Section 4: Security Applications and Devices

Question 1

What are Firewalls?

Answer 1

Dedicated pieces of hardware sat at the edge of your network and control inbound/outbound traffic

Question 2

What do Firewalls control

Answer 2

Inbound / Outbound traffic

Question 3

What are Personal Firewalls?

Answer 3

Software application that protects a single computer or server from unwanted internet traffic

• also referred to as Host-Based Firewalls
• apply set of rules or policies against inbound/outbound traffic

Question 4

What is port 80?

Answer 4

HTTP

Question 5

What is port 443?

Answer 5

HTTPS

Question 6

What is port 22?

Answer 6

SSH

Question 7

What is port 23?

Answer 7

Tel Net

Question 8

Should you allow traffic from Port 80 & 443 on a personal computer?

Answer 8

No, there is no need

Question 9

Does Windows have a built-in Firewall?

Answer 9

Yes
- Windows Firewall

Question 10

What are the 2 types of Windows Firewall?

Answer 10

1. Basic
2. Advanced

• Windows Firewall with Advanced Security
• wf.msc in cmd

Question 11

Does OS X have a built-in Firewall?

Answer 11

Yes
- PF (terminal version)
- Packet Filter

Question 12

Does Linux have a built-in Firewall?

Answer 12

Yes
- iptables
- configured from terminal using different accept / reject rules

Question 13

What are Host-Based Firewalls?

Answer 13

Same as Personal Firewalls. Installed directly on the computer as a software application

Question 14

Do Host-Based Firewalls need to be updated regularly?

Answer 14

Yes

Question 15

What do Host-Based Firewalls use up in a computer system?

Answer 15

Processing Power

Question 16

Due to Host-Based Firewalls using Processing Power, what do most organisations rely on instead?

Answer 16

1. Hardware Firewall
2. Network Firewall

• some routers have built-in firewalls
• still a good practice to run personal software firewall and network based firewall

Question 17

What does an IDS do?

Answer 17

Intrusion Detection System

• alerts and logs when a detection occurs

Question 18

What does an IPS do?

Answer 18

Intrusion Prevention (Protection) System

• alerts, logs, and takes action against the intrusion

Question 19

What is an IDS? (definition)

Answer 19

Device or software that monitors a system or network and analyses the data passing through it in order to identify an incident or attack

Question 20

What are the 2 different varieties of IDS?

Answer 20

1. HIDS
   - Host-based IDS
2. NIDS
   - Network-based IDS

Question 21

What is a HIDS?

Answer 21

Host-based IDS
- usually a software
- installed on computer/server
- logs everything suspicious

Question 22

What is a NIDS?

Answer 22

Network-based IDS
- hardware installed on network
- traffic goes through that switch
- copy gets passed down to NIDS
- if suspicious, it logs and alerts

Question 23

What are the 3 detection methods of IDS/IPS?

Answer 23

1. Signature
2. Policy
3. Anomaly-based

Question 24

How does Signature-based detection work?

Answer 24

A specific string of bytes trigger an alarm
- reads through database containing these strings and compares
- constantly searching for specific combination of letters/bytes

Question 25

How does Policy-based detection work?

Answer 25

Relies on specific security policy the user created
i.e. No Telnet Authorised
- if a system trying to connect to port 23, it will flag, log, and alert

Question 26

How does Anomaly-based (or Statistically Anomaly Based Detection) work?

Answer 26

Analyses current traffic against an established baseline, and triggers an alert if it is outside the statistical average
- e.g. monitoring a network
- everyone is working 9.5
- but someone is downloading large amounts of data at 2am which is outside the normal baseline
- it will be flagged & alerted

Question 27

What are the 4 types of Alert?

Answer 27

1. True Positive
2. True Negative
3. False Positive
4. False Negative

Question 28

What does True Positive mean?

Answer 28

The system is POSITIVE there is a threat and it is TRUE

Question 29

What does True Negative mean?

Answer 29

The system does NOT think there is a threat, and it is TRUE (works as intended)

Question 30

What does False Positive mean?

Answer 30

The system is POSITIVE that there is a threat but it is FALSE, there is no threat

Question 31

What does False Negative mean?

Answer 31

The system does NOT think there is a threat, but it is FALSE, there is a threat and it was not detected.

Question 32

Where does Host-based IDS (HIDS) saves logs?

Answer 32

On the individual’s computer

Question 33

What is a good practice to follow regarding HIDS which saves logs on the local machine?

Answer 33

Ensure that you have a syslog server and have those logs routinely get sent to a centralised server

• prevents an attacker from modifying/deleting localised logs

Question 34

What are HIDS logs used for after an attack?

Answer 34

To recreate the events of the attack
- recreate a ‘story’ of how the attack happened etc

Question 35

Can web-browsers block JavaScript created pop-ups?

Answer 35

Yes

Question 36

Are pop-ups sometime required for a website to function?

Answer 36

Yes

Question 37

How can malicious attackers use pop-up ads to their advantage?

Answer 37

Purchasing ads (pay per click) and inject them with malicious links/websites/code

Question 38

What is a solution to ad pop-ups?

Answer 38

AdBlocker

Question 39

What is a Content Filter?

Answer 39

It is a filter that can be enabled on a browser which blocks external files containing JavaScript, images, or web pages from loading in a browser

Question 40

What is the best solution for securing yourself from pop-ups or external files containing malicious scripts, images etc?

Answer 40

Keep your browser and its extensions up to date

Question 41

What is Data Loss Prevention (DLP)?

Answer 41

Software or Hardware that monitors the data of a system while in use, in transit, or at rest to detect attempts to steal the data

Question 42

What is an Endpoint DLP system?

Answer 42

Software-based client that monitors the data in use on a computer and can help stop a file transfer or alert an admin of the occurrence

Question 43

What are the 2 modes of DLP?

Answer 43

1. Detection Mode (doesn’t prevent)
2. Prevention Mode

Question 44

What is a Network DLP system?

Answer 44

Software or hardware-based solution that is installed on the perimeter of the network to detect data in transit

Question 45

What is a Storage DLP system?

Answer 45

Software installed on servers in the datacentre to inspect the data at rest

Question 46

What is a Cloud DLP system?

Answer 46

Cloud software as a service (SaaS) that protects data being stored in cloud services

Question 47

What are the 4 DLP solutions?

Answer 47

1. Endpoint DLP
2. Network DLP
3. Storage DLP
4. Cloud DLP

Question 48

What is a BIOS? (Basic Input Output System)

Answer 48

Firmware that provides the computer with instructions of how to accept input and send output

Question 49

What does UEFI stand for?

Answer 49

Unified Extensible Firmware Interface

Question 50

How do you secure the BIOS?

Answer 50

1. Flash the BIOS
2. Use BIOS password
3. Configure BIOS boot order
4. Disable external ports and devices
   - i.e. parallel or serial ports
5. Enable Secure Boot Option

Question 51

Should you always encrypt files on removable media?

Answer 51

Yes

Question 52

What are Removable Media Controls?

Answer 52

Technical limitations placed on a system in regards to the utilisation of USB storage devices and other removable media
- technical controls in your group policies by denying read and write access
- create administrative controls such as policies

Question 53

What is a Network Attached Storage (NAS)?

Answer 53

Storage device that connects directly to your organisation’s network

• NAS systems often implement RAID arrays to ensure high availability
• they are like racks connected to on-prem servers

Question 54

What is a Storage Area Network (SAN) ?

Answer 54

Network design specifically to perform block storage functions that may consist of NAS devices

Question 55

How do you secure NAS properly?

Answer 55

1. Data encryption
2. Proper authentication
3. Log NAS access

Question 56

What is Encryption?

Answer 56

Process that scrambles data into unreadable information

• no one can read it except the person that holds the secret key
• ensures confidentiality

Question 57

What are the 2 types of encryption?

Answer 57

1. Hardware based
2. Software based

Question 58

What is a Self-Encrypted Drive (SED - hardware) ?

Answer 58

Storage device that performs whole disk encryption using embedded hardware

Question 59

What is the most common method of encryption?

Answer 59

Software

Question 60

What is Mac OS software encryption called?

Answer 60

FileVault

Question 61

What is Win OS software encryption called?

Answer 61

BitLocker

Question 62

How does BitLocker work?

Answer 62

By using a hardware key residing on your motherboard called TPM

Question 63

What is a Trusted Platform Module (TPM)?

Answer 63

Chip residing on the motherboard that contains an encryption key

• if you transfer your encrypted drive to another system, you wont be able to decrypt it because you need the TPM module that holds the key

Question 64

What is the encryption standard used by BitLocker and FileVault?

Answer 64

Advanced Encryption Standard (AES)

Question 65

What is Advanced Encryption Standard (AES)?

Answer 65

Symmetric key encryption that supports 128-bit and 256-bit keys

Question 66

What is the benefit of encryption?

Answer 66

Adds layer of security

Question 67

What is the downside of encrypting a hard drive?

Answer 67

Speed and performance is sacrificed

Question 68

What can you use to encrypt a hard drive to not affect speed and performance?

Answer 68

• File level encryption
• Hardware based encryption (expensive)

Question 69

What is Encrypting File System (EFS)

Answer 69

Method of individually encrypting specific files instead of the whole disk

Question 70

What is a Hardware Security Module (HSM)?

Answer 70

Physical device that acts as a secure crypto-processor during the encryption process or during digital signing

Question 71

What does Endpoint Analysis include?

Answer 71

1. Monitoring
2. Logging
3. Analysis

of your endpoints

Question 72

What is an Endpoint?

Answer 72

Any device used to connect to your network

Question 73

What are Endpoint Security Solutions used for Analysis?

Answer 73

1. Antivirus
2. Host IDS, Host IPS (HIDS & HIPS)
3. Endpoint Protection Platform (EPP)
4. Endpoint Detection Response Platform (EDR)
5. User and Entity Behaviour Analytics (UEBA)

Question 74

What is an AntiVirus?

Answer 74

A software solution capable of detecting and removing virus infections

Question 75

What is a Host Based IDS/IPS?

Answer 75

Type of IDS or IPS that monitors a computer system for unexpected behaviour or drastic changes to the system’s state of an endpoint

• uses File System Integrity Monitoring
• Sees if changes occurred in:
  - OS files, drivers, applications

Question 76

What is an Endpoint Protection Platform (EPP)

Answer 76

Software agent and monitoring system that performs multiple security tasks such as AV, HIDS/HIPS, firewall, DLP, and file encryption

• Swiss army of sec tools
• based on signature detection

Question 77

What is an Endpoint Detection and Response (EDR)?

Answer 77

Software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats

• based on behaviour and anomaly analysis
• aim is to provide runtime and historical visibility into a compromise
• best for incident response

Question 78

What is a User and Entity Behaviour Analytics (UEBA)?

Answer 78

A system that can provide automated identification of suspicious activity by user accounts and computer hosts

• more about process of analysing data you are getting
• anything outside of the baseline it established can be considered suspicious

Question 79

What are 2 UEBA solutions?

Answer 79

1. Microsoft Advanced Threat Analytics
2. SPLUNK