Section 3: Security Architecture Flashcards
Describes the structure, components, connections, and layout of security controls within an organization’s IT infrastructure
Security architecture
The practice of layering defenses to provide added protection
Defense in depth
A well-defined boundary between the organization and the outside world
Perimeter
Security model that emphasizes placing controls at the network and system levels to protect the information stored within
Network- or system-centric
Security model that emphasizes the protection of data regardless of its location
Data-centric
Perimeter that ensures secure access to the Internet for enterprise employees and guest users at all locations, including telecommuters and remote workers
Internet perimeter
True or false: VPN traffic is first filtered at the ingress point to the specific IP addresses and protocols that are part of the VPN service.
False: VPN traffic is first filtered at the egress point to the specific IP addresses and protocols that are part of the VPN service.
True or false: Modern IT architectures are usually decentralized and deperimeterized.
True
True or false: In distributed and decentralized architectures, the inherent risk is likely to increase, often as a function of moving critical applications, platforms, and infrastructure elements into the cloud.
False: In distributed and decentralized architectures, the THIRD-PARTY RISK is likely to increase, often as a function of moving critical applications, platforms, and infrastructure elements into the cloud.
Security architecture approach that develops a matrix showing columns that represent aspects of the enterprise that can be described or modeled and rows representing various viewpoints from which those aspects can be considered
Sherwood Applied Business Security Architecture (SABSA) Matrix
Security architecture approach that addresses security as an essential component of the overall enterprise design
The Open Group Architecture Framework (TOGAF)
Arrange the following layers of the OSI model from the bottom to the top layer:
__ Data Link __ Application __ Session __ Physical __ Network __ Presentation __ Transport
Layer 1. Physical Layer 2. Data Link Layer 3. Network Layer 4. Transport Layer 5. Session Layer 6. Presentation Layer 7. Application
Please Do Not Tell Secret Password 2 All
All People Seem To Need Data Protection
OSI layer that manages signals among network systems
Physical Layer
OSI layer that divides data into frames that can be transmitted by the physical layer
Data Link Layer
OSI layer that translates network addresses and routes data from sender to receiver
Network Layer
OSI layer that ensures data are transferred reliably in the correct sequence
Transport Layer
OSI layer that coordinates and manages user connections
Session Layer
OSI layer that formats, encrypts, and compresses data
Presentation Layer
OSI layer that mediates between software applications and other layers of network services
Application Layer
Which of the following protocols reside at the application layer of the OSI model? Select all that apply.
a. HTTP
b. FTP
c. SMTP
d. NetBIOS
e. ARP
a. HTTP
b. FTP
c. SMTP
In the OSI model, physical addressing takes place in:
a. Layer 1
b. Layer 2
c. Layer 3
d. Layer 4
e. Layer 5
b. Layer 2 - Data Link Layer
Which of the following reside at the Physical layer of the OSI model? Select all that apply.
a. Router
b. Hub
c. Switch
d. Network cabling
e. Bridge
b. Hub
d. Network cabling
In the OSI model, data compression takes place in:
a. Layer 1
b. Layer 4
c. Layer 6
d. Layer 5
c. Layer 6 - Presentation Layer
Which OSI layer assumes responsibility for managing network connections between applications?
a. Layer 1
b. Layer 4
c. Layer 6
d. Layer 5
d. Layer 5 - Session Layer
What is the name of the data unit used at the OSI physical layer?
a. Bit
b. Frame
c. Packet
d. Segment
a. Bit
What is the name of the data unit used at the OSI data link layer?
a. Bit
b. Frame
c. Packet
d. Segment
b. Frame
What is the name of the data unit used at the OSI network layer?
a. Bit
b. Frame
c. Packet
d. Segment
c. Packet
What is the name of the data unit used at the OSI transport layer?
a. Bit
b. Frame
c. Packet
d. Segment
d. Segment
What is the name of the data unit used at the OSI session layer?
a. Data
b. Frame
c. Packet
d. Segment
a. Data
What is the name of the data unit used at the OSI presentation layer?
a. Data
b. Frame
c. Packet
d. Segment
a. Data
What is the name of the data unit used at the OSI application layer?
a. Data
b. Frame
c. Packet
d. Segment
a. Data
In the OSI model, Media Access Control (MAC) and Logical Link Control (LLC) sublayers are the components of:
a. Layer 1
b. Layer 2
c. Layer 3
d. Layer 4
b. Layer 2 - Data Link Layer
User Datagram Protocol (UDP) resides at which OSI layer?
a. Layer 4
b. Layer 5
c. Layer 6
d. Layer 7
a. Layer 4 - Transport Layer
Routers operate at which OSI layer?
a. Layer 2
b. Layer 3
c. Layer 4
d. Layer 5
b. Layer 3 - Network Layer
IP addressing takes place at which OSI layer?
a. Layer 2
b. Layer 3
c. Layer 4
d. Layer 5
b. Layer 3 - Network Layer
Data encryption and decryption typically takes place at which OSI layer?
a. Layer 4
b. Layer 5
c. Layer 6
d. Layer 7
c. Layer 6 - Presentation Layer
Which of the following devices resides at the OSI data link layer?
a. Router
b. Passive hub
c. Ethernet switch
d. Repeater
c. Ethernet switch
Which of the following protocols resides at the OSI session layer?
a. HTTP
b. UDP
c. SMTP
d. NetBIOS
d. NetBIOS
Protocol suite used as the de facto standard for the Internet
TCP/IP
The process of adding addressing information to data as it is transmitted down the OSI stack
Encapsulation
A connectionless protocol used where speed is more important than error-checking and guaranteed delivery
User Datagram Protocol (UDP)
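The OSI cards above name one protocol data unit per layer (bit, frame, packet, segment, data) and define encapsulation as adding a header at each layer on the way down the stack. The following added example (it is not part of the original flashcards) builds a UDP datagram in Python by hand, wrapping application data in a Layer 4 UDP header, then a Layer 3 IPv4 header (logical/IP addressing), then a Layer 2 Ethernet header (physical/MAC addressing), and decapsulates it again on the receiving side. All addresses, ports and the payload are constructed sample values; the IPv4 checksum is the real RFC 1071 one's-complement sum, so a corrupted header is caught on the way back up.

```python
import struct

# Constructed sample addressing (not from the page): MAC addresses (Layer 2),
# IP addresses (Layer 3) and UDP ports (Layer 4).
SRC_MAC, DST_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02"
SRC_IP, DST_IP = "10.0.0.10", "192.0.2.20"
SRC_PORT, DST_PORT = 40000, 53
ETHERTYPE_IPV4, IPPROTO_UDP = 0x0800, 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_segment(payload: bytes) -> bytes:
    """Layer 4 PDU: 8-byte UDP header (ports, length, checksum) + application data.
    The UDP checksum is left at 0, which IPv4 permits; that keeps the example short."""
    return struct.pack("!HHHH", SRC_PORT, DST_PORT, 8 + len(payload), 0) + payload


def build_ip_packet(segment: bytes) -> bytes:
    """Layer 3 PDU: 20-byte IPv4 header (logical addressing, TTL, protocol) + segment."""
    src = bytes(int(o) for o in SRC_IP.split("."))
    dst = bytes(int(o) for o in DST_IP.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234,
                         0, 64, IPPROTO_UDP, 0, src, dst)
    csum = inet_checksum(header)             # computed with the checksum field = 0
    return header[:10] + struct.pack("!H", csum) + header[12:] + segment


def build_ethernet_frame(packet: bytes) -> bytes:
    """Layer 2 PDU: 14-byte Ethernet header (physical/MAC addressing) + packet.
    The 4-byte FCS trailer that the NIC appends is omitted."""
    def mac(s: str) -> bytes:
        return bytes(int(x, 16) for x in s.split(":"))
    return mac(DST_MAC) + mac(SRC_MAC) + struct.pack("!H", ETHERTYPE_IPV4) + packet


def encapsulate(payload: bytes) -> bytes:
    """Sender side: data -> segment -> packet -> frame."""
    return build_ethernet_frame(build_ip_packet(build_udp_segment(payload)))


def decapsulate(frame: bytes) -> dict:
    """Receiver side: peel one header per layer on the way back up the stack."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    if inet_checksum(packet[:ihl]) != 0:     # summing a valid header yields 0
        raise ValueError("bad IPv4 header checksum")
    segment = packet[ihl:]
    sport, dport, ulen, _ = struct.unpack("!HHHH", segment[:8])
    return {
        "src_mac": ":".join("%02x" % b for b in frame[6:12]),
        "dst_mac": ":".join("%02x" % b for b in frame[0:6]),
        "src_ip": ".".join(str(b) for b in packet[12:16]),
        "dst_ip": ".".join(str(b) for b in packet[16:20]),
        "protocol": packet[9],
        "src_port": sport,
        "dst_port": dport,
        "payload": segment[8:ulen],
    }


if __name__ == "__main__":
    frame = encapsulate(b"hello")
    print(len(frame), "bytes on the wire:", frame.hex())
    print(decapsulate(frame))
```

The byte offsets used in decapsulate are the ones a packet-filtering router reads: source and destination IP at packet offsets 12 and 16, the protocol number at offset 9, and the port numbers in the first four bytes of the Layer 4 header.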
Type of defense in depth implementation that creates a series of nested layers that must be bypassed in order to complete an attack
Concentric rings (or Nested layering)
Type of defense in depth implementation where two or more controls work in parallel to protect an asset
Overlapping redundancy
Type of defense in depth implementation that compartmentalizes access to an asset, requiring two or more processes, controls or individuals to access or use the asset
Segregation or compartmentalization
Type of defense in depth implementation that is effective in protecting very high value assets or in environments where trust is an issue
Segregation or compartmentalization
Type of defense in depth implementation that is most effective when each control is different
Overlapping redundancy
Type of defense in depth implementation from an architectural perspective where controls are placed in various places in the path of access for an asset (e.g. concentric ring model)
Horizontal defense in depth
Type of defense in depth implementation from an architectural perspective where controls are placed at different system layers - hardware, operating system, application, database, or user levels
Vertical defense in depth
What are the three types of defense in depth implementations?
- Concentric Rings (or Nested Layering)
- Overlapping Redundancy
- Segregation or Compartmentalization
A system or combination of systems that enforces a boundary between two or more networks, typically forming a barrier between a secure and an open environment
Firewall
True or false: Effective firewalls should prevent individuals on the corporate network from accessing the Internet and simultaneously prevent others on the Internet from gaining access to the corporate network to cause damage.
False: Effective firewalls should ALLOW individuals on the corporate network to access the Internet and simultaneously prevent others on the Internet from gaining access to the corporate network to cause damage.
What are the four types of network firewalls?
- Packet filtering
- Application firewall systems
- Stateful inspection
- Next generation firewall (NGFW)
A type of firewall where a screening router examines the header of every packet of data traveling between the Internet and the corporate network
Packet filtering firewall
True or False: Packet headers contain information, including the IP address of the sender, along with the port numbers authorized to use the information transmitted.
False: Packet headers contain information, including the IP address of the sender AND THE RECEIVER, along with the port numbers authorized to use the information transmitted.
This type of firewall is most effective when implemented with basic security and monitoring in mind.
Packet filtering firewall
The following are the more common attacks against packet filter firewalls except:
a. IP spoofing
b. Source routing specification
c. Denial of service attack
d. Miniature fragment attack
c. Denial of service attack
This type of firewall allows information to flow between systems but does not allow the direct exchange of packets.
Application firewall system
This is the only host computer that a company allows to be addressed directly from the public network. It is designed to screen the rest of its network from security exposure.
Bastion host
A type of firewall that employs the concept of bastion hosting in that it handles all incoming requests from the Internet to the corporate network, such as FTP or web requests.
Application firewall system
True or false: The difference between an application-level gateway and a circuit-level gateway is that the former uses a proxy for each application-level service while the latter uses only one proxy for all services.
True: The difference between an application-level gateway and a circuit-level gateway is that the former uses a proxy for each application-level service while the latter uses only one proxy for all services.
This is a server that acts as an intermediary between a workstation user and the Internet so that the enterprise can ensure security, administrative control, and caching service.
Proxy server
It takes private internal network addresses, which are unusable on the Internet, and maps them to a table of public IP addresses assigned to the organization, which can be used across the Internet.
Network Address Translation (NAT)
A type of firewall that is also referred to as dynamic packet filtering
Stateful inspection firewall
A type of firewall that tracks the destination IP address of each packet that leaves the organization’s internal network. Whenever a response to a packet is received, its record is referenced to ascertain whether the incoming message was made in response to a request that the organization sent out.
Stateful inspection firewall
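The cards above contrast a packet filtering (screening router) firewall, which decides on each packet's header fields alone, with a stateful inspection firewall, which remembers outbound requests and admits inbound packets only when they answer one. The following added Python example (not from the original flashcards) implements both decision functions and runs them over the same constructed traffic, including an IP spoofing attempt (an internal source address arriving from the Internet, one of the attacks listed above) and an unsolicited inbound packet that a stateless filter has to let through. The network ranges, server address and packets are assumptions made for the demo.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology (not from the page): the corporate network and one
# published web server. Other addresses are documentation ranges.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
WEB_SERVER, WEB_PORT = "10.1.1.80", 443


@dataclass(frozen=True)
class Packet:
    iface: str          # "ext" = arrived from the Internet, "int" = from the inside
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK, i.e. a new connection attempt


def is_internal(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INTERNAL_NET


def stateless_filter(pkt: Packet) -> str:
    """Screening-router rules: every decision is made from the headers of this
    packet alone; the filter has no memory of earlier traffic."""
    if pkt.iface == "ext" and is_internal(pkt.src):
        return "DROP (spoofed internal source)"
    if pkt.iface == "int" and is_internal(pkt.src):
        return "ALLOW (outbound)"
    if pkt.iface == "ext" and pkt.dst == WEB_SERVER and pkt.dport == WEB_PORT:
        return "ALLOW (published service)"
    # To let replies to internal clients back in, a stateless filter has to open
    # the whole ephemeral port range to anything that is not a SYN. An attacker
    # can send such packets unsolicited (the classic ACK scan).
    if pkt.iface == "ext" and pkt.dport >= 1024 and not pkt.syn:
        return "ALLOW (assumed reply)"
    return "DROP (default)"


class StatefulFirewall:
    """Dynamic packet filtering: record each outbound flow and admit inbound
    packets only when they match a recorded flow in reverse."""

    def __init__(self):
        self.flows = set()   # (proto, src, sport, dst, dport) of outbound requests

    def decide(self, pkt: Packet) -> str:
        if pkt.iface == "ext" and is_internal(pkt.src):
            return "DROP (spoofed internal source)"
        if pkt.iface == "int" and is_internal(pkt.src):
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW (outbound, flow recorded)"
        if pkt.iface == "ext":
            if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
                return "ALLOW (reply to recorded flow)"
            if pkt.dst == WEB_SERVER and pkt.dport == WEB_PORT:
                return "ALLOW (published service)"
        return "DROP (default)"


# Constructed traffic: a legitimate DNS round trip, a spoofed packet, an
# unsolicited ACK-scan probe, and a request to the published web server.
TRAFFIC = [
    Packet("int", "udp", "10.0.0.10", 40000, "192.0.2.53", 53),
    Packet("ext", "udp", "192.0.2.53", 53, "10.0.0.10", 40000),
    Packet("ext", "tcp", "10.0.0.99", 1234, "10.0.0.10", 445, syn=True),
    Packet("ext", "tcp", "198.51.100.7", 4444, "10.0.0.10", 40000),
    Packet("ext", "tcp", "198.51.100.7", 4445, WEB_SERVER, WEB_PORT, syn=True),
]


def run(traffic=TRAFFIC):
    """Return [(stateless decision, stateful decision)] for each packet, in order."""
    fw = StatefulFirewall()
    return [(stateless_filter(p), fw.decide(p)) for p in traffic]


if __name__ == "__main__":
    for p, (a, b) in zip(TRAFFIC, run()):
        print(f"{p.iface:3} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        print(f"     stateless: {a:32} stateful: {b}")
```

The fourth packet is the point of the exercise: it is addressed to the same client port that the DNS reply used, but from a different host, so the stateless filter admits it as an assumed reply while the stateful firewall drops it because no recorded flow matches. Both drop the spoofed packet, which is why anti-spoofing rules belong on the screening router regardless of which firewall type sits behind it.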
An adaptive network security system that is capable of detecting and blocking sophisticated attacks.
Next generation firewall
Utilizing a packet filtering router and a bastion host, this approach implements basic network layer security (packet filtering) and application server security (proxy services)
Screened-host firewall
An intruder in this configuration must penetrate two separate systems before the security of the private network is compromised. This is configured with the bastion host connected to the private network with a packet filtering router between the Internet and the bastion host.
N.B. This is a hybrid of packet filtering firewall and application firewall system.
This is a firewall system that has two or more network interfaces, each of which is connected to a different network.
Dual-homed firewall
This is a more restrictive form of a screened-host firewall in which a dual-homed bastion host is configured with one interface established for information servers and another for private network host computers.
This is a small, isolated network for an organization’s public servers, bastion host information servers, and modem pools.
Demilitarized zone (DMZ) or screened-subnet firewall
A DMZ connects the untrusted network to the trusted network, but it exists in its own independent space to limit access to and availability of resources. As a result, external systems can access only the bastion host and possibly the information servers in the DMZ.
Groups of devices on one or more logically segmented LAN.
VLAN
A VLAN is set up by configuring ports on a switch, so devices attached to these ports may communicate as if they were attached to the same physical network segment, although the devices are actually located on different LAN segments.
A network segment that places limited systems, applications, and data in a public-facing segment.
Demilitarized zone (DMZ)
Refers to network communication coming in
Ingress
Refers to network communication going out
Egress
True or false: Host-based methods of detecting unknown malware use specific techniques to identify common malicious code behaviors and flag them as suspicious.
False: Heuristic-based methods of detecting unknown malware use specific techniques to identify common malicious code behaviors and flag them as suspicious.
A security element that works in conjunction with routers and firewalls by monitoring network usage anomalies.
IDS
The following are limitations of an IDS except:
a. Complex configuration
b. Application-level vulnerabilities
c. Back doors into applications
d. Weaknesses in identification and authentication schemes
a. Complex configuration
True or False: Using statistical-based IDS is better than using signature-based IDS.
False: Signature-based IDSs are not able to detect all types of intrusions due to limitations of their detection rules. On the other hand, statistical-based systems may report many events outside of the defined normal activity that are still normal activities on the network. A combination of signature-based and statistical-based models provides better protection.
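The card above says signature-based and statistical-based IDSs miss different things and are best combined. The following added Python example (not part of the original flashcards) runs both kinds of detection over a constructed web-server access log: a signature rule set catches a single path-traversal request that is far too quiet to disturb any rate statistic, while a statistical rule learned from five baseline minutes catches a scanner sending 40 requests whose paths match no signature. The log lines, IP addresses, thresholds and signature patterns are all assumptions made for the demo; a legitimate internal job is included to show the false positive the card warns about.

```python
import re
import statistics
from collections import Counter

# Signature rules: patterns of known-bad requests (constructed, deliberately small).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"(?:'|%27)\s*or\s+1\s*=\s*1", re.I),
}


def make_log():
    """Constructed access log, one request per line: 'timestamp ip method path status'.
    Minutes 10:00-10:04 are quiet baseline traffic from four internal clients;
    minute 10:05 adds a scanner, one traversal attempt and a busy but legitimate job."""
    lines = []
    for m in range(6):
        for i in range(1, 5):
            for k in range(2 + (i + m) % 2):          # 2 or 3 requests per minute
                lines.append(f"2024-05-01T10:0{m}:{k:02d} 10.0.0.{i} GET /page{k}.html 200")
    lines += [f"2024-05-01T10:05:{k:02d} 198.51.100.7 GET /probe{k} 404" for k in range(40)]
    lines += ["2024-05-01T10:05:30 203.0.113.9 GET /../../etc/passwd 403"]
    lines += [f"2024-05-01T10:05:{k:02d} 10.0.0.8 GET /report{k}.csv 200" for k in range(9)]
    return lines


def parse(line):
    ts, ip, _method, path, _status = line.split()
    return {"minute": ts[:16], "ip": ip, "path": path}


def signature_alerts(events):
    """Flag any request matching a known-bad pattern, regardless of volume."""
    return sorted({(e["ip"], name) for e in events
                   for name, rx in SIGNATURES.items() if rx.search(e["path"])})


def statistical_alerts(events, baseline_minutes, k=3.0):
    """Learn the normal per-source request rate from the baseline minutes, then
    flag any source whose rate in a later minute exceeds mean + k * stddev."""
    counts = Counter((e["ip"], e["minute"]) for e in events)
    baseline = [c for (_, m), c in counts.items() if m in baseline_minutes]
    threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    return sorted({(ip, "rate-anomaly") for (ip, m), c in counts.items()
                   if m not in baseline_minutes and c > threshold})


def combined_alerts(events, baseline_minutes):
    """Union of both detectors: each covers what the other cannot see."""
    return sorted(set(signature_alerts(events))
                  | set(statistical_alerts(events, baseline_minutes)))


BASELINE = {f"2024-05-01T10:0{m}" for m in range(5)}
EVENTS = [parse(line) for line in make_log()]

if __name__ == "__main__":
    print("signature  :", signature_alerts(EVENTS))
    print("statistical:", statistical_alerts(EVENTS, BASELINE))
    print("combined   :", combined_alerts(EVENTS, BASELINE))
```

With this baseline (half the samples are 2 requests a minute, half are 3) the learned threshold is 2.5 + 3 * 0.5 = 4 requests a minute, so the statistical detector flags the scanner and also the internal job at 10.0.0.8 that sent 9 legitimate requests. That false positive is the limitation the card describes; the traversal attempt from 203.0.113.9 is only one request and is visible to the signature rule alone.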
The process of converting a plaintext message into a secure-coded form of text
Encryption
True or False: Encryption can prevent the loss of data.
False: Encryption is limited in that it cannot prevent the loss of data.
What are the key elements of cryptographic systems?
- Encryption algorithm
- Encryption key
- Key length
Mathematically based function or calculation that encrypts or decrypts data
Encryption algorithm
Piece of information similar to a password that makes the encryption or decryption process unique
Encryption key
Predetermined length for the key
Key length
True or False: The longer the key, the more difficult it is to compromise in a brute force attack where all possible key combinations are tried.
True
The use of a single, secret, bidirectional key that both encrypts and decrypts
Symmetric key system
Uses pairs of unidirectional, complementary keys that only encrypt or decrypt
Asymmetric key system
True or false: Public key systems are asymmetric cryptographic systems.
True
The symmetric key cryptographic system historically described as the most common
Data Encryption Standard (DES)
N.B. DES, with its 56-bit key, is obsolete and can be brute-forced; AES is the current standard (see below).
True or False: DES uses blocks of 64 bits.
True
The following are examples of symmetric cryptographic system except:
a. DES
b. AES
c. IDEA
d. RSA
d. Rivest-Shamir-Adleman (RSA) is the most commonly used asymmetric algorithm (public key algorithm). It can be used both for encryption and for digital signatures. The security of RSA is generally considered equivalent to factoring, although this has not been proven.
The next generation of cryptography that may solve some of the existing problems associated with current cryptographic systems, specifically the random generation and secure distribution of symmetric cryptographic keys
Quantum cryptography
A variant and more efficient form of public key cryptography that demands less computation power and therefore offers more security per bit. Its 160-bit key offers roughly the same security as an RSA-based system with a 1,024-bit key.
Elliptic Curve Cryptography (ECC)
It has replaced DES as the cryptographic algorithm standard.
Advanced Encryption Standard (AES)
The following are different versions of AES except:
a. AES-128
b. AES-192
c. AES-248
d. AES-256
c. AES-248
An electronic identification of a person or entity created by using a public key algorithm.
Digital signature
A value computed over data with a cryptographic hashing algorithm and used later to verify that the data have not been altered
Checksum (cryptographic checksum or message digest)
N.B. A plain checksum such as CRC32 detects accidental corruption only; only a cryptographic hash resists deliberate tampering.
Is composed of a public key and identifying information about the owner of the public key, signed by a trusted issuer.
Digital certificate
An authority in a network that issues and manages security credentials and public keys for message signature verification or encryption.
Certificate authority (CA)
An authority in a network that verifies the user requests for a digital certificate and tells the CA to issue it.
Registration Authority (RA)
An instrument for checking the continued validity of the certificates for which the CA has responsibility
Certificate Revocation List (CRL)
A session- or connection-layered protocol widely used on the Internet for communication between browsers and web servers, in which any amount of data is securely transmitted while a session is established.
Secure Sockets Layer (SSL)
N.B. All versions of SSL are deprecated; its successor, Transport Layer Security (TLS), is what browsers and servers negotiate today.
It is an application layer protocol that transmits individual messages or pages securely between a web client and server by establishing an SSL-type connection.
Hypertext Transfer Protocol Secure (HTTPS)
An IP network layer protocol that establishes VPN via transport and tunnel mode encryption methods
IPSec
A client-server program that opens a secure, encrypted command-line shell session from the Internet for remote logon
Secure Shell (SSH)
A standard secure email protocol that authenticates the identity of the sender and receiver, verifies message integrity, and ensures the privacy of a message’s contents, including attachments
Secure Multipurpose Internet Mail Extensions (S/MIME)
A protocol developed jointly by VISA and MasterCard to secure payment transactions among all parties involved in credit card transactions
Secure Electronic Transaction (SET)
Select all that apply. The Internet perimeter should:
a. Detect and block traffic from infected internal end points.
b. Eliminate threats such as email spam, viruses and worms.
c. Format, encrypt, and compress data.
d. Control user traffic bound toward the Internet.
e. Monitor and detect network ports for rogue activity.
a. Detect and block traffic from infected internal end points.
b. Eliminate threats such as email spam, viruses and worms.
d. Control user traffic bound toward the Internet.
e. Monitor and detect network ports for rogue activity.
The ___ layer of the OSI model ensures that data are transferred reliably in the correct sequence, and the ___ layer coordinates and manages user connections.
a. Presentation, data link
b. Transport, session
c. Physical, application
d. Data link, network
b. Transport, session
Select all that apply. The key benefits of the DMZ system are:
a. DMZs are based on logical rather than physical connections.
b. An intruder must penetrate three separate devices.
c. Private network addresses are not disclosed to the Internet.
d. Excellent performance and scalability as Internet usage grows.
e. Internal systems do not have direct access to the Internet.
b. An intruder must penetrate three separate devices.
c. Private network addresses are not disclosed to the Internet.
e. Internal systems do not have direct access to the Internet.
Which of the following best states the role of encryption within the overall cybersecurity program?
a. Encryption is the primary means of securing digital assets.
b. Encryption depends upon shared secrets and is therefore an unreliable means of control.
c. A program’s encryption elements should be handled by a third-party cryptologist.
d. Encryption is an essential but incomplete form of access control.
d. Encryption is an essential but incomplete form of access control.
The number and types of layers needed for defense in depth are a function of:
a. Asset value, criticality, reliability of each control and degree of exposure
b. Threat agents, governance, compliance and mobile device policy
c. Network configuration, navigation controls, user interface and VPN traffic
d. Isolation, segmentation, internal controls and external controls
a. Asset value, criticality, reliability of each control and degree of exposure
Which of the following is an example of a stream symmetric cryptography?
a. DES
b. AES
c. IDEA
d. RC4
d. RC4 is very fast and encrypts one bit (or byte) of data at a time. While remarkable for its simplicity and speed in software, multiple vulnerabilities have been discovered in RC4, rendering it insecure. It is especially vulnerable when the beginning of the output keystream is not discarded, or when nonrandom or related keys are used. Particularly problematic uses of RC4 have led to very insecure protocols such as WEP.
What are the two kinds of symmetric cryptography?
- Stream - very fast and encrypts one bit (or byte) of data at a time
- Block - divides the data into fixed-size blocks before encryption (e.g. 64-bit blocks for DES, 128-bit blocks for AES)
Select all that apply. Symmetric cryptography is also known as:
a. Private key cryptography
b. Secret key cryptography
c. Session key cryptography
d. Public key cryptography
a. Private key cryptography
b. Secret key cryptography
c. Session key cryptography
Public key cryptography is another term for asymmetric cryptography.
Which of the following is addressed by symmetric cryptography?
a. Confidentiality
b. Integrity
c. Authenticity
d. Non-repudiation
a. Confidentiality
In symmetric cryptography, what is the formula for determining how many keys are needed for N people?
N * (N-1) / 2 (one shared secret key per pair of people)
True or False: To achieve privacy, the receiver’s public key is used to encrypt the message.
True: Using the receiver’s public key to send the message will allow the receiver to use his private key to decrypt and read the message. Since the private key is only known to him, privacy is achieved.
True or false: To achieve non-repudiation, the sender’s public key is used to encrypt the message.
False: The sender has to encrypt the message using his private key so that, when the receiver decrypts and reads the message using the sender’s public key, he can guarantee that it came from the sender and the sender alone.
True or false: Using a hashing function allows for the confidentiality of the encrypted message.
False: Using a hashing function allows for the integrity of the encrypted message.
How many keys do 5 people need when using asymmetric encryption?
a. 1
b. 5
c. 10
d. 20
c. 10
Formula for asymmetric cryptography is 2N (each person has one key pair: a public key and a private key).
Compare symmetric cryptography, where number of keys = N * (N-1) / 2.
N.B. For N = 5 both formulas happen to give 10; for N = 10 they give 20 (asymmetric) and 45 (symmetric).
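The cards on privacy, non-repudiation, hashing and key counts above describe which key does what; the following added Python example (not part of the original flashcards) shows those rules in working code. It uses textbook RSA with two constructed key pairs built from small known primes, which is deliberately toy-sized and unpadded, so it is not usable as a real cipher; the names Alice and Bob, the message and the prime values are assumptions made for the demo. Encrypting to the receiver's public key gives privacy, applying the sender's private key to a SHA-256 hash of the message gives a verifiable signature (and the hash is what supplies integrity), and a small helper computes the N(N-1)/2 versus 2N key counts from the cards above.

```python
import hashlib

# Constructed toy key material (not from the page). Textbook RSA with ~40-bit
# moduli and no padding is NOT secure; it only shows which key does what.
E = 65537


def make_keypair(p, q):
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(E, -1, phi)            # modular inverse of E, Python 3.8+
    return (E, n), (d, n)          # (public key, private key)


ALICE_PUB, ALICE_PRIV = make_keypair(104729, 1299709)   # demo primes, assumed
BOB_PUB, BOB_PRIV = make_keypair(1000003, 999983)       # demo primes, assumed


def encrypt(pub, message: bytes) -> int:
    """Privacy: encrypt with the RECEIVER's public key; only the matching
    private key can decrypt."""
    e, n = pub
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def decrypt(priv, ciphertext: int) -> bytes:
    d, n = priv
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def digest(message: bytes, n: int) -> int:
    """Integrity: hash the message; reduced into the modulus for this toy."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(priv, message: bytes) -> int:
    """Non-repudiation: the SENDER applies its private key to the message hash."""
    d, n = priv
    return pow(digest(message, n), d, n)


def verify(pub, message: bytes, signature: int) -> bool:
    """Anyone holding the sender's public key can check the signature."""
    e, n = pub
    return pow(signature, e, n) == digest(message, n)


def keys_needed(people: int, symmetric: bool) -> int:
    """Symmetric: one shared secret per pair. Asymmetric: one key pair per person."""
    return people * (people - 1) // 2 if symmetric else 2 * people


if __name__ == "__main__":
    msg = b"ok"
    c = encrypt(BOB_PUB, msg)                 # Alice encrypts to Bob
    print("Bob decrypts:", decrypt(BOB_PRIV, c))
    s = sign(ALICE_PRIV, msg)                 # Alice signs
    print("valid from Alice:", verify(ALICE_PUB, msg, s))
    print("tampered message:", verify(ALICE_PUB, b"ko", s))
    print("claimed to be Bob:", verify(BOB_PUB, msg, s))
    print("keys for 10 people:", keys_needed(10, True), keys_needed(10, False))
```

Note that the signature is computed over the hash, not the message itself: that is why a one-character change to the message breaks verification, and why checking the signature with Bob's public key fails even though the message is unchanged, which is exactly the property the non-repudiation card relies on.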
Select all that apply. Which of the following are asymmetric algorithms?
a. DSA
b. RSA
c. ECC
d. El Gamal
e. Diffie Hellman
f. Knapsack
g. IDEA
h. CAST
i. Blowfish
j. Two Fish
a. DSA
b. RSA
c. ECC
d. El Gamal
e. Diffie Hellman
f. Knapsack
Tip: For purposes of the exam, there are only six known asymmetric algorithms (see above) compared to a LOT of different symmetric algorithms. Hence, it would be more practical to remember the above six asymmetric algorithms rather than also trying to memorize all the symmetric algorithms.
The rule is: If it’s not one of the six, then they’re symmetric algorithms.
A type of asymmetric algorithm that is currently the standard mechanism for digital signatures
RSA
The first published asymmetric algorithm
Diffie-Hellman
Diffie-Hellman provides secure key agreement without pre-shared secrets. It is based on the discrete logarithm problem in a finite field.
A type of asymmetric algorithm that is very efficient and therefore commonly used on handheld devices, which have limited processing capability.
Elliptic Curve Cryptography (ECC)
Which of the following hashes has a 160-bit output length?
a. MD5
b. SHA-1
c. SHA-2
d. SHA-3
b. SHA-1 = 160 bits
MD5 = 128 bits
SHA-2 = 224, 256, 384 or 512 bits
(e.g. SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256); commonly used is SHA-256
SHA-3 = 224, 256, 384 or 512 bits (recently, from NIST competition)
A protocol used to streamline the process of verifying whether or not a certificate has been revoked.
Online Certificate Status Protocol (OCSP)