Logical Security Flashcards

(75 cards)

1
Q

Non-physical measures implemented to protect digital data, restrict unauthorized access, and ensure data integrity and confidentiality

A

Logical Security

2
Q

Security process that provides identification, authentication, and authorization mechanisms for users and computers

A

Identity and Access Management (IAM)

3
Q

Supports the identities of various assets by defining the resources an asset has permission to access based on the function the asset fulfills | Servers, people & endpoints

A

Roles

4
Q

Authenticates or proves an identity using more than one method | Something you know, something you have, something you are, something you do, somewhere you are

A

Multifactor Authentication

5
Q

Guesses the password by attempting to check every single word or phrase contained within a word list, called a dictionary

A

Dictionary Attack

6
Q

Tries every possible combination until the password is figured out

A

Brute Force Attack

7
Q

Combination of dictionary and brute force attacks

A

Hybrid Attack

8
Q

Something you know - Knowledge - Usernames, passwords, PINs, personal question answers

Something you have - Possession - Smartcards, RSA key fobs, RFID tags

Something you are - Inherence - Fingerprints, retina scans, voice prints

Something you do - Action - How you sign your name, how you draw a pattern, how you say a catchphrase

Somewhere you are - Location - Geotagging, geofencing

A
9
Q

The process of determining whether someone or something is who or what it claims itself to be

A

Authentication

10
Q

A database that is used to centralize information about the clients and the objects on the network

A

Lightweight Directory Access Protocol (LDAP)

11
Q

LDAP - Port 389

LDAP Secure - Port 636

A
12
Q

Organizes and manages everything on the network, including clients, servers, devices, and users

A

Active Directory (AD)

13
Q

Focused on authentication and authorization within a Windows domain environment

A

Kerberos

14
Q

The domain controller keeps port 88 open to receive service login requests from clients when using Kerberos

A
15
Q

In an SSO system, users can have a single strong password or utilize multi-factor authentication

A
16
Q

An XML-based data format that is used to exchange authentication information between a client and a service | Service provider, user agent & identity provider

A

Security Assertion Markup Language (SAML)

17
Q

Provides centralized administration of dial-up, VPN, and wireless authentication, so it can be used with both 802.1x and the Extensible Authentication Protocol (EAP)

A

Remote Authentication Dial-In User Service (RADIUS)

18
Q

RADIUS Authentication messages - Port 1812

RADIUS Accounting messages - Port 1813

A
19
Q

Was developed by Cisco and it can perform the role of an authenticator in an 802.1x network | Used for authentication, authorization, accounting and security features

A

Terminal Access Controller Access-Control System Plus (TACACS+)

20
Q

TACACS+ - Supports all protocols

RADIUS - Doesn’t support all protocols

A
21
Q

Security mechanism that generates a temporary, dynamic password or token that is valid only for a short period | Time-based authentication significantly enhances security

A

Time-Based Authentication / (TOTP)

22
Q

Using the lowest level of permissions or privileges needed in order to complete a job function or admin task

A

Least Privilege

23
Q

An access control method where access is determined by the owner of the resource

A

Discretionary Access Control (DAC)

24
Q

Drawbacks of DAC:

A

Every object in a system has to have an owner

Each owner must determine the access rights and permissions for each object

25
An access control policy where the computer system gets to decide who gets access to what objects | Used in the military & not in most enterprise networks
Mandatory Access Control (MAC)
26
An access model that is controlled by the system but focuses on a set of permissions versus an individual's permissions
Role-Based Access Control (RBAC)
27
Location of data within a processing system | Data at rest, data in motion, data in processing
Data State
28
Any data stored in memory, a hard drive, or a storage device | full disk encryption, folder encryption, file encryption & database encryption
Data at Rest
29
Any data moving from one computer or system to another over the network or within the same computer
Data in Transit/Motion
30
Any data that is read into memory or is currently inside the processor and being worked on or manipulated
Data in Use/Processing
31
Provides authentication and encryption of data packets to create a secure and encrypted communication path between two computers
IP Security (IPSec)
32
Five main steps in the process of establishing and using a secure VPN tunnel when you're using IPSec
1. Key exchange request - Site to Site or Client to Site 2. IKE Phase 1 - Main mode or Aggressive mode 3. IKE Phase 2 4. Data transfer 5. Tunnel termination
33
Conducts three two-way exchanges between the peers, from the initiator to the receiver
Main Mode
34
Uses fewer exchanges, resulting in fewer packets and a faster initial connection than main mode
Aggressive Mode
35
1. Agree upon which algorithms and hashes will be used to secure the IKE communications throughout the process 2. Use of Diffie-Hellman exchange to generate shared secret keying material so that the two parties can prove their identities 3. Verify the identity of the other side by looking at an encrypted form of the other peer's IP address
36
Only occurs after IKE already established the secure tunnel in Phase 1 using either main or aggressive mode
Quick Mode
37
Allows two systems that don't know each other to be able to exchange keys and trust each other
Diffie-Hellman Key Exchange
38
1. PC1 sends traffic to PC2 and then RTR1 initiates creation of IPSec tunnel 2. RTR1 and RTR2 negotiate Security Association (SA) to form IKE Phase 1 tunnel (ISAKMP tunnel) 3. IKE Phase 2 tunnel (IPSec tunnel) is negotiated and set up 4. Tunnel is established and information is securely sent between PC1 and PC2 5. IPSec tunnel is torn down and the IPSec SA is deleted
39
Uses the packet's original IP header and is used for client-to-site VPNs
Transport Mode
40
When using a client-to-site VPN, it is recommended to use transport mode as the IPSec method
41
Encapsulates the entire packet and puts another header on top of it
Tunneling Mode
42
For site-to-site VPNs, jumbo frames need to be allowed
43
Transport - Client to site Tunneling - Site to site
44
Provides connectionless data integrity and data origin authentication for IP datagrams and provides protection against replay attacks
Authentication Header (AH)
45
Provides authentication, integrity, replay protection, and data confidentiality
Encapsulating Security Payload (ESP)
46
In transport mode, use AH to provide integrity for the TCP header and ESP to encrypt it
47
In tunneling mode, use AH and ESP to provide integrity and encryption of the end payload
48
An entire system of hardware, software, policies, procedures, and people that is based on asymmetric encryption
Public Key Infrastructure (PKI)
49
This encryption and decryption process is just one small part of the overall PKI architecture
Public Key Cryptography
50
Issues digital certificates and keeps the level of trust between all of the certificate authorities around the world
Certificate Authority
51
Process where cryptographic keys are stored in a secure, third-party location, which is effectively an "escrow"
Key Escrow
52
Framework for managing digital keys and certificates that facilitate secure data transfer, authentication, and encrypted communications
Public Key Infrastructure (PKI)
53
Public Key Infrastructure (PKI) - Public Key Cryptography Public Key Encryption - Asymmetric encryption and decryption
54
PKI is pivotal in ensuring secure communication and data exchange on the Internet
55
Digitally signed electronic document that binds a public key with a user's identity
Digital Certificate
56
Allows all of the subdomains to use the same public key certificate and have it displayed as valid
Wildcard Certificate
57
Certificate that specifies what additional domains and IP addresses are going to be supported
Subject Alternate Name (SAN) field
58
Only requires the server to be validated
Single-Sided Certificate
59
Requires both the server and the user to be validated
Dual-Sided Certificate
60
Digital certificate that is signed by the same entity whose identity it certifies
Self-Signed Certificate
61
Digital certificate issued and signed by a trusted certificate authority (CA)
Third-Party Certificate
62
Each certificate is validated using the concept of a root of trust or the chain of trust
Root of Trust
63
Trusted third party who is going to issue these digital certificates
Certificate Authority
64
Requests identifying information from the user and forwards that certificate request up to the certificate authority to create the digital certificate
Registration Authority (RA)
65
A block of encoded text that contains information about the entity requesting the certificate
Certificate Signing Request (CSR)
66
Serves as an online list of digital certificates that the certificate authority has already revoked
Certificate Revocation List (CRL)
67
Occurs when a secure copy of a user's private key is being held
Key Escrow
68
Specialized type of software that allows the restoration of a lost or corrupted key to be performed
Key Recovery Agent
69
70
Refers to how an organization will generate, exchange, store, and use encryption keys
Key Management
71
To get into a website, a person must be able to enter their password, username, and answer two personal questions. How many authentication factors does this website test?
1 - All of the items are something you know, so there is only one factor being tested here
72
What communication protocol does RADIUS use?
UDP
73
In a corporate environment with separate departments needing isolated network access, which process would be most effective for ensuring both network segmentation and traffic monitoring?
Configure a VLAN
74
Nordic Treasures, a small business, has decided that it wants to improve its security stance and take steps to secure its internal communications. It was decided that due to a low budget, they will implement a system that provides better authentication without relying on third-party certificate authorities. Which method would be the most suitable?
Utilizing PKI with self-signed certificates
75
Which type of security measure is used to control access to an area by using a retina scan?
Biometric