Section 4 - Security Applications and Devices Flashcards

1
Q

Software application that protects a single computer from unwanted Internet traffic

These are also known as “host-based firewalls”

A

Personal Firewalls

2
Q

How do personal firewalls work?

A

These firewalls work by applying a set of rules and policies against traffic that’s attempting to come into or go out of our protected computer.

3
Q

With each of the following operating systems, what is the software-based firewall that applies to them?

Windows
Mac OSX
Linux

A

Windows Firewall (Windows)
PF and IPFW (OS X)
iptables (Linux)
4
Q

Many ____ suites also contain software firewalls

A

anti-malware

5
Q

What is an IDS?

A

Intrusion Detection System - Device or software application that monitors a system or network and analyzes the data passing through it in order to identify an incident or attack

6
Q

Intrusion Detection Systems come in two different varieties, which are?

A

HIDS - Host-based IDS: This usually takes the form of a piece of software that’s installed on your computer or on a server, and it will protect that host. The host-based Intrusion Detection System will sit there and log everything that it thinks is suspicious.

NIDS - Network-based IDS: This is a piece of hardware that’s installed on your network. All the traffic goes through a switch, and a copy of that traffic is sent down to the Network Intrusion Detection System. If it’s suspicious, the NIDS will log it and alert on it.

7
Q

Now, how do we know what HIDS or NIDS systems will alert on? Well, they’re going to use one of three different methods. Name these methods.

A

Signature Based
Policy Based
Anomaly Based

8
Q

What is a signature-based detection method?

A

A specific string of bytes triggers an alert

This works like any other signature-based product. The computer is going to continually search, over and over, for a known specific byte pattern. Any time it sees that combination of letters or bytes, it knows that it’s malicious. It’ll flag it and it will alert on it.

9
Q

What is a Policy-based detection method?

A

Relies on a specific declaration of the security policy (e.g., ‘No Telnet Authorized’)

This is going to rely on a specific declaration of the security policy. For example, if your company has a policy that no one is allowed to use Telnet, any time this system sees somebody trying to connect on port 23, which is the port for Telnet, it’s going to flag it, log it, and alert on it.

10
Q

What is an Anomaly-based detection method?

A

Analyzes the current traffic against an established baseline and triggers an alert if outside the statistical average

Often, this is referred to as just anomaly-based detection or statistical-based detection. This is going to analyze all of the current traffic patterns against an established baseline, and anytime it sees something that goes outside the statistical norm, it’s going to alert on it. So, if I’ve been watching your network for a while and I know what normal looks like, and everybody always works from nine in the morning until five in the afternoon, and now I start seeing somebody downloading large amounts of data around two o’clock in the morning, that’s outside our normal baseline and we would flag that and alert on that.

11
Q

What are the four different types of alerts?

A

True Positive
False Positive
True Negative
False Negative

12
Q

What is a true positive alert?

A

Malicious activity is identified as an attack

Now, a true positive means something bad happened and the system flagged it and alerted on it. That’s good because it means our system is tuned properly.

13
Q

What is a false positive alert?

A

Legitimate activity is identified as an attack

When we get into something like false positives, this is where some legitimate activity is identified as an attack. For example, if you log on to the computer and you start up Microsoft Word, that’s authorized. But if the system thought that was malicious and flagged it and alerted on it, that’s considered a false positive.

14
Q

What is a true negative alert?

A

Legitimate activity is identified as legitimate traffic

A true negative means something good or normal happened and the system didn’t flag it. Again, that’s good, because our system’s working like it should.

15
Q

What is a false negative alert?

A

Malicious activity is identified as legitimate traffic

Now, next we have what’s called a false negative. This is when something bad happens but it’s identified as legitimate activity. In other words, it isn’t flagged and it wasn’t alerted on. Let’s say you downloaded a virus, and you ran the virus and something bad happened, but your Intrusion Detection System didn’t see it, didn’t flag on it, and didn’t alert on it. This is a false negative.

16
Q

It’s really important to realize that IDSs can only…? They won’t be able to stop anything. If you want the activity to be stopped, then you need to invest in an ___.

A

alert and log on suspicious activity

IPS - Intrusion Prevention System

17
Q

How is IPS different from IDS?

A

An IPS works very similarly to an IDS, except that it has the ability to stop malicious activity from being executed.

18
Q

A concern with pop-up ads is that a lot of times, they’re being done through ___ ___ networks. And these are based on a pay-per-click model.

A

ad distribution

***Malicious attackers can purchase pay-per-click advertisements through these networks, as well. And sometimes, they can embed either a link to their website or a link to malicious code.

19
Q

What is an issue you may run into when using an Adblocker?

A

Some websites you want to go to may not serve up content if you’re blocking advertisements. A lot of websites are working under a free model, and they’re advertiser-supported. So, if you’re blocking the ads, they’re not making any money giving you content. And so, a lot of them have coded it so they won’t deliver the content you’re looking for unless you turn off your ad blocker.

20
Q

The following describes what?

Blocking of external files containing JavaScript, images, or web pages from loading in a browser

A

Content Filters

21
Q

The best defense against unscrupulous advertisers though, is to ensure…?

A

your browser and its extensions are updated regularly

22
Q

The following describes what?

Monitors the data of a system while in use, in transit, or at rest to detect attempts to steal the data

A

Data Loss Prevention (DLP)

23
Q

DLP comes in two different types of solutions, which are?

A

Software or hardware

24
Q

What are the four types of DLP systems?

A

Endpoint
Network
Storage
Cloud

25
Q

Which DLP system is the following describing?

Software-based client that monitors the data in use on a computer and can stop a file transfer or alert an admin of the occurrence

A

Endpoint DLP System

***An endpoint system is usually a piece of software that’s installed on a workstation or a laptop, and it’s going to monitor the data that’s in use on that computer. And if someone tries to do a file transfer, it’ll either stop that file transfer, or it’ll alert the admin of the occurrence based on certain rules and policies. Very much like an IDS or an IPS would, but focused on data. DLPs can be set to detection mode or prevention mode.

26
Q

Which DLP system is the following describing?

Software or hardware-based solution that is installed on the perimeter of the network to detect data in transit

A

Network DLP System

***The next one we have is a network DLP system. This is a software or hardware solution placed at the perimeter of your network. Its sole function in life is to check all of the data going into and out of your network, with a special focus on things going out of the network. It wants to detect data in transit that shouldn’t be leaving the building.

27
Q

Which DLP system is the following describing?

Software installed on servers in the datacenter to inspect the data at rest

A

Storage DLP system

*** This is software that’s installed on a server in the data center and inspects the data while it’s at rest on the server. Usually the data has been encrypted or watermarked, and we want to make sure that nobody’s accessing it at times that they shouldn’t be. For example, if someone starts downloading large amounts of data at two in the morning, that’s probably against your policy and the DLP could catch it.

28
Q

Which DLP system is the following describing?

Cloud software as a service that protects data being stored in cloud services

A

Cloud DLP system

*** These systems are usually offered as software-as-a-service, and it’s part of your cloud service and storage needs. They’re going to protect your data when it’s stored inside those cloud services. For example, my company uses Google Drive and we have data loss prevention as part of a cloud service, offered by Google.

29
Q

What does BIOS stand for?

A

Basic Input Output System

30
Q

What is the BIOS?

A

BIOS is a type of firmware which is software on a chip. It’s firmware that provides the computer’s instructions for how it’s going to accept input and send output. So, anytime the motherboard is going to talk to a keyboard, a mouse, a network card, a hard drive, a video card, whatever it is, it has to have instructions on how to do that. That’s what the BIOS provides.

31
Q

Most modern computers don’t have a traditional or legacy BIOS anymore. Instead, they use a…?

A

UEFI

32
Q

What does UEFI stand for?

A

Unified Extensible Firmware Interface

*** This is essentially the same thing as the BIOS. It’s just more of an updated and robust version of it.

33
Q

Now, when your computer boots up, it loads the BIOS, and the BIOS tells it how it’s going to check the hard drive and figure out what the ___ is. Should it boot from the hard drive, the floppy disk, the CD, or the USB drive first? The BIOS controls that.

A

boot order

34
Q

What does it mean to secure the BIOS?

A

We’re talking about securing everything up to the point when Windows is loaded.

35
Q

What are the five steps to securing the BIOS?

A

1. Flash the BIOS
2. Use a BIOS password
3. Configure the BIOS boot order
4. Disable the external ports and devices
5. Enable the secure boot option

36
Q

What does it mean to “flash the BIOS”?

A

Flashing the BIOS is simply ensuring that it has the most up-to-date software on that chip.

Because it’s firmware, you have to do a process called flashing the BIOS to upgrade the BIOS. This allows you to remove what’s currently on the chip and replace it with a newer, more updated version.

*** Any time there’s going to be a new update to the BIOS, the manufacturer releases it on their website. Generally, they’ll give you a process that you can install it to a thumb drive, boot from that thumb drive, and then run a program to flash the BIOS.

37
Q

When setting a BIOS password, what are some things to consider?

A

1. You want to make sure that you’re using a good, long and strong password
2. It should be one that’s unique to your BIOS and not the same as your Windows password

38
Q

Why is it important to set a BIOS password?

A

This will prevent anyone from being able to log into the BIOS and change the boot order or other settings without having this administrative password.

39
Q

What does it mean to configure the BIOS boot order?

A

Configuring the BIOS boot order means ensuring that you’ve selected and deselected the methods by which someone can boot your machine. So, if you’re not using your disk drive, CD drive and/or USB drive because you’re booting from the internal hard disk and network card, then you would deselect those options. By controlling the boot order, you control what is loaded.

40
Q

What happens when you enable the secure boot option?

A

When you enable the secure boot option, your computer is going to go through additional processes as it boots up. When the BIOS or the UEFI is loaded, it’s going to go through and load the public key from the trusted platform module chip, known as the TPM, that’s sitting inside your processor. It’s going to use this to verify the code of the operating system that’s being loaded and ensure that it’s been digitally signed by the manufacturer and that it hasn’t been modified since. This ensures that you have a trusted boot device, and ensures that you have a protected boot process, and your system is going to be much more secure.

41
Q

Removable media comes in many different formats, what are some examples of these?

A

floppy disks, CDs, DVDs, USB drives

42
Q

When you’re placing your information onto a removable media format or external device, you have to make sure that it stays safe from prying eyes. We want to ensure confidentiality. To do this, we always want to…?

A

encrypt our files

43
Q

The following describes what?

Technical limitations placed on a system with regard to the use of USB storage devices and other removable media. These create administrative controls such as policies.

A

Removable media controls

*** Some organizations are a little more paranoid, though, and they want to ensure that nothing gets out of their organization (like a USB drive). They also want to make sure that nothing gets into their organization. To do that, they’ve implemented removable media controls.

44
Q

What are two ways that we can encrypt our files?

A

On Windows 10, you can use BitLocker To Go, which will allow you to encrypt files using software encryption.

Also, you could buy a USB thumb stick that already has hardware encryption built in, something like an IronKey USB.

45
Q

In addition to external devices and removable media, we also can store our data on our networks and we might do something called a…?

A

NAS

46
Q

The following describes what?

Storage devices that connect directly to your organization’s network
These systems often implement RAID arrays to ensure high availability

A

NAS - Network Attached Storage device

***These storage devices connect directly into your organization’s network. They often look like a big rack of hard drives with a network cable coming out of the back of them.

47
Q

Why does a NAS often implement a RAID array?

A

Because these devices need to be accessed at all times, since they’re acting as file servers for your organization.

48
Q

Oftentimes, we’ll take different NASs and we’ll connect them together into what’s known as a…?

A

Storage Area Network or a SAN.

49
Q

The following is describing what?

Network designed specifically to perform block storage functions that may consist of NAS devices

A

SAN

50
Q

When using a NAS, what are some tips to keep it secured?

A

1. Always use data encryption - If your NAS supports full disk data encryption, you should turn it on and implement it.
2. Use proper authentication - These things are acting as file servers. You want to make sure that it asks for credentials such as a username and password, and that these are individualized to each user so no one is sharing access across the organization.
3. Log NAS access - This way, if something goes wrong, you can go back and figure out who was the last person to access the NAS, who downloaded those hundred terabytes’ worth of files, and what may have gone wrong. These are important things to know, and without logs you won’t be able to figure it out.

51
Q

What is encryption?

A

Encryption scrambles data into unreadable information

52
Q

There are two different types of encryption, which are?

A

hardware-based and software-based

53
Q

What is a SED?

A

Self-Encrypting Drive (SED) - Storage device that performs whole disk encryption by using embedded hardware

*** This is an example of a hardware-based encryption option. It looks like an external hard drive, and it has embedded hardware that performs full disk or whole disk encryption. These are very fast; unfortunately, they’re also very expensive, so they’re not commonly used. Instead, most people use software-based encryption, both in the marketplace and in our organizations.

54
Q

Luckily for us, there are two forms of whole disk encryption already embedded into our operating systems if we’re using Mac or Windows. What are they?

A

FileVault - On a Mac, this system is where we can turn on whole disk encryption with a single click. This is located under your system preferences and under the security tab.

BitLocker - On Windows, this is a very easy system to turn on. If I want to encrypt my D drive, I simply right-click it, turn on BitLocker, and then I’ll be able to encrypt the entire drive with a single click.

55
Q

Both BitLocker and FileVault use the same type of encryption. This is called what?

A

They use Advanced Encryption Standard, also known as AES.

56
Q

What is AES?

A

AES is a symmetric-key encryption algorithm that supports 128-bit and 256-bit keys and is considered unbreakable as of the time of this recording.

57
Q

What is TPM?

A

Trusted Platform Module - Chip residing on the motherboard that contains an encryption key

*** This is what BitLocker is going to use to encrypt your drive. So, if you’re going to take that hard drive out and put it into another system, you have to decrypt that drive first; otherwise, you’re not going to be able to decrypt it on the other system, because it has a different TPM and a different secret key. If your motherboard doesn’t have a TPM, you can still use BitLocker, but instead you have to use an external USB drive as a key. It’ll store the key on that USB drive. But if you lose that USB drive, you’re never going to be able to unlock that hard drive again, because every time you boot up that computer, you have to make sure you have that USB key inserted so it can unlock the drive.

58
Q

What is the drawback to using encryption?

A

Encryption adds security but has lower performance

***Encryption adds additional security for us, but it comes with a lower performance for your system. If I’m doing whole disk encryption, that means before I can even boot up the computer and read things from that drive, I have to decrypt it, and that takes time and processing. So, you have to remember there is a sacrifice in speed and performance when you’re using full disk encryption. Because of this performance hit, some people decide not to use full disk encryption. Instead, they rely on file-level encryption.

59
Q

What is EFS?

A

In Windows, we use a system called EFS or the Encrypting File System.

*** For example, if I have a hard drive with a folder called finances in it, and I wanted to make sure nobody could read that particular folder but me, I could go in, right-click that folder, and set up the EFS to be enabled on it.

60
Q

There is a way that we can speed up encryption. This is done using what?

A

Hardware based encryption

***This is much faster than using software-based encryption because we have dedicated hardware to do the processing for us. One of the ways we do that is using a hardware security module, or HSM.

61
Q

The following is describing what?

Physical devices that act as a secure cryptoprocessor during the encryption process

A

HSM - Hardware Security Module

*** These devices are generally tamper-proof and they have a high level of security. But they’re also very expensive, so most people aren’t going to find these inside their organization. Most organizations still rely on software-based encryption.

62
Q

HSMs come in many forms, but most commonly you’ll see them as…?

A

An adapter card, a device that plugs in through USB, or a network-attached device.

63
Q

What is endpoint analysis?

A

Endpoint analysis is used when we’re conducting monitoring, logging, and analysis of our endpoints. An endpoint is simply any device that we may use to connect to our network.

*** Now, for example, your desktop or your laptop at the office, that’s considered an endpoint, so is your smartphone or your tablet. As a cybersecurity analyst, you must be able to use tools to identify behavioral anomalies and then identify the techniques used by malware to achieve privilege escalation and persistence on your host.

64
Q

There are five different endpoint security capabilities that we can use for analysis. These are:

A

1. Anti-virus (AV)
2. Host intrusion detection systems (HIDS/HIPS)
3. Endpoint protection platform (EPP)
4. Endpoint detection and response (EDR)
5. User and entity behavior analytics (UEBA)

65
Q

The following describes which type of endpoint analysis?

Software capable of detecting and removing virus infections and (in most cases) other types of malware, such as worms, Trojans, rootkits, adware, spyware, password crackers, network mappers, DoS tools, and others

A

Anti-virus (AV)

*** Often, you’ll hear this called antivirus or anti-malware.

66
Q

The following describes which type of endpoint analysis?

A type of IDS or IPS that monitors a computer system for unexpected behavior or drastic changes to the system’s state on an endpoint

A

Host-based IDS/IPS (HIDS/HIPS)

*** Now, most of these are going to use signature-based detection using log or file monitoring systems to figure out if something bad is trying to happen to your endpoint. They may use file system integrity monitoring too to see if your operating system files have been changed, or drivers have been changed, or an application has been changed.

67
Q

The following describes which type of endpoint analysis?

A software agent and monitoring system that performs multiple security tasks such as anti-virus, HIDS/HIPS, firewall, DLP, and file encryption

A

Endpoint Protection Platform (EPP)

*** Essentially, it’s your Swiss army knife of security tools.

68
Q

The following describes which type of endpoint analysis?

A software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats

A

Endpoint Detection and Response (EDR)

*** Now, where EPP is mostly based on signature detection, EDR is focused more on behavioral and anomaly analysis. It starts logging the endpoint’s observables and indicators, combines that with analysis, and tries to figure out what’s wrong. So, this is a software agent that’s going to collect system data and logs for analysis by a monitoring system to provide early detection of threats. Because of that, the aim of EDR is not to prevent an initial execution, but instead to provide runtime and historical visibility into a compromise. Once a compromise has been detected, it can start responding to it, and it helps you as an incident responder to gather more information and facilitate your remediation to get the system back to its original state.

69
Q

The following describes which type of endpoint analysis?

This is a system that can provide automated identification of suspicious activity by user accounts and computer hosts.

A

User and Entity Behavior Analytics (UEBA)

*** Now, this solution is less about endpoint data collection and more about the actual process of analyzing the data you’re getting. The idea here is to have a baseline of good knowledge, and then we’re going to compare anything that goes outside that baseline and start thinking that might be suspicious and look into it further. Now, a lot of UEBA is focused on the analytics and because of that, there’s a lot of data that has to be processed. So, UEBA solutions are heavily dependent on advanced computing techniques, things like artificial intelligence and machine learning.