4.5

Question 1

A network device that sits inline in the network and makes decisions about whether traffic should be allowed or disallowed.

Answer 1

Firewall

Question 2

Traditional firewalls operate based on ____

Answer 2

Ports

Question 3

NGFWs operate based on ____

Answer 3

Applications AND ports

Question 4

True/False

Firewalls can be used as VPN concentrators that can encrypt/decrypt traffic

They can also perform routing services, like NAT and dynamic routing

Answer 4

True

Question 5

Most firewall rules start from the ____ of the rule base and go to the ____.

This also means that firewall rules start more ____ and become more ____.

Answer 5

Top-to-bottom

Specific; broad/generic

Question 6

Most firewalls include an ____ at the bottom of the rule base. That means that if a packet did not match any of the rules, it will be dropped.

Answer 6

Implicit deny

Question 7

A rule base/policy list in a firewall is also described as

Answer 7

ACL

Question 8

A part of the network that holds devices and services meant to be accessible to the internet. It does not contain any sensitive corporate data.

It is separated from the internal network so as to prevent attackers from gaining access to confidential data.

Answer 8

Screened subnet

AKA DMZ

Question 9

Screened subnet is AKA

Answer 9

DMZ

Question 10

IPS is often included in an ____

Answer 10

NGFW

Question 11

2 ways that an IPS identifies malicious traffic

Answer 11

Signature-based

Anomaly-based

Question 12

When an IPS tries to identify malicious traffic based on signatures, what is it looking for?

Answer 12

Perfect matches to known-bad code

Question 13

When an IPS tries to identify malicious traffic based on anomalous behavior, what is it looking for? (2)

Answer 13

Deviations from baselines
Pattern detection of malicious traffic

Question 14

Technology that controls traffic based on data within the content (web sites, files, etc.)

Answer 14

Content filtering

Question 15

Technology that allows or restricts access based on a URL

Answer 15

URL scanning

Question 16

URL stands for

Answer 16

Uniform Resource Locator

Question 17

URL is AKA

Answer 17

URI

Question 18

URI stands for

Answer 18

Uniform Resource Identifier

Question 19

URL scanning is often integrated into an ____

Answer 19

NGFW

Question 20

A content filter that is installed as software on the user’s device

Answer 20

Agent-based

Question 21

Why would content filter agents be installed on a user’s device, instead of existing only on the network’s firewall?

Answer 21

Many people work from home or travel for work. They will not always be in the corporate network that has the content filter.

Question 22

4 features of proxies other than NAT

Answer 22

Caching

Access control - limits which devices can communicate with the internet

URL filtering

Content scanning

Question 23

Forward proxy is AKA

Answer 23

Internal proxy

Question 24

A proxy that requires some configuration to let applications know how to use it

Answer 24

Explicit proxy

Question 25

A proxy that requires no configuration with applications

Answer 25

Transparent proxy

Question 26

Content/URL filters can filter based on content, FQDN, and ____

Answer 26

Reputation/risk

Trustworthy to high risk

Question 27

2 ways to assign a reputation to a website for the use of a content/URL filter

Answer 27

Automated reputation - site is scanned and assigned a rep based on the content

Manual reputation - manager can assign a rep

Question 28

A method of performing content filtering without a content/URL filter, NGFW, or firewall.

Answer 28

DNS filtering

Question 29

How does DNS filtering work?

Answer 29

Real-time threat intelligence is constantly being updated. Administrators can configure the DNS server to not provide the user with the IP address of known-bad FQDNs.

Question 30

What is one positive of using DNS filtering?

Answer 30

It does not work with just web pages.

If malware on a device is attempting to connect with a known-bad C2 server, the DNS server will block that.

Question 31

A database containing all of the components of your network - computers, user accounts, file shares, printers, groups, etc.

It authenticates users, centralizes access control, and can perform administrative tasks like resetting passwords and removing accounts.

This solution is primarily Windows-based.

Answer 31

Active Directory

Question 32

Security policies that enforce configuration settings and permissions for groups or individual users and devices.

Answer 32

Group Policy

Question 33

A console that can configure login scripts when a user connects to the network, enforce QoS network configurations, and set security parameters that all users and devices must follow.

Answer 33

Group Policy Management Editor

Question 34

Patches that enhance the security of Linux, including the addition of:

Mandatory access control
Least privilege

Answer 34

SELinux

Question 35

Most default Linux distributions use ____ access control

Answer 35

Discretionary

Question 36

A secure alternative to Telnet

Answer 36

SSH

Question 37

A secure alternative to HTTP

Answer 37

HTTPS

Question 38

A secure alternative to IMAP

Answer 38

IMAPS

Question 39

A secure alternative to FTP

Answer 39

SFTP

Question 40

True/False

Secure and insecure versions of the same protocol (ex. HTTP vs HTTPS) use different ports.

So if you use the “secure”-assigned port, you can be sure that your packets are encrypted.

Answer 40

False

Just because you use the port doesn’t mean that you’re actually using the secure protocol. To make sure, you need to use a sniffer to capture packets and verify that the secure version of the protocol is being used.

Question 41

Instead of relying on your applications to encrypt the data, what can you do to ensure all information being sent over the network is encrypted? (2)

Answer 41

Configure an encryption protocol directly on the AP. That way, all data sent over the network will be encrypted. (ex. WPA3)

Or you can use a VPN.

Question 42

A device that evaluates the source of the inbound email messages. It resides inside of the screened subnet/DMZ

It blocks any suspicious emails at the gateway before it reaches the user. This means it is either discarded entirely or put into your spam folder.

This device can be onsite or cloud-based.

It is often called the gatekeeper of the organization’s email.

Answer 42

Mail gateway

Question 43

SPF stands for

Answer 43

Sender Policy Framework

Question 44

An email authentication system/protocol that defines which mail servers are allowed to send emails on your organization’s behalf.

An administrator can manually add records of safe servers.

Answer 44

SPF

Question 45

A list of mail servers authorized to send email message on your organization’s behalf. Receiving mail servers can perform a check on this list to see if the incoming mail really did come from an authorized host.

Answer 45

SPF record

Question 46

DKIM stands for

Answer 46

Domain Keys Identified Mail

Question 47

DMARC stands for

Answer 47

Domain-based Message Authentication, Reporting, and Conformance

Question 48

An authentication protocol that is used to verify the sender of an email. It does this by storing a list of the sender’s public key(s) to verify digital signatures.

When the receiving email server checks the list of valid public keys, it will know that the supposed sender did indeed send the message.

This digital signature is verifying the email sender, NOT the integrity of the message. The end user does not see this signature.

Answer 48

DKIM

Question 49

A list of public keys stored on an organization’s network that helps receiving email servers verify that a message did indeed come from that organization.

Answer 49

DKIM TXT

AKA DKIM record

Question 50

A record in text format that contain information about your domain. Which email servers you use, what you want to happen to emails that don’t validate properly, and the public keys to your org’s digital signatures are all on this type of record.

Answer 50

DNS TXT record

Question 51

An email security protocol that allows an administrator to define what they want to happen to emails supposedly from their organization’s address that do not authenticate properly.

Answer 51

DMARC

Question 52

An email security protocol that creates and sends compliance reports to an administrator listing the statistics of how many emails from the organization were validated properly, and how many did not. This gives an idea of how many attackers are using your organization’s email address to send out spoofed emails.

Answer 52

DMARC

Question 53

The 2 primary functions of DMARC

Answer 53

Tells what to do with unable-to-be-validated emails

Produces compliance reports of how many emails validated correctly vs how many did not

Question 54

Difference between DKIM and DMARC

Answer 54

DKIM attempts to verify whether an email is legitimate by validating public keys from the organization that the email was supposedly sent from

DMARC reaches out to the legitimate organization to find out what to do with emails that did not validate correctly. This could indicate that someone spoofed this organization’s email address.

Question 55

FIM stands for

Answer 55

File Integrity Monitoring

Question 56

Software that monitors files and configurations that should rarely be changed (mainly OS components, application files). If these files change, this software alerts an administrator.

Answer 56

FIM

Question 57

Windows’ on-demand FIM software

Answer 57

SFC

Question 58

SFC stands for

Answer 58

System File Checker

Question 59

Linux’s FIM software

Answer 59

Tripwire

Question 60

True/False

HIPS can perform FIM functions, but NIPS cannot.

Answer 60

True

HIPS can look at all of the files on the host it is downloaded onto. But a NIPS cannot access these files so readily, since it does not reside on a host device.

Question 61

A monitoring tool that can look for sensitive data being sent across the network, and block that data in real-time.

Answer 61

DLP

Question 62

True/False

Because a DLP has to look at so many sources and destinations for data leakage, it is best practice to have multiple DLP solutions all in different places on the network.

Answer 62

True

Question 63

DLP solutions that are installed on a device monitor data ____

Answer 63

in use

Question 64

DLP solutions that sit inside of the network monitor data ____

Answer 64

in motion

Question 65

DLP solutions that reside on a server monitor data ____

Answer 65

at rest

Question 66

A DLP solution installed on a device is AKA

Answer 66

Endpoint DLP

Question 67

A DLP function that prevents data exchange to/from a USB device

Answer 67

USB blocking

Question 68

A DLP solution that can manage access to URLs, block viruses and malware, and block custom defined data strings that are unique to your organization.

Answer 68

Cloud-based DLP

Question 69

A DLP solution that works by blocking keywords, identifying imposters, quarantining incoming messages, and blocking the exfiltration of sensitive corporate information.

It checks inbound and outbound emails–both internal systems or cloud-based.

Answer 69

Email-based DLP

Question 70

The part of the network that is the link between the internal network and the internet. It is the “internet link”

Answer 70

Edge

Question 71

How do you most commonly protect the edge of a network? (2)

Answer 71

Firewall
Access control - by group, location, what application to access the resource, etc.

Question 72

True/False

Firewall rules change often, while access control rules are mainly static.

Answer 72

False

Firewall rules are mainly static, but access control rules can change at any time to reflect new security policies or give certain individuals more/less access.

Question 73

This occurs when a computer is making a new connection with a network - especially for remote connections. It is a check to make sure that the computer is healthy, updated, provides full-disk encryption, and is running the necessary applications (and none of the banned applications).

Answer 73

Posture assessment

Question 74

A posture assessment agent that is permanently installed onto a system.

Answer 74

Persistent agent

Question 75

A posture assessment agent that requires no formal installation. It executes during a login/connection process, performs a check, and then removes itself from that system.

Answer 75

Dissolvable agent

Question 76

A posture assessment agent that is integrated with Active Directory. It does not reside on the connecting client at any point. It runs checks during login and logoff. Checks cannot be scheduled since there is no local agent; it is integrated with the database instead.

Answer 76

Agentless NAC

Question 77

3 types of posture assessment agents

Answer 77

Permanent agent
Dissolvable agent
Agentless NAC

Question 78

A modern way of monitoring endpoint that exists as a lightweight agent on an endpoint. It utilizes root cause analysis, behavioral analysis, virus signatures, machine learning, and process learning. It correlates all of these together to determine whether a threat exists.

After it discovers a threat, it will isolate the system, quarantine the threat, and rollback to a known-good backup. This all happens automatically since it is API-driven.

Answer 78

EDR

Question 79

An evolution of EDR that adds network-based detection, rather than just endpoint detection. It can correlate data and data types from endpoints, networks, and clouds to improve detections and simply security event investigations.

Beyond that, it also improves missed detections, false positives, and long investigation times.

Answer 79

XDR

Question 80

XDR stands for

Answer 80

Extended Detection and Response

Question 81

An XDR method of examining the behavior of users to build a baseline with which to compare anomalous traffic to. This analysis occurs in real-time.

Answer 81

User behavior analytics