Domain 5 - Protection of Information Assets Flashcards

1
Q

What is the role of Certificate Authority (CA)?

A

1) A trusted third party that serves authentication infrastructures or organizations, and registers entities and issues them certificates

2) Maintains a directory of digital certificates for the reference of those receiving them

3) Manages the certificate life cycle, including certificate directory maintenance and certificate revocation list (CRL) maintenance and publication

2
Q

What is the primary role of Certificate Authority (CA)?

A

To check the identity of the entity that owns a certificate and to confirm the integrity of any certificate it has issued (the CA's signature on the certificate is what relying parties verify).

3
Q

What is the role of a Registration Authority (RA)?

A

The individual or institution (often separate from the CA) that validates an entity’s proof of identity and proof of possession of the key pair before the CA issues the certificate. The RA does not sign certificates itself.

4
Q

What is Certificate Revocation List (CRL)?

A

1) An instrument for checking the validity of the certificates for which the CA is responsible

2) Provides a list of digital certificates that the CA has revoked before their expiry date (e.g. after a private key compromise); the list is signed by the CA and published at the CRL distribution point named in the certificate. Online Certificate Status Protocol (OCSP) is the alternative for checking one certificate at a time.

5
Q

What is a Certification Practice Statement (CPS)?

A

1) Document that outlines the policies and practices followed by a Certification Authority (CA) to issue and manage digital certificates (incl. its policy on revoking certificates)

2) Designed to provide transparency and establish trust between the CA and its users

6
Q

What is a Digital Certificate?

A

1) An electronic document that is used to verify the identity of a user, device, or organization

2) Contains information about the identity of the entity it is issued to (e.g. subject name, organization), the entity’s public key, a validity period and the issuing CA’s name and signature

3) Issued by a trusted third party known as a Certificate Authority (CA)

7
Q

How is a Digital Certificate used?

A

Used to establish secure communications over the Internet and other networks by allowing parties to verify each other’s identity and to encrypt data to protect it from unauthorized access.

When a digital certificate is issued, it is signed by the CA using the CA’s private key, providing assurance that the certificate is authentic and has not been tampered with.

The certificate can then be used to authenticate the identity of the certificate holder, typically through digital signatures within cryptographic protocols (e.g. TLS/SSL, IPsec, SSH, S/MIME). Note that a certificate only binds a name to a public key; proving identity also requires the holder to demonstrate possession of the matching private key.

8
Q

What is the role of Directory Server in PKI?

A

Makes other users’ certificates (and usually the CRL) available to applications, typically through an LDAP directory

9
Q

What is Secure Sockets Layer (SSL)?

A

A protocol used to establish a secure, encrypted communication channel over the Internet. All SSL versions are deprecated; its successor, Transport Layer Security (TLS), is what is actually deployed today, although the name "SSL" is still widely used for it.

10
Q

How does SSL protect data?

A

1) The user (client) wants to access a server, so it sends a request to initiate a secure connection using HTTPS

2) The server responds by sending its digital certificate, which contains the server’s public key and information about the certificate’s issuer

3) The client checks that the certificate is valid by verifying the Certificate Authority’s digital signature contained in the certificate using the CA’s public key (and also checks the name, validity period and revocation status)

4) Once verified, the client generates a random symmetric session key and encrypts it with the server’s public key

5) The encrypted session key is sent to the server

6) The server decrypts it with its private key and acknowledges receipt; only the holder of the private key can recover the session key, which is what authenticates the server to the client

7) The client and server now use the session key to encrypt and decrypt all communication between them

Note: this is the RSA key-exchange flow of SSL and TLS 1.2 and earlier. TLS 1.3 instead derives the session key from an ephemeral Diffie-Hellman exchange and uses the server’s private key only to sign the handshake, so a later compromise of that key does not expose past sessions (forward secrecy).
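The seven steps above as a runnable exchange, both sides in one script. This is an added example, not part of the original flashcards: the RSA keys use tiny constructed primes with no padding, the hash is truncated to 16 bits so it fits under the toy CA modulus, and an HMAC-based XOR stream stands in for the real cipher suite. It exists only to show the message flow (CA signs certificate, client verifies, client wraps session key with the server’s public key, server unwraps, both encrypt with the shared key) and must never be used for real security.

```python
import hashlib
import hmac
import secrets


# ---- toy RSA (constructed small primes, no padding; illustration only) ----
def rsa_keypair(p, q, e):
    """Return ((e, n), (d, n)) for the given primes and public exponent."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                # modular inverse = private exponent
    return (e, n), (d, n)


def rsa_apply(key, m):
    """Raise m to the key's exponent mod n (sign/verify or encrypt/decrypt)."""
    exp, n = key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, exp, n)


def toy_hash(data):
    """SHA-256 truncated to 16 bits so the value fits under the toy CA modulus."""
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")


CA_PUB, CA_PRIV = rsa_keypair(263, 257, 17)     # constructed CA key, n = 67591 > 65535
SRV_PUB, SRV_PRIV = rsa_keypair(89, 97, 5)      # constructed server key, n = 8633


def to_be_signed(subject, pub):
    return f"{subject}|e={pub[0]}|n={pub[1]}".encode()


def issue_certificate(subject, server_pub, ca_priv):
    """CA binds the subject name to the public key by signing their hash (prerequisite for step 2)."""
    sig = rsa_apply(ca_priv, toy_hash(to_be_signed(subject, server_pub)))
    return {"subject": subject, "pub": server_pub, "sig": sig}


def verify_certificate(cert, ca_pub):
    """Step 3: the client recovers the hash from the signature with the CA public key."""
    return rsa_apply(ca_pub, cert["sig"]) == toy_hash(to_be_signed(cert["subject"], cert["pub"]))


def key_exchange(cert, ca_pub, server_priv):
    """Steps 3-6. Returns (client_key, server_key); a correct exchange makes them equal."""
    if not verify_certificate(cert, ca_pub):
        raise ValueError("CA signature invalid: abort handshake")
    n = cert["pub"][1]
    client_key = secrets.randbelow(n - 1) + 1          # step 4: fresh random session key
    wrapped = rsa_apply(cert["pub"], client_key)       # steps 4/5: encrypt with server public key, send
    server_key = rsa_apply(server_priv, wrapped)       # step 6: server decrypts with its private key
    return client_key, server_key


def keystream(session_key, length):
    """Expand the 16-bit toy session key into bytes with HMAC-SHA-256 in counter mode."""
    out, counter = b"", 0
    k = session_key.to_bytes(2, "big")
    while len(out) < length:
        out += hmac.new(k, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def sym_crypt(session_key, data):
    """Step 7: XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(session_key, len(data))))


if __name__ == "__main__":
    cert = issue_certificate("www.example.test", SRV_PUB, CA_PRIV)
    ck, sk = key_exchange(cert, CA_PUB, SRV_PRIV)
    ct = sym_crypt(ck, b"GET / HTTP/1.1")
    print(ck == sk, sym_crypt(sk, ct))
```

Tampering with the subject name in the certificate makes step 3 fail and the client aborts before any session key is sent, which is the whole point of the CA signature.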

11
Q

Types of IDS

A

1) Network-based = Operate by analyzing network traffic as it passes through a particular point on the network, such as a switch or router

2) Host-based = Operate on individual machines, analyzing system logs, file changes, and other activity

12
Q

Methods of detection used in Intrusion Detection System (IDS)

A

1) Statistical (anomaly)-based = builds a profile of normal behaviour (e.g. traffic volumes, login times) and looks for deviations from it, which may indicate an attack; can detect novel attacks but is prone to false alarms

2) Signature-based = uses a database of known attack patterns, or signatures, to compare against network or system activity; precise, but blind to attacks not yet in the database

3) Neural network-based = monitors the general patterns of activity and traffic and builds a database of them; similar to the statistical model but with added self-learning functionality. (Products that combine statistical and signature-based detection are called hybrid IDS.)

13
Q

Why does a statistical-based IDS most likely generate false alarms?

A

This IDS relies on a definition of known and expected behaviour of systems. Because normal network activity at times includes unexpected behaviour (e.g. a sudden massive download), such events will be flagged as suspicious even though they are legitimate.
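The two detection methods from the previous card, and the false alarm described in this one, run over constructed web-server log lines. This is an added example, not part of the original flashcards: the log lines, the two signatures, the 3-sigma threshold and the "requests per source" statistic are all made up for illustration. The attacker sends only two requests (caught by signatures, missed by the anomaly model), while a legitimate user bulk-downloading reports trips the anomaly model.

```python
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Constructed training window: "<src_ip> <method> <url-encoded path> <status>", normal browsing only
BASELINE_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.5 GET /about.html 200
10.0.0.6 GET /index.html 200
10.0.0.6 GET /news.html 200
10.0.0.6 GET /contact.html 200
10.0.0.7 GET /login 200
10.0.0.7 POST /login 302
10.0.0.8 GET /index.html 200
10.0.0.8 GET /a.html 200
10.0.0.8 GET /b.html 200
10.0.0.8 GET /c.html 200
10.0.0.9 GET /index.html 200
10.0.0.9 GET /docs.html 200
10.0.0.9 GET /faq.html 200
10.0.0.10 GET /index.html 200
10.0.0.10 GET /about.html 200
"""

# Constructed detection window: one attacker (10.0.0.66) and one legitimate bulk download (10.0.0.50)
NEW_LOG = """\
10.0.0.12 GET /index.html 200
10.0.0.12 GET /about.html 200
10.0.0.66 GET /search?q=%27%20OR%201%3D1-- 200
10.0.0.66 GET /static/..%2F..%2Fetc/passwd 404
""" + "".join(f"10.0.0.50 GET /reports/q{i}.pdf 200\n" for i in range(6))

# Constructed signature database (real IDS rule sets are far larger)
SIGNATURES = {
    "sql_injection": re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select", re.I),
    "path_traversal": re.compile(r"\.\./"),
}


def parse(log_text):
    """Yield (src, method, decoded_path, status); decoding defeats simple %-encoding evasion."""
    for line in log_text.splitlines():
        src, method, path, status = line.split(" ")
        yield src, method, unquote(path), int(status)


def signature_alerts(log_text):
    """Signature-based: match every request path against the known-bad patterns."""
    return {(src, name) for src, _, path, _ in parse(log_text)
            for name, pat in SIGNATURES.items() if pat.search(path)}


def baseline_profile(log_text):
    """Statistical: learn 'normal' as mean and std-dev of requests per source."""
    counts = Counter(src for src, *_ in parse(log_text))
    vals = list(counts.values())
    return statistics.mean(vals), statistics.pstdev(vals)


def anomaly_alerts(log_text, profile, k=3.0):
    """Flag sources whose request count exceeds the baseline by more than k std-devs."""
    mean, sd = profile
    counts = Counter(src for src, *_ in parse(log_text))
    return {src: n for src, n in counts.items() if n > mean + k * sd}


if __name__ == "__main__":
    print("signature:", signature_alerts(NEW_LOG))
    print("anomaly:  ", anomaly_alerts(NEW_LOG, baseline_profile(BASELINE_LOG)))
```

The anomaly model flags 10.0.0.50 (six PDF downloads against a baseline of two to four requests per source) and says nothing about 10.0.0.66; the signature engine does the reverse. Neither alone is sufficient, which is why the two are deployed together.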

14
Q

Categories of Power Failures/Interruptions

A

1) Total failure (blackout)

2) Severely reduced voltage (brownout)

3) Sags, Spikes & Surges

4) Electromagnetic Interference (EMI)

15
Q

What is blackout?

A

Complete loss of electrical power, often caused by natural events (e.g. storms, earthquakes) or by the inability of the electrical utility company to meet user demand

16
Q

What is brownout?

A

Failure of the electrical utility company to supply power within an acceptable voltage range, which places strain on electronic equipment and may shorten its operational life or cause permanent damage

17
Q

What are Sags, Spikes & Surges?

A

Temporary and rapid decreases (sags) or increases (spikes and surges) in voltage levels, which can cause loss of data, network transmission errors or hardware damage

18
Q

What is Electromagnetic Interference (EMI)?

A

Interference caused by electrical storms or noisy electrical equipment (e.g. motors, fluorescent lighting, radio transmitters), which may cause systems to hang or crash as well as damage similar to that caused by sags, spikes and surges

19
Q

Types of Power Interruption & how to control them?

A

1) Short-term: those that last a few seconds (sags, spikes and surges) can be prevented with surge protectors or power line conditioners

2) Intermediate-term: those that last from a few seconds to about 30 minutes can be bridged by Uninterruptible Power Supply (UPS) devices, which supply battery power when main power is lost, long enough to shut down cleanly or to start a generator

3) Long-term: those that last from a few hours to several days require alternate power generators

20
Q

Types of Performance Indicators of Biometric System

A

1) False Acceptance Rate (FAR) = frequency of accepting an unauthorized person as authorized (a security failure)
2) False Rejection Rate (FRR) = frequency of rejecting an authorized person (a usability failure)
3) Equal Error Rate (EER) = the point at which FAR equals FRR, reached by tuning the matching threshold; the lower the EER, the more accurate the biometric system. Raising the threshold lowers FAR but raises FRR, and vice versa.
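FAR, FRR and EER computed from matcher scores, as an added example that is not part of the original flashcards. The two score lists are constructed (0 to 100, higher means a stronger match); in a real evaluation they would come from comparing live samples against enrolled templates. The threshold sweep shows the trade-off the card describes and finds the EER operating point.

```python
# Constructed matcher scores: higher = stronger match against the enrolled template
GENUINE = [88, 91, 75, 83, 95, 79, 86, 90, 72, 84]    # the legitimate user's own attempts
IMPOSTOR = [40, 55, 62, 48, 70, 58, 45, 66, 52, 74]   # other people's attempts on that template


def far(impostor_scores, threshold):
    """False Acceptance Rate: share of impostor attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False Rejection Rate: share of genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def error_tradeoff(genuine, impostor, thresholds=range(0, 101)):
    """(threshold, FAR, FRR) for each candidate threshold; raising it lowers FAR and raises FRR."""
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]


def equal_error_rate(genuine, impostor):
    """Threshold where FAR and FRR cross, and the EER there. Lower EER = more accurate system."""
    t, a, r = min(error_tradeoff(genuine, impostor), key=lambda row: abs(row[1] - row[2]))
    return t, (a + r) / 2


if __name__ == "__main__":
    for t in (60, 73, 80, 90):
        print(f"threshold {t}: FAR={far(IMPOSTOR, t):.1f} FRR={frr(GENUINE, t):.1f}")
    print("EER operating point:", equal_error_rate(GENUINE, IMPOSTOR))
```

For these constructed scores a threshold of 60 accepts 40% of impostors, a threshold of 90 rejects 70% of genuine users, and the curves cross at 73 with an EER of 10%. A system deployed for physical access to a data centre would normally be tuned above the EER point, accepting more false rejections in exchange for a lower FAR.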

21
Q

What are the 2 sub-protocols in IPSec?

A

1) Encapsulating Security Payload (ESP) protocol
2) Authentication Header (AH) protocol

22
Q

What is Encapsulating Security Payload (ESP) protocol?

A

1) Provides confidentiality by encrypting the payload of the IP packet. In tunnel mode the entire original IP packet (including the original IP header) is encrypted and encapsulated behind a new IP header; in transport mode only the data after the original IP header is encrypted.

2) In tunnel mode the new IP header’s destination address is the tunnel endpoint (e.g. the peer VPN gateway) and its source address is the address of the device performing the encryption; the ultimate destination is visible only inside the encrypted inner packet.

3) Provides integrity and authentication by using a keyed cryptographic hash (HMAC) to compute a message authentication code (MAC), called the Integrity Check Value (ICV), that is appended to the encrypted payload. The ICV ensures the ESP header and payload have not been tampered with or modified during transmission.

4) The ICV does not cover the outer IP header, which is why ESP (unlike AH) can pass through Network Address Translation (NAT).

23
Q

What is Authentication Header (AH) protocol?

A

1) Provides authentication and integrity of IP packets without encryption; the packet contents remain readable

2) The sender computes a keyed message digest (HMAC) over the IP header and payload and places it, as an Integrity Check Value (ICV), in an AH header inserted after the IP header

3) The receiver performs the same calculation with the same shared key and compares the result with the ICV in the packet

4) Fields of the IP header that legitimately change in transit (e.g. TTL, header checksum) are set to zero before hashing; immutable fields such as the source and destination addresses are covered

5) If the values match, the packet was not tampered with and the sender is who they claim to be, since only a holder of the shared key could have produced the ICV. Because the addresses are covered, AH cannot traverse NAT devices, which rewrite them.

24
Q

What are the 2 modes in IPSec?

A

1) Transport mode = only the payload (the data being transferred) is protected. The original IP header is kept in clear and used for routing. Typically used host-to-host.

2) Tunnel mode = the whole original packet, payload and IP header, is protected and wrapped in a new outer IP header addressed to the tunnel endpoint. Typically used gateway-to-gateway (site-to-site VPN) or remote-access client-to-gateway.
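The integrity checks of the three IPsec cards above (ESP, AH and the two modes), as an added example that is not part of the original flashcards. A packet is modelled as a dict with a header and a payload; the real AH/ESP headers (SPI, sequence number, padding), the encryption itself and IPv4 checksum arithmetic are omitted, and the key is constructed. What it shows is the difference that matters operationally: an AH-style ICV covers the immutable header fields, so a router hop (TTL change) is fine but a NAT rewrite of the source address breaks it, while an ESP-style ICV over the payload survives NAT; tunnel mode carries the original header inside the payload, where ESP then protects it.

```python
import copy
import hashlib
import hmac

# Constructed model: {"ip": {header fields}, "payload": bytes}
MUTABLE_FIELDS = {"ttl", "checksum"}     # change legitimately in transit; AH zeroes them (RFC 4302)


def serialize_header(hdr, zero_mutable):
    parts = []
    for k in sorted(hdr):
        v = 0 if (zero_mutable and k in MUTABLE_FIELDS) else hdr[k]
        parts.append(f"{k}={v}")
    return ";".join(parts).encode()


def ah_icv(key, pkt):
    """AH: HMAC over the immutable IP header fields plus the payload (truncated to 96 bits)."""
    data = serialize_header(pkt["ip"], zero_mutable=True) + b"|" + pkt["payload"]
    return hmac.new(key, data, hashlib.sha256).digest()[:12]


def esp_icv(key, pkt):
    """ESP: HMAC over the ESP payload only; the outer IP header is not covered."""
    return hmac.new(key, pkt["payload"], hashlib.sha256).digest()[:12]


def verify(icv_fn, key, pkt, icv):
    return hmac.compare_digest(icv_fn(key, pkt), icv)


def router_hop(pkt):
    """A normal forwarding hop: TTL decremented, header checksum recomputed (toy value)."""
    out = copy.deepcopy(pkt)
    out["ip"]["ttl"] -= 1
    out["ip"]["checksum"] = (out["ip"]["checksum"] + 1) & 0xFFFF
    return out


def nat(pkt, new_src):
    """Source NAT rewrites an immutable field, so an AH check must fail afterwards."""
    out = router_hop(pkt)
    out["ip"]["src"] = new_src
    return out


def tunnel_encapsulate(pkt, gw_src, gw_dst):
    """Tunnel mode: the whole original packet, header included, becomes the payload of a new packet."""
    inner = serialize_header(pkt["ip"], zero_mutable=False) + b"|" + pkt["payload"]
    return {"ip": {"src": gw_src, "dst": gw_dst, "ttl": 64, "checksum": 0}, "payload": inner}


if __name__ == "__main__":
    key = b"constructed-sa-key"
    pkt = {"ip": {"src": "10.0.0.5", "dst": "203.0.113.9", "ttl": 64, "checksum": 0x1A2B},
           "payload": b"hello"}
    a, e = ah_icv(key, pkt), esp_icv(key, pkt)
    natted = nat(router_hop(pkt), "198.51.100.1")
    print("AH after NAT :", verify(ah_icv, key, natted, a))    # False
    print("ESP after NAT:", verify(esp_icv, key, natted, e))   # True
```

The same behaviour is why remote-access VPNs through home routers use ESP with NAT traversal (UDP encapsulation) rather than AH.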

25
Q

What is Dynamic Host Configuration Protocol (DHCP)?

A

A protocol that automatically assigns IP addresses (and related settings such as default gateway and DNS server) to devices connecting to the network.

With DHCP disabled, static IP addresses must be used, and this requires either administrator support or a higher level of technical skill to attach to the network and gain Internet access.

Thus, it reduces the risk of unauthorized access to the network. Caveat: this is a weak control on its own, since an attacker who sniffs traffic for a few seconds can pick a valid static address; it should be complemented with switch port security or 802.1X network access control.

26
Q

What is the major risk of implementing remote VPN access to its network?

A

When remote access is enabled, malicious code on a remote client could spread to the organization’s network.

One problem arises when the VPN terminates inside the network: the encrypted VPN traffic passes through the firewall still encrypted, so the firewall cannot adequately examine it.

Terminating the VPN at the firewall or in a DMZ in front of it, and checking the client’s patch and antivirus state before granting access, addresses this.

27
Q

Steps in Auditing the Configuration of Network

A

1) Understand the importance & role of the network device within the organization’s network topology.

2) Identify the good practices for the type of network devices deployed to ensure no anomalies within the configuration.

3) Identify whether components of the network are missing or subcomponents of the network are being used appropriately.

28
Q

Purpose of a “Raised floor” in a computer machine room

A

Enable ventilation systems, power cables & data cables to be installed underneath the floor.

This eliminates the safety and damage risk posed when cables are placed in a spaghetti-like fashion on an open floor.

Raised floor won’t prevent water damage to machines if there’s overhead water pipe leakage

29
Q

What is port scanning?

A

A technique used by attackers (and by auditors and penetration testers) to identify open ports on a computer or network in order to find exploitable services or gain unauthorized access.

It involves sending a series of connection requests or probe packets to a target computer or network to determine which ports are open and which services are listening on them.

By analyzing the responses, an attacker can identify vulnerable services and launch attacks against them.

Scans typically target an organization’s external firewall and Internet-facing hosts; whether the organization uses wireless internally does not change this exposure.
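A minimal TCP connect scan, as an added example that is not part of the original flashcards. So that it runs offline, the script starts its own dummy listener on 127.0.0.1 (with a constructed "SSH-2.0-dummy" banner) and scans that port together with a port it knows to be closed; the listener, the banner and the port choices are all assumptions for the demo. Only scan hosts you are authorized to test.

```python
import socket
import threading


def start_listener(host="127.0.0.1"):
    """Bind a dummy TCP service on an OS-chosen port; returns (port, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        srv.settimeout(0.2)
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            conn.sendall(b"SSH-2.0-dummy\r\n")      # constructed banner, like a real service greeting
            conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop.set


def free_port(host="127.0.0.1"):
    """Ask the OS for an unused port and release it; used here as a known-closed port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def scan_ports(host, ports, timeout=0.5):
    """TCP connect scan: return {port: banner_or_None} for ports that accept a connection.

    A completed three-way handshake means the port is open; a refused connection or a
    timeout means closed or filtered. Reading the first bytes gives a crude service banner."""
    open_ports = {}
    for p in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, p))
        except OSError:                 # ECONNREFUSED, timeout, unreachable
            s.close()
            continue
        try:
            banner = s.recv(64).decode(errors="replace").strip() or None
        except OSError:
            banner = None
        finally:
            s.close()
        open_ports[p] = banner
    return open_ports


if __name__ == "__main__":
    port, stop = start_listener()
    closed = free_port()
    print(scan_ports("127.0.0.1", [port, closed]))   # only `port` appears, with its banner
    stop()
```

A connect scan completes the handshake and is therefore visible in the target’s application logs; SYN scans that never complete it need raw sockets and are what firewalls and IDS signatures look for when they count half-open connections per source.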

30
Q

What is back door?

A

This is an opening implanted into or left in software that enables an unauthorized entry into a system.

31
Q

What is war driving?

A

The practice of driving or walking around with a wireless-enabled device such as a laptop or smartphone in search of wireless networks.

The purpose of war driving is to locate wireless access points (WAPs) and identify potential vulnerabilities in the wireless networks, such as open or weakly encrypted networks.

It uses a wireless network card set in promiscuous mode (for 802.11 the equivalent is monitor mode) and a powerful antenna to pick up wireless signals from outside the premises.

Promiscuous mode is a mode of operation for a network card that allows it to capture and read all traffic it receives, including frames not addressed to that card.

32
Q

Best method to maintain integrity of log files (e.g. firewall logs)?

A

Establishing a dedicated third-party log server & logging events in it.

When access control to the log server is adequately maintained, the risk of unauthorized log modification is mitigated, therefore improving the integrity of log information.
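A complementary integrity control for the log entries themselves, as an added example that is not part of the original flashcards: hash-chained records, where each record’s HMAC tag covers the previous tag, so editing, deleting or reordering an entry invalidates every tag after it. The firewall log lines and the key are constructed; in a real deployment the key and the latest tag live on the dedicated log server, not on the device producing the logs.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32

# Constructed firewall log lines
FIREWALL_LOG = [
    "2024-03-01T10:00:01Z DENY tcp 198.51.100.7:51234 -> 10.0.0.5:22",
    "2024-03-01T10:00:02Z ALLOW tcp 10.0.0.8:44120 -> 203.0.113.9:443",
    "2024-03-01T10:00:03Z DENY udp 198.51.100.7:51235 -> 10.0.0.5:161",
]


def chain_logs(key, lines, prev=GENESIS):
    """Tag each line with HMAC(key, previous_tag || line). Returns [(line, tag_hex), ...]."""
    records = []
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        records.append((line, tag.hex()))
        prev = tag
    return records


def verify_chain(key, records, expected_last=None, prev=GENESIS):
    """Return the index of the first record that fails, or -1 if the chain is intact.

    expected_last is the latest tag recorded out-of-band (e.g. on the log server). Without it,
    silently truncating the tail of the file cannot be detected by the chain alone."""
    for i, (line, tag_hex) in enumerate(records):
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(tag, bytes.fromhex(tag_hex)):
            return i
        prev = tag
    if expected_last is not None and not hmac.compare_digest(prev.hex(), expected_last):
        return len(records)
    return -1


if __name__ == "__main__":
    key = b"constructed-log-key"
    records = chain_logs(key, FIREWALL_LOG)
    edited = list(records)
    edited[0] = (records[0][0].replace("DENY", "ALLOW"), records[0][1])   # attacker rewrites a line
    print("intact:", verify_chain(key, records, records[-1][1]))          # -1
    print("edited:", verify_chain(key, edited, records[-1][1]))           # 0
```

The chain detects modification, deletion and reordering in the middle of the file; detecting truncation still needs the latest tag anchored somewhere the attacker cannot reach, which is exactly the role the separate log server plays.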

33
Q

What is “session border controllers (SBC)”?

A

1) Enhances security in a communication network that uses Voice over Internet Protocol (VoIP) technology

2) Provides protection against malicious attacks, such as scanning & denial-of-service (DoS) attacks

34
Q

How do “session border controllers (SBC)” protect VoIP from scanning & DoS attacks?

A

1) In the access network, an SBC hides the real address of the user and provides a managed public address that can be monitored. This minimizes the chances of attackers scanning the network for vulnerabilities.

2) It also allows clients behind firewalls to access the network while maintaining the firewall’s effectiveness (it handles the NAT and firewall traversal that SIP signalling and RTP media otherwise need).

3) In the core network, an SBC protects both the users and the network by hiding the network topology and users’ real addresses. This means attackers cannot easily identify the location of the users or the network’s infrastructure.

4) It can monitor the network’s bandwidth and quality of service to ensure that users have a high-quality communication experience, and it rate-limits or drops malformed signalling, which is how it blunts DoS attacks.

Definitions:

1) Core network = the central part of the network that provides connectivity between different sub-networks, such as LANs or WANs

2) Access network = the portion of the network that connects endpoints such as IP phones to the service provider’s network, enabling voice traffic to be transmitted

35
Q

Steps in auditing logical access controls

A

1) Obtain an understanding of the security risks facing information processing by reviewing relevant documentation, making inquiries and conducting a risk assessment, to judge whether the controls are adequate to address the risk.

2) Document the controls applied to the potential access paths into the system, to assess the adequacy, efficiency and effectiveness of those controls against the risk assessed.

3) Test the controls over the access paths to determine whether they are functional.

4) Evaluate the security environment in relation to written policies and practices to assess its adequacy against good practices.

36
Q

What is challenge-response-based authentication?

A

A type of authentication in which the server challenges the user with a fresh value (e.g. a one-time code or nonce sent by the server) and the user, or the user’s token, must return a response computed from it with a secret, so that a captured response cannot simply be replayed.

It remains prone to session hijacking and man-in-the-middle attacks: an attacker positioned between the parties can relay the challenge and response unchanged and then take over the authenticated session.

37
Q

What are the typical lines of defense within a network?

A

1) Network Firewall

2) Intrusion Detection Systems (IDS)

3) Endpoints firewall & Antivirus Software (e.g. personal computers)

38
Q

Types of Penetration Testing

A

1) Blind testing
2) Targeted testing
3) Double-blind testing
4) External testing

39
Q

What is Blind Testing?

A

1) Also known as black-box testing

2) The penetration tester is not given any information & is forced to rely on publicly available information

3) This test simulates a real attack, except that the target organization is aware of the test being conducted.

40
Q

What is Double-blind Testing?

A

1) This is also known as zero-knowledge testing

2) The penetration tester is not given any information and the target organization is not given any warning; both parties are “blind” to the test

3) This is the best scenario for testing response capability because the target will react as if the attack were real.

41
Q

What is Targeted Testing?

A

1) This is also known as white-box testing

2) The penetration tester is provided with information & the target organization is aware of the testing activities

3) In some cases, the tester is also provided with a limited-privilege account to be used as a starting point

42
Q

What is External Testing?

A

This refers to a test where an external penetration tester launches attacks on the target’s network perimeter from outside the target network (typically from the Internet).