2.1 - Enterprise Security

Question 1

Define Configuration Management.

Answer 1

Configuration Management is the process of maintaining systems, such as computer hardware and software, in a desired state. This includes identifying and and documenting hardware and software settings.

Question 2

Define a Network Diagram.

Answer 2

A diagram of the physical wire and devices within a network.

Question 3

Define a Physical data center layout.

Answer 3

A diagram of the datacenter that gives the layout of the datacenter and can include physical rack locations.

Question 4

Define a Device Diagram.

Answer 4

A diagram of the individual devices and individual cabling running to them.

Question 5

Define Baseline Configuration.

Answer 5

A documented set of specifications for an information system, or a configuration item within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures.

Question 6

List some examples of things that should have a standard naming convention within a network.

Answer 6

1) Devices
2) Networks (ports)
3) Domain names and emails

Question 7

List some ways that data can be protected.

Answer 7

1) Encryption
2) Security Policies
3) Data permissions

Question 8

Define and explain Data Sovereignty.

Answer 8

Data that resides in a country is subject to the laws of that country (legal monitoring, court orders, etc.)

Laws may prohibit where data is stored. For example, data collected on EU citizens must be stored in the EU. GDPR (General Data Protection Regulation)

Question 9

Define Data Masking.

Answer 9

Hiding some of the data (like hashing out most of a debit card on a receipt). It may only be hidden from view, but it may be still in storage.

Data masking can be done via substituting, shuffling, encrypting, masking out, etc.

Question 10

Define Data Encryption.

Answer 10

Encoding information into unreadable data. The original information is plaintext, and the encrypted form is ciphertext.

Question 11

Define Diffusion.

Answer 11

Changing one character of the input, and many characters change of the output.

If you change one character of plaintext, the whole ciphertext changes.

Question 12

Define Data at-rest and how to protect it.

Answer 12

Data that is on a storage device.

The data can be encrypted or have permission assigned to it.

Question 13

Define Data in-transit and how to protect it.

Answer 13

Data that is transmitted over the network.

Can protect it with transport encryption (TLS or IPSec) or Network-based protections (Firewall or IPS).

Question 14

Define Data in-use.

Answer 14

Data that is actively processing in memory (system RAM, CPU registers and cache). This data is always decrypted.

Question 15

Define Tokenization.

Answer 15

Replacing sensitive data with a non-sensitive placeholder. The token and the data aren’t mathematically related.

This is common with credit card processing. It uses a temporary token during payment that isn’t useful if captured.

Question 16

Define Information Rights Management (IRM).

Answer 16

Controls how data is used. It restricts data access to unauthorized persons. Each user has their own set of rights.

Question 17

Define Data Loss Prevention (DLP).

Answer 17

An approach to data security that implements a set of processes, procedures, and tools to prevent the loss, misuse, or accessed by unauthorized users.

Question 18

Define Endpoint DLP.

Answer 18

DLP that analyzes an attempts to prevent the loss of data stored on devices.

Question 19

Define Network DLP.

Answer 19

DLP that attempts to prevent the loss of data in motion.

Question 20

What does DLP protect if it is on a server?

Answer 20

Data at rest.

Question 21

What does DLP software do?

Answer 21

Classifies regulated, confidential, and business critical data and identifies violations of policies defined by organizations or within a predefined policy pack, typically drive by regulatory compliance such as HIPAA, PCI-DSS, or GDPR.

Question 22

Define Cloud-based DLP.

Answer 22

DLP that focuses on keeping communications between the end user and the cloud protected.

It might block custom defined data strings, manage access to URLs, or block viruses and malware.

Question 23

What are some ways that DLP might be used to protect email?

Answer 23

1) Check every email inbound and outbound
2) Inbound: Block keywords, identify imposters,
quarantine email messages
3) Outbound: Fake wire transfers, W-2 transmissions,
employee information

Question 24

How might security by affected by geographical changes?

Answer 24

1) There are legal implications
- Business regulations vary between states
- Passports for recovery sites out of the country
2) Offsite backup
- Organization-owned site or 3rd-party secure
facility
3) Offsite recovery
- Travel considerations for staff
- Hosted in site the scope of the disaster

Question 25

What documentation should an organization have in the event of an attack?

Answer 25

Incident response plan - Documentation - Identify and contain the attack

Question 26

What are the goals of response and recovery controls?

Answer 26

Limit the impact of the attacker in regards to data exfiltration and access to sensitive data.

Question 27

Define SSL/TLS Inspection.

Answer 27

A test that involves capturing TLS or SSL packets in order to ensure that the data is safe. Typically, this test is run between client and server.

Question 28

What is a Certificate authority in SSL/TLS, and what does it do?

Answer 28

An entity or organization that assigns certificates to web sites. The browser only trusts web sites with certificates. It is up to the CA to verify the web site. The CA must sign the certificate for the encryption to work well.

Question 29

Define Hashing.

Answer 29

Representing data as a short string of text, a message digest. It is impossible to recover the original message from the hash. This is used to store passwords and confidential information. You will not get the same hash for the same text twice unless you have a hash collision (which is bad). It is also used for digital signatures.

Question 30

Define API (Application Programming Interface).

Answer 30

An application that controls either software or hardware programmatically.

Question 31

What are some attacks that could affect an API?

Answer 31

1) On-path attack - Intercept and modify API messages, replay API commands 2) API Injection: inject data into an API message 3) DDoS: one bad API call can bring down a system

Question 32

List some ways that you can secure an API.

Answer 32

1) Authentication - Limit API access to legitimate users, over secure protocols 2) Authorization - API should not allow extended access - Each user has a limited role - A read-only user should not be able to make changes 3) WAF (Web Application Firewall) - Apply rules to the API communication

Question 33

Define a Hot Site.

Answer 33

An exact replica of what is running in the production environment. Everything is already updated and ready to spill over. There is minimal downtime, but this is expensive.

Question 34

Define a Warm Site.

Answer 34

Between a hot and cold site. Hardware might already be ready, but the software and data will need to come over.

Question 35

Define a Cold Site.

Answer 35

There is no hardware in place. Data will have to be brought with you. Everything needs to be done, but this is the cheapest option.

Question 36

Define a Honeypot.

Answer 36

A system or a series of systems that is intended to attract attackers. This allows for recon into how an attacker might attack. There is a constant battle to trick the attacker into thinking that this is a real system.

Question 37

Define Honeynets.

Answer 37

A series of honeypots on a network.

Question 38

Define Honeyfiles.

Answer 38

Files that act as bait on a honeynet (ex. passwords.txt). An alert is sent if the file is accessed.

Question 39

Define Fake Telemetry.

Answer 39

The deliberate manipulation of telemetry data to mislead the AI system. If a machine that is being trained on how malware acts to stop malware based on actions, the attacker might send fake telemetry to make malicious malware look benign. Then, after the learning, they might send the malware.

Question 40

Define a DNS sinkhole.

Answer 40

A DNS that hands out incorrect IP addresses. An attacker can redirect users to malicious sites. It can, however, redirect known malicious domains to a benign IP address and watch for any users hitting that IP address. This is often integrated into a firewall or an IPS. Also known as a Blackhole DNS.