Application Monitoring

Question 1

A list of permitted and denied network connections based on either IP addresses,
ports, or applications in use

Answer 1

Access Control List (ACL)

Question 2

Firewall logs can provide you with four types of useful security data

Answer 2

Connections that are permitted or denied
Port and protocol usage in the network
Bandwidth utilization with the duration and volume of usage
An audit log of the address translations (NAT/PAT) that occurred

Question 3

A Linux-based firewall that uses the syslog file format for its logs

Answer 3

iptables

Question 4

A Windows-based firewall that uses the W3C Extended Log File Format

Answer 4

Windows Firewall

Question 5

A condition that occurs when a firewall is under-resourced and cannot log data fast enough, therefore some data is missed

Answer 5

Blinding Attack

Question 6

A physical or logical subnetwork that contains and exposes an organization’s external-facing services to an untrusted, usually larger, network such as the Internet

Answer 6

Demilitarized Zone (DMZ)

Question 7

Basic principles for configuring firewall ACLs

Answer 7

▪ Block incoming requests from internal or private, loopback, and
multicast IP address ranges
▪ Block incoming requests from protocols that should only be used locally (ICMP, DHCP, OSPF, SMB, etc)
▪ Configure IPv6 to either block all IPv6 traffic or allow it to authorized
hosts and ports only

Question 8

A deny rule can either drop a packet or explicitly reject it by sending a TCP RST or
an ICMP port/protocol unreachable to the requester

Answer 8

Drop Versus Reject

Question 9

ACL rules that are applied to traffic leaving a network to prevent malware from communicating to Command and Control servers

Answer 9

Egress Filtering

Question 10

Best practices for configuring egress filters

Answer 10

▪ Only allow whitelisted application ports and destination addresses
▪ Restrict DNS lookups to trusted and authorized DNS services
▪ Block access to known bad IP address ranges (blacklist)
▪ Block all internet access from host subnets that don’t use it (e.g.,
ICS/SCADA)

Question 11

A means of mitigating DoS or intrusion attacks by silently dropping (discarding) traffic

Answer 11

Black Hole

Question 12

Unused physical network ports or unused IP address space within a local network often used by attackers

Answer 12

Dark Nets

Question 13

A DoS attack mitigation strategy that directs the traffic that is flooding a target IP address to a different network for analysis

Answer 13

Sinkhole

Question 14

A server that mediates the communications between a client and another server, can filter or modify communications, and provides caching services to improve performance

Answer 14

Forward Proxy

Question 15

A server that redirects requests and responses for clients configured with the
proxy address and port

Answer 15

Nontransparent Proxy

Question 16

A server that redirects requests and responses without the client being explicitly configured to use it

Answer 16

Transparent Proxy (Forced or Intercepting Proxy)

Question 17

A type of proxy server that protects servers from direct contact
with client requests

Answer 17

Reverse Proxy

Question 18

A firewall designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks

Answer 18

Web Application Firewall (WAF)

Question 19

A software and/or hardware system that scans, audits, and monitors the security infrastructure for signs of attacks in progress

Answer 19

Intrusion Detection System (IDS)

Question 20

A software and/or hardware system that scans, audits, and monitors the security
infrastructure for signs of attacks in progress and can actively block the attacks

Answer 20

Intrusion Prevention System (IPS)

Question 21

An open-source software available for Windows and selected Linux distributions that can operate as an IDS or IPS mode

Answer 21

Snort (snort.org)

Question 22

An open-source IDS for UNIX/Linux platforms that contains a
scripting engine which can be used to act on significant events
(notices) by generating an alert or implementing some sort of
shunning mechanism

Answer 22

Zeek (zeek.org)

Question 23

An open-source Linux-based platform for security monitoring,
incident response, and threat hunting. It bundles Snort,
Suricata, Zeek, Wireshark, and NetworkMiner with log
management and incident management tools

Answer 23

Security Onion (securityonion.net)

Question 24

Refer to the blocking unauthorized application service ports on hosts and firewalls, or the physical and remote access ports used to allow a host to communicate on the local network

Answer 24

Port Security

Question 25

Physical access to the switch ports and switch hardware should be
restricted to authorized staff

Answer 25

Physical Port Security

Question 26

Applying an access control list to a switch or access point so that only
clients with approved MAC addresses can connect to it

Answer 26

MAC Filtering

Question 27

A general term for the collected protocols, policies, and hardware that
authenticate and authorize access to a network at the device level

Answer 27

Network Access Control (NAC)

Question 28

Network access control (NAC) provides the means to authenticate users and
evaluate device integrity before a network connection is permitted

Answer 28

NAC Configuration

Question 29

A standard for encapsulating EAP (Extensible Authentication Protocol)
communications over a LAN or wireless LAN and that provides port-based authentication

Answer 29

802.1X

Question 30

A switch (or router) that performs some sort of authentication of the attached device before activating the port

Answer 30

Port-based NAC

Question 31

The process of assessing the
endpoint for compliance with the
health policy

Answer 31

Posture Assessment

Question 32

The process and procedures that occur is a device does not meet the minimum-security profile

Answer 32

Remediation

Question 33

The point at which client devices are granted or denied access based on their compliance with a health policy

Answer 33

Pre- and Post-admission Control

Question 34

Defines access periods for given hosts using a time-based ACL

Answer 34

Time-based

Question 35

Evaluates the location of the endpoint requesting access using geolocation of its
IP, GPS, or other mechanisms

Answer 35

Location-based

Question 36

NAC method that re-evaluates a device’s authorization when it is used to do
something (also called adaptive NAC)

Answer 36

Role-based

Question 37

A complex admission policy that enforces a a series of rules which are written as
logical statements (IF …. AND …. OR)

Answer 37

Rule-based