93 Cards in this Set

What are the core security goals?

Confidentiality, availability, and integrity

Why is confidentiality a core security goal?

It prevents the unauthorized disclosure of data. In other words, authorized personnel can access the data, but unauthorized personnel cannot access the data.

What is encryption?

Encryption scrambles data to make it unreadable by unauthorized personnel. Authorized personnel can decrypt the data to access it, but encryption techniques make it extremely difficult for unauthorized personnel to access encrypted data.

What are access controls?

Identification, authentication, and authorization combined provide access controls and help ensure that only authorized personnel can access data.

What is Identification?

Users claim an identity with a unique username.

What is Authentication?

Users prove their identity with authentication, such as with a password.

What is Authorization?

You can grant or restrict access to resources using an authorization method, such as permissions.

What is steganography?

The practice of hiding data within data. Many people refer to it as hiding data in plain sight. For example, you can embed a hidden message in an image by modifying certain bits within the file. If other people look at the file, they won't notice anything.

T/F The best way to protect confidentiality of data is by encrypting it.

True

What is integrity?

Integrity provides assurances that data has not changed. This includes ensuring that no one has modified, tampered with, or corrupted the data.

What is a hash?

A hash is simply a number created by executing a hashing algorithm against data, such as a file or message. As long as the data never changes, the resulting hash will always be the same. By comparing hashes created at two different times, you can determine if the original data is still the same. If the hashes are the same, the data is the same. If they are different, the data has been modified.

T/F Hashing tells you what modified the message.

False. It only tells you that the message has been modified, with the implication that the information should not be trusted as valid.

T/F You can use hashing techniques to enforce integrity.

True.

What are the 3 different meanings of MAC with Security+?

1. Media access control (MAC) addresses are the physical addresses assigned to network interface cards (NICs).
2. The mandatory access control (MAC) model is one of several access control models.
3. Message authentication code (MAC) provides integrity similar to how a hash is used.

T/F A digital signature can provide authentication.

True. If the digital signature arrives intact, it authenticates the sender.

T/F Digital signatures provide non-repudiation.

True. A sender cannot later deny sending an email because the digital signature proves he/she did.

Digital signatures require the use of what two things?

Certificates and Public Key Infrastructure (PKI). Certificates include keys used for encryption, and the PKI provides the means to create, manage, and distribute certificates.

What is availability?

Availability indicates that data and services are available when needed. Organizations commonly implement redundancy and fault-tolerant methods to ensure high levels of availability.

What are the benefits of redundancy?

It adds duplication to critical systems and provides fault tolerance. If a critical component has a fault, the duplication provided by the redundancy allows the service to continue without interruption.

What is a common goal of fault tolerance and redundancy techniques?

Remove each single point of failure (SPOF). If an SPOF fails, the entire system can fail.

What are some common examples of fault-tolerance and redundancy techniques?

- Disk redundancies
- Server redundancies
- Load balancing
- Site redundancies
- Backups
- Alternate power
- Cooling systems

How do disk redundancies affect availability?

Fault-tolerant disks such as RAID-1, RAID-5, and RAID-6 allow a system to continue to operate even if a disk fails.

How do server redundancies affect availability?

Failover clusters include redundant servers and ensure a service will continue to operate, even if a server fails. In a failover cluster, the service switches from the failed server in a cluster to an operational server in the same cluster. Virtualization can also increase availability of servers by reducing unplanned downtime.

How does load balancing affect availability?

Load balancing uses multiple servers to support a single service, such as a high-volume web site. It can increase the availability of web sites and web-based applications.

How do site redundancies help availability?

If a site can no longer function due to a disaster, the organization can move critical systems to an alternate site. The alternate site can be a hot site (ready and available 24/7), a cold site (a location where equipment, data, and personnel can be moved to when needed), or a warm site (a compromise between a hot site and a cold site).

How do backups affect availability?

If personnel back up important data, they can restore it if the original data is lost. Without data backups, data is lost forever.

How does alternate power affect availability?

Uninterruptible power supplies (UPSs) and power generators can provide power to key systems even if commercial power fails.

How do cooling systems affect availability?

Heating, ventilation, and air conditioning (HVAC) systems improve the availability of systems by reducing outages from overheating.

You can increase availability by:

A. Adding fault tolerance
B. Redundancies (RAID, failover clusters, backups, and generators)
C. Installing HVAC systems
D. Patching
E. All the above

E. All the above.

How does patching increase availability?

Software bugs cause a wide range of problems, including security issues and even random crashes. When software vendors discover the bugs, they develop and release code that patches or resolves these problems. Organizations commonly implement patch management programs to ensure that systems stay up to date with current patches.

What things do organizations do to protect the safety of their people?

Safety of people: Some of the biggest risks for people occur during disasters, such as fires, earthquakes, etc. Organizations develop business continuity plans to prepare for these disasters. These plans include items such as escape plans and escape routes. They also ensure personnel are aware of these plans by holding drills and training.

What things do organizations do to protect the safety of their assets?

A wide variety of physical security controls helps ensure the safety of assets. These include elements such as fencing around a building, lighting, locks, and closed-circuit television systems to provide video monitoring. Adding stronger locks and door access systems increases safety. Exit doors with electronic locks typically fail in an open position so that personnel can exit safely.

What is layered security?

Layered security, or defense in depth, combines multiple layers of security, such as a firewall, an IDS, content filtering, and antivirus software. You must implement security at several different layers so that if one layer fails, you still have additional layers to protect you.

What is considered a security threat?

Any circumstance or event that has the potential to compromise confidentiality, integrity, or availability. A threat can come from inside an organization, such as from a disgruntled employee, or from outside the organization, such as from an attacker who could be located anywhere on the Internet.

Threats can be natural, such as hurricanes, tsunamis, or tornadoes, or man-made, such as malware written by a criminal.

They can be intentional, such as from attackers, or accidental, such as from employee mistakes or system errors.

What is a vulnerability?

A vulnerability is a weakness. It can be a weakness in the hardware, the software, the configuration, or even the users operating the system.

Reducing a risk is known as what?

Risk mitigation.

How does implementing risk mitigation help security?

Risk mitigation reduces the chances that a threat will exploit a vulnerability. You reduce risks by implementing controls (also called countermeasures and safeguards).

T/F All threats to IT Security are preventable.

False. Most threats aren't preventable. You can't stop a tornado or prevent a criminal from writing malware. However, you can reduce risk by reducing vulnerabilities to the threat or by reducing the impact of the threat.

T/F In authentication, at least 2 entities know the credentials.

True. One entity, such as a user, presents the credentials. The other entity is the authenticator that verifies the credentials.

For example, Jane knows her username and password, and an authenticating server knows her username and password. Jane presents her credentials to the authenticating server, and the server authenticates her.

T/F Authentication is limited only to users.

False. Services, processes, workstations, servers, and network devices all use authentication to prove their identities. Many computers use mutual authentication, where both parties authenticate to each other.

_____________ occurs when a user claims an identity such as with a username or email address.

Identification

____________ occurs when the user proves the claimed identity (such as with a password) and the credentials are verified.

Authentication

What is identity proofing?

The process of verifying that people are who they claim to be prior to issuing them credentials.

In regards to identity proofing, why isn't providing your birthdate, SS#, mother's maiden name, etc., enough?

Because so many entities requested this information and didn't always protect it, it became easy for attackers to obtain this information and use it to steal identities. Security questions have been implemented as identity proofing, but they may not be a valid option much longer as breaches can occur and can allow access to your answers.

T/F Password recovery systems are an additional use of identity proofing.

True. Password reset or password recovery systems provide automated password recovery and are extremely useful in systems with a large number of users. They can actually reduce the total cost of ownership of the system.

What are the 5 categories of authentication factors?

1. Something you know
2. Something you have
3. Something you are
4. Somewhere you are
5. Something you do

What is the least secure form of authentication?

Anything within the something you know authentication category. People often write down their passwords, PINs, etc., or type them in within plain sight.

What is the something you know authentication factor?

This refers to a shared secret, such as a password or even a PIN. It is the weakest type of authentication factor.

What characterizes a strong password?

The password must be at least 8 characters and include multiple character types, such as uppercase letters, lowercase letters, numbers, and symbols.

What prevents users from reusing old passwords?

Password histories prevent users from using the same password repeatedly.

T/F When verifying a user's identity before resetting a password, the best practice is to reset the password with a temporary one that expires upon first use.

True.

What prevents password-guessing attempts?

Account lockout policies. If a user enters the wrong password too many times, an account lockout policy locks the account.

T/F If a system comes with a default password, administrators should only change it after the system has been in service longer than 90 days.

False. The default password should be changed before putting any system into service.

If you have to write your password down, which of the following is an acceptable place to put it:

A. On a post-it note
B. Under your keyboard
C. Concealed under an item on your desk
D. A locked safe

D. A locked safe.

T/F The recommendations for the best length of a strong password vary depending on the type of account.

True. A lot of documentation recommends a password length of at least 8 characters for a regular user, and organizations often require administrators to create passwords at least 15 characters long.

What makes up the key space in a password?

The combination of different characters in a password makes up the key space.

How can you calculate the key space?

You can calculate the key space with the following formula:

C^N

C is the number of possible characters used, and N is the length of the password. The ^ character in C^N indicates that C is raised to the N power.

For example, a 6-character password using only lowercase letters (26 letters) is calculated as 26^6, or about 308 million possibilities.

Given that a 6-character password using only lowercase letters calculates to 308 million possibilities, why isn't that sufficient?

There are password cracking tools that can test more than 20 billion passwords per second on desktop computers with a high-end graphics processor. An attacker can crack a 10-character password using only lowercase characters (141 trillion possibilities) in less than two hours.

If you use all 94 printable characters (uppercase, lowercase, numbers, and special characters) with a 10-character password length, how many possibilities do you get? (Pull out your calculator)

53 quintillion (53 followed by 18 zeros)

The password tool that cracks a lowercase password in 2 hours will take years to crack a 10-character password using all four character types.

T/F More complexity equates to less security.

True. This is because users have problems remembering overly complex passwords such as 4%kiEINsB* and they are more likely to write them down.

T/F When it comes to passwords, passphrases are encouraged.

True. Instead of nonsensical strings of characters, a passphrase is a long string of characters that has meaning to the user. A few examples of strong passphrases are IL0veSecurity+, IL0veThi$B00K, and IWi11P@$$.

How often should a user change his password?

Every 45-90 days, depending on the system and policy.

Before resetting a password, it is extremely important to verify ______________.

The user's identity.

What is the account lockout threshold?

This is the maximum number of times a user can enter the wrong password. When the user exceeds the threshold, the system locks the account.

What is the account lockout duration?

This indicates how long an account remains locked. It could be set to 30, indicating that the system will lock the account for 30 minutes. After 30 minutes, the system automatically unlocks the account. If the duration is set to 0, the account will remain locked until an administrator unlocks it.

What does the "something you have" authentication factor refer to?

Something you can physically hold, such as a smart card, a common access card, or a hardware token.

What are smart cards?

Smart cards are credit card-sized cards that have an embedded microchip and a certificate. Users insert the smart card into a reader, similar to how someone would insert a credit card into a credit card reader. The reader reads the information including the details from the certificate.

What does the embedded certificate on a smart card allow?

It allows the use of a complex encryption key and provides much more secure authentication than is possible with a simple password. Additionally, the certificate can be used with digital signatures and data encryption. The smart card provides confidentiality, integrity, authentication, and non-repudiation.

What are 2 main requirements for a smart card?

1. Embedded certificate
2. Public Key Infrastructure (PKI)

What does an embedded certificate on a smart card hold?

It holds a user's private key (only accessible to the user) and is matched with a public key (publicly available to others). The private key is used each time the user logs on to a network.

What is a Common Access Card (CAC)?

A common access card (CAC) is a specialized type of smart card used by the U.S. Dept of Defense. In addition to including the capabilities of a smart card, it also includes a picture of a user and other readable information.

What is a Personal Identity Verification (PIV) card?

It is a specialized type of smart card used by U.S. Federal agencies. It also includes photo identification and provides confidentiality, integrity, authentication, and non-repudiation for the users, just as a CAC does.

T/F Smart cards are often used with dual-factor authentication where users have something (the smart card) and know something (password or PIN).

True.

Homer needs to send an email to his HR department with an attachment that includes PII. He wants to maintain the confidentiality of this attachment. Which of the following choices is the BEST choice to meet his needs?

A. Hashing
B. Digital signature
C. Encryption
D. Certificate

Correct Answer: C

Encryption is the best choice to provide confidentiality of any type of information, including personally identifiable information (PII). Hashing, digital signatures, and certificates all provide integrity, not confidentiality.

You want to ensure that messages sent from administrators to managers arrive unchanged. Which security goal are you addressing?

A. Confidentiality
B. Integrity
C. Availability
D. Authentication

Correct Answer: B

Integrity provides assurances that data has not been modified, and integrity is commonly enforced with hashing. Confidentiality prevents unauthorized disclosure of data but doesn't address modifications of data. Availability ensures systems are up and operational when needed and uses fault tolerance and redundancy methods. Authentication provides proof that users are who they claim to be.


Your organization recently implemented two servers that act as failover devices for each other. Which security goal is your organization pursuing?

A. Safety
B. Integrity
C. Confidentiality
D. Availability

Correct Answer: D

Your organization is pursuing availability. A failover cluster uses redundant servers to ensure a service will continue to operate even if one of the servers fails. Safety methods provide safety for personnel and other assets. Integrity methods ensure that data has not been modified. Confidentiality methods such as encryption prevent the unauthorized disclosure of data.

Management at your company recently decided to implement additional lighting and fencing around the property. Which security goal is your company MOST likely pursuing?

A. Confidentiality
B. Integrity
C. Availability
D. Safety

Correct Answer: D

Lighting and fencing are two methods that can enhance the security goal of safety. Confidentiality is enhanced with encryption and access controls. Integrity is enhanced with hashing, certificates, and digital signatures. Availability is enhanced with redundancy and fault-tolerance procedures.

You are logging on to your bank's web site using your email address and a password. What is the purpose of the email address in this example?

A. Identification
B. Authentication
C. Authorization
D. Availability

Correct Answer: A

The email address provides identification for you and your account. The password combined with the email address provides authentication, proving who you are. Based on your identity, you are granted authorization to view your account details. Availability is unrelated to identification, authentication, and authorization.

Your organization has a password history value of 12. What does this indicate?

A. Your password must be at least 12 characters long.
B. Twelve different passwords must be used before reusing the same password.
C. Passwords must be changed every 12 days.
D. Passwords cannot be changed until 12 days have passed.

Correct Answer: B

The password history indicates how many passwords a system remembers and how many different passwords must be used before a password can be reused. Password length identifies the minimum number of characters. Password maximum age identifies when users must change passwords. Password minimum age identifies the length of time that must pass before users can change a password again.

A user calls into the help desk and asks the help-desk professional to reset his password. Which of the following choices is the BEST choice for what the help-desk professional should do before resetting the password?

A. Verify the user's original password
B. Disable the user's account
C. Verify the user's identity
D. Enable the user's account

Correct Answer: C

Before resetting a user's password, it's important to verify the user's identity. Users often need the password reset because they have forgotten their original password, so it's not possible to verify the user's original password. It's not necessary to disable a user account to reset the password. You would enable the account if it was disabled or locked out, but the scenario doesn't indicate this is the case.

Your organization is planning to implement remote access capabilities. Management wants strong authentication and wants to ensure that passwords expire after a predefined time interval. Which of the following choices BEST meets this requirement?

A. HOTP
B. TOTP
C. CAC
D. Kerberos

Correct Answer: B

A time-based one-time password (TOTP) meets this requirement. Passwords created with TOTP expire after 30 seconds. HMAC-based one-time password (HOTP) creates passwords that do not expire. A Common Access Card (CAC) is a type of smart card, but it does not create passwords. Kerberos uses tickets instead of passwords.

Which type of authentication is a fingerprint scan?

A. Something you have
B. Biometric
C. PAP
D. One-time password

Correct Answer: B

A fingerprint scan is a biometric method of authentication in the something you are factor of authentication. The something you have factor of authentication refers to something you can hold, such as a hardware token for a one-time password. Password Authentication Protocol (PAP) is an authentication method that sends passwords across the network in cleartext.

When users log on to their computers, they are required to enter a username, a password, and a PIN. Which of the following choices BEST describes this?

A. Single-factor authentication
B. Two-factor authentication
C. Multifactor authentication
D. Mutual authentication

Correct Answer: A

Both the password and the PIN are in the something you know factor of authentication, so this is single-factor authentication. Two-factor authentication requires the use of two different authentication factors. Multifactor authentication requires two or more factors of authentication. Mutual authentication is when both entities in the authentication process authenticate with each other, and it doesn't apply in this situation.

The security manager at your company recently updated the security policy. One of the changes requires dual-factor authentication. Which of the following will meet this requirement?

A. Hardware token and PIN
B. Fingerprint scan and retina scan
C. Password and PIN
D. Smart card

Correct Answer: A

A hardware token (such as an RSA token or a USB token) is in the something you have factor of authentication, and the PIN is in the something you know factor of authentication. Combined, they provide dual-factor authentication. The remaining answers only provide single-factor authentication.

Your network infrastructure requires users to authenticate with something they are and something they know. Which of the following choices BEST describes this authentication method?

A. Passwords
B. Dual-factor
C. Biometrics
D. Diameter

Correct Answer: B

This is dual-factor authentication because users must authenticate with two different factors of authentication (something you are and something you know). Passwords are in the something you know factor and biometrics are in the something you are factor, but the scenario includes both factors, not just one. Diameter is a remote access authentication service that supports Extensible Authentication Protocol (EAP).

Which of the following authentication services uses tickets for user credentials?

A. RADIUS
B. Diameter
C. Kerberos
D. LDAP

Correct Answer: C

Kerberos uses a ticket-granting ticket server to create tickets for users, and these tickets include user credentials for authentication. Remote Authentication Dial-In User Service (RADIUS) provides authentication for remote users. Diameter is an alternative to RADIUS, and it can utilize Extensible Authentication Protocol (EAP). Lightweight Directory Access Protocol (LDAP) is an X.500-based authentication service.

A network includes a ticket-granting server. Which of the following choices is the primary purpose of this server?

A. Authentication
B. Identification
C. Authorization
D. Access Control

Correct Answer: A

Kerberos uses a ticket-granting ticket server for authentication. Users claim an identity with a username for identification. They prove their identity with credentials for authentication, and Kerberos incorporates these credentials in tickets. Users are authorized access to resources with permissions, but only after they have been authenticated by an authentication service such as Kerberos. Access controls restrict access to resources after users are identified and authenticated.

Your network uses an authentication service based on the X.500 specification. When encrypted, it uses TLS. Which authentication service is your network using?

A. SAML
B. Diameter
C. Kerberos
D. LDAP

Correct Answer: D

Lightweight Directory Access Protocol (LDAP) uses X.500-based phrases to identify components, and Secure LDAP can be encrypted with Transport Layer Security (TLS). Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML) used for single sign-on (SSO), but it is not based on X.500. Diameter is an alternative to Remote Authentication Dial-In User Service (RADIUS), but neither of these is based on X.500.

When you log on to your online account, you are also able to access a partner's credit card site, check-ordering services, and a mortgage site without entering your credentials again. What does this describe?

A. SSO
B. Same sign-on
C. SAML
D. Kerberos

Correct Answer: A

This is an example of single sign-on (SSO) capabilities because you can log on once and access all the resources without entering your credentials again. Same sign-on requires you to reenter your credentials for each new site, but you use the same credentials. Security Assertion Markup Language (SAML) is an SSO solution used for web-based applications, and the bank might be using SAML, but other SSO solutions are also available. Kerberos is used in an internal network.

Your organization recently made an agreement with third parties for the exchange of authentication and authorization information. The solution uses an XML-based open standard. Which of the following is the MOST likely solution being implemented?

A. RADIUS
B. Diameter
C. TACACS+
D. SAML

Correct Answer: D

Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML) used for single sign-on (SSO) solutions. Remote Authentication Dial-In User Service (RADIUS) is a remote access authentication service. Diameter is an alternative to RADIUS. Terminal Access Controller Access-Control System Plus (TACACS+) is an authentication service that replaces the older TACACS protocol. RADIUS, Diameter, and TACACS+ do not use XML.

Which of the following provides authentication services and uses PPP?

A. Diameter and biometrics
B. Kerberos and LDAP
C. SAML and SSO
D. PAP and CHAP

Correct Answer: D

Both Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) use Point-to-Point Protocol (PPP). Diameter is an authentication service, but biometrics is an authentication method. Kerberos is an authentication service, but it doesn't use PPP, and LDAP is a method of querying directories. SAML is an XML-based data format used for single sign-on (SSO), but it doesn't use PPP.

Users in your organization access your network from remote locations. Currently, the remote access solution uses RADIUS. However, the organization wants to implement a stronger authentication service that supports EAP. Which of the following choices BEST meets this goal?

A. TACACS+
B. Diameter
C. Kerberos
D. Secure LDAP

Correct Answer: B

Diameter is an alternative to RADIUS, and it can utilize EAP. TACACS+ is an authentication service that replaces the older TACACS. Kerberos is an internal authentication protocol that uses tickets. Secure LDAP is an X.500-based authentication service that can be secured with Transport Layer Security (TLS).

Which of the following choices provide authentication services for remote users and devices?

A. Kerberos
B. RADIUS
C. Secure LDAP
D. Diameter

Correct Answer: B, D

Both RADIUS and Diameter are authentication services for remote users and devices. Diameter is more secure than RADIUS. Kerberos is an authentication service used with a domain or realm, and Secure LDAP uses TLS for encryption and is used to query directories.