Network Security Concepts and Policies

Question 1

How can unauthorized access by a hacker to a company’s information hurt that company?

Answer 1

1) It can cause damage or destruction to proprietary data
2) It can negatively affect company productivity
3) It can impede the capability to compete
4) It can harm relationships with customers and business partners who question the capability of the company to protect it’s confidential information.

Question 2

Though Individuals and corporations benefit from the elastic deployment of services in the cloud, what have these dramatic changes in business services done?

Answer 2

They have exacerbated the risks in protecting data and the entities using it (Individuals, businesses, governments, etc).

Question 3

What are four (4) things to consider when planning network security?

Answer 3

1) Examine the need for security
2) Look at what you are trying to protect
3) Examine the different trends for attacks and protection
4) Examine principles of secure network design

Question 4

As companies move more of their business functions to the public network what should they do?

Answer 4

There is a need for them to take precautions to ensure that:

1) the data cannot be compromised
2) The data is not accessible to anyone who is not authorized to see it.

Question 5

What are the Basic Security Assumptions?

Answer 5

1) Modern networks are very large, interconnected and run both ubiquitous and proprietary protocols. Therefore, they care often open to access, and a potential attacher can with relative ease attach to, or remotely access, such networks. Widespread IP inter-networking increases the probability that more attacks will be carried out over large, heavy interconnected networks such as the internet.
2) Computer systems and applications that are attached to these networks are becoming increasingly complex. In terms of security, it becomes more difficult to analyze, secure, and properly test the security of the computer system and applications. It is even more so when virtualization is involved. When these systems and their applications are attached to the large network, the risk to computing dramatically increases.

Question 6

What are the three (3) things that must be guaranteed in order to provide adequate protection of network resources?

Answer 6

1) Confidentiality - guarantees that only authorized users can view sensitive information.
2) Integrity - guarantees that only authorized users can change sensitive information and provides a way to detect whether data has been tampered with during transmission; this might also guarantee authenticity of data.
3) Availability of systems and data - provides uninterrupted access by authorized users to important computing resources and data.

Question 7

When designing network security what are the 4 things a designer must be aware of?

Answer 7

1) The threats (possible attacks) that could compromise security
2) The associated risks of the threats (how relevant those threats are for a particular system)
3) The cost to implement the proper security countermeasures for a threat
4) A cost vs benefit analysis to determine whether it’s worthwhile to implement the security countermeasure.

Question 8

True or false?

Although viruses, worms and hackers monopolize the headlines about information security, risk management is the most important aspect of security architecture for administrators.

Answer 8

True

Risk management is based on specific principles and concepts that are related to asset protection and security management.

Question 9

What is an asset?

Answer 9

An asset is something of value to an organization.

By knowing which assets you are trying to protect, as well as their value, location, and exposure, you can more effectively determine the time, effort, and money to spend in securing those assets.

Question 10

What is a vulnerability?

Answer 10

It is a weakness in a system or it’s design that could be exploited by a threat.

Vulnerabilities can be found in protocols, operating systems, applications, written security policies, etc

Question 11

What is a threat?

Answer 11

A threat is any potential danger to assets. It is realized when someone or something identifies a specific vulnerability and exploits it, creating exposure.

A latent threat is one that exists theoretically but has not yet been exploited.

The entity that takes advantage of the vulnerability is known as a threat agent or threat vector.

Question 12

What is a risk?

Answer 12

A likelihood that a particular threat using a specific attack will exploit a particular vulnerability of a system that results in an undesirable consequence.

Question 13

If you have A vulnerability but there is no threat toward the vulnerability, technically you have no risk.

Answer 13

If you have a vulnerability but there is no threat toward the vulnerability, technically you have no risk.

Question 14

What is an exploit?

Answer 14

An Exploit is an attack performed against a vulnerability

Question 15

What is a countermeasure?

Answer 15

A countermeasure is a safeguard/protection that mitigates the potential risk.

Question 16

What kind of data has little or no confidentiality, integrity or availability requirements and therefore little effort is made to secure it.

Answer 16

Unclassified Data

Question 17

What kind of data if leaked could have undesirable effects on the organization?

Answer 17

Restricted data.

This classification is common among NATO countries but not used by all nations.

Question 18

What kind of data must comply with confidentiality requirements

Answer 18

Confidential Data. It is the lowest level of classified data in this scheme.

Question 19

What kind of data would you take significant effort to keep secure because its disclosure could lead to serious damage?

Answer 19

Secret Data.

The number of individuals who have access to Secret Data is usually considerably fewer than the number who are authorized to access confidential data.

Question 20

What kind of data would you make great effort and sometimes incur considerable costs to guarantee its secrecy since disclosure could lead to exceptionally grave damage.

Answer 20

Top Secret Data

Usually a small number of individuals have access to top-secret data, on condition that there is a need to know.

Question 21

What data classification, popular among governments, designates data that could prove embarrassing if revealed, but no great security breach would occur.

Answer 21

Sensitive But Unclassified (SBU)

SBU is a broad category that also includes the “For Official Use Only” designation.

Question 22

Private Sector Classification Scheme:

What classification designates data that’s often displayed in marketing literature or on publicly accessible websites?

Answer 22

Public

Question 23

Private Sector Classification Scheme:

What classification designates data that if disclosed potentially leads to embarrassment but no serious security breach?

Answer 23

Sensitive

Data in this classification is similar to the SBU classification in the government model

Question 24

Private Sector classification Scheme:

What data classification designates data that is important to an organization.

Answer 24

Private

You make an effort to maintain the secrecy and accuracy of this data.

Question 25

Private Sector Classification Scheme:

What data classification designates data that companies make the greatest effort to secure? e.g. Trade secrets, employee personnel files

Answer 25

Confidential

Question 26

What factors are considered when classifying data?

Answer 26

Value - #1 Criterion. Not all data has the same value
Age - For many types of data, its importance changes with time
Useful life - Data is usually valuable for only a set window of time. After the window expires its usually declassified.
Personal association - data of this type usually involves something of a personal nature. Steps are usually taken to protect this data until the person is deceased.

Question 27

What are the most common roles associated with data?`

Answer 27

Owner
Custodian
User

Question 28

Which role is ultimately responsible for the information?

Answer 28

Owner

Usually a senior-level manager who is in charge of a business unit. The owner:
Classifies the data
Selects the custodian of the data
Directs the actions of the custodian
Should periodically review classified data
Is Ultimately responsible.

Question 29

Which role is usually a member of the IT staff who has the day-to-day responsibility for data maintenance?

Answer 29

Custodian

The custodian marks the data to enforce the security controls (decided by owner).
Custodian maintains availability of data by regularly backing up data and ensuring backup media are secure.
Review security settings of the data as part of their maintenance responsibility.

Question 30

Which role bears no responsibility for the classification or maintenance of classified data?

Answer 30

Users

Users bear responsibility for using the data in accordance with established operational procedures in order to maintain the security of the data while it’s in their possession.

Question 31

What are the broad categories used to classify vulnerabilities?

Answer 31

Policy flaws
Design errors
Protocol weaknesses
Software vulnerabilities
Misconfiguration
Hostile code
Human Factor

Question 32

What are the three countermeasure category classifications

Answer 32

Administrative - Controls are are largely policies and procedures
Technical - Controls that involve electronics, hardware, software, etc
Physical - Controls that are mostly mechanical

Question 33

The following controls are examples of which control category?

Security Awareness training
Security Policies and standards
Change controls and configuration controls
Security Audits and tests
Good hiring practices
Background checks of contractors and employees

Answer 33

Administrative Controls

Question 34

The following controls are examples of which control category?

Security Awareness training
Security Policies and standards
Change controls and configuration controls
Security Audits and tests
Good hiring practices
Background checks of contractors and employees

Answer 34

Administrative Controls

Question 35

The following controls are examples of which control category?

Firewalls
Intrusion Prevention Systems
Virtual Private Network (VPN) concentrators and clients
TACACS+ and RADIUS servers
One-Time Password (OTP) solutions
Smart carts
Biometric authentication devices
Network Admission Control (NAC) systems
Routers with ACLs

Answer 35

Technical Controls

Question 36

The following controls are examples of which control category?

Locked doors
Intruder detection systems
Locks
Safes
Racks
Uninterruptible power supplies (UPS)
Fire-Suppression systems
Positive air-flow systems

Answer 36

Physical controls

Question 37

What are the three (3) types of controls?

Answer 37

Preventive: the control prevents access
Deterrent: the control deters access
Detective: the control detects access

All three categories of controls (Administrative, Technical or Physical) can be one of the three types (Preventive, deterrent or detective).

Question 38

True or false? A security control is any mechanism that you put in place to reduce risk of compromise of any of the three CIA objectives.

Answer 38

True

Question 39

Preventative controls exist to prevent compromise.

A good security design also prepares for failure, recognizing that prevention will not always work. Detective controls enable you to detect a security breach and to determine how the network was breached.

Without detective controls it’s extremely difficult to determine what you need to change.

Answer 39

True

Question 40

Deterrent controls are designed to scare away a certain percentage of adversaries to reduce the number of incidents.

Answer 40

True

Question 41

What are the two key questions involved in risk management?

Answer 41

What does the cost-benefit analysis of your security system tell you?

How will the latest attack techniques play out in your network environment

Question 42

What are the 4 ways to deal with [Security] risks?

Answer 42

Mitigate
Ignore
Accept
Transfer

Question 43

What 4 activities contribute to reducing/mitigating risks?

Answer 43

Limitation/Avoidance - Creating a secure environment by not allowing actions that would cause risks to occur… eg. installing a firewall, using encryption systems, strong authentication.

Assurance - Ensuring policies, standards and practices are followed.

Detection - Detecting intrusion attempts and taking appropriate action to terminate the intrusion.

Recovery - Restoring the system to operational state

Question 44

What are the key factors you should consider when designing a secure network?

Answer 44

Business needs
Risk Analysis
Security Policy
Industry best practices
Security Operations

Question 45

What are the key factors you should consider when designing a secure network?

Answer 45

Business needs
Risk Analysis
Security Policy
Industry best practices
Security Operations