Lesson 9: Evaluate Network Security Capabilities Flashcards

1
Q

Define a ‘Secure baseline’

A

A set of standardized/minimum security controls and configurations for different types of IT assets, such as operating systems, networks, and applications.

2
Q

What are typical hardening techniques?

A

Disabling unnecessary services, configuring appropriate permissions, applying patches and updates, and ensuring adherence to secure configurations defined by the secure baselines.

3
Q

What is a Center for Internet Security (CIS) Benchmark?

A

Best practice guides for securing IT systems and data covering multiple domains.

4
Q

What domains make up the Center for Internet Security (CIS) Benchmark?

A

Networks, operating systems, and applications

5
Q

What are the Security Technical Implementation Guides (STIGs)?

A

Secure baseline for US DoD.

6
Q

Define ‘Hardening’

A

The process of reducing system vulnerabilities to make IT resources more resilient to attacks; Changing default configuration of an app or host to reduce attack surface.

7
Q

List ways to harden a switch/router

A

Change default credentials; disable unnecessary services/interfaces; use secure management protocols (SSH/HTTPS); apply ACLs/VLANs; enable logging/monitoring; configure port security.

8
Q

List ways to harden a server or OS

A

Change default credentials; disable unnecessary services; apply regular patches/updates; enforce least-privilege access; deploy firewalls/IDS; use access controls (PAM/MFA); run AV; enable logging/monitoring.

9
Q

What is the function of a Wireless Access Point (WAP)?

A

Provides a connection between wireless devices and wired networks; forwards traffic to and from the wired switched network.

10
Q

How is an individual access point identified in a network?

A

By its MAC address, also referred to as its basic service set identifier (BSSID).

11
Q

What is the protocol/standard for authenticating and encrypting wireless networks?

A

Wi-Fi Protected Access (WPA)

12
Q

Define ‘Wi-Fi Protected Setup (WPS)’

A

A feature of WPA and WPA2 that allows enrollment in a wireless network based on an eight-digit PIN.

13
Q

Why is WPS insecure?

A

Although the PIN is eight digits long, one digit is a checksum and the remaining seven are verified as two separate halves of four and three digits, which makes it very easy to brute force.

14
Q

What protocol was developed to replace Wi-Fi Protected Setup (WPS)?

A

Device Provisioning Protocol (DPP)

15
Q

How does the ‘Device Provisioning Protocol (DPP)’ function to provide protected setup?

A

Each participating device must be configured with a public/private key pair; quick response (QR) codes or near-field communication (NFC) tags are used to communicate each device’s public key.

16
Q

What mechanisms make Wi-Fi Protected Access 2 (WPA2) secure enough to implement?

A

Uses the Advanced Encryption Standard (AES) cipher with 128-bit keys, deployed within the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)

17
Q

List Wi-Fi Protected Access 3 (WPA3) improvements

A

Simultaneous Authentication of Equals (SAE); Enhanced Open; Updated Cryptographic Protocols; Device Provisioning Protocol (DPP)

18
Q

Define ‘Simultaneous Authentication of Equals (SAE)’

A

Replaces the Pre-Shared Key (PSK) exchange protocol in WPA2, ensuring an attacker cannot intercept the Wi-Fi password even when capturing data from a successful login.

19
Q

Define ‘Enhanced Open’

A

Encrypts traffic between devices and the access point.

20
Q

How did WPA3 improve cryptography?

A

Replaces AES CCMP with the AES Galois Counter Mode Protocol (GCMP) mode of operation.

21
Q

List the 3 types of Wi-Fi authentication

A
  1. Open
  2. Personal
  3. Enterprise
22
Q

What are the two methods of personal authentication?

A
  1. Pre-shared key authentication (PSK)
  2. Simultaneous authentication of equals (SAE)
23
Q

Define ‘pre-shared key authentication (PSK)’

A

Uses a shared passphrase to generate the key used to encrypt communications.

24
Q

Define a ‘pairwise master key (PMK)’

A

The output of converting a pre-shared key into a 256-bit (64-character hex) value using the PBKDF2 key-stretching algorithm.

25
Q

In WPA3 personal mode, what mechanism/protocol is used to derive session keys once the passphrase has been authenticated?

A

Password-Authenticated Key Exchange (PAKE)

26
Q

How does WPA3 improve authentication in comparison to WPA2?

A

Replaces the 4-way handshake with the dragonfly handshake.

27
Q

Define the ‘Dragonfly handshake’

A

Uses D-H and ECC ciphers, combined with a hash of the password and device MAC address, to authenticate the nodes.

28
Q

Define ‘enterprise authentication’

A

Wireless network authentication mode where the access point acts as pass-through for credentials that are verified by an AAA server.

29
Q

What wireless standard is used for enterprise authentication?

A

802.1x authentication

30
Q

Define ‘Network access control (NAC)’

A

Collection of protocols, policies, and hardware that authenticates users and devices before allowing access to the network and also checks and enforces compliance with established security policies.

31
Q

Define ‘dynamic VLAN assignment’

A

Network access control (NAC) that assigns a VLAN to a device based on the user’s identity attributes, device type, device location, or health check results.

32
Q

What are the advantages of using an agent-based Network access control (NAC)?

A

Enables features such as automatic remediation.

33
Q

How would an agentless Network access control (NAC) be deployed?

A

By implementing port-based network access control or network scans to evaluate devices.

34
Q

Define a ‘persistent agent’

A

Installed as a software application on the client.

35
Q

Define a ‘non-persistent’ agent

A

Dissolvable agent; Loaded into memory during posture assessment but is not installed on the device.

36
Q

You want to deploy a wireless network where only clients with domain-issued digital certificates can join the network. What type of authentication mechanism is suitable?

A

EAP-TLS; requires that both server and client be installed with valid certificates.

37
Q

Define an ‘access control list (ACL)’

A

List of permissions associated with a network device, such as a router or a switch, that controls traffic at a network interface level.

38
Q

What packet info does an ACL use to determine access?

A

Source and destination IP addresses, port numbers, and the protocol.

39
Q

What is best practice for creating an ACL rule?

A

Create a written policy describing the rule; test the configuration and document the change.

40
Q

List two basic Perimeter ACL hardening techniques

A
  1. Block incoming requests from internal or private IP addresses
  2. Block incoming requests from protocols that should only function at a local network level, such as ICMP, DHCP, or routing protocol traffic.
41
Q

Define a screened subnet/DMZ

A

A segment isolated from the rest of a private network by one or more firewalls that accepts connections from the Internet over designated ports.

42
Q

What is the purpose of a screened network/DMZ?

A

Acts as a neutral zone, separating public-facing servers from sensitive internal network resources to reduce the exposure of those internal resources to external threats.

43
Q

What services are typically found in a screened subnet/DMZ?

A

Web, email, DNS, or FTP services.

44
Q

What is the role of a firewall when coupled with a screened subnet?

A

The first firewall, between the Internet and the screened subnet, is configured to allow traffic to the services hosted in the screened subnet. The second firewall, between the screened subnet and the internal network, is configured to block most (practically all) traffic from the screened subnet to the internal network.

45
Q

Define ‘Host-based IDS/IPS (HIDS/HIPS)’

A

Installed on individual systems or servers, to monitor and analyze system behavior and configurations for suspicious activities.

46
Q

What is the purpose/function of Host-based IDS/IPS (HIDS/HIPS)?

A

Effective at identifying insider threats, detecting changes in system files, and monitoring non-network events like local logins and system processes.

47
Q

Define ‘Network-based IDS/IPS (NIDS/NIPS)’

A

Monitors network traffic; Looks for patterns or signatures of known threats and unusual network packet behavior.

48
Q

What is the purpose/function of Network-based IDS/IPS (NIDS/NIPS)?

A

Effective at identifying and responding to threats across multiple systems, like distributed denial-of-service (DDoS) attacks or network scanning activities.

49
Q

What is the purpose of an intrusion detection system (IDS)?

A

Designed to passively inspect network traffic, detect potential threats, and generate alerts based on predefined rules or unusual behavior.

50
Q

What is the purpose of an intrusion prevention system (IPS)?

A

Proactively detects/identifies threats using signatures and can take action to prevent or mitigate them.

51
Q

Define an ‘analysis engine’

A

The component in an IDS that scans and interprets the traffic captured by the sensor with the purpose of identifying suspicious traffic.

52
Q

What is the purpose of the analysis engine of an IDS/IPS?

A

Determines an event’s classification with typical options of ignore, log only, alert, and block (IPS).

53
Q

How does the analysis engine make determinations?

A

By a set of programmed rules.

54
Q

What are the 3 main types of rulesets used by an analysis engine to make determinations?

A
  1. Signature-based detection
  2. Behavioral- and Anomaly-Based Detection
  3. Trend Analysis
55
Q

Define ‘signature-based detection’

A

Pattern-matching; Analysis engine is loaded with a database of attack patterns or signatures - If traffic matches a pattern then the engine generates an incident.

56
Q

Define ‘Behavioral-based detection’

A

Detects changes in normal operating data sequences and identifies abnormal sequences; The engine is trained to recognize baseline “normal” traffic or events. Anything that deviates from this baseline (outside a defined level of tolerance) generates an incident.

57
Q

List the two forms of Behavioral-based detection that use machine learning

A
  1. User and entity behavior analytics (UEBA)
  2. Network traffic analysis (NTA)
58
Q

Define ‘User and entity behavior analytics (UEBA)’

A

Analysis engine scans indicators from multiple intrusion detection and log sources to identify anomalies; Often integrated with a security information and event management (SIEM) platform.

59
Q

Define ‘anomaly-based detection’

A

Specifically looking for irregularities in the use of protocols.

60
Q

Define ‘trend analysis’

A

Detecting patterns within a dataset over time, and using those patterns to make predictions about future events or to better understand past events.

61
Q

Define ‘web filtering’

A

A software application or gateway that filters client requests for various types of Internet content (web, FTP, IM, and so on).

62
Q

What is the purpose of web filtering?

A

Analyze web traffic in real time to restrict access based on various criteria such as URL, IP address, content category, or even specific keywords.

63
Q

What are two ways to implement web filtering?

A
  1. Agent-based
  2. Centralized
64
Q

What is the benefit of agent-based web filtering?

A

Filtering policies remain in effect even when users are off the corporate network.

65
Q

What is the benefit of centralized web filtering?

A

Can effectively control and monitor all inbound and outbound web content.

66
Q

Define ‘Overblocking’

A

The filter is too restrictive; it inadvertently blocks access to legitimate and useful websites and negatively impacts employee productivity.

67
Q

Define ‘Underblocking’

A

The filter allows access to potentially harmful or inappropriate websites.

68
Q

What is the principal risk of deploying an intrusion prevention system with behavior-based detection?

A

Behavior-based detection can exhibit high false positive rates, where legitimate activity is wrongly identified as malicious.

69
Q

The cybersecurity manager of a rapidly growing technology startup has just acquired a set of new Internet of Things (IoT) devices to enhance its smart office environment. However, the manager has concerns about the security of these devices due to recent reports of IoT vulnerabilities. To address this, what method would the organization use to enhance the security of these devices by changing their default configuration?

A

Secure baselines