use” the 
system, as no updated information about the account suspension is passed along. There are numerous 
instances where this attack can be used, causing multiple issues including privilege escalation. 
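The suspended-account scenario above, as an added example that is not part of the study guide: the account store, the session object and the user names are constructed, and the two access functions contrast a time of use that trusts the login-time result with one that re-reads the account status.

```python
"""Time-of-check/time-of-use gap in session authorization.

Added example, not from the study guide. The account store, session
handling and account names are all constructed for the demonstration.
"""

# Constructed account store: user name -> status
ACCOUNTS = {"alice": "active", "bob": "active"}


class Session:
    """Holds the result of the authentication check performed at login."""

    def __init__(self, user: str):
        self.user = user
        self.checked_status = ACCOUNTS[user]   # status captured at time of check


def login(user: str):
    """Time of check: verify the account is active and issue a session."""
    if ACCOUNTS.get(user) != "active":
        return None
    return Session(user)


def suspend(user: str):
    """Administrator suspends the account after the user has logged in."""
    ACCOUNTS[user] = "suspended"


def access_vulnerable(session: Session) -> bool:
    """Time of use that relies on the stale login-time result (the guide's scenario)."""
    return session.checked_status == "active"


def access_hardened(session: Session) -> bool:
    """Time of use that re-reads the authoritative account status on every request."""
    return ACCOUNTS.get(session.user) == "active"


def demo():
    """Return ((vulnerable, hardened) before suspension, (vulnerable, hardened) after)."""
    ACCOUNTS["alice"] = "active"          # reset so the demo is repeatable
    s = login("alice")
    before = (access_vulnerable(s), access_hardened(s))
    suspend("alice")                      # the variance: status changes after the check
    after = (access_vulnerable(s), access_hardened(s))
    return before, after


if __name__ == "__main__":
    print(demo())   # ((True, True), (True, False))
```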
 
5. Answer D 
The best means of mitigating the threat of resource exhaustion is implementing a means of detecting and 
limiting access to the resource. Input validation can help ensure that an attacker doesn’t input a data value 
greater than expected. Throttling might include tracking the rate of requests received from users and 
blocking requests that exceed a defined rate threshold. 
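The throttling and input-validation controls described above, as an added example that is not from the study guide: a sliding-window limiter tracks request timestamps per user and blocks requests above a threshold, and a size check refuses oversized bodies. The request stream, user names, window and limits are constructed.

```python
"""Throttling and input validation against resource exhaustion.

Added example, not from the study guide. The request log, user names
and thresholds are constructed for the demonstration.
"""
from collections import defaultdict, deque

RATE_LIMIT = 5            # maximum requests allowed per user inside the window
WINDOW_SECONDS = 10.0     # sliding window length in seconds
MAX_PAYLOAD_BYTES = 256   # largest request body the service is sized to accept


class SlidingWindowThrottle:
    """Tracks request timestamps per user and rejects bursts above RATE_LIMIT."""

    def __init__(self, limit: int = RATE_LIMIT, window: float = WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._history = defaultdict(deque)   # user -> timestamps of recent requests

    def allow(self, user: str, now: float) -> bool:
        recent = self._history[user]
        # Drop timestamps that have aged out of the window.
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.limit:
            return False                     # over threshold: block and do not record
        recent.append(now)
        return True


def validate_payload(payload: bytes, limit: int = MAX_PAYLOAD_BYTES) -> bool:
    """Input validation: refuse bodies larger than the service expects."""
    return len(payload) <= limit


def process_requests(requests, throttle: SlidingWindowThrottle = None) -> list:
    """Run (timestamp, user, payload) requests through validation, then throttling.

    Returns (user, decision) pairs; decision is 'ok', 'too_large' or 'throttled'.
    """
    throttle = throttle or SlidingWindowThrottle()
    decisions = []
    for ts, user, payload in requests:
        if not validate_payload(payload):
            decisions.append((user, "too_large"))
        elif not throttle.allow(user, ts):
            decisions.append((user, "throttled"))
        else:
            decisions.append((user, "ok"))
    return decisions


# Constructed request stream: 'burst' fires 8 requests within 4 seconds,
# 'steady' spaces requests 3 seconds apart, 'big' sends one oversized body.
SAMPLE_REQUESTS = (
    [(t * 0.5, "burst", b"x" * 10) for t in range(8)]
    + [(t * 3.0, "steady", b"y" * 10) for t in range(4)]
    + [(1.0, "big", b"z" * 1024)]
)

if __name__ == "__main__":
    for user, decision in process_requests(SAMPLE_REQUESTS):
        print(f"{user:>7}: {decision}")
```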
 
 
 


6. Answer C  
Data resides in storage much longer than it does in transit and must be stored in a secure manner. 
Encryption of data is helpful to enforce confidentiality and protect application data, keys, passwords, etc. 
However, even when encryption is used, it may not be used properly. Common mistakes include: 
• Failure to encrypt sensitive data 
• Weak protection for the storage of credentials (keys, certificates, and passwords) 
• Improper storage of confidential information in memory/swap files 
• Poor statistical randomness 
• Weak cryptographic algorithms 
 
 
 

   


Domain 3 - Section 3 
 
1. Answer D 
Pattern analysis is often the easiest way to crack a pure substitution cipher. For instance, knowing that 
the most commonly used letter of the English alphabet is “e” can lead us to make a reasonable 
assumption that whatever character most commonly appears is likely substituted for “e.” Also, it is 
estimated that as many as 60% of emails start with the letter “h.” The more assumptions we are able to 
make correctly, the quicker we can compromise a substitution cipher. 
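The pattern analysis described above, as an added example that is not from the study guide: a constructed substitution key and sample plaintext are used, the ciphertext letter counts are ranked, and the most frequent ciphertext letter is assumed to stand for “e” (then “t”, “a”, and so on down the English frequency order).

```python
"""Frequency analysis against a pure (monoalphabetic) substitution cipher.

Added example, not part of the study guide. The substitution key and the
sample plaintext below are constructed for the demonstration.
"""
from collections import Counter
import string

# English letters ordered by typical frequency, most common first.
ENGLISH_FREQ_ORDER = "etaoinshrdlcumwfgypbvkjxqz"

# Constructed substitution key: plaintext letter -> ciphertext letter.
KEY = dict(zip(string.ascii_lowercase, "qwertyuiopasdfghjklzxcvbnm"))
INVERSE_KEY = {c: p for p, c in KEY.items()}

# Constructed sample plaintext, long enough for letter statistics to emerge.
SAMPLE_PLAINTEXT = (
    "we need to remember that the secret key never leaves the server. every "
    "message between the sender and the receiver is encrypted before it enters "
    "the network and decrypted when it reaches the other end. the defender "
    "needs evidence that these messages were not changed on the wire."
)


def substitute(text: str, key: dict) -> str:
    """Apply a monoalphabetic substitution; non-letters pass through unchanged."""
    return "".join(key.get(ch, ch) for ch in text.lower())


def letter_frequencies(text: str) -> list:
    """Return the letters of the text ordered from most to least frequent."""
    counts = Counter(ch for ch in text if ch in string.ascii_lowercase)
    return [letter for letter, _ in counts.most_common()]


def most_common_cipher_letter(ciphertext: str) -> str:
    return letter_frequencies(ciphertext)[0]


def guess_key_by_frequency(ciphertext: str) -> dict:
    """Pair each ciphertext letter with the English letter of the same frequency rank.

    This is the guide's pattern analysis: the most frequent ciphertext letter is
    assumed to be 'e', the next 't', and so on. Only the top few ranks are
    reliable on short texts, but that is enough to start recovering words.
    """
    ranked = letter_frequencies(ciphertext)
    return {c: p for c, p in zip(ranked, ENGLISH_FREQ_ORDER)}


def attack(ciphertext: str) -> str:
    """Decrypt with the frequency-derived key guess (unranked letters are kept)."""
    guess = guess_key_by_frequency(ciphertext)
    return "".join(guess.get(ch, ch) for ch in ciphertext)


if __name__ == "__main__":
    ct = substitute(SAMPLE_PLAINTEXT, KEY)
    print("ciphertext:", ct)
    print("most common ciphertext letter:", most_common_cipher_letter(ct),
          "(the key maps 'e' to", KEY["e"] + ")")
    print("frequency-based recovery:", attack(ct))
```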
 
2. Answer D 
Session keys are used for a single session and are then discarded, as is the one-time pad. Additionally, 
each session key must be statistically unpredictable and unrelated to the previous key, as the one-time pad 
requires as well. Any technology that takes advantage of a short-term password or key can ultimately be 
traced back to the one-time pad. 
 
3. Answer B 
DES was originally the standard used to protect sensitive but unclassified information for the US 
Government. Once DES was compromised we needed a quick means to increase the security. 3DES 
literally tripled the length of the key from 56 bits to 168 bits. Often a quick means to strengthen a 
compromised algorithm is to increase the key length or the length of the initialization vector. 
 
4. Answer B 
Non-repudiation is the combination of authenticity and integrity and is implemented through the use of 
digital signatures. 
 
5. Answer C 
Integrity provides assurance against modification of data, whether malicious or accidental. Though non- 
repudiation (which includes integrity) would also provide detection that messages have been corrupted, it 
would also provide the additional security services of authenticity and non-repudiation, which would 
cause additional overhead. 
 
6. Answer D 
Non-repudiation combines integrity (which guarantees the message has not been modified) and 
authenticity which verifies the origin of the message. Only non-repudiation would meet the above 
requirements. 


7. Answer D 
Seeds or salts are added to provide additional randomness to passwords as part of the second layer of 
defense against password cracking. 
 
8. Answer A 
XOR (Exclusive Or) is a process frequently used by stream ciphers to provide bit-by-bit encryption. 
Typically this type of encryption is very fast and efficient but does not usually provide the same security 
that block ciphers provide. 
 
9. Answer A 
Another term for the key is crypto-variable which indicates that the randomness and variability of the 
crypto process comes from the key. 
 
10. Answer C 
Rijndael was selected by the government to satisfy the Advanced Encryption Standard specified by the 
government in 2002 and is the default algorithm that many applications use to provide security. 
 
11. Answer A 
One major challenge in a purely symmetric system is how to share the secret key. Encrypting the key with 
a passphrase is out of place here, since we still have the fundamental problem of sharing the passphrase. 
Answers b and d refer to asymmetric cryptography. 
 
12. Answer B 
Due to the complexity and security provided, the most commonly used type of symmetric cipher is a block 
cipher. DES, 3DES, AES, Twofish, Blowfish and others are examples of block ciphers. Generally, block 
ciphers provide greater security than stream ciphers. However, performance suffers. 
 
13. Answer B 
Authenticity is provided through the use of the sender’s public key. Both symmetric and asymmetric 
cryptography provide privacy. Integrity is provided by hashing algorithms, which rely on one-way math (not a 
key), and non-repudiation requires a hash. 
 
14. Answer D 
In symmetric cryptography, a secret key needs to be shared between two parties to encrypt private 
messages. However, in asymmetric algorithms, the recipient’s public key is used to provide privacy. The 
public key contains no sensitive information and does not need to be kept secret. 
 
15. Answer C 
There is no such thing as a public key compromise as there is nothing sensitive attached to a public key. 
The secrecy of asymmetric algorithms comes from the relationship between the public and private key 
and the fact that it should be impossible (or at least highly unlikely) to determine the private key from the 
public key. 
 
16. Answer B 
Symmetric keys can provide the same strength of encryption with much shorter keys. According to RSA 
Security, 1024-bit RSA keys are equivalent in strength to 80-bit symmetric keys, 2048-bit RSA keys to 
112-bit symmetric keys and 3072-bit RSA keys to 128-bit symmetric keys. RSA claims that 1024-bit keys 
are likely to become crackable sometime between 2006 and 2010 and that 2048-bit keys are sufficient until 
2030. An RSA key length of 3072 bits should be used if security is required beyond 2030. NIST key 
management guidelines further suggest that 15360-bit RSA keys are equivalent in strength to 256-bit 
symmetric keys. 
 
17. Answer C 
Symmetric ciphers provide good, fast privacy, however exchanging the shared key requires some other 
means than the symmetric algorithms can provide. Frequently, the key exchange is handled by an 
asymmetric algorithm while the data exchange is provided by the symmetric algorithm. 
 
18. Answer B 
Though Bob could also read documents destined for Alice, being able to sign documents as Alice 
would affect the accountability of the system. 
 
19. Answer D 
In asymmetric cryptography, privacy comes from using the receiver’s public key to encrypt the 
information. In this event, only the receiver’s private key (which only the legitimate receiver should 
have) can decrypt. 
 
20. Answer B 
When initiating a secure connection with a web server using https, the server responds by sending the 
client its public key on a certificate, ideally signed by a trusted Certificate Authority. The server’s public 
key will then be used to encrypt a session key from the client. 
 


21. Answer C 
A digital signature provides non-repudiation (a combination of integrity and authenticity) for a message. 
With a digital signature, the message is hashed with a hashing algorithm like SHA-1 or SHA-256. The 
hash is then encrypted with the sender’s private key using an algorithm like RSA. 
 
22. Answer D 
Diffie-Hellman is described as providing a means for two parties to agree upon a key without having to 
send that key across the network. It has traditionally been used as a means for the two parties to agree 
upon a session key, which will then provide symmetric encryption for the data. 
 
23. Answer A 
ECC (Elliptic Curve Cryptography) is a very fast and efficient protocol used to protect communications 
on devices with limited processing power. Its secrecy is based on the algebraic structure of elliptic curves 
over finite fields. 
 
24. Answer D 
RSA has replaced DSA as the current algorithm used as the standard for digital signatures. 
 
25. Answer C 
Hashes are based on one-way math—math that is very easy to perform one way, but exceedingly difficult 
to reverse. Passwords are frequently stored as hashes for this reason. If a password is forgotten, a network 
administrator can’t view the password, though they can reset it. 
 
26. Answer A 
A collision is caused when two different contents produce the same hash. In this instance, the hash has 
been broken and is no longer reliable, as it doesn’t detect a change in content. However, just as everything 
encrypted can be decrypted, given enough effort a collision can be found for any hash. The strength of the 
hashing algorithm is in its resistance to collisions. 
 
27. Answer C 
A birthday attack is based on the idea that it is easier to find two hashes that just happen to match rather 
than trying to produce a specific hash. It is called a birthday attack based on the fact that it is easier to find 
two people whose birthdays just happen to match, rather than someone with a specific birthday. 
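The collision and birthday-attack ideas from answers 26 and 27, as an added example that is not from the study guide: SHA-256 is truncated to a constructed 24-bit width so that the birthday search finishes instantly, and the inputs are constructed counter strings. The point is the work factor: any matching pair costs about the square root of the output space, while hitting one specific value costs the whole space.

```python
"""Birthday search for a collision in a truncated hash.

Added example, not from the study guide. SHA-256 is truncated to a small,
constructed width so the search completes quickly; the inputs are
constructed counter strings. Real hashes use 160+ bits, which is why the
same search is infeasible against them.
"""
import hashlib
import math

TRUNC_BITS = 24   # constructed toy width (3 bytes of SHA-256 output)


def truncated_hash(data: bytes, bits: int = TRUNC_BITS) -> int:
    """First `bits` bits of SHA-256(data), as an integer."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)


def expected_birthday_trials(bits: int) -> float:
    """Expected hashes before any two match: about sqrt(pi * N / 2) for N = 2**bits."""
    return math.sqrt(math.pi * (2 ** bits) / 2)


def expected_preimage_trials(bits: int) -> int:
    """Expected hashes to hit one specific target value: about N = 2**bits."""
    return 2 ** bits


def find_collision(bits: int = TRUNC_BITS) -> tuple:
    """Birthday attack: hash distinct inputs until any two outputs match.

    Returns (input_a, input_b, trials). Any matching pair will do; the search
    is not aiming at a particular hash value, which is what keeps it cheap.
    """
    seen = {}          # truncated hash -> first input that produced it
    n = 0
    while True:
        msg = f"message-{n}".encode()
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, n + 1
        seen[h] = msg
        n += 1


if __name__ == "__main__":
    a, b, trials = find_collision()
    print(f"collision after {trials} hashes (expected about "
          f"{expected_birthday_trials(TRUNC_BITS):.0f}, versus about "
          f"{expected_preimage_trials(TRUNC_BITS)} for a specific target):")
    print(f"  {a!r} and {b!r} share truncated hash {truncated_hash(a):#08x}")
```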
 
 


28. Answer A 
Because there is no indication of the origin of the message or file, there is no guarantee against spoofing if 
only a hash is used. Authenticity must be added in order to get an assurance against spoofing. 
 
29. Answer C 
A MAC is computed over a message using a symmetric key that only the sender and receiver should know. 
Because two users share this symmetric key, we can’t get true non-repudiation. Even though this doesn’t 
supply the same assurance that a digital signature does, it requires less of an infrastructure. 
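The contrast drawn in answers 28 and 29, as an added example that is not from the study guide: a plain hash detects modification but not spoofing, an HMAC over the same message rejects both tampering and an outsider without the key, and the receiver, who holds the same key, can produce a valid tag, which is why a MAC gives no non-repudiation. The key and messages are constructed.

```python
"""Plain hash versus keyed MAC (HMAC-SHA256) for message protection.

Added example, not from the study guide. The shared key and the messages
are constructed for the demonstration.
"""
import hashlib
import hmac

# Constructed shared secret; a real deployment draws it from a CSPRNG.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def plain_digest(message: bytes) -> bytes:
    """Unkeyed hash: detects accidental change, but anyone can recompute it."""
    return hashlib.sha256(message).digest()


def verify_plain_hash(message: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(plain_digest(message), digest)


def spoof_with_plain_hash(message: bytes) -> tuple:
    """An impostor rewrites the message and attaches a matching plain hash."""
    forged = message + b" (altered)"
    return forged, plain_digest(forged)


def mac(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    """HMAC-SHA256 over the message using the shared symmetric key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(message: bytes, tag: bytes, key: bytes = SHARED_KEY) -> bool:
    """Constant-time comparison so the check does not leak the tag byte by byte."""
    return hmac.compare_digest(mac(message, key), tag)


def demo() -> dict:
    message = b"transfer 100 to account 42"

    # Plain hash: the forged message still verifies, so there is no spoofing protection.
    forged, forged_digest = spoof_with_plain_hash(message)
    plain_hash_accepts_forgery = verify_plain_hash(forged, forged_digest)

    # MAC: tampering with the message invalidates the tag, and an outsider
    # who does not hold SHARED_KEY cannot produce a valid tag for a forgery.
    tag = mac(message)
    mac_rejects_tamper = not verify_mac(message + b"0", tag)
    outsider_tag = mac(forged, key=b"outsider-guess")
    mac_rejects_outsider = not verify_mac(forged, outsider_tag)

    # Non-repudiation gap: the receiver holds the same key, so a tag the receiver
    # creates is indistinguishable from one the sender created.
    claim = b"sender never said this"
    receiver_can_forge = verify_mac(claim, mac(claim))

    return {
        "plain_hash_accepts_forgery": plain_hash_accepts_forgery,
        "mac_rejects_tamper": mac_rejects_tamper,
        "mac_rejects_outsider": mac_rejects_outsider,
        "receiver_can_forge": receiver_can_forge,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```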
 
30. Answer B 
A sender uses his or her private key to encrypt the hash, producing a digital signature. The receiver 
verifies the digital signature by using the sender’s public key to decrypt the hash. If the hash can be 
decrypted using the sender’s public key, it had to have been encrypted by the sender’s private key (which 
only the sender has). 
 
31. Answer B 
A private key should never be on a certificate or any other mechanism that is made public. As a matter of 
fact, even the Certificate Authority will not know the server’s private key. As part of a server’s request to 
a CA for a certificate, the server generates a public/private key pair. The public key is registered with the 
CA, and that key is added to the certificate. 
 
32. Answer D 
A message indicating a certificate has not been signed by a trusted authority indicates that the Certificate 
Authority’s public key is unavailable to verify the authenticity of a web server’s certificate. The way CA 
certificates are made available to web browsers is that they are loaded into the certificate repository 
within the browser (often by the vendor who provides the browser). A trusted CA is one whose certificate 
is accessible on the client’s system. 
 
33. Answer C 
OCSP is a protocol that streamlines the process of verifying the revocation status of a certificate. An 
OCSP server or responder is responsible for checking with the CA’s CRL (Certificate Revocation List) 
periodically and providing a reasonably current assessment of whether the certificate has been revoked. 
 
 
 


34. Answer B 
Encapsulation “wraps” the data into some sort of packaging—usually a header and a trailer. Encryption is 
a transformation process that involves taking plaintext and transforming it into ciphertext through the use 
of a key and an algorithm. IPSec provides security for the portions of the packet that are encapsulated. 
 
35. Answer C 
IPSec, in tunnel mode, provides encryption for the entire IP packet. IPSec adds its own header and trailer 
to the packet. The entire IP packet is the IPSec payload. Though this can take longer, it provides better 
security. 
 
36. Answer C 
In creating a secure tunnel from one site to another, IPSec is normally configured to operate in tunnel 
mode. Tunnel mode provides greater security by encrypting the header, payload, and trailer of the IP 
packet. 
 
37. Answer A 
Diffie-Hellman is an algorithm whose sole purpose is to allow key agreement without pre-shared secrets 
and is used by Oakley, a sub-protocol of IKE. 
 
38. Answer B 
ESP is the only sub-protocol that provides encryption. AH provides non-repudiation, but no privacy 
services. 
 
39. Answer A 
NAT (Network Address Translation) has the primary function of hiding internal IP addresses from hosts 
located outside the network. A NAT device does this by removing the original source address and 
replacing that address with its own external interface’s address. Though this service is very helpful in 
enhancing network security, the header modification is detected by AH. For this reason, NAT and AH are 
natively incompatible, though solutions like NAT-Traversal are used to make the two work together. 
 
40. Answer A 
A medium security organization is best suited to an area with high visibility and natural surveillance. 
Security through obscurity is a myth and often leaves an organization more vulnerable. 
 
 


 
 
41. Answer D 
Anyone trying to access the building without proper credentials should be escorted to security. If they are 
simply denied access, they will wait for someone else to come along who will let them in. Additionally, 
even if that individual is a recognized employee, they should still be escorted to security. It is possible 
that the employee has been terminated and his credentials have been revoked. Disgruntled employees have 
been the source of numerous attacks resulting in the loss of life, property and data. 
 
42. Answer D 
Generally, access points should be placed in the center of the building, allowing the walls and other 
physical aspects of the facility to absorb the signal and help contain access to Wi-Fi to the building. 
Additionally, signal strength can be manipulated to reduce the chance of outside access. 
 
43. Answer C 
CCTV cameras could provide surveillance to disprove employee claims of improper physical access. 
Though data center doors should certainly be locked and badged access to a building is helpful, 
these solutions don’t protect against employee actions once in the building. Further, though the policy is 
important, it is an administrative control that simply deters fraud. It will not detect the fraud. 
 
44. Answer B 
A kick plate is designed to protect the bottom of the door against cosmetic damage but doesn’t really 
enhance its physical security. A strike plate is the part of the locking mechanism that reinforces the door 
at the doorknob area. Hinges can be protected by encompassing them or by reinforcing them, so they are 
resistant to tampering. 
 
45. Answer B 
Positive air flows are designed such that air flows out of a room instead of into it. This limits the ability of 
contaminants to flow from room to room.   


Domain 4 
 
1. Answer A 
Layer 1 of the OSI Reference Model is referred to as the “Physical Layer” and provides physical 
connectivity to the network. Cable, connectors, hubs and any device that is only concerned with creating a 
means for the physical signal to traverse the network are Layer 1 devices. Though there is an element of a 
NIC (Network Interface Card) that does provide physical connectivity, it is considered by most to be a 
Layer 2 device. 
 
2. Answer C 
All copper cable is susceptible to eavesdropping to some degree. Even shielding of twisted pair cabling 
only makes an improvement to its resistance to tapping and eavesdropping. However, if the goal is to find 
a type of cable that is truly immune to interference and much more difficult on which to eavesdrop, fiber 
optic cable is the best choice. Though fiber has traditionally been more expensive and more difficult to 
work with, it is becoming more commonly used, and prices are dropping. 
 
3. Answer C 
Lower layer devices are usually faster than upper layer devices, as these devices are not concerned with 
complicated inspection and decision making. In order to make decisions at Layer 7 for instance, the lower 
Layer headers would have to be stripped away, to provide deep packet inspection and direction. Layer 1 
devices just provide a medium for the signal to travel, without taking the time to analyze or inspect. 
 
4. Answer D 
Ethernet Media Access uses CSMA/CD. This indicates that hosts will “sense” the cable to determine if 
data is being transmitted. However, multiple hosts could have sensed that the media was available at the 
same time. In this case, if multiple hosts transmit on the cable it causes a collision which should be 
detected immediately. A hub would not help with this problem. In order to limit collisions, a switch is 
necessary. 
 
5. Answer C 
In order to resolve a known IP address to an unknown MAC address, a host uses an ARP (Address 
Resolution Protocol) broadcast. ARP uses a broadcast to query the MAC address for a specific IP address. 
That MAC address is then added to the ARP cache, so as to eliminate the need for another broadcast 
should that information be needed again. 
 


6. Answer C 
CSMA/CA is specified for devices following the IEEE 802.11 standard, or Wi-Fi systems. In this 
method, a client sends a signal to indicate its desire to transmit. As a result of this signal, no other host 
transmits. In CSMA/CA environments, collisions are not simply reduced but eliminated. 
 
7. Answer B 
Switches maintain a CAM table that maps MAC addresses on the network to physical ports on the switch. 
This function allows the switch to direct data out of the appropriate physical port where the host is 
located, as opposed to indiscriminately broadcasting the data out all ports as a hub does. In a MAC 
flooding attack, the attacker sends the switch many Ethernet frames, each one containing a different 
source MAC address. The intention is to consume the limited memory set aside for the CAM table. 
Ultimately, this process overwrites the legitimate entries that the switch has learned. Once the switch no 
longer has legitimate entries in its CAM table, it broadcasts data until it re-learns the MACs of the 
legitimate hosts. 
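Detecting the MAC flooding described above from the switch’s point of view, as an added example that is not from the study guide: the frame records, port names, CAM table size and alert threshold are all constructed. A normal access port learns a handful of source MACs; one port suddenly showing hundreds of distinct sources, with the total approaching table capacity, is the signature to alert on.

```python
"""Detecting MAC flooding from per-port distinct-source-MAC counts.

Added example, not from the study guide. The frame records, port names,
CAM table capacity and threshold are constructed; a real switch would
expose such data through its MAC address table or port-security counters.
"""
from collections import defaultdict

DISTINCT_MAC_THRESHOLD = 50   # more distinct sources than this on one port is suspicious
CAM_TABLE_CAPACITY = 200      # constructed toy size; real tables hold thousands


def parse_frame(line: str) -> tuple:
    """Parse a constructed 'port src_mac dst_mac' record into a tuple."""
    port, src, dst = line.split()
    return port, src.lower(), dst.lower()


def distinct_sources_per_port(lines) -> dict:
    """Map each port to the number of distinct source MACs seen on it."""
    seen = defaultdict(set)
    for line in lines:
        port, src, _ = parse_frame(line)
        seen[port].add(src)
    return {port: len(macs) for port, macs in seen.items()}


def flag_flooding_ports(lines, threshold: int = DISTINCT_MAC_THRESHOLD) -> list:
    """Ports whose distinct-source count exceeds the threshold, sorted by name."""
    counts = distinct_sources_per_port(lines)
    return sorted(port for port, n in counts.items() if n > threshold)


def cam_table_overflowed(lines, capacity: int = CAM_TABLE_CAPACITY) -> bool:
    """True once total learned MACs exceed capacity, the point at which the
    switch starts flooding frames like a hub."""
    return sum(distinct_sources_per_port(lines).values()) > capacity


def build_sample_frames() -> list:
    """Constructed capture: two normal hosts plus one port spraying fake sources."""
    frames = []
    for _ in range(20):
        frames.append("Gi1/0/1 00:11:22:33:44:01 ff:ff:ff:ff:ff:ff")
        frames.append("Gi1/0/2 00:11:22:33:44:02 00:11:22:33:44:01")
    for i in range(300):
        src = "de:ad:be:ef:%02x:%02x" % (i // 256, i % 256)
        frames.append(f"Gi1/0/7 {src} ff:ff:ff:ff:ff:ff")
    return frames


if __name__ == "__main__":
    sample = build_sample_frames()
    print("distinct sources per port:", distinct_sources_per_port(sample))
    print("flooding suspected on:", flag_flooding_ports(sample))
    print("CAM table overflowed:", cam_table_overflowed(sample))
```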
 
8. Answer B 
A switch serves two main functions on a network. First, it directs traffic out the appropriate physical port 
for the destination device. This prevents the need for the switch to send all traffic out all ports, as a hub 
did. Secondly, each physical port on a switch is its own collision domain. By lessening the number of 
hosts in each collision domain, there are fewer systems competing for time on the cable. 
 
9. Answer A 
With switches being used, traffic is directed out the appropriate physical port that is mapped to the 
recipient’s MAC address. Since most likely there is no traffic addressed to the sniffer, the only traffic 
being directed out that port would be ARP broadcasts used to learn the MAC address of the recipient. 
 
10. Answer C 
A router is usually considered a Layer three device because of its capability to handle the best path 
determination and to use IP addressing. However, routers must have some form of physical interface 
which is Layer 1. Also, once traffic is sent to the proper interface on the router, it uses an ARP broadcast 
(Layer 2) to locate the local client. 
 
11. Answer B 
The primary purpose of a VLAN is to create separate broadcast domains on a network. This function has 
traditionally been the responsibility of routers. However, routers are expensive and more difficult to 
logically configure, so this capability has been incorporated into switches. 


12. Answer C 
Broadcast domains are subnetted and identified by their network addresses. IP addressing is a Layer 3 
function. Though a VLAN can provide this segmentation on either type of switch, when a standard switch is 
employed, the switch (Layer 2) can’t “understand” the difference between the network IP (Layer 3) 
addresses. In this case, the VLANs would not be able to communicate. With a Layer 3 switch that 
understands IP segmentation, the VLANs would be able to communicate. 
 
13. Answer A 
Media streaming would best benefit from using UDP as its transport layer protocol. Because media 
streaming is so very bandwidth intensive, speed and throughput are essential. Though UDP can also be 
used for file downloads through TFTP (Trivial File Transfer Protocol), usually TCP is used for small 
files. 
 
14. Answer D 
Since UDP is connectionless, it has no need for fields that assist with guaranteeing communication or 
handshaking. However, UDP still requires the use of port numbers in order to identify the protocol or 
service being transmitted. 
 
15. Answer B 
The main difference between the protocols FTP and TFTP is that they use different layer 4 protocols. FTP 
uses TCP that provides connection-oriented delivery. TFTP uses UDP for faster connectionless delivery 
of data. 
 
16. Answer B 
The Presentation Layer sends data to the Application Layer. This layer provides a translation into 
standard formats, encryption, and compression. Though there are no specific protocols that work at the 
Presentation Layer (6), most Application Layer protocols are considered to function across the top three 
layers. 
 
17. Answer D 
A session hijack occurs at the Session Layer (5). In session hijacking, an attacker uses session-based 
information, such as the session ID, username, and any other cached information, to step in and take over an 
existing session. 
 
18. Answer D 
The best way to mitigate sidejacking is a well-designed and secure website. The server should use https:// 
for all pages served instead of just the ones for login information. On the client side, the best way to 
protect against this attack would be to secure your network to ensure that there are no unauthorized 
devices and packets are not being sniffed. 
 
19. Answer A 
An application proxy is the best choice in this question. In order to make decisions based on content, a 
screening device would need full access to all layers of the OSI stack. Application layer devices are the 
only ones who have this degree of access. 
 
20. Answer B 
Though application proxies do provide a high degree of security through deep packet inspection, they can 
cause a significant performance decrease. The first line of defense is often a screening router that has very 
basic ACLs (Access Control Lists) to evaluate traffic very quickly. 
 
21. Answer C 
Though blocking all downloads would keep modified files from being downloaded, it would interfere 
with normal operations. The best means of ensuring that files downloaded are from the true server, as 
presented, and to ensure these files have not been modified is to ensure only files digitally signed are able 
to be downloaded. Digital signatures provide both authenticity and integrity. 
 
22. Answer C 
The earlier standards for Wi-Fi (802.11 a, b, g) did not support WPA II and were only capable of using 
WEP and later WPA (which provided much less security than their successor). WPA II was required to be 
supported by any standards after 802.11i. 
 
23. Answer A 
RADIUS (Remote Authentication Dial-in User Service) allows authentication through a central 
authentication server. This technique is frequently implemented in corporations that do not wish to 
manually configure authentication rules on each of their Wi-Fi access points (or VPN servers, RAS, or 
other network access devices). RADIUS is only available in Enterprise mode. 
 
24. Answer C 
The most significant change brought by WPA II was the use of the AES algorithm. AES is a block cipher, 
which is a sizeable improvement over the stream cipher RC4; both WEP and WPA used RC4. Block 
ciphers are generally much stronger than stream ciphers, though they are slower. RC4 also had a short 
encryption key (either 40 or 104 bit) whereas AES can provide 128, 192, or 256-bit encryption. 


25. Answer B 
One of the big benefits of a cloud infrastructure is the elasticity it offers. Elasticity is the degree to which 
systems are able to adapt to changes in workload by provisioning and de-provisioning needed resources 
automatically so that each time the available resources match the current demand as closely as is possible. 
 
26. Answer A 
IaaS stands for Infrastructure as a Service and provides cloud-based access to routers, switches, servers, 
storage and other elements necessary to support a network infrastructure. 
 
27. Answer D 
In a community cloud deployment, storage is usually provided to clients of the same or similar industries 
that require the same security implementations, usually due to compliance issues. In this case, there is 
likely a cloud service provider that houses medical information from other healthcare providers or others 
required to maintain HIPAA compliance. This solution will most likely be cheaper and easier to manage 
than hosting their own private cloud. 
 
28. Answer B 
In a SYN flood attack, the malicious host sends a large number of SYN packets to the recipient, who in 
turn opens up space in memory to process the data that should be coming as the result of the handshake. 
Eventually, the system’s available memory is exceeded, causing a DoS. 
 
29. Answer D 
Blocking ICMP at the firewall is almost always mandated. ICMP is a frequently exploited protocol. Even 
though it is useful inside a network for troubleshooting, there is no need to allow ICMP packets from 
outside the networks. However, numerous upper Layer services like DHCP, DNS, and TFTP (as well as 
others) require UDP to work properly. Therefore it is more difficult to protect against Fraggle attacks. 
Nevertheless, there are other strategies to mitigate against Fraggles. For one, directed broadcasts should 
be blocked. Directed broadcasts are those that originate from outside the firewall. 
 
30. Answer B 
An ARP poisoning attack is implemented when an attacker overwrites legitimate entries in the cache and 
replaces them with the addresses of rogue devices. Malicious modification of cache is usually referred to 
as poisoning or pollution attacks. 
 
 
 


31. Answer B 
DNSSEC (Domain Name System Security Extensions) is a set of extensions that provide security to the 
DNS service through enabling DNS responses to be validated. DNSSEC provides origin authenticity and 
integrity. With DNSSEC, DNS is much less susceptible to spoofing. 
 
32. Answer D 
If a rootkit is detected, the best way to ensure that it is removed is to wipe the system, reinstall the 
operating system from original media, then restore data from backup. It can be difficult to tell when a 
rootkit was installed, so restoring the operating system from backup could potentially reinstall the rootkit 
as well. 
 
33. Answer B 
This degradation is most likely the result of a worm infestation on the network. Because things were fine 
on Friday, the indication is that the issue is not a result of a virus, because a virus requires user 
interaction. A worm, however, consumes a tremendous amount of network resources and is able to spread 
throughout the network on its own. 
 
34. Answer A 
A packet-filtering firewall provides Layer 3 and 4 inspection of headers for determining if traffic should be 
blocked or allowed. Some of the information that can be found at these layers is source and destination IP 
address (Layer 3), source and destination port (Layer 4) and protocol (Layer 4). 
 
35. Answer C 
The primary purpose of AH is to detect spoofing, which means it is designed to protect against 
modification of the source addresses. Because NAT modifies that source address, the two are natively 
incompatible. 
 
36. Answer C 
An application proxy is the best choice in this case. Application proxies have time awareness, Active 
Directory integration (which is likely needed to limit specific users), as well as deep packet inspection, 
which allows access to the content of data. Though application proxies provide much more in-depth 
inspection, they are usually slower and more expensive than lower layer firewalls. 
 
 
 


37. Answer B 
Packet switching technologies like MPLS (Multiprotocol Label Switching), VOIP and ADSL divide 
data into packets. Each packet finds its own best pathway to the destination. Packet switching is a much 
faster technology than circuit switching. 
 
38. Answer D 
Any type of traffic on an IP network is susceptible to sniffing. Natively, VOIP uses insecure protocols 
like RTP (Real Time Protocol), which does not provide encrypted communications. Though more secure 
protocols can be used, natively VOIP offers no inherent security. Tools such as Wireshark can very easily 
sniff VOIP traffic and reveal the details of the communication. 
 
39. Answer C 
Multiprotocol Label Switching (MPLS) is a provider-based network designed for networks which need 
high-performance communications. MPLS networks direct data from node to node in the network based 
on short labels rather than long network (IP) addresses. This process is quicker than using complex 
routing tables. The header added to the packet before it traverses the MPLS network includes a field for 
QoS, so that VOIP traffic is prioritized. 
 


Domain 5 
 
1. Answer A 
Hot/cold aisles are used in the server room and other areas where there isn’t always much room for air to 
circulate properly. A major concern would be that as one system expels hot air, another system would draw in 
that hot air for its own cooling. In order to prevent this problem, systems are set up to expel hot air back 
to back (hot aisle) and to pull in only cool air from the cold aisle. 
 
2. Answer C 
Planting bushes directly underneath windows makes it more difficult for an attacker to gain entry. Fences, 
lighting and surveillance cameras will help enhance security but are not environmental. Security through 
obscurity is the false idea that being less visible improves security (in fact, that makes an organization less 
secure, as there is no visibility and crime is more likely to go undetected). 
 
3. Answer B 
Burglar alarms are reactive devices that are activated by some sort of trigger. This trigger indicates the 
breach has happened or is happening. Lighting is usually considered a deterrent, but motion-detection 
lighting would be considered detective. However, since this fact was not mentioned in the question, the 
best answer is B. 
 
4. Answer B 
Group policy can be used to enforce rules in relation to passwords. Password complexity requires users to 
have passwords which meet certain criteria, such as length, uniqueness, etc. Also, the length of time for 
which a password is valid, and password history can all be controlled with group policy. 
 
5. Answer B 
Cognitive passwords are knowledge-based authentication consisting of words or phrases which a user 
should intrinsically know. Mother’s maiden name, name of someone’s first pet, high school mascot, etc. 
are examples of cognitive passwords. Keep in mind that in today’s world of information sharing many of 
these pieces of information may be readily available on the internet. 
 
6. Answer C 
A rainbow table is a precomputed table designed to be used for reversing cryptographic hash functions. 
Since passwords are frequently stored as hashes, the most frequent use of rainbow tables is to crack 
passwords. 


7. Answer C 
Cookies are often placed on user systems when the user first opens an account with a financial server or 
other server wanting to provide seamless two-factor authentication. When a user tries to log in from a new 
system, they get a warning message telling them that they are logging in from an untrusted system. At this 
point, the user is prompted to provide additional authentication information. 
 
8. Answer B 
One-time password generators allow a one-time password to be used without dramatically increasing the 
overhead on the user. 
 
9. Answer C 
Multi-factor authentication is not simply providing multiple means of authenticating; it requires providing 
at least two different types. A smart card is only single-factor authentication—a card is something you 
have. In almost every imaginable instance, the smart card is coupled with a password or PIN. Then and 
only then does it provide multi-factor authentication. Answer C uses a password (Type I) and a 
thumbprint (Type II). 
 
10. Answer C 
Though biometrics offer the best authenticity for single factor authentication, multi-factor authentication 
is always best. Adding a password (Type I) or a Smart card (Type II) would offer multifactor 
authentication when used in conjunction with biometrics. 
 
11. Answer C 
The type of technology that will be chosen is based upon the other three options. For instance, an 
organization will have a cost in mind; they will have a reasonable understanding of the accuracy needed 
and the degree to which their users will be required to submit to verification. The answers to these 
questions will determine what technology type to choose. 
 
12. Answer A 
FAR (False Acceptance Rate) indicates the number of times that someone is able to gain entry without 
having the appropriate credentials. This number is inversely related to FRR. When FARs go down, FRRs 
go up. However, a high FRR is not the goal, even though it may be a side effect of changing 
the settings. 
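As an added illustration (not part of the course material), the trade-off the answer describes, worked through in Python on constructed match scores: raising the acceptance threshold lowers FAR while raising FRR, and the crossover point is where the two rates meet.

```python
from typing import Iterable, List, Tuple

# Constructed similarity scores (0 = no match, 100 = identical template).
# Genuine attempts come from the enrolled user; impostor attempts from other people.
GENUINE_SCORES: List[int] = [91, 88, 85, 79, 76, 74, 70, 66, 61, 58]
IMPOSTOR_SCORES: List[int] = [62, 57, 53, 49, 44, 40, 37, 31, 25, 18]


def far_frr(threshold: int, genuine: List[int], impostor: List[int]) -> Tuple[float, float]:
    """Return (FAR, FRR) for the decision rule "accept when score >= threshold".

    FAR = impostor attempts accepted / all impostor attempts
    FRR = genuine attempts rejected / all genuine attempts
    """
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def sweep(thresholds: Iterable[int], genuine: List[int],
          impostor: List[int]) -> List[Tuple[int, float, float]]:
    """FAR and FRR at each candidate threshold, lowest threshold first."""
    return [(t, *far_frr(t, genuine, impostor)) for t in sorted(thresholds)]


def crossover_threshold(thresholds: Iterable[int], genuine: List[int], impostor: List[int]) -> int:
    """Threshold where FAR and FRR are closest: the crossover error rate (CER) point.

    Tuning tighter than this lowers FAR at the expense of FRR, and vice versa.
    """
    rows = sweep(thresholds, genuine, impostor)
    return min(rows, key=lambda row: abs(row[1] - row[2]))[0]


def inverse_relationship_holds(thresholds: Iterable[int], genuine: List[int],
                               impostor: List[int]) -> bool:
    """Check the relationship the answer describes: as the threshold is raised,
    FAR never increases and FRR never decreases."""
    rows = sweep(thresholds, genuine, impostor)
    fars = [r[1] for r in rows]
    frrs = [r[2] for r in rows]
    far_falls = all(a >= b for a, b in zip(fars, fars[1:]))
    frr_rises = all(a <= b for a, b in zip(frrs, frrs[1:]))
    return far_falls and frr_rises


if __name__ == "__main__":
    candidates = range(50, 75, 5)
    for t, far, frr in sweep(candidates, GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold {t:>3}: FAR {far:.2f}  FRR {frr:.2f}")
    print("CER threshold:", crossover_threshold(candidates, GENUINE_SCORES, IMPOSTOR_SCORES))
```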
 
13. Answer C 
In Kerberos, a user enters his or her password onto a system. The password is stored locally. The 
username is sent to the authentication server. The authentication server generates a TGT (Ticket Granting 
Ticket) and encrypts the TGT with the user’s password. If the user had entered the correct password, then 
the TGT can be decrypted. The fact that the user has a decrypted TGT proves that the user authenticated 
properly. 
 
14. Answer A 
When a client requests a session with a principal in a Kerberized environment, the TGT issues a ticket. 
This ticket contains two copies of the exact same session key. One copy of the key is encrypted with the 
user’s password. The second copy of the session key is encrypted with the service’s password. With this technique, 
only the correct password will decrypt the session key on the client side, and only the correct key will decrypt 
it on the service side. Kerberos is a purely symmetric environment, so the key exchange is cumbersome. 
 
15. Answer D 
In Windows-based systems, an authentication token contains a list of the groups in which the user is a 
member. This list of group membership is compared against the access control list for the resource and 
the determination is made whether to allow access. 
 
16. Answer B 
The above answer uses context-based, not content-based, decisions. The member is not being blocked from the 
content of the payroll information—she has access to it all day. Context-based access control makes its 
decisions based on HOW the information is being accessed. 
 
17. Answer C 
The Clark-Wilson security model states the need to protect trusted resources from untrusted entities. In 
order to do so, an interface is used to enforce well-formed transactions. By constraining the interface, we 
constrain the activities that the junior admin can perform. 
 
18. Answer C 
Almost all firewalls use some form of rule-based access control to filter traffic. The rules on the firewall 
are usually referred to as ACLs (Access Control Lists). In the question, the most basic firewall of the four 
listed is the packet filtering firewall. This is a layer three device which inspects information in the packet 
header at the network layer, which would include source and destination IP address, port number, and 
protocol. 
 
19. Answer B 
The IEEE 802.1X standard defines EAPoL. 802.1X authentication involves three elements: the supplicant, the 
authenticator, and the authentication server. The supplicant might be a dial-up client, a VPN client, a Wi-Fi device or 
some other device requesting access. The authenticator is a network access device, such as a wireless 
access point, a VPN server, etc. The authentication server is typically a server running RADIUS or other 
similar software. 
 
20. Answer C 
The greatest benefit of a decentralized environment is granularity. Each individual network access device 
could have its own individual policies and access control criteria and could be more closely aligned with 
the individual roles of each server. 
 
21. Answer D 
With CHAP, when a peer tries to authenticate, the authenticator sends a challenge to the peer. The peer 
performs an algorithm on the challenge and responds with the result. If the result is what the authenticator 
expected, the peer is authenticated. 
 
22. Answer A 
Heavy metal absorbs stray signal and is frequently used to prevent leakage. A Faraday cage is made of 
heavy metal and can describe an actual cage, room, building or any other casing that can absorb the 
signal. 
 
23. Answer A 
Data encryption, though important for privacy protection, is not a protection against data emanations. 
Often the study of the emanations analyzes the frequency, power consumption and other details which 
encryption would not mitigate. 
 
24. Answer B 
Though Cloud-based solutions provide centralized management and ease administration of users and 
accounts, CSPs (Cloud Service Providers) are not regulated and not required to provide the degree of 
security your company may need. Obtaining a well-written contract and auditing that contract are two 
ways to ensure your company’s security requirements are met. 
 
25. Answer D 
Identity as a Service typically indicates that the directory database is cloud-based and managed by a cloud 
service provider. Though the organization can host its own directory service, it is less likely to use IDaaS 
if storing the database on the internal network. 
 


26. Answer D 
SAML (Security Assertion Markup Language) is an XML-based, open data format to facilitate the 
exchange of authentication and authorization information between parties, often across organizational 
boundaries. 
 
27. Answer A 
User account provisioning creates, modifies, and disables/deletes user accounts as well as their profiles 
across the IT infrastructure and business applications as needed. Many provisioning tools can use 
approaches such as cloning, roles, and rules to automate onboarding, offboarding or other workforce 
administration processes (new account creation, transfers, promotions and/or termination). Provisioning tools 
can also automatically aggregate and correlate identity data from entities such as HR, CRM, mail systems 
or other “identity stores.” Fulfillment can be initiated via self-service, from a management request or 
from changes to HR systems. 
 
28. Answer C 
In the provisioning lifecycle, before an account is created, or credentials assigned, there must be a policy 
in place to determine how an individual provides proof of their identity. Perhaps reference checks, 
certification verification or other procedures must be followed before a user is granted access to company 
systems. 
 
29. Answer C 
In request-based provisioning, users or their managers search for and request access to applications, 
privileges, or resources within a system. These requests are then validated by workflow-driven approvals. 
Finally, the requests are audited for reporting and compliance purposes. 
 
 
 
 
 
   


Domain 6 
 
1. Answer B 
A vulnerability assessment will have the least impact on your network, while still verifying that common 
security vulnerabilities have been mitigated. These tests are generally considered passive, as they are 
looking for weaknesses but not attempting to exploit them. 
 
2. Answer A  
The Rules of Engagement document provides important information detailing any limitations to a pen 
test. Certain systems, tools, times, etc. may be off limits, and this information needs to be clearly 
understood. Pen tests introduce risk to the environment, and ideally, these risks should be reduced as 
much as possible. 
 
3. Answer C  
Full knowledge penetration testing begins with providing the tester the same amount of information an 
administrator would be expected to have. This type of test emulates a scenario in which the network 
administrator or some other privileged user is committing the attack. 
 
4. Answer D 
The first step of any type of network assessment is to meet with management and determine the goals. 
How we approach testing will depend on what our ultimate purpose is. 
 
5. Answer D 
Most of the information listed above is easily accessible to the general public. Names of managers, office 
locations, and phone numbers are obtained from the internet or simply from querying the organization. 
This information is often used to form the basis for a social engineering attack. Internal IP addressing 
schemes, however, are almost never published publicly. 
 
6. Answer B 
The purpose of footprinting is to gather information about the configuration of the network. An attacker 
will use this technique to learn about the services on the network and the hosts which provide them. An 
attacker may also learn about the various connectivity devices and where they are placed, as well as other 
critical information. Once the network has been footprinted, and the attacker has located a desirable 
system, that system is often fingerprinted. The goal of fingerprinting is to determine the operating system 
running on the host, in the hopes of finding known vulnerabilities. 


7. Answer C 
The scenario above describes entrapment, as the attacker is tricked into accessing a system that he might 
not have accessed otherwise. A honeypot should entice an attacker away from other resources without 
persuading them to commit a crime or violate policy. 
 
8. Answer D 
A pseudo-flaw is an intentional fault written into the code of an application or operating system in order 
to distract or trap an intruder. 
 
9. Answer A 
In order to mitigate the risk of your honeypot being compromised and causing damage (either to your 
network or someone else’s) the most logical place for a honeypot is in the DMZ. The honeypot can attract 
attackers and can be placed alongside other legitimate DMZ servers, providing early warning of threats. 
 
10. Answer B 
Profile matching systems look for activity on the network that is unexpected and label that activity 
malicious. Behavior and anomaly based systems fall into this category and frequently report false 
positives. The greatest problem with false positives is that they can desensitize administrators to alerts 
and lead them to be complacent. 
 
11. Answer C 
Since zero-day attacks are those for which no signature exists, signature-based systems cannot detect 
these attacks. It can take weeks or even months before a signature is developed for an attack. Until that 
signature is developed, the IDS cannot detect the attack as malicious activity. 
 
12. Answer C 
An anomaly-based IDS monitors network traffic and compares it against a baseline. The baseline is 
created and will then be used to identify what is “normal” behavior for that network. Considerations can 
include the amount of bandwidth, which protocols are used, ports frequently utilized, etc. 
 
13. Answer B 
The Rules of Engagement document should include the details necessary for the penetration tester to 
determine necessary action in the event that a critical security error is found. The tester should never act 
on his own to correct problems as this would violate the separation of duties and change control policies. 
 


14. Answer A 
In DDoS (Distributed Denial of Service) attacks, unsuspecting network hosts are commandeered to 
launch an attack on another network. These hosts are often referred to as zombies or bots. These systems 
are usually configured to send packets with spoofed source addresses. 
 
15. Answer B 
The Executive Summary of your penetration testing report should present the meaningful information 
summarized in such a way that the senior managers can understand. Many executives are not technical 
experts and need the information broken down and simplified. 
   


Domain 7 - Part 1: Investigations and Daily Processes 


 
1. Answer D 
The primary job of a first responder is to preserve the evidence. Digital evidence is extremely volatile, 
and one must be certain that the integrity of the evidence is preserved before the investigations begin. 
Documenting the Chain of Custody should begin as soon as evidence is identified. 
 
2. Answer B 
Typically, CPU registers store instructions or addresses for a very short period of time. These registers are 
extremely volatile elements of the system. 
 
3. Answer C 
One of the most important requirements in forensics investigations is that evidence should not be 
modified as a result of its collection. The first responder should immediately preserve the evidence to the 
best of their ability, and whenever possible, an examiner should work with a copy and not the original 
system or device. 
 
4. Answer C 
A signed contract is considered to be “Best Evidence.” The “Best Evidence Requirement” is a legal 
principle that considers the original version of a document as the superior form of evidence. The rule 
specifies that a copy or fax would not be admissible if an original of the document exists and is 
obtainable. 
 
5. Answer D 
Expert witnesses, such as forensic experts, cryptography experts, etc. are considered to present secondary 
evidence. 
 
6. Answer C 
One of the exceptions to the Fourth Amendment (which protects citizens from illegal search and seizure by 
law enforcement) is in cases of exigent circumstances. Exigent circumstances describe a situation in 
which evidence is in immediate danger of being destroyed. 
 
 
 


 
7. Answer A 
Copies of documents are ruled as second-hand, or hearsay evidence. In order to be admissible in court, 
steps need to be taken to prove their authenticity and integrity. Hashing, Digital Signatures, private keys 
and other controls can assist in providing the logs’ legitimacy. 
 
8. Answer C 
In relation to a policy of this nature, email auditing should take place and become a part of normal 
business operations. For instance, if this policy was only used to investigate a particular employee, it may 
appear as if that employee is the only one to whom the policy applies. Best practice dictates that we create 
policy, implement policy, audit policy and enforce the policy to all to whom the policy applies. 
 
9. Answer D 
In order to reduce the risk of an attacker modifying audit logs, all choices above are valid. Write-once 
media obviously should not be able to be overwritten or modified. Hashing detects any modification. And 
finally, the regular review of audit logs will help an administrator familiarize himself with standard 
activity so that (hopefully) an anomaly will stand out. 
 
10. Answer B 
Provisioning provides users access to data and technical resources. The term is used in reference to 
organizational resource management. Provisioning combines the duties of the human resources and 
Information Technology departments in an enterprise, where users are given access to data or granted 
authorization to systems, software, and databases based on their unique user identity, and secondly, users 
are granted access to hardware resources such as computers, mobile phones, and tablets. The process 
requires that the rights and privileges are monitored and tracked to strengthen the security of an 
enterprise's resources. 
 
11. Answer D 
Self-service account provisioning allows users to participate in certain aspects of the provisioning 
process, helping to reduce the administrative overhead. Frequently, users are able to request an account 
and choose, manage and reset their own passwords. 
 
12. Answer D 
Automated account provisioning requires each account to be added through a centralized interface, 
usually in an HR application or database. Every person has an account which is linked to each one of their 
corresponding accounts. Any changes to the primary account (credential changes, role changes, workflow 
changes, termination, etc.) are automatically updated to all accounts. 


13. Answer B 
DAI (Dynamic ARP Inspection) is a security feature which rejects invalid and/or malicious ARP packets. 
This feature prevents a type of MITM attack in which an attacker intercepts traffic for other systems by 
poisoning the ARP cache of its neighbors. 
 
14. Answer B 
A VLAN provides logical segmentation of networks. Though VLANs are created on switches, not all 
switches support VLANs (this is why answer A is incorrect). A router would also create this 
segmentation, but on a port-by-port basis; a router is also much more expensive. 
 
15. Answer A 
Any filtering mechanism that uses whitelisting will block all traffic, except for what is specifically 
allowed on a so-called “whitelist.” This filtering method works well with firewalls but is likely to be 
entirely too restrictive for situations like spam filtering for mail servers. It is hard to imagine having a 
mail server that blocks all traffic except for that from a particular network or domain. So in that instance, 
we would use blacklisting. Blacklisting would allow all traffic, except for that which is on the so-called 
“blacklist.” 
 
16. Answer D 
The primary function of incident response is to minimize the impact of the attack on the organization as a 
whole. Often one of the first things we consider is to isolate the affected system or subnet from the rest of 
the environment, so the attack doesn’t spread and affect other systems. 
 
17. Answer C 
Most monitoring software includes the ability to configure alerts in the event that certain thresholds are 
exceeded. This is the timeliest means of detecting these issues. Reviewing logs and querying metrics may 
work, but would only be done periodically. An alert will message the admin immediately. 
 
18. Answer C 
Traffic on the internal network should have an internal network address. If outgoing traffic has an external 
address, it is often an indicator that the systems have been compromised with malicious software that 
allows them to be remotely controlled and can access the internet through public addresses. Traffic 
coming into the internal network with an internal address might indicate a spoofing attack. 
 
 


 
19. Answer A 
Because only a small sample of the audit logs is presented in the above scenario, the evidence could easily be 
ruled incomplete. In order to have a better likelihood of admissibility, it would be better to collect data 
from the entire week or even month. When a small amount of data is presented, it may appear that the 
only information presented is that which supports the goals of the investigator, and it may not represent the 
complete picture. 
 
20. Answer D 
In regards to forensics, one of the most important rules is that the investigations process should prevent 
alteration of the evidence. First responders are responsible for ensuring that the identified evidence is 
preserved in such a way as to prevent modification. 
 
21. Answer C 
Three forensic hashes are necessary to provide the proof that the hard drive has not been modified as a 
result of the investigation. When it is determined that the drive needs to be analyzed, the drive should be 
placed in a write-protected system and hashed immediately, documenting the hash. Next, a bit-by-bit 
copy of the drive should be created, and that copy hashed (and documented). Finally, after analyzing the 
copy in a write-protected system, the drive should be hashed again. All three hashes should be exactly the 
same. 
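An added example, not from the course text, modelling the three-hash procedure in Python. The drive contents, the write-blocker behaviour and the keyword search are all constructed; the point it shows is that the original must stay write-protected throughout, or the third hash no longer matches and the chain of custody cannot prove the evidence is unaltered.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed "drive" contents. A real image is the raw device read through a
# hardware write blocker; here it is just bytes with a recognisable layout.
CONSTRUCTED_DRIVE = (
    b"\x33\xc0\x8e\xd0MBR" + b"\x00" * 16
    + b"/home/jdoe/payroll_q2.xlsx" + b"\x00" * 8
    + b"deleted: payroll_q1.xlsx (slack space)" + b"\x00" * 16
)


@dataclass
class CustodyRecord:
    """Chain-of-custody entries: (step, SHA-256 digest), in the order taken."""
    entries: List[Tuple[str, str]] = field(default_factory=list)

    def log(self, step: str, digest: str) -> None:
        self.entries.append((step, digest))

    def all_match(self) -> bool:
        return len({digest for _, digest in self.entries}) == 1


def hash_drive(drive: bytearray) -> str:
    return hashlib.sha256(drive).hexdigest()


def bit_for_bit_copy(drive: bytearray) -> bytearray:
    """Forensic image: every byte, including unallocated and slack space."""
    return bytearray(drive)


def mount(drive: bytearray, write_blocked: bool) -> None:
    """Attach the drive to the analysis system.

    Without a write blocker the OS touches on-disk metadata when it mounts the
    volume (simulated here as a mount-count byte), which is exactly what makes
    the final hash differ from the first two.
    """
    if not write_blocked:
        drive[8] = (drive[8] + 1) % 256


def keyword_search(image: bytearray, needle: bytes) -> List[int]:
    """Read-only analysis performed on the COPY: offsets where the keyword appears."""
    hits: List[int] = []
    start = 0
    while (pos := image.find(needle, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits


def three_hash_procedure(drive: bytearray, record: CustodyRecord,
                         write_blocked: bool = True) -> bool:
    """Hash the original, image it and hash the image, analyse the image, then
    re-hash the original. Returns True only when all three digests agree."""
    mount(drive, write_blocked)
    record.log("1 original, before imaging", hash_drive(drive))
    copy = bit_for_bit_copy(drive)
    record.log("2 forensic copy", hash_drive(copy))
    keyword_search(copy, b"payroll")          # examiner works on the copy only
    mount(drive, write_blocked)               # original re-attached for verification
    record.log("3 original, after analysis", hash_drive(drive))
    return record.all_match()


if __name__ == "__main__":
    for blocked in (True, False):
        record = CustodyRecord()
        ok = three_hash_procedure(bytearray(CONSTRUCTED_DRIVE), record, write_blocked=blocked)
        print(f"write blocker {'on ' if blocked else 'off'}: hashes match = {ok}")
        for step, digest in record.entries:
            print(f"  {step}: {digest[:16]}...")
```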
 
22. Answer B 
Mutual authentication requires both parties to provide authentication. Though most environments require 
users to authenticate, we often fail to require authentication of our network systems. Certificates, keys, 
and other mechanisms could provide a way for access points and other systems, such as DNS to prove 
their identity. 
 
23. Answer A 
Network Access Control is a network service designed to inspect systems and allow or deny access to 
network services based on client health. Good health might indicate a system has anti-virus software, 
anti-spyware, a firewall, as well as being up to date on patches and upgrades. Other criteria can be 
specified as well. 
 
24. Answer C 
The access list above is a typical ACL which might be found on any router. Traffic is denied from any 
source host to any destination host on port 23, which is telnet. 


 
25. Answer A  
A system that cannot be patched to the current level poses a threat to a network environment. However, 
since the payroll system is only supported on the current OS patch, the best way to protect the rest of the 
network is to isolate the unpatched server. 
 
26. Answer D  
Implementing a patch management server can streamline the patch management process. Patches and 
updates can be downloaded, tested and made available to users. Group policy can require the users to 
connect to the patch management server and download only those updates which were approved. Of note, 
even though security patches should be given priority, they should never be distributed without testing. 
 
27. Answer B  
Slipstreaming is a technique in which software updates are integrated into the original operating system 
media. With slipstreaming, the operating system and the updates are installed as part of the same 
installation, providing a more integrated process and fewer reboots. 
 
28. Answer D 
In order to promote the stability of systems, a change control process should be in place and should be 
strictly followed. When a change is proposed, the first step is to refer the change to the company’s 
Change Control Board. The CCB will evaluate the change for risk and determine if the change should be 
made. At that point, the proposed change will be implemented and tested in a lab environment before 
being implemented. 
 
29. Answer B 
Though it is essential to follow the formal change control process whenever possible, at times, a change 
will have to be made to limit the impact an incident has on current business functions. At that time, the 
change should be implemented, as per your emergency change control process, which will likely include 
documenting the change and then referring the change for review by the CCB. 
 
30. Answer A 
When a modification or new installation works properly in a lab environment, but not in production, it is 
usually due to a discrepancy between the lab configuration and the production environment. 
   


Domain 7 - Part 2: Redundancy and Business Continuity 


 
1. Answer B 
“Mean Time Between Failures” is a metric that indicates the amount of time a hardware device should 
function before it fails. Once the MTBF is known, then an administrator or technician can be prepared for 
the failure of the device. 
 
2. Answer D 
RAID 5, often defined as “Disk Striping with Interleaved Parity,” provides the same performance 
improvement as RAID 0 (Disk Striping). However, RAID 5 adds parity information interleaved through 
the RAID array. The parity can be used to rebuild data from a failed drive. 
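Added example (not course material): a toy RAID 5 in Python with a 4-byte stripe unit and rotating XOR parity, showing the read path and how a failed disk, whether it held data or parity for a given stripe, is rebuilt from the survivors. It goes a little beyond the answer by also stating the usable-capacity fraction.

```python
from typing import List

STRIPE_UNIT = 4   # bytes per stripe unit; real arrays use tens to hundreds of KiB


def xor_units(units: List[bytes]) -> bytes:
    """XOR a list of equal-length stripe units byte by byte."""
    out = bytearray(len(units[0]))
    for unit in units:
        for i, b in enumerate(unit):
            out[i] ^= b
    return bytes(out)


def parity_disk_for(stripe: int, n_disks: int) -> int:
    """Interleaved (rotating) parity: stripe 0 keeps parity on the last disk,
    stripe 1 on the one before it, and so on. RAID 4 would pin it to one disk."""
    return (n_disks - 1 - stripe) % n_disks


def write_raid5(data: bytes, n_disks: int) -> List[List[bytes]]:
    """Stripe data across n_disks; returns disks[d][stripe] -> stripe unit."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    data_units_per_stripe = n_disks - 1
    padded = data + b"\x00" * (-len(data) % (STRIPE_UNIT * data_units_per_stripe))
    units = [padded[i:i + STRIPE_UNIT] for i in range(0, len(padded), STRIPE_UNIT)]
    disks: List[List[bytes]] = [[] for _ in range(n_disks)]
    for stripe, start in enumerate(range(0, len(units), data_units_per_stripe)):
        data_units = units[start:start + data_units_per_stripe]
        pdisk = parity_disk_for(stripe, n_disks)
        remaining = iter(data_units)
        for d in range(n_disks):
            disks[d].append(xor_units(data_units) if d == pdisk else next(remaining))
    return disks


def read_raid5(disks: List[List[bytes]], n_bytes: int) -> bytes:
    """Read user data back, skipping the parity unit in each stripe."""
    n_disks = len(disks)
    out = bytearray()
    for stripe in range(len(disks[0])):
        pdisk = parity_disk_for(stripe, n_disks)
        for d in range(n_disks):
            if d != pdisk:
                out += disks[d][stripe]
    return bytes(out[:n_bytes])


def rebuild(disks: List[List[bytes]], failed: int) -> List[List[bytes]]:
    """Reconstruct the failed disk onto a replacement. For every stripe the
    missing unit, data or parity alike, is the XOR of the surviving units."""
    survivors = [disk for d, disk in enumerate(disks) if d != failed]
    n_stripes = len(survivors[0])
    replacement = [xor_units([disk[s] for disk in survivors]) for s in range(n_stripes)]
    return [replacement if d == failed else disk for d, disk in enumerate(disks)]


def usable_fraction(n_disks: int) -> float:
    """RAID 5 spends one disk's worth of capacity on parity (RAID 1 spends half)."""
    return (n_disks - 1) / n_disks


if __name__ == "__main__":
    payload = b"Q2 payroll ledger, 42 employees, posted 2024-06-30"
    array = write_raid5(payload, 3)
    degraded = [[] if d == 1 else disk for d, disk in enumerate(array)]   # disk 1 fails
    recovered = rebuild(degraded, 1)
    print(read_raid5(recovered, len(payload)) == payload)   # True
```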
 
3. Answer B 
One-half of disk space is always set aside for redundancy in a RAID 1 array. Each drive is an exact 
replica of the other, so the array must be comprised of equal disk size. 
 
4. Answer C 
A cluster can be simply defined as multiple physical servers that function as a single node for the purpose 
of fault tolerance and often load-balancing. Of note, not all clusters provide load balancing though many 
today do. 
 
5. Answer A 
An Active-Passive cluster is fairly easy to implement and doesn’t require a large investment or a monthly 
payment. Often in active-passive clusters, the primary server is the device that handles the entire 
workload; the passive cluster can be a low-end system that only comes online in the event that the 
primary fails. 
 
6. Answer B 
Redundant servers are usually unique devices on the network that are independently accessible. With 
clustering, nodes are incorporated into the cluster and are no longer accessible individually except through 
administrative access. 
 
 
 


7. Answer D 
Unscheduled backups should be performed as a “copy.” The copy function neither looks for nor cares 
about the archive bit. If a full backup was performed at 4:00 in the afternoon, the archive bit would have 
been cleared. The nightly backup, then, would’ve only contained changes to files that occurred since 4:00. 
 
8. Answer C 
In order to have the assurance that the backup process is working, backups should be fully restored. Only 
then do you have the assurance that the backup is accessible and complete. 
 
9. Answer D 
When using incremental backups, the full backup must be restored and then each of the corresponding 
incremental backups. In this case, Sunday’s full backup as well as the backup from Monday, Tuesday, 
and Wednesday must be restored. 
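Added example (not from the course) covering both answer 7 and answer 9 above: a small Python model of the archive bit under full, incremental and copy backups, an unscheduled afternoon backup taken as a full versus as a copy, and the Sunday-full-plus-incrementals restore chain. File names, contents and schedule are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class File:
    content: str
    archive: bool = True    # archive bit: set by every write, cleared by full/incremental backups


@dataclass
class BackupSet:
    label: str
    kind: str               # "full", "incremental" or "copy"
    files: Dict[str, str] = field(default_factory=dict)


class FileSystem:
    def __init__(self) -> None:
        self.files: Dict[str, File] = {}

    def write(self, name: str, content: str) -> None:
        self.files[name] = File(content, archive=True)

    def snapshot(self) -> Dict[str, str]:
        return {n: f.content for n, f in self.files.items()}


def backup(fs: FileSystem, label: str, kind: str) -> BackupSet:
    """Take a backup of the given kind and apply its archive-bit behaviour."""
    if kind in ("full", "copy"):
        selected = fs.snapshot()                                  # everything
    elif kind == "incremental":
        selected = {n: f.content for n, f in fs.files.items() if f.archive}
    else:
        raise ValueError(kind)
    if kind != "copy":                # a copy neither reads nor clears the bit
        for f in fs.files.values():
            f.archive = False
    return BackupSet(label, kind, selected)


def restore(rotation: List[BackupSet]) -> Dict[str, str]:
    """Restore the most recent full, then every incremental after it, in order."""
    last_full = max(i for i, s in enumerate(rotation) if s.kind == "full")
    state: Dict[str, str] = {}
    for s in rotation[last_full:]:
        state.update(s.files)
    return state


def unscheduled_backup_scenario(unscheduled_kind: str) -> Tuple[List[BackupSet], Dict[str, str]]:
    """Answer 7: Sunday full, an ad-hoc 16:00 Monday backup that is NOT part of the
    rotation, then the scheduled Monday-night incremental. Returns (rotation, live data)."""
    fs = FileSystem()
    fs.write("ledger.xlsx", "v1")
    fs.write("memo.txt", "v1")
    rotation = [backup(fs, "Sun 02:00 full", "full")]
    fs.write("ledger.xlsx", "v2")                            # Monday morning change
    backup(fs, "Mon 16:00 unscheduled", unscheduled_kind)    # kept outside the rotation
    fs.write("memo.txt", "v2")                               # Monday evening change
    rotation.append(backup(fs, "Mon 23:00 incremental", "incremental"))
    return rotation, fs.snapshot()


def weekly_incremental_scenario() -> Tuple[List[BackupSet], Dict[str, str]]:
    """Answer 9: Sunday full plus Monday, Tuesday and Wednesday incrementals;
    all four sets are needed to reach Wednesday night's state."""
    fs = FileSystem()
    fs.write("a.txt", "v1")
    fs.write("b.txt", "v1")
    rotation = [backup(fs, "Sun full", "full")]
    fs.write("c.txt", "v1")
    rotation.append(backup(fs, "Mon incremental", "incremental"))
    fs.write("a.txt", "v2")
    rotation.append(backup(fs, "Tue incremental", "incremental"))
    fs.write("d.txt", "v1")
    rotation.append(backup(fs, "Wed incremental", "incremental"))
    return rotation, fs.snapshot()


if __name__ == "__main__":
    for kind in ("full", "copy"):
        rotation, live = unscheduled_backup_scenario(kind)
        print(f"16:00 backup as {kind:<4}: nightly incremental holds {sorted(rotation[-1].files)}, "
              f"restore complete = {restore(rotation) == live}")
```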
 
10. Answer C 
Electronic vaulting allows an organization with high availability needs to transmit transactions in batches 
to another facility or location numerous times a day. This allows for data to be more current in the event 
that a restoration is necessary. 
 
11. Answer D 
RPOs (Recovery Point Objectives) relate to data that must be recovered and the required age of the data. 
With an RPO less than 24 hours, nightly backups would not be frequent enough. Remote journaling, 
vaulting or shadowing should be considered. 
 
12. Answer B  
Database shadowing provides the quickest restoration and least amount of data loss in the event of a 
disaster or corruption. Transactions are written simultaneously to two separate databases, sometimes 
using different storage media for high availability of data. 
 
13. Answer B 
The recovery plan provides instructions on returning the most critical services to operation as quickly as 
possible. Criticality is determined in the BIA (Business Impact Analysis) and indicates the loss suffered 
without the process or service. Most critical processes cost the organization the most money while they 
are down. Reconstitution is the process by which operations are returned to the original or permanent 
facility and begins with the restoration of least critical, working to most critical. 


14. Answer A 
The RPO is the company’s tolerance for data loss. If the company merely runs backup once a day, then 
the possibility is that a full day’s worth of data could be lost. The organization may have determined that 
the need for current data is not worth the cost of more frequent backups. Remember, RAID is not a 
redundancy for data. If a malicious file infects one drive in an array, they are likely all infected. 
 
15. Answer C 
When leasing a cold site from a vendor, it is important to be aware of the fact that vendors frequently 
lease the same space to multiple organizations. This assumes that companies will just need these sites for 
a disaster affecting only their company. However, in the event of a regional disaster, the facility is 
available to the first of those leasing the site to show up. Cold sites are the least expensive of the 
options. 
 
16. Answer C 
A simulation test goes through the motions to verify that the plan is accurate and complete. A structured 
walkthrough is sometimes referred to as a tabletop test because despite the name “walkthrough” it is 
actually a discussion based process involving the members of the disaster recovery team. The parallel test 
is one in which a portion of business operations are conducted at the offsite facility, while other processes 
take place at the original facility. 
 
17. Answer B 
Tests verify the plan for accuracy and completeness. Employee response is evaluated in drills and 
exercises. Usually, by the time drills are conducted, the plan has already been tested and found to be 
complete. 
 
18. Answer D 
A full interruption test is the riskiest test because after fail-over, all business operations begin at the 
offsite facility. If for any reason the site were not ready, then the organization will likely lose some or all 
of its new transactions. 
 
19. Answer C 
The purpose of the BIA is to identify business processes and prioritize them based on criticality. Often 
risk analysis is lumped in with the BIA but should really be a separate function which examines threats 
and vulnerabilities that could lead to the compromise of those functions. 
 
 


20. Answer A 
A BCP policy is essential because it will include the commitment of senior management to support and 
fund the BCP process. This process is complex, lengthy, and has no direct ties to profitability. For this 
reason, not all managers buy into this project. 
 
21. Answer B 
A Business Continuity Planning team should include members throughout the various business processes 
so that each department’s interests are represented. It is also helpful if those carrying out the plan are the 
same people who create the plan. 
 
22. Answer B 
When someone attempts to enter a building without providing the correct credentials, he or she should be 
escorted to security immediately. If you don’t let him in or ask him to leave, he will simply wait for 
someone that he can follow to come along later. 
 
23. Answer D 
It is best if the humidity is around 50%. Anything below this could lead to problems with static electricity. 
More than this can lead to condensation, which among other issues, can cause components to rust. 
 
24. Answer A 
An eight-foot fence is required to deter an intruder. Often barbed wire or concertina wire is used atop 
fences to add extra deterrence. Remember, there is no height fence that will prevent a determined intruder. 
There is always a taller ladder, or a means to go around, over, or under any type of fence. To truly protect 
your perimeter, use layered defense. 
 
25. Answer D 
A pre-action system holds water in a reservoir which is released into the pipe when the alarm is triggered. 
A plastic valve holds the water back until it melts, providing mitigation in the event of a false alarm. 
 
26. Answer B 
The Occupant Emergency Plan deals with the most important aspect of disaster recovery: Safety of 
personnel. It will include information such as safe evacuation of employees, how to determine that all 
employees have been evacuated, and any special procedures or processes that are necessary. 
 
 


27. Answer B 
Class C fire extinguishers should be located within fifty feet of electrical distribution systems. Class C 
extinguishers are designed specifically for electrical fires, though many extinguishers today are rated for 
multiple types of fire. Always check and be sure the correct type of extinguisher is provided and clearly 
marked.   


Domain 8 
 
1. Answer A  
Input validation prevents improper entries from being passed along to the backend data. Examples of 
validation might include verifying the length of the input, examining for data control languages and data 
type. Input sanitization will attempt to “clean up” data before entry, strip improper characters or change 
single quotes to double quotes. 
 
2. Answer C  
In tests that involve fuzzing, large amounts of random data, referred to as fuzz, are entered into the 
software in order to ensure that validation techniques are effective. 
 
3. Answer A  
White box testing is a type of testing in which the tester has full access to the software’s code and 
examines the code for structure and logic. 
 
4. Answer C 
Script kiddies are individuals with little true knowledge of hacking, and instead, are known for copying 
and pasting scripts from other, more knowledgeable attackers. When script kiddies run code, often they 
don’t truly understand the potential for the loss they could be inflicting upon a system or network. 
 
5. Answer D 
A highly structured attack is one that is instigated by attackers with more technical skill and competency 
than most attackers. Often these attacks can persist for long periods of time, and because the attacker is 
usually quite motivated, they will often continue until they have accomplished their objective. 
 
6. Answer A 
Ethical hacking or white-hat hacking are other ways to describe penetration testing. Though the term 
“hacking” has long held a negative connotation, in reality, it is neither positive nor negative. As long as 
the penetration test is authorized by the organization, then it is ethical to conduct these tests. 
 
 
 
 


7. Answer B  
Often the IP address and subnet mask would be known before beginning a scan (usually necessary to 
connect to the system). Network services running would indicate open ports. Operating systems and 
applications have known vulnerabilities that may help an attacker gain access to the system. 
 
8. Answer C  
The company policy and mission statements are not likely to give an attacker much useful information. 
However, job postings for a Unix administrator would indicate that Unix systems are in place. The WhoIs 
database will provide information about publicly registered domain names and may include information 
(technical contacts, name servers, addresses) that could be used in a technical or social engineering attack. 
Knowing branch office locations and phone numbers may also be helpful in a social engineering attack. 
 
9. Answer B  
Due diligence describes the research necessary to make good business decisions. By authorizing a 
vulnerability scan, the company is determining where their weaknesses lie. Once they take steps to correct 
the vulnerabilities, they are demonstrating due care. 
 
10. Answer B  
The above scenario describes code injection. If forms do not have a means of input validation, then there 
is the risk of an attacker inserting code into the available fields. If the code is passed along to the back 
end, it can be processed causing data loss and modification. The best defense is, as stated, input 
validation. 
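Answers 1 and 10 together describe the defence: validate input before it reaches the back end, and keep it out of the query text. The example below is added here and is not code from the guide. It builds a constructed in-memory SQLite table, shows the injectable string-concatenation pattern beside a version that validates with an allow-list and then uses a parameterised query, and includes a sanitising function of the kind answer 1 mentions (character stripping) so the two approaches can be compared. All names (`lookup_vulnerable`, `lookup_hardened`, the sample users) are assumptions.

```python
import re
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not from the guide): a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """Injectable pattern: untrusted input is spliced into the SQL text, so the
    database cannot tell data from syntax."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


# Allow-list: lowercase letters, digits and underscore, 1 to 32 characters.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def validate_username(username: str) -> str:
    """Input validation as answer 1 describes it: check data type, length and
    permitted characters, and reject anything else rather than repairing it."""
    if not isinstance(username, str):
        raise ValueError("username must be a string")
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username has a disallowed character or bad length")
    return username


def sanitize_username(username: str) -> str:
    """Input sanitisation for contrast: strip characters outside the allow-list
    and truncate. Weaker than validation because it silently changes the value."""
    return re.sub(r"[^a-z0-9_]", "", username.lower())[:32]


def lookup_hardened(conn: sqlite3.Connection, username: str) -> List[str]:
    """Validate first, then bind the value as a parameter so the driver never
    interprets it as SQL."""
    username = validate_username(username)
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"          # constructed test string, not a real request
    print(lookup_vulnerable(db, probe))   # every row comes back
    try:
        lookup_hardened(db, probe)
    except ValueError as err:
        print("rejected:", err)
    print(lookup_hardened(db, "bob"))
```

Validation and parameterisation are complementary: the allow-list stops malformed data at the boundary, while the bound parameter guarantees that even a value which passes validation can never change the query's structure.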
 
11. Answer D  
It is recommended that SSL/TLS be used to connect to web servers for a secure connection. One of the 
reasons for this recommendation is that HTTP is a stateless protocol. Stateless protocols don’t hold 
information based on the previous sessions, and either have to resend information or have the information 
cached. For example, authentication information must be transmitted for each request and often session 
information, such as the session id, is stored in cookies. 
 
12. Answer B  
An XSS (Cross-site scripting attack) is the most common attack on web applications. This attack relies 
upon exploiting a trusted website’s lack of input validation. Many client-side browsers check for pages that 
may be vulnerable, but it is best mitigated by good web application design with input validation. 
 
 


13. Answer A  
An XSRF (Cross Site Request Forgery) attack occurs by exploiting the trust a web server has in a 
currently logged in client. Through the use of pre-established session IDs and cookies, the malicious 
intruder is able to masquerade as the legitimate client and authorize transactions without leaving a trace. 
Often phishing emails with links to financial institutions or other desirable sites are used. Users should 
not have sessions running concurrently that consist of secure and insecure connections. 
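The trust relationship described in answer 13 (the browser automatically attaches the session cookie, so the server cannot tell a user-initiated post from one a third-party page triggered) is what a synchronizer token breaks. The example below is added here and is not code from the guide or any framework; it assumes a server-side key, a constructed session store, and a hypothetical transfer endpoint. The token is an HMAC over the session id, so it is tied to one logged-in client and cannot be produced by a page that only controls the victim's browser. It also shows the cookie attributes (Secure, HttpOnly, SameSite) that answer 11's point about session ids in cookies calls for.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Assumption: one server-side key per deployment, kept out of the client.
SERVER_SECRET = secrets.token_bytes(32)

# Constructed session store (not from the guide): session id -> logged-in user.
SESSIONS: Dict[str, str] = {"sess-alice-1": "alice"}


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token: HMAC of the session id under the server key. The
    server embeds it in every state-changing form it renders for that session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison against the token this session should carry."""
    if not submitted:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), submitted)


def session_cookie_header(session_id: str) -> str:
    """Cookie attributes that narrow the attack: Secure keeps it off insecure
    connections, HttpOnly keeps it from script, SameSite=Lax stops the browser
    sending it on cross-site POSTs."""
    return f"Set-Cookie: session={session_id}; Secure; HttpOnly; SameSite=Lax"


def handle_transfer(method: str, cookies: Dict[str, str], form: Dict[str, str]) -> Tuple[int, str]:
    """Hypothetical state-changing endpoint. The session cookie proves who the
    browser belongs to; only the token proves the request came from our form."""
    session_id = cookies.get("session")
    if session_id is None or session_id not in SESSIONS:
        return 401, "not logged in"
    if method != "POST":
        return 405, "state change requires POST"
    if not csrf_token_valid(session_id, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, f"transfer of {form.get('amount')} accepted for {SESSIONS[session_id]}"


if __name__ == "__main__":
    cookies = {"session": "sess-alice-1"}
    # A forged cross-site post: cookie present (browser adds it), no token.
    print(handle_transfer("POST", cookies, {"amount": "500"}))
    # A genuine post from the server-rendered form.
    token = issue_csrf_token("sess-alice-1")
    print(handle_transfer("POST", cookies, {"amount": "500", "csrf_token": token}))
    print(session_cookie_header("sess-alice-1"))
```

Because the token is derived from the session id, a token captured from one session is useless in another, and the endpoint never has to store tokens separately from the session it already tracks.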
 
14. Answer B 
Indirect object access can occur when an application allows access to a resource solely based on user 
input. Providing additional authentication and access control, as well as obfuscating the reference 
and ensuring it is not predictable, will help mitigate this attack. 
 
15. Answer D  
Missing function-level access control is an attack very similar to exploiting direct object access, except 
that the former grants additional privileges, whereas the latter exposes unintended objects. Lack of 
predictability and greater access control will mitigate both of these issues. 
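Answers 14 and 15 name two related controls: check that the caller may touch the named object (object-level), and check that the caller may perform the operation at all (function-level), with references made unpredictable on top. The example below is added here and is not code from the guide; the invoice service, its users and roles are constructed assumptions. Note that the lookup returns the same error for "no such invoice" and "not your invoice", so a caller cannot use the difference to discover which references exist.

```python
import secrets
from dataclasses import dataclass
from typing import Dict


@dataclass
class Invoice:
    ref: str
    owner: str
    amount: int
    voided: bool = False


class InvoiceService:
    """Constructed service (not from the guide) with both access checks."""

    def __init__(self) -> None:
        self._invoices: Dict[str, Invoice] = {}
        self._roles: Dict[str, str] = {}

    def add_user(self, user: str, role: str) -> None:
        self._roles[user] = role

    def create_invoice(self, owner: str, amount: int) -> str:
        # Unpredictable reference: a random URL-safe id rather than a counter,
        # so a client cannot reach a neighbour's invoice by incrementing.
        ref = secrets.token_urlsafe(16)
        self._invoices[ref] = Invoice(ref, owner, amount)
        return ref

    def get_invoice(self, actor: str, ref: str) -> Invoice:
        # Object-level check: knowing the reference never grants access by itself.
        inv = self._invoices.get(ref)
        if inv is None or inv.owner != actor:
            # One error for "missing" and "not yours" prevents enumeration.
            raise PermissionError("invoice not available")
        return inv

    def void_invoice(self, actor: str, ref: str) -> Invoice:
        # Function-level check: the operation requires the admin role regardless
        # of which object is named (the gap answer 15 describes).
        if self._roles.get(actor) != "admin":
            raise PermissionError("void requires admin role")
        inv = self._invoices.get(ref)
        if inv is None:
            raise PermissionError("invoice not available")
        inv.voided = True
        return inv


if __name__ == "__main__":
    svc = InvoiceService()
    for user, role in (("alice", "user"), ("bob", "user"), ("carol", "admin")):
        svc.add_user(user, role)
    ref = svc.create_invoice("alice", 100)
    print(svc.get_invoice("alice", ref))
    for actor in ("bob", "carol"):
        try:
            print(actor, svc.void_invoice(actor, ref))
        except PermissionError as err:
            print(actor, "denied:", err)
```

The two checks are independent: an admin voiding an invoice passes the function-level test without owning the object, while an owner reading an invoice passes the object-level test without holding any special role.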
 
16. Answer C  
Java uses a security measure in its development environment to limit the behavior and (some) functions 
which are applied when the applets are sent as part of a web page. The term “sandbox” refers to the area 
of containment. For instance, the applets are sandboxed in the browser. 
 
17. Answer C  
A front-end application will allow the users an interface which will ultimately modify the backend 
database. However, the application will help ensure consistency and better-formed transactions through 
the use of data typing, drop-down arrows, field length limits and other restrictive means. 
 
18. Answer A  
Tokenization will remove the credit card information from the company’s internal network while 
replacing it with a pointer, or “token.” Merchants then use only the token to access, modify or maintain 
the individual customers’ credit card information. The actual credit card information is stored at a secure 
offsite location. 
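Answer 18's tokenization flow, written out as an added example that is not code from the guide or from any payment provider. The vault class stands in for the secure offsite store; the merchant class holds only the token and the last four digits and asks the vault to authorize a charge by token, so the real card number never enters merchant systems. The Luhn check is the standard card-number checksum and is applied before a number is accepted into the vault; all class and method names are assumptions.

```python
import secrets
from typing import Dict, Optional


def luhn_ok(pan: str) -> bool:
    """Standard Luhn checksum: rejects mistyped or malformed card numbers."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Constructed stand-in for the secure offsite store that keeps real PANs."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        if pan in self._token_by_pan:                # same card -> same token
            return self._token_by_pan[pan]
        token = "tok_" + secrets.token_hex(12)       # random, not derived from the PAN
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only callable inside the vault boundary."""
        return self._pan_by_token.get(token)

    def authorize(self, token: str, amount: int) -> str:
        """The vault/processor reconstitutes the PAN; the merchant never sees it."""
        pan = self.detokenize(token)
        if pan is None:
            raise KeyError("unknown token")
        return f"charged {amount} to card ending {pan[-4:]}"


class Merchant:
    """Merchant systems keep the token and a display hint, never the PAN."""

    def __init__(self, vault: TokenVault) -> None:
        self._vault = vault
        self._cards: Dict[str, Dict[str, str]] = {}

    def store_card(self, customer: str, pan: str) -> Dict[str, str]:
        token = self._vault.tokenize(pan)
        record = {"token": token, "last4": pan[-4:]}
        self._cards[customer] = record
        return record

    def charge(self, customer: str, amount: int) -> str:
        return self._vault.authorize(self._cards[customer]["token"], amount)


if __name__ == "__main__":
    vault = TokenVault()
    shop = Merchant(vault)
    # Constructed test number (a well-known Luhn-valid sample, not a real card).
    print(shop.store_card("cust-1", "4111111111111111"))
    print(shop.charge("cust-1", 25))
```

Because the token is random rather than computed from the card number, a leaked merchant database yields nothing that can be reversed into a PAN; the mapping exists only in the vault.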
 
 
 
 


19. Answer B 
DNS is a distributed, hierarchical database, with different servers responsible for different portions of the 
namespace. For instance, there are root servers, top-level servers (.com, .net, .edu, etc.) as well as 2nd 
level and beyond. 
 
 
20. Answer D  
The hierarchical database organizes data in an inverted tree, with the top-level as the root of the tree and 
the sub-levels branching out. The root is the ultimate parent object and objects directly below the root are 
its children. This continues throughout the hierarchy. This model mandates that each child object may 
have only one parent object. 
 
21. Answer D 
Relational databases store information in tables. Each table contains records and attributes describing the 
individual entities contained. Keys are used to build relationships between the tables, allowing 
information to be aggregated across tables. 
 
22. Answer A 
The primary key is a field necessary to identify each record as unique. Key fields are used to provide links 
between these tables to aggregate information. 
 
23. Answer A 
The cardinality of a database describes the number of rows in a relation. For instance, a common 
cardinality might be a one-to-many relationship. This would indicate that the primary key would appear 
once in its primary table and many times in a secondary table. For instance, customer 123, would only 
appear once in the Customers table but could appear many times in the Orders table. 
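Answers 21 to 23 together describe tables, primary keys, and one-to-many cardinality. The example below, added here and not taken from the guide, builds the Customers and Orders tables the text mentions in an in-memory SQLite database with constructed rows, enforces primary-key uniqueness and the foreign-key link, and aggregates across the two tables through that key. Customer 123 appears once in Customers and several times in Orders, as the text describes.

```python
import sqlite3
from typing import List, Tuple


def build_db() -> sqlite3.Connection:
    """Constructed schema and rows (not from the guide)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite enforces FKs only when asked
    conn.executescript("""
        CREATE TABLE Customers (
            customer_id INTEGER PRIMARY KEY,   -- primary key: one row per customer
            name        TEXT NOT NULL
        );
        CREATE TABLE Orders (
            order_id    INTEGER PRIMARY KEY,
            customer_id INTEGER NOT NULL REFERENCES Customers(customer_id),
            total       INTEGER NOT NULL
        );
    """)
    conn.executemany("INSERT INTO Customers VALUES (?, ?)",
                     [(123, "Acme Ltd"), (124, "Globex")])
    # Customer 123 appears once above and three times below: one-to-many.
    conn.executemany("INSERT INTO Orders VALUES (?, ?, ?)",
                     [(1, 123, 250), (2, 123, 75), (3, 124, 120), (4, 123, 40)])
    return conn


def orders_per_customer(conn: sqlite3.Connection) -> List[Tuple[str, int, int]]:
    """Aggregate across tables by following the key relationship."""
    rows = conn.execute("""
        SELECT c.name, COUNT(o.order_id), COALESCE(SUM(o.total), 0)
        FROM Customers AS c
        LEFT JOIN Orders AS o ON o.customer_id = c.customer_id
        GROUP BY c.customer_id
        ORDER BY c.customer_id
    """).fetchall()
    return [tuple(r) for r in rows]


def insert_customer(conn: sqlite3.Connection, customer_id: int, name: str) -> bool:
    """False when the primary key is already taken: uniqueness is enforced."""
    try:
        conn.execute("INSERT INTO Customers VALUES (?, ?)", (customer_id, name))
        return True
    except sqlite3.IntegrityError:
        return False


def insert_order(conn: sqlite3.Connection, order_id: int, customer_id: int, total: int) -> bool:
    """False when the order names a customer that does not exist: the foreign
    key keeps the relationship consistent."""
    try:
        conn.execute("INSERT INTO Orders VALUES (?, ?, ?)", (order_id, customer_id, total))
        return True
    except sqlite3.IntegrityError:
        return False


if __name__ == "__main__":
    db = build_db()
    print(orders_per_customer(db))
    print(insert_customer(db, 123, "Duplicate"))   # rejected: key already used
    print(insert_order(db, 5, 999, 10))            # rejected: no such customer
```

The join is where the "aggregation across tables" in answer 21 happens: the key that appears once in Customers is matched against each of its occurrences in Orders.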
 
24. Answer C 
The schema of a database contains the complete description of the structure and contents of a database. 
One can think of the schema as the “blueprint” describing the logical elements of the database. 
 
 
 
 
