4.3

Question 1

intrusion prevention system (IPS) Actions

Answer 1

Alerts/alarms and verbose dumps
Block attackers inline and drop packets
Syslog, Simple Network Management Protocol
(SNMP), and NetFlow outputs
Integrate with security information and event
management (SIEM) and security orchestration,
automation, and response (SOAR) systems

Question 2

web filter

Answer 2

an application layer gateway server or service (physical or virtual dedicated to analysis and
control of HTTP and HTTPS traffic

Question 3

Agent-based web filters require:

Answer 3

the deployment of
lightweight software packages on network devices,
whereas agentless filters can be instantly deployed
in Random Access Memory (RAM) or persistently
without any manual configuration

Question 4

Web reputation services accuracy is typically determined by :

Answer 4

the breadth, depth, and variety of
the data being used

Question 5

Group Policy (GP)

Answer 5

a Microsoft Windows service
that enabled IT administrators to centrally manage
and configure the settings on Windows operating
systems

Question 6

Group Policy can manage:

Answer 6

operating system settings,
applications, browsers, and user settings

Question 7

Some Group Policy examples include:

Answer 7

• Password Policy
• Screen Lock
• Power Settings
• Map Network Drives
• Install printers, software, desktop shortcuts, etc.
• Software restrictions (blocking access to programs)

Question 8

Group Policy Objects (GPOs)

Answer 8

are collections of policy
settings that apply to the domain (or OU) to manage
users, computers, or the entire domain

Question 9

Security Enhanced Linux (SELinux)

Answer 9

an access
control system built into the Linux kernel

Question 10

Security Enhanced Linux (SELinux) is used:

Answer 10

to enforce the resource policies that
define what level of access users, programs, and
services have on a system

enforces principle of least privilege

Question 11

The most common are targeted policy or multi-level
security (MLS):

Answer 11

• Targeted policy is the default option and covers a
  range of processes, tasks, and services
• MLS can be very complicated and is typically only
  used by government organizations

Question 12

Intrusion detection system (IDS)

Answer 12

Known as a passive, as it takes no action to protect or defend your network beyond its role as an alarm system it uses sensors and collectors to detect, suspicious activities 

Question 13

Intrusion prevention system (IPS)

Answer 13

A more aggressive and actively protects a network by not only identifying suspicious activities, but also taking swift action to actively block or mitigate threats, ensuring that the network remains resilient against potential threats 

Question 14

Network – based IPS (NIPS)

Answer 14

Placed very close to the firewall to filter all traffic coming into the network

Can only operate on a network, not a host device 

Question 15

DNS filtering

Answer 15

the technique of using DNS to block
malicious websites and filter out damaging or unsuitable content

**least secure network

Question 16

DNS filtering ensures:

Answer 16

the organizational data stays secure and private

Question 17

DNS filtering can blocklist web attributes based on:

Answer 17

domain or ip address

Question 18

domain

Answer 18

The DNS resolver does not resolve (or look up) the IP addresses for certain domains at all

Question 19

IP address

Answer 19

The DNS resolver attempts to resolve all domains, but if the IP address is on the blocklist,
the resolver will not send it back to the requestor

Question 20

DNS Security Extensions (DNSSEC)

Answer 20

adds a layer of trust on top of DNS by providing authentication

adding additional DNS record types (for cryptographic signatures)

Question 21

To facilitate signature validation, DNSSEC adds a few new DNS record types:

Answer 21

• RRSIG – contains a cryptographic signature
• DNSKEY – contains a public signing key
• DS – contains the hash of a DNSKEY record
• NSEC and NSEC3 – for explicit denial-of-existence of a
  DNS record
• CDNSKEY and CDS – for a child zone requesting
  updates to DS record(s) in the parent zone

Question 22

OpenDNS (umbrella solution)

Answer 22

a company that offers DNS resolution
services and a suite of consumer solutions with the
goal of making the Internet faster, safer, and more
reliable

Question 23

Sender Policy Framework (SPF)

Answer 23

an open standard
that introduces a method to prevent sender
address forgery

Question 24

SPF (info)

Answer 24

More precisely, the current version of SPF —
called SPFv1 or SPF Classic — protects the
envelope sender address, which is used for
messages delivery

Question 25

OpenDNS (umbrella solution) info

Answer 25

It is also a cloud-delivered enterprise security
service that protects against threats on the Internet;
OpenDNS’s consumer products include parental and
content filtering, web performance, and web security

Question 26

The SPF solution requires two sides to work together:

Answer 26

1. The domain owner publishes this information in
   an SPF record in the domain’s DNS zone, and
   when someone else’s mail server receives a
   message claiming to come from that domai
2. The receiving server can check whether the
   message complies with the domain’s stated policy

Question 27

Domainkeys identified mail (DKIM)

Answer 27

an email authentication method conducted between the outbound and inbound mail server or
Message Transfer Agents (MTAs)

Question 28

With DKIM, If the public key does not match the signature, it may be because:

Answer 28

• The email was not sent from the mail server
  designated in the email header but was sent from
  another (spoofed) server instead
• The email was modified in transit to the recipient
• For instance, an attacker could intercept an email
  that was sent from a valid mail server, change it and
  then resend it

Question 29

domain-based message authentication reporting and conformance (DMARC)

Answer 29

an email authentication, policy, and
reporting protocol

empowers domain owners to dictate the actions taken when their emails fail authentication tests

Question 30

DMARC builds on the widely deployed SPF and DKIM
protocols, offering:

Answer 30

• Linkage to the sender (“From:”) domain name
• Published policies for recipient handling of
  authentication failures
• Reporting from receivers to senders, to enhance and
  monitor protection of the domain from fraudulent
  email

Question 31

email security gateways

Answer 31

special gateway appliances are dedicated email security services that work in or with MTAs to
protect electronic mail

Question 32

File Integrity Monitoring (FIM)

Answer 32

examines operating system
files, configuration files, registries, application
software, and Linux system files for changes and
indicators of compromise

Question 33

Windows FIM provides alerts about suspicious activity such as:

Answer 33

• File and registry key creation or removal
• File modifications (changes in file size, access control
  lists, and hash of the content)
• Registry modifications (changes in size, access control
  lists, type, and content)

Question 34

There are a variety of hardware/software solutions
that cam mitigate data leakage and data loss:

Answer 34

• Secure email gateways
• Cloud-based email security
• Cloud access security brokers (CASB)
• Endpoint detection and response (EDR)
• Database activity monitoring (DAM)

Question 35

• Network admission control (NAC)

Answer 35

It typically enables 802.1X port-based network
access control (PNAC) on Layer 2 and Layer 3 networks

Question 36

endpoint detection and response (EDR) tools focus on

Answer 36

detecting and investigating
suspicious activities and are indicators of compromise (IoCs) on hosts/endpoints

Question 37

EDR monitors:

Answer 37

endpoint and network events and
send information to a SEIM system or centralized
database so further analysis, investigation, and
reporting can take place