Chapter 3 - Security foundations Flashcards
To remove malware from the network before it gets to the endpoint, you would use which of the following?
A. Packet filter
B. Application layer gateway
C. Unified threat management appliance
D. Stateful firewall
C. Unified threat management appliance
Packet filters are used to make block/allow decisions based on header data like source and destination address and port. Stateful firewalls add in the ability to factor in the state of the connection—new, related, established. An application layer gateway knows about appli- cation layer protocols. A unified threat management appliance adds additional capabilities on top of firewall functions, including antivirus.
If you were on a client engagement and discovered that you left an external hard drive with essential data on it at home, which security principle would you be violating?
A. Confidentiality B. Integrity
C. Nonrepudiation D. Availability
D. Avaliability
Confidentiality is about making sure secrets are kept secret. Integrity makes sure that data isn’t altered accidentally or by an unauthorized agent. Nonrepudiation makes sure someone can’t say a message didn’t originate with them if it came from their identity. Availability means making sure data is where it needs to be when it should be there. This includes ser- vices as well.
How would you calculate risk?
A. Probability * loss value
B. Probability * mitigation factor
C. (Loss value + mitigation factor) * (loss value/probability)
D. Probability * mitigation factor
A. Risk is the probability of the occurrence of an event multiplied by the dollar value of loss.
There is no mitigation factor that is quantified, so it could be put into a risk calculation.
Which of the following is one factor of a defense-in-depth approach to network design?
A. Switches
B. Using Linux on the desktop
C. Optical cable connections
D. Access control lists on routers
D. Access control lists on routers
Switches and optical cable connections can certainly be part of a network design, but in and of themselves they don’t add any security features. You may use Linux on the desktop, but without more of a strategy for patch and vulnerability management, Linux is no better than other operating systems. Access control lists on routers can add an additional layer of security, especially when combined with other elements like firewalls and intrusion detec- tion systems.
How would you ensure that confidentiality is implemented in an organization?
A. Watchdog processes
B. Encryption
C. Cryptographic hashes
D. Web servers
B. Encryption
Confidentiality is keeping secret information secret, which means unauthorized users can’t access it. Encryption is a good way to keep unauthorized users from data because to get to the data, they need to have the key. Watchdog processes are used to ensure that programs remain running. Cryptographic hashes are used to verify the integrity of data. Web servers are used to serve up information.
An intrusion detection system can perform which of the following functions?
A. Block traffic
B. Filter traffic based on headers
C. Generate alerts on traffic
D. Log system messages
C. Generate alerts on traffic
C. Firewalls are used to block traffic into a network, though an intrusion prevention system will also block traffic. A packet filtering firewall uses header information, such as source and destination address and port, to determine whether to allow traffic into the network. Syslog and the Windows event subsystem can be used to log system messages. Intrusion detection systems can be used to generate alerts on traffic.
Which of these would be an example of a loss of integrity?
A. User making changes to a file and saving it
B. Bad blocks flagged on disk
C. Credit cards passed in cleartext
D. Memory failures causing disk drivers to run incorrectly
D. Memory failures causing disk drivers to run incorrectly
If a user makes a change to a file and saves it, that’s an intentional act and the data is what the user expects and wants. If the disk drive has flagged bad blocks on the disk, the drive won’t write any data out to those blocks, so there will be no loss of integrity. Credit cards passed in cleartext would be a violation of confidentiality. Memory failures, though, could cause a loss of data integrity, even in the case of writing data to the drive. The corrupted data in memory could be written to disk. Also, memory failures may cause issues with the disk driver, which may also cause data corruption.
What would you use a security information event manager for?
A. Aggregating and providing search for log data
B. Managing security projects
C. Escalating security events
D. Storing open source intelligence
A. Aggregating and providing search for log data
Security information event managers are used to aggregate event data, such as log information. Once the data has been aggregated, it can be searched and correlated. Even though it’s called an event manager, it isn’t used to manage security projects, nor is it used to escalate security events. Other tools can be used to gather and store open source intelligence.
- Why is it important to store system logs remotely?
A. Local systems can’t handle it.
B. Bandwidth is faster than disks.
C. Attackers might delete local logs.
D. It will defend against attacks.
C. C. Attackers might delete local logs.
Commonly, system logs are stored on the system that generated the log message. Certainly local systems can handle the logs they have generated. Log messages don’t typically consume a lot of space at an individual message level, so bandwidth isn’t a problem. Transmitting over a network is generally not faster than moving data within local disks. System logs can be used in identifying attacks, but the logs won’t defend against attacks. However, if an attacker does compromise a system, the attacker may delete the local logs because they could get access to them.
What would be necessary for a TCP conversation to be considered established by a state-
ful firewall?
A. Final acknowledgment message
B. Three-way handshake complete
C. Sequence numbers aligned
D. SYN message received
B. Three-way handshake complete
B. In TCP, a three-way handshake is used to synchronize sequence numbers and establish a connection. While the sequence numbers are shared, they wouldn’t be called aligned, which might suggest that each end was using the same sequence number. A SYN message is part of the three-way handshake, but it is not sufficient to establish a connection. Option A, “Final acknowledgment message,” is ambiguous. It could refer to the acknowledgment to a FIN message, closing the connection.
- What is the purpose of a security policy?
A. To provide high-level guidance on the role of security
B. To provide specific direction to security workers
C. To increase the bottom line of a company
D. To align standards and practices
A. To provide high-level guidance on the role of security
Standards and practices should be derived from a security policy, which is the high-level guidance on the role of security within an organization. Security does not generally increase the bottom line of a company. Policies are not for providing specific directions, which would be the role of procedures.
- What additional properties does the Parkerian hexad offer over the CIA triad?
A. Confidentiality, awareness, authenticity
B. Utility, awareness, possession
C. Utility, possession, authenticity
D. Possession, control, authenticity
C. Utility, possession, authenticity
The Parkerian hexad takes the confidentiality, integrity, and availability of the CIA triad and adds utility, possession (or control), and authenticity.
- What important event can be exposed by enabling auditing?
A. System shutdown
B. Service startup
C. Package installation
D. User login
- D. User Login
While system shutdown, service startup, and package installation may be events that are logged, they are generally logged by normal system logging. Auditing functions are different between Windows and Linux/Unix, but audit systems for both will generate logs when a user logs into a system.
What can an intrusion prevention system do that an intrusion detection system can’t?
A. Generate alerts
B. Block or reject network traffic
C. Complete the three-way handshake to bogus messages
D. Log packets
B. B. Block or reject network traffic
While an intrusion prevention system can generate alerts, so can an intrusion detection system. Both systems may also be able to log packets, as needed. A bogus message likely wouldn’t result in a completed three-way handshake, and the handshake shouldn’t be com- pleted anyway. An intrusion prevention system can, however, block or reject network traffic, while an intrusion detection system can’t.
- Which of these is an example of an application layer gateway?
A. Web application firewall
B. Runtime application self-protection
C. Java applet
D. Intrusion prevention system
- A. Web application firewall
Runtime application self-protection is a plug-in used on an application server to prevent bad messages from impacting the application. A Java applet is an implementation of a Java program. An intrusion prevention system is used to detect and block potential intrusions. A web application firewall, however, makes decisions based on application layer traffic and will either allow or block that traffic. This makes it an application layer gateway.
