Security Architecture Principles Flashcards

Question 1

Q

Definition: the practice of layering defenses to provide added protection.

Answer

A

defense in depth.

Question 2

Q

Many current security controls and architectures were developed with the concept of a security perimeter.

Answer

A

These models are network- or system-centric as opposed to data-centric.

Question 3

Q

The Internet perimeter should:

Answer

A

Route traffic between the enterprise & Internet
Prevent executable files from being transferred
Monitor network ports for rogue activity
Detect and block traffic from infected internal points
Control user traffic bound toward the Internet
ID and block potential attacks
Eliminate threats such as spam, viruses and worms
Enforce filtering policies

Question 4

Q

The perimeter should also provide protection for virtual private networks (VPNs):

Answer

A

Terminate VPN traffic from remote users
Provide a hub for terminating VPN traffic from remote sites
Terminate traditional dial-in users

Question 5

Q

Modern IT architectures are usually ________ and __________.

Answer

A

decentralized and deperimeterized

Question 6

Q

As a consequence of decentralized and deperimeterized, both the number of potential attack ______ outside the organizational boundary and the number of attack ______ have grown.

Answer

A

targets and vectors .

Question 7

Q

Models of security architecture typically fall into two categories:

Answer

A

process models – flexibility

framework models – directive

Question 8

Q

the Zachman framework and the Sherwood Applied Business Security Architecture (SABSA) framework share a similar approach of developing a

Answer

A

who, what, why, where, when and how matrix

Question 9

Q

SABSA Security Architecture Matrix viewpoints

Answer

A

contextual
conceptual
logical
physical
component
operational

Question 10

Q

The Open Group Architecture Framework (TOGAF) objective is to ensure

Answer

A

that architectural development projects meet business objectives,
that they are systematic and
that their results are repeatable.

Question 11

Q

In the Open Systems Interconnect (OSI) model for networks, each layer performs a specific function for the network:

Answer

A

Physical Layer—Manages signals
Data Link Layer–Divides data into frames > physical layer
Network Layer—Translates addresses & routes data Transport Layer—data transferred in the correct sequence
Session Layer— manages user connections
Presentation Layer–Formats, encrypts and compresses
Application Layer—Mediates between software applications and other layers of network services

Question 12

Q

TCP/IP

Answer

A

Transmission Control Protocol/Internet Protocol

Question 13

Q

The TCP/IP suite includes both _______ protocols and _______ protocols.

Answer

A

network-oriented and

application support

Question 14

Q

Name 3 types of defense in depth:

Answer

A

Concentric rings (nested)
Overlapping redundancy
Segregation or compartmentalization

Question 15

Q

defense in depth is from an architectural perspective of:

Answer

A

Horizontal defense in depth - controls placed in path (functionally equivalent to concentric ring model)
Vertical defense in depth - controls placed in layers

Question 16

Q

A _______ is defined as a system or combination of systems that enforces a boundary between two or more networks. They control the most vulnerable point between a corporate network and the Internet, and they can be as simple or complex as the corporate information security policy demands.

Question 17

Q

There are many different types of firewalls, but most of them enable organizations to:

Answer

A

Block access to particular sites.
Limit traffic on an organization’s public services to relevant addresses and ports.
Prevent certain users from accessing certain services.
Monitor and record communications.
Monitor and record communications to investigate or detect.
Encrypt packets by creating a VPN over the Internet (e.g., IP security [IPSec], VPN tunnels). The capabilities of some firewalls can be extended so they can also provide for protection against viruses and attacks directed to exploit known operating system vulnerabilities.

Question 18

Q

Generally, the types of network firewalls fall into three categories:

Answer

A

Packet filtering
Application firewall systems
Stateful inspection

Question 19

Q

Packet headers contain information, including the _____ and ______.

Answer

A

IP address of the sender and receiver, and the 
port numbers (application or service)

Question 20

Q

Packet filtering firewalls are therefore best suited for smaller networks, because the direct exchange of packets is permitted between outside systems and inside systems, the potential for an attack is determined by the total number of hosts and services.

Question 21

Q

Advantages of packet filtering firewalls:

Answer

A

Simplicity of one network “choke point”
Minimal impact on network performance
Inexpensive or free

Question 22

Q

Disadvantages of packet filtering firewalls:

Answer

A

Vulnerable to attacks from improperly configured filters
Vulnerable to attacks tunneled over permitted services
All network systems vulnerable when a single packet filtering router is compromised

Question 23

Q

Some of the more common attacks against packet filter firewalls are:

Answer

A

IP spoofing
Source routing specification
Miniature fragment attack

Question 24

Q

IP spoofing

Answer

A

In this type of attack, the attacker fakes the IP address of either an internal network host or a trusted network host. This enables the packet being sent to pass the rule base of the firewall and penetrate the system perimeter. If the spoofing uses an internal IP address, the firewall can be configured to drop the packet on the basis of packet flow direction analysis. However, attackers with access to a secure or trusted external IP address can spoof on that address, leaving the firewall architecture defenseless.

Question 25

Q

Source routing specification

Answer

A

This type of attack centers around the routing that an IP packet must take when it traverses the Internet from the source host to the destination host. In this process, it is possible to define the route so it bypasses the firewall. However, the attacker must know the IP address, subnet mask and default gateway settings to accomplish this. A clear defense against this attack is to examine each packet and drop packets whose source routing specification is enabled. Note that this countermeasure will not be effective if the topology permits a route that skips the choke point.

Question 26

Q

Miniature fragment attack

Answer

A

Using this method, an attacker fragments the IP packet into smaller ones and pushes it through the firewall. This is done with the hope that only the first sequence of fragmented packets will be examined, allowing the others to pass without review. This is possible only if the default setting is to pass residual packets. Miniature fragment attacks can be countered by configuring the firewall to drop all packets where IP fragmentation is enabled.

Question 27

Q

In contrast to packet filtering routers, application- and circuit-level gateways allow information to flow between systems but do not allow the direct exchange of packets. Therefore, application firewall systems provide greater protection capabilities than packet filtering routers. They work at the application level of the OSI model.

Question 28

Q

There are two types of application firewall systems:

Answer

A

Application-level gateways—Application-level gateways are systems that analyze packets through a set of proxies—one for each service (e.g., Hypertext Transmission Protocol [HTTP] proxy for web traffic, FTP proxy). The implementation of multiple proxies, however, impacts network performance. When network performance is a concern, a circuit-level gateway may be a better choice.
Circuit-level gateways—Commercially, circuit-level gateways are quite rare. Because they use one proxy server for all services, they are more efficient and also operate at the application level. There, TCP and UDP sessions are validated, typically through a single, general-purpose proxy before opening a connection. This differs from application-level gateways, which require a special proxy for each application-level service.

Question 29

Q

Both application firewall systems (Application-level gateways and Circuit-level gateways) employ the concept of bastion hosting in that they handle all incoming requests from the Internet to the corporate network, such as FTP or web requests. Bastion hosts are heavily fortified against attack.

Question 30

Q

Application firewalls have the following advantages:

Answer

A

Provide security for commonly used protocols
Generally hide the network from outside untrusted networks
Ability to protect the entire network by limiting break-ins to the firewall itself
Ability to examine and secure program code

Question 31

Q

What is the disadvantage of application firewalls?

Answer

A

Poor performance and scalability as Internet usage grows.

Question 32

Q

A stateful inspection firewall, also referred to as dynamic packet filtering, tracks the destination IP address of each packet that leaves the organization’s internal network.

Question 33

Q

Stateful inspection firewalls have the following advantages:

Answer

A

Provide greater control over the flow of IP traffic

2. Greater efficiency in comparison to CPU-intensive, full-time application firewall systems

Question 34

Q

What is the disadvantage of stateful inspection firewalls?

Answer

A

Complex to administer

Question 35

Q

Commonly used firewall implementations available today include:

Answer

A

Screened-host firewall
Dual-homed firewall
Demilitarized zone (DMZ) or screened-subnet firewall—

Question 36

Q

Screened-host firewall—Utilizing a packet filtering router and a bastion host, this approach implements basic network layer security (packet filtering) and application server security (proxy services). An intruder in this configuration must penetrate two separate systems before the security of the private network can be compromised. This firewall system is configured with the bastion host connected to the private network with a packet filtering router between the Internet and the bastion host. Router filtering rules allow inbound traffic to access only the bastion host, which blocks access to internal systems. Since the inside hosts reside on the same network as the bastion host, the security policy of the organization determines whether inside systems are permitted direct access to the Internet, or whether they are required to use the proxy services on the bastion host.

Question 37

Q

Dual-homed firewall—This is a firewall system that has two or more network interfaces, each of which is connected to a different network. A dual-homed firewall usually acts to block or filter some or all of the traffic trying to pass between the networks. A dual-homed firewall system is a more restrictive form of a screened-host firewall system in which a dual-homed bastion host is configured with one interface established for information servers and another for private network host computers.

Question 38

Q

Demilitarized zone (DMZ) or screened-subnet firewall—This is a small, isolated network for an organization’s public servers, bastion host information servers and modem pools. The DMZ connects the untrusted network to the trusted network, but it exists in its own independent space to limit access and availability of resources. As a result, external systems can access only the bastion host and possibly information servers in the DMZ. The inside router manages access to the private network, accepting only traffic originating from the bastion host. The filtering rules on the outside router require the use of proxy services by accepting only outbound traffic on the bastion host. The key benefits of this system are that an intruder must penetrate three separate devices, private network addresses are not disclosed to the Internet, and internal systems do not have direct access to the Internet.

Question 39

Q

Problems faced by organizations that have implemented firewalls include the following:

Answer

A

Configuration errors
Monitoring demands—monitoring activities may not always occur on a regular basis.
Policy maintenance—Firewall policies may not be maintained regularly.
Vulnerability to application- and input-based attacks—Most firewalls operate at the network layer; therefore, they do not stop any application-based or input-based attacks, such as SQL injection and buffer-overflow attacks. Newer-generation firewalls are able to inspect traffic at the application layer and stop some of these attacks.

Question 40

Q

A VLAN is set up by configuring ports on a switch, so devices attached to these ports may communicate as if they were attached to the same physical network segment, although the devices are actually located on different LAN segments.

Question 41

Q

The key benefits of a DMZ system are:

Answer

A

An intruder must penetrate three separate devices
Private network addresses are not disclosed to the Internet
Internal systems do not have direct access to the Internet

Question 42

Q

egress IS also known as ______.

Answer

A

data exfiltration

Question 43

Q

Strong DLP (data loss prevention) solutions cover three primary states of information:

Answer

A

Data at rest - Crawler applications
Data in motion - Deep packet inspection (DPI)
data in use - agent software to set rules for data use

Question 44

Q

Anti-malware can be controlled through many different mechanisms, including:

Answer

A

Restriction of outbound traffic
Policies and awareness
Multiple layers of anti-malware software using a combination of signature identification and heuristic analysis

Question 45

Q

Broad categories of IDSs include:

Answer

A

Network-based IDSs—These identify attacks within the monitored network and issue a warning to the operator. If a network-based IDS is placed between the Internet and the firewall, it will detect all the attack attempts, regardless of whether they enter the firewall. If the IDS is placed between a firewall and the corporate network, it will detect those attacks that enter the firewall (i.e., it will detect intruders). The IDS is not a substitute for a firewall, but rather it complements the function of a firewall.
Host-based IDSs—These are configured for a specific environment and will monitor various internal resources of the operating system to warn of a possible attack. They can detect the modification of executable programs, detect the deletion of files and issue a warning when an attempt is made to use a privileged command.

Question 46

Q

Components of an IDS are:

Answer

A

Sensors responsible for collecting data in the form of network packets, log files, system call traces, etc.
Analyzers that receive input from sensors and determine intrusive activity
An administration console
A user interface

Question 47

Q

Types of IDSs include:

Answer

A

Signature-based—These IDS systems protect against detected intrusion patterns. The intrusive patterns they can identify are stored in the form of signatures.
Statistical-based—These systems need a comprehensive definition of the known and expected behavior of systems.
Neural networks—An IDS with this feature monitors the general patterns of activity and traffic on the network and creates a database. It is similar to the statistical model but with added self-learning functionality.

Question 48

Q

The features available in an IDS include:

Answer

A

Intrusion detection
Ability to gather evidence
Automated response
Security policy
Interface with system tools
Security policy management

Question 49

Q

An IDS cannot help with the following weaknesses:

Answer

A

Weaknesses in the policy definition
Application-level vulnerabilities
Back doors into applications
Weaknesses in identification & authentication

Question 50

Q

An intrusion prevention system (IPS) predicts an attack before it occurs. It does this by monitoring key areas of a computer system and looking for “bad behavior,” such as worms, Trojans, spyware, malware and hackers. It complements firewall, antivirus and antispyware tools to provide complete protection from emerging threats. It is able to block new (zero-day) threats that bypass traditional security measures since it does not rely on identifying and distributing threat signatures or patches.

Question 51

Q

Some advantages of IPSs include:

Answer

A

Protection at the application layer
Prevention of attacks rather than simply reacting
Defence in depth
Real-time event correlation

Question 52

Q

Encryption is part of a broader science of secret languages called cryptography, which is generally used to:

Answer

A

Protect information stored
Protect data in transit
Deter and detect accidental or intentional alterations of data
Verify authenticity of a transaction or document

Question 53

Q

Key elements of cyptographic systems include:

Answer

A

Encryption algorithm
Encryption key
Key length

Question 54

Q

Effective cryptographic systems depend upon a variety of factors including:

Answer

A

Algorithm strength
Secrecy and difficulty of compromising a key
Nonexistence of back doors by which an encrypted file can be decrypted without knowing the key
Inability to decrypt parts of a ciphertext message and prevent known plaintext attacks
Properties of the plaintext known by a perpetrator

Question 55

Q

There are two types of cryptographic systems:

Answer

A

Symmetric Key Systems—These use single, secret, bidirectional keys that encrypt and decrypt.
Asymmetric Key Systems—These use pairs of unidirectional, complementary keys that only encrypt or decrypt. Typically, one of these keys is secret, and the other is publicly known.

Question 56

Q

The most common symmetric key cryptographic system is the Data Encryption Standard (DES). DES is based on a public algorithm that operates on plaintext in blocks. This type of algorithm is known as a block cipher. DES uses blocks of 64 bits. DES is being replaced with AES, a public algorithm that supports keys from 128 bits to 256 bits.

Question 57

Q

There are two main advantages to symmetric key cryptosystems such as DES or AES:

Answer

A

The user only has to remember/know one key for both encryption and decryption.
Symmetric key cryptosystems are generally less complicated and, therefore, use up less processing power than asymmetric techniques. They are ideally suited for bulk data encryption.

Question 58

Q

There are two main disadvantages to symmetric key cryptosystems such as DES or AES:

Answer

A

Difficulty distributing keys
Limitations of shared secret—A symmetric key cannot be used to sign electronic documents or messages due to the fact that the mechanism is based on a shared secret.

Question 59

Q

Asymmetric keys are often used for short messages such as encrypting DES symmetric keys or creating digital signatures. If asymmetric keys were used to encrypt bulk data (long messages), the process would be very slow; this is the reason they are used to encrypt short messages such as digests or signatures.

Question 60

Q

A variant and more efficient form of public key cryptography is elliptical curve cryptography (ECC), which is gaining prominence as a method for increasing security while using minimum resources. It is believed that ECC demands less computational power and therefore offers more security per bit. For example, an ECC with a 160-bit key offers the same security as an RSA-based system with a 1,024-bit key. ECC works well on networked computers requiring strong cryptography. However, it has some limitations such as bandwidth and processing power.

Question 61

Q

Quantum cryptography is the next generation of cryptography that may solve some of the existing problems associated with current cryptographic systems, specifically the random generation and secure distribution of symmetric cryptographic keys. It is based on a practical application of the characteristics of the smallest “grains” of light (photons) and the physical laws governing their generation, propagation and detection. Initial commercial usage has already started.

Question 62

Q

AES has replaced the DES as the cryptographic algorithm standard. NIST announced that it had selected Rijndael as the algorithm for the AES.

Question 63

Q

Rijndael is a symmetric block cipher with variable block and key length. For AES the block length was fixed to 128 bits, and three different key sizes (128, 192 and 256 bits) were specified. Therefore, AES-128, AES-192 and AES-256 are three different versions of AES.

Question 64

Q

A ________ is an electronic identification of a person or entity created by using a public key algorithm.

Answer

A

digital signature

Answer 49

A

“signs” the document with the sender’s digital signature for message authenticity. nonrepudiation

Answer 50

A

Data integrity—Any change to the plaintext message would result in the recipient failing to compute the same message hash.
Authentication—The recipient can ensure that the message has been sent by the claimed sender since only the claimed sender has the secret key.
Nonrepudiation—The claimed sender cannot later deny generating and sending the message.

Answer 51

A

A distinguishing username
An actual public key
The algorithm used
A certificate validity period

Answer 52

A

the certification practice statement (CPS),
RAs and
certificate revocation lists (CRLs).

Answer 53

A

personal authentication functions
Verifying the right to requested certificate attributes
proof of possession (POP)
Reporting key compromise or termination
Assigning names for identification purposes
Generating shared secrets for initialization and certificate pick-up phases
Initiating registration process with CA for the subject end entity
Initiating the key recovery processing
Distributing the physical tokens (such as smart cards) containing the private keys
Certification practice statement

Answer 54

A

The controls that an organization observes
The method it uses to validate the authenticity of certificate applicants
The CA’s expectations of how its certificates may be used

Answer 55

A

Peer negotiation for algorithm support
Public key, encryption-based key exchange and certificate-based authentication
Symmetric cipher-based traffic encryption

Answer 56

A

Confidentiality
Integrity
Authentication

Answer 57

A

two or more hosts,
two or more subnets, or
hosts and subnets

Answer 58

A

S/MIME - Secure Multipurpose Internet Mail Extensions

Answer 59

A

Secure Electronic Transactions (SET)

Brainscape's Knowledge GenomeTM

Security Architecture Principles Flashcards

Brainscape's Knowledge Genome^TM