Security+ Exam Cram: Domain 1 Overview

Questions and Answers

What is the role of a Policy Enforcement Point (PEP)?

To manage cryptographic keys

To evaluate access requests against policies (correct)

To ensure physical security

To monitor network traffic

A subject is a user who wishes to access a resource.

True

A short, sturdy vertical post used to control traffic flow is called a ______.

bollard

What is the primary purpose of an access control vestibule?

To strictly control access to highly secure areas.

What is a honeypot used for in cybersecurity?

To lure attackers for observation

What is the function of change management in security?

To process and evaluate changes to reduce risk and ensure security.

A tool used for managing cryptographic keys is known as a ______.

key management system

Match the following terms with their definitions:

Public Key = Used for encrypting data that only the private key can decrypt. Private Key = Used to decrypt data encrypted with the corresponding public key. Certificate Authority (CA) = An entity that issues digital certificates. Honeynet = A collection of honeypots designed to deceive attackers.

The efficacy of a fence is greater at a height of 6-7 feet.

True

Explain the importance of documentation in change management.

Documentation provides a clear understanding of system configurations and is crucial for future reference and changes.

Which of the following is a deceptive method used to observe attackers?

Honeypot

Which of the following is a type of security control?

Compensating

What does 'CIA' stand for in security concepts?

Confidentiality, Integrity, Availability

Safeguards and countermeasures are interchangeable terms.

False

Match the following security control types with their functions:

Preventive = Thwarts unwanted activity Detective = Discovers unwanted activity Corrective = Restores normal operations Directive = Encourages compliance with security policies

___ ensures that data or system configurations are not modified without authorization.

Integrity

What is non-repudiation?

The guarantee that no one can deny a transaction.

Which type of access control model is characterized by user roles?

Role-Based Access Control

In a Zero Trust model, no entity is trusted by default.

True

What is the primary purpose of a Policy Enforcement Point (PEP)?

To enable, monitor, and terminate connections based on access control policies.

Policies, procedures, and standards fall under ___ controls.

managerial

What is one example of asymmetric cryptography?

RSA

Which of the following are types of ciphers?

All of the above

Block ciphers encrypt data one bit at a time.

False

What is a common key length recommendation for RSA?

2048 bits

What is the purpose of Digital Signatures?

Authentication, non-repudiation, and integrity.

Which ciphers rearrange the order of plaintext letters?

Transposition cipher

Which cryptographic concept is used to validate the integrity of data?

Hashing

A ________ is random data added to a password before hashing to enhance security.

salt

What does the term 'key stretching' refer to?

Processes that take a weak key and make it stronger.

Digital Signature Standard works only with SHA-1.

False

Match the following cryptographic concepts with their functions:

Digital signature = Ensures authentication and integrity Hashing = Creates a fixed-length output from variable-length input Tokenization = Replaces sensitive data with non-sensitive equivalents Salt = Random data added to passwords before hashing

What is the main advantage of using a blockchain?

Decentralization and immutability.

Which of the following best describes a hardware security module (HSM)?

A device that manages and safeguards digital keys

What is another term for a certification authority?

Public Key Infrastructure (PKI)

Which of the following types of CAs issues certificates to new subordinate CAs?

Root CA

The Certificate Revocation List (CRL) contains information about valid certificates.

False

What is the purpose of the Online Certificate Status Protocol (OCSP)?

To check a certificate's status faster than downloading a CRL.

What does an Online CA do?

Both A and B

What is a certificate signing request (CSR)?

Records identifying information for a person or device that owns a private key and the corresponding public key.

What do the terms 'pinning' and 'stapling' refer to in the context of certificates?

Stapling allows a web server to provide OCSP responses.

What is the purpose of key escrow?

To enable recovery of lost cryptographic keys.

Match the following certificate types with their descriptions:

Wildcard = Supports multiple Fully Qualified Domain Names (FQDNs) Code signing = Provides proof of content integrity Self-signed = Issued by the same entity that uses it Email = Allows users to digitally sign their emails

Certificates can have a maximum lifetime of 3 years.

False

What is the Hardware Root of Trust (HRoT)?

A secure hardware component that verifies keys before the secure boot process.

The ___ encryption algorithm is the current industry gold standard.

AES

Which algorithm is considered an asymmetric encryption algorithm?

RSA

What is the difference between a partition and a volume?

A partition is a physical section of storage; a volume is a logical division that can span multiple partitions.

Self-Encrypting Drives (SEDs) are not as secure as software-based encryption.

False

Which of the following best describes 'Data in transit'?

Data that is being transmitted over a network

When is data considered to be 'in use'?

When it is being processed by applications in random access memory (RAM).

Study Notes

Zero Trust Model and Data Plane

• Implicit Trust Zones characterize traditional security with defined perimeters using firewalls and security devices.
• Subjects are users accessing resources, while systems refer to non-human entities such as devices.
• Policy Enforcement Point (PEP) evaluates access requests against predefined policies.
• Conditional access involves enforcing specific access conditions through a workflow of signal, decision, and enforcement.
• Policy Decision Point (PDP), Policy Engine, and Policy Administrator are components in the data plane responsible for policy decisions.

Physical Security Essentials

• Physical security is critical; without it, other security measures are ineffective.
• Bollards serve as sturdy vertical posts to deter vehicle access and protect sensitive areas.
• Access Control Vestibule, or mantrap, restricts entry by permitting only sequential door openings to prevent unauthorized access.
• Fences act as deterrents; height matters:
  • 3-4 feet inhibit casual trespassers.
  • 6-7 feet hinder climbing, enhancing visual security.
  • 8 feet with barbed wire deter determined intruders but can be costly.

Security Control Types

• Video Surveillance includes CCTV for monitoring and identity verification, with motion detection capabilities.
• Security Guards can offer preventive control by physically monitoring access to secure areas.
• Access badges provide electronic entry controls to maintain security.
• Lighting, along with strategic placement and efficiency considerations, contributes to deterring break-ins.
• Various sensor technologies (infrared, pressure, microwave, ultrasonic) detect unauthorized movement effectively.

Deception Techniques

• Honeypots lure and monitor attackers without entrapping them, creating a controlled distraction away from actual assets.
• Honeyfiles and Honeytokens are decoy items designed to divert attackers and reveal attempted data theft.

Change Management Processes

• Change management aims to align business processes with security, enhancing overall operations.
• Effective change management reduces security incidents, ensures configuration consistency, and facilitates risk management.
• Key elements of change management include:
  • Approval processes for proposed changes.
  • Clearly defined ownership of changes.
  • Stakeholder analysis to assess impact on affected parties.
  • Detailed impact analysis and testing protocols.
  • Backout plans for safe rollback of unsuccessful changes.
  • Maintenance windows to limit disruptions during updates.

Technical Implications in Change Management

• Allow lists/deny lists and restricted activities are crucial to managing access and ensuring security.
• Documentation helps maintain a comprehensive record of system configurations and changes.
• Version control systems (like Git) track code and configuration changes and identify conflicts, improving collaborative software development.

Cryptographic Solutions and Public Key Infrastructure (PKI)

• PKI includes tools like certificate revocation lists (CRLs), trusted platform modules (TPMs), and hardware security modules (HSMs).
• Key management encompasses generation, exchange, storage, usage, and destruction of cryptographic keys.
• Certificate Authorities (CAs) issue digital certificates under specified policies within the PKI hierarchy.
• Encryption types vary including full-disk, partition, and file-level encryption to protect sensitive data.

Summary of Key Concepts

• Understanding security measures from both logical (Zero Trust) to physical (fences, bollards) aspects is crucial for robust cybersecurity.
• Effective change management processes directly improve security postures and ensure stable business operations.
• Utilizing cryptographic tools and PKI systems enhances data security through proper key management and certificate issuance.### Public Key Infrastructure (PKI) Concepts
• A certification authority (CA) issues certificates, maintaining a hierarchy of trust through root, subordinate, and issuing CAs.
• Root CA operates in an offline state for enhanced security; subordinate CAs (or policy CAs) and issuing CAs provide certificates for clients, servers, and devices.
• Certificate Revocation List (CRL) contains revoked certificate information. CAs must publish CRLs; certificate users decide on checking revocation status.
• Online Certificate Status Protocol (OCSP) allows real-time checks of a certificate's status, improving efficiency over CRLs.

Certificate Management

• Certificate Signing Request (CSR) includes identifying information linked to the owner's private key and associated public key; it is sent to a CA to obtain a digital certificate.
• Common name (CN) refers to the Fully Qualified Domain Name (FQDN) of the entity, such as a web server.
• Online CAs operate continuously, while offline CAs are utilized only for specific operations—best practices recommend offline use for root CAs.
• Certificate stapling enables web servers to supply validity information for their own certificates, improving OCSP efficiency.

Trust Models and Key Management

• Certificate chaining affirms trust through a hierarchy of CA certificates, where each CA endorses another in the trust model.
• Key escrow allows recovery of cryptographic keys to prevent data loss, particularly crucial for symmetric keys and private keys in asymmetric cryptography.

Certificate Formats and Types

• Formats: DER (no private key), PEM (private key), PFX/P12 (private key), CER (single certificate), P7B (no private key).
• User Certificates establish digital identity; Root Certificates serve as trust anchors in PKI.
• Domain-Validated (DV) and Extended Validation (EV) certificates provide varying levels of trust.
• Wildcard Certificates cover multiple FQDNs in a domain, reducing costs.
• Self-signed Certificates are created by the entity using them but lack validation.

Encryption Levels and Data Protection

• File Encryption: Encrypts individual files, ideal for sensitive information.
• Volume Encryption: Protects partitions within a physical drive.
• Disk Encryption: Automates encryption for all data written to and from a disk, e.g., BitLocker for Windows.
• Full Disk Encryption (FDE) is integrated within the operating systems, with Trusted Platform Module (TPM) enhancing security.

Self-Encrypting Drives (SED)

• SEDs encrypt data at rest automatically, following the OPAL storage specification—more secure and faster than software-based solutions.
• Ideal for protecting data on lost or stolen devices without user intervention required for decryption.

Transport Communications Security

• Data in transit is commonly protected by TLS or HTTPS to safeguard communication, notably during sensitive transactions like credit card data entry.

Data Protection in Relational Databases

• Row-level and column-level encryption can be implemented for sensitive data within databases, with transparent data encryption (TDE) providing full database protection with minimal impact on performance.

Symmetric vs. Asymmetric Cryptography

• Symmetric Encryption: Utilizes a shared secret key, less scalable and lacks non-repudiation; ideal for bulk encryption.
• Asymmetric Encryption: Employs public-private key pairs for secure communication, offering scalability and supporting non-repudiation; used for key exchanges and digital signatures.

Common Encryption Algorithms

• Symmetric Algorithms:
  • AES: Gold standard, efficient, with variable key lengths (128, 192, 256 bits).
  • 3DES: Phased out version of DES; less commonly used today.
  • Blowfish and Twofish: Known for strength and speed in bulk encryption.
• Asymmetric Algorithms:
  • RSA: Widely used, foundational for key exchanges and signatures, relies on the difficulty of large prime factorization.
  • ECC: Efficient with smaller key sizes; suitable for constrained systems.
  • Diffie-Hellman: Protocol for secure key exchange.

Key Takeaways

• Understanding of PKI components (CAs, CRLs, OCSP) is critical for secure communication.
• Knowledge of certificate types and their appropriate usage informs security practices.
• Mastery of encryption methods and algorithms is essential for effectively protecting data at rest and in transit.
• The importance of reactive and preventive measures in data protection strategies, particularly in database management and application security.### Asymmetric Cryptography
• Examples include RSA, Diffie-Hellman (DH), and Elliptic Curve Cryptography (ECC).
• Supports distribution of symmetric bulk encryption keys.
• Provides identity authentication through digital signatures and certificates.
• Enables non-repudiation services and key agreement mechanisms.

Types of Ciphers

• Stream Cipher: Encrypts plaintext digits one at a time using a pseudorandom keystream.
• Block Cipher: Encrypts data in fixed-size blocks (e.g., 64 bits) and is generally more secure than stream ciphers.
• Substitution Cipher: Replaces characters or bits of plaintext with other characters (e.g., Caesar, Vigenère ciphers).
• Transposition Cipher: Scrambles the order of plaintext letters without changing the letters themselves (e.g., Rail Fence, Columnar Transposition).

Cryptographic Key Length

• Increasing key length enhances algorithm strength exponentially.
• A small key length increase significantly raises the work required to crack encryption.
• Asymmetric Example: RSA key sizes of 1024, 2048, and 4096 bits; NIST recommends a minimum of 2048 bits.
• Symmetric Example: Advanced Encryption Standard (AES) supports 128, 192, and 256 bits; 256-bit key is suggested for quantum resistance.
• Doubling key length from 128 to 256 bits increases strength by 2^128 times.

Static vs. Ephemeral Keys

• Static Keys: Semi-permanent keys like RSA keys valid for a certificate's lifetime (usually 1-2 years).
• Ephemeral Keys: Short-lived keys generated for a single session (e.g., used in Diffie-Hellman).

Trusted Platform Module (TPM)

• Hardware chip on motherboards for key management and full disk encryption solutions.
• Provides system access to keys while preventing unauthorized data access.
• Supports secure OS boot processes.

Hardware Security Module (HSM)

• Physical device for managing digital keys and performing cryptographic functions.
• Can be external or removable, safeguarding keys with high security.

Hardware Root of Trust (HRoT)

• Mechanism for preventing unauthorized firmware execution.
• Ensures keys are verified before secure processes are initiated.
• TPM and HSM implementations exemplify HRoT.

Key Management System (KMS)

• Centralized cloud services for secure storage of application secrets (e.g., Azure Key Vault, AWS KMS).
• Offers programmatic access via APIs for secure key management and CI/CD integration.

Secure Enclaves

• Isolated areas for processing sensitive data in a secure manner.
• Combines hardware-based security and trusted execution environments.

Obfuscation Techniques

• Steganography: Concealment of messages within other files or data.
• Tokenization: Replaces sensitive data with randomly generated tokens.
• Pseudonymization: Substitutes identifiable information with pseudonyms for privacy.
• Anonymization: Removes all identifying data to ensure original subjects cannot be identified.

Hashing vs. Encryption

• Encryption: Two-way function that allows recovery of the original data with a key.
• Hashing: One-way function producing a unique digest; used for data integrity, digital signatures, and verification.

Hash Function Requirements

• Must support any input length while producing fixed-length output.
• Efficient computation and one-way functionality are essential.
• Collision resistance ensures unique hash outputs.

Common Use Cases of Cryptographic Algorithms

• Symmetric: AES used for bulk data encryption.
• Asymmetric: RSA and DH for secure key distribution and identity authentication.
• Hash Functions: Verify integrity and generate pseudo-random numbers.

Key Stretching

• Techniques to strengthen weak keys by increasing randomness and length.
• Recommended minimum RSA key length of 2048 bits since 2015 due to evolving security needs.

Blockchain Technology

• Original foundation for Bitcoin, functioning as a decentralized public ledger for transactions.
• Data is secured cryptographically, and each block contains the hash of the previous block.
• Employs proof of work to validate new data.

Differences between Blockchain and Open Public Ledger

• Decentralization: Blockchain is distributed with no central authority; open ledgers can be centralized.
• Immutability: Blockchain data is cryptographically secured and difficult to alter; public ledger data can be changed more easily.
• Validation: Blockchain employs consensus mechanisms; public ledgers rely on central authority integrity.
• Transparency: Blockchain transactions can be pseudonymous, while public ledgers tend to be fully transparent.

Limitations of Cryptographic Choices

• Speed and efficiency of applications must match encryption complexity.
• Resource requirements for encryption (memory, storage) must align with capabilities.
• Predictability and entropy in random number generation are crucial for cryptographic strength.
• Older algorithms face imminent retirement as technological capabilities evolve.

Description

Prepare for the Security+ examination with this focused quiz covering Domain 1: General Security Concepts. This material is aligned with the official exam syllabus and is designed to enhance your understanding before test day. Utilize 500-1000 practice questions and study guides for effective learning.