701 - Section 4 Flashcards
What makes up a secure baseline?
The specific device's or application's foundational security policy
In my working experience, what is a secure baseline that I have used?
STIG checklists
What is it called to apply these foundational secure configurations to the associated system?
Hardening
What are three general ways to harden a mobile device?
Always apply updates when ready, segment the company and user data, control with an MDM, which is a mobile device manager
What are three ways to harden a workstation?
Apply and automate monthly patches, connect to a policy management system such as Active Directory Group Policy, remove unnecessary software to limit the threats
How do you harden network infrastructure devices?
Always check with the manufacturer because when they do put out security updates, while not frequent, they are usually very important.
What are three ways to harden cloud infrastructure?
Apply least privilege to services, network settings, etc… configure endpoint detection and response (EDR), always have an offsite backup
What are four general ways to harden a server?
Always apply all updates, service packs, and patches… apply best practices to user accounts, limit network access, monitor and secure with antivirus/anti-malware software
How do you harden an embedded system, since they can be difficult to upgrade?
Apply security patches when available, prevent access from unauthorized users
How do you harden an RTOS?
Isolate the system, run with the minimum services needed, protect with a host-based firewall
How do you harden IoT devices?
Change the default passwords, deploy updates quickly, segment these devices by putting them on their own VLAN
What is another name for a map of an organization's wireless network?
A site survey
What are some of the benefits of a site survey?
They identify existing access points, they allow you to lay out and plan for interference, they identify wireless signal strengths
What is an especially helpful wireless survey tool?
Spectrum analyzer
What are three features that an MDM provides?
Centralizes management of the mobile devices, sets policies on apps, data, camera… manages access control for things like screen locks and PINs
What does BYOD stand for?
Bring your own device
What does COPE stand for? And what is it?
Corporate owned, personally enabled… when the company buys and controls the device but allows you to use it as a personal device as well
What are three security concerns with a cellular network?
Traffic monitoring, location tracking, worldwide access to any mobile device
What are three security concerns with a Wi-Fi network?
Data capture (so encrypt your data), on-path attacks, denial of service
What is another name for Bluetooth?
PAN or personal area network
How do we ensure that all wireless communication is confidential?
By encrypting the wireless data
What is MIC? And what is it used for?
Message integrity check, and it is used to confirm that the received data is identical to the original data sent
What is the problem with WPA2?
It is vulnerable to a pre-shared key (PSK) brute force attack
What is a pre-shared key?
It is the wireless key that everyone uses when they connect
What protocol solves the WPA2 PSK problem?
WPA3 and GCMP
What is GCMP and what does it offer?
Galois Counter Mode Protocol. It offers data confidentiality with AES, and a MIC with the Galois Message Authentication Code (GMAC)
How does WPA3 resolve the issues with WPA2?
It includes mutual authentication, creates a shared session key without sending that key across the network, and has no more four-way handshakes or hashes, which eliminates the brute force attack vector
What does SAE stand for, and how does it work?
Simultaneous Authentication of Equals… it uses a Diffie-Hellman derived key exchange with an authentication component, uses a different session key even with the same pre-shared key, and includes an IEEE standard, the Dragonfly handshake
Where do you configure security on a wireless network?
On your wireless access point or wireless router
What are three wireless security modes?
Open system, which means no authentication password is required; WPA3 Personal or WPA3-PSK; WPA3 Enterprise or WPA3-802.1X
What does RADIUS stand for?
Remote authentication dial-in user service
What is RADIUS? And what does it do?
One of the more common AAA protocols, supported on a wide variety of platforms and devices… it centralizes the authentication for users
What is the AAA framework?
Authentication, authorization, accounting
What is EAP, and what standard is it integrated with?
Extensible authentication protocol. It is an authentication framework… It integrates with 802.1X
What is a primary methodology that developers can use to secure their application?
Validate the input fields
What is a secure cookie?
A cookie that has its Secure attribute set; a browser will only send it over HTTPS
True or false: it is OK to store sensitive information within a cookie?
False, they are not designed to be secure storage
What are four methods for securing application code?
Static code analyzers, code signing, sandboxing, application security monitoring
What method of securing code uses automated tools to identify security flaws?
Static code analyzers, also known as static application security testing (SAST)
What method of application code security is used to confirm that the application was written by a specific developer? And how does it work?
Code signing, which means the application code is digitally signed by the developer's private key
Which form of application code security separates the application where it cannot access unrelated resources? And where else can it be used?
Sandboxing… it can be used in many different types of deployment, such as VMs, mobile devices, browser iframes
Which form of application security uses real time logging information?
Application security monitoring
What is the testing methodology called that throws random data at input fields on a form?
Fuzz testing
What is the name of the multi-step process for requesting and obtaining goods and services?
Acquisition or procurement process
What does an organization use to track IT equipment purchased and who it is assigned to?
A central asset tracking system
What is the process called to completely remove data so no usable information remains?
System disposal or decommissioning
What is usually contained on an asset tag?
Barcode, RFID, visible tracking number, organization name
What can be used to physically destroy an asset like a hard drive?
Shredder or pulverizer, a drill or hammer, degaussing (which removes the magnetic field), or incineration
When a third party physically destroys an IT asset, what do you receive in return that confirms the asset has been destroyed and how it was destroyed?
A certificate of destruction
What is it called when you back up your data and keep it for a period of time?
Data retention
What are two reasons why data is retained?
Regulatory compliance or operational needs
Is vulnerability scanning the same thing as penetration testing?
No
What is an example of vulnerability scanning that I have used in the past? And what is one example within the scans?
ACAS or Nessus, a port scan to see what ports are open
What is SAST and what does it do?
Static application security testing, and it is used to help identify security flaws within application code… it can identify security vulnerabilities such as buffer overflows and database injections
True or false, knowing who the threat actors are is helpful with threat intelligence?
True
What does OSINT stand for?
Open source intelligence
This type of threat intelligence is compiled and available for sale and is constantly monitoring for new threats so it’s always being updated?
Proprietary or third-party intelligence
What is CTA?
Cyber Threat Alliance… a member group that compiles and classifies threat intelligence for CTA members
What is the internet area where hacking groups provide tools, techniques and other information for sale, including credit cards and account passwords?
Dark web… it is good to monitor this area for signs of your or your company's information.
The process of simulating an attack is called what?
Penetration testing
What is the organization that provides technical guides and testing and assessment procedures for penetration testing?
The National Institute of Standards and Technology… NIST
This is an important document that outlines the purpose and scope and makes everyone aware of the test parameters for the penetration test?
Rules of engagement
What are some of the items within the rules of engagement?
The type of testing (physical, internal/external) and schedule, and the rules
What are some of the rules that might be outlined in the rules of engagement?
IP address ranges, emergency contacts, how to handle sensitive information
What are some of the dangers of penetration testing?
Could cause a denial of service or loss of data, buffer overflows can cause instability, privilege escalations can occur
In penetration testing, once you are able to gain access to a system, what are some important moves to test?
Lateral movement, or moving from system to system, which tests if the network is relatively unprotected; persistence, ensuring once in that you can get back in by setting up a backdoor, building fake user accounts, changing or verifying default passwords
What is a reward offered for the discovery of vulnerabilities called?
A bug bounty program
At what point is a vulnerability publicly announced?
After the manufacturer has created a fix
What is a vulnerability that is identified that doesn’t really exist called?
False positive
What is a vulnerability that exists but is not detected?
False negative
It is important to have the latest of these when performing vulnerability scans?
Signatures
What does CVSS stand for and what is it?
Common vulnerability scoring system… It provides a quantitative scoring of a vulnerability from 0 to 10
What does CVE stand for, and what is it?
Common Vulnerabilities and Exposures… each vulnerability is assigned a CVE and contains a CVSS score
What types of systems are generally included in a vulnerability scan?
Desktop, mobile apps, web application, misconfigured firewalls, open ports
What is the loss of value or business activity if a vulnerability in an organization is exploited called?
The exposure factor, usually expressed as a percentage… this is also a useful metric when assigning priority
This type of variable is used for assigning a vulnerability priority when it impacts things such as internal servers, public cloud, or a test lab?
Environmental type
This type of variable is used for assigning a vulnerability priority when it impacts things such as hospitals or power plants?
Industry or Organizational impact
What is the amount of risk acceptable to an organization called?
Risk tolerance
What is the most common mitigation technique for vulnerability remediation?
Patching
An unscheduled patch that has the highest priority is generally for what type of vulnerability?
Zero day
What can an organization purchase in case a cyber security event does occur that causes loss?
Cyber security liability insurance
To limit the scope of an exploit, an organization will separate devices into their own networks/VLANs… what is that called?
Segmentation
What type of segmentation is it when the application is completely disconnected from everything?
An air gap
What can be used to block unwanted unnecessary internal traffic between VLANs?
NGFWs
What are the two types of segmentation?
Physical and logical
What device is required when you want to communicate between VLANs?
A layer 3 device or router
What is it called when the optimal security method may not be available, so you apply this instead?
Compensating controls
Name several examples of compensating controls?
Disabling a problematic service, revoking access to an application, limiting external access
Sometimes these are given for a vulnerability, an example of this is a vulnerability that may require a local login only?
Exceptions and exemptions
What are two ways to validate the vulnerability remediation?
Rescan and QA testing
In my experience, what does the Navy call the process of ongoing vulnerability processing?
Continuous monitoring
What is a SIEM? And what does it do?
Security information and event manager, it consolidates many different logs to a central database and allows alerting and reporting on the data collected
What are the different logs that can be consolidated into a SIEM?
Server logs, firewall logs, database logs, Internet server logs, VPN logs
What can workstation/server scanning provide to an organization? And in my experience, what software of this type am I familiar with?
It actively checks systems and devices and reports back operating system type and versions, device driver versions and installed applications… Belarc
What are three uses for system scan software data?
It can report on the number of devices that are up to date and in compliance, devices running older operating systems, and when a new vulnerability is found it can identify the number of systems that may be vulnerable
What is the average period of time for a company to identify and contain a breach?
9 months
What are some of the pros and cons of SIEM alerts?
The alerts can enable quick response by sending up-to-date status information
There may be false positives and false negatives to the alerts, as they will require tuning over time.
What are some examples of events that may trigger a SIEM alert?
An increase in authentication errors, large file transfers
What is SCAP? And what does it do?
Security Content Automation Protocol… through the standards created, it allows the many available security tools to identify and act on the same criteria
What are some of the advantages of SCAP?
SCAP content can be shared between tools, it is especially useful in large environments with many different operating systems and applications, and the specification standard enables automation between different tools
What is it called when an organization applies security best practices to everything and these are well documented? In my experience, what have I used?
Benchmarks, STIG checklists
What are some example benchmarks for a mobile device?
Disable screenshots, disable screen recordings, prevent voice calls when locked, and force encrypted backups
What are the two types of compliance software?
Agent and agentless
This type of security compliance software is installed on the device and always monitors for real-time notifications, but must be maintained and updated?
Agent
This type of security compliance software does not require an installation. It performs its checks and then disappears, but will not inform or alert if it is not running?
Agentless
True or false: antivirus and anti-malware are effectively the same these days?
True
What is DLP? And what does it do?
Data loss prevention…when it detects sensitive data being transmitted across the network, it will block the data in real time and prevent it from being stolen
What is SNMP?
Simple network management protocol
What does MIB stand for, what is it, and what does it contain?
Management information base; it is a database of data… it contains OIDs, which are object identifiers
What does SNMP do?
It polls devices at fixed intervals in order to capture data
What port does SNMP use?
UDP 161
What is an SNMP trap? And what port does it use?
It is an alert that can be configured on the monitored device so that if a threshold is reached, it sends a trap, which allows the monitoring station to react immediately… it uses UDP port 162
What gathers traffic statistics for all network traffic flows and can be used to watch network communications?
NetFlow
Which firewall filters traffic by port number, and which by application?
Traditional, NGFW
When you VPN between sites, what does a firewall do with the traffic?
It encrypts the traffic
What other function can a firewall serve and what are some of the things that they do in that function?
They can act as layer 3 devices or routers, perform network address translation and dynamic routing
An application layer gateway, stateful multilayer inspection, deep packet inspection… these are all different names for what device?
NGFW
What does an NGFW do?
It analyzes, categorizes and applies a security decision to every packet
Name the application that operates on these ports… TCP ports 80 and 443, TCP port 22, TCP port 3389, UDP port 53, UDP port 123…
Web server, SSH server, RDP, DNS query, NTP
With firewall rules, where are the more specific rules generally located? And what about the more general rules?
Usually at the top, near the bottom
What do firewalls include at the bottom of the rules?
An implicit deny
Firewalls can also include these, which allow or disallow traffic by category groupings such as source IP, destination IP, time of day?
Access control list
What is an additional layer of security that organizations will place between you and the Internet that allows public access to public resources and ensures that private data remains inaccessible in the internal network?
A screened subnet
What is usually integrated into an NGFW?
An IPS
What are two ways that IPS rules can be built?
Signature based and anomaly based
What is the web filtering called when you control web traffic based on data within the content? And what are two types?
Content filtering… URL filtering and website category filtering
What is the web filtering that allows or restricts based on the URL or URI?
URL scanning
What do organizations use for web filtering that is installed software on all user devices?
Agent based filters
This device also can perform Web filtering, and it sits between the users and the external network? In addition to Web filtering what other services can this device offer?
Proxy server… caching, access control, content scanning
What are three other methods of Web filtering based on the URL or IP address?
Block rules, reputation, DNS filtering
This method of web filtering can be performed on a specific URL or category of site content, and can utilize different dispositions, for example allow and alert or block and alert?
Block rules
This method of web filtering filters URLs based on their perceived risk, such as trustworthy, low risk, medium risk, high risk?
Reputation
This method of web filtering utilizes the IP address combined with real-time threat intelligence?
DNS filtering
What is the database that contains everything on the network, such as computers, user accounts, file shares, printers, groups… It is primarily Windows-based?
Active Directory
What are some examples of functionality that can be performed on Active Directory?
Manage user accounts, centralized access control, reset passwords
What can be used to manage computers or users with such things as login scripts, network configurations, security parameters?
Group policy
This adds mandatory access control to Linux?
Security-Enhanced Linux or SELinux
In Linux… what is MAC and what is DAC? Which one is traditionally used by Linux?
Mandatory access control, and discretionary access control… Linux traditionally uses DAC
What does MAC provide to Linux?
Least privilege
What are some examples of unencrypted protocols? And what are their secure alternatives?
Telnet, FTP, HTTP, IMAP
SSH, SFTP, HTTPS, IMAPS
True or false… a generally recognized secure port number always guarantees that security is being used on that port?
False; the port number does not guarantee security, you will need to confirm the security features are enabled
What are three other ways to ensure secure protocols will be used?
WPA3 when using 802.11 wireless and using a VPN
Why is it easy to spoof an email?
Because the protocols used to transfer emails include relatively few security checks
What can a reputable sender do to configure email validation?
Configure email validation on the sender's DNS server
What can be set up to evaluate the source of inbound email messages and block it before it reaches the user if need be?
A mail gateway
What is SPF? And what does it do?
Sender Policy Framework… it is a list of authorized sending mail servers that is added to a DNS TXT record. The receiving mail server will perform a check to see if the incoming mail really did come from an authorized host.
What is DKIM? And what does it do?
DomainKeys Identified Mail… the outgoing email server will digitally sign all outgoing email and the receiving email server will validate the signature… the public key is contained in the DKIM TXT record
What is DMARC? And what does it do?
Domain-based Message Authentication, Reporting and Conformance… this is an extension of SPF and DKIM, and the policy is written into a DNS TXT record… the domain owner decides what receiving email servers should do with emails not validated using SPF and DKIM. This data can be used for reporting purposes.
What is FIM? And what does it do?
File integrity monitoring… it monitors important operating system and application files for when changes occur
What is Windows FIM and what is Linux FIM?
System File Checker (SFC) and Tripwire
Where are three places that DLP systems are installed and what are they monitoring?
On individual computers for data in use, on a network for data in motion, on a server for data at rest
What is USB blocking?
It is deployed on workstations and bans removable flash media and storage devices
In addition to local computer, server and network installations, where else can DLP be implemented?
Cloud and email… for the cloud it can manage access to URLs and block viruses and malware… For email it can monitor every inbound and outbound email including attachments
Why is the endpoint so important for security? And why is it so difficult?
Because it's the common place for all inbound and outbound attacks… and it is difficult because there are so many different types of platforms to protect
What is it called to perform a health check on a device before connecting to the network? And what sort of checks are performed?
Posture assessment… Is it a trusted device, is it running up-to-date antivirus, are the applications installed trusted by the organization…
What are the three types of agents that perform a posture assessment?
Persistent agent, dissolvable agent, agentless NAC
Which posture assessment agent is permanently installed on a system and requires periodic updates?
Persistent agent
Which posture assessment agent requires no installation, runs during the posture assessment and terminates when no longer required?
Dissolvable agent
Which posture assessment agent integrates with Active Directory, and the checks are made during login and logoff?
Agentless NAC
What happens when a device fails a posture assessment?
The device is not allowed to connect to the network… It can connect to a quarantine network in order to get the device up-to-date
What is EDR? And what does it do?
Endpoint detection and response… it can detect, investigate, and respond to a threat
What does EDR use to detect a threat?
Behavioral analysis, machine learning, and process monitoring
What is XDR? And what does it do?
Extended detection and response… it is a further evolution of EDR that improves on missed detections, false positives, and long investigation times… it also can investigate and respond to network anomalies
How does XDR work?
It watches users, hosts and network traffic and creates a baseline of normal activity. After the baseline is established, it uses a set of rules, pattern matching and statistical analysis to watch for anything unusual.
What is IAM? And what does it do?
Identity and access management… It ensures the right permissions are given to the right people at the right time to prevent unauthorized access
With IAM, every entity, both human and non-human, gets a what?
Digital identity
In IAM, what is it called to track an entity's resource access?
Identity governance
In IAM, what are the events that could cause provisioning and/or deprovisioning to occur?
Hiring, transfers, promotions, job separation
In IAM, what is an important part of the process?
An initial checkpoint to limit access and nobody gets administrator access
In IAM, no privileged access is given to what?
The operating system
In IAM, how does identity proofing occur?
By validation using such things as a password and security questions… and by verification/attestation using such things as a passport, driver's license, in-person meeting…
What is it called when credentials are provided one time and that can be used across multiple resources and or systems?
Single sign on
What is LDAP? And what specification does it use?
Lightweight directory access protocol… X.500
How does LDAP work with X.500?
LDAP is the protocol used to query and update an X.500 directory
What structure is the X.500 directory? And what are the two objects called with examples?
Hierarchical or tree structure… container objects (country, organization, organizational unit) and leaf objects (users, computers, printers, files).
What is SAML? And what does it do?
Security Assertion Markup Language… it is an open standard for authentication and authorization
What is the authorization framework that was created by Twitter, Google and others that provides significant industry support?
OAuth
What is the process that allows authentication and authorization between several networks that also requires a trust relationship between them?
Federation
What is it where there are many different ways to communicate with an authentication server across multiple device types?
Interoperability
With authorization, the process of ensuring only authorized rights are exercised is called what?
Policy enforcement
With authorization, the process of determining rights is called what?
Policy definition
This type of access control limits the object based on security levels, a label and predefined rules on those objects?
Mandatory access control or MAC
With this type of access control, which is used in most operating systems, the owner establishes who can access their objects?
Discretionary access control, or DAC
This type of access control is defined by the role in the organization?
Role based access control or RBAC
This type of access control is determined through system enforced rules, and the rule is associated with the object?
Rule-based access control
This type of access control is considered a next generation authorization model which combines and evaluates multiple parameters, such as resource information, IP address, time of day, desired action, relationship to the data?
Attribute based access control or ABAC
In access control, what is it called when you secure objects based on certain times or days of the week?
Time of day restrictions
What are the different factors in MFA?
Something you know, something you have, something you are, somewhere you are
In MFA, a password, a PIN, or a pattern are all what factor?
Something you know
In MFA, a smart card, a USB security key, a hardware or software token, or your phone are all what factor?
Something you have
In MFA, biometric authentication such as a fingerprint, an iris scan, or a voice print are all examples of what factor?
Something you are
In MFA, an IP address or a mobile device location are examples of what factor?
Somewhere you are
What is password entropy?
The process of increasing a password's complexity
What can be used to store all of your passwords?
Password manager
What are some examples of passwordless authentication?
Facial recognition or a security key
What type of authentication creates a time limited account where the credentials are used for one session and then are deleted?
Just in time permissions
What are the four steps to the incident response lifecycle?
Preparation, detection and analysis, containment/eradication/recovery, post incident activity
What are five ways to prepare for an incident?
Team communication methods, incident handling hardware and software, incident analysis resources, incident mitigation software, the policies needed for incident handling
True or false: it is generally a good idea to let an incident run its course?
False
After an incident occurs, what should happen within an organization once the incident has been resolved?
Lessons learned sessions
What can organizations do to test themselves before an actual event?
Perform an exercise or tabletop
What is the process to determine the ultimate cause of an incident by asking why?
Root cause analysis
What is the process to collect and protect information relating to an intrusion?
Digital forensics
What is a legal technique to preserve relevant information to prepare for impending litigation and is initiated by legal counsel?
A legal hold
What is usually required when needing to store copies of different data sources and data types during an investigation?
A separate repository for electronically stored information (ESI)
What is it called to maintain the integrity of the data during an investigation? It includes everyone who contacts the evidence and uses hashes and digital signatures.
Chain of custody
During digital forensics, what is the process called to gather all of the needed data?
E-discovery
True or false: e-discovery also includes analysis of the data?
False
Name five types of log files instrumental in detecting and stopping an attack?
Security logs, firewall logs, application logs, endpoint logs, operating system-specific security logs, IPS and IDS logs, network logs
What is data that describes other data sources?
Metadata
What can be used to detect a lack of security controls, for example no firewall, no antivirus, no anti-spyware, and misconfigurations like open shares and guest access accounts?
Vulnerability scans
What can a SIEM produce that serves as an alert?
Automated reports, think Splunk
What can SIEMs produce that display summaries on a single screen?
A dashboard
What can be used to solve complex application issues by viewing detailed network traffic information?
Packet capture