Change Management and Cryptography Quiz

Questions and Answers

What are the potential risks of not implementing clear change policies?

  • Increased risk of data corruption (correct)
  • Improved data security
  • Increased application availability
  • Reduced risk of downtime

What is the primary role of a change approval process?

  • To identify the individual responsible for performing the change
  • To ensure all changes are completed quickly
  • To manage changes effectively and avoid confusion and mistakes (correct)
  • To avoid any potential downtime during the change process

Which of these is not a typical stage of the change approval process?

  • Negotiating a price for the change (correct)
  • Scheduling a date and time for the change
  • Determining the impact of the change
  • Identifying the scope of the change

What is the purpose of a sandbox testing environment in the change process?

  • To test the change in a safe, controlled environment before deployment (B)

Which of the following is NOT a valid reason to have a backout plan for a change?

  • To guarantee that the change will succeed perfectly without any issues (D)

What is the primary responsibility of the change owner?

  • To manage the change process and ensure it's followed correctly (D)

What is the most important reason to have a maintenance window for changes?

  • To limit the impact of the change on end users (C)

Which of the following is NOT a benefit of using larger keys in cryptography?

  • Reduced overhead and faster processing times (C)

What type of encryption protects data at rest, often used for full-disk encryption?

  • Database encryption (C)

Which encryption method is commonly used for protecting data traversing the network?

  • Transport encryption (C)

What is the primary factor that determines the strength of a cryptographic key?

  • The length of the key (A)

What is the purpose of key stretching?

  • To make weak keys more resistant to attacks by performing multiple processes (B)

Which of the following is an example of an encryption algorithm often used for protecting data at rest?

  • AES (Advanced Encryption Standard) (A)

Which of the following is a common feature of asymmetric encryption?

  • The creation of key pairs for separate encryption and decryption operations (D)

What is the primary purpose of transport encryption?

  • To ensure confidential communication over a network (C)

Which of the following is NOT a common method for encrypting data in an application?

  • None of the above (E)

Which of the following is a true statement regarding the importance of keeping encryption keys private?

  • Only authorized users should have access to the key to maintain data confidentiality and integrity (D)

What is the primary purpose of a Certificate Authority (CA)?

  • To digitally sign a website certificate to establish trust (C)

What is a Wildcard certificate used for?

  • To support multiple subdomains within a single domain (A)

Which of the following best describes OCSP stapling?

  • A process that allows certificate holders to verify their own status (C)

What is the role of a Certificate Revocation List (CRL)?

  • To store a list of revoked certificates (B)

What characteristic often distinguishes external threat actors?

  • They usually lack sophisticated resources and funding (D)

What is the role of Alice's private key in the encryption process?

  • It is used to decrypt ciphertext back into plaintext. (A)

Which statement describes a characteristic of the public key in asymmetric encryption?

  • It can be distributed freely to ensure secure communication. (B)

What is the primary requirement for asymmetric encryption to be secure?

  • The private key must remain confidential. (B)

Which encryption method involves two mathematically related keys?

  • Asymmetric encryption (B)

What should be done to manage access to cryptographic keys effectively?

  • Control access and maintain procedures. (D)

Why is it important to trust a third-party in the context of public keys?

  • They manage access to the cryptographic keys. (B)

Which type of storage devices can benefit from encrypting stored data?

  • Any type of storage device. (D)

What process does Bob use to create ciphertext from Alice’s public key?

  • He combines Alice's public key with the plaintext. (C)

What is a potential consequence of legal proceedings on cryptographic key access?

  • Access to keys may be mandated through court orders. (B)

Which of the following best describes asymmetric encryption?

  • It uses a pair of keys: one public and one private. (C)

What is the primary purpose of the private key in Public Key Infrastructure?

  • Decrypt data encrypted with the public key (C)

Which statement is true regarding the relationship between public and private keys?

  • The public key is used to encrypt data, and only the corresponding private key can decrypt it. (D)

What is a disadvantage of symmetric encryption compared to asymmetric encryption?

  • It requires the distribution of a single shared key. (B)

What role does a certificate authority play in a Public Key Infrastructure?

  • It is responsible for creating and managing digital certificates. (B)

Which of the following statements best describes key escrow?

  • It involves a third party holding decryption keys for legitimate business reasons. (B)

What mathematical concepts are often associated with key generation in PKI?

  • Large prime numbers and randomization (B)

Why might symmetric encryption be combined with asymmetric encryption?

  • To leverage the speed of symmetric encryption and the secure key exchange of asymmetric encryption. (C)

What is a primary characteristic of asymmetric encryption?

  • It involves a pair of keys (public and private), which are linked mathematically. (D)

Flashcards

Data Corruption

Corruption of data can lead to security vulnerabilities and disruptions.

Change Approval Process

Formal management system for initiating and implementing changes.

Sandbox Testing Environment

Isolated space to test changes without affecting real systems.

Backout Plan

A strategy to revert changes if they cause issues.

Ownership in Change Process

Responsible individual or entity for managing and overseeing changes.

Maintenance Window

Scheduled time for implementing changes or updates to systems.

Impact Analysis

Assessing the potential effects of a proposed change on systems and processes.

Asymmetric encryption

A method using a pair of keys, public and private, for secure data communication.

Public key

A key that can be shared with anyone, used to encrypt data sent to the owner of the corresponding private key.

Private key

A secret key kept confidential, used to decrypt data that is encrypted with the public key.

Ciphertext

Encrypted data that is not readable without decryption.

Plaintext

The original readable data before it is encrypted.

Encryption process

The method of converting plaintext into ciphertext using a key.

Decryption process

The reverse action of encryption, converting ciphertext back to plaintext using a private key.

Cryptographic keys

Secret values used in encryption and decryption, critical for data security.

Trust in public key systems

The reliance on third parties to manage and distribute public keys securely.

Encrypting stored data

The process of protecting data on storage devices through encryption.

Public Key Infrastructure (PKI)

A system that manages digital certificates and binds public keys to entities.

Digital Certificates

Files that verify ownership of a public key and identify the entity.

Key Escrow

An arrangement where a third party holds decryption keys.

Certificate Authority (CA)

An entity that issues and verifies digital certificates.

Key Generation

The process of creating both public and private keys simultaneously.

Internal Certificate Authority (CA)

A trusted entity that issues digital certificates for secure communication.

Wildcard Certificate

A certificate that secures multiple subdomains of a domain with a single certificate.

Certificate Revocation List (CRL)

A list maintained by a CA to show revoked certificates.

Online Certificate Status Protocol (OCSP)

A method for checking the revocation status of a certificate in real-time.

Certificate Signing Request (CSR)

A request sent to a CA containing a public key and identity information for certificate issuance.

Cryptographic Process

A method of transforming data to protect its confidentiality.

Full-Disk Encryption

Encrypts the entire disk to protect data at rest.

BitLocker

A full-disk encryption feature in Windows OS.

File Encryption

Encrypts specific files to keep them confidential.

EFS (Encrypting File System)

A feature for encrypting files in Windows to secure data.

Transparent Encryption

Encrypts data without affecting how it's accessed by applications.

VPN (Virtual Private Network)

Encrypts data sent over a network to enhance security.

Key Stretching

A process to make weak keys stronger through multiple transformations.

Study Notes

CompTIA Security+ SY0-701 Course Notes

  • This course covers the CompTIA Security+ SY0-701 exam
  • The exam is 90 minutes long and includes multiple choice and performance-based questions
  • Exam topics are broken down into sections, each with a percentage weighting
  • Section 1.0 covers General Security Concepts (12%)
  • Section 2.0 covers Threats, Vulnerabilities, and Mitigations (22%)
  • Section 3.0 covers Security Architecture (18%)
  • Section 4.0 covers Security Operations (28%)
  • Section 5.0 covers Security Program Management and Oversight (20%)

1.1 - Security Controls

  • Security controls are crucial for mitigating risks
  • Technical, managerial, operational, and physical controls are discussed
  • Includes detective, corrective, and preventive controls
  • Examples include firewalls, anti-virus, security policies, and physical security measures (locks, security guards)

1.2 - The CIA Triad

  • Confidentiality, Integrity, and Availability are fundamental principles in security
  • Keeps sensitive data safe
  • Prevent unauthorized access (Confidentiality)
  • Protect data integrity from modification (Integrity)
  • Ensure system availability (Availability)

1.2 - Non-repudiation

  • Verifies what was said/done
  • Can't deny actions
  • Cryptographic methods are used for verification
  • Digital signatures and hashing are covered as part of non-repudiation

1.2 - Authentication, Authorization, and Accounting

  • Authentication confirms identity
  • Authorization defines permitted actions
  • Accounting keeps records of resource use

1.2 - Gap Analysis

  • Identifies the difference between the current and desired security posture
  • Examines and compares security measures
  • Helps define priorities to improve security

1.2 - Zero Trust

  • Assumes no implicit trust within a network
  • Verifies every device, user, and application
  • Applies security to everything, everywhere
  • Multiple planes of operation are discussed

1.3 - Physical Security

  • Protects physical assets
  • Barrier control (bollards)
  • Access control vestibules are used
  • Security badges, security guards
  • Prevent access to areas, equipment, or resources

1.3 - Deception and Disruption

  • Using decoys may mislead the attackers
  • Honeypots (virtual or physical systems)
  • Decoy files and resources
  • Can observe attacker behavior

1.4 - Digital Certificates

  • Verifies the identity of an individual or device
  • Public key cryptography is a crucial component
  • Trust is built by using a Certificate Authority (CA)

1.4 - Encrypting Data

  • Full-disk encryption
  • File encryption
  • Data encryption during transport protects data in motion

1.4 - Key Exchange

  • Symmetric key encryption uses the same key for encryption and decryption
  • Asymmetric key encryption
  • Public key and private key
  • Often used in conjunction with encryption

1.4 - Trusted Platform Module (TPM)

  • Securely stores cryptographic keys
  • Offers hardware-based security
  • Helps prevent exploits

1.4 - Obfuscation

  • Hiding data to make it difficult to understand
  • Useful for protecting sensitive information
  • Uses many different techniques to protect
  • Cryptographic hash functions, steganography, etc.

1.4 - Blockchain Technology

  • A distributed, immutable ledger
  • Cryptographically secured
  • Used to secure transactions, maintain records, etc.

2.1 - Threat Actors

  • Nation-state actors
  • Organized crime
  • Hacktivists
  • Insider threats
  • Unskilled attackers
  • Shadow IT actors

2.2 - Common Threat Vectors

  • Message-based (phishing)
  • File-based (malware)
  • Voice-call vectors
  • Wireless vectors
  • Supply chain vectors

2.3 - Memory Injections

  • Modifying memory of other applications
  • Can be a way to exploit vulnerabilities

2.3 - Buffer Overflows

  • Risks can occur with poorly secured code
  • Vulnerability in programs
  • Can cause unexpected behavior or system crash

2.3 - Race Conditions

  • A vulnerability where unanticipated concurrent operation causes errors
  • Attackers use timing-sensitive vulnerabilities to disrupt processes

2.3 - Malicious Updates

  • Often delivered through legitimate channels
  • May contain additional malware

2.3 - Operating System Vulnerabilities

  • Vulnerable to exploits
  • Not keeping systems updated

2.3 - SQL Injection

  • Manipulating input to break into databases
  • Enables access to sensitive data

2.3 - Cross-site Scripting (XSS)

  • Injecting scripts into websites to steal information

2.3 - Hardware Vulnerabilities

  • Attacking weaknesses in hardware devices
  • Could be a potential way to bypass defenses

2.3 - Virtualization Vulnerabilities

  • Potential security issues in virtualization
  • The ability to escape a virtual environment
  • Attackers see these as a weakness

2.3 - Cloud-Specific Vulnerabilities

  • Similar attacks as on-premises, such as vulnerabilities and misconfigurations
  • Security is complex
  • Third-party issues can occur

2.3 - Supply Chain Vulnerabilities

  • Attacking the chain between producers and consumers
  • Vulnerable links can be exploited or corrupted
  • Compromising a supplier can threaten the entire network

2.3 - Misconfiguration Vulnerabilities

  • Leaving security settings out of date

2.4 - Cryptographic Attacks

  • Exploitation of cryptographic algorithms
  • Can be used to create security weaknesses

2.4 - Password Attacks

  • Brute-force attacks
  • Using stolen credentials or weak passwords

2.4 - Application Attacks

  • Exploiting application weaknesses
  • SQL injection, cross-site scripting

2.4 - On-path Attacks

  • Network compromises
  • Manipulating traffic when moving packets between source and destination

2.4 - Replay Attacks

  • Replaying intercepted data to gain unauthorized access
  • Spoofs or imitates actions

2.4 - Denial of Service (DoS)

  • Attacking services to stop them from working
  • Flood services with requests and data to overload them
  • Distributed denial of service (DDoS) uses many computers to attack

2.4 - Wireless Attacks

  • Jamming attacks
  • Wireless deauthentication attacks

2.4 - Malware: Viruses, Worms, Ransomware, Trojans, Rootkits, Spyware, Bloatware

  • Malware types
  • How they operate and spread
  • How they are used in attacks

2.4 - Other Malware Types

  • Keyloggers
  • Logic bombs

3.1 - Network Infrastructure Concepts

  • Physical and logical separation
  • Secure network designs

3.1 - Other Infrastructure Concepts

  • Attackers always look for vulnerabilities
  • On-premises vs. cloud security

3.2 - Secure Infrastructures

  • Security zones
  • Network appliances

3.2 - Intrusion Prevention System (IPS)

  • Intrusion detection and intrusion prevention
  • Active and passive monitoring

3.2 - Network Appliances

  • Firewalls and proxies
  • Multipurpose devices
  • Manage network traffic

3.3 - Data Types and Classifications

  • Data types and classifications
  • Data at rest, data in transit and data in use
  • Privacy concerns with data

3.4 - Recovery Testing

  • Test recovery procedures often
  • Backup
  • Backup techniques

3.4 - Resiliency

  • Ensure systems can withstand failures
  • Recovery and backups are crucial
  • Redundancy and diversity of resources help resiliency

3.4 - Capacity Planning

  • Match supply with demand

4.1 - Secure Baselines

  • Define secure configurations for systems
  • Manage software configurations
  • Secure protocols

4.2 - Asset Management

  • Asset identification and tracking
  • Security controls and policies

4.3 - Vulnerability Scanning

  • Identify and analyze security vulnerabilities
  • Test for threats

4.3 - Vulnerability Remediation

  • Address security vulnerabilities
  • Install security updates
  • Mitigate risks

4.3 - Threat Intelligence

  • Research threats and risk factors
  • Use information to build security
  • Analysis of data and patterns to detect threats

4.4 - Security Monitoring

  • Continuous security oversight and response
  • Investigate and address security issues
  • Detection and response to security incidents

4.5 - Firewalls and Network Based Firewalls

  • Manage traffic routing
  • Separate trusted and untrusted networks
  • Next-Generation Firewalls (NGFWs): Layer 7 firewalls providing more granular controls

4.5 - Web Filtering

  • Monitor web traffic
  • Block inappropriate or malicious content
  • Reputation systems

4.5 - Secure Protocols

  • Using encrypted protocols
  • Secure port configurations

4.5 - Monitoring Data

  • Collect and analyze data from various sources
  • Identify and address issues

4.6 - Identity and Access Management (IAM)

  • Centralize identity and access management
  • Manage credentials
  • Control access

4.7 - Scripting and Automation

  • Use automation for repetitive tasks
  • Security configuration management
  • Orchestrate and automate processes

4.8 - Incident Response

  • Plan for security incidents
  • Identify, contain, eradicate
  • Respond to incidents properly

5.1 - Security Policies

  • Develop and implement policies
  • Address risks

5.1 - Security Standards

  • Conform to existing standards
  • Maintain consistent security policies

5.2 - Risk Management

  • Evaluate risks
  • Develop mitigation strategies

5.2 - Risk Analysis

  • Identify risk factors
  • Evaluate potential impacts
  • Choose a method for risk assessment

5.3 - Third-party Risk Assessments

  • Evaluate third-party risks
  • Secure policies and procedures required for mitigation

5.4 - Compliance

  • Meet legal and regulatory requirements
  • Manage risks for compliance

5.5 - Audits and Assessments

  • Verify compliance and security status
  • External and internal assessments
  • Use audits to improve security controls

5.6 - Security Awareness Training

  • Educate users about security threats and risks
  • Train users on security best practices
  • Implement awareness programs
