2.1 Defense In Depth

Question 1

The principle that system protections need to be layered and deployed across a wide range of controls. It involves the CIA triad and risk assessment.

Answer 1

Defense in depth

Question 2

These three things comprise the CIA triad

Answer 2

Confidentiality, integrity, availability

Question 3

What is the “secure by design” concept?

Answer 3

The concept that security of the application is not an afterthought but a prerequisite for each building block of the solution.

Question 4

This is considered the foundation of defense in depth

Answer 4

Filtering

Question 5

These are four examples of network filtering

Answer 5

Firewalls, anti-DDoS, proxy servers, mail relays

Question 6

These are two examples of host filtering

Answer 6

Anti-malware, application control

Question 7

A way of filtering that will allow only approved applications to run

Answer 7

Application control

Question 8

Intermediate systems that handle requests to resources on behalf of other systems. They also tend to perform some kind of content filtering.

Answer 8

Proxy servers

Question 9

The four approaches to defense in depth

Answer 9

Uniform protection, protected enclaves, information centric, threat vector analysis

Question 10

This DiD approach involves segmenting your network, involving VLANs and filtering traffic between sections of the network.

Answer 10

Protected enclaves

Question 11

Also known as port isolation this is a technique in computer networking where a VLAN contains switch ports that are restricted so that they can only communicate with a given uplink.

Answer 11

Private VLAN

Question 12

DiD approach where your organization uses multiple layers to access confidential information.

Answer 12

Information centric

Question 13

DiD approach where we prevent a threat from “crossing the bridge” or using a vector. Such as disabling USB drives.

Answer 13

Vector oriented

Question 14

This model is a compliment to DiD. Every request regardless if it comes from inside or outside the network must be authenticated and authorized.

Answer 14

Zero trust model

Question 15

Enables you to dynamically change access based upon conditions and points that are accumulated.

Answer 15

Zero trust, variable trust

Question 16

IAAA

Answer 16

Identification, authentication, authorization, accountability

Question 17

The discipline of establishing a known baseline condition and then managing that condition. Ideally based on reputed established standards.

Answer 17

Configuration management

Question 18

Tracking logging and validating every change.

Answer 18

Change control

Question 19

The four general methods for cracking passwords

Answer 19

Dictionary attack, hybrid attack, brute Force attack, pre-computation attack

Question 20

Three authentication factors

Answer 20

Something you know, something you have, something you are

Question 21

These are based on an irreversible hash function. Transforms the input to a fixed length output called a digest.

Answer 21

Key derivation function KDF

Question 22

an additional input for the kdf, a random string of characters added to the password before hashing. This is stored next to the password.

Answer 22

Salt

Question 23

An additional input for kdf, a random string of characters added to the password before hashing. It is stored in a secure location locally. Unique per application.

Answer 23

Pepper

Question 24

A list of hashed passwords available online, either cracked or not cracked.

Answer 24

Password dump

Question 25

Generally a number of hashing iterations. Intended to slow down brute Force attacks.

Answer 25

Difficulty factor

Question 26

The fastest method for cracking passwords. It tests all the words and a dictionary or word file against password hashes.

Answer 26

Dictionary attack

Question 27

This builds on the dictionary attack method by adding numerals and symbols to dictionary words.

Answer 27

Hybrid attack

Question 28

The most powerful password cracking method. It will always succeed no matter how complex, it's just a matter of time.

Answer 28

Brute Force attack

Question 29

Password cracking attack where hashes are pre-computed of possible passwords and stored in a rainbow table, saving CPU time.

Answer 29

Pre-computation attack

Question 30

A file containing pre-computed password hash values

Answer 30

Rainbow table

Question 31

The process of calculating hashes that is split up over large amounts of processing units or CPU cores

Answer 31

Data parallelism

Question 32

This refers to limiting a password cracking attack to a certain password structure or password policy. For example minimum of eight characters with complexity, etc.

Answer 32

Masking

Question 33

A method of authentication which access is only granted after being presented with more than one authenticator.

Answer 33

Multifactor authentication

Question 34

Term for using the context of a request to determine the required authentication level.

Answer 34

Adaptive authentication

Question 35

Data in the /etc/passwd file that contains user data such as full names, addresses, phone numbers, and more.

Answer 35

GECOS data

Question 36

A consensus document of 20 crucial controls designed to begin the process of establishing a prioritized baseline of information security measures and controls.

Answer 36

CIS controls

Question 37

This is the most effective security control that you can deploy today. only the trusted and expected executables can execute on a system, and no others. Allow list of software.

Answer 37

Application control