4.5 Flashcards
Firewalls, web filtering, operating system security, secure protocols, email security, monitoring data, endpoint security
A network device that sits inline in the network and makes decisions about whether traffic should be allowed or disallowed.
Firewall
Traditional firewalls operate based on ____
Ports
NGFWs operate based on ____
Applications AND ports
True/False
Firewalls can be used as VPN concentrators that can encrypt/decrypt traffic
They can also perform routing services, like NAT and dynamic routing
True
Most firewall rules start from the ____ of the rule base and go to the ____.
This also means that firewall rules start more ____ and become more ____.
Top-to-bottom
Specific; broad/generic
Most firewalls include an ____ at the bottom of the rule base. That means that if a packet does not match any of the rules, it will be dropped.
Implicit deny
A rule base/policy list in a firewall is also described as
ACL
A part of the network that holds devices and services meant to be accessible to the internet. It does not contain any sensitive corporate data.
It is separated from the internal network so as to prevent attackers from gaining access to confidential data.
Screened subnet
AKA DMZ
Screened subnet is AKA
DMZ
IPS is often included in an ____
NGFW
2 ways that an IPS identifies malicious traffic
Signature-based
Anomaly-based
When an IPS tries to identify malicious traffic based on signatures, what is it looking for?
Perfect matches to known-bad code
When an IPS tries to identify malicious traffic based on anomalous behavior, what is it looking for? (2)
Deviations from baselines
Pattern detection of malicious traffic
Technology that controls traffic based on data within the content (web sites, files, etc.)
Content filtering
Technology that allows or restricts access based on a URL
URL scanning
URL stands for
Uniform Resource Locator
URL is AKA
URI
URI stands for
Uniform Resource Identifier
URL scanning is often integrated into an ____
NGFW
A content filter that is installed as software on the user’s device
Agent-based
Why would content filter agents be installed on a user’s device, instead of existing only on the network’s firewall?
Many people work from home or travel for work. They will not always be in the corporate network that has the content filter.
4 features of proxies other than NAT
Caching
Access control - limits which devices can communicate with the internet
URL filtering
Content scanning
Forward proxy is AKA
Internal proxy
A proxy that requires some configuration to let applications know how to use it
Explicit proxy
A proxy that requires no configuration with applications
Transparent proxy
Content/URL filters can filter based on content, FQDN, and ____
Reputation/risk
Trustworthy to high risk
2 ways to assign a reputation to a website for the use of a content/URL filter
Automated reputation - site is scanned and assigned a reputation based on the content
Manual reputation - manager can assign a reputation
A method of performing content filtering without a content/URL filter, NGFW, or firewall.
DNS filtering
How does DNS filtering work?
Real-time threat intelligence is constantly being updated. Administrators can configure the DNS server to not provide the user with the IP address of known-bad FQDNs.
What is one positive of using DNS filtering?
It does not work with just web pages.
If malware on a device is attempting to connect with a known-bad C2 server, the DNS server will block that.
A database containing all of the components of your network - computers, user accounts, file shares, printers, groups, etc.
It authenticates users, centralizes access control, and can perform administrative tasks like resetting passwords and removing accounts.
This solution is primarily Windows-based.
Active Directory
Security policies that enforce configuration settings and permissions for groups or individual users and devices.
Group Policy
A console that can configure login scripts when a user connects to the network, enforce QoS network configurations, and set security parameters that all users and devices must follow.
Group Policy Management Editor
Patches that enhance the security of Linux, including the addition of:
Mandatory access control
Least privilege
SELinux
Most default Linux distributions use ____ access control
Discretionary
A secure alternative to Telnet
SSH
A secure alternative to HTTP
HTTPS
A secure alternative to IMAP
IMAPS
A secure alternative to FTP
SFTP
True/False
Secure and insecure versions of the same protocol (ex. HTTP vs HTTPS) use different ports.
So if you use the “secure”-assigned port, you can be sure that your packets are encrypted.
False
Just because you use the port doesn’t mean that you’re actually using the secure protocol. To make sure, you need to use a sniffer to capture packets and verify that the secure version of the protocol is being used.
Instead of relying on your applications to encrypt the data, what can you do to ensure all information being sent over the network is encrypted? (2)
Configure an encryption protocol directly on the AP. That way, all data sent over the network will be encrypted. (ex. WPA3)
Or you can use a VPN.
A device that evaluates the source of inbound email messages. It resides inside of the screened subnet/DMZ.
It blocks any suspicious emails at the gateway before they reach the user. This means they are either discarded entirely or put into your spam folder.
This device can be onsite or cloud-based.
It is often called the gatekeeper of the organization’s email.
Mail gateway
SPF stands for
Sender Policy Framework
An email authentication system/protocol that defines which mail servers are allowed to send emails on your organization’s behalf.
An administrator can manually add records of safe servers.
SPF
A list of mail servers authorized to send email messages on your organization’s behalf. Receiving mail servers can check this list to see if the incoming mail really did come from an authorized host.
SPF record
DKIM stands for
Domain Keys Identified Mail
DMARC stands for
Domain-based Message Authentication, Reporting, and Conformance
An authentication protocol that is used to verify the sender of an email. It does this by storing a list of the sender’s public key(s) to verify digital signatures.
When the receiving email server checks the list of valid public keys, it will know that the supposed sender did indeed send the message.
This digital signature is verifying the email sender, NOT the integrity of the message. The end user does not see this signature.
DKIM
A list of public keys stored on an organization’s network that helps receiving email servers verify that a message did indeed come from that organization.
DKIM TXT
AKA DKIM record
A record in text format that contains information about your domain. Which email servers you use, what you want to happen to emails that don’t validate properly, and the public keys for your org’s digital signatures are all on this type of record.
DNS TXT record
An email security protocol that allows an administrator to define what they want to happen to emails supposedly from their organization’s address that do not authenticate properly.
DMARC
An email security protocol that creates and sends compliance reports to an administrator listing statistics on how many emails from the organization validated properly and how many did not. This gives an idea of how many attackers are using your organization’s email address to send out spoofed emails.
DMARC
The 2 primary functions of DMARC
Tells what to do with emails that cannot be validated
Produces compliance reports of how many emails validated correctly vs how many did not
Difference between DKIM and DMARC
DKIM attempts to verify whether an email is legitimate by validating public keys from the organization that the email was supposedly sent from
DMARC reaches out to the legitimate organization to find out what to do with emails that did not validate correctly. This could indicate that someone spoofed this organization’s email address.
FIM stands for
File Integrity Monitoring
Software that monitors files and configurations that should rarely be changed (mainly OS components, application files). If these files change, this software alerts an administrator.
FIM
Windows’ on-demand FIM software
SFC
SFC stands for
System File Checker
Linux’s FIM software
Tripwire
True/False
HIPS can perform FIM functions, but NIPS cannot.
True
HIPS can look at all of the files on the host it is installed on. But a NIPS cannot access these files so readily, since it does not reside on a host device.
A monitoring tool that can look for sensitive data being sent across the network, and block that data in real-time.
DLP
True/False
Because a DLP has to look at so many sources and destinations for data leakage, it is best practice to have multiple DLP solutions all in different places on the network.
True
DLP solutions that are installed on a device monitor data ____
in use
DLP solutions that sit inside of the network monitor data ____
in motion
DLP solutions that reside on a server monitor data ____
at rest
A DLP solution installed on a device is AKA
Endpoint DLP
A DLP function that prevents data exchange to/from a USB device
USB blocking
A DLP solution that can manage access to URLs, block viruses and malware, and block custom defined data strings that are unique to your organization.
Cloud-based DLP
A DLP solution that works by blocking keywords, identifying imposters, quarantining incoming messages, and blocking the exfiltration of sensitive corporate information.
It checks inbound and outbound emails, whether on internal systems or cloud-based.
Email-based DLP
The part of the network that is the link between the internal network and the internet. It is the “internet link”.
Edge
How do you most commonly protect the edge of a network? (2)
Firewall
Access control - by group, location, what application to access the resource, etc.
True/False
Firewall rules change often, while access control rules are mainly static.
False
Firewall rules are mainly static, but access control rules can change at any time to reflect new security policies or give certain individuals more/less access.
This occurs when a computer is making a new connection with a network - especially for remote connections. It is a check to make sure that the computer is healthy, updated, provides full-disk encryption, and is running the necessary applications (and none of the banned applications).
Posture assessment
A posture assessment agent that is permanently installed onto a system.
Persistent agent
A posture assessment agent that requires no formal installation. It executes during a login/connection process, performs a check, and then removes itself from that system.
Dissolvable agent
A posture assessment agent that is integrated with Active Directory. It does not reside on the connecting client at any point. It runs checks during login and logoff. Checks cannot be scheduled since there is no local agent; it is integrated with the database instead.
Agentless NAC
3 types of posture assessment agents
Permanent agent
Dissolvable agent
Agentless NAC
A modern way of monitoring endpoints that exists as a lightweight agent on an endpoint. It utilizes root cause analysis, behavioral analysis, virus signatures, machine learning, and process learning. It correlates all of these together to determine whether a threat exists.
After it discovers a threat, it will isolate the system, quarantine the threat, and roll back to a known-good backup. This all happens automatically since it is API-driven.
EDR
An evolution of EDR that adds network-based detection, rather than just endpoint detection. It can correlate data and data types from endpoints, networks, and clouds to improve detections and simplify security event investigations.
Beyond that, it also reduces missed detections, false positives, and long investigation times.
XDR
XDR stands for
Extended Detection and Response
An XDR method of examining the behavior of users to build a baseline against which anomalous traffic can be compared. This analysis occurs in real-time.
User behavior analytics