Part2 (ch 10-14) Flashcards

1
Q

packet filtering firewall

A

Configured with an access control list (ACL): rules that permit or deny packets by source/destination IP address, protocol, and port number.
Stateless: keeps no information about sessions, so every packet is judged on its own header fields.
Can block external users from reaching internal IP addresses and ports, but cannot tell a genuine reply from a forged packet that happens to match an allow rule.

2
Q

stateful inspection firewall

A

Tracks the state of each session (for example the TCP handshake) in a state table and only admits packets that belong to a session opened legitimately; blocks attempts by malware or spoofed packets to start bogus or half-open sessions.
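
As an added example that is not part of the flashcards, the following Python models the difference between cards 1 and 2: a stateless ACL that has to admit anything looking like a reply (source port 443 with the ACK flag set, the way a router's "established" rule does), beside a stateful filter that keeps a session table. The packets, addresses and rule set are constructed for the demo; neither class is a real firewall.

```python
# Added example: stateless ACL vs stateful session tracking (toy models, not a real firewall).
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags, e.g. "S" (SYN), "SA" (SYN/ACK), "A" (ACK)


INSIDE = "10.0.0."  # constructed internal network prefix


def _match(value, prefix):
    return prefix == "any" or value.startswith(prefix)


# Stateless ACL, evaluated top-down, first match wins.
# (action, src prefix, dst prefix, sport, dport, require ACK flag)
STATELESS_ACL = [
    ("permit", INSIDE, "any", None, 443, False),  # inside hosts may open HTTPS
    ("permit", "any", INSIDE, 443, None, True),   # "established": replies from port 443 with ACK
    ("deny", "any", "any", None, None, False),
]


def stateless_filter(pkt):
    """Judge one packet on its own header fields; no memory of earlier packets."""
    for action, src, dst, sport, dport, need_ack in STATELESS_ACL:
        if (_match(pkt.src, src) and _match(pkt.dst, dst)
                and (sport is None or pkt.sport == sport)
                and (dport is None or pkt.dport == dport)
                and (not need_ack or "A" in pkt.flags)):
            return action
    return "deny"


class StatefulFilter:
    """Admit inbound packets only if they belong to a session an inside host opened."""

    def __init__(self):
        self.sessions = set()  # (inside ip, inside port, outside ip, outside port)

    def filter(self, pkt):
        if pkt.src.startswith(INSIDE):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.dport == 443 and pkt.flags == "S":  # new outbound HTTPS session
                self.sessions.add(key)
                return "permit"
            return "permit" if key in self.sessions else "deny"
        # inbound: look the packet up against sessions opened from inside
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "permit" if key in self.sessions else "deny"


def run_demo():
    """Return both filters' verdicts on a real handshake and a forged 'reply'."""
    client_syn = Packet("10.0.0.5", 51000, "203.0.113.10", 443, "S")
    server_synack = Packet("203.0.113.10", 443, "10.0.0.5", 51000, "SA")
    # Forged packet: looks like an HTTPS reply (sport 443, ACK) but targets SMB on the client
    forged = Packet("198.51.100.7", 443, "10.0.0.5", 445, "A")
    stateful = StatefulFilter()
    sequence = (client_syn, server_synack, forged)
    return {
        "stateless": [stateless_filter(p) for p in sequence],
        "stateful": [stateful.filter(p) for p in sequence],
    }


if __name__ == "__main__":
    print(run_demo())  # stateless admits the forged packet; stateful drops it
```

The forged packet passes the stateless ACL because the ACL can only see header fields, and "source port 443 plus ACK" is exactly what a reply looks like. The stateful filter drops it because no inside host ever opened a session to 198.51.100.7.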

3
Q

Application Aware Firewalls

A

OSI layer 7 (application).
Inspects and protects data at the highest layer of the protocol stack, so it understands the application protocol (for example HTTP or SQL) rather than just packet headers.
Protects a specific application (for example a SQL Server database).
All firewalls still perform basic filtering (IP address, port, ...) underneath.

4
Q

Appliance Firewall

A

A dedicated hardware device that monitors traffic passing into and out of a network zone.

Works at OSI layer 3 (routed mode, the firewall is a hop with its own IP addresses) or OSI layer 2 (transparent/bridged mode, which drops into an existing segment without re-addressing).

5
Q

Network Operating System (NOS) firewall

A

Software-based firewall running on a server operating system, acting as a gateway or proxy for a network segment.

6
Q

Host-based (personal firewall) firewall

A

Protects only the host it is installed on; uses ACL-style packet filtering and can additionally allow or deny individual processes (applications) access to the network.

7
Q

non-transparent proxy
vs
transparent (forced/intercepting) proxy

A

Non-transparent: the client must be configured (browser or OS proxy setting) to send its requests to the proxy, which forwards, and may modify, the requests on the client's behalf.
Transparent (forced/intercepting): the client needs no reconfiguration and does not modify its requests; the network (a router or switch rule) redirects the traffic to the proxy.
Both sit between the computer and the internet.

8
Q

Forward vs Reverse proxy server

A

Forward proxy: handles outbound requests from internal clients to the internet (client side).

Reverse proxy: receives inbound (external) requests and passes them to internal servers on their behalf (server side), hiding the servers from direct access.

9
Q

NIDS

A

Network Intrusion Detection System
Captures network traffic with a sniffer (fed by a mirror/SPAN port or a TAP) and analyzes it out of band; it alerts but does not block.

Detects attack signatures, password guessing attempts, port scans, worms, backdoor applications, malformed packets or sessions, and policy violations.

10
Q

Signature-based detection

A

(or pattern-matching) means that the engine is loaded with a database of attack patterns or signatures. If traffic matches a pattern, then the engine generates an incident.

11
Q

Behavioral-based detection

A

Learns a baseline of normal traffic or events, then flags deviations from that baseline (anomalies) instead of matching known attack signatures.

12
Q

heuristics

A

Heuristic (anomaly) analysis builds a model of baseline traffic and alerts when activity departs from it.
False positive: legitimate behavior creates an alert.
False negative: malicious activity (malware, an attack) goes undetected.

13
Q

User and entity behavior analytics (UEBA)

A

Scans indicators from multiple intrusion detection and log sources to identify anomalies in the behavior of users and entities (hosts, service accounts, devices), such as a logon at an unusual time or from an unusual location.
Works with (or as a module of) a SIEM.

14
Q

What is the best option for monitoring traffic passing from host-to-host on the same switch?

A

A mirrored (SPAN) port: the switch copies frames from the monitored ports to the port where the sensor is attached. Without it the sensor sees only traffic addressed to its own port, because a switch forwards unicast frames only to the destination port, so intra-switch host-to-host traffic would be invisible to it.

15
Q

What sort of maintenance must be performed on signature-based monitoring software?

A

Installing definition/signature updates and removing definitions that are not relevant to the hosts or services running on your network.

16
Q

WAF

A

A web application firewall (WAF) is designed to protect HTTP and HTTPS applications. It can be configured with signatures of known attacks against applications, such as injection-based attacks or scanning attacks.

17
Q

If a Windows system file fails a file integrity check, should you suspect a malware infection?

A

Possibly, but not certainly. Malware that replaces or patches a system file will fail the check, but a legitimate OS update or patch also changes system files. Confirm whether a patch was applied (update logs, the vendor's published hashes) before concluding that the change is malicious.

18
Q

What is the purpose of SIEM?

A

products aggregate IDS alerts and host logs from multiple sources, then perform correlation analysis on the observables collected to identify indicators of compromise and alert administrators to potential incidents.

19
Q

Does Syslog perform all the functions of a SIEM?

A

No, syslog allows remote hosts to send logs to a server, but syslog does not aggregate/normalize the log data or run correlation rules to identify alertable events.

20
Q

What is the difference between a sensor and a collector, in the context of SIEM?

A

A SIEM collector parses input (such as log files or packet traces) into a standard format that can be recorded within the SIEM and interpreted for event correlation. A sensor collects data from the network media.

21
Q

What is SOAR for?

A

Security Orchestration, Automation, and Response. Works alongside the SIEM to automatically triage, scan, and analyze the volume of alerts that would overwhelm a human analyst, and to run playbooks (for example block an address, open a ticket) in response to an incident.
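
Cards 18 to 21 as one pipeline, added here as an example and not taken from the flashcards: a collector that normalizes two log formats (an sshd syslog line and a simplified Windows logon event) into a common schema, a correlation rule that raises an incident when several failed logons from one address are followed by a success, and a simulated SOAR playbook that decides the response. All log lines, host names and addresses are constructed; the Windows event line is a simplification of the real 4624/4625 events.

```python
# Added example: the collector / normalize / correlate / respond chain of a SIEM+SOAR,
# run over constructed log lines. Hosts, users and addresses are made up.
import re
from datetime import datetime

RAW_LOGS = [
    "Mar 10 09:12:01 bastion sshd[4211]: Failed password for admin from 198.51.100.23 port 50122 ssh2",
    "Mar 10 09:12:04 bastion sshd[4211]: Failed password for admin from 198.51.100.23 port 50124 ssh2",
    "Mar 10 09:12:07 bastion sshd[4211]: Failed password for admin from 198.51.100.23 port 50127 ssh2",
    "Mar 10 09:12:09 bastion sshd[4213]: Accepted password for admin from 198.51.100.23 port 50130 ssh2",
    "2024-03-10T09:12:30Z DC01 EventID=4625 TargetUserName=alice IpAddress=203.0.113.77",
    "2024-03-10T09:12:33Z DC01 EventID=4624 TargetUserName=alice IpAddress=10.0.0.40",
    "Mar 10 09:13:40 bastion sshd[4220]: Failed password for bob from 10.0.0.15 port 40001 ssh2",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>[\d.]+)")
# Simplified Windows logon event line (4624 = success, 4625 = failure).
WINEVT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>[\d.]+)")


def normalize(line, year=2024):
    """Collector step: parse one raw line into the common schema, or None if unknown.
    Syslog lines carry no year, so the year is an assumption supplied by the caller."""
    m = SYSLOG_RE.match(line)
    if m:
        return {"ts": datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y"),
                "host": m["host"], "user": m["user"], "src_ip": m["ip"],
                "outcome": "success" if m["outcome"] == "Accepted" else "fail",
                "source": "sshd"}
    m = WINEVT_RE.match(line)
    if m:
        return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "host": m["host"], "user": m["user"], "src_ip": m["ip"],
                "outcome": "success" if m["eid"] == "4624" else "fail",
                "source": "windows"}
    return None


def correlate(events, min_failures=3, window_s=300):
    """Correlation rule: N or more failed logons for a user from one address,
    then a success for the same user from the same address within the window."""
    incidents = []
    ordered = sorted(events, key=lambda e: e["ts"])
    for i, e in enumerate(ordered):
        if e["outcome"] != "success":
            continue
        failures = [f for f in ordered[:i]
                    if f["outcome"] == "fail" and f["user"] == e["user"]
                    and f["src_ip"] == e["src_ip"]
                    and (e["ts"] - f["ts"]).total_seconds() <= window_s]
        if len(failures) >= min_failures:
            incidents.append({"rule": "brute-force-then-success", "host": e["host"],
                              "user": e["user"], "src_ip": e["src_ip"],
                              "failures": len(failures)})
    return incidents


def playbook(incident):
    """SOAR step (simulated): decide the automated response. A real playbook would
    call the firewall and ticketing APIs; here the decisions are returned instead."""
    return [("block_ip_at_edge", incident["src_ip"]),
            ("force_password_reset", incident["user"]),
            ("open_ticket", incident["rule"])]


def run_siem(lines=RAW_LOGS):
    events = [e for e in (normalize(l) for l in lines) if e is not None]
    incidents = correlate(events)
    return {"events": len(events), "incidents": incidents,
            "actions": [playbook(i) for i in incidents]}


if __name__ == "__main__":
    print(run_siem())
```

Card 19's point shows up in the structure: a plain syslog server would stop after storing the seven raw lines. The normalize step is what lets an sshd line and a Windows event be compared at all, and correlate is what turns seven unremarkable events into one incident (admin from 198.51.100.23); alice's failure and success come from different addresses, so no incident is raised for her.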

22
Q

DNS & DHCP

A

While a DHCP server sends out information that clients need to communicate with other machines and services, DNS ensures that servers, clients, and services can be found by their names

23
Q

Domain hijacking

A

An attacker gains control of a company's domain name registration (for example by compromising the registrar account or re-registering a domain that was allowed to lapse) and can then redirect its web traffic and mail. The related trick of registering a look-alike domain that differs from the trade name by a typo is typosquatting.

24
Q

DNS Poisoning

A

Corrupts the mapping between an FQDN and its IP address so that clients are sent to the wrong host.
Man-in-the-middle: on a LAN, ARP poisoning lets the attacker intercept DNS queries and spoof the replies.
DNS client cache: the HOSTS file (consulted before DNS) or the local resolver cache is modified to redirect traffic.
DNS server cache: a resolver is fed forged records, corrupting its cache (DoS if the records are bogus, redirection if they point at the attacker).

25
Q

What vulnerabilities does a rogue DHCP server expose users to?

A

Denial of service (providing an invalid address configuration) and spoofing (providing a malicious address configuration, for example one that points clients at an attacker-controlled DNS server or default gateway).

26
Q

DNSSEC

A

DNS Security Extensions: zone records are digitally signed, so a resolver can validate that a response is authentic and unmodified. This mitigates spoofing and cache poisoning; it does not encrypt queries.

27
Q

Simple Network Management Protocol (SNMP): what is it, and how do you secure an SNMPv2 service?

A

A framework for management and monitoring of devices on an IP network.
SNMPv2 authenticates with community strings sent in cleartext, so configure strong, non-default community names (not public/private), use access control lists to restrict management operations to known hosts, and disable read-write access where it is not needed. Prefer SNMPv3, which adds authentication and encryption.

28
Q

What are the advantages of SASL over LDAPS?

A

The Simple Authentication and Security Layer (SASL) allows a choice of authentication providers and encryption (sealing)/integrity (signing) mechanisms. By contrast, LDAPS uses Transport Layer Security (TLS) to encrypt traffic, but users still authenticate via simple binding. Also, SASL is the standards-based means of configuring LDAP security.

29
Q

cipher suites

A

The set of algorithms supported by both the client and server to perform the different key exchange, authentication, encryption, and hashing operations required by the protocol. Prior to TLS 1.3, a cipher suite name listed each of these, for example ECDHE-RSA-AES128-GCM-SHA256 (ECDHE key exchange, RSA authentication, AES-128 in GCM mode, SHA-256 hash). TLS 1.3 names such as TLS_AES_128_GCM_SHA256 carry only the cipher and hash, because key exchange is always ephemeral.

30
Q

SFTP | SMTP

A

SFTP: SSH File Transfer Protocol; file transfer carried inside an SSH session, which fixes FTP's lack of confidentiality (FTP sends credentials and data in cleartext).
SMTP: Simple Mail Transfer Protocol; mail transfer between clients and servers, secured with TLS (a STARTTLS upgrade or implicit TLS).

31
Q

ESP

A

Encapsulating Security Payload: provides confidentiality (encrypts the packet) together with integrity and authentication.
IPsec modes:
Transport: only the payload is encrypted; the original IP header is kept (host-to-host).
Tunnel: the entire original IP packet (header + payload) is encrypted and wrapped in a new IP header (gateway-to-gateway VPNs).

32
Q

OOB - out of band

A

In-band management shares the production network with user traffic (usually separated only by a VLAN).
Out-of-band (OOB) management uses a physically separate management network or a console/serial connection; more secure, because a compromised production network does not reach the management plane, but costly because it needs separate network infrastructure.

33
Q

What is Microsoft's TLS VPN solution?

A

The Secure Socket Tunneling Protocol (SSTP), which carries PPP frames inside a TLS channel on TCP port 443, so it passes through firewalls that allow HTTPS.

34
Q

AH

A

Authentication Header (AH) provides message authentication and integrity (an HMAC over the packet, including the IP header) but not confidentiality; the payload stays in cleartext. Because the header is authenticated, AH does not survive NAT.

35
Q

Which protocol is often used in conjunction with IPSec to provide a remote access client VPN with user authentication?

A

Layer 2 Tunneling Protocol (L2TP). IPsec supplies the encrypted tunnel and machine authentication; L2TP carries PPP inside it, and PPP supplies the user authentication (for example against a RADIUS server).

36
Q

hardware Root of Trust (RoT)

A

A trust anchor: a secure subsystem (typically a TPM) that can provide attestation, a report of the platform's state that a remote receiver can trust. It measures boot components and OS files and verifies their signatures or hashes against known-good values.

37
Q

What is TPM used for?

A

A cryptoprocessor (hardware that generates and stores encryption keys) that establishes the root of trust. It holds a unique asymmetric key pair (the endorsement key) whose private half never leaves the chip, records boot measurements in its platform configuration registers, and can seal keys so they are released only when the platform is in a known state.

38
Q

Secure Boot | Measured Boot | Boot Attestation

A

Secure Boot: the UEFI firmware checks the digital signature of each boot component (bootloader, kernel, drivers) and refuses to run code not signed by a trusted key, blocking malicious OS/bootloader hijacks (bootkits).
Measured Boot: each startup component is hashed and the hash recorded (extended) into TPM platform configuration registers and written to a boot log; nothing is blocked, but the log shows compromise.
Boot Attestation: the TPM signs the measurements (a quote) so a remote server can verify the boot log against known-good values before trusting the machine.

39
Q

Why are OS-enforced file access controls not sufficient in the event of the loss or theft of a computer or mobile device?

A

Because OS access controls apply only while that OS is running: whoever has the device can boot another OS from removable media or move the drive to another machine and read the files directly. File-level encryption, full disk encryption (FDE), or self-encrypting drives (SED) mitigate this by requiring the presence of the user's decryption key to read the data.