Part2 (ch 10-14)

Question 1

packet filtering firewall

Answer 1

configured with ACL
stateless - doesn’t keep info about sessions
Shield IP address from external users

Question 2

stateful inspection firewall

Answer 2

tracks info about sessions, blocks malware attempts to start bogus sessions

Question 3

Application Aware Firewalls

Answer 3

OSI-7
Protects data at the highest layer of the protocol stack
Protects an app (ie sql server database)
also all firewalls perform filtering (IP, port,…)

Question 4

Appliance Firewall

Answer 4

Monitor traffic passing into & out of a network zone

OSI-2 or OSI-3

Question 5

Network Operating System (NOS) firewall

Answer 5

Software-based firewall as a gateway/proxy for a network segment

Question 6

Host-based (personal firewall) firewall

Answer 6

protects the host only, uses ACL packet filtering, allow or deny processes from accessing a network

Question 7

non-transparent proxy
vs
transparent (forced/intercepting) proxy

Answer 7

Client must be configured, modifies requests
Client doesn’t need to be reconfigured or modify request
Both sit between computer & internet

Question 8

Forward vs Reverse proxy server

Answer 8

Forward sends traffic

Reverse gets inbound (external) traffic

Question 9

NIDS

Answer 9

Network Intrusion Detection System
capture network traffic with a sniffer

detect attack signatures, password guessing attempts, port scans, worms, backdoor applications, malformed packets or sessions, and policy violations

Question 10

Signature-based detection

Answer 10

(or pattern-matching) means that the engine is loaded with a database of attack patterns or signatures. If traffic matches a pattern, then the engine generates an incident.

Question 11

Behavioral-based detection

Answer 11

recognize baseline traffic or events

Question 12

heuristics

Answer 12

model of baseline traffic
false positive - legit behavior creates an alert
false negative - malware not detected

Question 13

User and entity behavior analytics (UEBA)

Answer 13

scan indicators from multiple intrusion detection and log sources to identify anomalies
Work with SIEM

Question 14

What is the best option for monitoring traffic passing from host-to-host on the same switch?

Answer 14

The only option for monitoring intra-switch traffic is to use a mirrored port.

Question 15

What sort of maintenance must be performed on signature-based monitoring software?

Answer 15

Installing definition/signature updates and removing definitions that are not relevant to the hosts or services running on your network.

Question 16

WAF

Answer 16

A web application firewall (WAF) is designed to protect HTTP and HTTPS applications. It can be configured with signatures of known attacks against applications, such as injection-based attacks or scanning attacks.

Question 17

If a Windows system file fails a file integrity check, should you suspect a malware infection?

Answer 17

Yes, malware likely caused it

Question 18

What is the purpose of SIEM?

Answer 18

products aggregate IDS alerts and host logs from multiple sources, then perform correlation analysis on the observables collected to identify indicators of compromise and alert administrators to potential incidents.

Question 19

Does Syslog perform all the functions of a SIEM?

Answer 19

No, syslog allows remote hosts to send logs to a server, but syslog does not aggregate/normalize the log data or run correlation rules to identify alertable events.

Question 20

What is the difference between a sensor and a collector, in the context of SIEM?

Answer 20

A SIEM collector parses input (such as log files or packet traces) into a standard format that can be recorded within the SIEM and interpreted for event correlation. A sensor collects data from the network media.

Question 21

What is SOAR for?

Answer 21

with SIEM, automates scan & analyze alerts that would overwhelm an analyst

Question 22

DNS & DHCP

Answer 22

While a DHCP server sends out information that clients need to communicate with other machines and services, DNS ensures that servers, clients, and services can be found by their names

Question 23

Domain hijacking

Answer 23

attackers gets company trade name (typo)

Question 24

DNS Poisoning

Answer 24

screws with IP for FQDN
Man-in-the-middle - LAN+ARP Poisoning = spoof
DNS Client Cache - HOSTS, redirect traffic
DNS Server cache - DoS, corrupt records

Question 25

What vulnerabilities does a rogue DHCP server expose users to?

Answer 25

Denial of service (providing an invalid address configuration) and spoofing (providing a malicious address configuration—one that points to a malicious DNS, for instance)

Question 26

DNSSEC

Answer 26

prevent spoofing & poisoning

Question 27

Simple Network Management Protocol (SNMP)

How to secure SNMPv2 service?

Answer 27

framework for management and monitoring for devices on IP network

Configure strong community names and use access control lists to restrict management operations to known hosts.

Question 28

What are the advantages of SASL over LDAPS?

Answer 28

The Simple Authentication and Security Layer (SASL) allows a choice of authentication providers and encryption (sealing)/integrity (signing) mechanisms. By contrast, LDAPS uses Transport Layer Security (TLS) to encrypt traffic, but users still authenticate via simple binding. Also, SASL is the standards-based means of configuring LDAP security.

Question 29

cipher suites

Answer 29

algorithms supported by both the client and server to perform the different encryption and hashing operations required by the protocol. Prior to TLS 1.3,
a cipher suite would be written in the following form:
ECDHE-RSA-AES128-GCM-SHA256

Question 30

SFTP

SMTP

Answer 30

SSH File Transfer (fixes FTP privacy used by HTTP)

Simple Mail Transfer Protocol - TLS

Question 31

ESP

Answer 31

Encapsulation Security Payload - CIA
encrypts packet
IPSec modes:
Transport - Payload encrypted
Tunnel - IP Packet (head+payload) encrypted

Question 32

OOB - out of band

Answer 32

in-band shares traffic use VLAN

OOB - more secure but costly to separate network infrastructure

Question 33

What is Microsoft’s TLS VPN solution?

Answer 33

The Secure Sockets Tunneling Protocol (SSTP)

Question 34

AH

Answer 34

Authentication Header (AH) provides message authentication and integrity but not confidentiality

Question 35

Which protocol is often used in conjunction with IPSec to provide a remote access client VPN with
user authentication?

Answer 35

Layer 2 Tunneling Protocol (L2TP).

Question 36

hardware Root of Trust (RoT)

Answer 36

trust anchor or a secure substation able to provide attestation (trusted by receiver)

Scan boot metrics & OS files to verify signatures

Question 37

What is TPM used for?

Answer 37

Its a cryptoprocessor (Hardware storing encryption keys) that establishes RoT
asymmetric key

Question 38

Secure Boot
Measured Boot
Boot Attestation

Answer 38

Check for malicious OS hijacks
TPM, kernel code, check each startup component
boot log shows compromise

Question 39

Why are OS-enforced file access controls not sufficient in the event of the loss or theft of a computer or mobile device?

Answer 39

File-level, full disk encryption (FDE), or self-encrypting drives (SED) mitigate this by requiring the presence of the user’s decryption key to read the data.