Domain 4: Security Operations Flashcards

Question 1

Q

Security techniques

Objective 4.1

Question 2

Q

Secure baselines

Answer

A

• Baseline

A documented and reviewed specification for system configuration. Serve as basis for secure configurations by only having necessary software installed-all unnecessary software has been removed and unnecessary features disabled

• established baseline

create system configuration for organization with only vital components included, security controls in place, services and ports disabled, and only secure protocols use utilized

• deploy baseline

Utilizing baseline configuration to build various systems images from

• maintain baseline

updating, patching and modifying configuration as organizational needs require

Question 3

Q

Hardening endpoints

Answer

A

• servers and workstations

• adhering to baseline security configuration

disabling a necessary services, ports
Closing unnecessary port
removing unused software
use of secure protocols
use of application allow list/block list

• patch management

• Regular backups

Question 4

Q

Hardening endpoints (continued)

Answer

A

• Anti-virus

A program specifically designed to detect many forms of malware and prevent them from infecting computers
The output of a specific ant bars program will vary. Every malicious software is detected, steps should be taken to investigate mitigate as needed.
anti-malware is a form of antivirus that focuses on polymorphic malware and malware that is delivered by zero day exploits

• Endpoint Detection and Response (EDR)

and integrated monitoring and collection of endpoint data with continuous monitoring and collection of endpoint data with rule based automated response and analysis capability

Question 5

Q

Hardening endpoint (continued)

Answer

A

• Data Loss Prevention (DLP) solutions

using a system or application to identify, monitor and protect confidential data within a centralized management framework
DLP products can send alerts, block users for moving files and quarantine files away from users

Question 6

Q

Hardening endpoints (continued)

Answer

A

• full disk encryption (FDE) / self-encrypting drive (SED)

Full disc encryption, FDE: the process of encrypting all the data on the hard drive used to boot a computer, including the computers, operating system, and permitting access to the data only after successful often authentication with the full disk description product
Self encrypting drive SED this that uses built-in hardware to encrypt/encrypt data stored on the drive

• file integrity monitoring (FIM)

software that generates, stores and compares message digest for files to detect changes made to the files
An unexpected change is detected in a file, the file and is changes should be inspected
Especially crucial with installation media, as it is possible to install a Trojan taken, and it is benign program. If the file integrity, check fails, the insulation is not what it seems.

Question 7

Q

Network devices

Answer

A

• use of encryption were possible on infrastructure devices, such as switches and routers

• use of encrypted protocols network management, consuls, and administrative task

• being able to control what traffic can go where on a network is vital for both the performance and security of the network

Question 8

Q

Cloud infrastructure

Answer

A

• monitor axis through use of a Cloud Access Security Broker (CASB)

• utilize secure protocols

• limit number of unused VM‘s

Question 9

Q

Mobile device management

Question 10

Q

Mobile device management

Answer

A

• Mobile device management (MDM)

mobile devices may contain sensitive information and information needs protection in case of loss/theft
mobile devices used for both personal and business purposes have additional management concerns
Application management:
- Determining what applications and applications installation sources will be allowed, often using an application whitelist
- Monitor application behaviors in a secure environment before adding to the whitelist. Even applications from an official App Store can turn out to be malicious.
Content management:
- ensure mobile devices in environments use company data securely
- Used to label files as being confidential or company-only information, preventing them from being transferred or shared against the DLP guidelines

Question 11

Q

Mobile device management (continued)

Answer

A

• Geofencing

using a devices location to enable or disable software in hardware on the device. Can also be used to trigger events or alerts.
Maybe used to ensure that sensitive data can only be assessed on site or to disable video/picture taking capabilities in a secure area

• Push notifications services

Notifications sent by applications on the device to the user, usually to notify/remind them of something applications specific

• Remote wipe

Ability to remotely insecurely remove all data from a mobile device
can be used in the event a device is stolen or a source of data theft/leakage is found

Question 12

Q

Mobile device management (continued)

Answer

A

• Screen locks

A password, pin, pattern or biometric that needs to be entered before a mobile device can be unlocked
In conjunction with data encryption, this can help secure, sensitive data on mobile devices
No authentication method is used, anyone who picks up the device has access to the data

• Passwords and PINs

Passwords and pins rely on complexity to be effective. A short or non-complex pin may be easily brute-forced

• Biometrics

Typically include fingerprint or face scanning
Generally more secure than a password- or pin-based lock, though false positives can occur

Question 13

Q

Mobile device and management (continued)

Answer

A

• Context-aware authentication

using data such as the users, location, time, and type of data being access to make a decision if the user trying to authenticate is actually the user
Rules can be simple or complex to incorporate multiple data points to make a decision

• Containerization

Running a separate virtual environment on a mobile device
container can have its own security policies separate from the users device itself

Question 14

Q

Mobile device management (continued)

Answer

A

• Storage segmentation

Separating out segments of storage to be used for specific purposes by designating different areas of memory for each data type
Provide a similar functionality to that of containerization, but does not create a separate virtual environment

• Full device encryption (FDE)

Everything on the device is encrypted, except for the master boot record, resulting in the need for authentication before accessing any data on the device
insures data will be protected if it advice is loss/stolen

Question 15

Q

ICS / SCADA

Answer

A

• industrial control systems are embedded systems

• Supervisory control and data acquisition systems interface with ICS devices

• typically, part of specialized network known as Operational Technology (OT) network

separate from typical data network
Access should be airgapped or heavily monitored

Question 16

Q

Mobile device administration

Answer

A

• ownership concerns

• Legal concerns.

• Connectivity

cellular
Wi-Fi
Bluetooth

• Deployment models

Bring-your-own-device
Corporate-owned, Personally-enabled (COPE)
Choose-your-own-device (COYD)

Question 17

Q

Bring-your-own-device

Answer

A

• policy where employees are allowed or encouraged to use their personal devices for business purposes. Poses the most security issues.

• things to consider:

Privacy
Data ownership
Support
On boarding/off boarding
legal concerns

Question 18

Q

Choose-your-own-device

Answer

A

• policy, where an organization offers a selection of devices for an employee to choose from

• very simple similar to COPE, with all the same issues involved

• Corporate-owned

Policy where the organization buys and maintains control over a device that the organization chooses
often referred to as corporate-owned, business only (COBO),as devices are to be used only for business purposes

Question 19

Q

Applications security

Question 20

Q

Input validation and sanitization

Answer

A

• the way applications handle input is important to prevent attacks such as SQL injection, directory transversal and cross-site scripting (XSS)

• feels that take a specific type of input can be more easily validated

• example: a phone number field should only except numerical strings up to the length of a phone number and has no reason to be excepting letters or other special characters

Question 21

Q

Secure cookies

Answer

A

• a type of HTTP cookie that have secure attribute set, which limits the scope of the cookie to “secure” channels

• when a cookie has a secure attribute, the user agent will include the cookie in an HTTP request. Only if the request is transmitted over HTTPS

Question 22

Q

Code analysis

Answer

A

• Static code analysis

used to analyze code before it is packaged into your application
static analysis does not actually execute the code itself
static analysis can help find certain types of vulnerability such as code injection flaws, and failure to sanitize inputs

• Dynamic code analysis

testing the code by simulating a real world environment, and attempting to provide it with all possible inputs to determine if there are any undesirable outcomes
An application may perform in ways the developers did not predict
to verify that input validation is working, pentesters may use a technique called fuzzing. Fuzzing is an automated process that repeatedly enters random input strings to see if some type of input abuse may be possible.
fuzzy tools, provide an application with random inputs to test the limits of input validation

Question 23

Q

Code signing

Answer

A

• insure and application has not been modified and confirms the author of an application

• accomplished through hashing file and signing this hash with the developers private key (asymmetric encryption) to provide a certificate-based digital signature

• provides integrity and non-repudiation

Question 24

Q

Asset management

Objective 4.2

Question 25

Q

Acquisition and procurement

Answer

A

• identifying hardware and software solution to suit the needs of the organization

• purchasing from reputable vendor, using genuine hardware with secure supply chain

• devices will create “paper trail” that can be investigated to determine origin of hardware after receiving device

• Asset tagging

semi permanent labels for inventory tracking of officially procured devices
No tag? No network access.

Question 26

Q

Assignment

Answer

A

Ownership
- Identifying and documenting the individual or office location device is provided for
- Keeping track of the devices we gave you
Classification
- Identifying and documenting the role, purpose of a device

Question 27

Q

Asset tracking and monitoring

Answer

A

Inventory
- List of physical assets acquired by organization
Enumeration
- List of network assets on organizations network
Are they the same? What if there is a difference?

Question 28

Q

Decommissioning

Answer

A

when removing a device from an organizations network, care must be taken that any sensitive data is purged from the device
How this is accomplished varies by device:
- spinning, disk, magnetic hard drives, for example, should be doused or shredded to ensure no residual data remains
- solid-state drives cannot be deeded. It should be securely erased or shredded.
- Network appliances (routers, switches) should have any configuration data reset and purged
- devices, such as scanners and printers should be evaluated according to manufactures documentation about how best to remove any possible data stored on the device

Question 29

Q

Disposal

Answer

A

• Sanitization

deleting sensitive data from drive

• Destruction

physically destroying the drive so that it cannot be used
- Example, drill, incinerate, grind up/shred

• Certification

Ensuring drive was delivered to technician to destroy drive
technician marks time/date of drive destruction

• Data Retention

Before disposal, check with regulations and policies on data retention requirements

Question 30

Q

Wireless security

Question 31

Q

Cryptographic protocols

Answer

A

WEP (Wired Equivalent Privacy - Great name, terrible protection)
- found to be crypto graphically insecure
- deprecated
WPA (Wi-Fi Protected Access) and WPA2
- WPA was created to replace wired equivalent privacy (WEP) when WEP was found to be insecure.
- WPA uses RC4 with the inclusion of temporal key integrated protocol (TKIP), which uses an encrypted hash with the sequence counter and a 48 bit IV to avoid the problems inherent in WEP
- WPA2 is a stronger version of WPA, using a EAS in conjunction with counter mode with cipher block changing message authentication code protocol (CCMP)

Question 32

Q

Cryptographic protocols (continued)

Answer

A

WPA3
- weakness is found in WPA2 drove development of WPA3
- replaces authentication scheme: uses simultaneous authentication of equals (SAE) to replace pre-shared key exchange protocol from WPA2 so attackers cannot intercept authentication credentials
- Encryption, baked in: encrypts traffic from endpoint to endpoint, even without a password
- replaces cryptographic protocols: replaces a AES CCMP with AES Galois Counter Mode Protocol (GCMP)
- easy connect: allows devices to scan a QR code to configure and join network

WPA3 = AES + GCMP

Question 33

Q

802.1x

Network Access Control (NAC)

Answer

A

IEEE 802.1x is a technical specification for authenticating users to provide network access
specification is embodied in framework called Extensible Authentication Protocol (EAP)
there are several implementations of EAP, to name a few:
- EAP-TLS
- EAP-TTLS
- PEAP
- EAP-FAST

Question 34

Q

RADIUS

Answer

A

Remote Authentication Dial-In User Service (RADIUS) uses a centralized server to provide authentication, authorization and accounting (AAA) to remote users in a scalable way
users connect to radius client (access point, switch, etc.) and provide the client with their credentials.
- The radius client does not store credentials. Instead, it forwards them to the AAA server in an encrypted access request package.
- The AAA server, decrypts and check the credentials, providing the radius client with an access response
- The radius client validates that the AAA information is from the server and intern response to the user to allow or deny access

Question 35

Q

Authentication protocols

Answer

A

Personal
- WPA2-PSK - a pre-shared key (password) for authenticating (on test, may be written as WPA2-Personal)
- WPA3-SAE - PAKE, Password-Authenticated key Exchange (on test, may be written as WOA3-Personal)
Enterprise
- WPA2-Enterprise
- WPA3-Enterprise
  - allows users to authenticate with their enterprise credentials
  - Both WPA2 and WPA3 utilize 802.1x authentication
  - 802.1x utilizes a RADIUS server to verify user credentials before joining network

Question 36

Q

Wireless installation

Answer

A

Site surveys
- Data collection of signal strength at a specified or measured location
Heat maps
- color visualization of the measured signal strength to provide at a glance interpretation of the site survey

Question 37

Q

Vulnerability management

Objective 4.3

Question 38

Q

Identifying vulnerabilities

Answer

A

vulnerability scan
- Enumerates house on network
- List detected vulnerabilities, according to signatures and definitions
Examples: Nessus, OpenVAS

Question 39

Q

Open-source intelligence

Answer

A

Data that is publicly available and can be used to further in attack
information found via email harvesting and social media profiling
Things that can be found using Google, Facebook, etc.
in a context of security, consider any information which is freely available as having the potential to further a spearfishing attack

Question 40

Q

Proprietary

Answer

A

Opposite of open source intelligence, close/proprietary information is not public and comes from specific sources
typically, commercial solutions and cost money to use
it is typically higher quality information than the information you would find in open source intelligence

Question 41

Q

Deep web/dark web

Answer

A

Deep web
- The unindicted pages of the information and cannot be reached by normal search engines or browsers
Dark web
- meeting place for hackers to share your legally obtain information and credentials
- (The Onion Router) - encrypted medium for obfuscating network traffic to anonymize activity on dark web
  - layer upon a layer of encrypted, convoluted traffic makes it extremely difficult to track a user
  - Layers like an onion, hence the name

Question 42

Q

Intelligence sharing

Answer

A

information sharing in analysis centers (ISACs)
** security information exchanges (SiX)
Public/private information sharing centers
- Collaborative efforts for sharing indicators of compromise, threat intelligence, and best practices
- Often industry specific or region base
- some organizations publish information regarding threat intelligence to be shared with clients or the public at large

Question 43

Q

Penetration testing

Answer

A

Penetration testing is simulating an attack with the goal of finding both weaknesses and strengths. It involves actively exploding vulnerabilities as they are discovered, to penetrate as far as possible into the target system.
```
 -  Look for common known exploits, as well as unknown exploits
```
Vulnerability scanning use a software to check for known vulnerabilities
- Generally, uses passive techniques and does not exploit any vulnerabilities which are found in the scan
- vulnerable scanning would likely be part of a penetration test

Question 44

Q

Responsible disclosure programs

Answer

A

Bug bounties
- Program offered by organizations to safely and securely disclosed vulnerabilities found found in their products, networks or systems for the purpose of being fixed
- mini bug bounty programs offer monetary war to books that are discovered
- information security professionals make a living from bounty programs alone
Example: Hacker1

Question 45

Q

System/process audit

Answer

A

Systemic review of information systems and operational processes of the organization
Maybe mandated by industry regulations such as HIPAA, Sarbanes-Oxley (SOC)
standards/frameworks for workflow available from NIST and ISO
benefits or organization by being able to identify problems before they arrive
May be carried out in house or by third-party, depending on regulatory requirements

Question 46

Q

Vulnerability analysis

Question 47

Q

Confirmation

Answer

A

True Positive
- when a scan and divisive vulnerability that does actually exist
True Negative
- when a scan reports no vulnerabilities present when one does not exist
False Positive
- when a scan identifies a vulnerability that does not actually exist
- consider the time which can be lost due to chasing down false positives
False Negative
- when a scanner reports no vulnerabilities present when one exists

Question 48

Q

Prioritization

Answer

A

Analyzing identified risk and determining the order in which each item should be addressed
Priority given to most worrisome based on measured risk(highest probability, greatest impact)
Priority might also be for a mitigations that are cheapest (no cost) to address

Question 49

Q

CVE

Answer

A

Common Vulnerabilities and Exposures (CVE)
- A reference method for publicly known information security vulnerabilities
- CVE IDs use the model CVE-YYYY-NNNNN, where YYYY is the year that the mobility is discovered and NNNNN is the arbitrary number assigned to the vulnerability

Question 50

Q

CVSS

Answer

A

Common Vulnerability Scoring System (CVSS)
- scoring system for vulnerabilities and gives a level of impact on an organization should if vulnerability be realized
impact can be assessed based on the CIA triad

Question 51

Q

CVSS

Answer

A

Common Vulnerability Scoring System (CVSS)
- scoring system for vulnerabilities and gives a level of impact on an organization should if vulnerability be realized
impact can be assessed based on the CIA triad

Question 52

Q

Vulnerability classification

Answer

A

categorizing vulnerability based on characteristics, such as the type of system, version of software, mall of hardware, etc.
Helps to clarify scope in nature of a particular threat

Question 53

Q

Exposure factor

Answer

A

The percentage of value of an asset that is lost if a specific thread comes to pass
Example: supposed a window is valued at $1000. If calculating the risk of a window breaking…
- Do you have to replace the whole window? (Cost $1000, so EF is 100%)
- Can you replace just one pane? (Cost is $500, EF is 50%)
- Maybe you got a replacement policy for free with a $100 deductible back when it was first purchased (cost is $100, so EF is 10%)

Question 54

Q

Exposure factor

Answer

A

The percentage of value of an asset that is lost if a specific thread comes to pass
Example: supposed a window is valued at $1000. If calculating the risk of a window breaking…
- Do you have to replace the whole window? (Cost $1000, so EF is 100%)
- Can you replace just one pane? (Cost is $500, EF is 50%)
- Maybe you got a replacement policy for free with a $100 deductible back when it was first purchased (cost is $100, so EF is 10%)

Question 55

Q

Environmental variables

Answer

A

when threat intelligence comes in about a particular vulnerability, the assessment performed by others may not apply to an organization particular set up
Organizations infrastructure, including the hardware, software, networks and other systems all play a role in determining how particular vulnerability may play out. The infrastructure may suppress the impact, or it may amplify the impact.
each organization set up is unique, so the specific impact of vulnerability is also unique

Question 56

Q

Impact

Answer

A

Impacts of vulnerability could have maybe:
- Financial loss
- Reputational Damage
- operational disruption
- Regulatory penalties
- business partnership loss
- Reputational harm, Customer aversion
Organizational impact
Industry impact

Question 57

Q

Risk tolerance

Answer

A

The measure of risk and organization is willing to accept
The level varies greatly depending on organization, size, strategic objectives, industry, regulations, etc.
Often identified in light of vulnerability and analysis and determining where to spend some resources safeguarding the network. At some point, organizations, decision makers will say this is good enough for now.

Question 58

Q

Vulnerability response

Question 59

Q

Patching

Answer

A

when vulnerabilities have been identified, organizations will seek to update the software or firmware
vendors make patches available for this purpose
Sometimes of vulnerability is discovered, and the patch is not available for a long time
- Segment the device away from network
- Monitor data coming and going from device

Question 60

Q

Insurance

Answer

A

cyber security insurance provides financial backing to minimize financial losses
Cyber insurance has requirements for coverage:
- regular security testing
- Operation in compliance with industries regulations
- documented security policies
- Evidence of employee training

Question 61

Q

Segmentation

Answer

A

Isolating systems from the organizations network or putting the networking device in his own network to safeguard the rest of the organization from infection
Limits scope of impact

Question 62

Q

Compensating controls

Answer

A

control designed as a back up to another control, to be used in the event that the main control is unable to provide sufficient levels of protection on his own
Controls can also involve the recovery of data if lost due to an attack/disaster
for example, an alarm that sounds after a lock door has been left open for certain period of time

Question 63

Q

Exceptions and exemptions

Answer

A

Exemption
- I identifying vulnerabilities and acknowledging their presence, but not taking any additional action
Exemption
- User or system that is not required to be in compliance with security policy for a specifics reason
Sometimes identified vulnerabilities are not problematic for the organization
May be a problem for others, but not here

Question 64

Q

Validation

Answer

A

ensuring the mitigations have taken care of a particular vulnerability or set of vulnerabilities

Validation process:

Rescan for vulnerabilities
Audit results to look for mitigations
verifying results (no false negatives)
Reporting findings through documentation

Answer 57

A

Systems
- System monitors watch host Health
Applications
- System monitors, cloud monitors, vulnerability, scanners, antivirus logs, DLP logs
Infrastructure
- Switches, access points, routers, firewall
- Watch processor load, memory load, state of connections, operating temperatures, data, throughput, errors, statistics

Answer 58

A

Log aggregation
- Collecting data
Scanning
- monitoring the data for known, defined or abnormal network activity
Alerting
- notifying personnel to suspicious or anomalous activity
Reporting
- providing overview of events and alerts
Archiving
- safeguarding in storing reports for compliance reasons

Answer 59

A

SCAP
Benchmarks
Agents
Security information and event management
Data Loss Prevention (DLP) solutions
SNMP traps
NetFlow
Vulnerability scanners

Answer 60

A

Security Content Automation Protocol
automated data format for exchanging vulnerability information from feed, checking systems for applicability and providing reports for compliance and mitigation purposes
enable continuous monitoring
Formats
- Open vulnerability and assessment language (OVAL)
  - xML-based, machine-readable format for providing system, state and pulling vulnerability reports and information
- Extensible configuration checklist description format (XCCDF)
  - XML-based, machine-readable format for developing and auditing configuration checklist

Answer 61

A

using widely excepted metrics to determine alignment with configuration recommendations
Helps track changes to network operations, identify alignment with best practices, provide documented growth goals
The center for Internet security publishes CIS benchmarks for various vendor supplied technologies

Answer 62

A

Security Information and Event Management (SIEM)
- a SIEM is an application that provides the ability to gather security. Log data from multiple information system components known as sensors.
- Aggregates and presents collected data as actionable information via a single interface
- Uses correlation to associate events and data with certain indications of risk and can provide alerts accordingly

Answer 63

A

Aggregation
- process of collecting data from many different sources to a common location. This data can be parse to assess the health of an environment.
- allows for a SIEM to be a one stop shop for looking at log information, as it will contain the essential log data from all applicable machines
Correlation
- process of separating out specific data points that are associated with a security event. This can help fine patterns that can help identify security threats.
- SIEM can be configured to send out alerts notifying of a possible security threat whenever a threat had been identified through correlated patterns

Answer 64

A

Automated alerts/triggers
- ability to be alerted or have an action taken based on certain events
- Generally, alerts will be sent to system and administrators and security team members to notify them that a potential security threat has occurred
- Triggers are the specific events which set off trigger and automated alert
Alert tuning
Quarantine

Answer 65

A

Time synchronization
- A SIEM must be able to normalize the timing of events from all sources into one time zone
- If the time is off, we constructing a security vent can be impossible, as knowing the correct chronological order of events is essential to figuring out when and how an attack happened
Event deduplication
- some errors were events can cause up to thousands of similar or identical error messages to be logged and sent to SIEM
- To avoid clogging its reporting mechanisms when this happens, SIEM has the ability to identify this flood of log info as corresponding to a single event

Answer 66

A

Secure logs/WORM
- to ensure logs are protected from tampering only system processes and secure, non-administrative account should be able to write to them and only by a pending date to the end of the log
- Right once, read many (WORM) media is another option for secure logging. Once data is written to worm media, you cannot be rewritten, though data can be appended to that which was previously recorded.

Answer 67

A

many network devices use utilizes Simple Network Management Protocol (SNMP)
Typically, SNMP messages are sent to a SNMP Management Information Base (MIB) after a request is sent from the MIB to the network device
if network device detects a problem, it can send an emergency message to the MIB without waiting for a request
SNMP trap is emergency message detected by the network device

Answer 68

A

NetFlow is a feature that allows customers to collect IP network traffic from Cisco routers
- NetFlow allows system administrators to destination of traffic, class of service, and causes of congestion
- NetFlow ICMP types include:
  - Echo reply
  - Destination unreachable
  - Redirect
  - Time exceeded
Network flow of packets can be used to determine the source and destination ports, IP addresses and subnets of packets in a network.
Investigating net flow reports can be used during the course of incident response

Answer 69

A

Software that aids in identifying hosts/host attributes and associated vulnerabilities
Scans a system by comparing its settings with a predefined set of non-vulnerable settings, and software types

Answer 70

A

Rules
- Top-Down
- Implicit deny
Access lists
Ports/protocols
Screened subnets

Answer 71

A

mechanism that implements access control for a system resource by enumerating the identities of the system entities that are committed to access the resources
consist of a set of rules, where each rule specifies a type of packet and whether to block or allow the packet through the firewall

Answer 72

A

mechanism that implements access control for a system resource by enumerating the identities of the system entities that are committed to access the resources
consist of a set of rules, where each rule specifies a type of packet and whether to block or allow the packet through the firewall

Answer 73

A

Firewall rules are evaluated in a top down manner, meeting rules earlier in the list are checked first
Generally, the last rule in the list is an implicit denial rule, so packets which have not been allowed by a previous rule will be blocked by default
Implicit deny a rule that denies traffic unless a rule explicitly allows it

Answer 74

A

Firewall rules are evaluated in a top down manner, meeting rules earlier in the list are checked first
Generally, the last rule in the list is an implicit denial rule, so packets which have not been allowed by a previous rule will be blocked by default
Implicit deny a rule that denies traffic unless a rule explicitly allows it

Answer 75

A

Slide 318

Answer 76

A

formally referred to as DMZ or demilitarized zone
A host or network segment asserted as a neutral zone between an organizations, private network, and the Internet
Add an additional layer of separation to protect internal systems from external traffic

Answer 77

A

Signature
- detection systems monitor for known activity, indicators of compromise, to alert, anomalous activity
- Vulnerability must be known in order for a signature to be published
- Drawback: may not catch new, zero day attacks
Trends
- alternative way to monitoring network is to do trend analysis. Rather than relying unknown, published signatures, this method monitors activity and watches how users are operating.
- Drawback: trigger more false positives

Answer 78

A

firewall can assist in filtering web Contant by directing traffic to proxy or using DNS reputation
- Agent-based
- Centralized proxy
- URL scanning - looking for malicious, untrustworthy domains
- Contant categorization— categorizing webpages based on content (gambling, explicit content, job search)
- Reputation-certain domains known to be malicious, these can’t get blocked (abused.com)
DNS filtering
- Filtering content based on the domain name
- certain explicit keywords may show up in every domain names, can be blocked at DNS level
- Example: pie hole ad blog does DNS filtering to limit wood, advertisements, and trackers make it to your network

Answer 79

A

firewall can assist in filtering web Contant by directing traffic to proxy or using DNS reputation
- Agent-based
- Centralized proxy
- URL scanning - looking for malicious, untrustworthy domains
- Contant categorization— categorizing webpages based on content (gambling, explicit content, job search)
- Reputation-certain domains known to be malicious, these can’t get blocked (abused.com)
DNS filtering
- Filtering content based on the domain name
- certain explicit keywords may show up in every domain names, can be blocked at DNS level
- Example: pie hole ad blog does DNS filtering to limit wood, advertisements, and trackers make it to your network

Answer 80

A

Group policy
- feature of windows using active directory that allows users to be put into containers called organizational units. Group policy can then apply to all members associated with that OU to grant or deny certain privileges, access, rights, and settings.
- If a change must be made, one change of configuration and it applies to all in that OU
SELinux
- Linux kernel security feature that provides access control policies, including Mandatory Access Control (MAC)
- Allows for fine-tuning permissions to provide high-level of security at the kernel and operating system level
- SEAndroid is an Android variant that provides same level security control features for android devices

Answer 81

A

Group policy
- feature of windows using active directory that allows users to be put into containers called organizational units. Group policy can then apply to all members associated with that OU to grant or deny certain privileges, access, rights, and settings.
- If a change must be made, one change of configuration and it applies to all in that OU
SELinux
- Linux kernel security feature that provides access control policies, including Mandatory Access Control (MAC)
- Allows for fine-tuning permissions to provide high-level of security at the kernel and operating system level
- SEAndroid is an Android variant that provides same level security control features for android devices

Answer 82

A

various protocols exist for a variety of data exchanges. For most, they started out as plane text, and a newer, encrypted, secure form has emerged.
there are not as many protocols to be aware of on the security plus as there are on the network plus, but you need to memorize several
be able to identify the purpose of the protocol,the port number, and transport mode (TCP or UDO)

Answer 83

A

Slide 324

Answer 84

A

** Domain face message authentication, reporting and conformance (DMARC)**
- System used to identify mail that is suspicious and is originating from unauthorized mail servers
** Domain keys identified Mail (DKIM)**
- A digital signature, added to outgoing mail, allowing the recipient to confirm the origin of the message
Sender policy framework (SPF)
- directions on how to handle messages not space specified in the DNS SPF record

Answer 85

A

A server which allows a network to send receive email communications from other networks. Generally used to receive email from outside the organization.
because all the email is being passed through this point, and they’ll Gateway offers the opportunity for inspection of emails and attachments for malicious links and content, as well as ensuring confidential information is not being emailed

Answer 86

A

IEEE 802.1x
A feature provided by some network appliances that provides access given valid credentials, and their results of health checks performed on the client device
If a client device does not need security in or update standards of the NAC policy, it will not be allowed access to the network

Answer 87

A

Dissolvable NAC uses an agent which is downloaded by a client upon requesting access. The agent runs the appropriate in a checks and allows access if the client passes. Provides one time authentication, as a new agent will need to be downloaded each time the network is excess.
Permanent NAC uses an agent which is installed onto the client system and is persistently running in the background, performing a NAC check each time network access is requested

Answer 88

A

Host health
- checking the health of the client to ensure compliance with NAC policies before allowing to access a resource
- mobile house may be checked for a rogue software or other issues. In some cases, a remedy may be offered for an outstanding issue.
Agent versus agentless
- an agent is software that runs on the system and then reports back with the results of the NAC policy compliance check determines whether or not system is allowed network access
- agentless means no agent is installed on system. Instead, a domain controller scans devices directly for NAC compliance as they request to join the domain.

Answer 89

A

identifying what is normal for a group of users in monitoring, gilling network activity for any anomalous activity. Anything that is out of the norm
- example: a server automatically upload the days back up to the cloud at a given time each night one night, it downloads a service update from an un Trust - Single. This could trigger and alert for further investigation. What was the update? Why did the back up fail? was back up down?

Answer 90

A

Account creation should not be a single individual person’s job
- Individuals privileged account could be a compromise
- Insider threat
- lack of documentation, tracking
Should have documentation for creating each account and removing each account
assigning permissions
- I justifying Work rules for the position and configuring appropriate rights and privileges to fulfill needs of the individual

Answer 91

A

Assuring an individual is who they claim to be by checking official documents and records

Answer 92

A

A collection of domains, sometimes separate companies that have established trust between each other. The level of trust me very, but typically includes authentication. It may include authorization.
Example: using Facebook credentials to authenticate with a web application

Answer 93

A

employees central authorization server to enable a user to authenticate once yet access all applications or machines which they are permitted to use
Reduces often greatly the number of times a user is required to enter their various usernames passwords

Answer 94

A

** Lightweight directory access protocol (LDAP)**
commonly used protocol for clearing and making updates to directories which followed the X .500 standard
associates objects in the directory with their full X .500 distinguished name
Example:

Answer 95

A

Lightweight directory access protocol (LDAP)
commonly used protocol for clearing and making updates to directories which followed the X .500 standard
associates objects in the directory with their full X .500 distinguished name
Example:

Answer 96

A

OAuth
- token based and OAUTH consumer uses a token to access user information stored on providers website control what a user is authorized to do on the consumer site
- example the ability to log into non-Google websites using your Google account
Open ID Connect
- Layer on top of the OAUTH protocol which simplifies the process of developing a single sign on mechanism
- Open ID connect was created to ease the complexity of the OAUTH protocol for developers by allowing consumer sites to request authentication only service

Answer 97

A

Security Assertions Markup Language (SAML) is a framework for exchanging authentication and authorization information, typically used by federal networks
SAML standardizes the representation of credentials in and extensible markup language (XML) format known as SAML token

Answer 98

A

Security Assertions Markup Language (SAML) is a framework for exchanging authentication and authorization information, typically used by federal networks
SAML standardizes the representation of credentials in and extensible markup language (XML) format known as SAML token

Answer 99

A

Solutions may need to span various systems
Important for a solution to be enter operable with other use cases
Often utilize standards, such as SAML

Answer 100

A

term for affirming the correctness or ability of information
Often required for regulatory or compliance reasons
Insurance that users only have access to data. They are authorized to have. Affirms authenticated users are correct and nothing has been errantly modified

Answer 101

A

Discretionary
Rule-based
- Mandatory (MBAC)
- Role-based (RBAC)
- Attribute-based (ABAC)
Time-of-day restrictions

Answer 102

A

giving users the lowest amount of privilege needed while still allowing them to be productive
not only protects you from the users mistakes, but also any attacker that compromises a users account, as their access to information will be limited to that users level of access

Answer 103

A

Privileged users
- privileged accounts have a higher permission level than regular user accounts and are thus more powerful
- privileged accounts can often grant and permissions to other accounts, as well as assigned them to various groups
- commonly used by system/network administrators
Privilege access
- Securely manage the accounts of users with elevated privileges to systems and resources

Answer 104

A

Just-in-time permissions
- permissions granted to a privileged user for the duration of the task or work being performed
Password vaulting
- storage of credentials and software vault which controls who has access, when and for how long
- Permissions can be context aware
Temporal accounts
- short lived, temporary accounts only useful for a limited time

Answer 105

A

Just-in-time permissions
- permissions granted to a privileged user for the duration of the task or work being performed
Password vaulting
- storage of credentials and software vault which controls who has access, when and for how long
- Permissions can be context aware
Temporal accounts
- short lived, temporary accounts only useful for a limited time

Answer 106

A

use of two or more authentication factors
Authentication factors:
- something you know (type 1)
- Something you have (type 2)
- Something you are (type 3)
- Something you do
- somewhere you are

Answer 107

A

something you know
- Using a secret such as a password or a pin as a factor of all authentication
- Also includes personally identified information like your name, address or birthday
Something you have
- refers to authenticating with a physical object that you can’t be carried
- Using keys, key cards, cell phone, etc., as a factor of authentication

Answer 108

A

something you are
- Using a physical aspect of a person for authentication
- Generally involves collecting biometric information by performing fingerprinting, Irish scans or facial recognition. The recorded information is appeared to forgiven when users request access to determine if there is a biometric match.
Something you do
- Using a unique action as a method of authentication
- Makes use of biometric information that is collected by analyzing behaviors rather than physical aspects
- examples include signature, writing typing and speaking patterns

Answer 109

A

somewhere you are
- Not to be confused with something you are authentication factor there somewhere you are factor involves authentication and uses based on their location information
- can be done using global location, GPS, local location, indoor positioning system, or IP address to determine network network based location

Answer 110

A

Biometrics
- Used to identify and authenticate and individual based on personal characteristics
- examples of personal characteristics include fingerprints, face, retina, iris, speech, handwriting, hand, geometry, and wrist, veins, and gate analysis
Heart token/soft tokens
Tokens can be hardware or software-based and are used to aid in providing authentication or for access is given
For example, a USB token could be used to prevent access to a machine until the token is provided
Access cards can be used simply as an identity badge, but they can also be turned to smartcards and used as a form of token
security key

Answer 111

A

length
- Enforcement links for passwords, limits week password
Complexity
- force use of range of characters limits weak passwords
Reuse
- prevent use of prior passwords, which would undermine purpose of setting a new password
Age
- force change of password after specified length of time

Answer 112

A

software that long, hard to remember text and password in an encrypted format
useful for keeping passwords different for each account while also being very long and complex
considering that it is putting all your eggs in one basket, so authenticating to a password manager should be very secure

Answer 113

A

authentication system that does not rely on knowledge base factors
- No password, no pin, no pictures, nothing to remember
utilizes tokens, keys, authenticator device, anything other than something you know

Answer 114

A

workforce and multiplier
- ability to be more productive with fewer personnel
consistency
- No forgotten steps, scripting in automation will provide same outcomes, each run
Shorter reaction time
- events can happen quick, often quicker than we can humanly react,
- Having automated response, increased ability to respond

Answer 115

A

workforce and multiplier
- ability to be more productive with fewer personnel
consistency
- No forgotten steps, scripting in automation will provide same outcomes, each run
Shorter reaction time
- events can happen quick, often quicker than we can humanly react,
- Having automated response, increased ability to respond

Answer 116

A

Complexity
- must have full understanding of the operations, systems, dependencies and interactions of systems to automate. Poor planning can create necessary, complexity, and make it hard to support.
cost
- The time and effort of creating an automated ecosystem is enormous
single point of failure
- if organization relies on a single script, it could have huge impact on administration of systems
technical debt
- Without thoroughly implementing automation, small problems can creep into bigger problems, overtime
Ongoing support of code
- supporting the script can be difficult, especially if the original author has moved on and or left no documentation

Answer 117

A

Preparation
detection
Analysis
Containment
Eradication
Recovery
Lessons learned

Answer 118

A

preparation
- In this phase, response, plans, documents, teams, and resources are put in place prior to an attack
  - employee training
  - Exercise/drills
  - Resources allocated by policy
  - Hardening systems
Identification
- this phase involves identifying if an incident has taken place and discovering as much information as possible regarding the events
  - Who caused the incident?
  - What were the effects?
  - How can the incident be stopped?

Answer 119

A

containment
- Is this stage, you want to prevent further damage to the environment and save as much data as possible by using the information gain in the identification step
  - Limit Internet access
  - Segment and network
  - Change passwords
  - Have a long and short term plan
Eradication
- Once the problem is contained, you can work on removing it completely. This may require internal or external experts to examine and clean/remove all systems and files which were affected during the incident.

Answer 120

A

recovery
- Once the problem has been identified, contained and eradicated, you can get your environment back to normal
- this involves making sure that it can be recovered, and that business operations can continue following an incident
Review/lessons learned
- The final phase of the incident response process is when the incident and the success/failure. Various response methods are examined.
- Determine what went wrong and what can be done to vented in the future
- this is also a good time to evaluate how well your incident response plan work and if adjustments are needed

Answer 121

A

A Tabletop is a discussion based exercise where personal go through their disaster, recovery rules and responsibilities. A tabletop exercise is done in a classroom setting to familiarize staff with the recovery procedures without actually simulating a disaster.
it is also possible to create like conditions to run fully simulated and in-depth test of the recovery process. Though these are often difficult to set up safely.

Answer 122

A

process of discovering the cause of a problem that started an instant
Could be very easy and straightforward to identify
Could be extremely complex and require input from designer/technicians and engineers of the equipment

Answer 123

A

process of productively and interactively searching through network/applications to detect isolate fans thread that evade existing security solutions

Answer 124

A

illegal hold is the concept of retaining evidence which may be relevant in illegal battle, and any lapse in the chain of custody can cause evidence to be rendered useless in the court of law

Answer 125

A

A process that tracks the movement of evidence through its collection, safeguarding, and anal Alicis life by document each person who handled the evidence. The date/time it was collected or transferred and the purpose for the transfer.
Tagging legal evidence and documenting it as it is discovered is imperative to upholding the integrity of evidence in court

Answer 126

A

write blockers
- in-line device that prohibits writing data to a hard drive. It electronically turns a normal drive into a read only drive.
- devices may be certified to test their ability to prevent changes on the drive
hashing
- create a hash or digital evidence. If one bit of this evidence is modified, the hatch will be completely different.
- Determining the same is proof that the evidence was not tempered with

Answer 127

A

Gathering all the information is necessary, but packaging that data into a full, intuitive format for easy comprehension by a specific audience is crucial
The report should be free from any opinion or conjecture. State just a fax as simply as possible. Avoid generalizations, illusions or Colorful language. Only stick to the fax but distill and present them in a digestible format to a pole to purpose of the report.

Answer 128

A

investigation can take a long time to conclude. Especially true in courts, where cases may span years.
critical strategy is in placed to preserve the data and the evidence collected and insure property chain of custody remains a place to prevent tampering

Answer 129

A

process of identifying, preserving, analyzing, reviewing a report, electronic information during litigation
Usually performed by a legal team and then reviewed for analysis. And digital forensics, forensics expert, analyze the electronic information in the report the discovery they make to a legal team.
E-discovery software usually does not go into as much detail about electronic information as a digital forensic expert may be able to find

Answer 130

A

Data from logs
Log sources/types
- Firewall
- Endpoint
- Operating system
- IDS/IPS logs
- network appliances
- metadata

Answer 131

A

Vulnerability scans
Automated reports
Dashboards
packet captures