Infrastructure Security and Controls Flashcards

1
Q

Susan needs to explain what a jump box is to a member of her team. What should she tell them?

A. It is a secured system that is exposed in a DMZ.

B. It is a system used to access and manage systems or devices in the same security zone.

C. It is a system used to skip revisions during updates.

D. It is a system used to access and manage systems or devices in another security zone.

A

Answer:

D. Jump boxes are used to access and manage devices that are in another security zone from where the user is. This means they have connectivity into both zones, either via a VPN or similar technology. Option A may be tempting, but jump boxes aren’t only used for DMZs. Remember this when you’re studying—often questions will have a likely looking answer that isn’t fully correct.

2
Q

Ben sets up a system that acts like a vulnerable host in order to observe attacker behavior. What type of system has he set up?

A. A sinkhole

B. A blackhole

C. A honeypot

D. A beehive

A

Answer:

C. Ben has set up a honeypot, a system intended to be attractive to attackers, allowing defenders to observe their behavior while gathering information and potentially capturing copies of their tools. Sinkholes are systems or devices used as a destination for redirected traffic; often this is done defensively by answering DNS queries for malicious domains with a controlled address. Blackholing (null routing) is a real term, but it means silently discarding traffic rather than hosting a decoy, and a beehive is not a standard security term.

3
Q

Cameron builds a malware signature using a hash of the binary that he found on an infected system. What problem is he likely to encounter with modern malware when he tries to match hashes with other infected systems?

A. The malware may be polymorphic.

B. The hashes may match too many malware packages.

C. The attackers may have encrypted the binary.

D. The hash value may be too long.

A

Answer:

A. Polymorphic techniques change the malware's code or packing each time it infects a system, so the binary's hash differs on every host and a simple hash comparison fails to match. Fuzzy hashes (for example ssdeep) and byte-pattern rules (for example YARA) tolerate that variation, and more advanced approaches rely on behavior monitoring and other in-depth analysis that identifies the invariant components of the malware package.
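The following is an added example, not part of the flashcards, showing the failure mode in code: two constructed byte strings stand in for two variants of one malware family that share a decoder stub and a C2 string but differ in the key byte and padding, as a polymorphic packer would produce. An exact SHA-256 match finds only the variant it was built from, while a YARA-style byte pattern with a wildcard over the changing byte matches both. The stub bytes, the C2 string and the file layout are invented for the example.

```python
"""Why an exact hash misses a polymorphic variant, and what a pattern rule sees.

Added example, not from the flashcards. SAMPLE_A and SAMPLE_B are constructed
byte strings standing in for two variants of one malware family: same decoder
stub and C2 string, but a different XOR key byte and different padding, as a
polymorphic packer would produce.
"""
import hashlib
import re

DECODER_STUB = b"\x31\xc0\xb0"            # xor eax,eax ; mov al, <key>  (constructed)
C2_STRING = b"http://c2.example/beacon"   # constructed, not a real indicator


def build_variant(key: int, padding: int) -> bytes:
    """Emit one constructed variant; only the key byte and padding vary."""
    return b"MZ\x90\x00" + b"\x00" * padding + DECODER_STUB + bytes([key]) + C2_STRING


SAMPLE_A = build_variant(key=0x41, padding=8)
SAMPLE_B = build_variant(key=0x7F, padding=12)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_match(sample: bytes, known_hashes: set) -> bool:
    """Exact-match signature: a single changed byte defeats it."""
    return sha256(sample) in known_hashes


# A YARA-style rule expressed as a bytes regex: the stub, one wildcard byte for
# the key, then the invariant C2 string. DOTALL lets '.' match any byte value.
PATTERN_RULE = re.compile(re.escape(DECODER_STUB) + rb"." + re.escape(C2_STRING), re.DOTALL)


def pattern_match(sample: bytes) -> bool:
    """Content signature keyed on the parts the polymorphic engine leaves alone."""
    return PATTERN_RULE.search(sample) is not None


if __name__ == "__main__":
    known = {sha256(SAMPLE_A)}
    print("hash match on A:", hash_match(SAMPLE_A, known))
    print("hash match on B:", hash_match(SAMPLE_B, known))
    print("pattern match on A/B:", pattern_match(SAMPLE_A), pattern_match(SAMPLE_B))
```

The pattern rule is only as good as the invariant it keys on; a family that also mutates its strings needs behavioral or import-based indicators instead.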

4
Q

Ric is reviewing his organization’s network design and is concerned that a known flaw in the border router could let an attacker disable their Internet connectivity. Which of the following is an appropriate compensatory control?

A. An identical second redundant router set up in an active/passive design

B. An alternate Internet connectivity method using a different router type

C. An identical second redundant router set up in an active/active design

D. A firewall in front of the router to stop any potential exploits that could cause a failure of connectivity

A

Answer:

B. Ric’s best option is to implement backup Internet connectivity using a different make and model of router. This reduces the chance of the same exploit being able to take down both types of device while removing the single point of failure for connectivity. Adding a second identical router in either active/active or active/passive mode does not work around the flaw since an attacker could immediately repeat the attack to take down the matching router. A firewall might help, but in many cases attacks against routers take place on a channel that is required for the router to perform its function.

5
Q

Fred wants to ensure that only software that has been preapproved runs on workstations he manages. What solution will best fit this need?

A. Blacklisting

B. Antivirus

C. Whitelisting

D. Virtual desktop infrastructure (VDI)

A

Answer:

C. Whitelisting (now commonly called allow listing) only permits programs that have been preapproved to run on systems that use it. Blacklisting (deny listing) prevents specific programs from running but allows everything else. An antivirus uses a number of techniques to identify malicious software and might even include blacklisting and whitelisting capabilities, but we cannot assume that is the case. VDI provides virtualized desktops and can be useful for controlling systems but does not specifically provide this capability.

6
Q

A member of Susan’s team recently fell for a phishing scam and provided his password and personal information to a scammer. What layered security approach is not an appropriate layer for Susan to implement to protect her organization from future issues?

A. Multifactor authentication

B. Multitiered firewalls

C. An awareness program

D. A SIEM monitoring where logins occur

A

Answer:

B. A multitier firewall is least likely to be an effective security control when Susan’s organization deals with compromised credentials. Multifactor authentication would require the attacker to have the second factor in addition to the password, an awareness program may help Susan’s employees avoid future scams, and a SIEM monitoring for logins that are out of the ordinary may spot the attacker logging in remotely or otherwise abusing the credentials they obtained.
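As an added illustration of the SIEM layer (this is example code, not part of the flashcards), here are two rules a SIEM could run over authentication events after a credential phish: a successful login from a source network the user has never used, and successful logins from two different countries within an hour. The log lines and their one-line-per-event format are constructed for the example; a real SIEM would supply these fields from its own normalized schema.

```python
"""Login-monitoring rules over authentication events after a credential phish:
(1) a successful login from a source network the user has never used, and
(2) successful logins from two countries within a short window.

Added example, not from the flashcards. LOGS and its format
(timestamp user source_ip country result) are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOGS = """\
2024-05-01T08:02:11Z alice 10.20.3.44 US success
2024-05-01T08:05:49Z bob 10.20.3.51 US success
2024-05-02T07:58:03Z alice 10.20.3.44 US success
2024-05-03T09:14:27Z alice 10.20.3.44 US success
2024-05-04T02:31:09Z alice 185.220.101.7 NL success
2024-05-04T02:45:22Z alice 10.20.3.44 US success
2024-05-04T03:10:00Z bob 10.20.3.51 US failure
"""

BASELINE_UNTIL = datetime(2024, 5, 4)   # events before this train the per-user baseline


def parse(text):
    events = []
    for line in text.splitlines():
        ts, user, ip, country, result = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "country": country, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def net24(ip):
    """Coarsen an IPv4 address to its /24 so DHCP churn does not trip the rule."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def detect(events, baseline_until=BASELINE_UNTIL, travel_window=timedelta(hours=1)):
    known_nets = defaultdict(set)
    for e in events:
        if e["ts"] < baseline_until and e["result"] == "success":
            known_nets[e["user"]].add(net24(e["ip"]))

    alerts, last_ok = [], {}
    for e in events:
        if e["result"] != "success":
            continue                      # failures are noise for these two rules
        if e["ts"] >= baseline_until and net24(e["ip"]) not in known_nets[e["user"]]:
            alerts.append(("new_source_network", e["user"], e["ip"]))
        prev = last_ok.get(e["user"])
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= travel_window:
            alerts.append(("two_countries_within_window", e["user"],
                           prev["country"] + "->" + e["country"]))
        last_ok[e["user"]] = e
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(LOGS)):
        print(alert)
```

Both rules fire on alice's 04 May activity: a first-ever login from 185.220.101.7, then a US login fourteen minutes later. Neither rule needs to know the password was phished; they key on the credential being used from somewhere the real user is not.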

7
Q

Chris is in charge of his organization’s Windows security standard, including their Windows 7 security standard, and has recently decommissioned the organization’s last Windows 7 system. What is the next step in his security standard’s life cycle?

A. A scheduled review of the Windows standards

B. A final update to the standard, noting that Windows 7 is no longer supported

C. Continual improvement of the Windows standards

D. Retiring the Windows 7 standard

A

Answer:

D. Retirement is the last step at the end of the life cycle for a standard or process. Of course, this means that if the process is retired, a final update to it is not needed! The standards for other, currently maintained operating systems should undergo regular scheduled review, and staff who support them may participate in a continuous improvement process to keep the standards up to date.

8
Q

Example Corporation has split their network into network zones that include sales, HR, research and development, and guest networks, each separated from the others using network security devices. What concept is Example Corporation using for their network security?

A. Segmentation

B. Multiple-interface firewalls

C. Single-point-of-failure avoidance

D. Zoned routing

A

Answer:

A. Example Corporation is using network segmentation to split their network up into security zones based on their functional requirements. They may use multiple-interface firewalls for this, and they may try to avoid single points of failure, but the question does not provide enough information to know if that is the case. Finally, zoned routing is a made-up term—zone routing is an actual technical term, but it is used for wireless networks.

9
Q

Which of the following layered security controls is commonly used at the WAN, LAN, and host layer in a security design?

A. Encryption of data at rest

B. Firewalls

C. DMZs

D. Antivirus

A

Answer:

B. Firewalls are commonly used to create network protection zones, to protect network borders, and at the host level to help armor the host against attacks. Encryption at rest is most frequently used at the host layer, whereas DMZs are typically used at the edge of a network for publicly accessible services. Antivirus is sometimes used at each layer but is most commonly found at the host layer.

10
Q

After a breach that resulted in attackers successfully exfiltrating a sensitive database, Jason has been asked to deploy a technology that will prevent similar issues in the future. What technology is best suited to this requirement?

A. Firewalls

B. IDS

C. DLP

D. EDR

A

Answer:

C. Data loss prevention (DLP) tools attempt to identify sensitive or controlled data and to prevent it from being removed from systems or the local network. In this case, Jason’s answer should be to use a DLP and to tag sensitive data to help ensure that another sensitive database is not stolen. He should also make sure that management is aware that a DLP cannot always detect all data that might leave, and that encrypted or otherwise obscured data may still be at risk.

11
Q

During a penetration test of Anna’s company, the penetration testers were able to compromise the company’s web servers and deleted their log files, preventing analysis of their attacks. What compensating control is best suited to prevent this issue in the future?

A. Using full-disk encryption

B. Using log rotation

C. Sending logs to a syslog server

D. Using TLS to protect traffic

A

Answer:

C. Sending logs to a remote log server, such as a central syslog collector or a SIEM, is an appropriate compensating control. This ensures that copies of the logs exist in a location the compromised host cannot alter, allowing them to be reviewed if a similar compromise occurred; ideally the web servers can only append to the collector and have no way to delete what they have already sent. Full-disk encryption leaves files decrypted while in use and would not secure the log files from a compromise, whereas log rotation simply means that logs get changed out when they hit a specific size or timeframe. TLS encryption for data (including logs) in transit can keep it private and prevent modification but wouldn't protect the logs from being deleted.

12
Q

Which of the following controls is best suited to prevent vulnerabilities related to software updates?

A. Operating system patching standards

B. Centralized patch management software

C. Vulnerability scanning

D. An IPS with appropriate detections enabled

A

Answer:

B. While each of the items listed can help as part of a comprehensive security architecture, using centralized patch management software will typically have the largest impact in an organization’s handling of vulnerabilities related to software updates. Vulnerability scanning can help detect issues, and an IPS with the appropriate detections enabled may help prevent exploits, but both are less important than patching itself. Similarly, standards for patching help guide what is done but don’t ensure that the patching occurs.

13
Q

Ben’s organization uses data loss prevention software that relies on metadata tagging to ensure that sensitive files do not leave the organization. What compensating control is best suited to ensuring that data that does leave is not exposed?

A. Mandatory data tagging policies

B. Encryption of all files sent outside the organization

C. DLP monitoring of all outbound network traffic

D. Network segmentation for sensitive data handling systems

A

Answer:

B. Since Ben must assume that data that leaves may be exposed, his best option is to enforce encryption of files that leave the organization. Mandatory data tagging and DLP monitoring can help catch data that is accidentally sent, and network segmentation can help reduce the number of points he has to monitor, but encryption is the only control that can have a significant impact on data that does leave.

14
Q

James is concerned that network traffic from his datacenter has increased and that it may be caused by a compromise that his security tools have not identified. What SIEM analysis capability could he use to look at the traffic over time sent by his datacenter systems?

A. Automated reporting

B. Trend analysis

C. BGP graphing

D. Log aggregation

A

Answer:

B. Trend analysis using historical data will show James what his network traffic’s behavior has been. James may notice an increase since a new storage server with cloud replication was put in, or he may notice that a DMZ host has steadily been increasing its outbound traffic. Automated reporting might send an alarm if it has appropriate thresholds set, and log aggregation is the foundation of how a SIEM gathers information, but neither will individually give James the view he needs. BGP is a routing protocol, and graphing it won’t give James the right information either.
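The following is an added example (not from the flashcards) of what "trend analysis" means in code: per-host daily outbound volume, a baseline taken from the first week, a threshold that flags one-off spikes, and a least-squares slope over the remaining days that catches the host whose outbound traffic climbs steadily, which is exactly the DMZ-host case the answer describes. The daily totals are constructed; in practice they are the result of a SIEM or flow-collector query grouped by source host and day.

```python
"""Trend analysis over per-host outbound volume: a baseline from the first
week, a threshold for one-off spikes, and a least-squares slope over the
non-spike days to catch steady growth.

Added example, not from the flashcards. DAILY_OUTBOUND_MB is constructed.
"""
import statistics

DAILY_OUTBOUND_MB = {
    "db01":      [120, 118, 125, 119, 121, 123, 120, 122, 119, 124, 121, 120, 118, 122],
    "dmz-web02": [40, 42, 45, 48, 52, 57, 63, 70, 78, 87, 97, 108, 120, 134],
    "backup01":  [300, 305, 298, 302, 301, 299, 303, 301, 297, 304, 1500, 302, 299, 301],
}


def slope(points):
    """Least-squares slope of (day, value) points, in MB per day."""
    xs, ys = zip(*points)
    xbar, ybar = statistics.fmean(xs), statistics.fmean(ys)
    num = sum((x - xbar) * (y - ybar) for x, y in zip(xs, ys))
    den = sum((x - xbar) ** 2 for x in xs)
    return num / den


def analyze(series, baseline_days=7, spike_sigma=3.0, growth_pct_per_day=5.0):
    findings = {}
    for host, values in series.items():
        base = values[:baseline_days]
        mean, sd = statistics.fmean(base), statistics.pstdev(base)
        # One-off bursts: days far above the baseline distribution.
        spikes = [d for d, v in enumerate(values) if v > mean + spike_sigma * sd]
        # Fit the trend on non-spike days so a single burst does not masquerade as growth.
        steady = [(d, v) for d, v in enumerate(values) if d not in spikes]
        growth = 100.0 * slope(steady) / mean
        findings[host] = {
            "spike_days": spikes,
            "growth_pct_per_day": round(growth, 1),
            "steady_growth": growth > growth_pct_per_day,
        }
    return findings


if __name__ == "__main__":
    for host, finding in analyze(DAILY_OUTBOUND_MB).items():
        print(host, finding)
```

With these inputs backup01 shows a single spike (day 10, the kind of thing a one-time replication job produces), dmz-web02 shows no single alarming day early on but a steady climb that a per-day threshold would never flag, and db01 is flat. The spike threshold is a plain mean-plus-sigma test; the point is that the slope, not the threshold, is what surfaces slow exfiltration.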

15
Q

Angela needs to implement a control to ensure that she is notified of changes to important configuration files on her server. What type of tool should she use for this control?

A. Antimalware

B. Configuration management

C. File integrity checking

D. Logging

A

Answer:

C. File integrity checking tools like Tripwire can notify an administrator when changes are made to a file or directory. Angela can implement file integrity monitoring for her critical system files, thus ensuring she is warned if they change without her knowledge. Antimalware tools only detect behaviors like those of malware and may not detect manual changes or behaviors that don’t match the profile they expect. Configuration management tools can control configuration files but may not note changes that are made, and logging utilities often don’t track changes to files.
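Added example, not from the flashcards, of the core of a file-integrity check: snapshot the hash, size and permission bits of every regular file under a directory, take a second snapshot later, and report what was added, removed or modified. The demo() scenario and its file names and contents are constructed to show each kind of change; a real deployment would store the baseline off-host or sign it, since an intruder with root can otherwise just refresh it.

```python
"""A minimal file-integrity check: snapshot hashes and metadata of a tree,
compare a later snapshot against it, and report added/removed/modified files.

Added example, not from the flashcards; demo() builds a constructed scenario.
"""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map relative path -> (sha256, size, mode bits) for every regular file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue                      # symlinks and special files hash nothing useful
            st = os.lstat(full)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            state[os.path.relpath(full, root)] = (h.hexdigest(), st.st_size, st.st_mode & 0o7777)
    return state


def compare(baseline, current):
    """Return sorted lists of added, removed and modified paths (mode changes count)."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline three config files, then edit one, chmod one,
    delete one and drop in a new one, the kinds of change an intruder makes."""
    with tempfile.TemporaryDirectory() as root:
        seed = {"sshd_config": b"PermitRootLogin no\n",
                "sudoers": b"root ALL=(ALL) ALL\n",
                "motd": b"authorized use only\n"}
        for name, body in seed.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(body)
            os.chmod(path, 0o644)                         # fixed mode so the baseline is deterministic
        baseline = snapshot(root)

        with open(os.path.join(root, "sshd_config"), "wb") as fh:
            fh.write(b"PermitRootLogin yes\n")            # content change
        os.chmod(os.path.join(root, "sudoers"), 0o666)    # permission change, same content
        os.remove(os.path.join(root, "motd"))             # deletion
        with open(os.path.join(root, "cron.d_backdoor"), "wb") as fh:
            fh.write(b"* * * * * root /tmp/x\n")           # new file
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Hashing content alone would miss the sudoers permission change, which is why the snapshot records mode bits as well; production tools also record owner, inode and timestamps and run from a read-only baseline.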

16
Q

Megan has recently discovered that the Linux server she is responsible for maintaining is affected by a zero-day exploit for a vulnerability in the web application software that is needed by her organization. Which of the following compensating controls should she implement to best protect the server?

A. A WAF

B. Least privilege for accounts

C. A patch from the vendor

D. An IDS

A

Answer:

A. A web application firewall (WAF) can provide protection against unknown threats and zero-day exploits by restricting attacks based on behavior or by implementing custom protection based on known exploit behavior. A patch from the vendor is often not immediately available, an IDS cannot stop an attack—at best it will report the attack—and least privilege for accounts may limit the impact of an attack but won’t stop it.

17
Q

Mike installs a firewall in front of a previously open network to prevent the systems behind the firewall from being targeted by external systems. What did Mike do?

A. Reduced the organization’s attack surface

B. Implemented defense-in-depth

C. Added a corrective control

D. Added an administrative control

A

Answer:

A. Mike reduced the organization’s attack surface. This occurs when the number of potential targets is reduced. Since the question describes only one security activity, we don’t know that defense-in-depth has been implemented. The firewall may be a corrective control, but the question does not specify whether it’s there as part of a response or to deal with a specific problem, and firewalls are technical controls rather than administrative controls.

18
Q

Port security refers to what type of security control?

A. Allowing only specific MAC addresses to access a network port

B. The controls used to protect a port when oceangoing vessels dock

C. A technical control that requires authentication by a user before a port is used

D. A layer 3 filter applied to switch ports

A

Answer:

A. Port security is a layer 2 feature on switches that limits which MAC addresses (learned dynamically or configured statically) may send frames on a given port, and drops traffic or shuts the port down when another address appears. It does not authenticate the user (that is what 802.1X does) and it is not a layer 3 filter. Because MAC addresses can be spoofed, it is a basic hygiene control rather than a strong one.

19
Q

Tony configures his network to provide false DNS responses for known malware domains. What technique is he using?

A. Blacklisting

B. Whitelisting

C. Sinkholing

D. Honeypotting

A

Answer:

C. Tony is using a sinkholing technique by causing traffic that would normally go to a malicious site to go to another host. One common option is to send traffic like this to an internally controlled site that lets users know they would have gone somewhere dangerous.
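The decision logic of such a DNS sinkhole, as an added example that is not part of the flashcards: queries for a blocklisted domain or any of its subdomains get a controlled address, everything else is forwarded, and every sinkhole hit is recorded, because a client asking for a malware domain is itself a detection event. The blocklist entries, the sinkhole address and the stand-in upstream resolver are all constructed for the example.

```python
"""Decision logic for a DNS sinkhole: answer queries for known-malicious domains
(and their subdomains) with a controlled address, forward the rest, and record
every hit for the SIEM.

Added example, not from the flashcards. SINKHOLE_IP, BLOCKLIST and the fake
upstream table are constructed.
"""

SINKHOLE_IP = "10.99.0.1"   # assumption: internal host serving a "you were blocked" page
BLOCKLIST = {"c2.example", "malware-updates.example", "bad.cdn.example"}

# Stand-in for a real upstream resolver; only the names in this table resolve.
FAKE_UPSTREAM = {"intranet.corp.example": "10.0.0.5"}


def normalize(qname: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return qname.rstrip(".").lower()


def is_sinkholed(qname: str) -> bool:
    """True if qname or any parent domain of it is on the blocklist."""
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


def upstream_lookup(qname: str):
    return FAKE_UPSTREAM.get(normalize(qname))


class Sinkhole:
    def __init__(self, upstream=upstream_lookup):
        self.upstream = upstream    # callable(qname) -> ip or None
        self.hits = []              # (client_ip, qname) pairs to ship to the SIEM

    def resolve(self, client_ip: str, qname: str):
        if is_sinkholed(qname):
            self.hits.append((client_ip, normalize(qname)))
            return SINKHOLE_IP
        return self.upstream(qname)


if __name__ == "__main__":
    s = Sinkhole()
    for client, name in [("10.1.2.3", "C2.EXAMPLE."), ("10.1.2.3", "beacon.c2.example"),
                         ("10.1.2.9", "notc2.example"), ("10.1.2.9", "intranet.corp.example")]:
        print(name, "->", s.resolve(client, name))
    print("hits:", s.hits)
```

The suffix walk matters: "beacon.c2.example" must be caught, while "notc2.example" must not be, which a naive substring check would get wrong in both directions. In production the same logic is usually expressed as a response policy zone on the resolver, with the hit log feeding the SIEM.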