*** Most important. Based on blueprint

Question 1

CAPWAP

Answer 1

Encapsulates data between LWAP and WLC. Routable. Wireless IPS. Much more

Question 2

ARP

Answer 2

Operates between L2 and L3.

Question 3

ARP Ethertype

Answer 3

0x0806

Question 4

DNS Resolver

Answer 4

local client

Question 5

DNS Recursor

Answer 5

Internal DNS

Question 6

Bridges vs. Switches

Answer 6

Bridges use SW bridging logic. Switches use HW bridging logic.

Question 7

Cisco AMP

Answer 7

Advanced Malware Protection. Applies before, during, and after attack continuum. Examines SHA hash. Cloud tests files. Machine learning. Trajectory. Intel feeds.

Question 8

Cisco WSA

Answer 8

Web Security Appliance. URL Filtering. Websense type features.

Question 9

Cisco CWS

Answer 9

Cloud Web Security. Basically, Websense in the cloud. Request goes from ASA to CWS where decision is made.

Question 10

Cisco ESA

Answer 10

Email Security Appliance. Incoming reputation filter, outgoing DLP

Question 11

Cisco CES

Answer 11

ESA in the cloud

Question 12

Cisco Firepower

Answer 12

NGFW with VPN, IPS, AMP, DNS inspection, application visibility and control, reputation-based filtering, URL filtering, SSL decryption, and so on

Question 13

Netflow

Answer 13

Collects/monitors network traffic flow data.
Audit trail.
Unidirectional series of packets bet. source and destination.

Question 14

What does Netflow data contain?

Answer 14

Metadata
5 Tuple
Interfaces
Duration of comms
Transmission rate
Amount of data

Question 15

Netflow vs. IPS

Answer 15

Netflow looks at headers. IPS does deep packet analysis.

Netflow is information about comms. IPS can drop packets.

Question 16

Runbook automation

Answer 16

Automated reactions. Can minimize time bet. discovery and remediation.

Question 17

Runbook parts

Answer 17

Tools, Workflows, Processes

Question 18

Sliding Window

Answer 18

Relates to anomaly detection. Needs to be long enough to define normal traffic.

Question 19

Non-discretionary access control

Answer 19

Role Based AC. Job function related.

Question 20

Network vs. Host AV

Answer 20

Network AV takes action on files that are traversing the network.

Host AV is run by endpoints.

Question 21

Agent vs. Agentless

Answer 21

Netflow is agentless

Question 22

SIEM Capabilities

Answer 22

Monitoring
IR
Anomaly Detection
Real time rule based alerts
Correlation
Logging and reporting
Reports

Question 23

New Syslog name

Answer 23

rsyslog (old was syslogd)

Question 24

Syslog config file location

Answer 24

/etc/syslog.conf

Question 25

27002:2013

Answer 25

provides guidelines for organizational information, security standards, and information security management practices,

Question 26

Vulnerability management

Answer 26

identifying, classifying, remediating, and mitigating vulnerabilities in software, firmware, and hardware.

Question 27

Configuration management

Answer 27

process for establishing and maintaining consistency of a product's performance, functional requirements, and design throughout the product's life cycle.

Question 28

Digital signature creation

Answer 28

Hash the document Encrypt the hash with private key of signer Encrypted hash is appended to document

Question 29

Digital signature verification

Answer 29

Recipient check public key of the signer Recipient decrypts the signature using he public key leaving the hash Recipient rehashes the document. Hash match means it's authentic.

Question 30

CSR contains

Answer 30

System name, organization, location, enrolling systems public key info.

Question 31

TACACS+ Hashing algorithm

Answer 31

MD5

Question 32

MD5 vs. SHA-1

Answer 32

128 bit vs. 160 bit digest. | NIST recommends avoiding both

Question 33

ECDHE_ECDSA

Answer 33

Authentication and Key Exchange

Question 34

DSA

Answer 34

Assymetric. Digital Signature Algorithm. Creates digital sigs. (hashing)

Question 35

PRF

Answer 35

Pseudorandom Function

Question 36

Cipher Suite Contains...

Answer 36

``` Authentication Key Exchange Encryption Algorithm MAC (SHA) PRF ```

Question 37

TLS 1.2

Answer 37

Defines mandatory cipher suites (RSA, AES, SHA)

Question 38

TLS 1.2 Mandatory Cipher Squites

Answer 38

RSA, AES, SHA

Question 39

PKCS

Answer 39

Public Key Crypto Standard.. Numbered standards for RSA, DH, PKI Syntax and more

Question 40

Windows Process

Answer 40

Instance of an executing program

Question 41

Windows thread

Answer 41

Basic unit that OS allocates processing time to. Can execute any part of the process code.

Question 42

Windows object handle

Answer 42

Accesses resources (files, etc) on behalf of a process. Processes can't access resources directly. Must use handles.

Question 43

Windows Memory allocated to which modes

Answer 43

Kernel mode and User mode

Question 44

Transaction data

Answer 44

Log files for various services (HTTP, SMTP, Linux, etc.) Includes client action and system own action).

Question 45

Session data

Answer 45

Metadata similar to NetFlow or phone bill. 5 tuple info, time stamps, etc. Summary of comms bet. 2 parties.

Question 46

Extracted content

Answer 46

Mined from network traffic

Question 47

Facility

Answer 47

application or process that submits the log message.

Question 48

RFC 1918

Answer 48

Internal private addresses

Question 49

NSA Suite B

Answer 49

``` RFC 6739 Crypto algorithms devices must support to meet federal standards. AES 128-256 (CTR-GCM) ECDSA, ECDH SHA256-384 ```

Question 50

Linux PS command

Answer 50

Get information about processes

Question 51

ps -f

Answer 51

Full output

Question 52

ps -e

Answer 52

Everyone (all users)

Question 53

ps -f

Answer 53

Full output for everyone

Question 54

ps aux

Answer 54

ps -ef for BSD

Question 55

ps -fC sshd

Answer 55

-C used to filter by process

Question 56

Alert data

Answer 56

Generally produced by IPS/IDS

Question 57

packets, bytes, and bandwidth =

Answer 57

NetFlow

Question 58

Process# for forked process

Answer 58

0

Question 59

AV vs. Anti-Malware

Answer 59

AV: Signature/heuristics/behavior based. Low efficacy AM: Anomaly, Big data, continuous analysis, advanced analytics

Question 60

App visibility and control

Answer 60

Differentiating between parts of services (Allow IM, but not file transfer. Allow Facebook, but not facebook games)

Question 61

NextGen FW Connection Event

Answer 61

Blocked connections based on rules. Time, hosts, protocols, amount of data

Question 62

IPS/Intrusion Event

Answer 62

Based on IPS rule that triggers event. ``` Packet level info. Time 5 tuple Country Triggering rule ```

Question 63

NGFW Host event

Answer 63

Host profile IOC's Category Event type

Question 64

Network discovery events

Answer 64

Triggered by changes on the network

Question 65

Netflow event

Answer 65

Used to detect data loss using Cisco Stealthwatch. Flows denied by access rule

Question 66

NTP attacks

Answer 66

Amplification. Falsify time advertisement to throw off logs. Possible to auth time source (NTP Server)

Question 67

Web proxy log

Answer 67

Precise logging of browsing sessions and can help investigate web based attacks.

Question 68

Attack surface vs. Vulnerabilty

Answer 68

Surface is "total sum of all the vulnerabilities" Vulnerability is a defect in SW or HW.

Question 69

Attack surfaces

Answer 69

Software, physical, network, human

Question 70

SQL Injection

Answer 70

Can read, modify data, execute admin ops, and sometimes issue OS commands. Input validation.

Question 71

Command injection attacks (2)

Answer 71

SQL injection. XSS Input validation and IPS

Question 72

XSS

Answer 72

Injection of malicious scripts that run on client. Caused by weakness in client scripting languages

Question 73

XSS Countermeasures

Answer 73

Input validation, DNS block, web proxy, IPS, Education

Question 74

IPS Evasion methods

Answer 74

Traffic fragmentation Traffic substitution/insertion (Unicode characters) Encryption/Tunneling

Question 75

Traffic fragmentation

Answer 75

IP Fragmentation. Fragment all IP traffic if IPS doesn't do fragment reassembly. TCP fragmentation:

Question 76

TCP fragmentation

Answer 76

Fragment a TCP stream to overwrite/overlap previous TCP segment with new data. Hides attack

Question 77

Traffic substitution

Answer 77

Substitute payload with other data that has the same meaning. Unicode, case sensitivity change, substitute spaces with tabs.

Question 78

Evasion: Tunneling

Answer 78

Hide traffic over permitted protocol like DNS, HTTP. Or combine encryption & tunneling: HTTPS

Question 79

Protocol-level misinterpretation

Answer 79

Change aspects of packets to confuse IPS sensor. TCP checksum Big/Little Endian

Question 80

Hard links

Answer 80

Directories (not really links)

Question 81

Malware (3)

Answer 81

Virus, Work, Trojan)

Question 82

Remote vs. Local Exploit

Answer 82

Remote works over the network without prior access. Local exploit requires prior access (an account on the system). Lead to privilege escalation. (DOES NOT require physical access). Social engineering

Question 83

AES CTR

Answer 83

Part of NSA Suite B, though GCM is more common Both are counter mode