Section 3: Security Architecture

Question 1

Describes the structure, components, connections, and layout of security controls within an organization’s IT infrastructure

Answer 1

Security architecture

Question 2

The practice of layering defenses to provide added protection

Answer 2

Defense in depth

Question 3

A well-defined boundary between the organization and the outside world

Answer 3

Perimeter

Question 4

Security model that emphasizes placing controls at the network and system levels to protect the information stored within

Answer 4

Network- or system-centric

Question 5

Security model that emphasizes the protection of data regardless of its location

Answer 5

Data-centric

Question 6

Perimeter that ensures secure access to the Internet for enterprise employees and guest users residing at all locations, including those included in telecommuting or remote work

Answer 6

Internet perimeter

Question 7

True or false: VPN traffic is first filtered at the ingress point to the specific IP addresses and protocols that are part of the VPN service.

Answer 7

False: VPN traffic is first filtered at the egress point to the specific IP addresses and protocols that are part of the VPN service.

Question 8

True or false: Modern IT architectures are usually decentralized and deperimeterized.

Answer 8

True

Question 9

True or false: In distributed and decentralized architectures, the inherent risk is likely to increase, often as a function of moving critical applications, platforms, and infrastructure elements into the cloud.

Answer 9

False: In distributed and decentralized architectures, the THIRD-PARTY RISK is likely to increase, often as a function of moving critical applications, platforms, and infrastructure elements into the cloud.

Question 10

Security architecture approach that develops a matrix showing columns that represent aspects of the enterprise that can be described or modeled and rows representing various viewpoints from which those aspects can be considered

Answer 10

Sherwood Applied Business Security Architecture (SABSA) Matrix

Question 11

Security architecture approach that addresses security as an essential component of the overall enterprise design

Answer 11

The Open Group Architecture Framework (TOGAF)

Question 12

Arrange the following layers of the OSI model from the bottom to the top layer:

\_\_ Data Link
\_\_ Application
\_\_ Session
\_\_ Physical
\_\_ Network
\_\_ Presentation
\_\_ Transport

Answer 12

Layer 1. Physical
Layer 2. Data Link
Layer 3. Network
Layer 4. Transport
Layer 5. Session
Layer 6. Presentation
Layer 7. Application

Please Do Not Tell Secret Password 2 All

All People Seem To Need Data Protection

Question 13

OSI layer that manages signals among network systems

Answer 13

Physical Layer

Question 14

OSI layer that divides data into frames that can be transmitted by the physical layer

Answer 14

Data Link Layer

Question 15

OSI layer that translates network addresses and routes data from sender to receiver

Answer 15

Network Layer

Question 16

OSI layer that ensures data are transferred reliably in the correct sequence

Answer 16

Transport Layer

Question 17

OSI layer that coordinates and manages user connections

Answer 17

Session Layer

Question 18

OSI layer that formats, encrypts, and compresses data

Answer 18

Presentation Layer

Question 19

OSI layer that mediates between software applications and other layers of network services

Answer 19

Application Layer

Question 20

Which of the following protocols reside at the application layer of the OSI model? Select all that apply.

a. HTTP
b. FTP
c. SMTP
d. NetBIOS
e. ARP

Answer 20

a. HTTP
b. FTP
c. SMTP

Question 21

In the OSI model, physical addressing takes place in:

a. Layer 1
b. Layer 2
c. Layer 3
d. Layer 4
e. Layer 5

Answer 21

b. Layer 2 - Data Link Layer

Question 22

Which of the following reside at the Physical layer of the OSI model? Select all that apply.

a. Router
b. Hub
c. Switch
d. Network cabling
e. Bridge

Answer 22

b. Hub

d. Network cabling

Question 23

In the OSI model, data compression takes place in:

a. Layer 1
b. Layer 4
c. Layer 6
d. Layer 5

Answer 23

c. Layer 6 - Presentation Layer

Question 24

Which OSI layer assumes responsibility for managing network connections between applications?

a. Layer 1
b. Layer 4
c. Layer 6
d. Layer 5

Answer 24

d. Layer 5 - Session Layer

Question 25

What is the name of the data unit used at the OSI physical layer?

a. Bit
b. Frame
c. Packet
d. Segment

Answer 25

a. Bit

Question 26

What is the name of the data unit used at the OSI data link layer?

a. Bit
b. Frame
c. Packet
d. Segment

Answer 26

b. Frame

Question 27

What is the name of the data unit used at the OSI network layer?

a. Bit
b. Frame
c. Packet
d. Segment

Answer 27

c. Packet

Question 28

What is the name of the data unit used at the OSI transport layer?

a. Bit
b. Frame
c. Packet
d. Segment

Answer 28

d. Segment

Question 29

What is the name of the data unit used at the OSI session layer?

a. Data
b. Frame
c. Packet
d. Segment

Answer 29

a. Data

Question 30

What is the name of the data unit used at the OSI presentation layer?

a. Data
b. Frame
c. Packet
d. Segment

Answer 30

a. Data

Question 31

What is the name of the data unit used at the OSI application layer?

a. Data
b. Frame
c. Packet
d. Segment

Answer 31

a. Data

Question 32

In the OSI model, Media Access Control (MAC) and Logical Link Control (LLC) sublayers are the components of:

a. Layer 1
b. Layer 2
c. Layer 3
d. Layer 4

Answer 32

b. Layer 2 - Data Link Layer

Question 33

User Datagram Protocol (UDP) resides at which OSI layer?

a. Layer 4
b. Layer 5
c. Layer 6
d. Layer 7

Answer 33

a. Layer 4 - Transport Layer

Question 34

Routers operate at which OSI layer?

a. Layer 2
b. Layer 3
c. Layer 4
d. Layer 5

Answer 34

b. Layer 3 - Network Layer

Question 35

IP addressing takes place at which OSI layer?

a. Layer 2
b. Layer 3
c. Layer 4
d. Layer 5

Answer 35

b. Layer 3 - Network Layer

Question 36

Data encryption and decryption typically takes place at which OSI layer?

a. Layer 4
b. Layer 5
c. Layer 6
d. Layer 7

Answer 36

c. Layer 6 - Presentation Layer

Question 37

Which of the following devices resides at the OSI data link layer?

a. Router
b. Passive hub
c. Ethernet switch
d. Repeater

Answer 37

c. Ethernet switch

Question 38

Which of the following protocols resides at the OSI session layer?

a. HTTP
b. UDP
c. SMTP
d. NetBIOS

Answer 38

d. NetBIOS

Question 39

Protocol suite used as the de facto standard for the Internet

Answer 39

TCP/IP

Question 40

The process of adding addressing information to data as it is transmitted down the OSI stack

Answer 40

Encapsulation

Question 41

A connectionless protocol used where speed is more important than error-checking and guaranteed delivery

Answer 41

User Datagram Protocol (UDP)

Question 42

Type of defense in depth implementation that creates a series of nested layers that must be bypassed in order to complete an attack

Answer 42

Concentric rings (or Nested layering)

Question 43

Type of defense in depth implementation where two or more controls work in parallel to protect an asset

Answer 43

Overlapping redundancy

Question 44

Type of defense in depth implementation that compartmentalizes access to an asset, requiring two or more processes, controls or individuals to access or use the asset

Answer 44

Segregation or compartmentalization

Question 45

Type of defense in depth implementation that is effective in protecting very high value assets or in environments where trust is an issue

Answer 45

Segregation or compartmentalization

Question 46

Type of defense in depth implementation that is most effective when each control is different

Answer 46

Ovrelapping redundancy

Question 47

Type of defense in depth implementation from an architectural perspective where controls are placed in various places in the path of access for an asset (e.g. concentric ring model)

Answer 47

Horizontal defense in depth

Question 48

Type of defense in depth implementation from an architectural perspective where controls are placed at different system layers - hardware, operating system, application, database, or user levels

Answer 48

Vertical defense in depth

Question 49

What are the three types of defense in depth implementations?

Answer 49

1. Concentric Rings (or Nested Layering)
2. Overlapping Redundancy
3. Segregation or Compartmentalization

Question 50

A system or combination of systems that enforces a boundary between two or more networks, typically forming a barrier between a secure and an open environment

Answer 50

Firewall

Question 51

True or false: Effective firewalls should prevent individuals on the corporate network to access the Internet and simultaneously prevent others on the Internet from gaining access to the corporate network to cause damage.

Answer 51

False: Effective firewalls should ALLOW individuals on the corporate network to access the Internet and simultaneously prevent others on the Internet from gaining access to the corporate network to cause damage.

Question 52

What are the four types of network firewalls?

Answer 52

1. Packet filtering
2. Application firewall systems
3. Stateful inspection
4. Next generation firewall (NGFW)

Question 53

A type of firewall where a screening router examines the header of every packet of data traveling between the Internet and the corporate network

Answer 53

Packing filtering firewall

Question 54

True or False: Packet headers contain information, including the IP address of the sender, along with the port numbers authorized to use the information transmitted.

Answer 54

False: Packet headers contain information, including the IP address of the sender AND THE RECEIVER, along with the port numbers authorized to use the information transmitted.

Question 55

This type of firewall is most effective when implemented with basic security and monitoring in mind.

Answer 55

Packet filtering firewall

Question 56

The following are the more common attacks against packet filter firewalls except:

a. IP spoofing
b. Source routing specification
c. Denial of service attack
d. Miniature fragment attack

Answer 56

c. Denial of service attack

Question 57

This type of firewall allows information to flow between systems but do not allow the direct exchange of packets.

Answer 57

Application firewall system

Question 58

This the only host computer that a company allows to be addressed directly from the public network. It is designed to screen the rest of its network from security exposure.

Answer 58

Bastion host

Question 59

A type of firewall that employs the concept of bastion hosting in it handles all incoming requests from the Internet to the corporate network, such as FTP or web requests.

Answer 59

Application firewall system

Question 60

True or false: The difference between an application-level gateway and a circuit-level gateway is that the former uses a proxy for each application-level service while the latter uses only one proxy for all services.

Answer 60

True: The difference between an application-level gateway and a circuit-level gateway is that the former uses a proxy for each application-level service while the latter uses only one proxy for all services.

Question 61

This is a server that acts as an intermediary between a workstation user and the Internet so that the enterprise can ensure security, administrative control, and caching service.

Answer 61

Proxy server

Question 62

It takes private internal network addresses, which are unusable on the Internet, and maps them to a table of public IP addresses assigned to the organization, which can be used across the Internet.

Answer 62

Network Address Translation (NAT)

Question 63

A type of firewall that is also referred to as dynamic packet filtering

Answer 63

Stateful inspection firewall

Question 64

A type of firewall that tracks the destination IP address of each packet that leaves the organization’s internal network. Whenever a response to a packet is received, its record is referenced to ascertain whether the incoming message was made in response to a request that the organization sent out.

Answer 64

Stateful inspection firewall

Question 65

An adaptive network security system that is capable of detecting and blocking sophisticated attacks.

Answer 65

Next generation firewall

Question 66

Utilizing a packet filtering router and a bastion host, this approach implements basic network layer security (packet filtering) and application server security (proxy services)

Answer 66

Screened-host firewall

An intruder in this configuration must penetrate two separate systems before the security of the private network is compromised. This is configured with the bastion host connected to the private network with a packet filtering router between the Internet and the bastion host.

N.B. This is a hybrid of packet filtering firewall and application firewall system.

Question 67

This is a firewall system that has two or more network interfaces, each of which is connected to a different network.

Answer 67

Dual-homed firewall

This is a more restrictive form of a screened-host firewall in which a dual-homed bastion host is configured with one interface established for information servers and another for private network host computers.

Question 68

This is a small, isolated network for an organization’s public servers, bastion host information servers, and model pools.

Answer 68

Demilitarized zone (DMZ) or screened-subnet firewall

DMZ connects untrusted network to the trusted network, but it exists in its own independent space to limit access and availability of resources. As a result, external systems can access only the bastion host and possibly information servers in the DMZ.

Question 69

Groups of devices on one or more logically segmented LAN.

Answer 69

VLAN

A VLAN is set up by configuring ports on a switch, so devices attached to these ports may communicate as if they were attached to the same physical network segment, although the devices are actually located on different LAN segments.

Question 70

A network segment that places limited systems, applications, and data in a public-facing segment.

Answer 70

Demilitarized zone (DMZ)

Question 71

Refers to network communication coming in

Answer 71

Ingress

Question 72

Refers to network communication going out

Answer 72

Egress

Question 73

True or false: Host-based methods of detecting unknown malware use specific techniques to identify common malicious code behaviors and flag them as suspicious.

Answer 73

False: Heuristic-based methods of detecting unknown malware use specific techniques to identify common malicious code behaviors and flag them as suspicious.

Question 74

A security element that works in conjunction with routers and firewalls by monitoring network usage anomalies.

Answer 74

IDS

Question 75

The following are limitations of an IDS except:

a. Complex configuration
b. Application-level vulnerabilities
c. Back doors into applications
d. Weaknesses in identification and authentication schemes

Answer 75

a. Complex configuration

Question 76

True or False: Using statistical-based IDS is better than using signature-based IDS.

Answer 76

False: Signature-based IDSs are not able to detect all types of intrusions due to limitations of their detection rules. On the other hand, statistical-based systems may report many events outside of the defined normal activity that are still normal activities on the network. A combination of signature-based and statistical-based models provides better protection.

Question 77

The process of converting a plaintext message into a secure-coded form of text

Answer 77

Encryption

Question 78

True or False: Encryption can prevent the loss of data.

Answer 78

False: Encryption is limited in that it cannot prevent the loss of data.

Question 79

What are the key elements of cryptographic systems?

Answer 79

1. Encryption algorithm
2. Encryption key
3. Key length

Question 80

Mathematically based function or calculation that encrypts or decrypts data

Answer 80

Encryption algorithm

Question 81

Piece of information similar to a password that makes the encryption or decryption process unique

Answer 81

Encryption key

Question 82

Predetermined length for the key

Answer 82

Key length

Question 83

True or False: The longer the key, the more difficult it is to compromise in a brute force attack where all possible key combinations are tried.

Answer 83

True

Question 84

The use of a single, secret, bidirectional keys that encrypt and decrypt

Answer 84

Symmetric key system

Question 85

Uses pairs of unidirectional, complementary keys that only encrypt or decrypt

Answer 85

Asymmetric key system

Question 86

True or false: Public key systems are asymmetric cryptographic systems.

Answer 86

True

Question 87

The most common symmetric key cryptographic system

Answer 87

Data Encryption Standard (DES)

Question 88

True or False: DES uses blocks of 64 bits.

Answer 88

True

Question 89

The following are examples of symmetric cryptographic system except:

a. DES
b. AES
c. IDEA
d. RSA

Answer 89

d. Rivest-Shamir-Adleman (RSA) is the most commonly used asymmetric algorithm (public key algorithm). It can be used both for encryption and for digital signatures. The security of RSA is generally considered equivalent to factoring, although this has not been proven.

Question 90

The next generation of cryptography that may solve some of the existing procedures associated with current cryptographic system specifically the random generation and secure distribution of symmetric cryptographic keys

Answer 90

Quantum cryptography

Question 91

A variant and more efficient form of public cryptography that demands less computation power and therefore offers more security per bit. Its 160-bit key offers the same security as an RSA-based system with a 1,024-bit key.

Answer 91

Elliptical Curve Cryptography (ECC)

Question 92

It has replaced DES as the cryptographic algorithm standard.

Answer 92

Advanced Encryption Standard (AES)

Question 93

The following are different versions of AES except:

a. AES-128
b. AES-192
c. AES-248
d. AES-256

Answer 93

c. AES-248

Question 94

An electronic identification of a person or entity created by using a public key algorithm.

Answer 94

Digital signature

Question 95

Defined as a cryptographic hashing algorithm

Answer 95

Checksum

Question 96

Is composed of a public key and identifying information about the owner of the public key.

Answer 96

Digital signature

Question 97

An authority in a network that issues and manages security credentials and public keys for message signature verification or encryption.

Answer 97

Certificate authority (CA)

Question 98

An authority in a network that verifies the user requests for a digital certificate and tells the CA to issue it.

Answer 98

Registration Authority (RA)

Question 99

An instrument for checking the continued validity of the certificates for which the CAS has responsibility

Answer 99

Certificate Revocation List (CRL)

Question 100

A session- or connection-layered protocol widely used on the Internet for communication between browsers and web servers, in which any amount of data is securely transmitted while a session is established.

Answer 100

Secure Sockets Layer (SSL)

Question 101

It is an application layer protocol that transmits individual messages or pages securely between a web client and server by establishing an SSL-type connection.

Answer 101

Hypertext Transfer Protocol Secure (HTTPS)

Question 102

An IP network layer protocol that establishes VPN via transport and tunnel mode encryption methods

Answer 102

IPSec

Question 103

A client-server program that opens a secure, encrypted command-line shell session from the Internet for remote logon

Answer 103

Secure Shell (SSH)

Question 104

A standard secure email protocol that authenticates the identity of the sender and receiver, verifies message integrity, and ensures the privacy of a message’s contents, including attachments

Answer 104

Secure Multipurpose Internet Mail Extensions (S/MIME)

Question 105

A protocol developed jointly by VISA and MasterCard to secure payment transactions among all parties involved in credit card transactions

Answer 105

Secure Electronic Transaction (SET)

Question 106

Select all that apply. The Internet perimeter should:

a. Detect and block traffic from infected internal end points.
b. Eliminate threats such as email spam, viruses and worms.
c. Format, encrypt, and compress data.
d. Control user traffic bound toward the Internet.
e. Monitor and detect network ports for rogue activity.

Answer 106

a. Detect and block traffic from infected internal end points.
b. Eliminate threats such as email spam, viruses and worms.
d. Control user traffic bound toward the Internet.
e. Monitor and detect network ports for rogue activity.

Question 107

The ___ layer of the OSI model ensures that data are transferred reliably in the correct sequence, and the ___ layer coordinates and manages user connections.

a. Presentation, data link
b. Transport, session
c. Physical, application
d. Data link, network

Answer 107

b. Transport, session

Question 108

Select all that apply. The key benefits of the DMZ system are:

a. DMZs are based on logical rather than physical connections.
b. An intruder must penetrate three separate devices.
c. Private network addresses are not disclosed to the Internet.
d. Excellent performance and scalability as Internet usage grows.
e. Internal systems do not have direct access to the Internet.

Answer 108

b. An intruder must penetrate three separate devices.
c. Private network addresses are not disclosed to the Internet.
e. Internal systems do not have direct access to the Internet.

Question 109

Which of the following best states the role of encryption within the overall cybersecurity program?

a. Encryption is the primary means of securing digital assets.
b. Encryption depends upon shared secrets and is therefore an unreliable means of control.
c. A program’s encryption elements should be handled by a third-party cryptologist.
d. Encryption is an essential but incomplete form of access control.

Answer 109

d. Encryption is an essential but incomplete form of access control.

Question 110

The number and types of layers needed for defense in depth are a function of:

a. Asset value, criticality, reliability of each control and degree of exposure
b. Threat agents, governance, compliance and mobile device policy
c. Network configuration, navigation controls, user interface and VPN traffic
d. Isolation, segmentation, internal controls and external controls

Answer 110

a. Asset value, criticality, reliability of each control and degree of exposure

Question 111

Which of the following is an example of a stream symmetric cryptography?

a. DES
b. AES
c. IDEA
d. RC4

Answer 111

d. RC4 is very fast and encrypts one bit of data at a time. While remarkable for its simplicity and speed in software, multiple vulnerabilities have been discovered in RC4, rendering it insecure. It is especially vulnerable when the beginning of the output keystream is not discarded, or when nonrandom or related keys are used. Particularly problematic uses of RC4 have led to very insecure protocols such as WEP.

Question 112

What are the two kinds of symmetric cryptography?

Answer 112

1. Stream - very fast and encrypts one bit of data at a time

2. Block - divides the data into groups before encryption (e.g. 128-bit encryption, 64-bit encryption, etc.)

Question 113

Select all that apply. Symmetric cryptography is also known as:

a. Private key cryptography
b. Secret key cryptography
c. Session key cryptography
d. Public key cryptography

Answer 113

a. Private key cryptography
b. Secret key cryptography
c. Session key cryptography

Public key cryptography is another term for asymmetric cryptography.

Question 114

Which of the following is addressed by symmetric cryptography?

a. Confidentiality
b. Integrity
c. Authenticity
d. Non-repudiation

Answer 114

a. Confidentiality

Question 115

In symmetric cryptography, what is the formula in determining how many keys to be used for N number of people?

Answer 115

  2

Question 116

True or False: To achieve privacy, the receiver’s public key is used to encrypt the message.

Answer 116

True: Using the receiver’s public key to send the message will allow the receiver to use his private key to decrypt and read the message. Since the private key is only known to him, privacy is achieved.

Question 117

True or false: To achieve non-repudiation, the sender’s public key is used to encrypt the message.

Answer 117

False: The sender has to encrypt the message using his private key so that, when the receiver decrypts and reads the message using the sender’s public key, he can guarantee that it came from the sender and the sender alone.

Question 118

True or false: Using a hashing function allows for the confidentiality of the encrypted message.

Answer 118

False: Using a hashing function allows for the integrity of the encrypted message.

Question 119

How many keys do 5 people need when using asymmetric encryption?

a. 1
b. 5
c. 10
d. 20

Answer 119

c. 10

Formula for asymmetric cryptography is 2N.

Compare symmetric cryptography where number of keys =
N * (N-1)
———–
2

Question 120

Select all that apply. Which of the following are asymmetric algorithms?

a. DSA
b. RSA
c. ECC
d. El Gamal
e. Diffie Hellman
f. Knapsack
g. IDEA
h. CAST
i. Blowfish
j. Two Fish

Answer 120

a. DSA
b. RSA
c. ECC
d. El Gamal
e. Diffie Hellman
f. Knapsack

Tip: For purposes of the exam, there are only six known asymmetric algorithms (see above) compared to a LOT of different symmetric algorithms. Hence, it would be more practical to remember the above six asymmetric algorithms rather than also trying to memorize all the symmetric algorithms.

The rule is: If it’s not one of the six, then they’re symmetric algorithms.

Question 121

A type of asymmetric algorithm that is currently the standard of digital signature mechanism

Answer 121

RSA

Question 122

It is the first asymmetric algorithm

Answer 122

Diffie-Hellman

Diffie-Hellman is a secure key agreement without pre-shared secrets. It is based on a discrete algorithm in a finite field.

Question 123

A type of asymmetric algorithm that is very efficient but is only commonly used for handheld devices due to their limited processing capability.

Answer 123

Elliptical Curve Cryptography (ECC)

Question 124

Which of the following hash has a 160-bit length?

a. MD5
b. SHA-1
c. SHA-2
d. SHA-3

Answer 124

a. SHA-1 = 160 bits

MD-5 = 128 bits

SHA-2 = 224, 256, 384 or 512 bits
(e.g. SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256); commonly used is SHA-256

SHA-3 = 224, 256, 384 or 512 bits (recently, from NIST competition)

Question 125

A protocol used to streamline the process of verifying whether or not a certificate has been revoked.

Answer 125

Online Certificate Status Protocol (OCSP)