Ch 10, 16, 19 QA Flashcards

1
Q

What is a Content Filter?

A

It restricts web use to authorized sites only.

e.g. schools or companies

2
Q

How does a proxy server work?

A

On a store-and-forward model: it deconstructs each packet, analyzes it, removes suspicious content, rebuilds it, and forwards it on.

i.e. The system breaks down a packet containing malicious content and erases the suspicious content before rebuilding the packet.

Filters traffic between the user and the internet. Added protection like a firewall/filter. It's a server with its own IP address like a computer, but it acts like a gate between your house and the world.

3
Q

How to configure a packet filtering firewall?

A

Specify a group of rules (ACL) defining the type of data in the packet and take action when the packet matches a rule.
i.e. A system admin builds rules based on source IP addresses allowing access to an intranet.
Stateless (no info kept, can cause load balancer issues)

4
Q

What is an application firewall?

A

Inspects packets and analyzes HTTP headers and code.
Tries to identify whether the code matches a pattern in its threat database.
Stateful (tracks info; allows established and related traffic once a new connection is accepted)

5
Q

What is an appliance firewall?

A

Monitors all traffic passing into and out of a network segment; a stand-alone hardware firewall.

6
Q

How does a transparent proxy server work?

A

aka forced or inline
It intercepts client traffic without the client needing to be configured with a proxy server address.

A server that intercepts the connection between an end-user or device and the internet. It is called “transparent” because it does so without modifying requests and responses

7
Q

What does a network admin do with a non-transparent proxy server?

A

Configures the client with a proxy server address and port number so it can use the proxy.

8
Q

What is a caching server?

A

Does not require client-side configuration (transparent proxy server). The client is unaware of the server, which redirects client requests without modification.
Saves web pages and requests for offline access.

9
Q

A network administrator wants to use a proxy server to prevent external hosts from connecting directly with application servers. Which proxy server implementation will best fit this need?

A

Reverse Proxy Server
Deployed on the network edge, it protects servers from direct contact with client requests from the public network (internet).

10
Q

A system administrator wants to install a mechanism to conceal the internal IP addresses of hosts on a private network. What tool can the administrator use to accomplish this security function?

A

A NAT gateway translates between a local and public network by substituting private IPs for a public IP and forwarding the requests to the public Internet, thereby concealing private addressing schemes.

11
Q

What does a Virtual firewall do?

A

Virtual firewalls often enact east-west security and zero-trust microsegmentation design paradigms. Virtual firewalls can inspect traffic as it passes from host-to-host or between virtual networks, rather than routing that traffic up to a firewall appliance and back.

12
Q

How are firewall ACLs configured?

A

On the principle of least access/least privilege

13
Q

What is a function and two problems with a NIDS?

A

Network-based Intrusion Detection System
Identifies and logs hosts and applications that the admin can analyze.
High chance of false positives and false negatives.
Does not block traffic during an attack.

14
Q

When implementing a NIDS, which sensor deployment is ideal if concern is for overloads and resiliency in case of a power loss?

A

Passive TAP (test access point) - the monitor port receives every frame (corrupt or not) and load does not affect copying.

15
Q

What is important to use when deploying an active TAP?

A

A model with backup power, because an active TAP will fail during a power loss.

16
Q

What does an aggregation TAP do?

A

It rebuilds the upstream and downstream channels into a single channel, but will drop frames under a heavy load.

17
Q

Are SPAN/mirror port sensors reliable?

A

Not completely. A switched port analyzer (aka mirror) may drop frames when under a heavy load, and frames with errors will not be mirrored.

18
Q

What is a mirror port?

A

Set up one port to copy (mirror) packets.

The switch sends those copies to another port to be analyzed.

19
Q

What to consider when using a signature-based intrusion detection system?

A

The signatures and rules need to be updated regularly to protect against current threat types.

20
Q

Which system produces false positives & may block legitimate activity?

A

NBAD - Network behavior and anomaly detection engines use heuristics to create a baseline.
(creates false positives and negatives until it reaches "normal")
Behavioral-based detection engines recognize baseline traffic/events and generate an incident when anything deviates.

21
Q

What system can detect zero-day attacks?

A

Behavioral-based detection software identifies zero-day, insider threats, and other malicious activity that has a signature which deviates from the baseline

22
Q

Which of the following solutions best addresses data availability concerns that may arise with the use of application-aware next-generation firewalls (NGFW) and unified threat management (UTM) solutions?

A

SWG - secure web gateway
NGFW and UTM provide high confidentiality and integrity, but their lower throughput reduces availability.
Use an SWG as a content filter so that security solutions for server traffic are treated differently from user traffic.

23
Q

What does an IPS do?

A

Intrusion Prevention Systems are positioned like firewalls at borders between network zones, providing an active response to network threats.

24
Q

What does a TAP do?

A

Active or passive Test Access Points are hardware devices inserted into a cable to copy frames for analysis.

25
Q

Which product can help fine-tune firewall and appliance settings?

A

NIDS (network-based intrusion detection system)
Analyzing NIDS logs lets an administrator tune firewall rulesets, remove or block suspect hosts and processes from the network, or deploy additional security controls to mitigate identified threats.

26
Q

What does a UTM do?

A

Unified threat management products centralize security controls, so a UTM may not perform as well as a device with a single dedicated security function.

27
Q

How does an IPS differ from an IDS?

A

An IDS is passive, but an intrusion prevention system can provide an active response to any network threat it matches.

28
Q

Name two types of SIEM log collection.

A

Agent-based (install an agent on the host to filter the data that goes to the SIEM server for analysis and storage)

Listener/Collector - parses and normalizes each log/monitoring source after configuring hosts to push updates to the SIEM using syslog or SNMP

29
Q

What is log aggregation?

A

Normalizing data from different sources so it is consistent and searchable; it does not refer to a type of log collection.

30
Q

What is packet capture?

A

Data captured from network sensors/sniffers plus NetFlow sources, which provides both summary statistics about bandwidth and protocol usage and the opportunity for detailed frame analysis.

31
Q

When does SIEM need AI & ML the most?

A

Analysis and Report Review
SIEM links events or data points (observables) into a meaningful indicator of risk or IoC.

AI and Machine Learning drive correlation efforts for automated analysis.

32
Q

How does data aggregation work?

A

With SIEM, it normalizes data from different sources so it's consistent and searchable.

33
Q

What is the first task of SIEM?

A

To collect data inputs from multiple sources (agent-based log collection, sensor/sniffer data, listener/collector protocols such as syslog and SNMP (simple network management protocol)).

34
Q

How does SIEM improve on traditional log management?

A

Performs correlation, linking observables (data points) into a meaningful indicator of risk or IoC.

35
Q

What handles the problem of the volume of alerts overwhelming an analyst's ability to respond?

A

SOAR - security orchestration, automation, and response

Alone or with a SIEM, machine learning is used for incident response and threat hunting.

36
Q

Where does SIEM collect data from?

A

Agent-based collection, listener/collector protocols, and sensors (sniffers) that collect packet captures and traffic flow data.

37
Q

True or False? As they protect data at the highest layer of the protocol stack, application-based firewalls have no basic packet filtering functionality.

A

False, all firewalls perform basic packet filtering (by IP address, protocol type, port number, and so on)

38
Q

What distinguishes host-based (personal) software firewall from a network firewall appliance?

A

Personal firewall software can block processes from accessing a network connection as well as applying filtering rules.

A personal firewall protects the local host only, while a network firewall filters traffic for all hosts on the segment behind the firewall.

39
Q

What is usually the purpose of the default rule on a firewall?

A

Block any traffic not specifically allowed (implicit deny).

40
Q

True or false? Static NAT means mapping a single public/external IP address to a single private/internal IP address.

A

True

41
Q

What is NAT?

A

A NAT gateway is a service that translates between the private addressing scheme used by hosts on the LAN and the public addressing scheme used by the router, firewall, or proxy server on the network edge.

42
Q

What is the purpose of SIEM?

A

Security information and event management (SIEM) products aggregate IDS alerts and host logs from multiple sources, then perform correlation analysis on the observables collected to identify indicators of compromise and alert administrators to potential incidents.

43
Q

Does syslog perform all the functions of a SIEM?

A

No, syslog allows remote hosts to send logs to a server, but syslog does not aggregate/normalize the log data or run correlation rules to identify alertable events.

44
Q

What areas of a business or workflow must you examine to assess multiparty risk?

A

Supply chain dependencies
Customer relations (in case of a cyber incident disrupting business)

45
Q

What risk type arises from shadow IT?

A

Shadow IT is the deployment of hardware, software, or cloud services without the sanction of the system owner (typically the IT department). The system owner will typically be liable for software compliance/licensing risks.

46
Q

What metric(s) could be used to make a quantitative calculation of risk due to a specific threat to a specific function or asset?

A

Single Loss Expectancy (SLE) or Annual Loss Expectancy (ALE). ALE is SLE multiplied by ARO (Annual Rate of Occurrence).

47
Q

What factors determine the selection of security controls in terms of an overall budget?

A

The risk (as determined by impact and likelihood) compared to the cost of the control. This metric can be calculated as Return on Security Investment (ROSI).

48
Q

What type of risk mitigation option is offered by purchasing insurance?

A

Risk transference.

49
Q

What is a risk register?

A

A document highlighting the results of risk assessments in an easily comprehensible format (such as a heat map or “traffic light” grid). Its purpose is for department managers and technicians to understand risks associated with the workflows that they manage.

50
Q

What is control risk?

A

Control risk arises when a security control is ineffective at mitigating the impact and/or likelihood of the risk factor it was deployed to mitigate. The control might not work as hoped, or it might become less effective over time.

the chance it will screw up

51
Q

What factor is most likely to reduce a system’s resiliency?

A

Single points of failure.

52
Q

True or false? RTO expresses the amount of time required to identify and resolve a problem within a single system or asset.

A

True

53
Q

What is measured by MTBF?

A

Mean Time Between Failures (MTBF) represents the expected reliability of a product over its lifetime.

54
Q

What is a tabletop exercise?

A

A discussion-based drill of emergency response procedures. Staff may role-play and discuss their responses but actual emergency conditions are not simulated.

55
Q

Why are exercises an important part of creating a disaster recovery plan?

A

Full-scale or functional exercises can identify mistakes in the plan that might not be apparent when drafting procedures. It also helps to familiarize staff with the plan.

56
Q

Name the 5 steps in a Risk Management Process

A

1) Identify Mission Essential Functions (could cause the whole company to fail)
2) Identify Vulnerabilities (systems & assets)
3) Identify threats (sources & actors, why vulnerability exploited)
4) Analyze business Impacts (likelihood vulnerability will be activated by a threat & impact)
5) Identify Risk Response (id countermeasures for each risk & cost for extra security)

57
Q

Management of a company practices qualitative risk when assessing a move of systems to the cloud. How does the company indicate any identified risk factors?

A

Qualitative risk assessment uses categories or classifications such as Irreplaceable, High Value, Medium Value, and Low Value.

58
Q

What is EF?

A

An Exposure Factor (EF) is the percentage of the asset value that would be lost in the event of an incident.

59
Q

Management of a company identifies priorities during a risk management exercise. By doing so, which risk management approach does management use?

A

Risk posture is the overall status of risk management. Risk posture shows which risk response options management can identify and prioritize.

60
Q

Define inherent risk.

A

The result of a quantitative or qualitative analysis is a measure of inherent risk. Inherent risk is the level of risk before attempting any type of mitigation.

61
Q

Define risk avoidance.

A

Risk avoidance means that management halts the activity that is risk-bearing. For example, management may discontinue a flawed product to avoid risk.

62
Q

What is MTD?

A

The Maximum Tolerable Downtime (MTD) is the longest period of time a business function outage may occur without causing irrecoverable business failure.

63
Q

What is the difference between RTO and RPO?

A

Recovery Time Objective (RTO) is the period following a disaster that an individual IT system may remain offline. It also represents the amount of time it takes to identify that there is a problem and perform a recovery.

Recovery Point Objective (RPO) is the amount of data loss a system can sustain, measured in time. If a database is destroyed and has an RPO of 24 hours, the data can be recovered to a point not longer than 24 hours before the database was infected.

64
Q

What is WRT?

A

Work Recovery Time (WRT) is the additional time that it takes to restore data from backup, reintegrate different systems, and test overall functionality. This can also include briefing system users on any changes or different working practices so that the business function is again fully supported.

65
Q

What is a KPI?

A

Key Performance Indicators (KPIs) determine the reliability of each asset. Main KPIs include MTBF and MTTR.

66
Q

A company determines the mean amount of time to replace or recover a system. What has the company calculated?

A

Mean Time to Repair (MTTR) is a measure of the time taken to correct a fault to restore the system to full operation. This is also known as a mean time to replace or recover and is important in determining the overall Recovery Time Objective (RTO).

67
Q

What is the difference between the role of data steward and the role of data custodian?

A

The data steward role is concerned with the quality of data (format, labeling, normalization, and so on). The data custodian role focuses on the system hosting the data assets and its access control mechanisms.

68
Q

What range of information classifications could you implement in a data labeling project?

A

One set of tags could indicate the degree of confidentiality (public, confidential/secret, or critical/top secret).
Another tagging schema could distinguish proprietary from private/sensitive personal data.

69
Q

To what data state does a trusted execution environment apply data protection?

A

Data in processing/data in use.

70
Q

You take an incident report from a user trying to access a REPORT.docx file on a SharePoint site. The file has been replaced by a REPORT.docx.QUARANTINE.txt file containing a policy violation notice. What is the most likely cause?

A

This is typical of a data loss prevention (DLP) policy replacing a file involved in a policy violation with a tombstone file.

71
Q

Define Data Owner

A

A data owner has the ultimate responsibility for maintaining the confidentiality, integrity, and availability of the information asset.
The owner is responsible for labeling the asset and ensuring it is protected with appropriate controls.

72
Q

Define Data Custodian

A

A data custodian is responsible for managing the system where data assets are stored, including responsibility for enforcing access control, encryption, and backup or recovery measures.

73
Q

Define Data Steward

A

The data steward is primarily responsible for data quality, such as ensuring data is labeled and identified with appropriate metadata and that data is collected and stored in a format with values that comply with applicable laws and regulations.

74
Q

Define Privacy Officer

A

The privacy officer is responsible for oversight of any Personally Identifiable Information (PII) assets managed by the company and ensures that the processing and disclosure of PII comply with the legal and regulatory frameworks.

75
Q

A new cloud-based application will replicate its data on a global scale, but will exclude residents of the European Union. Which concerns should the organization that provides the data to consumers take into consideration? (Select all that apply.)

A

Data sovereignty refers to a jurisdiction preventing or restricting processing and storage from taking place on systems that do not physically reside within that jurisdiction.

Storage locations might have to be carefully selected to mitigate data sovereignty issues. Most cloud providers allow a choice of data centers for processing and storage.

76
Q

What is IRM?

A

A benefit of IRM (information rights management) is that file permissions can be assigned for different document roles, such as author, editor, or reviewer. Each role can have specific access rights, such as sending, printing, and editing.

Printing and forwarding of documents can be restricted even when the document is sent as a file attachment. This means that just because a document is forwarded, it may not be printable.

Printing and forwarding of email messages can be restricted.

Not immune to screen captures.