Lesson 17: Explaining Organizational and Physical Security Concepts

Question 1

Define configuration management

Answer 1

Identifying and documenting all the infrastructure and devices installed at a site

Question 2

What are the different aspects of configuration management?

Answer 2

1. Service assets
2. Configuration Item (CI)
3. Baseline Document
4. Configuration management system

Question 3

Define a service asset

Answer 3

Things, processes, or people that contribute to the delivery of an IT service. Each asset must be identified by some sort of label.

Question 4

Define a configuration item (CI)

Answer 4

An asset that requires specific management procedures for it to be used to deliver the service. CIs are defined by their attributes.

Question 5

Define a baseline document

Answer 5

Approved or authorized state of a CI; This allows auditing processes to detect unexpected or unauthorized change. A baseline can be a configuration baseline (the ACL applied to a firewall, for instance) or a performance baseline.

Question 6

What is a configuration baseline?

Answer 6

Settings for services and policy configuration for a network appliance or for a server operating in a particular application role.

Question 7

Define a configuration management system (CMS)

Answer 7

A Configuration Management System (CMS) is the tools and databases that collect, store, manage, update, and present information about CIs.

Question 8

Define change management

Answer 8

Process for approving, preparing, supporting, and managing new or updated business processes or technologies.

Question 9

Summarize a standard change management process

Answer 9

The need or reasons for change and the procedure for implementing the change is captured in a Request for Change (RFC) document and submitted for approval. The RFC will then be considered at the appropriate level and affected stakeholders will be notified.

Question 10

What is the purpose of a request for change (RFC) document?

Answer 10

To have the pending changes in writing and allows for approval at appropriate level.

Question 11

Define a standard operating procedure (SOP)

Answer 11

Documentation of best practice and work instructions to use to perform a common administrative task.

Question 12

Define an audit report

Answer 12

Detailed and specific evaluation of a process, procedure, organization, job function, or system, in which results are gathered and reported to ensure that the target of the audit is in compliance with the organization’s policies, regulations, and legal responsibilities.

Question 13

What is the difference between an audit report and an assessment report?

Answer 13

An audit report focuses on identifying and documenting assets, an assessment report evaluates the configuration and deployment of those assets, such as deviation from baseline configuration or performance.

Question 14

What is system life cycle?

Answer 14

Method to track the life cycle phases of one or more hardware, service, or software systems.

Question 15

What are the types of physical network diagrams?

Answer 15

1. Floor plan
2. Wiring Diagram
3. Distribution Frame
4. Wireless Site Survey

Question 16

What is the purpose of a distribution frame diagram?

Answer 16

A port location diagram identifies how wall ports located in work areas are connected back to ports in a distribution frame or patch panel and then from the patch panel ports to the switch ports.

Question 17

What are the two types of distribution frames?

Answer 17

1. Intermediate Distribution Frame (IDF)
2. Main Distribution Frame (MDF)

Question 18

Define an Intermediate Distribution Frame (IDF)

Answer 18

Passive wiring panel providing a central termination point for access layer switches that serve a given area, such as a single office floor. Each IDF has a trunk link to the MDF.

Question 19

Define a Main Distribution Frame (MDF)

Answer 19

Passive wiring panel providing a central termination point for cabling. A MDF distributes backbone or “vertical” wiring through a building and connections to external access provider networks.

Question 20

What are types of logical network diagrams

Answer 20

1. Physical layer
2. Data link layer (L2)
3. IP Layer (L3)
4. Application layer (L4)

Question 21

What information would be included in a physical layer (L1) logical diagram

Answer 21

Asset IDs and cable links

Question 22

What information would be included in a data link layer (L2) logical diagram?

Answer 22

Interconnections between switches and routers, with asset IDs (or the management IP of the appliance), interface IDs, and link-layer protocol and bandwidth

Question 23

What information would be included in a logical network (L3) diagram?

Answer 23

IP addresses of router interfaces (plus any other static IP assignments) and firewalls, plus links showing the IP network ID and netmask, VLAN ID (if used), and DHCP scopes.

Question 24

What information would be included in a logical application layer (L4) diagram?

Answer 24

Server instances and TCP/UDP ports in use. You might also include configuration information and performance baselines.

Question 25

Define an incident response plan (IRP)

Answer 25

Procedures and guidelines covering appropriate priorities, actions, and responsibilities in the event of security incidents.

Question 26

Define an incident

Answer 26

When security is breached or there is an attempted breach

Question 27

What are the main goals during incident response?

Answer 27

1. Protect confidential data and minimize impact
2. Preserve evidence
3. Follow-up analysis to prevent reoccurrence

Question 28

What is the main conflict when planning incident response?

Answer 28

Protecting data and minimizing impact while preserving evidence for analysis against efficiency and business continuity.

Question 30

Define a disaster recovery plan (DRP)

Answer 30

Documented and resourced plan showing actions and responsibilities to be used in response to critical incidents.

Question 31

What is the purpose of a disaster recovery plan (DRP)

Answer 31

1. Identify scenarios for natural and non-natural disasters and options for protecting systems.
2. Identify tasks, resources, and responsibilities for responding to a disaster. Disaster recovery focuses on tasks such as switching services to failover systems or sites and restoring systems and data from backups.

Question 32

Define a business continuity plan (BCP)

Answer 32

Collection of processes that enable an organization to maintain normal business operations in the face of some adverse event.

Question 33

How is a business continuity plan created?

Answer 33

By performing business impact analysis (BIA) and IT contingency planning (ITCP)

Question 34

What is the role of Business Impact Analysis (BIA) when creating a business continuity plan (BCP)?

Answer 34

Identifies mission essential and primary business functions and the risks that would arise if the organization cannot fulfill them.

Question 35

What is the role of IT contingency planning (ITCP) when creating a business continuity plan (BCP)?

Answer 35

Ensures that the business’ processes are supported by resilient IT systems, working to identify and mitigate all single points of failure from a process or function

Question 36

What is the purpose of a security policy?

Answer 36

Establishes a duty for each employee to ensure the confidentiality, integrity, and availability of any data assets or processing systems that they use as part of their job

Question 37

What are the best practice security measures that should be taken during the onboarding process?

Answer 37

1. Background check
2. Identity and access management (IAM) - creating user accounts and privileges
3. Asset allocation
4. Training on polices

Question 38

What are the best practice security measures that should be taken during the offboarding process?

Answer 38

1. Identity and access management (IAM) - disabling user accounts and privileges
2. Retrieving company assets
3. Returning personal assets
4. Resetting generic account credentials

Question 39

What is the purpose of a password policy?

Answer 39

Promotes user selection of strong passwords by specifying a minimum password length, requiring complex passwords, requiring periodic password changes, and placing limits on reuse of passwords

Question 40

What is best practice for password length?

Answer 40

12 to 16 characters - passphrases are best

Question 41

What is best practice for password complexity?

Answer 41

Varying the characters in the password makes it more resistant to dictionary-based attacks

Question 42

What is best practice for password age/history?

Answer 42

Requiring that the password be changed periodically and preventing the reuse of previously selected passwords

Question 43

What is the purpose of an acceptable use policy (AUP)?

Answer 43

Policy that governs employees’ use of company equipment and Internet services. ISPs may also apply AUPs to their customers.

Question 44

What is the purpose of a bring your own device policy (BYOD)?

Answer 44

The mobile is owned by the employee and can be used on the corporate network so long as it meets a minimum specification required by the company (in terms of OS version and functionality). The employee will have to agree on the installation of corporate apps and to some level of oversight and auditing

Question 45

Define a data breach

Answer 45

The theft or loss of confidential and/or personal information.

Question 46

What can be leveraged to prevent data breaches or lass of data?

Answer 46

Data loss prevention (DLP) software detects and prevents sensitive information from being stored on unauthorized systems or transmitted over unauthorized networks.

Question 47

What is the purpose of a service level agreement (SLA)?

Answer 47

Agreement that sets the service requirements and expectations between a consumer and a provider.

Question 48

What is typically in service level agreement (SLA)?

Answer 48

Aspects of the service, such as scope, performance characteristics, and responsibilities that are agreed upon between the service provider and the customer.

Question 49

Define a non-disclosure agreement (NDA)

Answer 49

Agreement that stipulates that entities will not share confidential information, knowledge, or materials with unauthorized third parties.

Question 50

What is a memorandum of understanding (MOU)?

Answer 50

A preliminary or exploratory agreement to express an intent to work together; intended to be relatively informal and not to act as binding contracts.

Question 51

What are 3 physical means of access control for an area/building/room?

Answer 51

1. Badge reader
2. Biometric
3. Access control vestibule (mantrap)

Question 52

Define an access control vestibule (mantrap)

Answer 52

Secure entry system with two gateways, only one of which is open at any one time.

Question 53

What are 3 physical access controls for IT assets?

Answer 53

1. Locking racks
2. Locking cabinets
3. Smart lockers with badge/biometric control

Question 54

What are the two detection based physical access controls?

Answer 54

1. Cameras (with audio as well)
2. Asset tags

Question 55

What type of asset tag allows for electronic tracking?

Answer 55

RFID asset tags allow detection to prevent theft

Question 56

What are two types of physical alarms

Answer 56

1. Circuit based
2. Motion detection

Question 57

Define a circuit based alarm

Answer 57

Sounds when the circuit is opened or closed; this could be caused by a door or window opening or by a fence being cut.

Question 58

What is the most secure from of circuit based alarm?

Answer 58

Closed-circuit alarm is more secure because an open circuit alarm can be defeated by cutting the circuit.

Question 59

How does motion detection function?

Answer 59

Alarm is linked to a sensor that detects moving heat sources with microwave radio reflection or passive infrared (PIR).

Question 60

Define a hardened Protected Distribution System (PDS)

Answer 60

Cabling is routed through sealed metal conduit and subject to periodic visual inspection.

Question 61

Define data remnants removal

Answer 61

Ensuring that no data is recoverable from hard disk drives (HDDs), flash devices or solid state drives (SSDs), tape media, CD, DVD ROMs, or paper documents before they are disposed of or put to a different use.

Question 62

What are the main methods of data destruction?

Answer 62

1. Incineration
2. Pulverization
3. Degaussing (HDDs, SSDs)

Question 63

Define zero-filling

Answer 63

From of sanitization/overwriting which just sets each bit to zero

Question 64

What is the most secure way to perform zero-filling?

Answer 64

Overwrite the content with one pass of all zeros, then a pass of all ones, and then one or more additional passes in a pseudorandom pattern.

Question 65

Define secure erase (SE)

Answer 65

Method of sanitizing a drive using the ATA command set to automatically preform a single pass of zero-filling.

Question 66

What is the downside to secure erase (SE)

Answer 66

Only works for HDDs due to how SSDs write memory

Question 67

Define Instant Secure Erase (ISE)

Answer 67

Media sanitization command built into self-encrypting HDDs and SSDs that works by erasing the encryption key, leaving remnants unrecoverable.

Question 68

Define IoT (Internet of Things)

Answer 68

Global network of personal devices, home appliances, home control systems, vehicles, and other items that have been equipped with sensors, software, and network connectivity.

Question 69

What are two types of consumer grade IoT devices?

Answer 69

1.Hub/control system
2. Smart devices
3. Physical access control system (PACS)

Question 70

What are examples of a Hub/control system?

Answer 70

Devices that require a communications hub to function; wireless speakers/headset

Question 71

What are examples of smart devices?

Answer 71

Devices are capable of compute, storage, and network functions; smart lightbulb, fridge, thermostat

Question 72

Define a physical access control system (PACS)

Answer 72

Components and protocols that facilitate the centralized configuration and monitoring of security mechanisms.

Question 73

What makes up physical access control system (PACS)?

Answer 73

A network of monitored locks, intruder alarms, and video surveillance cameras.

Question 74

What is a principal requirement of IoT networking technologies?

Answer 74

Low power consumption and low latency.

Question 75

Define the Z-Wave protocol

Answer 75

A wireless communications protocol used primarily for home automation and creates a mesh network topology

Question 76

Define Narrowband-IoT (NB-IoT) and its purpose

Answer 76

A low-power version of the Long Term Evolution (LTE) used for sending small packets with low latency