Communication and network security Flashcards
The most important protocol at Layer 2 is
the Address Resolution Protocol (ARP)
The most important protocol at Layer 2 is the Address Resolution Protocol (ARP). This might be thought of as a technology-independent protocol, as
one side deals with Media Access Control (MAC) addresses and the other with IP addresses; but it has no need to be involved with or aware of the details of the other communications protocols used at Layer 2.
At Layer 2, two other protocols (aside from ARP) provide the mechanisms for establishing a Layer 2 connection between two systems, such as an internet service provider (ISP) and a customer device.
PPP and PPPoE
Layer 2: What are polling protocols
In the polling protocols model, each station is permitted a specific amount of time when it has exclusive access to the infrastructure. As the number of devices on the network increases, the bandwidth available to each device degrades in a more predictable manner. This approach is often characterized as a deterministic network.
Layer 2: Name the two main contention based protocols
CSMA/CD and CSMA/CA
Layer 2: What are bridges
Bridges are Layer 2 devices that filter traffic between segments based on MAC addresses. In addition, they amplify signals to facilitate physically larger networks.
Network administrators can use —— —— to connect dissimilar Layer 2 architectures, such as Ethernet to Token Ring.
translator bridges
A common type of bridge for many organizations is a wireless bridge based upon …
one of the IEEE 802.11 standards
Layer 2: Since VLANs act as discrete networks, communications between VLANs must be enabled through
services at higher layers of the protocol stack (i.e., Layer 3/routers, Layer 6/gateways and other devices).
Virtual local area networks (VLANs) allow network administrators to use switches to create
software-based LAN segments, which can segregate or consolidate traffic across multiple switch ports.
Layer 2: VLANs do not guarantee a network’s security. At first glance, it may seem that traffic cannot be intercepted because communication within a VLAN is restricted to member devices. However, there are attacks that allow a malicious user to see traffic from other VLANs. This is called
VLAN Hopping or 802.1Q attacks
Layer 3: Five different forms of transmission are defined at Layer 3
Unicast
Broadcast
Multicast
Anycast
Geocast
Layer 3: How is anycast different from unicast
Anycast provides a different approach to unicast, in that its intention is one-to-one transmission of data, but it uses the services of a group of devices to facilitate this. As a result, it’s often referred to as one-to-one-of-many. In effect, the “destination” address is a don’t care: the sending node wants somebody in its anycast group to receive the message and process it.
Layer 3: What is a common use of Anycast
Content distribution networks will use this to manage the push of continuous content to regional sub-distribution servers, for example.
Layer 3: IPv4 and IPv6 use a different packet header to provide addressing and other information, and thus
the same network cannot operate IPv4 and IPv6 simultaneously.
Layer 3: Why can the same network not operate IPv4 and IPv6
IPv4 and IPv6 use a different packet header to provide addressing and other information
Layer 3: How do we solve the problem of IPv4 not being on same network as IPv6
- Protocol and address translation is performed between network segments, which allows organizations a reasonably straightforward way to transition subnets or segments from IPv4 to IPv6.
- Dual stack: Uses specialized devices which can handle both protocols.
- Tunneling: Allows IPv6 to run in native mode on some segments of your network, while encapsulating those packets when they have to transit the IPv4 connections.
Layer 3: How many concurrently connected hosts can be inside a network with the subnet mask of 255.0.0.0
16,777,214
Layer 3: How many concurrently connected hosts can be inside a network with the subnet mask of 255.255.0.0
65,534
Layer 3: How many concurrently connected hosts can be inside a network with the subnet mask of 255.255.255.0
254
Layer 3: What is always in the form of 169.254.x.x where the values at x are automatically generated by using an offset algorithm and the real-time clock value
Automatic Private IP Addressing (APIPA)
Layer 3: How many addresses can ipv6 support
2 to the power of 128 (128 Bits)
Layer 3: Operating across both Layers 2 and 3 of the OSI model, this link-state routing protocol calculates the optimal path when communication between devices is initiated and informs its peers of the “label” for that route. Future communications use the label (without further lookups to determine the optimal path) to move the traffic.
Multiprotocol Label Switching (or MPLS)
Layer 3: The advantages of MPLS are significant. These include:
Traffic-engineering: The protocol provides much more control to network operators to determine where and how traffic is routed on their networks, improving capacity management, service prioritization and minimizing traffic congestion.
Multi-service networks: MPLS can support a variety of data transport services, as well as IP routing, across the same packet switched network infrastructure.
Network resiliency: Capabilities like MPLS Fast Reroute provide the ability to reroute traffic to meet QoS requirements for certain types of traffic. Despite these advantages, many organizations are choosing software-defined wide area networks (SD-WAN) as an alternative to MPLS because of the potential cost advantages. SD-WAN will be further developed in other chapters.
Layer 3: A number of protocols use the routing infrastructure but do not directly contribute to its operation (and hence are called routed protocols). Security professionals should be aware of two of these:
The Internet Control Message Protocol (ICMP) is used for the exchange of control messages between hosts and gateways and is used for diagnostic tools such as ping and traceroute.
Internet Group Management Protocol (IGMP) is used to manage multicasting groups that are a set of hosts anywhere on a network that are listening for a transmission.
Layer 3: Smurf attacks
using multiple attack platforms to attempt to overwhelm the target with echo requests
Layer 3: Threats at Layer 3 can exploit protocol or network vulnerabilities by means of
Routing (RIP) attacks
ICMP attacks
Ping flooding
Smurf attacks (using multiple attack platforms to attempt to overwhelm the target with echo requests)
IP address spoofing
Packet sniffing
Layer 3: Countermeasures at Layer 3 can include the following:
Securing ICMP
Proper router configuration
Better packet filtering and inspection (NGFW, perhaps)
Use router access control lists (ACLs) more effectively
Proper VLAN configuration
Layer 2 Intrusion detection/prevention
Move toward zero trust architecture
Microsegmentation of LAN
Layer 3: How is distance-vector different from link-state routing protocols?
Distance-vector calculates cost based upon hop count; link-state can use bandwidth.
Layer 3: Internet Group Management Protocol (IGMP) is used to send what kind of messages?
Multicast
Transport Layer protocols
TCP UDP
Transport Layer protocols can be informally grouped by their purpose or function into seven basic categories
2. Names and directory services
LDAP, DNS
Transport Layer protocols can be informally grouped by their purpose or function into seven basic categories
3. Network operational support and management
DHCP, NTP
Transport Layer protocols can be informally grouped by their purpose or function into seven basic categories
4. Web page operation
HTTP, HTTPS
Transport Layer protocols can be informally grouped by their purpose or function into seven basic categories
5. Email
POP, IMAP, SMTP
Transport Layer protocols can be informally grouped by their purpose or function into seven basic categories
6. Administrative and miscellaneous
FTP, SSH, Telnet
Level 4: On the Transport Layer what is port 20/21
File Transfer Protocol FTP
Level 4: On the Transport Layer what is port 23
Telnet
Level 4: On the Transport Layer what is port 25 or 587
SMTP (587 is secure via TLS)
Level 4: On the Transport Layer what is port 37
Time
Level 4: On the Transport Layer what is port 53
Domain Name Service (DNS)
Level 4: On the Transport Layer what is port 69
Trivial File Transfer Protocol (TFTP)
Level 4: On the Transport Layer what is port 161
Simple Network Management Protocol (SNMP)
Level 4: On the Transport Layer what is port 162
SNMP Trap
Level 4: On the Transport Layer what is port 179
Border Gateway Protocol
Level 4: Threats at the transport layer include
Routing protocol attacks (such as against RIP)
ICMP attacks, such as ping floods
Network Time Protocol (NTP) desynchronization attempts
Fraggle (UDP broadcast flood)
TCP sequence prediction
IP address spoofing, packet sniffing, and port scanning
Level 4: Countermeasures at the transport layer include
TCP intercept and filtering
DoS prevention services
Using allowed and blocked lists for IP addresses, URLs, and URIs
More complete, properly configured use of TLS
Secure versions of all protocols for file transfer and shell program access (i.e., SFTP instead of file transfer protocol (FTP), SSH instead of Telnet)
Fingerprint scrubbing
What Layer 2 device connects two network segments together and then controls traffic flow between the two segments?
A bridge. While both bridges and switches operate at Layer 2, a bridge has only two ports and is used to connect segments. A switch, having more ports, learns which devices are connected to each port and switches traffic according to the destination address.
Where in the OSI are segments created?
Segments are created at Layer 4, packets at Layer 3, frames at Layer 2 and the signal or bits at Layer 1.
Where in the OSI are logical addresses translated to physical addresses?
It is through the Data Link Layer that the Address Resolution Protocol (ARP) maps logical to physical and physical to logical addresses. The other layers do not provide address translation.
ISO 7498-2 specifies that
no security services are provided in the Session Layer; therefore, it is imperative to address vulnerabilities revealed by applying security services either above or below the Session Layer.
Instead, use encryption services provided at other layers, such as VPNs (Transport and Network Layers), other bulk encryption (Transport Layer), Presentation Layer encryption services, or Application Layer protocols such as HTTPS.
Layer 5 Attacks against Session Layer activities are on the increase, as attackers seek to find additional paths across their target’s threat surfaces. These include but are not limited to:
Session hijack, man-in-the-middle (MITM)
ARP poisoning, DNS poisoning, and poisoning of local hosts files
SSH downgrade attempt
Man-in-the-Browser (MITB): Trojans in browser helpers, add-ons or other software
Layer 5 Countermeasures at the Session Layer include:
Replace weak password authentication protocols
Migrate to strong identity management and access control
Use PKI
Verify DNS is correctly configured
Active monitoring and alarm of Session Layer
More robust IDS, IPS (and SIEM alarms)
Session Layer protocols include the following:
PAP – Password authentication protocol
EAP – Extensible authentication protocol
PEAP – Protected extensible authentication protocol
CHAP – Challenge-handshake authentication protocol
Data conversion or bit order reversal and compression are other functions of the
Presentation layer
While typically discussed as a Layer 6 service, encryption services can be managed by
layers above and below layer 6
Commonly referenced Layer 6 encryption protocols include
TLS and Secure Multipurpose Internet Mail Extensions (S/MIME). Both protocols also use services normally associated with different layers of the OSI model.
Layer 6 common threats
Data integrity
Application access
Network Basic Input/Output System (NetBIOS), Server Message Block (SMB), and SSL have been favorite targets of attackers.
Layer 6 Countermeasures
Replace/upgrade apps using weak authentication or protection
Deep inspection of application traffic for:
Signs of attack
Policy violations
Migrate to more secure applications protection:
Web Application Firewall (WAF)
Applications Delivery Platform (ADP)
Migrate to zero trust architecture
True or False: The Presentation Layer is needed to translate the output from unlike systems to similar formats.
True
Which layer is the target-rich environment for hackers of all levels of sophistication?
The Application Layer
Threats at the application layer include
SQL injection
Encryption downgrade attempts
Rogue DHCP service, DNS poisoning, Lightweight Directory Access Protocol (LDAP) injection, or other attacks on address and name resolution services
Simple Network Management Protocol (SNMP) abuse
HTTP floods, DDoS, parameter tampering, or malformed input attacks on applications and web pages
Cross-site scripting attacks, session hijacks, malware (including drive-by malware attacks)
Layer 7 Countermeasures should include at a minimum:
Monitor and block access to suspicious or hazardous sites
Block known or suspected bots
Implement stronger access control (multifactor)
Perform deep inspection of application traffic
Migrate to more secure applications protection:
Web Application Firewall (WAF)
Applications Delivery Platform (ADP)
Migrate to zero trust architecture
Strengthen end users’ security skills and attitudes
What layer of the OSI is responsible for information formatting?
The Presentation Layer is responsible for compression and decompression, encryption and decryption and data formatting.
If a user lost a connection to a remote system, which layer of the OSI would attempt to re-establish the network connection?
The Session Layer establishes, maintains and tears down a communication between two nodes.
Which Lightweight Directory Access Protocol (LDAP) attribute defines a portion of a directory access protocol name that can resolve by Domain Name Service (DNS)?
A domain component is the only item that is an attribute of LDAP and that can be resolved by DNS.
___________ is a suite of protocols for communicating securely with IP by providing mechanisms for authentication and encryption.
IPSec
Because IPSec interprets the change of IP address within packet headers as an attack, ______ does not work well with IPSec.
NAT
Because IPSec interprets the change of IP address within packet headers as an attack, NAT does not work well with IPSec. To resolve the incompatibility of the two protocols, NAT Traversal (NAT-T) does what?
encapsulates IPSec within UDP port 4500
In IPSec an ___________________ is used to prove the identity of the origin node and ensure that the transmitted data has not been tampered with.
Authentication Header
IPSec: How does the Authentication Header work?
Before each packet (headers + data) is transmitted, a hash value of the packet’s contents, based on a shared secret, is inserted in the last field of the AH.
In IPSec, what is the Encapsulating Security Payload?
The Encapsulating Security Payload (ESP) encrypts IP packets and ensures their integrity. ESP contains four sections:
Header: Contains information showing which security association to use and the packet sequence number. Like the AH, the ESP sequences every packet to thwart replay attacks.
Payload: The payload contains the encrypted part of the packet.
Trailer: May include padding (filler bytes) if required by the encryption algorithm or to align fields.
Authentication: If authentication is used, this field contains the integrity check value (hash) of the ESP packet.
A ____________ defines the mechanisms that an endpoint will use to communicate with its partner.
A security association (SA)
Endpoints communicate with IPSec using either
transport or tunnel mode
Internet key exchange (IKE) is one of the most widely used methods that allows two devices to …
“exchange” symmetric keys for the use of encrypting in AH or ESP.
IKE relies primarily on the use of either ________ or the use of ___________
Diffie-Hellman-Merkle key exchange or the use of public key certificates.
This approach is often seen in SSO environments in which a single sign-on gets a user onto the organizational LAN (or WAN), from which they have visibility, if not access, to a significantly large fraction of the organization’s information systems and assets.
Trust but verify
A design approach that recognizes that even the most robust access control systems have their weaknesses. In the extreme, it insists that every process or action a user attempts to take must be authenticated and authorized.
Zero trust
Zero trust networks are often __________, with firewalls (next generation or other) at nearly every connecting point
microsegmented networks
At what plane can you locate routers and switches in a software-defined network (SDN)?
Routers and switches are in the data plane.
What is 802.1X NAC
802.1X is a port-based network access control (or PNAC) protocol, which provides the authentication control for devices attempting to connect to both local area networks (LANs) and wireless local area networks (or WLANs).
It consists of three components: the supplicant (the user’s device), the authenticator (a switch or access point), and an authentication server. This protocol provides many of the functions that are considered “NAC Best Practices.”
802.1X NAC
Currently there are a number of vendors and consortiums working on developing standards to provide interoperability for NAC devices and solutions, with perhaps the biggest three being
Cisco’s CNAC (Cisco network access control) architecture. Proprietary and hardware based
Microsoft’s NAP (network access protection) Software based
Trusted Computing Group’s (TNC) standard - vendor neutral standards and APIs
The adoption of RFC _____ in _______ provided an open standard for VoIP systems.
2543, 1999
The adoption of RFC 2543 in 1999 provided an open standard for
VoIP systems.
Session Initiation Protocol (SIP) is designed to
manage multimedia connections
Wireless network communications are governed by the
IEEE 802.11
Do not confuse 802.11x with 802.1x — the first is a Wi-Fi standard and the second is
an authentication technology not related to wireless.
Authentication of wireless devices is often done with protocols such as
EAP, PEAP, and a lighter-weight version of PEAP called (predictably enough) LEAP
A virtual private network (VPN) is a point-to-point connection that
extends a private network across a public network.
Virtual Private Networks (VPNs) through tunneling: name three protocols.
Point to point tunneling protocol PPTP
Layer 2 Tunneling protocol L2TP
SSL and TLS
SSL has been determined to be insecure and therefore should not be used; it has been replaced by
Transport Layer Security (TLS),
True or false TLS VPNs are restricted to applications that use HTTP
False. With the aid of plug-ins, such as Java, users can have access to back-end databases and other non-web-based applications.
TLS VPNs have several advantages over IPSec:
- They are easier to deploy on client workstations than IPSec because they require only a web browser.
- Almost all networks permit outgoing HTTP.
- TLS VPNs can be operated through a proxy server.
- Applications can restrict users’ access based on criteria such as the network the user is on, which is useful for building extranets with several organisations.
What is the security problem with working from home?
issues such as visitor control, physical security, and network control are almost impossible to address with teleworkers
What should the remote access policy consider?
Here the answer is: it is essential to define session management. It is critical to determine
- who is connecting,
- when they are connecting, and
- where they are connecting from.
- All new devices are onboarded and verified as part of the mobile access policy.
A circuit-switched network uses a dedicated circuit between endpoints. What does this mean?
Neither endpoint starts communicating until the circuit is completely established. The endpoints have exclusive use of the circuit and its bandwidth.
The best example of a circuit-switched network is the
plain old telephone service (POTS) or dedicated T- or E-class point-to-point circuits.
Virtual circuits provide a connection between endpoints over high-bandwidth, multiuser cable or fiber that behaves as if
the circuit were a dedicated physical circuit.
There are two types of virtual circuits based on when the routes in the circuit are established:
permanent virtual circuit (PVC) and switched virtual circuit (SVC).
The modern virtualization of networks and the associated technology is called
network function virtualization (NFV), alternately referred to as virtual network function.
True or False: Both SSL and TLS can be used to create a secure session key for VPNs.
Encryption via Secure Socket Layer (SSL) created the opportunity to implement virtual private networks (VPNs), which in essence created a tunnel between two IP addresses by encrypting the original IP packet, including its header. SSL has since been determined to be insecure, and therefore should not be used. It has been replaced by Transport Layer Security (TLS), which is fully compatible
True or False: Layer 2 Tunneling Protocol (L2TP) relies on IPSec to provide encryption.
L2TP does not provide encryption, but it relies upon IPSec to provide encryption.
What is a HIPS
Host Intrusion Protection System (for inside network)
What is a NIDS
Network intrusion detection system
What is a NIPS
Network intrusion protection system
How can MLZ be assured that everyone engaged in the project is working with the same security posture?
A SOC 2 Type II is an auditor’s report that includes confidentiality, integrity, availability, privacy, and general security features – all over a period of time. You will want this in the scenario because you need all of these elements to align with MLZ’s security posture and to ensure there are no breaks in security.
What is the purpose of the Clear to Send message?
A) It tells a node that it can transmit in a wireless network.
B) It tells all nodes that a collision has now been cleared.
C) It tells a node that it can transmit in a ring network.
D) It tells a node that it can transmit in a mesh network.
The correct answer is A. Used in the Institute of Electrical and Electronics Engineers (IEEE) 802.11 (wireless) standard, it is used by carrier sense multiple access/collision avoidance (CSMA/CA) to advise other connected nodes to stay off a given frequency and thus helps avoid collisions. In collision-prone topologies such as bus and mesh, all nodes are notified if a collision has occurred but not that it has cleared. Collisions do not occur within a ring network because of the use of the token.
What network-based attack allows an attacker to pose as an intermediate system?
The correct answer is D. Address Resolution Protocol (ARP) is used to resolve an IP to MAC address. If successful, an ARP spoofing attack allows all of a victim’s traffic to be sent through the attacker. The result of ARP spoofing does create a man-in-the-middle (MITM) situation, but this is a general term for an attack in which an attacker places themselves in the middle of a communication.
A teardrop attack is a
denial of service (DoS) and involves sending fragmented packets, which the receiver cannot reassemble correctly.
Route poisoning is not an attack but a
mechanism used in Routing Information Protocol (RIP) to shut down traffic along a path that is no longer valid.
What is a one-to-one-of-many transmission?
Anycast, a method where one single destination can be reached by multiple network paths.
What does a firewall do?
A) Separates trusted from less trusted network segments
B) Filters outbound traffic
C) Enforces policies
D) Filters inbound traffic
The correct answer is A. Answers B, C and D are how a firewall creates separation boundaries. Answer A is a form of an access control device, and it is what a firewall does.
Which of the following provides layer 2 services?
A) Internet Protocol (IP)
B) Transmission Control Protocol (TCP)
C) Point-to-Point Tunneling Protocol (PPTP)
D) User Datagram Protocol (UDP)
The correct answer is C. A Point-to-Point Tunneling Protocol (PPTP) provides services at the data link layer, which is layer 2. Internet Protocol (IP) operates at layer 3, the network layer.
An acknowledgment of a signal being received.
ACK
Used at the Media Access Control (MAC) layer to provide for direct communication between two devices within the same LAN segment.
ARP
An open standard for short-range radio frequency communication used primarily to establish wireless personal area networks (WPANs).
Bluetooth (Wireless Personal Area Network IEEE 802.15)
Network in which devices are connected at Layer 1 by means of physical cables, wires, or fiber. Often referred to as wired networks, Ethernet networks, or by the wiring or cable standard used, e.g., fiber network, Cat 5 or Cat 6 network. See also unbound (wireless) networks.
Bound Network(s)
Primarily advertise routes that external hosts can use to reach internal ones.
Boundary Routers
Every call’s data is encoded with a unique key, then the calls are all transmitted at once.
Code-Division Multiple Access (CDMA)
Multiplex connected devices into one signal to be transmitted on a network.
Concentrators
A large, distributed system of servers deployed in multiple data centers, which moves content to achieve quality of service and availability requirements.
Content Distribution Network (CDN)
Control of network functionality and programmability is directly made to devices at this layer. OpenFlow was the original framework/protocol specified to interface with devices through southbound interfaces.
Control Plane
A protocol that combines (or converges) standard protocols (such as TCP/IP) with proprietary or other non-standard protocols. These can sometimes provide greatly enhanced functionality and security to meet the needs of specific situations or industries. Adopting them can also complicate enterprise-wide security engineering efforts by requiring additional specialist knowledge and skills to manage and secure.
Converged Protocols
This acronym can be applied to three interrelated elements: a service, a physical server and a network protocol.
Domain Name Service (DNS)
Software layer that provides an interface for accessing the functions of hardware devices. Typically used by the operating system.
Dynamic or Private Ports
49152-65535
Network data traffic that flows laterally across a set of internal systems, networks, or subnetworks within an IT architecture.
East-West Data Flow (or Traffic)
A LAN standard, defined by ANSI X3T9.5, specifying a 100-Mbps token-passing network using fiber-optic cable, with transmission distances of up to two kilometers.
Fiber Distributed Data Interface (FDDI)
A lightweight encapsulation protocol that lacks the reliable data transport of the TCP layer.
Fibre Channel over Ethernet (FCoE)
Computer programs and data stored in hardware ― typically in read-only memory (ROM) or programmable read-only memory (PROM) ― such that the programs and data cannot be dynamically written or modified during execution of the programs. Source: IETF RFC 4949 Ver 2
Firmware
Data represented at Layer 2 of the Open Systems Interconnection (OSI) model.
Frame
A firewall or other device sitting at the edge of a network to regulate traffic and enforce rules.
Gateway Device
An IP network protocol standardized by the Internet Engineering Task Force (IETF) through RFC 792 to determine if a particular service or host is available.
Internet Control Message Protocol (ICMP) - Ping
Used to manage multicasting groups that are a set of hosts anywhere on a network that are listening for a transmission.
Internet Group Management Protocol (IGMP)
A virtual network made up of small, dedicated-use devices that are typically designed as small form factor, embedded hardware with a limited functionality operating system (OS). They may interface with the physical world and tend to be pervasively deployed where they exist.
Internet of Things (IoT)
Two different sets of servers and communications elements using network protocol stacks to communicate with each other and coordinate their activities with each other.
Internetworking
A generalized attack model consisting of actions on the objective and six broad, overlapping sets of operational activities: reconnaissance, weaponization, delivery, exploitation, installation, command and control.
Kill Chain, Cyber Kill Chain
Authentication is specified as simple (basic), simple using SSL/TLS, or Simple Authentication and Security Layer (SASL).
Lightweight Directory Access Protocol (LDAP)
One of two sublayers that together make up the data link layer in the OSI.
Logical Link Control (LLC)
Identification of network traffic flows (see also east-west or north-south data flows) that lead to creating granular policy schemes to isolate access for and that are based upon specific
Microsegmentation
Part of a zero-trust strategy that breaks LANs into very small, highly localized zones using firewalls or similar technologies. At the limit, this places a firewall at every connection point.
Microsegmented Networks, Microsegmentation
A wide area networking protocol that operates at both Layer 2 and 3 and does label switching.
Multiprotocol Label Switching (MPLS)
Alternately referred to as virtual network function. The objective is to decouple functions, such as firewall management, intrusion detection, network address translation, and name service resolution, away from specific hardware implementation and move them into software solutions.
Network Function Virtualization (NFV)
Monitors network performance and identifies attacks and failures. Mechanisms include components that enable network administrators to monitor and restrict resource access.
Network Management
An interior gateway routing protocol developed for IP networks based on the shortest path first or link-state algorithm.
Open Shortest Path First (OSPF)
A technique called _______________ is used in VoIP communications to mask the effect of dropped packets.
Packet Loss Concealment (PLC)
Networks that do not use a dedicated connection between endpoints.
Packet-Switched Networks
Provides a standard method for transporting multiprotocol datagrams over point-to-point links.
Point-to-Point Protocol (PPP)
An extension to network address translation (NAT) to translate all addresses to one routable IP address and translate the source port number in the packet to a unique value.
Port Address Translation (PAT)
Refers to the capability of a network to provide better service to selected network traffic over various technologies, including frame relay, asynchronous transfer mode (ATM), Ethernet and 802.1 networks, SONET, and IP-routed networks that may use any or all of these underlying technologies.
Quality of Service (QoS)
Ports 1024-49151. These ports typically accompany non-system applications associated with vendors and developers.
Registered Ports
A protocol that enables one system to execute instructions on other hosts across a network infrastructure.
Remote Procedure Call (RPC)
Hardware-based mechanisms that guarantee the integrity of the hardware prior to loading the operating system of a computer.
Root of Trust (RoT)
(1) Data representation (or datagram name) at Layer 4 of the OSI 7 Layer model. (2) A portion of a larger network, usually isolated by firewalls or routers at either end from other portions of the network. See also microsegmented networks, microsegmentation.
Segment
An IP protocol for collecting and organizing information about managed devices on IP networks. It can be used to determine the “health” of networking devices including routers, switches, servers, workstations, printers, and modem racks.
SNMP
An ICMP Echo Request sent to a network broadcast address with a spoofed source address of the victim, causing all nodes on that network to respond to the victim with an Echo Reply.
Smurf
An extension of SDN practices to connect entities spread across the internet in support of WAN architectures, especially in relation to cloud migration.
Software-Defined Wide Area Network (SD-WAN)
Exploits the reassembly of fragmented IP packets by manipulating the fragment offset field, which indicates the starting position, or offset, of the data contained in a fragment relative to the data of the original unfragmented packet.
Teardrop Attack
A command line protocol designed to give command line access from one host to another.
Telnet
A tamper-resistant integrated circuit built into some computer motherboards that can perform cryptographic operations (including key generation) and protect small amounts of sensitive information, such as passwords and cryptographic keys.
Trusted Platform Module (TPM)
Network in which Physical Layer interconnections are done using radio, light, or other means not confined to wires, cables, fibers, etc.
Unbound (Wireless) Network
Allow network administrators to use switches to create software-based LAN segments that can be defined based on factors other than physical location.
Virtual Local Area Networks (VLANs)
A software-based firewall that monitors and filters exchanges between an application program and a host.
Web Application Firewall (WAF)
A well-known example of wireless broadband. WiMAX can potentially deliver data rates of more than 30 megabits per second.
WiMAX
What is the IEEE 802.1d (Spanning Tree Protocol) used for?
A) Connecting network segments together
B) Connecting different VLANs together
C) Preventing broadcast storms
D) Defining the size or span of a network
The correct answer is C. Broadcast storms occur when a switch is misconfigured, allowing a loop to be created and, basically, sending traffic in an endless loop. In seconds or minutes, this will increase the network traffic to a point where the network will stop functioning. A switch connects different network segments (choice A), while a router is used to connect different VLANs together (choice B). (Reference: Chapter 5, Module 3)
How many root domain name servers are there?
13
What is the protocol ID for AH?
51
In software-defined networking (SDN), what happens at the control plane?
Node functionality is managed. The control plane manages network functionality and programmability and is connected via the southbound interfaces to the data plane.
When addressing an organization’s forensic investigation requirement, which ISO standard addresses assuring suitability and adequacy of incident investigation methods?
Question options:
A) 27037
B) 27041
C) 27042
D) 27043
B) 27041
The NIST SP 800-61, Computer Security Incident Handling Guide, structures incident response activities in a four-phase lifecycle, but which of the following is taken from ISO/IEC 27035 and not NIST?
A) Preparation
B) Detection and analysis
C) Response
D) Post-incident activity
The correct answer is C. SP 800-61 does not have a specific response phase; instead, it defines Phase 3 as consisting of containment, eradication and recovery.
Information Technology Infrastructure Library (ITIL) distinguishes levels of change based on their urgency. Which of the following is not one of those levels?
Question options:
A) Standard
B) Critical
C) Normal
D) Emergency
The correct answer is B. Standard changes (choice A) are relatively low-risk and follow established procedures. Emergency changes (choice D) are those that must be implemented immediately. Normal changes (choice C) do not fall into either of the other two levels.
Once a forensic investigation is initiated, according to the NIST forensic cycle, it will be conducted in four broad phases. During which phase should an organization’s forensic readiness be addressed?
Question options:
A) Collection
B) Examination
C) Analysis
D) Reporting
The correct answer is A. Forensic investigations are carried out by specialists, trained in the uses of the appropriate tools and techniques. It is during the collection phase where the incident response team may become involved — securing the scene, identifying potential sources of evidence. Mistakes made here might have a negative impact on a potential investigation.
Which root cause analysis technique uses a visualization tool to focus on causes?
Question options:
A) Pareto analysis
B) Five whys
C) Fishbone
D) Fault tree
C) Fishbone
How many steps does NIST's Cybersecurity Framework (CSF) have?
A) Three
B) Four
C) Five
D) Six
Five
In business terms, something is at risk if there are circumstances outside of the organization’s control or influence that could cause that at-risk item to be lost. Risk can be calculated from four basic perspectives. Which of the following is not one of them?
Question options:
A) Threat-based
B) Income-based
C) Vulnerability-based
D) Asset-based
The correct answer is B. Income-based is not one of the four perspectives. The missing risk perspective is outcome-based; this viewpoint identifies the important goals or objectives the organization must achieve and links them to the core business processes.
When an organization believes that their way of doing business, products, or services is unique and that no other experience in the industry or marketplace can compare, what type of risk assessment is commonly used for measuring risk that occurs with this belief?
Question options:
A) Qualitative
B) Quantitative
C) Either
D) Both
Qualitative
The Declaration of Geneva is an example of which of the following?
Question options:
A) A code of conduct
B) A code of ethics
C) A set of legal standards
D) A global framework
B) A code of ethics
What are prudent actions?
Question options:
A) Actions prescribed by management
B) Actions prescribed by policies
C) Actions taken by people with similar backgrounds
D) Actions taken after careful consideration
C) Actions taken by people with similar backgrounds
Where is governance derived from?
Question options:
A) The board of directors
B) The C-suite
C) Legal and regulatory authorities
D) Varies depending on the organizational type
C) Legal and regulatory authorities
Which of the following was the most recent control that was designed to protect the exchange of personal data between the U.S. and the European Union?
Question options:
A) Safe Harbor
B) Privacy Shield
C) Individual contracts
D) General Data Protection Regulations (GDPR)
B) Privacy Shield
Which Amendment under U.S. law provides protection from unreasonable search and seizure?
Question options:
A) First
B) Third
C) Fourth
D) Sixth
The correct answer is C.
As of 2021, how many countries are members of the Asia-Pacific Economic Council (APEC)?
Question options:
A) 4
B) 11
C) 21
D) 22
21
In what year did Chile (a member of APEC) introduce a constitutional change that declared data privacy a human right?
Question options:
A) 2016
B) 2018
C) 2019
D) 2020
2018
A common definition of a cybercrime includes all of the following except the use of which?
Question options:
A) Information
B) Information systems
C) Information technology
D) Known software flaws
The correct answer is D. A software flaw would be included in both A and B. (Reference: Chapter 1, Module 4)
The original defense-in-depth model defined all but which of the following as a layer of defense?
Question options:
A) Data controls
B) Software controls
C) Application controls
D) Host controls
The correct answer is B. Data controls (choice A) protect the actual data, application controls (choice C) protect the application itself and host controls (choice D) are placed at the endpoints. The other controls defined are internal network, perimeter, physical and policies (including procedures and awareness). (Reference: Chapter 1, Module 5)
In IT asset management, what is one of the most useful first steps?
Question options:
A) Defining an asset
B) Assigning a value
C) Assigning a classification
D) Assigning an owner
A) Defining an asset
Network and systems security is what type of asset?
Question options:
A) Hardware
B) Software
C) Information
D) Firmware
Information
Who is responsible for the data content and context and the associated business rules?
Question options:
A) The data owner
B) The data controller
C) The data custodian
D) The data steward
The correct answer is D. The data owner (choice A) is accountable for determining the value of the data and how it should be protected. The data controller (choice B) is assigned with the accountability of protecting the value of the data in the absence of the data owner and determines the way personal data is processed. The data custodian (choice C) is responsible for the protection of the data while it is in their custody, including safe custody, transport, storage and processing of the data.
In almost all cases, organizations and their security teams should be able to define sets or patterns of user activities that are acceptable and expected, in most, if not all circumstances. What is this process known as?
Question options:
A) User behavior review
B) User behavior audit
C) User behavior management
D) User behavior control
The correct answer is A. While this activity is a part of an audit (choice B), the audit process is the collection of a user’s behavior data, with a formal review being the conclusion. Managing or controlling a user’s behavior (choices C and D) would best be defined in policies and enforced via procedures.
What function does a credential management system perform?
Question options:
A) It is a repository for user and computer accounts.
B) It is the binding between an authenticator and an identifier.
C) It is used to create user accounts.
D) It is used to create machine accounts.
The correct answer is B. Credentials are used to identify and verify a user, machine or other entity identity claim. The credential management system (CMS) is an established form of issuing and managing those credentials, based on software. The creation of user and machine accounts (choices C and D) would be a part of the identity management process.
Which component in security assertion markup language (SAML) defines how attributes, authentication and authorization are exchanged?
Question options:
A) Profiles
B) Protocols
C) Bindings
D) Assertions
D) Assertions
Which security engineering technical process provides security-related system data and information?
Question options:
A) Business and mission analysis
B) System requirements and definition process
C) Design definition process
D) System analysis process
C) Design definition process
The business and mission analysis process (choice A) assists the engineering team in understanding the scope, basis, and drivers of the business. The system requirements and definition process (choice B) looks at two elements: (1) system requirements, during which an assessment of the current or predicted hardware is made, i.e., will the system be fast enough? does it have enough memory? and (2) definition, during which the function of the system or software is evaluated, i.e., does it match the business need? The system analysis process (choice D) provides a security view to system analyses and contributes specific system security analyses. (Reference: Chapter 4, Module 1)
We are, perhaps, familiar with the concepts of platform as a service (PaaS) and infrastructure as a service (IaaS), but these have been extended to include those in the following list of possible answer choices. All of these are defined under ISO/IEC 17788 except which one?
Question options:
A) Communication as a service (CaaS)
B) Compute as a service (CompaaS)
C) Network as a service (NaaS)
D) Data storage as a service (DSaaS)
Network as a service (NaaS)
What encryption system, invented in 1882 by Frank Miller, is unbreakable?
The one-time pad
What is HAVAL?
A message integrity checker that produces a variable length output
Kerberos might be susceptible to which type of attack?
Pass the hash
A switch is considered a filter or forward device and establishes one collision domain per port. What information does a layer 2 switch use to make the decision to filter or forward?
MAC Address
Can the Spanning Tree Protocol (STP) be used as a means of attack?
Question options:
A) Yes, but it requires a physical re-wiring of a switch.
B) No.
C) Yes, by sending STP frames claiming to be a new root bridge.
D) Yes, but the attacker has to insert new branches into the spanning tree first.
Yes, by sending STP frames claiming to be a new root bridge.
At what layer of the OSI 7-Layer Model does multiprotocol label switching (MPLS) operate?
Question options:
A) Layer 2
B) Layer 3
C) Layer 4
D) Layer 2.5
The correct answer is D. While officially there is not a layer 2.5, MPLS is often referred to as a 2.5-layer protocol as it operates across both layers 2 and 3. The data link layer (layer 2, choice A) is where we apply MAC addressing. The network layer (layer 3, choice B) is where we apply IP addressing and the transport layer (layer 4, choice C) is responsible for the reliable delivery of the datagram.
DORA describes the four steps taken to obtain an IP address. Which of the following is not one of those steps?
Question options:
A) Discover
B) Offer
C) Reply
D) Acknowledge
The correct answer is C. There is no reply but rather a request.
Lightweight Directory Access Protocol (LDAP) is a lookup protocol that uses a hierarchical tree structure for data entries. Common attributes for LDAP include all but one of the following?
Question options:
A) Distinguished name (DN)
B) Real distinguished name (RDN)
C) Common name (CN)
D) Organizational unit (OU)
B) Real distinguished name (RDN)
In software-defined networking (SDN), what happens at the control plane?
Question options:
A) Business applications are managed.
B) Node functionality is managed.
C) Network elements can be found.
D) None of the above.
B) Node functionality is managed.
Procedural and object-oriented programming provide ways to handle the management of complex sets of software. Which of the following is not one of them?
Question options:
A) Code reuse
B) Reforming
C) Refactoring
D) Data modeling
Reforming
What is a software library a repository for?
Question options:
A) Pre-written code
B) Scripts
C) Procedures
D) All of these
All of these
Which level in the Software Engineering Institute’s Software Capability Maturity Model (SW-CMM) defines processes as controlled using quantitative techniques?
Question options:
A) Repeatable
B) Defined
C) Managed
D) Optimized
The correct answer is C. At the repeatable phase (choice A), processes are repeatable and can be rapidly transferred across various groups in the organization without problems. At the defined stage (choice B), standard processes are formalized and all new developments happen with new, stricter and standardized processes. At the optimized phase (choice D), practices are continuously improved to enhance the organization’s capability.
Which industry or region-specific standard is produced by the UK National Cyber Security Centre?
Question options:
A) Critical infrastructure protection (CIP)
B) Cyber Essentials
C) ISAE 3000
D) Customer Security Control Framework
The correct answer is B. Cyber Essentials is a UK government-backed initiative designed to assist organizations in protecting themselves from cyber attacks. CIP (choice A), or the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP), is a set of requirements for the protection of the electrical supply system within North America. ISAE 3000 (choice C) is an EU audit standard. The Customer Security Control Framework (choice D), created by the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network is directed at international financial transactions. (Reference: Chapter 7, Module 1)
What are the five criteria for SOC 2 controls?
Security, Availability, Confidentiality, Privacy, and Process integrity
The SOC 2 (System and Organization Controls) defines five Trust Services Criteria. Which of the following is not one of them?
Question options:
A) Security
B) Authentication
C) Privacy
D) Process integrity
Authentication
Supply chain failures can devastate the operations of any organization. Which is the driving process necessary to ensure a safe and secure supply chain?
Question options:
A) Identify your suppliers
B) Identify your supplier’s locations
C) Identify the risks
D) Identify the need
The correct answer is C. An organization’s risk assessment starts by identifying the risks to the business. This is equally true when evaluating the supply chain. Choices A, B and D would all be a part of identifying risk.
Which of the following regulations drives the need for diligent log review of financial and account practices?
Question options:
A) GLBA
B) HIPAA
C) PCI DSS
D) SOX
The correct answer is C. The Payment Card Industry Data Security Standard (PCI DSS) mandates that the processor of credit card data track all access to network resources and cardholder data.
ISO 27001:2013 control item 12.4.2 specifies which of the following about logging?
Question options:
A) It is a requirement.
B) Its facilities and log information must be protected.
C) Storing customer data requires prior permission.
D) It is an optional activity.
The correct answer is B. In most regulatory standards, logging is a requirement but log files can contain sensitive information about the organization and, in particular, about its customers. Logging must be a protected process.
If an organization’s security assessment and testing plans include both internal and external testing, in what order should the test be performed?
Question options:
A) Internal testing should be performed first.
B) Always choose based on a cost/benefit analysis.
C) External testing should always be performed first.
D) Internal and external should be performed simultaneously.
The correct answer is C. External testing is performed first so as not to provide leakage from insider information to outsider environments. Internal and external testing would not be done simultaneously (choice D); otherwise, the identification of vulnerabilities’ sources could be misconstrued.
Tests are generally categorized in one of two ways: either compliance tests or______ tests.
substantive
What type of synthetic performance monitoring measures the availability of an organization’s website, service or application?
Question options:
A) TCP port monitoring
B) Website monitoring
C) Database monitoring
D) Service-level agreement validation
The correct answer is A. TCP port monitoring allows you to specify the server and TCP port for the operations manager to monitor. Website monitoring (choice B) performs HTTP requests to check availability and measure performance of a web page, website or web application. Typically carried out in real time, database monitoring (choice C) is the process used to measure and track database performance according to key metrics.
Which publication, framework or guidance includes the following management review activities?
Exemptions from normal activities
Information related to previous reviews
Ongoing metrics related to outcomes
Results of audits
When security objectives have been met
Question options:
A) ISO 27001:2013
B) NIST
C) ITIL
D) All of these
The correct answer is D. Periodic management reviews ensure that security process data is being used as intended and that required controls are functioning as intended.
What is the key difference between training and awareness?
Question options:
A) Training is a serious process whereas awareness is lighthearted.
B) Training is focused on skill, and awareness is focused on issues.
C) Training is aimed at everyone whereas awareness is aimed at only a select few.
D) Awareness is aimed at everyone whereas training is aimed at only a select few.
The correct answer is D. Awareness programs are more general in nature and should ideally be available and delivered to all employees on a regular basis. Training activities tend to focus on specific knowledge acquisition to perform a task.
Which of the following can be likened to peering into the future?
Question options:
A) KPIs
B) KRIs
C) Log files, as what has happened before is likely to happen again!
D) Assessment programs
The correct answer is B. Key risk indicators (KRIs) use modeling, analysis or educated guesswork to set anticipated levels for risk indicators as a prediction of events yet to occur.
Logging attempts to capture signals generated by events. Which of the following is an event that might appear in a log file?
Question options:
A) A central processing unit (CPU) fan speed increases
B) Active sessions being disconnected
C) Logons occurring at odd times
D) All of these
The correct answer is D. Events are any actions that occur within a system that indicate a change in activity or the status or condition of a resource.
IDS/IPS systems can detect malicious activity in a number of different ways. Which detection mechanism looks for known attack patterns?
Question options:
A) Pattern matching
B) Signature matching
C) Deviation
D) Heuristics
B) Signature matching
Mitigating an attack involves two logically separate tasks: eradication and _____.
Question options:
A) identification
B) containment
C) remediation
D) recovery
The correct answer is B. Containment prevents the spread of the damage, and eradication safely removes the harmful agents.
What is continuous data protection (CDP)?
A type of snapshotting. A snapshot occurs in virtualized storage environments and takes advantage of the environment to capture mirrors of the data blocks on the media without disrupting production operations. With CDP, every time a data block changes, the block is snapshotted.
What is typically used to validate the integrity of a backup?
Question options:
A) Measuring the size of the original data and comparing it to the size of the backup
B) Some form of integrity check
C) An algorithm developed by the backup software manufacturer
D) Restoration of the backup to a different location and then an integrity check
The correct answer is D.
High availability of service will include all of the following elements, but which one provides a redundancy solution for data?
Question options:
A) Uninterruptable power supplies (UPS)
B) Clustering
C) Sufficient spare components
D) RAID
The correct answer is D. Redundant array of independent disks (RAID) provides a failover solution to protect data in the event of a single disk failure.
The Uptime Institute is an industry organization that provides data center operators with certification of their facilities. Their tiered classification system consists of four tiers. Which tier requires a concurrently maintainable site infrastructure?
A) Tier I
B) Tier II
C) Tier III
D) Tier IV
The correct answer is C, Tier III. Tier I (choice A) describes the basic site infrastructure. Tier II (choice B) requires redundant site infrastructure and component capacity. Tier IV (choice D) requires a full, fault-tolerant site infrastructure.
The Uptime Institute is an industry organization that provides data center operators with certification of their facilities. Their tiered classification system consists of four tiers. Which tier requires redundant site infrastructure and component capacity?
Tier II
The Uptime Institute is an industry organization that provides data center operators with certification of their facilities. Their tiered classification system consists of four tiers. Which tier requires a full, fault-tolerant site infrastructure?
Tier IV
Which of the following is an example of a privacy framework?
Question options:
A) GDPR
B) PMF
C) OECD
D) All of these
D) All of these
Which cybersecurity framework provides a certifiable framework aimed at providing healthcare organizations a mechanism to demonstrate compliance is being provided in a constant manner?
Question options:
A) RMF
B) CSF
C) STAR
D) ISO 27xxx
B) CSF - The Health Information Trust Alliance (HITRUST) Common Security Framework (CSF)
Following a series of dramatic and severe financial industry sector scandals in the 1980s, which of the following was created to suggest guidelines and practices to address financial reporting irregularities and fraud?
Question options:
A) ISO Standard 31000
B) ISACA RISK IT
C) COSO
D) NIST SP 800-37
The correct answer is C. Since the formation of the Committee of Sponsoring Organizations (COSO) of the Treadway Commission, its publications have been widely accepted and adopted by many large organizations. ISO 31000 (Risk Management—Principles and Guidelines; choice A) discusses risk from a holistic organizational perspective, specifically relating to IT. ISACA RISK IT (choice B) is a comprehensive view of all risks related to the use of information technology (IT) in organizations. NIST SP 800-37 (choice D) is a guide for Applying the Risk Management Framework to Federal Information Systems.
What is the first step in a digital forensic investigation?
Question options:
A) Create and maintain a chain of custody
B) Create bit-level backups
C) Appoint an evidence custodian
D) Make copies of original evidence
C) Appoint an evidence custodian
Which of the following is the precondition of a system, workplace or environment that could lead to an event?
Question options:
A) Vulnerability
B) Risk
C) Hazard
D) Threat
The correct answer is C. A hazard is a potential source of harm. Any event or set of circumstances has the potential to cause a security event. A risk (choice B) is a possible event that can have a negative impact upon the organization. A vulnerability (choice A) is an inherent weakness or flaw in a system or component. A threat (choice D) is a human actor or group that makes the deliberate, intentional decision to exploit a target organization’s systems vulnerabilities.
Because it is imperative that the organization applies the same risk-management methodologies to the supply chain as the organization does for its own internal operations, which of the following operations should the organization apply?
Question options:
A) Governance reviews
B) Site surveys
C) Formal security audits
D) All of these, plus penetration testing
The correct answer is D. These are all steps or processes that an organization would include in its own risk assessment given that an organization is often heavily reliant on its supply chain. However, this is often untenable, and organizations tend to rely on audit reports prepared by certified third parties.