Chapter 7 Flashcards

1
Q

Layered Security

A

This means that each layer of security includes additional protections that help prevent a hole or flaw in another layer from allowing an attacker in.

2
Q

Physical Segmentation

A

Involves running on separate physical infrastructure or networks.

3
Q

System Isolation

A

Is handled by ensuring that the infrastructure is separated, and can go as far as using an air gap.

4
Q

Air Gap

A

Ensures that there is no connection at all between the infrastructures.

5
Q

Virtual Segmentation

A

Takes advantage of virtualization capabilities to separate functions to virtual machines or containers, although some implementations of segmentation for virtualization also run on separate physical servers in addition to running separate virtual machines.

6
Q

Network Segmentation

A

Or compartmentalization, is a common element of network design. It provides a number of advantages:

The number of systems that are exposed to attackers (commonly called the organization’s attack surface) can be reduced by compartmentalizing systems and networks.

It can help to limit the scope of regulatory compliance efforts by placing the systems, data, or unit that must be compliant in a more easily maintained environment separate from the rest of the organization.

In some cases, segmentation can help increase availability by limiting the impact of an issue or attack.

Segmentation is used to increase the efficiency of a network. Larger numbers of systems in a single segment can lead to network congestion, making segmentation attractive as networks increase in size.

7
Q

Jump box

A

Which is a system that resides in a segmented environment and is used to access and manage the devices in the segment where it resides. Jump boxes span two different security zones and should thus be carefully secured, managed, and monitored.

8
Q

Product Diversity

A

(using products from multiple vendors) is sometimes used to create an additional layer of security. The intent of using diverse products is to eliminate a single point of failure by ensuring that a vulnerability or design flaw found in one product does not make an entire network or system vulnerable to exploit. For example, in a network design, this might mean using Juniper border routers, Cisco core routers, and Palo Alto security devices. If a vulnerability existed in the Cisco core routers, the other devices would be less likely to suffer from the same issue, meaning that attackers should not be able to exploit them, thus potentially limiting the impact of an attack.

9
Q

VPNs

A

Although VPNs do not technically have to provide an encryption layer to protect the traffic they carry, almost all modern implementations will use encryption while providing a secure connection that makes a remote network available to a system or device.

10
Q

Physical Network Architecture

A

Is composed of the routers, switches, security devices, cabling, and all the other network components that make up a traditional network. You can leverage a wide range of security solutions on a physical network, but common elements of a security design include the following: firewalls; IPSs and IDSs; content filtering and caching devices; NAC; network scanners; UTM devices.

11
Q

Firewalls

A

Control traffic flow between networks or systems.

12
Q

IPSs & IDSs

A

IPS: can detect and stop attacks.

IDS: only alarms or notifies when attacks are detected.

13
Q

Content Filtering and caching devices

A

Used to control what information passes through to protected devices.

14
Q

Network Access Control (NAC)

A

Technology that controls which devices are able to connect to the network and which may assess the security state of devices or require other information before allowing a connection.

15
Q

Network Scanners

A

Tools that can identify systems and gather information about them, including the services they are running, patch levels, and other details about the systems.

16
Q

Unified Threat Management (UTM)

A

Devices that combine a number of these services often including firewalls, IDSs/IPSs, content filtering, and other security features.

17
Q

Software-Defined Networking (SDN)

A

Makes networks programmable. Using SDN, you can control networks centrally, which allows management of network resources and traffic with more intelligence than a traditional physical network infrastructure. Software-defined networks provide information and control via APIs (application programming interfaces) like OpenFlow, which means that network monitoring and management can be done across disparate hardware and software vendors.

19
Q

Virtualization

A

Uses software to run virtual computers on underlying real hardware.

20
Q

Virtual Desktop Infrastructure (VDI)

A

Runs desktop operating systems like Windows 10 on central hardware and streams the desktops across the network to client systems.

21
Q

Containerization

A

Provides an alternative to virtualizing an entire system, and instead permits applications to be run in their own environment with their own required components, such as libraries, config files, and other dependencies, in a dedicated container.

22
Q

Serverless

A

Serverless computing in a broad sense describes cloud computing, but much of the time when the term is used currently it describes a technology called FaaS (Function as a Service). Serverless computing relies on a system that executes functions as they are called.

23
Q

Asset Management

A

Securing assets effectively requires knowing what assets you have and what their current state is. These paired requirements drive organizations to implement asset management tools and processes.

24
Q

Asset Tagging

A

Can help discourage theft, help identify systems more easily, and make day-to-day support work easier for support staff, who can quickly look up a system or device in an asset inventory list to determine what it is, who the device was issued to, and what its current state should be.

25
Q

Active Defense

A

Describes offensive actions taken to counter adversaries.

26
Q

Honeypots

A

Honeypots are systems that are designed to look like an attractive target for an attacker. They capture attack traffic, techniques, and other information as attackers attempt to compromise them.

27
Q

Virtual Private Cloud (VPC)

A

Is an option delivered by cloud service providers that builds an on-demand, semi-isolated environment. A VPC typically exists on a private subnet and may have additional security to ensure that intersystem communications remain secure.

28
Q

Cloud Access Security Broker (CASB)

A

CASB tools are policy enforcement points that can exist either locally or in the cloud, and enforce security policies when cloud resources and services are used. CASBs can help with data security, antimalware functionality, service usage and access visibility, and risk management.

29
Q

Security Controls

A

Are categorized in two ways: by how they are implemented, or by when they react relative to the security incident or threat.

30
Q

Technical Controls

A

Include firewalls, IDSs, IPSs, network segmentation, authentication and authorization systems, and a variety of other systems and technical capabilities designed to provide security through technical means.

31
Q

Administrative Controls

A

Involve processes and procedures like those found in incident response plans, account creation and management, as well as awareness and training efforts. Examples include change control, configuration management, monitoring and response policies, personnel security controls, business continuity and disaster recovery controls, and human resource controls like background checks and terminations.

32
Q

Physical Controls

A

Include locks, fences, and other controls that control or limit physical access, as well as controls like fire extinguishers that can help prevent physical harm to property.

33
Q

Preventive Controls

A

Are intended to stop an incident from occurring by taking proactive measures to stop the threat. Preventive controls include firewalls, training, and security guards.

34
Q

Detective Controls

A

Work to detect an incident and to capture information about it, allowing a response, like alarms or notifications.

35
Q

Corrective Controls

A

Either remediate an incident or act to limit how much damage can result from an incident. Corrective controls are often used as part of an incident response process. Examples of corrective controls include patching, antimalware software, and system restores from backups.

36
Q

Compensating Controls

A

Controls that satisfy a requirement that isn’t able to be met by an existing security measure, either because it is too difficult to implement or because it does not fully meet the needs.

37
Q

Deterrent Controls

A

Warn attackers that they shouldn’t attack.

38
Q

Directive Controls

A

Intended to lead to a desired outcome.

39
Q

Recovery Controls

A

Provide ways to respond to a breach.

40
Q

Firewalls

A

Block or allow traffic based on rules that use information like the source or destination IP address, port, or protocol used by the traffic. They are typically used between different trust zones. There are a number of different firewall technologies, as well as both host and network firewall devices.

41
Q

IPSs

A

Are used to monitor traffic and apply rules based on behaviors and traffic content. Like firewalls, IPSs and IDSs (intrusion detection systems) rely on rules, but both IPSs and IDSs typically inspect traffic at a deeper level, paying attention to content and other details inside the packets themselves. Although the CySA+ exam materials reference only IPSs that can stop unwanted traffic, IDSs that can only detect traffic and alert or log information about it are also deployed as a detective control, and an IPS may be configured with rules that do not take action when such an action might cause issues.

42
Q

DLP

A

Systems and software work to protect data from leaving the organization or systems where it should be contained. A complete DLP system targets data in motion, data at rest and in use, and endpoint systems where data may be accessed or stored. DLP relies on identifying the data that should be protected and then detecting when leaks occur, which can be challenging when encryption is frequently used between systems and across networks. This means that DLP installations combine endpoint software and various means of making network traffic visible to the DLP system.

43
Q

EDR

A

Is a relatively new term for systems that provide continuous monitoring and response to advanced threats. They typically use endpoint data gathering and monitoring capabilities paired with central processing and analysis to provide high levels of visibility into what occurs on endpoints. This use of data gathering, search, and analysis tools is intended to help detect and respond to suspicious activity. The ability to handle multiple threat types, including ransomware, malware, and data exfiltration, is also a common feature of EDR systems.

44
Q

NAC

A

Is a technology that requires a system to authenticate or provide other information before it can connect to a network. NAC operates in either a preadmission or postadmission mode, either checking systems before they are connected or checking user actions after systems are connected to the network. NAC solutions may require an agent or software on the connecting system to gather data and handle the NAC connection process, or they may be agentless. When systems do not successfully connect to a NAC-protected network, or when an issue is detected, they may be placed into a quarantine network where they may have access to remediation tools or an information portal, or they may simply be prevented from connecting.

45
Q

Sinkholing

A

Redirects traffic from its original destination to a destination of your choice. Although the most common implementation of sinkholing is done via DNS to prevent traffic from being sent to malicious sites, you may also encounter other types of sinkholing as well.

46
Q

Port Security

A

Is a technology that monitors the MAC (hardware) addresses of devices connecting to switch ports and allows or denies them access to the network based on their MAC address. A knowledgeable attacker may spoof a MAC address from a trusted system to bypass port security.

47
Q

Sandboxing

A

Refers to a variety of techniques that place untrusted software or systems into a protected and isolated environment. Sandboxing is often used for software testing and will isolate an application from the system, thus preventing it from causing issues if something goes wrong. Virtualization technologies can be used to create sandboxes for entire systems, and organizations that test for malware often use heavily instrumented sandbox environments to determine what a malware package is doing.

48
Q

Malware Signatures

A

Used to be simply composed of recognizable file patterns or hashes that could be checked to see if a given file or files matched those from known malware. As malware has become more complex, obfuscation techniques that change the malware to defeat such matching, like mutation, expanding or shrinking code, or register renaming, have made traditional signature-based identification less successful. Signatures can be created by analyzing the malware and creating hashes or other comparators that can be checked to see if packages match.

49
Q

Behavior-based Detection

A

Looks at the actions that an executable takes, such as accessing memory or the filesystem, changing rights, or otherwise performing suspicious actions.

50
Q

Dynamic Analysis

A

Is the testing and evaluation of a program by executing it in real time. The objective is to find errors in a program while it is running, rather than by repeatedly examining the code offline.

51
Q

Automated Malware Signature Creation

A

Is done using techniques like these (behavior-based detection and dynamic analysis) so that antimalware providers can provide signatures more quickly. Example: VirusTotal.

52
Q

Separation of Duties

A

When individuals in an organization are given a role to perform, they can potentially abuse the rights and privileges that the role provides. Properly implemented separation of duties requires more than one individual to perform elements of a task to ensure that fraud or abuse does not occur. A typical separation of duties can be found in financially significant systems like payroll or accounts payable software. One person should not be able to modify financial data without being detected, so they should not have modification rights and also be charged with monitoring for changes.

53
Q

Succession Planning

A

This is important to ensure continuity for roles, regardless of the reason a person leaves your organization. A departing staff member can take critical expertise and skills with them, leaving important duties unattended or tasks unperformed. When a manager or supervisor leaves, not having a succession plan can also result in a lack of oversight for functions, making it easier for other personnel issues to occur without being caught.

54
Q

Cross Training

A

Focuses on teaching employees skills that enable them to take on tasks that their coworkers and other staff members normally perform. This can help to prevent single points of failure due to skillsets and can also help to detect issues caused by an employee or a process by bringing someone who is less familiar with the task or procedure into the loop.

55
Q

Dual Control

A

Dual control is useful when a process is so sensitive that it is desirable to require two individuals to perform an action together. The classic example of this appears in many movies in the form of a dual-control system that requires two military officers to insert and turn their keys at the same time to fire a nuclear weapon. Of course, this isn’t likely to be necessary in your organization, but dual control may be a useful security control when sensitive tasks are involved because it requires both parties to collude for a breach to occur. This is often seen in organizations that require two signatures for checks over a certain value. Dual control can be implemented as either an administrative control via procedures or via technical controls.

56
Q

Mandatory Vacation

A

This process requires staff members to take vacation, allowing you to identify individuals who are exploiting the rights they have. Mandatory vacation prevents employees from hiding issues or taking advantage of their privileges by ensuring that they are not continuously responsible for a task.

57
Q

Operational Views

A

Describe how a function is performed, or what it accomplishes. This view typically shows how information flows but does not capture the technical detail about how data is transmitted, stored, or captured. Operational views are useful for understanding what is occurring and often influence procedural or administrative controls.

58
Q

Technical Views

A

(sometimes called service-oriented, or systems-based, views) focus on the technologies, settings, and configurations used in an architecture. This can help identify incorrect configurations and insecure design decisions. An example of a technical view might include details like the TLS version of a connection, or the specific settings for password length and complexity required for user accounts.

59
Q

Logical View

A

Is sometimes used to describe how systems interconnect. It is typically less technically detailed than a technical view but conveys broader information about how a system or service connects or works. The network diagrams earlier in this chapter are examples of logical views.

60
Q

Heartbeat Link

A

Paired devices (firewall to firewall, router to router, switch to switch) communicate through this link, which provides status and synchronization information.

61
Q

Continual Improvement Processes

A

Are designed to provide incremental improvements over time. A security program or design needs to be assessed on a recurring basis, making a continuous improvement process important to ensure that the design does not become outdated.