701 - Section 4 Flashcards

1
Q

What makes up a secure baseline?

A

The specific device's or application's foundational security policy

2
Q

In my working experience, what is a secure baseline that I have used?

A

STIG checklists

3
Q

What is it called to apply these foundational secure configurations to the associated system?

A

Hardening

4
Q

What are three general ways to harden a mobile device?

A

Always apply updates when ready, segment the company and user data, and control the device with an MDM (mobile device manager)

5
Q

What are three ways to harden a workstation?

A

Apply and automate monthly patches, connect to a policy management system such as Active Directory Group Policy, and remove unnecessary software to limit the threats

6
Q

How do you harden network infrastructure devices?

A

Always check with the manufacturer because when they do put out security updates, while not frequent, they are usually very important.

7
Q

What are three ways to harden cloud infrastructure?

A

Apply least privilege to services, network settings, etc.; configure endpoint detection and response (EDR); always have an offsite backup

8
Q

What are four general ways to harden a server?

A

Always apply all updates, service packs, and patches; apply best practices to user accounts; limit network access; monitor and secure with antivirus/anti-malware software

9
Q

How do you harden an embedded system, given that they can be difficult to upgrade?

A

Apply security patches when available, prevent access from unauthorized users

10
Q

How do you harden an RTOS?

A

Isolate the system, run with the minimum services needed, protect with a host-based firewall

11
Q

How do you harden IoT devices?

A

Change the default passwords, deploy updates quickly, segment these devices by putting them on their own VLAN

12
Q

What is another name for a map of an organization's wireless network?

A

A site survey

13
Q

What are some of the benefits of a site survey?

A

They identify existing access points, they allow you to lay out and plan for interference, they identify wireless signal strengths

14
Q

What is an especially helpful wireless survey tool?

A

Spectrum analyzer

15
Q

What are three features that an MDM provides?

A

Centralized management of the mobile devices; sets policies on apps, data, camera, etc.; manages access control for things like screen locks and PINs

16
Q

What does BYOD stand for?

A

Bring your own device

17
Q

What does COPE stand for? And what is it?

A

Corporate-owned, personally enabled: when the company buys and controls the device but allows you to use it as a personal device as well

18
Q

What are three security concerns with a cellular network?

A

Traffic monitoring, location tracking, worldwide access to any mobile device

19
Q

What are three security concerns with a Wi-Fi network?

A

Data capture (so encrypt your data), on-path attacks, denial of service

20
Q

What is another name for Bluetooth?

A

PAN or personal area network

21
Q

How do we ensure that all wireless communication is confidential?

A

By encrypting the wireless data

22
Q

What is MIC? And what is it used for?

A

Message integrity check, and it is used to confirm that the received data is identical to the original data sent

23
Q

What is the problem with WPA2?

A

It is vulnerable to a pre-shared key (PSK) brute force attack

24
Q

What is a pre-shared key?

A

It is the wireless key that everyone uses when they connect

25
Q

What protocol solves the WPA2 PSK problem?

A

WPA3 and GCMP

26
Q

What is GCMP and what does it offer?

A

Galois Counter Mode Protocol. It offers data confidentiality with AES and a MIC with the Galois Message Authentication Code (GMAC)

27
Q

How does WPA3 resolve the issues with WPA2?

A

It includes mutual authentication and creates a shared session key without sending that key across the network; there are no more four-way handshakes or hashes, which eliminates the brute force attack vector

28
Q

What does SAE stand for, and how does it work?

A

Simultaneous authentication of equals: it uses a Diffie-Hellman derived key exchange with an authentication component, uses a different session key even with the same pre-shared key, and includes an IEEE standard, the Dragonfly handshake

29
Q

Where do you configure security on a wireless network?

A

On your wireless access point or wireless router

30
Q

What are three wireless security modes?

A

Open system, which means no authentication password is required; WPA3 Personal or WPA3 PSK; WPA3 Enterprise or WPA3-802.1X

31
Q

What does RADIUS stand for?

A

Remote authentication dial-in user service

32
Q

What is RADIUS? And what does it do?

A

One of the more common AAA protocols; it is supported on a wide variety of platforms and devices, and it centralizes the authentication for users

33
Q

What is the AAA framework?

A

Authentication, authorization, accounting

34
Q

What is EAP, and what standard is it integrated with?

A

Extensible authentication protocol. It is an authentication framework, and it integrates with 802.1X

35
Q

What is a primary methodology that developers can use to secure their application?

A

Validate the input fields

36
Q

What is a secure cookie?

A

A cookie that has its Secure attribute set; a browser will only send it over HTTPS

37
Q

True or false: it is OK to store sensitive information within a cookie?

A

False, they are not designed to be secure storage

38
Q

What are four methods for securing application code?

A

Static code analyzers, code signing, sandboxing, application security monitoring

39
Q

What method of securing code uses automated tools to identify security flaws?

A

Static code analyzers, also known as static application security testing (SAST)

40
Q

What method of application code security is used to confirm that the application was written by a specific developer? And how does it work?

A

Code signing, which means the application code is digitally signed by the developer's private key

41
Q

Which form of application code security isolates the application so that it cannot access unrelated resources? And where else can it be used?

A

Sandboxing; it can be used in many different types of deployment, such as VMs, mobile devices, and browser iframes

43
Q

Which form of application security uses real-time logging information?

A

Application security monitoring

44
Q

What is the testing methodology called that throws random data at input fields on a form?

A

Fuzz testing

45
Q

What is the name of the multi-step process for requesting and obtaining goods and services?

A

Acquisition or procurement process

46
Q

What does an organization use to track IT equipment purchased and who it is assigned to?

A

A central asset tracking system

47
Q

What is the process called to completely remove data so no usable information remains?

A

System disposal or decommissioning

48
Q

What is usually contained on an asset tag?

A

Barcode, RFID, visible tracking number, organization name

49
Q

What can be used to physically destroy an asset like a hard drive?

A

Shredder or pulverizer, a drill or hammer, degaussing (which removes the magnetic field), or incineration

50
Q

When a third party physically destroys an IT asset, what do you receive in return that confirms the asset has been destroyed and how it was destroyed?

A

A certificate of destruction

51
Q

What is it called when you back up your data and keep it for a period of time?

A

Data retention

52
Q

What are two reasons why data is retained?

A

Regulatory compliance or operational needs

53
Q

Is vulnerability scanning the same thing as penetration testing?

A

No

54
Q

What is an example of vulnerability scanning that I have used in the past? And what is one example of a check within the scans?

A

ACAS or Nessus, a port scan to see what ports are open

55
Q

What is SAST and what does it do?

A

Static application security testing; it is used to help identify security flaws within application code. It can identify security vulnerabilities such as buffer overflows and database injections

56
Q

True or false: knowing who the threat actors are is helpful with threat intelligence?

A

True

58
Q

What does OSINT stand for?

A

Open source intelligence

59
Q

Which type of threat intelligence is compiled and available for sale, and is constantly monitoring for new threats so it is always being updated?

A

Proprietary or third-party intelligence

60
Q

What is CTA?

A

Cyber Threat Alliance: a member group that compiles and classifies threat intelligence for CTA members

61
Q

What is the internet area where hacking groups provide tools, techniques, and other information for sale, including credit cards, accounts, and passwords?

A

Dark web; it is good to monitor this area for signs of your or your company's information.

62
Q

The process of simulating an attack is called what?

A

Penetration testing

63
Q

What is the organization that provides technical guides and testing and assessment procedures for penetration testing?

A

The National Institute of Standards and Technology (NIST)

64
Q

What is the important document that outlines the purpose and scope and makes everyone aware of the test parameters for the penetration test?

A

Rules of engagement

65
Q

What are some of the items within the rules of engagement?

A

The type of testing (physical, internal/external), the schedule, and the rules

66
Q

What are some of the rules that might be outlined in the rules of engagement?

A

IP address ranges, emergency contacts, how to handle sensitive information

67
Q

What are some of the dangers of penetration testing?

A

It could cause a denial of service or loss of data; buffer overflows can cause instability; privilege escalations can occur

68
Q

In penetration testing, once you are able to gain access to a system, what are some important moves to test?

A

Lateral movement, or moving from system to system, which tests whether the network is relatively unprotected; and persistence, ensuring that once in you can get back in by setting up a backdoor, building fake user accounts, or changing or verifying default passwords

69
Q

What is a reward offered for the discovery of vulnerabilities called?

A

A bug bounty program

70
Q

At what point is a vulnerability publicly announced?

A

After the manufacturer has created a fix

71
Q

What is a vulnerability that is identified but doesn't really exist called?

A

False positive

72
Q

What is a vulnerability that exists but is not detected called?

A

False negative

73
Q

It is important to have the latest of these when performing vulnerability scans. What are they?

A

Signatures

74
Q

What does CVSS stand for and what is it?

A

Common Vulnerability Scoring System; it provides a quantitative score for a vulnerability from 0 to 10

75
Q

What does CVE stand for, and what is it?

A

Common Vulnerabilities and Exposures; each vulnerability is assigned a CVE and contains a CVSS score

76
Q

What types of systems are generally included in a vulnerability scan?

A

Desktop, mobile apps, web application, misconfigured firewalls, open ports

77
Q

What is the loss of value or business activity if a vulnerability in an organization is exploited called?

A

The exposure factor, and it is usually expressed as a percentage; this is also a useful metric when assigning priority

78
Q

What type of variable is used for assigning vulnerability priority when it impacts things such as internal servers, public cloud, or a test lab?

A

Environmental type

79
Q

What type of variable is used for assigning vulnerability priority when it impacts things such as hospitals or power plants?

A

Industry or Organizational impact

80
Q

What is the amount of risk acceptable to an organization called?

A

Risk tolerance

81
Q

What is the most common mitigation technique for vulnerability remediation?

A

Patching

82
Q

An unscheduled patch that has the highest priority is generally for what type of vulnerability?

A

Zero day

83
Q

What can an organization purchase in case a cybersecurity event occurs that causes loss?

A

Cybersecurity liability insurance

84
Q

To limit the scope of an exploit, an organization will separate devices into their own networks/VLANs. What is that called?

A

Segmentation

85
Q

What type of segmentation is it when the application is completely disconnected from everything?

A

An air gap

86
Q

What can be used to block unwanted or unnecessary internal traffic between VLANs?

A

NGFWs

87
Q

What are the two types of segmentation?

A

Physical and logical

88
Q

What device is required when you want to communicate between VLANs?

A

A layer 3 device or router

89
Q

What is it called when the optimal security method may not be available, so you apply this instead?

A

Compensating controls

90
Q

Name several examples of compensating controls.

A

Disabling a problematic service, revoking access to an application, limiting external access

91
Q

Sometimes these are given for a vulnerability; an example is a vulnerability that may require a local login only. What are they called?

A

Exceptions and exemptions

92
Q

What are two ways to validate the vulnerability remediation?

A

Rescan and QA testing

93
Q

In my experience, what does the Navy call the process of ongoing vulnerability processing?

A

Continuous monitoring

94
Q

What is a SIEM? And what does it do?

A

Security information and event manager; it consolidates many different logs into a central database and allows alerting and reporting on the data collected

95
Q

What are the different logs that can be consolidated into a SIEM?

A

Server logs, firewall logs, database logs, Internet server logs, VPN logs

96
Q

What can workstation/server scanning provide to an organization? And in my experience, what software of this type am I familiar with?

A

It actively checks systems and devices and reports back operating system type and version, device driver versions, and installed applications; Belarc

97
Q

What are three uses for system scan software data?

A

It can report on the number of devices that are up to date and in compliance, on devices running older operating systems, and, when a new vulnerability is found, it can identify the number of systems that may be vulnerable

98
Q

What is the average period of time for a company to identify and contain a breach?

A

9 months

99
Q

What are some of the pros and cons of SIEM alerts?

A

The alerts can enable quick response by sending up-to-date status information.
There may be false positives and false negatives in the alerts, as they will require tuning over time.

100
Q

What are some examples of events that may trigger a SIEM alert?

A

An increase in authentication errors, large file transfers

101
Q

What is SCAP? And what does it do?

A

Security Content Automation Protocol; through the standards it defines, it allows the many available security tools to identify and act on the same criteria

102
Q

What are some of the advantages of SCAP?

A

SCAP content can be shared between tools; it is especially useful in large environments with many different operating systems and applications; and the specification standard enables automation between different tools

103
Q

What is it called when an organization applies security best practices to everything and these are well documented? In my experience, what have I used?

A

Benchmarks, STIG checklists

104
Q

What are some example benchmarks for a mobile device?

A

Disable screenshots, disable screen recordings, prevent voice calls when locked, and force encrypted backups

105
Q

What are the two types of compliance software?

A

Agent and agentless

106
Q

Which type of security compliance software is installed on the device, always monitors and gives real-time notifications, but must be maintained and updated?

A

Agent

107
Q

Which type of security compliance software does not require an installation, performs its checks and then disappears, but will not inform or alert if it is not running?

A

Agentless

108
Q

True or false: antivirus and anti-malware are effectively the same these days?

A

True

109
Q

What is DLP? And what does it do?

A

Data loss prevention; when it detects sensitive data being transmitted across the network, it blocks the data in real time and prevents it from being stolen

110
Q

What is SNMP?

A

Simple network management protocol

111
Q

What does MIB stand for, what is it, and what does it contain?

A

Management information base; it is a database of data, and it contains OIDs, which are object identifiers

112
Q

What does SNMP do?

A

It polls devices at fixed intervals in order to capture data

113
Q

What port does SNMP use?

A

UDP 161

114
Q

What is an SNMP trap? And what port does it use?

A

It is an alert that can be configured on the monitored device so that if a threshold is reached, it sends a trap, which allows the monitoring station to react immediately; it uses UDP port 162

115
Q

What gathers traffic statistics for all network traffic flows and can be used to watch network communications?

A

NetFlow

116
Q

Which firewall filters traffic by port number, and which by application?

A

Traditional, NGFW

117
Q

When you VPN between sites, what does a firewall do with the traffic?

A

It encrypts the traffic

118
Q

What other function can a firewall serve and what are some of the things that they do in that function?

A

They can act as layer 3 devices or routers, and perform network address translation and dynamic routing

119
Q

An application layer gateway, stateful multilayer inspection, deep packet inspection: these are all different names for what device?

A

NGFW

120
Q

What does an NGFW do?

A

It analyzes, categorizes and applies a security decision to every packet

121
Q

Name the application that operates on each of these ports: TCP port 80 and 443, TCP port 22, TCP port 3389, UDP port 53, UDP port 123

A

Web server, SSH server, RDP, DNS query, NTP

122
Q

With firewall rules, where are the more specific rules generally located? And what about the more general rules?

A

Usually at the top; near the bottom

123
Q

What do firewalls include at the bottom of the rules?

A

An implicit deny

124
Q

Firewalls can also include these, which allow or disallow traffic by category groupings such as source IP, destination IP, or time of day?

A

Access control list

125
Q

What is an additional layer of security that organizations will place between you and the Internet that allows public access to public resources while private data remains inaccessible in the internal network?

A

A screened subnet

126
Q

What is usually integrated into an NGFW?

A

An IPS

127
Q

What are two ways that IPS rules can be built?

A

Signature based and anomaly based

128
Q

What is the web filtering called when you control web traffic based on data within the content? And what are two types?

A

Content filtering; URL filtering and website category filtering

129
Q

What is the web filtering that allows or restricts based on the URL or URI?

A

URL scanning

130
Q

What do organizations use for web filtering that is installed software on all user devices?

A

Agent based filters

131
Q

Which device can also perform web filtering and sits between the users and the external network? In addition to web filtering, what other services can this device offer?

A

Proxy server; caching, access control, content scanning

132
Q

What are three other methods of web filtering based on the URL or IP address?

A

Block rules, reputation, DNS filtering

133
Q

Which method of web filtering can be performed on a specific URL or category of site content, and can utilize different dispositions, for example allow and alert, or block and alert?

A

Block rules

134
Q

Which method of web filtering filters URLs based on their perceived risk, such as trustworthy, low risk, medium risk, or high risk?

A

Reputation

135
Q

Which method of web filtering utilizes the IP address combined with real-time threat intelligence?

A

DNS filtering

136
Q

What is the database that contains everything on the network, such as computers, user accounts, file shares, printers, and groups? It is primarily Windows-based.

A

Active Directory

137
Q

What are some examples of functionality that can be performed in Active Directory?

A

Manage user accounts, centralized access control, reset passwords

138
Q

What can be used to manage computers or users with such things as login scripts, network configurations, and security parameters?

A

Group policy

139
Q

What adds mandatory access control to Linux?

A

Security enhanced Linux or SELinux

140
Q

In Linux, what is MAC and what is DAC? Which one is traditionally used by Linux?

A

Mandatory access control and discretionary access control; Linux traditionally uses DAC

141
Q

What does MAC provide to Linux?

A

Least privilege

142
Q

What are some examples of unencrypted protocols? And what are their secure alternatives?

A

Telnet, FTP, HTTP, IMAP
SSH, SFTP, HTTPS, IMAPS

143
Q

True or false: a generally recognized secure port number always guarantees that security is being used on that port?

A

False; the port number does not guarantee security, and you will need to confirm the security features are enabled

144
Q

What are three other ways to ensure secure protocols will be used?

A

WPA3 when using 802.11 wireless and using a VPN

145
Q

Why is it easy to spoof an email?

A

Because the protocols used to transfer email include relatively few security checks

146
Q

What can a reputable sender do to configure email validation?

A

Configure email validation on the sender's DNS server

147
Q

What can be set up to evaluate the source of inbound email messages and block them before they reach the user if need be?

A

A mail gateway

148
Q

What is SPF? And what does it do?

A

Sender Policy Framework; it is a list of authorized sending mail servers that is added to a DNS TXT record. The receiving mail server will perform a check to see if the incoming mail really did come from an authorized host.

149
Q

What is DKIM? And what does it do?

A

DomainKeys Identified Mail; the outgoing email server digitally signs all outgoing email and the receiving email server validates the signature. The public key is contained in the DKIM TXT record.

150
Q

What is DMARC? And what does it do?

A

Domain-based Message Authentication, Reporting and Conformance; this is an extension of SPF and DKIM, and the policy is written into a DNS TXT record. The domain owner decides what receiving email servers should do with emails not validated using SPF and DKIM. This data can be used for reporting purposes.

151
Q

What is FIM? And what does it do?

A

File integrity monitoring; it monitors important operating system and application files for when changes occur.

152
Q

What is the Windows FIM tool and what is the Linux FIM tool?

A

System File Checker (SFC) and Tripwire

153
Q

Where are three places that DLP systems are installed and what are they monitoring?

A

On individual computers for data in use, on a network for data in motion, on a server for data at rest

154
Q

What is USB blocking?

A

It is deployed on workstations and bans removable flash media and storage devices

155
Q

In addition to local computer, server and network installations, where else can DLP be implemented?

A

Cloud and email; for the cloud it can manage access to URLs and block viruses and malware; for email it can monitor every inbound and outbound email, including attachments

156
Q

Why is the endpoint so important for security? And why is it so difficult?

A

Because it is the common place for all inbound and outbound attacks, and it is difficult because there are so many different types of platforms to protect

157
Q

What is it called to perform a health check on a device before connecting to the network? And what sort of checks are performed?

A

Posture assessment; is it a trusted device, is it running an up-to-date antivirus, are the applications installed trusted by the organization

158
Q

What are the three types of agents that perform a posture assessment?

A

Persistent agent, dissolvable agent, agentless NAC

159
Q

Which posture assessment agent is permanently installed on a system and requires periodic updates?

A

Persistent agent

160
Q

Which posture assessment agent requires no installation, runs during the posture assessment, and terminates when no longer required?

A

Dissolvable agent

161
Q

Which posture assessment agent integrates with Active Directory, with the checks made during login and logoff?

A

Agentless NAC

162
Q

What happens when a device fails a posture assessment?

A

The device is not allowed to connect to the network; it can connect to a quarantine network in order to get the device up to date

163
Q

What is EDR? And what does it do?

A

Endpoint detection and response; it can detect, investigate, and respond to a threat

164
Q

What does EDR use to detect a threat?

A

Behavioral analysis, machine learning, and process monitoring

165
Q

What is XDR? And what does it do?

A

Extended detection and response; it is a further evolution of EDR that improves on missed detections, false positives, and long investigation times. It can also investigate and respond to network anomalies

166
Q

How does XDR work?

A

It watches users, hosts, and network traffic and creates a baseline of normal activity. After the baseline is established, it uses a set of rules, pattern matching, and statistical analysis to watch for anything unusual.

167
Q

What is IAM? And what does it do?

A

Identity and access management; it ensures the right permissions are given to the right people at the right time to prevent unauthorized access

168
Q

With IAM, every entity, both human and non-human, gets a what?

A

Digital identity

169
Q

In IAM, what is it called to track an entity's resource access?

A

Identity governance

170
Q

In IAM, what are the events that could cause provisioning and/or deprovisioning to occur?

A

Hiring, transfers, promotions, job separation

171
Q

In IAM, what is an important part of the process?

A

An initial checkpoint to limit access and nobody gets administrator access

172
Q

In IAM, no privileged access is given to what?

A

The operating system

173
Q

In IAM, how does identity proofing occur?

A

By validation using such things as a password and security questions, and by verification/attestation using such things as a passport, driver's license, or in-person meeting

174
Q

What is it called when credentials are provided one time and can then be used across multiple resources and/or systems?

A

Single sign-on

175
Q

What is LDAP? And what specification does it use?

A

Lightweight Directory Access Protocol… X.500

176
Q

How does LDAP work with X.500?

A

LDAP is the protocol used to query and update an X.500 directory

177
Q

What structure is the X.500 directory? And what are the two objects called with examples?

A

Hierarchical or tree structure… Container objects (country, organization, organizational unit) and leaf objects (users, computers, printers, files)

178
Q

What is SAML? And what does it do?

A

Security Assertion Markup Language… It is an open standard for authentication and authorization

179
Q

What is the authorization framework that was created by Twitter, Google and others that provides significant industry support?

A

OAuth

180
Q

What is the process that allows authentication and authorization between several networks that also requires a trust relationship between them?

A

Federation

181
Q

What is it called when there are many different ways to communicate with an authentication server across multiple device types?

A

Interoperability

182
Q

With authorization, the process of ensuring only authorized rights are exercised is called what?

A

Policy enforcement

183
Q

With authorization, the process of determining rights is called what?

A

Policy definition

184
Q

This type of access control limits access to objects based on security levels, a label, and predefined rules on those objects?

A

Mandatory access control, or MAC

185
Q

This type of access control is used in most operating systems; the owner establishes who can access their objects?

A

Discretionary access control, or DAC

186
Q

This type of access control is defined by the role in the organization?

A

Role-based access control, or RBAC

187
Q

This type of access control is determined through system enforced rules, and the rule is associated with the object?

A

Rule-based access control

188
Q

This type of access control is considered a next-generation authorization model which combines and evaluates multiple parameters, such as resource information, IP address, time of day, desired action, and relationship to the data?

A

Attribute-based access control, or ABAC

189
Q

In access control, what is it called when you secure objects based on certain times or days of the week?

A

Time of day restrictions

190
Q

What are the different factors in MFA?

A

Something you know, something you have, something you are, somewhere you are

191
Q

In MFA, a password, a PIN, or a pattern are all what factor?

A

Something you know

192
Q

In MFA, a smart card, a USB security key, a hardware or software token, or your phone are all what factor?

A

Something you have

193
Q

In MFA, biometric authentication such as a fingerprint, an iris scan, or a voice print are all examples of what factor?

A

Something you are

194
Q

In MFA, an IP address or a mobile device location are examples of what factor?

A

Somewhere you are

195
Q

What is password entropy?

A

The process of increasing a password's complexity

196
Q

What can be used to store all of your passwords?

A

Password manager

197
Q

What are some examples of passwordless authentication?

A

Facial recognition or a security key

198
Q

What type of authentication creates a time limited account where the credentials are used for one session and then are deleted?

A

Just-in-time permissions

199
Q

What are the four steps to the incident response lifecycle?

A

Preparation, detection and analysis, containment/eradication/recovery, post-incident activity

200
Q

What are five ways to prepare for an incident?

A

Team communication methods, incident handling hardware and software, incident analysis resources, incident mitigation software, the policies needed for incident handling

201
Q

True or false: it is generally a good idea to let an incident run its course

A

False

202
Q

What should occur within an organization after an incident has been resolved?

A

Lessons learned sessions

203
Q

What can organizations do to test themselves before an actual event?

A

Perform an exercise or tabletop

204
Q

What is the process to determine the ultimate cause of an incident by asking why?

A

Root cause analysis

205
Q

What is the process to collect and protect information relating to an intrusion?

A

Digital forensics

206
Q

What is a legal technique to preserve relevant information to prepare for impending litigation and is initiated by legal counsel?

A

A legal hold

207
Q

What is usually required when needing to store copies of different data sources and data types during an investigation?

A

A separate repository for electronically stored information (ESI)

208
Q

What is it called to maintain the integrity of the data during an investigation, which includes everyone who contacts the evidence and uses hashes and digital signatures?

A

Chain of custody

209
Q

During digital forensics, what is the process called to gather all of the needed data?

A

E-discovery

210
Q

True or false: E-discovery also includes analysis of the data

A

False

211
Q

Name five types of log files that are instrumental in detecting and stopping an attack.

A

Security logs, firewall logs, application logs, endpoint logs, operating-system-specific security logs, IPS and IDS logs, network logs

212
Q

What is data that describes other data sources?

A

Metadata

213
Q

What can be used to detect a lack of security controls (for example, no firewall, no antivirus, no anti-spyware) and misconfigurations (like open shares and guest access accounts)?

A

Vulnerability scans

214
Q

What can a SIEM produce that serves as an alert?

A

Automated reports, think Splunk

215
Q

What can SIEMs produce that displays summaries on a single screen?

A

A dashboard

216
Q

What can be used to solve complex application issues by viewing detailed network traffic information?

A

Packet capture