Study Guide - Chapter 2: System and Network Architecture Flashcards
1- Naomi wants to make her applications portable and easy to move to new environments without the overhead of a full operating system. What type of solution should she select?
- An x86 architecture
- Virtualization
- Containerization
- A SASE solution
Containerization
Naomi should containerize her application. This will provide her with a lightweight option that can be moved between services and environments without requiring her to have an OS included in her container. Virtualization would include a full operating system. SASE is a solution for edge‐focused security, whereas x86 is a hardware architecture.
SASE
- Secure Access Service Edge
- network architecture design that combines software-defined wide area networking (SD-WAN) with security functions to secure networks
- designed to ensure security at the endpoint and network layer
Key aspects of SASE include:
* Leveraging security functions such as cloud access security brokers (CASBs), zero trust, firewalls as a service, and antimalware tools.
* Focusing on securing access to resources regardless of location.
* Addressing the shift to software as a service (SaaS) as the common model for service delivery.
* Integrating cloud security services with zero-trust networking.
3- Tom wants to set an appropriate logging level for his Cisco networking equipment while he’s troubleshooting. What log level should he set?
- 1
- 3
- 5
- 7
7
Tom knows that log level 7 provides debugging messages that he will need during troubleshooting. Once he’s done, he’ll likely want to set a lower log level to ensure that he doesn’t create lots of noise in his logs.
4- Which of the following is not a common use of network segmentation?
Decreasing attack surfaces
Limiting the scope of regulatory compliance
Reducing availability
Increasing the efficiency of a network
Reducing availability
Segmentation is sometimes used to increase availability by reducing the potential impact of an attack or issue—intentionally reducing availability is unlikely to be a path chosen by most organizations.
5- Ric’s organization wants to implement zero trust. What concern should Ric raise about zero trust implementations?
They can be complex to implement.
Zero trust does not support TLS inspection.
Zero trust is not compatible with modern software‐defined networks.
They are likely to prevent users from accomplishing their jobs.
They can be complex to implement.
Ric knows that zero trust can be complex to implement. Zero trust does not specifically prevent TLS inspection or conflict with SDN, and a successful zero trust implementation needs to validate user permissions but allow them to do their jobs.
6- Michelle has a security token that her company issues to her. What type of authentication factor does she have?
Biometric
Possession
Knowledge
Inherence
Possession
Michelle’s security token is an example of a possession factor, or “something you have.” A password or PIN would be a knowledge factor or “something you know,” and a fingerprint or retina scan would be a biometric, or inherence, factor.
Inherence
Inherence refers to a biometric factor, or “something you are,” in multifactor authentication.
7- Which party in a federated identity service model makes assertions about identities to service providers?
RPs
CDUs
IDPs
APs
IDPs
Identity providers (IDPs) make assertions about identities to relying parties and service providers in a federation. CDUs and APs are not terms used in federated identity designs.
8- What design concept requires that each action requested be verified and validated before it is allowed to occur?
Secure access service edge
Zero trust
Trust but verify
Extended validation network
Zero trust
Zero trust requires each action or use of privileges to be validated and verified before it is allowed to occur. Secure access service edge combines software‐defined networking with other security products and services to control edge device security rather than requiring a secured central service or network. Trust but verify and extended validation network are not design concepts.
10- Jen’s organization wants to ensure that administrator credentials are not used improperly. What type of solution should Jen recommend to address this requirement?
SAML
CASB
PAM
PKI
PAM
A privileged access management (PAM) system would not only allow Jen’s organization to manage and monitor privilege use for administrator accounts but would be helpful for other privileges as well. SAML is an XML‐based language used to send authorization and authentication data, a CASB is a cloud access security broker used to manage cloud access rights, and PKI is a public key infrastructure used to issue and manage security certificates.
Financial and medical records are an example of what type of data?
CHD
PCI
PII
TS/SCI
PII
Common examples of PII include financial records, addresses and phone numbers, and national or state identification numbers like Social Security numbers, passport numbers, and driver’s license numbers in the United States. CHD is cardholder data. PCI is the payment card industry, which defines the PCI DSS security standard. TS/SCI is a U.S. classification label standing for Top Secret/Sensitive Compartmented Information.
CHD
Cardholder data
PCI
Payment Card Industry
PCI-DSS
Payment Card Industry Data Security Standard
TS/SCI
Top Secret/Sensitive Compartmented Information
12- Which of the following is not part of cardholder data for credit cards?
The cardholder’s name
The CVV code
The expiration date
The primary account number
The CVV code
The primary account number (PAN), the cardholder’s name, and the expiration date of the card are considered cardholder data. Sensitive authentication data includes the CVV code, the contents of the magnetic stripe and chip, and the PIN code if one is used.
13- Sally wants to find configuration files for a Windows system. Which of the following is not a common configuration file location?
The Windows Registry
C:\Program Files\
C:\Windows\Temp
C:\ProgramData\
C:\Windows\Temp
The temporary files directory is not a common location for program configuration files. Instead, the Registry, the ProgramData directory, and the Program Files directory are commonly used to store configuration information.
15- What protocol is used to ensure that logs are time synchronized?
TTP
NTP
SAML
FTP
NTP
NTP (Network Time Protocol) is the underlying protocol used to ensure that systems are using synchronized time.
16- OAuth, OpenID, SAML, and AD FS are all examples of what type of technology?
Federation
Multifactor authentication
Identity vetting
PKI
Federation
OAuth, OpenID, SAML, and AD FS are all examples of technologies used for federated identity. They aren’t MFA, identity vetting, or PKI technologies.
17- Example Corporation has split their network into network zones that include sales, HR, research and development, and guest networks, each separated from the others using network security devices. What concept is Example Corporation using for their network security?
- Segmentation
- Software‐defined networking
- Single‐point‐of‐failure avoidance
- Zoned routing
Segmentation
Example Corporation is using segmentation, separating different risk or functional groupings. Software‐defined networking is not mentioned, as no code‐based changes or configurations are being made. There is nothing to indicate a single point of failure, and zoned routing was made up for this question—but the zone routing protocol is a network protocol used to maintain routes in a local network region.
ZRP
zone routing protocol
- a wireless network protocol
- used to send information over a network by dividing it into zones and maintaining routing information for nodes within each zone
18- During a penetration test of Anna’s company, the penetration testers were able to compromise the company’s web servers and deleted their log files, preventing analysis of their attacks. What compensating control is best suited to prevent this issue in the future?
Using full‐disk encryption
Using log rotation
Sending logs to a syslog server
Using TLS to protect traffic
Sending logs to a syslog server
Sending logs to a remote log server or bastion host is an appropriate compensating control. This ensures that copies of the logs exist in a secure location, allowing them to be reviewed if a similar compromise occurred. Full‐disk encryption leaves files decrypted while in use and would not secure the log files from a compromise, whereas log rotation simply means that logs get changed out when they hit a specific size or time frame. TLS encryption for data (including logs) in transit can keep it private and prevent modification but wouldn’t protect the logs from being deleted.
Bastion host
- aka jump box or jump server
- a hardened server that acts as a single point of entry to a network or system
- provides a secure way to access systems located behind a firewall or within a protected network
20- Gabby is designing a multifactor authentication system for her company. She has decided to use a passphrase, a time‐based code generator, and a PIN to provide additional security. How many distinct factors will she have implemented when she is done?
One
Two
Three
Four
Two
While it may seem like Gabby has implemented three different factors, both a PIN and a passphrase are knowledge‐based factors and cannot be considered distinct factors. She has implemented two distinct factors with her design. If she wanted to add a third factor, she could replace either the passphrase or the PIN with a fingerprint scan or other biometric factor.