CH04 Security Applications and Devices Flashcards

1
Q

What is IDS ?

A

IDS = Intrusion Detection System.

A device or software application that monitors a system or network and analyzes the data passing through it in order to identify an incident or attack.

An IDS can only alert on and log suspicious activity; it cannot stop it.

2
Q

What are the 2 varieties of IDS ?

A

IDS = Intrusion Detection System.

It has two varieties:
HIDS - Host-based IDS
NIDS - Network-based IDS

3
Q

What is HIDS ?

A

HIDS = Host-based IDS

Software installed on a computer or server to protect it. It logs everything that seems suspicious.

HIDS logs are used to recreate the events after an attack has occurred.

4
Q

What is NIDS ?

A

NIDS = Network-based IDS

Hardware installed on your network: all traffic passes through a switch, which sends a copy of it to the Network Intrusion Detection System. If something suspicious is found, the NIDS logs it and raises an alert.

5
Q

What is Signature-based detection method?

A

The system looks for a specific string of bytes that will trigger the alert.

6
Q

What is Policy-based detection method?

A

Relies on a specific declaration of the security policy. For example, if a company has a policy that no one is allowed to use Telnet, any time the system sees somebody trying to connect on port 23 (the port for Telnet), it flags it, logs it, and alerts on it.

7
Q

What is Anomaly-based detection method ?

A

Analyzes the current traffic patterns against an established baseline; any time it sees something that goes outside the statistical norm, it triggers an alert.

8
Q

What are:
True positive alert
False positive alert
True negative alert
False negative alert

A

▪ True positive - Malicious activity is identified as an attack
▪ False positive - Legitimate activity is identified as an attack
▪ True negative - Legitimate activity is identified as legitimate traffic
▪ False negative - Malicious activity is identified as legitimate traffic

9
Q

What is IPS ?

A

IPS = Intrusion Prevention System

An IPS can stop malicious activity from being executed.

10
Q

What is DLP ?

A

DLP = Data Loss Prevention

Monitors the data of a system to detect attempts to steal the data.

11
Q

What is Endpoint DLP system ?

A

DLP = Data Loss Prevention

Software-based client that monitors the data in use on a computer and can stop a file transfer or alert an admin of the occurrence.

12
Q

What is Network DLP System ?

A

DLP = Data Loss Prevention

Software- or hardware-based solution installed on the perimeter of the network to detect data in transit.

13
Q

What is Storage DLP System ?

A

DLP = Data Loss Prevention

Software installed on servers in the datacenter to inspect the data at rest.

14
Q

What is Cloud DLP System ?

A

DLP = Data Loss Prevention

Cloud software as a service that protects data being stored in cloud services.

15
Q

What is BIOS ?

A

BIOS = Basic Input Output System

Firmware that provides the computer with instructions for how to accept input and send output.

16
Q

What is UEFI ?

A

UEFI = Unified Extensible Firmware Interface

A more updated and robust version of BIOS.

17
Q

What are the ways that we can secure BIOS ?

A

BIOS = Basic Input Output System

  1. Flash the BIOS – ensures that it has the most up-to-date software on that chip.
  2. Use a BIOS password – this prevents anyone from logging into the BIOS and changing the boot order or other settings without this administrative password.
  3. Configure the BIOS boot order – only enable booting from the internal hard disk and then from the network card. This protects me from somebody putting in a bootable distribution OS on a CD and taking control of my computer.
  4. Disable external ports and devices that you do not use.
  5. Enable the secure boot option – when secure boot is enabled, your computer goes through additional processes as it boots up. When the BIOS is loaded, it loads the public key from the trusted platform module chip, known as the TPM, that’s sitting inside your processor. It uses this key to verify the code of the operating system being loaded and to ensure that it has been digitally signed by the manufacturer and has not been modified since. This gives you a trusted boot device and a protected boot process, and your system is going to be much more secure.
18
Q

What is NAS?

A

NAS = Network Attached Storage

▪ Storage devices that connect directly to your organization’s network
▪ NAS systems often implement RAID arrays to ensure high availability

19
Q

How do you secure SAN ?

A

SAN = Storage Area Network

  1. Use data encryption
  2. Use proper authentication
  3. Log NAS (Network Attached Storage) access
19
Q

What is SAN?

A

SAN = Storage Area Network

Network designed specifically to perform block storage functions; it may consist of NAS (Network Attached Storage) devices connected together.

20
Q

What is SED ?

A

SED = Self-Encrypting Drive

Storage device that performs whole-disk encryption using embedded hardware.

21
Q

Which encryption software packages are most commonly used?

A

FileVault (Mac)
BitLocker (Windows)

22
Q

What is TPM ?

A

TPM = Trusted Platform Module

Chip residing on the motherboard that contains an encryption key.

23
Q

What is Advanced Encryption Standard ?

A

Symmetric-key encryption that supports 128-bit and 256-bit keys.

24
Q

What is HSM ?

A

HSM = Hardware Security Module

A physical device that acts as a secure cryptoprocessor during the encryption process.

25
Q

What is HIDS / HIPS ?

A

HIDS = Host Intrusion Detection Systems
HIPS = Host Intrusion Prevention Systems

A type of IDS (Intrusion Detection System) or IPS (Intrusion Prevention System) that monitors a computer system for unexpected behavior or drastic changes to the system’s state on an endpoint.

26
Q

What is EPP ?

A

EPP = Endpoint Protection Platform

A software agent and monitoring system that performs multiple security tasks such as anti-virus, HIDS/HIPS (Host Intrusion Detection Systems / Host Intrusion Prevention Systems), firewall, DLP (Data Loss Prevention), and file encryption.

27
Q

What is EDR ?

A

EDR = Endpoint Detection and Response

A software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats.

EDR focuses more on behavioral and anomaly analysis. It logs the endpoint’s observables and indicators, combines them with analysis, and tries to figure out what is wrong.

EDR does not prevent initial execution; instead, it provides runtime and historical visibility into a compromise. Once a compromise has been detected, it can start responding to it, and it helps you as an incident responder to gather more information and facilitate remediation to get the system back to its original state.

28
Q

What is UEBA ?

A

UEBA = User and Entity Behavior Analytics

A system that can provide automated identification of suspicious activity by user accounts and computer hosts.

It is heavily dependent on advanced computing techniques like artificial intelligence (AI) and machine learning.