4.5 Flashcards

Firewalls, web filtering, operating system security, secure protocols, email security, monitoring data, endpoint security

1
Q

A network device that sits inline in the network and makes decisions about whether traffic should be allowed or disallowed.

A

Firewall

2
Q

Traditional firewalls operate based on ____

A

Ports

3
Q

NGFWs operate based on ____

A

Applications AND ports

4
Q

True/False

Firewalls can be used as VPN concentrators that can encrypt/decrypt traffic

They can also perform routing services, like NAT and dynamic routing

A

True

5
Q

Most firewall rules start from the ____ of the rule base and go to the ____.

This also means that firewall rules start more ____ and become more ____.

A

Top-to-bottom

Specific; broad/generic

6
Q

Most firewalls include an ____ at the bottom of the rule base. That means that if a packet does not match any of the rules, it will be dropped.

A

Implicit deny

7
Q

A rule base/policy list in a firewall is also described as

A

ACL

8
Q

A part of the network that holds devices and services meant to be accessible to the internet. It does not contain any sensitive corporate data.

It is separated from the internal network so as to prevent attackers from gaining access to confidential data.

A

Screened subnet

AKA DMZ

9
Q

Screened subnet is AKA

A

DMZ

10
Q

IPS is often included in an ____

A

NGFW

11
Q

2 ways that an IPS identifies malicious traffic

A

Signature-based

Anomaly-based

12
Q

When an IPS tries to identify malicious traffic based on signatures, what is it looking for?

A

Perfect matches to known-bad code

13
Q

When an IPS tries to identify malicious traffic based on anomalous behavior, what is it looking for? (2)

A

Deviations from baselines
Pattern detection of malicious traffic

14
Q

Technology that controls traffic based on data within the content (web sites, files, etc.)

A

Content filtering

15
Q

Technology that allows or restricts access based on a URL

A

URL scanning

16
Q

URL stands for

A

Uniform Resource Locator

17
Q

URL is AKA

A

URI

18
Q

URI stands for

A

Uniform Resource Identifier

19
Q

URL scanning is often integrated into an ____

A

NGFW

20
Q

A content filter that is installed as software on the user’s device

A

Agent-based

21
Q

Why would content filter agents be installed on a user’s device, instead of existing only on the network’s firewall?

A

Many people work from home or travel for work. They will not always be in the corporate network that has the content filter.

22
Q

4 features of proxies other than NAT

A

Caching

Access control - limits which devices can communicate with the internet

URL filtering

Content scanning

23
Q

Forward proxy is AKA

A

Internal proxy

24
Q

A proxy that requires some configuration to let applications know how to use it

A

Explicit proxy

25
Q

A proxy that requires no configuration with applications

A

Transparent proxy

26
Q

Content/URL filters can filter based on content, FQDN, and ____

A

Reputation/risk

Trustworthy to high risk

27
Q

2 ways to assign a reputation to a website for the use of a content/URL filter

A

Automated reputation - site is scanned and assigned a rep based on the content

Manual reputation - manager can assign a rep

28
Q

A method of performing content filtering without a content/URL filter, NGFW, or firewall.

A

DNS filtering

29
Q

How does DNS filtering work?

A

Real-time threat intelligence is constantly being updated. Administrators can configure the DNS server to not provide the user with the IP address of known-bad FQDNs.

30
Q

What is one positive of using DNS filtering?

A

It does not work with just web pages.

If malware on a device is attempting to connect with a known-bad C2 server, the DNS server will block that.

31
Q

A database containing all of the components of your network - computers, user accounts, file shares, printers, groups, etc.

It authenticates users, centralizes access control, and can perform administrative tasks like resetting passwords and removing accounts.

This solution is primarily Windows-based.

A

Active Directory

32
Q

Security policies that enforce configuration settings and permissions for groups or individual users and devices.

A

Group Policy

33
Q

A console that can configure login scripts when a user connects to the network, enforce QoS network configurations, and set security parameters that all users and devices must follow.

A

Group Policy Management Editor

34
Q

Patches that enhance the security of Linux, including the addition of:

Mandatory access control
Least privilege

A

SELinux

35
Q

Most default Linux distributions use ____ access control

A

Discretionary

36
Q

A secure alternative to Telnet

A

SSH

37
Q

A secure alternative to HTTP

A

HTTPS

38
Q

A secure alternative to IMAP

A

IMAPS

39
Q

A secure alternative to FTP

A

SFTP

40
Q

True/False

Secure and insecure versions of the same protocol (ex. HTTP vs HTTPS) use different ports.

So if you use the “secure”-assigned port, you can be sure that your packets are encrypted.

A

False

Just because you use the port doesn’t mean that you’re actually using the secure protocol. To make sure, you need to use a sniffer to capture packets and verify that the secure version of the protocol is being used.

41
Q

Instead of relying on your applications to encrypt the data, what can you do to ensure all information being sent over the network is encrypted? (2)

A

Configure an encryption protocol directly on the AP. That way, all data sent over the network will be encrypted. (ex. WPA3)

Or you can use a VPN.

42
Q

A device that evaluates the source of inbound email messages. It resides inside of the screened subnet/DMZ.

It blocks any suspicious emails at the gateway before it reaches the user. This means it is either discarded entirely or put into your spam folder.

This device can be onsite or cloud-based.

It is often called the gatekeeper of the organization’s email.

A

Mail gateway

43
Q

SPF stands for

A

Sender Policy Framework

44
Q

An email authentication system/protocol that defines which mail servers are allowed to send emails on your organization’s behalf.

An administrator can manually add records of safe servers.

A

SPF

45
Q

A list of mail servers authorized to send email messages on your organization’s behalf. Receiving mail servers can perform a check against this list to see if the incoming mail really did come from an authorized host.

A

SPF record

46
Q

DKIM stands for

A

Domain Keys Identified Mail

47
Q

DMARC stands for

A

Domain-based Message Authentication, Reporting, and Conformance

48
Q

An authentication protocol that is used to verify the sender of an email. It does this by storing a list of the sender’s public key(s) to verify digital signatures.

When the receiving email server checks the list of valid public keys, it will know that the supposed sender did indeed send the message.

This digital signature is verifying the email sender, NOT the integrity of the message. The end user does not see this signature.

A

DKIM

49
Q

A list of public keys stored on an organization’s network that helps receiving email servers verify that a message did indeed come from that organization.

A

DKIM TXT

AKA DKIM record

50
Q

A record in text format that contains information about your domain. Which email servers you use, what you want to happen to emails that don’t validate properly, and the public keys for your org’s digital signatures are all on this type of record.

A

DNS TXT record

51
Q

An email security protocol that allows an administrator to define what they want to happen to emails supposedly from their organization’s address that do not authenticate properly.

A

DMARC

52
Q

An email security protocol that creates and sends compliance reports to an administrator listing the statistics of how many emails from the organization were validated properly, and how many were not. This gives an idea of how many attackers are using your organization’s email address to send out spoofed emails.

A

DMARC

53
Q

The 2 primary functions of DMARC

A

Tells what to do with unable-to-be-validated emails

Produces compliance reports of how many emails validated correctly vs how many did not

54
Q

Difference between DKIM and DMARC

A

DKIM attempts to verify whether an email is legitimate by validating public keys from the organization that the email was supposedly sent from

DMARC reaches out to the legitimate organization to find out what to do with emails that did not validate correctly. This could indicate that someone spoofed this organization’s email address.

55
Q

FIM stands for

A

File Integrity Monitoring

56
Q

Software that monitors files and configurations that should rarely be changed (mainly OS components, application files). If these files change, this software alerts an administrator.

A

FIM

57
Q

Windows’ on-demand FIM software

A

SFC

58
Q

SFC stands for

A

System File Checker

59
Q

Linux’s FIM software

A

Tripwire

60
Q

True/False

HIPS can perform FIM functions, but NIPS cannot.

A

True

HIPS can look at all of the files on the host it is downloaded onto. But a NIPS cannot access these files so readily, since it does not reside on a host device.

61
Q

A monitoring tool that can look for sensitive data being sent across the network, and block that data in real-time.

A

DLP

62
Q

True/False

Because a DLP has to look at so many sources and destinations for data leakage, it is best practice to have multiple DLP solutions all in different places on the network.

A

True

63
Q

DLP solutions that are installed on a device monitor data ____

A

in use

64
Q

DLP solutions that sit inside of the network monitor data ____

A

in motion

65
Q

DLP solutions that reside on a server monitor data ____

A

at rest

66
Q

A DLP solution installed on a device is AKA

A

Endpoint DLP

67
Q

A DLP function that prevents data exchange to/from a USB device

A

USB blocking

68
Q

A DLP solution that can manage access to URLs, block viruses and malware, and block custom defined data strings that are unique to your organization.

A

Cloud-based DLP

69
Q

A DLP solution that works by blocking keywords, identifying imposters, quarantining incoming messages, and blocking the exfiltration of sensitive corporate information.

It checks inbound and outbound emails, whether on internal systems or cloud-based.

A

Email-based DLP

70
Q

The part of the network that is the link between the internal network and the internet. It is the “internet link”.

A

Edge

71
Q

How do you most commonly protect the edge of a network? (2)

A

Firewall
Access control - by group, location, which application is used to access the resource, etc.

72
Q

True/False

Firewall rules change often, while access control rules are mainly static.

A

False

Firewall rules are mainly static, but access control rules can change at any time to reflect new security policies or give certain individuals more/less access.

73
Q

This occurs when a computer is making a new connection with a network - especially for remote connections. It is a check to make sure that the computer is healthy, updated, provides full-disk encryption, and is running the necessary applications (and none of the banned applications).

A

Posture assessment

74
Q

A posture assessment agent that is permanently installed onto a system.

A

Persistent agent

75
Q

A posture assessment agent that requires no formal installation. It executes during a login/connection process, performs a check, and then removes itself from that system.

A

Dissolvable agent

76
Q

A posture assessment agent that is integrated with Active Directory. It does not reside on the connecting client at any point. It runs checks during login and logoff. Checks cannot be scheduled since there is no local agent; it is integrated with the database instead.

A

Agentless NAC

77
Q

3 types of posture assessment agents

A

Permanent agent
Dissolvable agent
Agentless NAC

78
Q

A modern way of monitoring endpoints that exists as a lightweight agent on an endpoint. It utilizes root cause analysis, behavioral analysis, virus signatures, machine learning, and process learning. It correlates all of these together to determine whether a threat exists.

After it discovers a threat, it will isolate the system, quarantine the threat, and roll back to a known-good backup. This all happens automatically since it is API-driven.

A

EDR

79
Q

An evolution of EDR that adds network-based detection, rather than just endpoint detection. It can correlate data and data types from endpoints, networks, and clouds to improve detections and simplify security event investigations.

Beyond that, it also reduces missed detections, false positives, and long investigation times.

A

XDR

80
Q

XDR stands for

A

Extended Detection and Response

81
Q

An XDR method of examining the behavior of users to build a baseline against which anomalous traffic can be compared. This analysis occurs in real-time.

A

User behavior analytics