Ch 9, 11, 12, 13 Flashcards

1
Q

A recent security evaluation concluded that your company’s network design is too consolidated.
Hosts with wildly different functions and purposes are grouped together on the same logical area of the network. In the past, this has enabled attackers to easily compromise large swaths of network hosts. What technique(s) do you suggest will improve the security of the network’s design, and why?

A

In general, you should implement some form of network segmentation so that hosts with the same security requirements sit in their own segregated zones, with traffic between zones passing through a filtering device (a firewall or a router ACL). For example, the workstations in each business department can be placed in their own subnets so that a compromise of one subnet cannot spread freely to another. Likewise, with VLANs you can manage the logical segmentation of the network without disrupting the physical infrastructure (devices and cabling). Note that a VLAN by itself only separates broadcast domains; it adds no security unless inter-VLAN traffic is actually filtered.

2
Q

You are discussing a redesign of network architecture with a client, and they want to know what the
difference between an extranet and Internet is. How can you explain it?

A

The Internet is an external zone where none of the hosts accessing your services can be assumed trusted
or authenticated. An extranet is a zone allowing controlled access to semi-trusted hosts, implying some sort of authentication. The hosts are semi-trusted because they are not under the administrative control of the organization (as they are owned by suppliers, customers, business partners, contractors, and so on).

3
Q

Why is subnetting useful in secure network design?

A

Traffic between subnets must be routed, so it can be inspected and filtered by devices such as a firewall or a router ACL. An attacker has to discover the layout of the network and get past more barriers to move from one subnet to another, which raises the cost of an attack and limits how far a single compromise can spread.

4
Q

How can an enterprise DMZ be implemented?

A

By using two firewalls (external and internal) around a screened subnet, or by using a triple-homed firewall (one with three network interfaces).

5
Q

What type of network requires the design to account for east-west traffic?

A

This is typical of a data center or server farm, where a single external request causes multiple cascading requests between servers within the data center. This is a problem for a perimeter security model, as funneling this traffic up to a firewall and then back to a server creates a performance bottleneck.

6
Q

Why might an ARP poisoning tool be of use to a threat actor performing network reconnaissance?

A

The attacker could trick computers into sending traffic through the attacker’s computer (an on-path, or man-in-the-middle, attack) and, therefore, examine traffic that would not normally be accessible to them on a switched network, where a switch only forwards unicast frames to the port that owns the destination MAC address.

7
Q

How could you prevent a malicious attacker from engineering a switching loop from a host connected to a standard switch port?

A

Enable BPDU Guard on access ports (typically together with PortFast). A host on an access port should never send Spanning Tree BPDUs; BPDU Guard shuts the port down (err-disables it) if one arrives, so a device pretending to be a switch is cut off before it can alter the topology. PortFast itself is a convergence optimization, not a guard.

8
Q

What port security feature mitigates ARP poisoning?

A

Dynamic ARP Inspection (DAI). On untrusted ports, the switch checks the sender IP and MAC address in each ARP packet against the binding table built by DHCP snooping and drops packets that do not match, so DHCP snooping must be enabled first (statically addressed hosts need ARP ACLs, or their ARP traffic will also be dropped).
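
The interplay between DHCP snooping, Dynamic ARP Inspection and rogue DHCP servers (cards 6, 8 and 21) is easier to see in a simulation. The following is an added illustration, not code from the original flashcards or from any switch vendor; the port names, the trusted-port set and every frame are constructed.

```python
"""Simulated DHCP snooping binding table feeding Dynamic ARP Inspection (DAI).

Added illustration for cards 6, 8 and 21; not code from the original flashcards.
Port names, the trusted-port set and all frames are constructed."""

from collections import namedtuple

Binding = namedtuple("Binding", "ip mac port")

# Constructed: the uplink towards the real DHCP server is the only trusted port.
TRUSTED_PORTS = {"Gi0/24"}


class DhcpSnooping:
    """Accept DHCP server messages only from trusted ports and learn IP/MAC/port bindings."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = {}      # ip -> Binding
        self.dropped = []       # server messages that arrived on untrusted ports (rogue servers)

    def observe(self, frame):
        if frame["port"] not in self.trusted:
            self.dropped.append(frame)     # rogue DHCP server: drop, never learn from it
            return False
        if frame["op"] == "ACK":           # lease confirmed: record who got which address, and where
            self.bindings[frame["yiaddr"]] = Binding(frame["yiaddr"], frame["chaddr"], frame["client_port"])
        return True


class ArpInspection:
    """Permit an ARP packet on an untrusted port only if sender IP/MAC/port match a binding."""

    def __init__(self, snooping):
        self.snooping = snooping

    def permit(self, arp):
        if arp["port"] in self.snooping.trusted:
            return True                    # DAI does not inspect trusted ports
        b = self.snooping.bindings.get(arp["sender_ip"])
        # No binding at all (e.g. a statically addressed host) is also a drop: this is why
        # DAI depends on DHCP snooping, or on ARP ACLs for static hosts.
        return b is not None and b.mac == arp["sender_mac"] and b.port == arp["port"]


# Constructed DHCP server messages as seen by the switch.
DHCP_FRAMES = [
    {"port": "Gi0/24", "op": "ACK", "yiaddr": "10.0.0.10", "chaddr": "aa:aa:aa:aa:aa:01", "client_port": "Gi0/1"},
    {"port": "Gi0/24", "op": "ACK", "yiaddr": "10.0.0.11", "chaddr": "aa:aa:aa:aa:aa:02", "client_port": "Gi0/2"},
    # Rogue server plugged into an access port, offering a malicious configuration
    {"port": "Gi0/7", "op": "OFFER", "yiaddr": "10.0.0.50", "chaddr": "aa:aa:aa:aa:aa:03", "client_port": "Gi0/3"},
]

# Constructed ARP packets: legitimate hosts, and an attacker on Gi0/7 first claiming a
# victim's IP and then the gateway's IP (classic on-path poisoning).
ARP_PACKETS = [
    {"port": "Gi0/1", "sender_ip": "10.0.0.10", "sender_mac": "aa:aa:aa:aa:aa:01"},
    {"port": "Gi0/7", "sender_ip": "10.0.0.10", "sender_mac": "de:ad:be:ef:00:07"},
    {"port": "Gi0/2", "sender_ip": "10.0.0.11", "sender_mac": "aa:aa:aa:aa:aa:02"},
    {"port": "Gi0/7", "sender_ip": "10.0.0.1", "sender_mac": "de:ad:be:ef:00:07"},
]


def run_dai(dhcp_frames=DHCP_FRAMES, arp_packets=ARP_PACKETS):
    snoop = DhcpSnooping(TRUSTED_PORTS)
    for frame in dhcp_frames:
        snoop.observe(frame)
    dai = ArpInspection(snoop)
    return {
        "bindings": {ip: (b.mac, b.port) for ip, b in snoop.bindings.items()},
        "rogue_offers_dropped": len(snoop.dropped),
        "verdicts": ["permit" if dai.permit(a) else "drop" for a in arp_packets],
    }


if __name__ == "__main__":
    for key, value in run_dai().items():
        print(key, value)
```

The rogue OFFER on Gi0/7 never reaches clients and never pollutes the binding table, and both attacker ARP packets are dropped: the first because the MAC does not match the victim's binding, the second because the gateway has no DHCP binding at all. That second drop is also the operational trap: a statically addressed server on an untrusted port is treated exactly like the attacker unless you add an ARP ACL for it.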

9
Q

What is a dissolvable agent?

A

Some network access control (NAC) solutions perform host health checks via a local agent, running on the host. A dissolvable agent is one that is executed in the host’s memory and CPU but not installed to a local disk.

10
Q

True or false? Band selection has a critical impact on all aspects of the security of a wireless network?

A

False—band selection can affect availability and performance but does not have an impact in terms of either confidentiality or integrity.

11
Q

The network manager is recommending the use of “thin” access points to implement the wireless network. What additional appliance or software is required and what security advantages should this have?

A

You need a wireless LAN controller to configure and manage the access points. This makes each access point harder to tamper with, as there is no local administration interface, and configuration errors should also be easier to identify because policy is defined centrally rather than on each device.

12
Q

What is a pre-shared key?

A

This is a type of group authentication used when the infrastructure for authenticating users individually (via RADIUS/802.1X, for instance) is not available. Every client shares the same passphrase, so the system depends entirely on the strength (and secrecy) of that passphrase, and it cannot identify individual users.

13
Q

Is WPS a suitable authentication method for enterprise networks?

A

No. Wi-Fi Protected Setup (WPS) is a consumer convenience for joining a WPA/WPA2 personal (pre-shared key) network with a PIN or a push button, and the PIN method has well-known brute-force weaknesses. An enterprise network should use WPA-Enterprise, with 802.1X and RADIUS authentication, and WPS should be disabled.

14
Q

You want to deploy a wireless network where only clients with domain-issued digital certificates can
join the network. What type of authentication mechanism is suitable?

A

EAP-TLS is the best choice because it requires that both server and client be installed with valid certificates.

15
Q

Why are many network DoS attacks distributed?

A

Most attacks depend on overwhelming the victim. This typically requires a large number of hosts, or bots.

16
Q

What is an amplification attack?

A

The attacker spoofs the victim’s IP address in requests to several reflecting servers (often open DNS resolvers or NTP servers). The requests are crafted so that each reflecting server sends a response much larger than the request to the victim’s address, overwhelming the victim’s bandwidth; the attacker’s own bandwidth is multiplied by the amplification factor.
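
From the victim's side the signature of an amplification attack is unsolicited responses: large DNS or NTP replies from many servers that the victim never queried. The following detector is an added example for card 16, not code from the flashcards; it runs over constructed flow records representing what a sensor at the victim's network edge would see (the attacker's spoofed requests originate elsewhere and never cross that edge).

```python
"""Spot reflection/amplification victims in flow records: a host receiving large volumes of
DNS/NTP *responses* from many servers while sending (almost) no matching requests.

Added example for card 16; not from the flashcards. The flow records are constructed."""

from collections import defaultdict

REFLECTOR_PORTS = {53: "DNS", 123: "NTP"}    # services commonly abused as reflectors


def amplification_report(flows, min_ratio=10.0, min_reflectors=3):
    """flows: dicts {src, dst, sport, dport, bytes}, one per unidirectional flow.
    Returns {(host, service): stats} for hosts whose inbound reflector traffic dwarfs
    their own requests and arrives from at least min_reflectors distinct servers."""
    sent = defaultdict(int)          # (host, service) -> request bytes the host sent
    recv = defaultdict(int)          # (host, service) -> response bytes the host received
    reflectors = defaultdict(set)    # (host, service) -> servers that answered it
    for f in flows:
        if f["dport"] in REFLECTOR_PORTS:            # request: host -> server
            sent[(f["src"], REFLECTOR_PORTS[f["dport"]])] += f["bytes"]
        elif f["sport"] in REFLECTOR_PORTS:          # response: server -> host
            key = (f["dst"], REFLECTOR_PORTS[f["sport"]])
            recv[key] += f["bytes"]
            reflectors[key].add(f["src"])
    report = {}
    for key, response_bytes in recv.items():
        request_bytes = sent.get(key, 0)
        ratio = response_bytes / max(request_bytes, 1)   # wholly unsolicited -> huge ratio
        if ratio >= min_ratio and len(reflectors[key]) >= min_reflectors:
            report[key] = {"request_bytes": request_bytes, "response_bytes": response_bytes,
                           "ratio": round(ratio, 1), "reflectors": len(reflectors[key])}
    return report


def _flow(src, dst, sport, dport, nbytes):
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "bytes": nbytes}


VICTIM, CLIENT = "203.0.113.7", "203.0.113.20"           # constructed addresses
OPEN_RESOLVERS = [f"198.51.100.{i}" for i in range(1, 6)]
NTP_SERVERS = [f"192.0.2.{i}" for i in range(1, 4)]

FLOWS = (
    # Normal client: small queries to two resolvers, modest answers back
    [_flow(CLIENT, r, 51000 + i, 53, 60) for i, r in enumerate(OPEN_RESOLVERS[:2])]
    + [_flow(r, CLIENT, 53, 51000 + i, 220) for i, r in enumerate(OPEN_RESOLVERS[:2])]
    # Victim: large DNS answers from five resolvers it never queried
    + [_flow(r, VICTIM, 53, 4000, 3_800) for r in OPEN_RESOLVERS]
    # Victim: monlist-sized NTP answers from three servers, again unsolicited
    + [_flow(s, VICTIM, 123, 4000, 48_000) for s in NTP_SERVERS]
)


if __name__ == "__main__":
    for key, stats in amplification_report(FLOWS).items():
        print(key, stats)
```

The normal client is not flagged (its response-to-request ratio is below 10 and it talked to only two servers), while the victim shows up twice, once per abused service. The thresholds are constructed starting points; tune them against your own baseline, and remember that the real fix is upstream: source-address validation (BCP 38) at ISPs and not running open resolvers or unrestricted NTP.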

17
Q

What is meant by scheduling in the context of load balancing?

A

The algorithm and metrics that determine which node a load balancer picks to handle a request.

18
Q

What mechanism provides the most reliable means of associating a client with a particular server
node when using load balancing?

A

Persistence is a layer 7 mechanism that works by injecting a session cookie, so the balancer can recognize the client on every request regardless of its address. This is generally more reliable than layer 4 source IP affinity, which breaks when a client’s address changes and lumps together all the clients behind one NAT address.
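
A small in-memory balancer makes the difference between scheduling (card 17) and persistence (card 18) concrete. This is an added example, not code from the flashcards or from any load-balancer product; the node names, cookie name and client addresses are constructed.

```python
"""Minimal in-memory load balancer: two scheduling algorithms (round robin, least connections)
and two persistence mechanisms (layer 7 session cookie, layer 4 source-IP affinity).

Added example for cards 17 and 18; not from the flashcards. Node names, the cookie name
and the client addresses are constructed."""

import itertools


class LoadBalancer:
    COOKIE = "LBSESSION"      # assumed cookie name

    def __init__(self, nodes, scheduling="round_robin", persistence="none"):
        self.nodes = list(nodes)
        self.scheduling = scheduling
        self.persistence = persistence
        self._cycle = itertools.cycle(self.nodes)
        self.active = {n: 0 for n in self.nodes}   # open connections per node
        self.affinity = {}                          # source IP -> node

    # --- scheduling: which node gets a request that has no existing association ---
    def _schedule(self):
        if self.scheduling == "round_robin":
            return next(self._cycle)
        if self.scheduling == "least_connections":
            # fewest open connections wins; ties go to the earlier node in the pool
            return min(self.nodes, key=lambda n: (self.active[n], self.nodes.index(n)))
        raise ValueError(f"unknown scheduling {self.scheduling}")

    def begin(self, node):
        self.active[node] += 1

    def end(self, node):
        self.active[node] -= 1

    # --- persistence: keep a client on the node it started on ---
    def route(self, request):
        """request = {'src_ip': str, 'cookies': dict}. Returns (node, cookie_to_set or None)."""
        if self.persistence == "cookie":
            node = request.get("cookies", {}).get(self.COOKIE)
            if node in self.nodes:
                return node, None                  # follow the cookie, whatever the source IP
            node = self._schedule()
            # Real balancers encrypt or sign this value, or use an opaque id, so the backend
            # name is not leaked and clients cannot steer themselves to a chosen node.
            return node, {self.COOKIE: node}
        if self.persistence == "source_ip":
            node = self.affinity.get(request["src_ip"])
            if node is None:
                node = self.affinity[request["src_ip"]] = self._schedule()
            return node, None
        return self._schedule(), None


NODES = ["web1", "web2", "web3"]


def persistence_demo():
    """Why layer 7 cookie persistence is more reliable than source-IP affinity."""
    nat_ip, new_ip = "203.0.113.5", "198.51.100.9"        # constructed client addresses

    lb = LoadBalancer(NODES, persistence="source_ip")
    a_first, _ = lb.route({"src_ip": nat_ip})              # client A, first request
    b_first, _ = lb.route({"src_ip": nat_ip})              # client B behind the same NAT: piled onto A's node
    a_moved, _ = lb.route({"src_ip": new_ip})              # client A after changing networks: session lost

    lb = LoadBalancer(NODES, persistence="cookie")
    c_first, cookie = lb.route({"src_ip": nat_ip, "cookies": {}})
    c_moved, _ = lb.route({"src_ip": new_ip, "cookies": cookie})   # same client, new IP: cookie still wins
    d_first, _ = lb.route({"src_ip": nat_ip, "cookies": {}})      # other client behind the NAT: balanced normally
    return {"source_ip": (a_first, b_first, a_moved), "cookie": (c_first, c_moved, d_first)}


def least_connections_demo():
    """Scheduling by load instead of turn order."""
    lb = LoadBalancer(NODES, scheduling="least_connections")
    for node in ("web1", "web1", "web2"):
        lb.begin(node)
    first, _ = lb.route({"src_ip": "192.0.2.1"})           # web3 has no connections
    for _ in range(2):
        lb.begin(first)
    second, _ = lb.route({"src_ip": "192.0.2.2"})          # now web2 is least loaded
    return first, second


if __name__ == "__main__":
    print(persistence_demo())
    print(least_connections_demo())
```

In the source-IP run the second client behind the NAT is forced onto the first client's node and the first client loses its session when its address changes; in the cookie run the moving client stays on its node and the other NAT client is balanced normally. The cookie's value is also an input the client controls, which is why production balancers protect or opaque it rather than storing a raw backend name as this toy does.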

19
Q

True or false? A virtual IP is a means by which two appliances can be put in a fault tolerant
configuration to respond to requests for the same IP address?

A

True

20
Q

What field provides traffic marking for a QoS system at layer 3?

A

Layer 3 marking uses the DiffServ (DS) field in the IP header, which carries the DSCP value. (Layer 2 marking uses the priority bits in the 802.1Q VLAN tag.)

21
Q

What vulnerabilities does a rogue DHCP server expose users to?

A

Denial of service (providing an invalid address configuration) and spoofing (providing a malicious address configuration—one that points to a malicious DNS, for instance).

22
Q

Why is it vital to ensure the security of an organization’s DNS service?

A

DNS resolves domain names to IP addresses. If it were corrupted, users could be directed to spoofed websites (and mail or other services could be redirected). Disrupting DNS also causes denial of service, since clients can no longer locate any service by name.

23
Q

True or false? The contents of the HOSTS file are irrelevant as long as a DNS service is properly configured.

A

False. On Windows the resolver consults the HOSTS file before querying DNS (its entries are preloaded into the resolver cache), so a malicious HOSTS entry overrides a correctly configured DNS server for that name. The lookup order can be changed through the registry, but the default behavior makes HOSTS entries very relevant, which is why malware commonly edits the file.

24
Q

What is DNS server cache poisoning?

A

Corrupting the records of a DNS server to point traffic destined for a legitimate domain to a malicious IP address.

25
Q

What are the advantages of SASL over LDAPS?

A

The Simple Authentication and Security Layer (SASL) allows a choice of authentication providers (Kerberos or NTLM, for instance) and of message protection, with signing for integrity and sealing for encryption. By contrast, LDAPS uses Transport Layer Security (TLS) to encrypt the whole connection, but clients typically still authenticate with a simple bind (a plaintext password inside the TLS tunnel). SASL is also the standards-based means of configuring LDAP security.

26
Q

What steps should you take to secure an SNMPv2 service?

A

Configure strong, non-default community names (read-only wherever write access is not needed) and use access control lists to restrict management operations to known hosts. Note that SNMPv2c sends the community name in cleartext and offers no encryption, so where possible migrate to SNMPv3 with authentication and privacy (authPriv) enabled.

27
Q

What type of attack against HTTPS aims to force the server to negotiate weak ciphers?

A

A downgrade attack, in which an on-path attacker manipulates the handshake so that the parties settle on a weaker protocol version or cipher suite than they both support. The defense is not to offer the weak suites or versions at all.

28
Q

A client and server have agreed on the use of the cipher suite ECDHE-ECDSA-AES256- GCM-SHA384 for a TLS session. What is the key strength of the symmetric encryption algorithm?

A

256-bit (AES).
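
Reading a suite name like the one in card 28, and deciding which suites to prune so that the downgrade in card 27 has nothing to land on, can be automated. The following parser and negotiation simulation is an added example, not code from the flashcards or from OpenSSL; it handles OpenSSL-style names and the suite lists are constructed.

```python
"""Parse OpenSSL-style TLS cipher suite names, classify weak suites, and show why pruning
them from the server defeats a downgrade attack. Added example for cards 27 and 28; not
from the flashcards. Suite lists below are constructed."""

import re

_BLOCK_CIPHER = re.compile(r"^(AES|CAMELLIA|ARIA)(\d+)$")


def parse_suite(name):
    """Return key exchange, authentication, cipher, key bits, mode and MAC for a suite name."""
    info = {"name": name, "kx": "RSA", "auth": "RSA", "cipher": None,
            "bits": 0, "mode": "CBC", "mac": None, "export": False}
    for tok in name.upper().split("-"):
        if tok in ("ECDHE", "DHE", "ECDH", "DH"):
            info["kx"] = tok
        elif tok in ("ADH", "AECDH"):             # anonymous DH: no server authentication
            info["kx"], info["auth"] = ("DH" if tok == "ADH" else "ECDH"), "NONE"
        elif tok in ("ECDSA", "RSA", "DSS", "PSK"):
            info["auth"] = tok
        elif tok == "EXP":
            info["export"] = True
        elif tok == "RC4":
            info["cipher"], info["bits"] = "RC4", 128
        elif tok == "DES":
            info["cipher"], info["bits"] = "DES", 56
        elif tok == "CBC3":                       # DES-CBC3 is 3DES (112-bit effective)
            info["cipher"], info["bits"] = "3DES", 112
        elif tok == "NULL":
            info["cipher"], info["bits"] = "NULL", 0
        elif tok == "CHACHA20":
            info["cipher"], info["bits"], info["mode"] = "CHACHA20", 256, "AEAD"
        elif tok in ("GCM", "CCM", "CBC"):
            info["mode"] = tok
        elif tok == "POLY1305":
            info["mode"] = "AEAD"
        elif tok in ("SHA", "SHA256", "SHA384", "MD5"):
            info["mac"] = "SHA1" if tok == "SHA" else tok
        else:
            m = _BLOCK_CIPHER.match(tok)
            if m:
                info["cipher"], info["bits"] = m.group(1), int(m.group(2))
    if info["export"]:
        info["bits"] = min(info["bits"], 40)     # export-grade suites cap the key at 40 bits
    return info


def weaknesses(info):
    """Reasons a suite should not be offered; 'advisory' items are hygiene, not disqualifying."""
    reasons = []
    if info["export"]:
        reasons.append("export-grade key length")
    if info["cipher"] in ("NULL", "DES", "RC4", "3DES"):
        reasons.append(f"weak or broken cipher {info['cipher']}")
    if info["auth"] == "NONE":
        reasons.append("anonymous key exchange (no server authentication)")
    if info["mac"] == "MD5":
        reasons.append("MD5 MAC")
    if info["kx"] in ("RSA", "ECDH", "DH"):
        reasons.append("advisory: no forward secrecy")
    if info["mode"] == "CBC":
        reasons.append("advisory: CBC with HMAC rather than AEAD")
    return reasons


def is_weak(name):
    return any(not r.startswith("advisory") for r in weaknesses(parse_suite(name)))


def negotiate(server_prefs, client_offer):
    """Server-preference negotiation: first suite in the server's list the client also offered."""
    return next((s for s in server_prefs if s in client_offer), None)


# Constructed suite lists.
SERVER_LEGACY = ["ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
                 "AES256-SHA", "DES-CBC3-SHA", "RC4-SHA", "EXP-RC4-MD5"]
SERVER_HARDENED = [s for s in SERVER_LEGACY if not is_weak(s)]


def downgrade_demo():
    """An on-path attacker strips the strong suites from the ClientHello. The legacy server
    happily picks RC4; the hardened server has nothing in common and fails closed."""
    honest_offer = ["ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA"]
    tampered_offer = ["RC4-SHA", "EXP-RC4-MD5"]
    return {
        "legacy_honest": negotiate(SERVER_LEGACY, honest_offer),
        "legacy_tampered": negotiate(SERVER_LEGACY, tampered_offer),
        "hardened_tampered": negotiate(SERVER_HARDENED, tampered_offer),
    }


if __name__ == "__main__":
    print(parse_suite("ECDHE-ECDSA-AES256-GCM-SHA384"))
    print(downgrade_demo())
```

The simulation deliberately ignores the TLS Finished-message check that is meant to detect a tampered ClientHello; historical downgrade attacks got around it through implementation bugs or version fallback. The lesson survives either way: a suite the server will not negotiate cannot be downgraded to, so the list you ship is the control.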

29
Q

What security protocol does SFTP use to protect the connection and which port does an SFTP server listen on by default?

A

Secure Shell (SSH) over TCP port 22.

30
Q

Which port(s) and security methods should be used by a mail client to submit messages for delivery by an SMTP server?

A

Port 587 with STARTTLS (explicit TLS) or port 465 with implicit TLS.

31
Q

When using S/MIME, which key is used to encrypt a message?

A

The recipient’s public key (principally). The public key is used to encrypt a randomly generated symmetric session key and, for performance reasons, the session key does the actual encryption of the message body. The session key, and therefore the message text, can then only be recovered by the recipient, who uses the linked private key to decrypt it. (The sender’s own private key is used separately, to sign the message.)

32
Q

Which protocol protects the contents of a VoIP conversation from eavesdropping?

A

Encrypted VoIP data is carried over the Secure Real-time Transport Protocol (SRTP).

33
Q

True or false? A TLS VPN can only provide access to web-based network resources

A

False—a Transport Layer Security (TLS) VPN uses TLS to encapsulate the private network data and tunnel it over the network. The private network data could be frames or IP-level packets and is not constrained by application layer protocol type.

34
Q

What is Microsoft’s TLS VPN solution?

A

The Secure Socket Tunneling Protocol (SSTP). It tunnels PPP traffic inside a TLS session on TCP port 443, gaining TLS encryption and integrity protection and passing through most firewalls as ordinary HTTPS.

35
Q

What IPSec mode would you use for data confidentiality on a private network?

A

Transport mode with Encapsulating Security Payload (ESP). Tunnel mode encrypts the IP header information, but this is unnecessary on a private network. Authentication Header (AH) provides message authentication and integrity but not confidentiality

36
Q

Which protocol is often used in conjunction with IPSec to provide a remote access client VPN with user authentication?

A

Layer 2 Tunneling Protocol (L2TP).

37
Q

What is the main advantage of IKE v2 over IKE v1?

A

Rather than just providing mutual authentication of the host endpoints, IKE v2 supports a user account
authentication method, such as Extensible Authentication Protocol (EAP)

38
Q

What bit of information confirms the identity of an SSH server to a client?

A

The server’s public key (host key). Note that this can only be trusted if the client has a reason to believe the key is genuine: the client might confirm the fingerprint manually (out of band) on first contact and then cache it in known_hosts, or rely on a certificate authority that signs host keys. A changed host key for an already known host is a warning sign of an on-path attack.
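
What an SSH client actually does with that host key on each connection is a lookup in known_hosts. The following is an added example for card 38, not code from the flashcards or from OpenSSH; it reproduces the plain and hashed host-pattern formats, the @revoked marker and the SHA256 fingerprint format, but the known_hosts content is constructed and the key blobs are stand-in byte strings, not real keys.

```python
"""Check a presented SSH host key against a known_hosts file the way an SSH client does:
plain and hashed (|1|salt|hmac) host patterns, @revoked markers, and the SHA256 fingerprint
format that ssh-keygen prints for manual (out-of-band) confirmation.

Added example for card 38; not code from the flashcards or from OpenSSH. The known_hosts
content is constructed, and the key blobs are stand-in byte strings, not real keys."""

import base64
import hashlib
import hmac


def fingerprint(key_blob):
    """OpenSSH-style fingerprint: base64(sha256(key)) with '=' padding stripped."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(key_blob).digest()).decode().rstrip("=")


def hash_hostname(host, salt):
    """Build a hashed host pattern: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_matches(pattern, host):
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        expected = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return host in pattern.split(",")       # a plain entry may list several names/addresses


def check_host_key(known_hosts, host, key_type, key_blob):
    """Return 'match', 'revoked', 'mismatch' (key changed: possible on-path attack) or
    'unknown' (first contact: the fingerprint must be confirmed out of band)."""
    presented = base64.b64encode(key_blob).decode()
    seen_host = False
    for line in known_hosts.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        marker = None
        if parts[0].startswith("@"):
            marker, parts = parts[0], parts[1:]
        if len(parts) < 3:
            continue
        pattern, ktype, kdata = parts[:3]
        if ktype != key_type or not host_matches(pattern, host):
            continue
        if marker == "@cert-authority":
            continue                           # CA-signed host certificates need a separate check
        key_equal = hmac.compare_digest(kdata, presented)
        if marker == "@revoked":
            if key_equal:
                return "revoked"
            continue
        seen_host = True
        if key_equal:
            return "match"
    return "mismatch" if seen_host else "unknown"


# Constructed material: deterministic stand-in blobs, not real keys.
REAL_KEY = hashlib.sha256(b"constructed: legitimate host key").digest()
FAKE_KEY = hashlib.sha256(b"constructed: attacker host key").digest()
SALT = b"\x01" * 20
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts",
    "bastion.example.com,192.0.2.10 ssh-ed25519 " + base64.b64encode(REAL_KEY).decode(),
    hash_hostname("git.example.com", SALT) + " ssh-ed25519 " + base64.b64encode(REAL_KEY).decode(),
    "@revoked old.example.com ssh-ed25519 " + base64.b64encode(FAKE_KEY).decode(),
])


def demo():
    return {
        "fingerprint_to_confirm": fingerprint(REAL_KEY),
        "bastion": check_host_key(KNOWN_HOSTS, "bastion.example.com", "ssh-ed25519", REAL_KEY),
        "bastion_key_changed": check_host_key(KNOWN_HOSTS, "bastion.example.com", "ssh-ed25519", FAKE_KEY),
        "hashed_entry": check_host_key(KNOWN_HOSTS, "git.example.com", "ssh-ed25519", REAL_KEY),
        "first_contact": check_host_key(KNOWN_HOSTS, "new.example.com", "ssh-ed25519", REAL_KEY),
        "revoked_key": check_host_key(KNOWN_HOSTS, "old.example.com", "ssh-ed25519", FAKE_KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two outcomes that matter operationally are "unknown" and "mismatch": the first is the trust-on-first-use moment where the fingerprint should be compared against one obtained out of band, and the second is the case a client must refuse rather than ask about, because a silently changed key is exactly what an on-path attacker presents.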

39
Q

What use is made of a TPM for NAC attestation?

A

The Trusted Platform Module (TPM) is a tamper-resistant cryptographic module, either a discrete chip on the system board or a firmware TPM running in the CPU or chipset. It can sign a report of the measured system configuration (the boot measurements held in its platform configuration registers) so that a network access control (NAC) policy enforcer can trust that the report was not forged by the host.

40
Q

Why are OS-enforced file access controls not sufficient in the event of the loss or theft of a computer or mobile device?

A

The disk (or other storage) could be attached to another system, where its administrator can take ownership of the files and bypass the original OS’s permissions. File-level encryption, full disk encryption (FDE), or self-encrypting drives (SED) mitigate this by requiring the user’s decryption key before the data can be read.

41
Q

What use is a TPM when implementing full disk encryption?

A

A trusted platform module provides a secure mechanism for generating and storing the key used to encrypt the data, and it releases the key only if the measured boot state matches what the key was sealed against. Access can additionally be gated with a PIN or password. Without a TPM, the key usually has to be supplied externally, typically as a startup key on a USB stick.

42
Q

What countermeasures can you use against the threat of malicious firmware code?

A

Only use reputable suppliers for peripheral devices and strictly controlled sources for firmware updates.
Consider use of a sheep dip sandboxed system to observe a device before allowing it to be attached to a host in the enterprise network. Use execution control software to allow only approved USB vendors.

43
Q

What type of interoperability agreement would be appropriate at the outset of two companies
agreeing to work with one another?

A

A memorandum of understanding (MOU).

44
Q

What type of interoperability agreement is designed to ensure specific performance standards?

A

A service level agreement (SLA). In addition, performance standards may also be incorporated in business partner agreements (BPAs).

45
Q

What is a hardened configuration?

A

A configuration that minimizes the attack surface: run only the services and applications that are needed, disable or remove everything else (unused services, ports, protocols, accounts, and default credentials), and apply patches and secure settings consistently from a baseline.

46
Q

True or false? Only Microsoft’s operating systems and applications require security patches.

A

False—any vendor’s or open source software or firmware can contain vulnerabilities that need patching.

47
Q

Antivirus software has reported the presence of malware but cannot remove it automatically. Apart from the location of the affected file, what information will you need to remediate the system manually?

A

The string identifying the malware. You can use this to reference the malware on the A-V vendor’s site and, hopefully, obtain manual removal and prevention advice.

48
Q

You are consulting with a medium-size company about endpoint security solutions. What advantages does a cloud-based analytics platform have over an on-premises solution that relies on signature updates?

A

Advanced persistent threat (APT) malware can use many techniques to evade signature-based detection. A cloud analytics platform, backed by machine learning, can apply more effective behavioral-based monitoring and alerting

49
Q

If you suspect a process of being used for data exfiltration but the process is not identified as
malware by A-V software, what types of analysis tools will be most useful?

A

You can use a sandbox with monitoring tools to see which files the process interacts with and a network monitor to see if it opens (or tries to open) a connection with a remote host.

50
Q

Other than cost, which factor primarily constrains embedded systems in terms of compute and networking?

A

Power—many embedded systems must operate on battery power, and changing the batteries is an onerous task, so power-hungry systems like processing and high bandwidth or long-range networking are constrained.

51
Q

What addressing component must be installed or configured for NB-IoT?

A

An LTE-based cellular radio such as narrowband-IoT (NB-IoT) uses a subscriber identity module (SIM) as its identifier. This can be installed as a plug-in card, provisioned as an eSIM chip soldered to the system board, or integrated into a system-on-chip (SoC) design.

52
Q

Why should detailed vendor and product assessments be required before allowing the use of IoT
devices in the enterprise?

A

As systems with considerable computing and networking functionality, these devices are subject to the same sort of vulnerabilities and exploits as ordinary workstations and laptops

53
Q

How does VDI work as a mobile deployment model?

A

Virtual Desktop Infrastructure (VDI) allows a client device to access a VM. In this scenario, the mobile device is the client device.

54
Q

Company policy requires that you ensure your smartphone is secured from unauthorized access in
case it is lost or stolen. To prevent someone from accessing data on the device immediately after it
has been turned on, what security control should be used?

A

A screen lock, protected by a PIN, passcode, or biometric, so that the device demands authentication as soon as it is powered on or woken.

55
Q

An employee’s car was recently broken into, and the thief stole a company tablet that held a great deal of sensitive data. You’ve already taken the precaution of securing plenty of backups of that data. What should you do to be absolutely certain that the data doesn’t fall into the wrong hands?

A

Remotely wipe the device, also referred to as a kill switch.

56
Q

What is containerization?

A

A mobile app or workspace that runs within a partitioned environment to prevent other (unauthorized) apps from interacting with it

57
Q

What is the process of sideloading?

A

The user installs an app directly onto the device rather than from an official app store.

58
Q

Why might a company invest in device control software that prevents the use of recording devices within company premises?

A

To hinder physical reconnaissance and espionage.

59
Q

Why is a rooted or jailbroken device a threat to enterprise security?

A

Enterprise Mobility Management (EMM) solutions depend on the device user not being able to override their settings or change the effect of the software.

60
Q

How might wireless connection methods be used to compromise the security of a mobile device processing corporate data?

A

An attacker might set up some sort of rogue access point (Wi-Fi) or cell tower (cellular) to perform eavesdropping or man-in-the-middle attacks. For Personal Area Network (PAN) range communications, there might be an opportunity for an attacker to run exploit code over the channel.

61
Q

Why might enforcement policies be used to prevent USB tethering when a smartphone is brought to
the workplace?

A

This would allow a PC or laptop to connect to the Internet via the smartphone’s cellular data connection. This could be used to evade network security mechanisms, such as data loss prevention or content filtering.

62
Q

True or false? A maliciously designed USB battery charger could be used to exploit a mobile device
on connection.

A

True (in theory). The vector is known to mobile OS and handset vendors, so current devices prompt the user before trusting a connected host, and a charger-borne exploit is unlikely to run without user authorization.

63
Q

What is meant by a public cloud?

A

A solution hosted by a third party cloud service provider (CSP) and shared between subscribers (multi-tenant).
This sort of cloud solution has the greatest security concerns.

64
Q

What type of cloud solution would be used to implement a SAN?

A

This would usually be described as Infrastructure as a Service (IaaS).

65
Q

What is a Type II hypervisor?

A

Software that manages virtual machines but is itself installed as an application on top of a host operating system. This is in contrast to a Type I (or “bare metal”) hypervisor, which runs directly on the host hardware without an intervening OS.

66
Q

What is a VDE?

A

A Virtual Desktop Environment (VDE) is the workspace presented when accessing an instance in a virtual desktop infrastructure (VDI) solution. VDI is the whole solution (host server and virtualization platform, connection protocols, connection/session broker, and client access devices).

67
Q

What is the risk from a VM escaping attack?

A

VM escaping refers to attacking other guest OSes or the hypervisor or host from within a virtual machine. Attacks
may be to steal information, perform Denial of Service (DoS), infect the system with malware, and so on.