CH12 Perimeter Security Flashcards

1
Q

You have just received some unusual alerts on your SIEM dashboard and want to collect the payloads associated with them. Which of the following should you implement to effectively collect the malicious payloads that the attackers are sending towards your systems without impacting your organization’s normal business operations?

a. Honeypot
b. Jumpbox
c. Sandbox
d. Containerization

A

a. Honeypot

A honeypot is a host set up with the purpose of luring attackers away from the actual network components and/or discovering attack strategies and weaknesses in the security configuration.

A jumpbox is a hardened server that provides access to other hosts.
A sandbox is a computing environment that is isolated from a host system to guarantee that the environment runs in a controlled, secure fashion.
Containerization is a type of virtualization applied by a host operating system to provision an isolated execution environment for an application.

2
Q

You are trying to select the best device to install in order to detect an outside attacker who is trying to reach into your internal network. The device should log the event, but it should not take any action to stop it. Which of the following devices would be the BEST for you to select?

a. Proxy server
b. Authentication Server
c. IPS
d. IDS

A

d. IDS

An intrusion detection system (IDS) is a device or software application that monitors a network or system for malicious activity or policy violations. Any malicious activity or violation is typically reported either to an administrator or collected centrally using a security information and event management system. Unlike an IPS, which can take action to stop malicious activity or policy violations, an IDS can only log these issues and not stop them.

3
Q

During a security audit, you discovered that customer service employees have been sending unencrypted confidential information to their personal email accounts via email. What technology could you employ to detect these occurrences in the future and send an automated alert to the security team?

a. SSL
b. UTM
c. DLP
d. MDM

A

c. DLP

Data loss prevention (DLP) software detects potential data breaches and data exfiltration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use, in motion, and at rest. It can be configured to detect and alert on future occurrences of this issue.

4
Q

A firewall administrator has configured a new screened subnet to allow public systems to be segmented from the organization’s internal network. The firewall now has three security zones set: Untrusted (Internet) [143.27.43.0/24]; DMZ (Screened Subnet) [161.212.71.0/24]; Trusted (Intranet) [10.10.0.0/24]. The firewall administrator has been asked to enable remote desktop access from a fixed IP on the remote network to a remote desktop server in the screened subnet for the Chief Security Officer to work from his home office after hours. The CSO’s home internet uses a static IP of 143.27.43.32. The remote desktop server is assigned a public-facing IP of 161.212.71.14. What rule should the administrator add to the firewall?

a. Permit 143.27.43.32 161.212.71.14 RDP 3389
b. Permit 143.27.43.32/24 161.212.71.14/24 RDP 3389
c. Permit 143.27.43.32/24 161.212.71.14 RDP 3389
d. Permit 143.27.43.32 161.212.71.14/24 RDP 3389

A

a. Permit 143.27.43.32 161.212.71.14 RDP 3389

OBJ-4.4: Due to the requirement to allow a single remote IP to enter the firewall, the permit statement must start with a single IP in the Untrusted (Internet) zone. Based on the options provided, only 143.27.43.32 could be correct. Next, the destination is a single server in the DMZ (screened subnet), so only 161.212.71.14 could be correct. The destination port should be 3389, which is the port for the Remote Desktop Protocol. Combining these three facts, only “permit 143.27.43.32 161.212.71.14 RDP 3389” could be correct.

5
Q

A cybersecurity analyst has deployed a custom DLP signature to alert on any files that contain numbers in the format of a social security number (xxx-xx-xxxx). Which of the following concepts within DLP is being utilized?

a. Statistical matching
b. Exact data match
c. Document matching
d. Classification

A

b. Exact data match

OBJ-3.2: An exact data match (EDM) is a pattern matching technique that uses a structured database of string values to detect matches. For example, a company might have a list of the actual social security numbers of its customers. Since it is not appropriate to load these numbers into a DLP filter, the company could instead use EDM to match the numbers’ fingerprints based on their format or sequence. Document matching attempts to match a whole document or a partial document against a signature in the DLP. Statistical matching is a further refinement of partial document matching that uses artificial intelligence or machine learning to analyze various data sources. Classification techniques use a rule based on a confidentiality classification tag or label attached to the data. For example, the military might use a classification-based DLP to search for any files labeled as secret or top secret.

6
Q

Review the following packet captured at your NIDS:

23:12:23.154234 IP 86.18.10.3:54326 > 71.168.10.45:3389
Flags [P.], Seq 1834:1245, ack 1, win 511, options
[nop,nop,TS val 253451334 ecr 482862734], length 125

After reviewing the packet above, you discovered there is an unauthorized service running on the host. Which of the following ACL entries should be implemented to prevent further access to the unauthorized service while maintaining full access to the approved services running on this host?

a. DENY TCP ANY HOST 71.168.10.45 EQ 3389
b. DENY IP HOST 86.18.10.3 EQ 3389
c. DENY IP HOST 71.168.10.45 ANY EQ 25
d. DENY TCP ANY HOST 86.18.10.3 EQ 25

A

a. DENY TCP ANY HOST 71.168.10.45 EQ 3389

OBJ-4.4: Since the question asks you to prevent access to the unauthorized service, we need to block port 3389 from accepting connections on 71.168.10.45 (the host). This option denies ANY source from connecting to this host over the unauthorized Remote Desktop Protocol service (TCP port 3389) while leaving every other port, and therefore every approved service, reachable.

7
Q

(This is a simulated performance-based question.)

Review the network diagram provided. Which of the following ACL entries should be added to the firewall to allow only the Human Resources (HR) computer to have SMB access to the file server (Files)?

DMZ: FTP 192.168.0.5, Web 192.168.0.6, Email 192.168.0.7

Internet / Workstations: Backup 172.16.1.2, HR 172.16.1.3, IT 172.16.1.4

Data Center: Sales 192.168.1.10, Confidential 192.168.1.11, Files 192.168.1.12

(Note: The firewall in this network is using implicit deny to maintain a higher level of security. ACL entries are in the format of Source IP, Destination IP, Port Number, TCP/UDP, Allow/Deny.)

a. 172.16.1.3, 192.168.1.12, ANY, TCP, ALLOW
b. 172.16.1.12, 192.168.1.3/24, 445, TCP, ALLOW
c. 192.168.1.12, 172.16.1.3, 445, UDP, DENY
d. 172.16.1.3, 192.168.1.12, 445, TCP, ALLOW

A

d. 172.16.1.3, 192.168.1.12, 445, TCP, ALLOW

OBJ-3.3: The ACL should be created with 172.16.1.3 as the Source IP, 192.168.1.12 as the Destination IP, 445 as the port number operating over TCP, and the ALLOW condition set. This is the most restrictive option presented (only the HR workstation and the Files server are used), and the minimum number of ports is opened to accomplish our goal (only port 445 for the SMB service).
