Chapter 7

Question 1

Layered Security

Answer 1

This means that each layer of security includes additional protections that help prevent a hole or flaw in another layer from allowing an attacker in.

Question 2

Physical Segmentation

Answer 2

Involves running on separate physical infrastructure or networks.

Question 3

System Isolation

Answer 3

Is handled by ensuring that the infrastructure is separated, and can go as far as using an air gap

Question 4

Air Gap

Answer 4

Ensures that there is no connection at all between the infrastructures

Question 5

Virtual Segmentation

Answer 5

Takes advantage of virtualization capabilities to separate functions to virtual machines or containers, although some implementations of segmentation for virtualization also run on separate physical servers in addition to running separate virtual machines.

Question 6

Network Segmentation

Answer 6

Or compartmentalization is a common element of network design. It provides a number of advantages: The number of systems that are exposed to attackers (commonly called the organization’s attack surface) can be reduced by compartmentalizing systems and networks. It can help to limit the scope of regulatory compliance efforts by placing the systems, data, or unit that must be compliant in a more easily maintained environment separate from the rest of the organization. In some cases, segmentation can help increase availability by limiting the impact of an issue or attack. Segmentation is used to increase the efficiency of a network. Larger numbers of systems in a single segment can lead to network congestion, making segmentation attractive as networks increase in size.

Question 7

Jump box

Answer 7

Which is a system that resides in a segmented environment and is used to access and manage the devices in the segment where it resides. Jump boxes span two different security zones and should thus be carefully secured, managed, and monitored.

Question 8

Product Diversity

Answer 8

(using products from multiple vendors) is sometimes used to create an additional layer of security. The intent of using diverse products is to eliminate a single point of failure by ensuring that a vulnerability or design flaw found in one product does not make an entire network or system vulnerable to exploit. For example, in a network design, this might mean using Juniper border routers, Cisco core routers, and Palo Alto security devices. If a vulnerability existed in the Cisco core routers, the other devices would be less likely to suffer from the same issue, meaning that attackers should not be able to exploit them, thus potentially limiting the impact of an attack.

Question 9

VPN’s

Answer 9

Although VPNs do not technically have to provide an encryption layer to protect the traffic they carry, almost all modern implementations will use encryption while providing a secure connection that makes a remote network available to a system or device.

Question 10

Physical Network Architecture

Answer 10

Is composed of the routers, switches, security devices, cabling, and all the other network components that make up a traditional network. You can leverage a wide range of security solutions on a physical network, but common elements of a security design include the following: Firewalls; IPS’s & IDS’s; Content filtering and caching devices; NAC; Network Scanners; UTM

Question 11

Firewalls

Answer 11

Control traffic flow between networks or systems.

Question 12

IPS’s & IDS’s

Answer 12

IPS - Which can detect and stop attacks

IDS - Which only alarm or notify when attacks are detected

Question 13

Content Filtering and caching devices

Answer 13

Used to control what information passes through to protected devices

Question 14

Network Access Control (NAC)

Answer 14

Technology that controls which devices are able to connect to the network and which may assess the security state of devices or require other information before allowing a connection.

Question 15

Network Scanners

Answer 15

That can identify systems and gather information about them, including the services they are running, patch levels, and other details about the systems.

Question 16

Unified Threat Management (UTM)

Answer 16

Devices that combine a number of these services often including firewalls, IDSs/IPSs, content filtering, and other security features.

Question 17

Software-Defined Networking (SDN)

Answer 17

Makes networks programmable. Using SDN, you can control networks centrally, which allows management of network resources and traffic with more intelligence than a traditional physical network infrastructure. Software-defined networks provide information and control via APIs (application programming interfaces) like OpenFlow, which means that network monitoring and management can be done across disparate hardware and software vendors.

Question 18

Software-Defined Networking (SDN)

Answer 18

Makes networks programmable. Using SDN, you can control networks centrally, which allows management of network resources and traffic with more intelligence than a traditional physical network infrastructure. Software-defined networks provide information and control via APIs (application programming interfaces) like OpenFlow, which means that network monitoring and management can be done across disparate hardware and software vendors.

Question 19

Virtualization

Answer 19

Uses software to run virtual computers on underlying real hardware.

Question 20

Virtual Desktop Infrastructure (VDI)

Answer 20

Which runs desktop OS like Windows 10 on central hardware and streams the desktops across the network to systems.

Question 21

Containerization

Answer 21

Provides an alternative to virtualizing an entire system, and instead permits applications to be run in their own environmnet with their own required components, such as libraries, config files, and other dependencies, in a dedicated container.

Question 22

Serverless

Answer 22

Computing in a broad sense describes cloud computing, but much of the time when it used currently it describes technology called FaaS. Serverless computing relies on a system that executes functions as they are called.

Question 23

Asset Management

Answer 23

Securing assets effectively requires knowing what assets you have and what their current state is. These paired requirements drive organizations to implement asset management tools and processes.

Question 24

Asset Tagging

Answer 24

Can help discourage theft, help identify systems more easily, and can make day-to-day support work easier for support staff who can quickly look up a system or device in an asset inventory list to determine what it is, who the device was issued to, and what its current state should be

Question 25

Active Defense

Answer 25

Describes offensive actions taken to counter adversaries.

Question 26

Honeypots

Answer 26

Honeypots are systems that are designed to look like an attractive target for an attacker. Capture attack traffic, techniques, and other information as attackers attempt to compromise them.

Question 27

Virtual Private Cloud (VPC)

Answer 27

Is an option delivered by cloud service providers that builds an on-demand semi-isolated environment. A VPC typically exists on a private subnet and may have additonal security to ensure that intersystem communications remain secure

Question 28

Cloud Access Security Broker (CASB)

Answer 28

CASB tools are policy enforcement points that can exist either locally or in the cloud, and enforce security policies when cloud resources and services are used. CASBs can help with data security, antimalware functionality, service usage and access visibility, and risk management.

Question 29

Security Controls

Answer 29

Based upon two categories: How they are implemented or when they react relative to the security incident or threat

Question 30

Technical Controls

Answer 30

Include firewalls, IDS’s, IPS’s, network segmentation, authentication and authorization systems and a variety of other systems and technical capabilities designed to provide security through technical means.

Question 31

Administrative Controls

Answer 31

Involve processes and procedures like those found in incident response plans, account creation and management, as well as awareness and training efforts. Change Control, Config management, Monitoring and response policies, personnel security controls, business continuity & disaster recovery controls, Human Resource controls like background checks and terminations

Question 32

Physical Controls

Answer 32

Include locks, fences, and other controls that control or limit physical access, as well as controls like fire extinguishers that can help prevent physical harm to property.

Question 33

Preventive Controls

Answer 33

Are intended to stop an incident from occurring by taking proactive measures to stop the threat. Preventive controls include firewalls, training, and security guards.

Question 34

Detective Controls

Answer 34

Work to detect an incident and to capture information about it, allowing a response, like alarms or notifications.

Question 35

Corrective Controls

Answer 35

Either remediate an incident or act to limit how much damage can result from an incident. Corrective controls are often used as part of an incident response process. Examples of corrective controls include patching, antimalware software, and system restores from backups.

Question 36

Compensating Controls

Answer 36

Controls that satisfy a requirement that isn’t able to be met by an existing security measure - either bc it is too difficult to implement or bc it does not fully meet the needs

Question 37

Deterrent Controls

Answer 37

Warn attackers that they shouldn’t attack

Question 38

Directive Controls

Answer 38

Intended to lead to a desired outcome

Question 39

Recovery Controls

Answer 39

Provide ways to respond to a breach

Question 40

Firewalls

Answer 40

That block or allow traffic based on rules that use information like the source or destination IP address, port, or protocol used by traffic. They are typically used between different trust zones. There are a number of different types of firewall technologies, as well as both host and network firewall devices.

Question 41

IPSs

Answer 41

Are used to monitor traffic and apply rules based on behaviors and traffic content. Like firewalls, IPSs and IDSs (intrusion detection systems) rely on rules, but both IPSs and IDSs typically inspect traffic at a deeper level, paying attention to content and other details inside the packets themselves. Although the CySA+ exam materials reference only IPSs that can stop unwanted traffic, IDSs that can only detect traffic and alert or log information about it are also deployed as a detective control. Or an IPS may be configured with rules that do not take action when such an action might cause issues.

Question 42

DLP

Answer 42

Systems and software work to protect data from leaving the organization or systems where it should be contained. A complete DLP system targets data in motion, data at rest and in use, and endpoint systems where data may be accessed or stored. DLP relies on identifying the data that should be protected and then detecting when leaks occur, which can be challenging when encryption is frequently used between systems and across networks. This means that DLP installations combine endpoint software and various means of making network traffic visible to the DLP system.

Question 43

EDR

Answer 43

Is a relatively new term for systems that provides continuous monitoring and response to advanced threats. They typically use endpoint data gathering and monitoring capabilities paired with central processing and analysis to provide high levels of visibility into what occurs on endpoints. This use of data gathering, search, and analysis tools is intended to help detect and respond to suspicious activity. The ability to handle multiple threat types, including ransomware, malware, and data exfiltration, is also a common feature for EDR systems.

Question 44

NAC

Answer 44

Is a technology that requires a system to authenticate or provide other information before it can connect to a network. NAC operates in either a preadmission or postadmission mode, either checking systems before they are connected or checking user actions after systems are connected to the network. NAC solutions may require an agent or software on the connecting system to gather data and handle the NAC connection process, or they may be agentless. When systems do not successfully connect to a NAC-protected network, or when an issue is detected, they may be placed into a quarantine network where they may have access to remediation tools or an information portal, or they may simply be prevented from connecting.

Question 45

Sinkholing

Answer 45

Redirects traffic from its original destination to a destination of your choice. Although the most common implementation of sinkholing is done via DNS to prevent traffic from being sent to malicious sites, you may also encounter other types of sinkholing as well.

Question 46

Port Security

Answer 46

Is a technology that monitors the MAC (hardware) addresses of devices connecting to switch ports and allows or denies them access to the network based on their MAC address. A knowledgeable attacker may spoof a MAC address from a trusted system to bypass port security.

Question 47

Sandboxing

Answer 47

Refers to a variety of techniques that place untrusted software or systems into a protected and isolated environment. Sandboxing is often used for software testing and will isolate an application from the system, thus preventing it from causing issues if something goes wrong. Virtualization technologies can be used to create sandboxes for entire systems, and organizations that test for malware often use heavily instrumented sandbox environments to determine what a malware package is doing.

Question 48

Malware Signatures

Answer 48

Used to be simply composed of recognizable file patterns or hashes that could be checked to see if a given file or files matched those from known malware. As malware has become more complex, techniques that help obfuscate the malware by changing it to prevent this via techniques like mutation, expanding or shrinking code, or register renaming have made traditional signature-based identification less successful. Signatures can be created by analyzing the malware and creating hashes or other comparators that can be checked to see if packages match.

Question 49

Behavior-based Detection

Answer 49

Looks at the actions that an executable takes such as accessing memory or the filesystem, changing rights, or otherwise performing suspicious actions.

Question 50

Dynamic Analysis

Answer 50

Is the testing and evaluation of a program by executing data in real-time. The objective is to find errors in a program while it is running, rather than by repeatedly examining the code offline.

Question 51

Automated Malware Signature Creation

Answer 51

Is done using these techniques so that antimalware providers can provide signatures more quickly. Example: VirusTotal

Question 52

Separation of Duties

Answer 52

When individuals in an organization are given a role to perform, they can potentially abuse the rights and privileges that that role provides. Properly implemented separation of duties requires more than one individual to perform elements of a task to ensure that fraud or abuse do not occur. A typical separation of duties can be found in financially significant systems like payroll or accounts payable software. One person should not be able to modify financial data without being detected, so they should not have modification rights and also be charged with monitoring for changes.

Question 53

Succession Planning

Answer 53

This is important to ensure continuity for roles, regardless of the reason a person leaves your organization. A departing staff member can take critical expertise and skills with them, leaving important duties unattended or tasks unperformed. When a manager or supervisor leaves, not having a succession plan can also result in a lack of oversight for functions, making it easier for other personnel issues to occur without being caught.

Question 54

Cross Training

Answer 54

Focuses on teaching employees skills that enable them to take on tasks that their coworkers and other staff members normally perform. This can help to prevent single points of failure due to skillsets and can also help to detect issues caused by an employee or a process by bringing someone who is less familiar with the task or procedure into the loop.

Question 55

Dual Control

Answer 55

Dual control is useful when a process is so sensitive that it is desirable to require two individuals to perform an action together. The classic example of this appears in many movies in the form of a dual-control system that requires two military officers to insert and turn their keys at the same time to fire a nuclear weapon. Of course, this isn’t likely to be necessary in your organization, but dual control may be a useful security control when sensitive tasks are involved because it requires both parties to collude for a breach to occur. This is often seen in organizations that require two signatures for checks over a certain value. Dual control can be implemented as either an administrative control via procedures or via technical controls.

Question 56

Mandatory Vacation

Answer 56

This process requires staff members to take vacation, allowing you to identify individuals who are exploiting the rights they have. Mandatory vacation prevents employees from hiding issues or taking advantage of their privileges by ensuring that they are not continuously responsible for a task.

Question 57

Operational Views

Answer 57

Describe how a function is performed, or what it accomplishes. This view typically shows how information flows but does not capture the technical detail about how data is transmitted, stored, or captured. Operational views are useful for understanding what is occurring and often influence procedural or administrative controls.

Question 58

Technical Views

Answer 58

(sometimes called service-oriented, or systems-based, views) focus on the technologies, settings, and configurations used in an architecture. This can help identify incorrect configurations and insecure design decisions. An example of a technical view might include details like the TLS version of a connection, or the specific settings for password length and complexity required for user accounts.

Question 59

Logical View

Answer 59

Is sometimes used to describe how systems interconnect. It is typically less technically detailed than a technical view but conveys broader information about how a system or service connects or works. The network diagrams earlier in this chapter are examples of logical views.

Question 60

Heartbeat Link

Answer 60

Devices communicate through this link which provides status and synchronization information. Firewall to Firewall; Router to Router; Switches to Switches

Question 61

Continual Improvement Processes

Answer 61

Are designed to provide incremental improvements over time. A security program or design needs to be assessed on a recurring basis, making a continuous improvement process important to ensure that the design does not become outdated.