Lesson 9: Evaluate Network Security Capabilities

Question 1

Define a ‘Secure baseline’

Answer 1

A set of standardized/minimum security controls and configurations for different types of IT assets, such as operating systems, networks, and applications.

Question 2

What are typical hardening techniques?

Answer 2

Disabling unnecessary services, configuring appropriate permissions, applying patches and updates, and ensuring adherence to secure configurations defined by the secure baselines.

Question 3

What is a Center for Internet Security (CIS) Benchmark?

Answer 3

Best practice guides for securing IT systems and data covering multiple domains.

Question 4

What domains make up the Center for Internet Security (CIS) Benchmark?

Answer 4

Networks, operating systems, and applications

Question 5

What are the Security Technical Implementation Guides (STIGs)?

Answer 5

Secure baseline for US DoD.

Question 6

Define ‘Hardening’

Answer 6

The process of reducing system vulnerabilities to make IT resources more resilient to attacks; Changing default configuration of an app or host to reduce attack surface.

Question 7

List ways to harden a switch/router

Answer 7

Change default creds; Disables unnecessary services/interfaces; Secure management protocols (SSH/HTTPS); ACLs/VLANS; Logging/Monitoring; Port security.

Question 8

List ways to harden a server or OS

Answer 8

Change default creds; Disables unnecessary services; Regular patches/updates; Least privilege access; Firewalls/IDS; Access controls (PAM/MFA); AV; Logging/monitoring.

Question 9

What is the function of a Wireless Access Point (WAP)?

Answer 9

Provides a connection between wireless devices wired networks; Forwards traffic to and from the wired switched network.

Question 10

How is an individual access point identified in a network?

Answer 10

By its MAC address, also referred to as its basic service set identifier (BSSID).

Question 11

What is the protocol/standard for authenticating and encrypting wireless networks?

Answer 11

Wi-Fi Protected Access (WPA)

Question 12

Define ‘Wi-Fi Protected Setup (WPS)’

Answer 12

A feature of WPA and WPA2 that allows enrollment in a wireless network based on an eight-digit PIN.

Question 13

Why is WPS insecure?

Answer 13

While the PIN is eight characters, one digit is a checksum and the rest are verified as two separate PINs of four and three characters making it very easy to brute force.

Question 14

What protocol was developed to replace Wi-Fi Protected Setup (WPS)?

Answer 14

Device Provisioning Protocol (DPP)

Question 15

How does the ‘Device Provisioning Protocol (DPP)’ function to provide protected setup?

Answer 15

Each participating device must be configured with a public/private key pair; Uses quick response (QR) codes or near-field communication (NFC) tags to communicate each device’s public key.

Question 16

What mechanisms make Wi-Fi Protected Access 2 (WPA2) secure enough to implement?

Answer 16

Uses the Advanced Encryption Standard (AES) cipher with 128-bit keys, deployed within the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)

Question 17

List Wi-Fi Protected Access 3 (WPA3) improvements

Answer 17

Simultaneous Authentication of Equals (SAE); Enhanced Open; Updated Cryptographic Protocols; Device Provisioning Protocol (DPP)

Question 18

Define ‘Simultaneous Authentication of Equals (SAE)’

Answer 18

Replaces the Pre-Shared Key (PSK) exchange protocol in WPA2, ensuring an attacker cannot intercept the Wi-Fi password even when capturing data from a successful login.

Question 19

Define ‘Enhanced Open’

Answer 19

Encrypts traffic between devices and the access point.

Question 20

How did WPA3 improve cryptography?

Answer 20

Replaces AES CCMP with the AES Galois Counter Mode Protocol (GCMP) mode of operation.

Question 21

List the 3 types of Wi-Fi authentication

Answer 21

1. Open
2. Personal
3. Enterprise

Question 22

What are the two methods of personal authentication?

Answer 22

1. Pre-shared key authentication (PSK)
2. Simultaneous authentication of equals (SAE)

Question 23

Define ‘pre-shared key authentication (PSK)’

Answer 23

Uses a shared passphrase to generate the key used to encrypt communications.

Question 24

Define a ‘pairwise master key (PMK)’

Answer 24

Output of a pre-shared key converted to a 256-bit 64 character hex value using the PBKDF2 key stretching algorithm.

Question 25

In WPA3 personal mode, what mechanism/protocol is used to derive session keys once the passphrase has been authenticated?

Answer 25

Password-Authenticated Key Exchange (PAKE)

Question 26

How does WPA3 improve authentication in comparison to WPA2?

Answer 26

Replaces the 4-way handshake with the dragonfly handshake.

Question 27

Define the ‘Dragonfly handshake’

Answer 27

D-H and ECC ciphers, combined with a hash of the password and device MAC address to authenticate the nodes.

Question 28

Define ‘enterprise authentication’

Answer 28

Wireless network authentication mode where the access point acts as pass-through for credentials that are verified by an AAA server.

Question 29

What wireless standard is used for enterprise authentication?

Answer 29

802.1x authentication

Question 30

Define ‘Network access control (NAC)’

Answer 30

Collection of protocols, policies, and hardware to authenticate users and devices before allowing access to the network but also checks and enforces compliance with established security policies.

Question 31

Define ‘dynamic VLAN assignment’

Answer 31

Network access control (NAC) that assigns a VLAN to a device based on the user’s identity attributes, device type, device location, or health check results.

Question 32

What are advantages of using an agent based Network access control (NAC)?

Answer 32

Enable features such as automatic remediation.

Question 33

How would an agentless Network access control (NAC) be deployed?

Answer 33

By implementing port-based network access control or network scans to evaluate devices.

Question 34

Define a ‘persistent agent’

Answer 34

Installed as a software application on the client.

Question 35

Define a ‘non-persistent’ agent

Answer 35

Dissolvable agent; Loaded into memory during posture assessment but is not installed on the device.

Question 36

You want to deploy a wireless network where only clients with domain-issued digital certificates can join the network. What type of authentication mechanism is suitable?

Answer 36

EAP-TLS; requires that both server and client be installed with valid certificates.

Question 37

Define an ‘access control list (ACL)’

Answer 37

List of permissions associated with a network device, such as a router or a switch, that controls traffic at a network interface level.

Question 38

What packet info does an ACL use to determine access?

Answer 38

Source and destination IP addresses, port numbers, and the protocol.

Question 39

What is best practice for creating an ACL rule?

Answer 39

Create a written policy describing rule; Test the configuration and document the change.

Question 40

List two basic Perimeter ACL hardening techniques

Answer 40

1. Block incoming requests from internal or private IP addresses
2. Block incoming requests from protocols that should only function at a local network level, such as ICMP, DHCP, or routing protocol traffic.

Question 41

Define a screened subnet/DMZ

Answer 41

A segment isolated from the rest of a private network by one or more firewalls that accepts connections from the Internet over designated ports.

Question 42

What is the purpose of a screened network/DMZ?

Answer 42

Acts as a neutral zone, separating public-facing servers from sensitive internal network resources to reduce the exposure of the internal network resource to external threats.

Question 43

What services are typically found in a screened subnet/DMZ?

Answer 43

Web, email, DNS, or FTP services.

Question 44

What is the role of a firewall when coupled with a screened subnet?

Answer 44

The first firewall, between the Internet and the screened subnet, is configured to allow traffic to the services hosted in the screened subnet. The second firewall, between the screened subnet and the internal network, is configured to block most (practically all) traffic from the screened subnet to the internal network.

Question 45

Define ‘Host-based IDS/IPS (HIDS/HIPS)’

Answer 45

Installed on individual systems or servers, to monitor and analyze system behavior and configurations for suspicious activities.

Question 46

What is the purpose/function of Host-based IDS/IPS (HIDS/HIPS)?

Answer 46

Effective at identifying insider threats, detecting changes in system files, and monitoring non-network events like local logins and system processes.

Question 47

Define ‘Network-based IDS/IPS (NIDS/NIPS)’

Answer 47

Monitors network traffic; Looks for patterns or signatures of known threats and unusual network packet behavior.

Question 48

What is the purpose/function of Network-based IDS/IPS (NIDS/NIPS)?

Answer 48

Effective at identifying and responding to threats across multiple systems, like distributed denial-of-service (DDoS) attacks or network scanning activities.

Question 49

What is the purpose of an Intrusion detection systems (IDS)?

Answer 49

Designed to passively inspect network traffic detecting potential threats and generate alerts based on predefined rules or unusual behavior.

Question 50

What is the purpose of an Intrusion prevention systems (IPS)?

Answer 50

Proactively detects/identifies threats using signatures and can \take action to prevent or mitigate them.

Question 51

Define an ‘analysis engine’

Answer 51

The component in an IDS that scans and interprets the traffic captured by the sensor with the purpose of identifying suspicious traffic.

Question 52

What is the purpose of the analysis engine of an IDS/IPS?

Answer 52

Determines an event’s classification with typical options of ignore, log only, alert, and block (IPS).

Question 53

How does the analysis engine make determinations?

Answer 53

By a set of programmed rules.

Question 54

What are the 3 main types of rulesets used by an analysis engine to make determinations?

Answer 54

1. Signature-based detection
2. Behavioral- and Anomaly-Based Detection
3. Trend Analysis

Question 55

Define ‘signature-based detection’

Answer 55

Pattern-matching; Analysis engine is loaded with a database of attack patterns or signatures - If traffic matches a pattern then the engine generates an incident.

Question 56

Define ‘Behavioral-based detection’

Answer 56

Detects changes in normal operating data sequences and identifies abnormal sequences; The engine is trained to recognize baseline “normal” traffic or events. Anything that deviates from this baseline (outside a defined level of tolerance) generates an incident.

Question 57

List the two forms of Behavioral-based detection that use machine learning

Answer 57

1. User and entity behavior analytics (UEBA)
2. Network traffic analysis (NTA)

Question 58

Define ‘User and entity behavior analytics (UEBA)’

Answer 58

Analysis engine scans indicators from multiple intrusion detection and log sources to identify anomalies; Often integrated with a security information and event management (SIEM) platform.

Question 59

Define ‘anomaly-based detection’

Answer 59

Specifically looking for irregularities in the use of protocols.

Question 60

Define ‘trend analysis’

Answer 60

Detecting patterns within a dataset over time, and using those patterns to make predictions about future events or to better understand past events.

Question 61

Define ‘web filtering’

Answer 61

A software application or gateway that filters client requests for various types of Internet content (web, FTP, IM, and so on).

Question 62

What is the purpose of web filtering?

Answer 62

Analyze web traffic in real time to restrict access based on various criteria such as URL, IP address, content category, or even specific keywords.

Question 63

What are two way to implement web filtering?

Answer 63

1. Agent based
2. Centralized

Question 64

What is the benefit of agent based web filtering?

Answer 64

Filtering policies remain in effect even when users are off the corporate network.

Question 65

What is the benefit of centralized web filtering?

Answer 65

Can effectively control and monitor all inbound and outbound web content.

Question 66

Define ‘Overblocking’

Answer 66

The filter is too restrictive; Inadvertently blocking access to legitimate and useful websites and negatively impacting employee productivity.

Question 67

Define ‘Underblocking’

Answer 67

The filter allows access to potentially harmful or inappropriate websites.

Question 68

What is the principal risk of deploying an intrusion prevention system with behavior-based detection?

Answer 68

Behavior-based detection can exhibit high false positive rates, where legitimate activity is wrongly identified as malicious.

Question 69

The cybersecurity manager of a rapidly growing technology startup has just acquired a set of new Internet of Things (IoT) devices to enhance its smart office environment. However, the manager has concerns about the security of these devices due to recent reports of IoT vulnerabilities. To address this, what method would the organization use to enhance the security of these devices by changing their default configuration?

Answer 69

Secure baselines