Part 2 (ch 10-14) Flashcards

1
Q

packet filtering firewall

A

configured with ACL
stateless - doesn’t keep info about sessions
Shield IP address from external users

2
Q

stateful inspection firewall

A

tracks info about sessions, blocks malware attempts to start bogus sessions

3
Q

Application Aware Firewalls

A

OSI-7
Protects data at the highest layer of the protocol stack
Protects an app (i.e. SQL Server database)
also all firewalls perform filtering (IP, port,…)

4
Q

Appliance Firewall

A

Monitor traffic passing into & out of a network zone

OSI-2 or OSI-3

5
Q

Network Operating System (NOS) firewall

A

Software-based firewall as a gateway/proxy for a network segment

6
Q

Host-based (personal firewall) firewall

A

protects the host only, uses ACL packet filtering, allow or deny processes from accessing a network

7
Q

non-transparent proxy
vs
transparent (forced/intercepting) proxy

A

Client must be configured, modifies requests
Client doesn’t need to be reconfigured or modify request
Both sit between computer & internet

8
Q

Forward vs Reverse proxy server

A

Forward sends traffic

Reverse gets inbound (external) traffic

9
Q

NIDS

A

Network Intrusion Detection System
capture network traffic with a sniffer

detect attack signatures, password guessing attempts, port scans, worms, backdoor applications, malformed packets or sessions, and policy violations

10
Q

Signature-based detection

A

(or pattern-matching) means that the engine is loaded with a database of attack patterns or signatures. If traffic matches a pattern, then the engine generates an incident.

11
Q

Behavioral-based detection

A

recognize baseline traffic or events

12
Q

heuristics

A

model of baseline traffic
false positive - legit behavior creates an alert
false negative - malware not detected

13
Q

User and entity behavior analytics (UEBA)

A

scan indicators from multiple intrusion detection and log sources to identify anomalies
Work with SIEM

14
Q

What is the best option for monitoring traffic passing from host-to-host on the same switch?

A

The only option for monitoring intra-switch traffic is to use a mirrored port.

15
Q

What sort of maintenance must be performed on signature-based monitoring software?

A

Installing definition/signature updates and removing definitions that are not relevant to the hosts or services running on your network.

16
Q

WAF

A

A web application firewall (WAF) is designed to protect HTTP and HTTPS applications. It can be configured with signatures of known attacks against applications, such as injection-based attacks or scanning attacks.

17
Q

If a Windows system file fails a file integrity check, should you suspect a malware infection?

A

Yes, malware likely caused it

18
Q

What is the purpose of SIEM?

A

SIEM products aggregate IDS alerts and host logs from multiple sources, then perform correlation analysis on the observables collected to identify indicators of compromise and alert administrators to potential incidents.

19
Q

Does Syslog perform all the functions of a SIEM?

A

No, syslog allows remote hosts to send logs to a server, but syslog does not aggregate/normalize the log data or run correlation rules to identify alertable events.

20
Q

What is the difference between a sensor and a collector, in the context of SIEM?

A

A SIEM collector parses input (such as log files or packet traces) into a standard format that can be recorded within the SIEM and interpreted for event correlation. A sensor collects data from the network media.

21
Q

What is SOAR for?

A

With SIEM, automates scanning & analyzing alerts that would overwhelm an analyst

22
Q

DNS & DHCP

A

While a DHCP server sends out information that clients need to communicate with other machines and services, DNS ensures that servers, clients, and services can be found by their names

23
Q

Domain hijacking

A

attacker gets company trade name (typo)

24
Q

DNS Poisoning

A

screws with IP for FQDN
Man-in-the-middle - LAN+ARP Poisoning = spoof
DNS Client Cache - HOSTS, redirect traffic
DNS Server cache - DoS, corrupt records

25
Q

What vulnerabilities does a rogue DHCP server expose users to?

A

Denial of service (providing an invalid address configuration) and spoofing (providing a malicious address configuration—one that points to a malicious DNS, for instance)

26
Q

DNSSEC

A

prevents spoofing & poisoning

27
Q

Simple Network Management Protocol (SNMP)

How to secure SNMPv2 service?

A

framework for management and monitoring for devices on IP network

Configure strong community names and use access control lists to restrict management operations to known hosts.

28
Q

What are the advantages of SASL over LDAPS?

A

The Simple Authentication and Security Layer (SASL) allows a choice of authentication providers and encryption (sealing)/integrity (signing) mechanisms. By contrast, LDAPS uses Transport Layer Security (TLS) to encrypt traffic, but users still authenticate via simple binding. Also, SASL is the standards-based means of configuring LDAP security.

29
Q

cipher suites

A

algorithms supported by both the client and server to perform the different encryption and hashing operations required by the protocol. Prior to TLS 1.3,
a cipher suite would be written in the following form:
ECDHE-RSA-AES128-GCM-SHA256

30
Q

SFTP

SMTP

A

SSH File Transfer (fixes FTP privacy used by HTTP)

Simple Mail Transfer Protocol - TLS

31
Q

ESP

A

Encapsulating Security Payload - CIA
encrypts packet
IPSec modes:
Transport - Payload encrypted
Tunnel - IP Packet (head+payload) encrypted

32
Q

OOB - out of band

A

In-band shares traffic, uses VLAN

OOB - more secure but costly to separate network infrastructure

33
Q

What is Microsoft’s TLS VPN solution?

A

The Secure Sockets Tunneling Protocol (SSTP)

34
Q

AH

A

Authentication Header (AH) provides message authentication and integrity but not confidentiality

35
Q

Which protocol is often used in conjunction with IPSec to provide a remote access client VPN with
user authentication?

A

Layer 2 Tunneling Protocol (L2TP).

36
Q

hardware Root of Trust (RoT)

A

trust anchor or a secure subsystem able to provide attestation (trusted by receiver)

Scan boot metrics & OS files to verify signatures

37
Q

What is TPM used for?

A

It's a cryptoprocessor (hardware storing encryption keys) that establishes RoT
asymmetric key

38
Q

Secure Boot
Measured Boot
Boot Attestation

A

Check for malicious OS hijacks
TPM, kernel code, check each startup component
boot log shows compromise

39
Q

Why are OS-enforced file access controls not sufficient in the event of the loss or theft of a computer or mobile device?

A

File-level, full disk encryption (FDE), or self-encrypting drives (SED) mitigate this by requiring the presence of the user’s decryption key to read the data.