2.0 - Technologies and Tools Flashcards

1
Q

Describe how the principle of least privilege would be applied to an Access Control List (ACL)

A

Most ACLs are read top to bottom, so the list would contain all of the Permit statements, with a Deny All statement at the bottom of the list.

2
Q

You would like to start blocking network traffic based on specific application actions, not just by IP and port. What solution will you need?

A

Application-Based Firewall. These can inspect traffic on the application layer and filter specific traffic for a given application.

3
Q

This security feature can look at packets within context and determine if a message is part of a conversation that started inside the network, or a new attempt from outside the network.

A

Stateful Packet Inspection, on a firewall.

4
Q

All firewall rulesets should include this rule.

A

Implicit Deny - in the form of a Deny All command at the bottom of the rule list.

5
Q

Your brand new organization will need to establish this document in order to determine how network security hardware and software are implemented.

A

Secure Network Administration Principles

6
Q

This system defines the desired operational state of systems in such a way that they can be presented as rules.

A

Rule-Based Management. This method is used for firewalls, proxies, switches, routers, anti-malware, IDS/IPS and more.

7
Q

Multiple remote users are unable to establish a VPN connection. What network device would you check first?

A

VPN Concentrator

8
Q

You need to connect an entire remote office to the main network. What type of connection should you use?

A

Site-to-Site VPN - as opposed to a Remote Access VPN, which connects a single PC.

9
Q

This set of protocols works at the network layer (layer 3) to securely exchange packets, so that all higher-layer protocols such as TCP, UDP and ICMP are encrypted.

A

IPSec

10
Q

Describe the difference between Transport Mode IPSec and Tunnel Mode IPSec.

A

Transport Mode - security is provided end-to-end, including the final link to the host. Source and destination IP addresses are not secured.

Tunnel Mode - security occurs between endpoints, but not all the way to the final host. Source and destination address are secured (with the tunnel).

11
Q

Describe the host-to-host configuration for IPSec.

A

With the Host-to-Host configuration, one or two security associations (SA) are created for each direction between two hosts.

12
Q

How does the tunnel mode of IPSec work?

A

With IPSec in tunnel mode only, the endpoint devices do not take part in IPSec, but security gateways on each side of the internet connection encrypt the data on Layer 3.

13
Q

Can IPSec be run from the endpoints and through a tunnel?

A

Yes. With this configuration, IPSec is set up on each endpoint, but also run through an IPSec tunnel between two gateway devices. This way data is protected right to the endpoint, and IP addresses are protected through the cloud.

This could be called a tunnel inside a tunnel.

14
Q

Describe the tunnel from host to gateway configuration for IPSec.

A

With tunnel from host to gateway IPSec, there is one gateway device which encrypts at layer 3 from a host in the cloud to a host on the LAN. Encryption is end to end.

19
Q

What are the two protocols used in IPSec and how do they differ?

A

The AH (Authentication Header) protocol in IPSec does not protect the IP header, so the source and destination IP addresses can be read.

The ESP (Encapsulating Security Payload) protocol in IPSec protects the entire packet, including the IP header.

They can be used separately or together, and in tunnel or transport mode.

20
Q

What are some of the components of an IDS / NIDS / NIPS?

A

An IDS will usually include:

  • Traffic collector or sensor - a log collector and/or a traffic sniffer
  • Analysis engine - The brains of the IDS
  • Signature database - reference of malicious patterns and definitions
  • User Interface and reporting
21
Q

When a home user is on a VPN connection from their PC, they can see the company network, but internet sites realize that they are at home and see them at their home IP address. How does this occur?

A

The VPN connection is set to Split Tunnel mode. In Full Tunnel mode, all of their web browsing would go through the VPN.

22
Q

Your network is heavily NAT encoded. What type of VPN would be better?

A

A TLS-based VPN will have an easier time with multiple NAT connections. IPSec-based VPNs have issues crossing multiple NAT domains.

23
Q

Home users are tired of having to sign into the VPN every morning. What can you implement so that they don’t key your car?

A

An Always-on VPN will have pre-configured settings and credentials and would not require user interaction.

24
Q

What is the difference between a NIDS and a NIPS?

A

A Network Intrusion Detection System (NIDS) will detect a network intrusion but take no action against it.

A Network Intrusion Prevention System (NIPS) has all of the features of a NIDS plus it will take steps to stop the attack.

26
Q

This type of NIPS / NIDS uses a library of patterns to detect issues.

A

Signature-Based

27
Q

This type of NIDS / NIPS uses AI algorithms to detect suspect behavior. It may be able to catch zero day attacks.

A

Heuristic/Behavioral IPS

28
Q

This IDS detection model learns what normal behavior looks like on your network, then watches for behavior that differs from that.

A

Anomaly detection model

29
Q

A NIPS would need this type of sensor; a NIDS would not.

A

A NIPS (Network Intrusion Prevention System) would need an Inline sensor so that it can directly interact with the data stream and act as a gateway.

A NIDS only detects issues, so it could use a Passive sensor, which uses a copy process to deliver the data to the IDS.

Network performance will be lower with an inline sensor.

30
Q

You have a set of SQL servers that need the highest level of protection, and only communicate on a few protocols. What type of NIDS/NIPS could you use?

A

An In-Band NIPS / NIDS will use an inline sensor and will be able to make observations and/or intervene very quickly. But performance can be an issue, especially if many traffic types are being monitored.

An Out-of-Band NIDS uses a passive sensor. It has greater flexibility, but there will be a delay before it detects an issue.

In-Band would work in this scenario, but not to protect an entire network.

31
Q

Your NIDS is connected to a larger SIEM solution. What advantage will that give you?

A

Shared analytics from the other SIEM members, which should provide better detection, fewer false positives, and better detection of Advanced Persistent Threats (APT).

32
Q

Your new intern has configured a new router for remote management via Telnet. What should you do?

A

Chastise them for not using SSH. Telnet is not secure. (But be nice about it.)

33
Q

This list on a router determines which packets are allowed to enter the network.

A

ACL (Access Control List)

34
Q

How can you reduce IP spoofing from the outside world?

A

Configure your routers with antispoofing measures. They will reject internal packets where the source IP address does not match the interface IP space.

35
Q

You have an older switch that can only be configured via SNMPv2. Is that a problem?

A

Yes. SNMPv1 and SNMPv2 send passwords in clear text. Upgrade it or replace it so that communication is in SNMPv3.

36
Q

What are the three types of port security that a switch can provide?

A

Switches can provide these types of port security:

  • Static Learning - A single MAC allowed on the port.
  • Dynamic learning - the switch learns each new MAC as it is attached.
  • Sticky learning - same as dynamic but the list is not reset on reboot
37
Q

You need your switches to route traffic. What type of switch will you need?

A

Layer 3 switches can perform routing functions. Layer 2 switches cannot.

38
Q

What protocol on a layer 2 switch will help prevent traffic loops?

A

Spanning Tree Protocol (STP) allows for multiple, redundant routing paths, while breaking any loops that occur.

39
Q

This feature of most firewalls and IDS/IPS solutions protects against DoS, DDoS, and Smurf attacks.

A

Flood Guard. It monitors traffic rates to detect these types of attacks.

40
Q

You want to limit the type of requests that can be sent to your web servers. What type of proxy should you put in front of them?

A

A Reverse Proxy will intercept all incoming requests to your web servers. It can filter traffic, decrypt SSL/TLS traffic, cache graphics and load balance.

41
Q

What system can you use to filter users’ web browsing?

A

A Forward Proxy can filter outbound web requests made by users on the network.

42
Q

You want to put users behind a proxy server without changing settings on each PC. What do you need?

A

A Transparent Proxy

(sometimes called a Force Proxy, Gateway, or Tunneling Proxy)

43
Q

This simple system filters traffic to just one program.

A

Application Proxy

(As opposed to a Multipurpose Proxy)

44
Q

List some services proxies can provide.

A

Proxies can provide:

  • Anonymization
  • Caching
  • Content Filtering
45
Q

What is an Open Proxy?

A

An Open Proxy is one that is publicly available, and can be used to circumvent corporate, school or government proxies.

46
Q

You want clients to remain connected to the same server throughout their entire session. What feature do you need on your Load Balancer?

A

Affinity-Based Scheduling

47
Q

You want your servers to each receive the same number of requests, eventually modified to account for the load on each server. What Load Balancer feature do you need?

A

Round-Robin Scheduling

48
Q

How can multiple Load Balancers be configured for redundancy?

A

Redundant load balancers can be:

  • Active-Passive - the secondary device steps in only when the primary fails.
  • Active-Active - all devices are active. (Make sure their workload does not exceed N-1 devices, or the system will crash if one device goes down.)
49
Q

What type of IP addressing do Load Balancers need to use?

A

Load Balancers use Virtual IPs, which allow multiple IPs to be reflected back to users as a single IP address.

50
Q

Is hiding the SSID of your wireless network an effective security step?

A

Not really. The SSID is still part of every packet, and can be discovered by sniffers.

51
Q

Should you rename the default SSID and disable SSID broadcast on your new Wi-Fi network?

A

Yes. These are important steps, but not a complete wireless security solution.

52
Q

You want just the five corporate-owned laptops to be on the production Wi-Fi. What type of filtering can you do, and how effective is it?

A

With a defined set of devices, you could use MAC filtering on your wireless network. But attackers could sniff out the MACs in use and spoof them.

53
Q

You want to fine-tune how far beyond the outer walls the wireless signal goes. What do you configure?

A

Signal Strength

54
Q

What wireless protocols are 2.4 GHz?

A

b/g and n are 2.4 GHz

a, n and AC are 5.0 GHz

55
Q

You want to manage all of your WAPs from a central device. What do you need?

A

A Thin, or Controller-Based, AP is designed to be managed by a controller. These systems can provide NAC (Network Access Control).

56
Q

The CIO would like to purchase a system that can collect and analyze security data from multiple sources on the network. What solution would work?

A

Security Information and Event Management (SIEM) system

57
Q

What SIEM feature allows you to collect data from multiple sources, including logs, security applications, and program feeds from security applications?

A

Aggregation

58
Q

Your SIEM notices unusual activity on a certain IP, which is not itself hostile, but will consider future activity from the IP as suspect. What SIEM feature is this?

A

Correlation

59
Q

This SIEM feature allows you to set alerts and triggers for certain events.

A

Automated Alerting and Triggers

60
Q

This SIEM feature allows you to read logs from multiple time zones without re-calculating the time stamps.

A

Time Synchronization

61
Q

You are tired of seeing the same events in a log file multiple times. What SIEM feature would resolve this?

A

Event Deduplication

62
Q

How does a SIEM aggregate data for easier access?

A

A SIEM collects many log files into a standardized data structure which security administrators can pull reports from.

“One log file to bring them all and in the darkness bind them.”

63
Q

You want to detect if any accounting data is transferred to systems outside of the accounting and administration departments. What technology do you need?

A

DLP (Data Loss Prevention) can scan packets for specific markers, such as account numbers.

64
Q

This DLP feature keeps users from transferring data on flash drives.

A

USB Blocking

65
Q

What are some of the challenges for cloud-based DLP?

A

Very large data sets

High availability

66
Q

Users might be sending sensitive information via email. You cannot block all email attachments, but you can use this tool.

A

Email DLP

67
Q

You want to manage each new endpoint as it connects to the network. What technology will do this?

A

NAC (Network Access Control)

68
Q

What are the two common NAC solutions?

A

The two common NAC (Network Access Control) solutions are:

  • Microsoft NAP - measures health of connecting system, requires server(s)
  • Cisco NAC - uses an appliance and allows third-party extensions
69
Q

The NAC agent will need to run on the target system to check it. How long will it be there?

A

NAC agents can be Dissolvable or Permanent.

70
Q

What are some of the common Host Health Checks performed by a NAC?

A

A NAC agent may perform these Host Health Checks:

  • Agent check
  • Antivirus solution present
  • Recent OS patches installed
  • Applications patched
71
Q

Can a NAC work without an agent?

A

Agentless NACs exist. The agent resides on the network and is deployed to memory on the PC for temporary use.

72
Q

List some features of a spam filter built into your Mail Gateway:

A

Mail Gateway Spam Filter features include:

  • Blacklisting
  • Content filtering
  • Trusted servers
  • Delay-based filtering
  • Reverse DNS checks
  • Callback verification
  • Statistical content filtering
  • Rule-based filtering
  • Egress filtering
  • Hybrid filtering
73
Q

How can a Mail Gateway guard against data loss?

A

DLP (Data Loss Prevention) can be applied to the mail gateway. It can be integrated into a larger DLP system, or stand-alone.

74
Q

This network device connects to separate network segments on Layer 2.

A

Bridge

75
Q

Most of the CPU overhead on your web servers is being used for SSL/TLS encryption. What can be done to alleviate this?

A

An SSL/TLS Accelerator could be installed between the internet and the web servers. The device is transparent and more cost effective than ramping up resources on the web servers.

76
Q

How can you inspect traffic entering or leaving the network that is SSL/TLS encrypted?

A

An SSL Decryptor will use the equivalent of a man-in-the-middle to decrypt and check the data. SSL Decryptors are a feature of Next Generation Firewalls (NGFW).

77
Q

You need to enable fast throughputs, multiple channels and multiple protocols for streaming media in your conference rooms. What solution would work?

A

A Media Gateway

78
Q

What is the best way to store encryption keys?

A

An HSM (Hardware Security Module) is a network or USB device that assists in encryption, hashing and digital signatures. HSMs have tamper protection features that a PC lacks.

79
Q

What type of network port does a Protocol Analyzer (aka sniffer) need?

A

A protocol analyzer needs a network port that is in promiscuous mode, so it can see all traffic, not just packets addressed to that system.

On a switched network, it will usually be plugged into a SPAN or monitor port in order to see all packets.

80
Q

You want to watch for network packets that are addressed to a rival company. What tool will give you this information?

A

A Protocol Analyzer, packet analyzer, or sniffer.

81
Q

What does Nmap do?

A

Nmap is a network scanner. A network scanner can:

  • Find live hosts
  • Find open ports
  • Search for specific ports
  • Identify services on ports

A good network scanner can use ICMP, TCP and UDP probes. ICMP is no longer the best method to find endpoints as Ping is sometimes blocked.

82
Q

What are the possible responses from a port scan with Nmap or another port scanning tool?

A

For any given port and IP, you could get the following scan responses:

  • Open - the port is ready to accept connections. It may still be filtered by a host-based firewall however.
  • Closed - an RST packet was returned. The host is blocking that port.
  • Filtered - the port was unreachable and is likely being filtered by a firewall.
  • Other - some scanners will have other responses, such as dropped, timeout, etc.
83
Q

What are the two methods of rogue system detection with a network scanner?

A

Network scanners can perform rogue system detection in two ways:

  • Active scan - looks for active, unauthorized systems
  • Passive scan - an examination of packets to look for unauthorized communications
84
Q

Describe the process of network mapping.

A

Use a network analyzer or mapper to create a map of nodes and classify each by OS, purpose, systems, etc.

85
Q

You want to check the security on the wireless network. What tool do you use?

A

Wireless Scanners, such as Kismet, NetStumbler

86
Q

You want to attempt to crack the wireless network. What tools would help?

A

Wireless Crackers such as AirSnort, AirCrack

87
Q

You want to see if users are using insecure passwords. What should you do?

A

Run a password cracker.

88
Q

What are types of Vulnerability Scanners?

A

Types of Network Vulnerability Scanners include:

  • Network - broad sweep of the network. Nessus.
  • Host - runs on the target system and just scans it. Microsoft Baseline Security Analyzer.
  • Application - looks for vulnerabilities in certain types of applications, often web applications.
89
Q

Security Content Automation Protocol (SCAP) was developed to help with what?

A

SCAP is used by many Configuration Compliance Scanners. A baseline set of security requirements is entered into the tool, and administrators are informed when systems are not in compliance.

90
Q

Hackers and pen testers often use exploitation framework tools, such as Metasploit. What do these tools do?

A

An exploitation framework tool will walk the user through a series of steps necessary to invade the target system. This is helpful since most hacks must be performed in a precise order.

91
Q

These tools can find and wipe specific data sets or whole hard drives.

A

Data Sanitization Tools

92
Q

This type of tool looks for hidden content within files and data streams.

A

Steganography Tools

(Steganos - Greek for hidden or covered)

93
Q

A hacker is able to easily find information about your web servers even though they were unable to login. What technique did they use?

A

Banner Grabbing. Services such as HTTP, FTP, SMTP and Telnet often display information about the system upon connection. Removing these banners is a good security practice.

94
Q

How does the timeline of the attack influence what types of tools are used?

A

If an attacker has lots of time, they will use passive tools. If they want to work fast, they may use active tools and hope to be done before they are detected.

95
Q

This sends a simple call and response on the ICMP protocol.

A

Ping

96
Q

This command line tool lists all active connections on your system.

A

netstat

97
Q

This command line tool shows every device between you and the target.

A

tracert

98
Q

This command line tool returns DNS resolution information from multiple authoritative and non-authoritative DNS servers.

A

nslookup (dig on Linux)

99
Q

This command line tool can provide a list of IP and MAC addresses.

A

arp

100
Q

This packet analyzer runs in a command prompt environment, a non-GUI alternative to WireShark.

A

tcpdump (or WinDump on Windows systems)

101
Q

This is a commonly used, active port scanner. It runs in a console environment.

A

nmap

102
Q

This is the tool of choice for TCP and UDP communication in Linux.

A

netcat

103
Q

Why is telnet a bad idea?

A

Telnet sends credentials in cleartext

104
Q

Tracking access violations is a good way to detect Advanced Persistent Threats (APT), but you will also find users who do not have the correct access setup. What system is often required to weed out these issues?

A

A SIEM (Security Information and Event Management) system is often needed to find access violations that are typical of an APT.

105
Q

What is the best defense against social engineering?

A

User training.

106
Q

This mobile connection type is expensive and suffers from line-of-sight issues in urban areas.

A

SATCOM

107
Q

What Bluetooth feature should always be disabled, except when needed?

A

Discovery

108
Q

This wireless technology is often used for mobile phone payment.

A

NFC

109
Q

This low-energy wireless technology is sometimes used with heart rate monitors and fitness monitors.

A

ANT

(however Bluetooth Smart is another alternative)

110
Q

This commonly used device provides an easy method for data exfiltration.

A

USB drive

111
Q

Why are push notifications a possible security threat?

A

They allow the transmission of data to the device without a request.

112
Q

How trustworthy are biometrics as a security device?

A

Not very. Most have been proven to be hackable.

113
Q

A corporate phone is prevented from accessing certain resources when it is on a public Wi-Fi connection. What is this an example of?

A

Context-Aware Authentication

114
Q

This solution will allow MDM software to control work-related content but not personal content on a device, making BYOD more feasible.

A

Containerization

115
Q

This is similar to containerization but applied to the storage system of the device.

A

Storage Segmentation

116
Q

Is Google Play or the Apple App Store a third-party app store?

A

From a corporation’s perspective they are, because they deliver apps that the corporation may not want.

117
Q

This technology allows two devices to connect directly to each other via a cable.

A

USB OTG (On-The-Go)

118
Q

Small companies, or those with many short-term workers tend to use this mobile device deployment model.

A

BYOD

119
Q

The corporation will only let you use certain models of Android or iPhone for corporate work. What deployment model is this?

A

CYOD

(Choose your own device)

120
Q

The company gave you an iPhone but said you can load your personal data on it. What deployment model is this?

A

COPE

(Corporate Owned, Personally Enabled)

121
Q

Your work phone is purchased and managed by the corporation. What deployment model is this?

A

Corporate-owned

122
Q

You want to control hostname spoofing on your network. What solution will work?

A

Switch from DNS to the DNSSEC protocol. Regular DNS works in plaintext.

123
Q

Telnet was lots of fun long ago, but now all the cool kids use…

A

SSH. It uses asymmetric encryption, but usually requires an independent source of trust with a server.

124
Q

Most modern email software supports this secured protocol.

A

S/MIME

125
Q

What is SRTP?

A

Secure Real-time Transport Protocol (SRTP) provides encryption, authentication and integrity, and replay protection to RTP data - audio and video over IP.

126
Q

This uses SSL/TLS to encrypt calls to the Active Directory server.

A

LDAPS

127
Q

FTP with SSL/TLS. What ports?

A

FTPS uses TCP 989 and 990

128
Q

FTP over SSH. What ports?

A

SFTP. Port 22, since it relies on SSH.

129
Q

What protocol can manage and monitor devices such as printers securely?

A

SNMPv3. Ports 161 and 162.

130
Q

What port does SSL/TLS use?

A

It varies depending on what protocol it is protecting. For instance HTTP is 80 and HTTPS is 443.

131
Q

IMAP ports, without and with SSL/TLS.

A

IMAP - 143

IMAP w/ SSL/TLS - 993

132
Q

What does STARTTLS do?

A

It tells clients to switch to secure ports when an unsecured email connection is detected.

133
Q

How can your time server calls be secured?

A

Only by running them through a TLS tunnel. NTP is not secure and there is no secure alternative.