Chapter 3 - Security foundations Flashcards

1
Q

To remove malware from the network before it gets to the endpoint, you would use which of the following?

A. Packet filter
B. Application layer gateway
C. Unified threat management appliance
D. Stateful firewall

A

C. Unified threat management appliance

Packet filters are used to make block/allow decisions based on header data like source and destination address and port. Stateful firewalls add in the ability to factor in the state of the connection—new, related, established. An application layer gateway knows about application layer protocols. A unified threat management appliance adds additional capabilities on top of firewall functions, including antivirus.
2
Q

If you were on a client engagement and discovered that you left an external hard drive with essential data on it at home, which security principle would you be violating?

A. Confidentiality
B. Integrity
C. Nonrepudiation
D. Availability

A

D. Availability

Confidentiality is about making sure secrets are kept secret. Integrity makes sure that data isn’t altered accidentally or by an unauthorized agent. Nonrepudiation makes sure someone can’t say a message didn’t originate with them if it came from their identity. Availability means making sure data is where it needs to be when it should be there. This includes services as well.

3
Q

How would you calculate risk?
A. Probability * loss value
B. Probability * mitigation factor
C. (Loss value + mitigation factor) * (loss value/probability)
D. Probability * mitigation factor

A

A. Probability * loss value

Risk is the probability of the occurrence of an event multiplied by the dollar value of loss. There is no quantified mitigation factor that could be put into a risk calculation.
4
Q

Which of the following is one factor of a defense-in-depth approach to network design?
A. Switches
B. Using Linux on the desktop
C. Optical cable connections
D. Access control lists on routers

A

D. Access control lists on routers

Switches and optical cable connections can certainly be part of a network design, but in and of themselves they don’t add any security features. You may use Linux on the desktop, but without more of a strategy for patch and vulnerability management, Linux is no better than other operating systems. Access control lists on routers can add an additional layer of security, especially when combined with other elements like firewalls and intrusion detection systems.
5
Q

How would you ensure that confidentiality is implemented in an organization?
A. Watchdog processes
B. Encryption
C. Cryptographic hashes
D. Web servers

A

B. Encryption

Confidentiality is keeping secret information secret, which means unauthorized users can’t access it. Encryption is a good way to keep unauthorized users from data because to get to the data, they need to have the key. Watchdog processes are used to ensure that programs remain running. Cryptographic hashes are used to verify the integrity of data. Web servers are used to serve up information.

6
Q

An intrusion detection system can perform which of the following functions?
A. Block traffic
B. Filter traffic based on headers
C. Generate alerts on traffic
D. Log system messages

A

C. Generate alerts on traffic

Firewalls are used to block traffic into a network, though an intrusion prevention system will also block traffic. A packet filtering firewall uses header information, such as source and destination address and port, to determine whether to allow traffic into the network. Syslog and the Windows event subsystem can be used to log system messages. Intrusion detection systems can be used to generate alerts on traffic.
7
Q

Which of these would be an example of a loss of integrity?
A. User making changes to a file and saving it
B. Bad blocks flagged on disk
C. Credit cards passed in cleartext
D. Memory failures causing disk drivers to run incorrectly

A

D. Memory failures causing disk drivers to run incorrectly

If a user makes a change to a file and saves it, that’s an intentional act and the data is what the user expects and wants. If the disk drive has flagged bad blocks on the disk, the drive won’t write any data out to those blocks, so there will be no loss of integrity. Credit cards passed in cleartext would be a violation of confidentiality. Memory failures, though, could cause a loss of data integrity, even in the case of writing data to the drive. The corrupted data in memory could be written to disk. Also, memory failures may cause issues with the disk driver, which may also cause data corruption.

8
Q

What would you use a security information event manager for?
A. Aggregating and providing search for log data
B. Managing security projects
C. Escalating security events
D. Storing open source intelligence

A

A. Aggregating and providing search for log data

Security information event managers are used to aggregate event data, such as log information. Once the data has been aggregated, it can be searched and correlated. Even though it’s called an event manager, it isn’t used to manage security projects, nor is it used to escalate security events. Other tools can be used to gather and store open source intelligence.

9
Q
Why is it important to store system logs remotely?
A. Local systems can’t handle it.
B. Bandwidth is faster than disks.
C. Attackers might delete local logs.
D. It will defend against attacks.

A

C. Attackers might delete local logs.

Commonly, system logs are stored on the system that generated the log message. Certainly local systems can handle the logs they have generated. Log messages don’t typically consume a lot of space at an individual message level, so bandwidth isn’t a problem. Transmitting over a network is generally not faster than moving data within local disks. System logs can be used in identifying attacks, but the logs won’t defend against attacks. However, if an attacker does compromise a system, the attacker may delete the local logs because they could get access to them.

10
Q

What would be necessary for a TCP conversation to be considered established by a stateful firewall?
A. Final acknowledgment message
B. Three-way handshake complete
C. Sequence numbers aligned
D. SYN message received

A

B. Three-way handshake complete

In TCP, a three-way handshake is used to synchronize sequence numbers and establish a connection. While the sequence numbers are shared, they wouldn’t be called aligned, which might suggest that each end was using the same sequence number. A SYN message is part of the three-way handshake, but it is not sufficient to establish a connection. Option A, “Final acknowledgment message,” is ambiguous. It could refer to the acknowledgment to a FIN message, closing the connection.
11
Q
What is the purpose of a security policy?
A. To provide high-level guidance on the role of security
B. To provide specific direction to security workers
C. To increase the bottom line of a company
D. To align standards and practices

A

A. To provide high-level guidance on the role of security

Standards and practices should be derived from a security policy, which is the high-level guidance on the role of security within an organization. Security does not generally increase the bottom line of a company. Policies are not for providing specific directions, which would be the role of procedures.

12
Q
What additional properties does the Parkerian hexad offer over the CIA triad?
A. Confidentiality, awareness, authenticity
B. Utility, awareness, possession
C. Utility, possession, authenticity
D. Possession, control, authenticity

A

C. Utility, possession, authenticity

The Parkerian hexad takes the confidentiality, integrity, and availability of the CIA triad and adds utility, possession (or control), and authenticity.

13
Q
What important event can be exposed by enabling auditing?

A. System shutdown
B. Service startup
C. Package installation
D. User login

A

D. User login

While system shutdown, service startup, and package installation may be events that are logged, they are generally logged by normal system logging. Auditing functions are different between Windows and Linux/Unix, but audit systems for both will generate logs when a user logs into a system.

14
Q

What can an intrusion prevention system do that an intrusion detection system can’t?
A. Generate alerts
B. Block or reject network traffic
C. Complete the three-way handshake to bogus messages
D. Log packets

A

B. Block or reject network traffic

While an intrusion prevention system can generate alerts, so can an intrusion detection system. Both systems may also be able to log packets, as needed. A bogus message likely wouldn’t result in a completed three-way handshake, and the handshake shouldn’t be completed anyway. An intrusion prevention system can, however, block or reject network traffic, while an intrusion detection system can’t.
15
Q
Which of these is an example of an application layer gateway?

A. Web application firewall
B. Runtime application self-protection
C. Java applet
D. Intrusion prevention system

A

A. Web application firewall

Runtime application self-protection is a plug-in used on an application server to prevent bad messages from impacting the application. A Java applet is an implementation of a Java program. An intrusion prevention system is used to detect and block potential intrusions. A web application firewall, however, makes decisions based on application layer traffic and will either allow or block that traffic. This makes it an application layer gateway.

16
Q

Which information would a packet filter use to make decisions about what traffic to allow into the network?
A. HTTP REQUEST message
B. Ethernet type
C. UDP source port
D. SNMP OID

A

C. UDP source port

17
Q

Which of the following products might be used as an intrusion detection system?
A. Elastic Stack
B. Prewikka
C. Snort
D. Snorby

A

C. Snort

Elastic Stack is an implementation of a security information event manager. Prewikka can be used along with an intrusion detection system as a dashboard. Snorby is an auxiliary program used with Snort. Snort is an intrusion detection program.

18
Q

Which of these isn’t an example of an attack that compromises integrity?
A. Buffer overflow
B. Man in the middle
C. Heap spraying
D. Watering hole

A

D. Watering hole

A buffer overflow attack is used to execute attacker-supplied code by altering the return address in the stack. A man-in-the-middle attack can be used to intercept and potentially alter a conversation between two systems. A heap spraying attack sends a lot of data into the heap to overwrite what’s there. A watering hole attack does not compromise integrity since its purpose is to introduce malware to a system. The malware might eventually compromise integrity, but the watering hole attack itself does not.

19
Q
What type of attack is a compromise of availability?
A. Watering hole
B. DoS
C. Phishing
D. Buffer overflow

A

B. DoS

A watering hole attack looks to compromise a system that visits a website. A phishing attack looks to gather information from victims, potentially by compromising the victim’s system. A buffer overflow attack tries to introduce code provided by the attacker. A denial-of-service attack, however, has the intention of making a service unavailable for users.

20
Q
What important function can EDR offer to security operations staff?
A. Host isolation
B. Malware detection
C. Remote data collection
D. All of the above

A

D. All of the above

An endpoint detection and response solution can be used to provide host isolation to endpoints as well as remote evidence collection and malware detection. Some companies use EDR solutions to replace anti-malware software since it can do that as well as perform other functions.