Application Monitoring Flashcards

1
Q

A list of permitted and denied network connections based on IP addresses,
ports, or applications in use

A

Access Control List (ACL)

2
Q

Firewall logs can provide you with four types of useful security data

A

Connections that are permitted or denied
Port and protocol usage in the network
Bandwidth utilization with the duration and volume of usage
An audit log of the address translations (NAT/PAT) that occurred

3
Q

A Linux-based firewall that uses the syslog file format for its logs

A

iptables

4
Q

A Windows-based firewall that uses the W3C Extended Log File Format

A

Windows Firewall
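
Added example (not part of the original flashcard set): a Python parser for the two log formats named in cards 3 and 4, feeding the summaries card 2 lists (permit/deny, port and protocol usage, volume per source). All sample lines are constructed. The iptables --log-prefix values IPT-DROP and IPT-ACCEPT are an assumption of this example, since the prefix is whatever the rule author chose. The INFO-EVENTS-LOST handling ties back to card 5: it is Windows Firewall's own record of events it could not write, which is how a blinding condition shows up in the log.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (not captured from a real firewall). The first set
# mimics iptables LOG-target lines as syslog stores them, using the rule set's
# own --log-prefix values (IPT-DROP / IPT-ACCEPT: an assumption of this example);
# the second mimics the W3C Extended Log File Format Windows Firewall writes.
IPTABLES_SYSLOG = """\
Mar  3 10:15:22 fw1 kernel: [12345.678901] IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:23 fw1 kernel: [12346.001234] IPT-ACCEPT: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.20 LEN=1500 TOS=0x00 PREC=0x00 TTL=57 ID=3212 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=512 RES=0x00 ACK URGP=0
Mar  3 10:15:24 fw1 kernel: [12346.500000] IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
"""

WINDOWS_W3C = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-03-03 10:15:22 DROP TCP 203.0.113.5 192.0.2.10 44321 445 52 S 123456 0 8192 - - - RECEIVE
2024-03-03 10:15:25 ALLOW UDP 192.0.2.15 192.0.2.53 50001 53 78 - - - - - - - SEND
2024-03-03 10:15:26 ALLOW TCP 192.0.2.15 198.51.100.9 50002 443 52 S 1 0 64240 - - - SEND
2024-03-03 10:15:27 INFO-EVENTS-LOST - - - - - - - - - - - - 23 -
"""

@dataclass(frozen=True)
class Conn:
    source: str           # "iptables" or "windows"
    action: str           # normalised to PERMIT or DENY
    proto: str
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]  # None for ICMP
    size: int             # bytes reported for the packet

_KV = re.compile(r"(\w+)=(\S*)")
_IPT = re.compile(r"kernel: (?:\[\s*[\d.]+\] )?(?P<prefix>[\w-]+):? (?P<rest>IN=.*)$")

def parse_iptables(text: str) -> list[Conn]:
    """Syslog lines from the iptables LOG target: a free-form prefix followed
    by KEY=VALUE pairs. The verdict is inferred from the prefix wording."""
    out = []
    for line in text.splitlines():
        m = _IPT.search(line)
        if not m:
            continue
        kv = dict(_KV.findall(m.group("rest")))
        prefix = m.group("prefix").upper()
        action = "DENY" if any(w in prefix for w in ("DROP", "REJECT", "DENY")) else "PERMIT"
        out.append(Conn("iptables", action, kv.get("PROTO", "?"), kv["SRC"], kv["DST"],
                        int(kv["SPT"]) if "SPT" in kv else None,
                        int(kv["DPT"]) if "DPT" in kv else None,
                        int(kv.get("LEN", 0))))
    return out

def parse_windows_w3c(text: str) -> tuple[list[Conn], int]:
    """W3C Extended Log File Format: column order comes from the #Fields
    directive, so it is read from the file rather than hard-coded. Returns the
    connections plus the number of events the firewall reported as lost
    (INFO-EVENTS-LOST lines), the log's own evidence of a blinding condition."""
    fields, out, lost = None, [], 0
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        row = dict(zip(fields, line.split()))
        if row["action"] == "INFO-EVENTS-LOST":
            lost += int(row["info"])
            continue
        num = lambda k: int(row[k]) if row.get(k, "-").isdigit() else None
        out.append(Conn("windows", "PERMIT" if row["action"] == "ALLOW" else "DENY",
                        row["protocol"], row["src-ip"], row["dst-ip"],
                        num("src-port"), num("dst-port"), num("size") or 0))
    return out, lost

def summarize(conns: list[Conn]) -> dict:
    """Three of the four data types firewall logs yield: permit/deny counts,
    port and protocol usage, and volume per source. NAT/PAT translation
    records come from a separate audit log and are not in these samples."""
    by_action = Counter(c.action for c in conns)
    ports = Counter(f"{c.proto}/{c.dport}" for c in conns if c.dport is not None)
    bytes_by_src, denied_by_src = Counter(), Counter()
    for c in conns:
        bytes_by_src[c.src] += c.size
        if c.action == "DENY":
            denied_by_src[c.src] += 1
    return {"by_action": by_action, "ports": ports,
            "bytes_by_src": bytes_by_src, "denied_by_src": denied_by_src}

if __name__ == "__main__":
    win, lost = parse_windows_w3c(WINDOWS_W3C)
    print(summarize(parse_iptables(IPTABLES_SYSLOG) + win), "events lost:", lost)
```

The two formats are normalised into one record type so that the same summary runs over both: on the constructed data the repeat offender 203.0.113.5 shows up as denied three times across both firewalls, which is the kind of cross-source signal a single firewall's log would not give.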

5
Q

A condition that occurs when a firewall is under-resourced and cannot log data fast enough, so some events are missed

A

Blinding Attack

6
Q

A physical or logical subnetwork that contains and exposes an organization’s external-facing services to an untrusted, usually larger, network such as the Internet

A

Demilitarized Zone (DMZ)

7
Q

Basic principles for configuring firewall ACLs

A

▪ Block incoming requests from internal or private, loopback, and
multicast IP address ranges
▪ Block incoming requests from protocols that should only be used locally (ICMP, DHCP, OSPF, SMB, etc)
▪ Configure IPv6 to either block all IPv6 traffic or allow it to authorized
hosts and ports only

8
Q

A deny rule can either drop a packet or explicitly reject it by sending a TCP RST or
an ICMP port/protocol unreachable to the requester

A

Drop Versus Reject

9
Q

ACL rules that are applied to traffic leaving a network to prevent malware from communicating to Command and Control servers

A

Egress Filtering

10
Q

Best practices for configuring egress filters

A

▪ Only allow whitelisted application ports and destination addresses
▪ Restrict DNS lookups to trusted and authorized DNS services
▪ Block access to known bad IP address ranges (blacklist)
▪ Block all internet access from host subnets that don’t use it (e.g.,
ICS/SCADA)
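
Added example (not part of the original flashcard set): a small first-match packet filter in Python that turns the principles from cards 7, 8 and 10 into an ordered rule list and evaluates constructed packets against it, with the implicit default deny at the end. The addresses, subnets (a DMZ web server, a trusted resolver, an ICS subnet, a blacklisted range) and the reject-response choices are assumptions of this example, not a real deployment; the drop-versus-reject split follows card 8, with reject sending a TCP RST or an ICMP unreachable back to the requester.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str            # "in" = arriving from the untrusted side, "out" = leaving toward it
    proto: str                # "tcp", "udp", "icmp", "ospf", ...
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "accept", "drop" (silent) or "reject" (answer the requester)
    direction: Optional[str] = None
    protos: frozenset = frozenset()     # empty means any protocol
    src_nets: tuple = ()                # empty means any source
    dst_nets: tuple = ()
    dports: frozenset = frozenset()

    def matches(self, p: Packet) -> bool:
        if self.direction and p.direction != self.direction:
            return False
        if self.protos and p.proto not in self.protos:
            return False
        if self.src_nets and not any(ip_address(p.src) in n for n in self.src_nets):
            return False
        if self.dst_nets and not any(ip_address(p.dst) in n for n in self.dst_nets):
            return False
        if self.dports and p.dport not in self.dports:
            return False
        return True

def nets(*cidrs):
    return tuple(ip_network(c) for c in cidrs)

# Constructed topology for the example: private, loopback and multicast ranges
# must never arrive from the outside; 192.0.2.0/24 is the DMZ, 10.0.0.0/8 the
# inside, 10.50.0.0/16 an ICS subnet that gets no Internet, 203.0.113.0/24 a
# blacklisted range.
BOGONS = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "224.0.0.0/4")
INTERNAL = nets("10.0.0.0/8")
ICS_SUBNET = nets("10.50.0.0/16")
TRUSTED_DNS = nets("192.0.2.53/32")
DMZ_WEB = nets("192.0.2.10/32")
BLACKLIST = nets("203.0.113.0/24")

RULES = [
    # ingress (card 7): spoofed internal sources, then locally scoped protocols/ports
    Rule("in-bogon-src", "drop", "in", src_nets=BOGONS),
    Rule("in-local-only-proto", "drop", "in", protos=frozenset({"icmp", "ospf"})),
    Rule("in-local-only-port", "drop", "in", protos=frozenset({"tcp", "udp"}),
         dports=frozenset({67, 68, 137, 138, 139, 445})),
    Rule("in-dmz-web", "accept", "in", protos=frozenset({"tcp"}), dst_nets=DMZ_WEB,
         dports=frozenset({80, 443})),
    # egress (card 10): DNS only to trusted resolvers, reject so internal clients
    # fail fast; everything else dropped silently to give outsiders nothing back
    Rule("out-dns-trusted", "accept", "out", protos=frozenset({"tcp", "udp"}),
         src_nets=INTERNAL, dst_nets=TRUSTED_DNS, dports=frozenset({53})),
    Rule("out-dns-other", "reject", "out", protos=frozenset({"tcp", "udp"}), dports=frozenset({53})),
    Rule("out-ics-no-internet", "drop", "out", src_nets=ICS_SUBNET),
    Rule("out-blacklist", "drop", "out", dst_nets=BLACKLIST),
    Rule("out-web", "accept", "out", protos=frozenset({"tcp"}), src_nets=INTERNAL,
         dports=frozenset({80, 443})),
]

def reject_response(p: Packet) -> str:
    """What an explicit reject sends back (card 8); the TCP RST / ICMP
    unreachable split mirrors the common firewall default."""
    if p.proto == "tcp":
        return "TCP RST"
    if p.proto == "udp":
        return "ICMP port unreachable"
    return "ICMP protocol unreachable"

def evaluate(p: Packet, rules=RULES) -> tuple[str, str, Optional[str]]:
    """First match wins; anything unmatched hits the implicit default deny,
    which drops silently. Returns (action, rule name, response sent back)."""
    for r in rules:
        if r.matches(p):
            return r.action, r.name, reject_response(p) if r.action == "reject" else None
    return "drop", "default-deny", None

if __name__ == "__main__":
    for pkt in (Packet("in", "tcp", "10.1.2.3", "192.0.2.10", 443),    # spoofed private source
                Packet("out", "udp", "10.0.0.5", "8.8.8.8", 53),       # DNS to an unapproved resolver
                Packet("out", "tcp", "10.50.1.1", "198.51.100.9", 443)):  # ICS host to the Internet
        print(pkt, "->", evaluate(pkt))
```

Rule order is the point: the bogon and local-only rules sit before the accept for the DMZ web server, so a packet that is both spoofed and aimed at port 443 is still dropped, and the ICS rule sits after the trusted-DNS accept so ICS hosts keep name resolution but nothing else.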

11
Q

A means of mitigating DoS or intrusion attacks by silently dropping (discarding) traffic

A

Black Hole

12
Q

Unused physical network ports or unused IP address space within a local network often used by attackers

A

Dark Nets

13
Q

A DoS attack mitigation strategy that directs the traffic that is flooding a target IP address to a different network for analysis

A

Sinkhole

14
Q

A server that mediates the communications between a client and another server, can filter or modify communications, and provides caching services to improve performance

A

Forward Proxy

15
Q

A server that redirects requests and responses for clients configured with the
proxy address and port

A

Nontransparent Proxy

16
Q

A server that redirects requests and responses without the client being explicitly configured to use it

A

Transparent Proxy (Forced or Intercepting Proxy)

17
Q

A type of proxy server that protects servers from direct contact
with client requests

A

Reverse Proxy

18
Q

A firewall designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks

A

Web Application Firewall (WAF)

19
Q

A software and/or hardware system that scans, audits, and monitors the security infrastructure for signs of attacks in progress

A

Intrusion Detection System (IDS)

20
Q

A software and/or hardware system that scans, audits, and monitors the security
infrastructure for signs of attacks in progress and can actively block the attacks

A

Intrusion Prevention System (IPS)

21
Q

Open-source software available for Windows and selected Linux distributions that can operate in IDS or IPS mode

A

Snort (snort.org)

22
Q

An open-source IDS for UNIX/Linux platforms that contains a
scripting engine which can be used to act on significant events
(notices) by generating an alert or implementing some sort of
shunning mechanism

A

Zeek (zeek.org)

23
Q

An open-source Linux-based platform for security monitoring,
incident response, and threat hunting. It bundles Snort,
Suricata, Zeek, Wireshark, and NetworkMiner with log
management and incident management tools

A

Security Onion (securityonion.net)

24
Q

Refers to blocking unauthorized application service ports on hosts and firewalls, or restricting the physical and remote access ports that allow a host to communicate on the local network

A

Port Security

25
Q

Physical access to the switch ports and switch hardware should be
restricted to authorized staff

A

Physical Port Security

26
Q

Applying an access control list to a switch or access point so that only
clients with approved MAC addresses can connect to it

A

MAC Filtering

27
Q

A general term for the collected protocols, policies, and hardware that
authenticate and authorize access to a network at the device level

A

Network Access Control (NAC)

28
Q

Network access control (NAC) provides the means to authenticate users and
evaluate device integrity before a network connection is permitted

A

NAC Configuration

29
Q

A standard for encapsulating EAP (Extensible Authentication Protocol)
communications over a LAN or wireless LAN that provides port-based authentication

A

802.1X

30
Q

A switch (or router) authenticates the attached device in some way before activating the port

A

Port-based NAC

31
Q

The process of assessing the
endpoint for compliance with the
health policy

A

Posture Assessment

32
Q

The process and procedures that occur if a device does not meet the minimum security profile

A

Remediation

33
Q

The point at which client devices are granted or denied access based on their compliance with a health policy

A

Pre- and Post-admission Control

34
Q

Defines access periods for given hosts using a time-based ACL

A

Time-based

35
Q

Evaluates the location of the endpoint requesting access using geolocation of its
IP, GPS, or other mechanisms

A

Location-based

36
Q

NAC method that re-evaluates a device’s authorization when it is used to do
something (also called adaptive NAC)

A

Role-based

37
Q

A complex admission policy that enforces a series of rules which are written as
logical statements (IF … AND … OR)

A

Rule-based
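
Added example (not part of the original flashcard set): a Python sketch of a NAC admission policy that puts cards 31 to 37 together: a health policy evaluated by posture assessment, a remediation VLAN for devices that fail it, pre-admission rules that are time-based and location-based and written as IF/AND/OR statements, and a post-admission (adaptive, role-based) re-check when the device tries to use a resource. The roles, thresholds, business hours, country list, resource names and VLAN names are assumptions of this example, and the endpoint attributes are taken as already collected by an agent or already resolved from the client IP.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

@dataclass
class Endpoint:
    mac: str
    user_role: str              # "employee", "contractor" or "finance" in this example
    os_patch_age_days: int
    av_enabled: bool
    av_signature_age_days: int
    disk_encrypted: bool
    country: str                # assumed already resolved from geolocation of the client IP
    when: datetime              # time of the connection attempt

@dataclass
class Decision:
    admitted: bool
    vlan: str                   # "production", "remediation" or "quarantine" (assumed names)
    reasons: list = field(default_factory=list)

# Health policy (card 31): each check returns (name, passed); thresholds are assumptions.
def check_patches(e: Endpoint):
    return "patches-current", e.os_patch_age_days <= 30

def check_av(e: Endpoint):
    return "antivirus", e.av_enabled and e.av_signature_age_days <= 7

def check_encryption(e: Endpoint):
    return "disk-encryption", e.disk_encrypted

HEALTH_CHECKS = (check_patches, check_av, check_encryption)

def posture_assessment(e: Endpoint) -> list:
    """Names of the health checks the endpoint fails (empty means compliant)."""
    return [name for name, ok in (check(e) for check in HEALTH_CHECKS) if not ok]

# Rule-based pre-admission statements (cards 34, 35, 37):
#   IF country NOT IN allowed                        THEN deny
#   IF role == contractor AND NOT in access window   THEN deny
BUSINESS_HOURS = (time(7, 0), time(19, 0))          # time-based ACL window, weekdays only
ALLOWED_COUNTRIES = {"US", "CA", "GB"}               # location-based rule

def in_access_window(when: datetime) -> bool:
    return when.weekday() < 5 and BUSINESS_HOURS[0] <= when.time() <= BUSINESS_HOURS[1]

def admission_decision(e: Endpoint) -> Decision:
    """Pre-admission control (card 33): identity, time and location rules run
    first, and a failure there means the device never reaches posture
    assessment. A trusted but unhealthy device is admitted only to the
    remediation VLAN (card 32), where patch and AV servers are reachable."""
    reasons = []
    if e.country not in ALLOWED_COUNTRIES:
        reasons.append(f"location {e.country} not permitted")
    if e.user_role == "contractor" and not in_access_window(e.when):
        reasons.append("contractor outside access window")
    if reasons:
        return Decision(False, "quarantine", reasons)
    failed = posture_assessment(e)
    if failed:
        return Decision(True, "remediation", failed)
    return Decision(True, "production")

# Post-admission, role-based (adaptive) control (card 36): authorization is
# re-evaluated when the device tries to use a resource, and posture is
# re-checked too, so a device that disabled its antivirus after admission
# loses access rather than keeping the grant it was given at connect time.
RESOURCE_ROLES = {"finance-share": {"finance"},
                  "printers": {"employee", "contractor", "finance"}}

def post_admission_check(e: Endpoint, resource: str) -> bool:
    if e.user_role not in RESOURCE_ROLES.get(resource, set()):
        return False
    return not posture_assessment(e)

if __name__ == "__main__":
    dev = Endpoint("aa:bb:cc:dd:ee:01", "employee", 5, True, 1, True, "US",
                   datetime(2024, 3, 4, 10, 0))
    print(admission_decision(dev), post_admission_check(dev, "finance-share"))
```

The ordering inside admission_decision is deliberate: a device that fails a pre-admission rule gets quarantine, not remediation, because remediation exists to fix a health problem on a device that is otherwise entitled to connect.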