Chapter 2 Flashcards

1
Q

Agent

A

A malicious software program distributed by a hacker to take over control of a victim’s computers. Also known as a bot or a zombie. Agents are commonly used to construct botnets.

2
Q

Annualized loss expectancy (ALE)

A

The calculation of the total loss potential across a year for a given asset and a specific threat. ALE calculations are part of risk assessment. ALE = SLE × ARO.

3
Q

Annualized rate of occurrence (ARO)

A

A probability prediction, based on statistics and historical occurrences, of how many times in the next year a threat is likely to cause harm. ARO is used in the ALE calculation.

4
Q

Appliance firewall

A

A hardened hardware firewall.

5
Q

Application layer (Layer 7)

A

The top or seventh layer of the OSI model. This layer is responsible for enabling communications with host software, including the operating system. The Application Layer is the interface between host software and the network protocol stack. The sub-protocols of this layer support specific applications or types of data.

6
Q

Application firewall

A

A type of firewall that filters on a specific application’s content and session information.

7
Q

Application gateway

A

A type of firewall that filters on a specific application’s content and session information.

8
Q

Application proxy

A

A type of firewall that filters on a specific application’s content and session information.

9
Q

Asset value (AV)

A

The cumulative value of an asset based on both tangible and intangible values. AV supports the SLE calculation.

10
Q

Bastion host

A

A firewall positioned at the initial entry point where a network interfaces with the Internet. It serves as the first line of defense for the network. Also known as a sacrificial host.

11
Q

Border sentry

A

A description often applied to firewalls positioned on network zone transitions or gateway locations.

12
Q

Botnet

A

A network of zombie/bot/agent-compromised systems controlled by a hacker. The network consists of the bots, agents, or zombies that intercommunicate over the Internet.

13
Q

Bots

A

Malicious software programs distributed by hackers to take over control of victims’ computers. Also known as agents or zombies. Bots are commonly used to construct botnets.

14
Q

Bump-in-the-stack

A

A term for a firewall that is implemented via software.

15
Q

Bump-in-the-wire

A

A term for a firewall that is a separate hardware implementation.

16
Q

Circuit

A

A logical connection between a client and a resource server. May exist at Layer 3, 4, or 5 of the OSI model. Also known as a session or a state.

17
Q

Circuit firewall

A

A filtering device that allows or denies the initial creation of a circuit, session, or state, but performs no subsequent filtering on the circuit once established.

18
Q

Circuit proxy

A

A filtering device that allows or denies the initial creation of a circuit, session, or state, but performs no subsequent filtering on the circuit once established.

19
Q

Closed source

A

A type of software product that is pre-compiled and whose source code is undisclosed.

20
Q

Commercial firewall

A

A firewall product designed for larger networks. Usually a commercial firewall is a hardware device.

21
Q

Content filtering

A

A form of filtering that focuses on traffic content. Application proxies perform most content filtering.

22
Q

Cost/benefit analysis

A

The final equation of risk analysis to assess the relative benefit of a counter-measure against the potential annual loss of a given asset exposed to a specific threat.

23
Q

Data link layer (Layer 2)

A

The second layer of the OSI model responsible for physical addressing (MAC addresses) and supporting the network topology, such as Ethernet.

24
Q

Dead-man switch

A

A form of auto-initiation switch that triggers when the ongoing prevention mechanism fails. Common dead-man switches include firewalls and hand grenades. If the firewall stops functioning, the connection is severed. If a person dies while holding a live grenade, the safety latch opens and the grenade explodes.

25
Q

De-encapsulation

A

The action of processing the contents of a header, removing that header, and sending the remaining payload up to the appropriate protocol in the next higher layer in the OSI model.

26
Q

Dual-homed firewall

A

A firewall that has two network interfaces. Each network interface is located in a unique network segment. This allows for true isolation of the segments and forces the firewall to filter all traffic moving from one segment to another.

27
Q

Dynamic packet filtering

A

The process of automatically creating temporary filters. In most cases, the filters allow inbound responses to previous outbound requests. Also called stateful inspection.

28
Q

Exposure factor

A

The potential amount of harm from a specific threat stated as a percentage. Used in the calculation of SLE.

29
Q

Fail-safe/Fail-secure

A

A failure response resulting in a secured or safe level of access or communication.

30
Q

Frame

A

The collection of data at the Data Link Layer (Layer 2) of the OSI model, defined by the Ethernet IEEE 802.3 standard, that consists of a payload from the Network Layer (Layer 3) to which an Ethernet header and footer have been attached.

31
Q

Gateway

A

An entrance or exit point to a controlled space. A firewall is often positioned at a gateway of a network to block unwanted traffic.

32
Q

Hardware address

A

The physical address assigned to a network interface by the manufacturer. Also known as the MAC address.

33
Q

Hardware firewall

A

An appliance firewall. A hardened computer product that hosts firewall software exclusively.

34
Q

Header

A

The additional data added to the front of a payload at each layer of the OSI model that includes layer-specific information.

35
Q

Host firewall

A

A software firewall installed on a client or server.

36
Q

Intangible costs and value

A

Costs or values not directly related to budgetary funds. They can include but are not limited to research and development, marketing edge, competition value, first to market, intellectual property, public opinion, quality of service, name recognition, repeat customers, loyalty, honesty, dependability, assurance, reliability, trademarks, patents, privacy, and so on.

37
Q

Internet Control Message Protocol (ICMP)

A

A commonly used protocol found in the Network Layer (Layer 3). ICMP rides as the payload of an IP packet. ICMP supports network health and testing. Commonly abused by hackers for flooding and probing attacks.

38
Q

IP address

A

The temporary logical address assigned to hosts on a network. An IP address is managed and controlled at the Network Layer (Layer 3) of the OSI model by IP (Internet Protocol). IPv4 addresses are 32-bit addresses presented in human-friendly dotted-decimal notation. IPv6 addresses are 128-bit addresses presented in a special hexadecimal grouping format.

39
Q

Load Balancer

A

A system or device (hardware or software) that takes the load coming into a set of servers and ensures that the load is balanced between or among the servers.

40
Q

Logical address

A

A temporarily assigned address given to a host. IP address is a common example of a logical address. Most logical addresses exist at the Network Layer (Layer 3) of the OSI model.

41
Q

Network Layer (layer 3)

A

The third layer of the OSI model. This layer is responsible for logical addressing (IP addresses) and routing traffic.

42
Q

Open source

A

A type of software product that may or may not be pre-compiled and whose source code is freely disclosed and available for review and modification.

43
Q

Packet

A

The collection of data at the Network Layer (Layer 3) of the OSI model. It consists of the payload from the Transport Layer (Layer 4) above and the Network Layer header. IP packets are a common example.

44
Q

Payload

A

The non-header component of a PDU/segment/packet/frame. The payload is the data received from the layer above, which includes the above layer’s header and its payload.

45
Q

Personal firewall

A

Typically a software host firewall installed on a home computer or network client. Can also refer to SOHO hardware firewalls such as those found on DSL and cable modems and wireless access points.

46
Q

Physical address

A

The hardware address assigned to a network interface by the manufacturer. Also known as the MAC address.

47
Q

Physical Layer (layer 1)

A

The bottom or first layer of the OSI model. This layer converts data into transmitted bits over the physical network medium.

48
Q

Port forwarding

A

The function of routing traffic from an external source received on a specific pre-defined IP address and port combination (also known as a socket) to an internal resource server. Also known as reverse proxy and static NAT.

49
Q

Port number

A

The addressing scheme used at the Transport Layer (Layer 4) of the OSI model. There are 65,535 ports, each of which can in theory support a single simultaneous communication.

50
Q

Presentation layer (Layer 6)

A

The sixth layer of the OSI model translates the data received from host software into a format acceptable to the network. This layer also performs this task in reverse for data coming from the network to host software.

51
Q

Public key infrastructure (PKI)

A

A combination of several cryptographic components to create a real-world solution that provides secure communications, storage, and identification services. Commonly uses symmetric encryption, asymmetric/public key encryption, hashing, and digital certificates. In most cases, when PKI refers to authentication, digital certificates are used as credentials.

52
Q

Reverse proxy

A

The function of routing traffic from an external source received on a specific pre-defined IP address and port combination (also known as a socket) to an internal resource server. Also known as port forwarding and static network address translation (NAT).

53
Q

Risk assessment

A

Risk assessment is the process of examining values, threat levels, likelihoods, and total cost of compromise versus the value of the resource and the cost of the protection. This involves the use of values and calculations, such as AV, EF, SLE, ARO, ALE, and the cost/benefit equation.

54
Q

Risk management

A

Performing risk assessment, and then acting on the results to reduce or mitigate risk. Often risk assessment establishes a new security policy and then aids in revising it over time.

55
Q

Rule set

A

The list of rules on a firewall (or router or switch) that determine what traffic is and is not allowed to cross the filtering device. Most rule sets employ a first-match-apply-action process.

56
Q

Rule

A

A written expression of an item of concern (protocol, port, service, application, user, IP address) and one or more actions to take when the item of concern appears in traffic. Also known as a filter or ACL.

57
Q

Sacrificial host

A

A firewall positioned at the initial entry point where a network interfaces with the Internet serving as the first line of defense for the network. Also known as a bastion host.

58
Q

Screening router

A

A router that can perform basic static packet filtering services in addition to routing functions. A screening router is the predecessor of modern firewalls.

59
Q

Secure Sockets Layer (SSL)

A

A security protocol that operates at the top of the Transport Layer (Layer 4) and resides as the payload of a TCP session. Netscape designed SSL in 1997 for secure Web e-commerce, but it can encrypt any traffic above the Transport Layer. It uses public key certificates to identify the endpoints of a session and uses symmetric encryption to protect transferred data. SSL v3.0 is the last version of SSL; TLS is replacing SSL.

60
Q

Segment

A

The collection of data at the Transport Layer (Layer 4) of the OSI model. It consists of the payload from the Session Layer (Layer 5) above and the Transport Layer header. TCP segments are a common example. (Note: UDP segments are called datagrams as they are connectionless, rather than connection-oriented).

61
Q

Session

A

A logical connection between a client and a resource server. May exist at Layer 3, 4, or 5 of the OSI model. Also known as a circuit or a state.

62
Q

Session Layer (layer 5)

A

The fifth layer of the OSI model. This layer manages the communication channel, known as a session, between the endpoints of the network communication. A single transport layer connection between two systems can support multiple simultaneous sessions.

63
Q

Single Loss expectancy (SLE)

A

The calculation of the loss potential of a single incident for a given asset and a specific threat. SLE calculations are part of risk assessment. SLE = AV × EF.

64
Q

Socket

A

The combination of an IP address and a port number as a complete address.

65
Q

Software Firewall

A

A host firewall installed on a client or server.

66
Q

Spoofing

A

The falsification of information. Often spoofing is the attempt to hide the true identity of a user or the true origin of a communication.

67
Q

State

A

A logical connection between a client and a resource server. May exist at Layer 3, 4, or 5 of the OSI model. Also known as a session or a circuit.

68
Q

Stateful inspection

A

The process of automatically tracking sessions or states to allow inbound responses to previous outbound requests. Also called dynamic packet filtering.

69
Q

Static NAT

A

The static coding of a translation pathway across a NAT service. Also known as port forwarding and reverse proxy.

70
Q

Static packet filtering

A

A method of filtering using a static or fixed set of rules to filter network traffic. The rules can focus on source or destination IP address, source or destination port number, IP header protocol field value, ICMP types, fragmentation flags, and IP options. Static packet filtering is therefore mainly focused on the Network Layer (Layer 3), but can also include Transport Layer (Layer 4) elements. Static packet filtering focuses on header contents and does not examine the payload of packets or segments.

71
Q

Tangible Costs and Value

A

Costs or values directly related to budgetary funds. They can include, but are not limited to: purchase, license, maintenance, management, administration, support, utilities, training, troubleshooting, hardware, software, updates/upgrades, and so forth.

72
Q

Transmission Control Protocol (TCP)

A

The connection-oriented protocol operating at the Transport Layer (Layer 4) of the OSI model.

73
Q

Transport Layer (Layer 4)

A

The fourth layer of the OSI model. This layer formats and handles data transportation. This transportation is independent of and transparent to the application.

74
Q

Transport Layer security (TLS)

A

A security protocol that operates at the top of the Transport Layer (Layer 4) and resides as the payload of a TCP session. It uses public key certificates to identify the endpoints of a session and uses symmetric encryption to protect transferred data. TLS 1.0 is the replacement for SSL 3.0.

75
Q

Transport mode encryption

A

A form of encryption also known as point-to-point or host-to-host encryption. Transport mode encryption protects only the payload of traffic and leaves the header in plain-text original form.

76
Q

Triple-homed firewall

A

A firewall that has three network interfaces. Each network interface is located in a unique network segment. This allows for true isolation of the segments and forces the firewall to filter all traffic traversing from one segment to another.

77
Q

Tunnel mode encryption

A

A form of encryption also known as site-to-site, LAN-to-LAN, gateway-to-gateway, host-to-LAN, and remote access encryption. Tunnel mode encryption performs a complete encapsulation of the original traffic into a new tunneling protocol. The entire original header and payload are encrypted and a temporary link or tunnel header guides the data across the intermediary network.

78
Q

User Datagram Protocol (UDP)

A

The connectionless protocol operating at the Transport Layer (Layer 4) of the OSI model.

79
Q

Zombie

A

A malicious software program distributed by a hacker to take over control of a victim’s computer. Also known as a bot or an agent. Zombies are commonly used to construct botnets (or zombie armies).

80
Q

Zone of risk

A

Any segment, subnet, network, or collection of networks that represents a certain level of risk. The higher the risk, the higher the security need to protect against that risk. The lower the risk of a zone, the lower the security need, because fewer threats exist or existing threats are less harmful. The flip side of risk zones is zones of trust.

81
Q

Zone of trust

A

Any segment, subnet, network, or collection of networks that represents a certain level of trust. Highly trusted zones require less security, while low-trust zones require more security. The flip side of trust zones is zones of risk.