13) Common Security Concepts Flashcards
You will describe basic concepts related to network security. As a networking professional, it is part of your responsibility to understand these fundamental concepts so that you can support network security controls.
Lesson Objectives:
• Explain common security concepts.
• Explain authentication methods.
An organization hires a new Marketing department head from outside the company. The new employee is surprised to learn that they cannot assign permissions to the Marketing folders to employees that work in other areas of the company. What kind of access management is the organization using?
A. Least privilege
B. Role-based access
C. Privileged access management
D. Zero trust
B. Role-based access
The organization is using role-based access which defines a set of organizational roles and allocates users to those roles. Under this system, only the system owner has the right to modify roles.
Least privilege means that the administrator grants a user sufficient rights to perform their job and no more. However, authorization creep can grant the user more and more rights over time.
Privileged access management (PAM) refers to policies, procedures, and technical controls to prevent the malicious abuse of privileged accounts and to mitigate risks from weak configuration control over privileges.
Zero trust uses systems such as continuous authentication and conditional access to mitigate privilege escalation and account compromise by threat actors.
An organization hired a security firm to hack into its systems in order to determine what type of exploitable weaknesses the organization was vulnerable to. What kind of testing is this?
A. Vulnerability scanning
B. Penetration testing
C. Threat hunting
D. Zero-day
B. Penetration testing
This kind of testing is penetration testing, also known as a pen test, which uses authorized hacking techniques to discover exploitable weaknesses in the target’s security systems.
Automated vulnerability scanning software makes use of the Common Vulnerabilities and Exposures (CVE) dictionary to discover vulnerabilities on live systems.
Security Information and Event Management (SIEM) performs threat hunting and integrates vulnerability and threat assessment efforts through the automated collection, aggregation, and analysis of log data.
A zero-day is a vulnerability that threat agents exploit before the developer knows about it or can release a patch.
An organization deployed components so that they could use NetFlow to measure network traffic statistics. Which of the deployed components needs a high bandwidth network link and substantial storage capacity?
A. NetFlow exporter
B. NetFlow collector
C. NetFlow analyzer
D. IPFIX
B. NetFlow collector
A NetFlow collector needs a high bandwidth network link and substantial storage capacity because it aggregates flows from multiple exporters and a large network can generate huge volumes of flow traffic and data records.
A NetFlow exporter is configured on network appliances (switches, routers, and firewalls) and has a flow defined on it.
A NetFlow analyzer reports and interprets information by querying the collector and can generate alerts and notifications.
IP Flow Information Export (IPFIX) is an IETF standard; Cisco has redeveloped NetFlow to meet it.
The amount of data traffic both sent and received or calculated as a percentage of the available bandwidth is known as which interface monitoring metric?
A. Resets
B. Speed
C. Utilization
D. Duplex
C. Utilization
Utilization is the amount of data traffic both sent and received, or the same figure calculated as a percentage of the available bandwidth.
Resets are the number of times an interface has restarted over the counter period. Interfaces could restart automatically if traffic volume is very high, or a large number of errors are experienced.
Speed is the rated speed of the interface, measured in Mbps or Gbps. For wired Ethernet links, this will not usually vary, but the bandwidth of WAN and wireless links may change over time.
Most Ethernet interfaces operate in full-duplex mode. If an interface is operating in half-duplex mode, there is likely to be some sort of problem, unless you are supporting a legacy device.
An employee logs into their computer when they arrive at work and, regardless of what network resources they access throughout the day, they do not have to log in to anything else. What type of authentication is this?
A. Windows local sign-in
B. Windows network sign-in
C. Remote sign-in
D. Single sign-on
D. Single sign-on
A single sign-on (SSO) system allows the user to authenticate once to a local device and it authorizes them to access compatible application servers without having to enter credentials again.
Windows local sign-in is when the Local Security Authority (LSA) compares the submitted credential to a hash stored in the Security Accounts Manager (SAM) database, which is part of the registry.
Windows network sign-in is when the LSA can pass the credentials for authentication to a network service. The preferred system for network authentication is based on Kerberos.
In remote sign-in, authentication of a user’s device can take place over some type of virtual private network (VPN) or web portal if it is not on the local network.
An organization has identified continually processing customer payments and paying employee salaries as mission essential functions that must continue to keep the business running even in the event of a service disruption. What kind of assessment did the organization use to make these determinations?
A. Risk assessment
B. Posture assessment
C. Process assessment
D. Business impact analysis
C. Process assessment
The organization used a process assessment which involves identifying critical systems and assets that support mission essential functions.
Risk assessment is a subset of risk management where an organization evaluates its systems and procedures for risk factors. Separate assessments can perform an initial evaluation and ongoing monitoring of threats, vulnerabilities, and security posture.
A posture assessment is the overall status of risk management and shows which risk response options the organization can identify and prioritize.
Business impact analysis (BIA) is the process of assessing what losses might occur for a range of threat scenarios.
Network users are reporting issues with videos constantly buffering. What kinds of issues should the administrator test for? (Select all that apply.)
A. Success/fail type events
B. Packet loss
C. Latency
D. Jitter
B. Packet loss
C. Latency
D. Jitter
The administrator should test for packet loss or delay which, when excessive, can exhaust the buffer and cause noticeable audio or video problems (artifacts) for users.
The administrator should test for latency which is the time it takes for a transmission to reach the recipient, measured in milliseconds (ms).
The administrator should test for jitter, which is a variation in the delay and manifests as an inconsistent rate of packet delivery.
Success/fail type events are associated with audit logs that record the use of authentication and authorization privileges and would not be associated with video buffering.
A security administrator is studying the relationship between vulnerabilities, threats, and risks. Which of the following is a true statement regarding these categories?
A. A threat is a potential for an entity to breach security
B. Risk = vulnerability * threat
C. A vulnerability is the likelihood or impact of a threat
D. Weaknesses in a system that can be triggered are risks
A. A threat is a potential for an entity to breach security
A threat is a potential for someone or something to exploit a vulnerability and breach security. A threat may be intentional or unintentional. The person or thing that poses the threat is called a threat actor or threat agent. The path or tool used by a malicious threat actor can be referred to as the attack vector.
To calculate risk, multiply impact by likelihood (not vulnerability by threat).
A vulnerability is a weakness that could be accidentally triggered or intentionally exploited to cause a security breach.
Risk is the likelihood and impact (or consequence) of a threat actor exercising a vulnerability.
Which of the following processes of an identity and access management (IAM) system proves that the user is who they say they are?
A. Identification
B. Authentication
C. Authorization
D. Accounting
B. Authentication
The authentication process proves that a subject is who or what it claims to be when it attempts to access a resource.
The identification process involves an administrator or system creating an account or ID that identifies the user, device, or process on the network.
The authorization process involves determining what rights subjects should have on each resource and enforcing those rights.
The accounting process tracks authorized usage of a resource or use of rights by a subject and alerts when the system detects unauthorized use or attempted unauthorized use.
A sysadmin is looking into bandwidth management. Which kind of bandwidth management technology uses a header field to indicate a priority value for a layer 3 (IP) packet?
A. IEEE 802.1p
B. DiffServ
C. Traffic shaper
D. Expedited forwarding
B. DiffServ
The Differentiated Services (DiffServ) framework classifies each packet passing through a layer 3 device and can use defined router policies to use packet classification to prioritize delivery.
IEEE 802.1p can operate at Layer 2 (independently or in conjunction with DiffServ) to classify and prioritize traffic passing over a switch or wireless access point, but it does not use a layer 3 header field.
Traffic shapers delay certain packet types based on their content to ensure that other packets have a higher priority.
Expedited forwarding is one of the three types of DiffServ traffic classes and has the highest priority of the three.
An organization is using Lightweight Directory Access Protocol (LDAP) to update the directory database. The administrator insists that the steps to ensure access to the directory is secure have already been completed. What authentication methods will the administrator disable? (Select all that apply.)
A. SASL
B. Simple bind
C. No authentication
D. LDAPS
B. Simple bind
C. No authentication
Since the administrator insists on secure access, the administrator will disable simple bind, in which the client must supply its distinguished name (DN) and password, but these are sent in plaintext.
Since the administrator insists on secure access, the administrator will disable no authentication, which grants anonymous access to the directory, on the server.
In Simple Authentication and Security Layer (SASL), the client and server negotiate the use of a supported authentication mechanism, such as Kerberos. This is the preferred mechanism for Microsoft’s Active Directory (AD) implementation of LDAP.
In LDAP Secure (LDAPS), the administrator installs the server with a digital certificate which it uses to set up a secure tunnel for the user credential exchange. LDAPS uses port 636.
A security professional is working to identify all the ways a threat agent can breach security. What security concept does the threat actor represent?
A. Vulnerability
B. Availability
C. Threat
D. Risk
C. Threat
This represents a threat which is the potential for someone or something to exploit a vulnerability and breach security. A threat may be intentional or unintentional.
A vulnerability is a weakness that someone could accidentally trigger or intentionally exploit to cause a security breach.
Availability is one of the properties of the CIA Triad and means that information is accessible to those authorized to view or modify it.
A risk is a likelihood and impact or consequence of a threat actor exercising a vulnerability either intentionally or unintentionally to cause a security breach.
An organization that issues public keys should obtain a digital certificate. What does the digital certificate contain? (Select all that apply.)
A. Information on the certificate’s guarantor
B. Information about the subject
C. Public key infrastructure
D. The subject’s public key
A. Information on the certificate’s guarantor
B. Information about the subject
D. The subject’s public key
The validity of the certificate is guaranteed by a certificate authority (CA) and the certificate will contain information about the certificate’s issuer or guarantor.
A digital certificate will contain information about the subject. The CA digitally signs the certificate to prove that it was issued to the subject by a particular CA.
Under PKI, anyone issuing public keys should obtain a digital certificate and the digital certificate is essentially a wrapper for a subject’s (or end entity’s) public key.
Public key infrastructure (PKI) aims to prove that the owners of public keys are who they say they are and, under PKI, anyone issuing public keys should obtain a digital certificate.
A security company is working with a new customer and is describing different kinds of attacks they have discovered through research. What form of threat research does this represent?
A. Behavioral threat research
B. Reputational threat intelligence
C. Threat data
D. Threat assessment
A. Behavioral threat research
This represents behavioral threat research, which is a narrative commentary describing examples of attacks and the tactics, techniques, and procedures (TTPs) gathered through primary research sources.
Reputational threat intelligence consists of lists of IP addresses and domains associated with malicious behavior, plus signatures of known file-based malware.
Threat data is computer data that can correlate events observed on a customer’s own networks and logs with known TTPs and threat actor indicators.
Threat assessment is not a form of threat research; rather, it is the process of identifying threat sources and profiling the types and capabilities of threat actors.
An administrator needs to perform maintenance on routers and switches and is authenticating to them over TCP port 49. What protocol is the administrator using?
A. TACACS+
B. RADIUS
C. EAP
D. IEEE 802.1X Port-based NAC
A. TACACS+
The administrator is using TACACS+, which is a protocol used to authenticate administrative access to routers and switches and uses TCP port 49.
Remote Authentication Dial-in User Service (RADIUS) is a protocol used for client device access over switches, wireless networks, and VPNs, and typically uses UDP ports 1812 and 1813.
Extensible Authentication Protocol (EAP) provides a framework for deploying multiple types of authentication protocols and technologies, allowing many different authentication methods to be used.
The IEEE 802.1X Port-based Network Access Control (NAC) protocol provides the means of using an EAP method when a device connects to an Ethernet switch port, wireless access point, or VPN gateway.