4.5 Flashcards

Firewalls, web filtering, operating system security, secure protocols, email security, monitoring data, endpoint security

1
Q

A network device that sits inline in the network and makes decisions about whether traffic should be allowed or disallowed.

A

Firewall

2
Q

Traditional firewalls operate based on ____

A

Ports

3
Q

NGFWs operate based on ____

A

Applications AND ports

4
Q

True/False

Firewalls can be used as VPN concentrators that can encrypt/decrypt traffic

They can also perform routing services, like NAT and dynamic routing

A

True

5
Q

Most firewall rules start from the ____ of the rule base and go to the ____.

This also means that firewall rules start more ____ and become more ____.

A

Top-to-bottom

Specific; broad/generic

6
Q

Most firewalls include an ____ at the bottom of the rule base. That means that if a packet did not match any of the rules, it will be dropped.

A

Implicit deny

7
Q

A rule base/policy list in a firewall is also described as

A

ACL

8
Q

A part of the network that holds devices and services meant to be accessible to the internet. It does not contain any sensitive corporate data.

It is separated from the internal network so as to prevent attackers from gaining access to confidential data.

A

Screened subnet

AKA DMZ

9
Q

Screened subnet is AKA

A

DMZ

10
Q

IPS is often included in an ____

A

NGFW

11
Q

2 ways that an IPS identifies malicious traffic

A

Signature-based

Anomaly-based

12
Q

When an IPS tries to identify malicious traffic based on signatures, what is it looking for?

A

Perfect matches to known-bad code

13
Q

When an IPS tries to identify malicious traffic based on anomalous behavior, what is it looking for? (2)

A

Deviations from baselines
Pattern detection of malicious traffic

14
Q

Technology that controls traffic based on data within the content (web sites, files, etc.)

A

Content filtering

15
Q

Technology that allows or restricts access based on a URL

A

URL scanning

16
Q

URL stands for

A

Uniform Resource Locator

17
Q

URL is AKA

A

URI

18
Q

URI stands for

A

Uniform Resource Identifier

19
Q

URL scanning is often integrated into an ____

A

NGFW

20
Q

A content filter that is installed as software on the user’s device

A

Agent-based

21
Q

Why would content filter agents be installed on a user’s device, instead of existing only on the network’s firewall?

A

Many people work from home or travel for work. They will not always be in the corporate network that has the content filter.

22
Q

4 features of proxies other than NAT

A

Caching

Access control - limits which devices can communicate with the internet

URL filtering

Content scanning

23
Q

Forward proxy is AKA

A

Internal proxy

24
Q

A proxy that requires some configuration to let applications know how to use it

A

Explicit proxy

25
Q

A proxy that requires no configuration with applications

A

Transparent proxy

26
Q

Content/URL filters can filter based on content, FQDN, and ____

A

Reputation/risk

Ranges from trustworthy to high risk

27
Q

2 ways to assign a reputation to a website for the use of a content/URL filter

A

Automated reputation - the site is scanned and assigned a reputation based on its content

Manual reputation - a manager can assign a reputation

28
Q

A method of performing content filtering without a content/URL filter, NGFW, or firewall.

A

DNS filtering

29
Q

How does DNS filtering work?

A

Real-time threat intelligence is constantly being updated. Administrators can configure the DNS server to not provide the user with the IP address of known-bad FQDNs.

30
Q

What is one positive of using DNS filtering?

A

It does not work with just web pages. If malware on a device attempts to connect to a known-bad C2 server, the DNS server will block that lookup as well.

31
Q

A database containing all of the components of your network - computers, user accounts, file shares, printers, groups, etc. It authenticates users, centralizes access control, and can perform administrative tasks like resetting passwords and removing accounts. This solution is primarily Windows-based.

A

Active Directory

32
Q

Security policies that enforce configuration settings and permissions for groups or individual users and devices.

A

Group Policy

33
Q

A console that can configure login scripts that run when a user connects to the network, enforce QoS network configurations, and set security parameters that all users and devices must follow.

A

Group Policy Management Editor

34
Q

Patches that enhance the security of Linux, including the addition of:

Mandatory access control

Least privilege

A

SELinux

35
Q

Most default Linux distributions use ____ access control

A

Discretionary

36
Q

A secure alternative to Telnet

A

SSH

37
Q

A secure alternative to HTTP

A

HTTPS

38
Q

A secure alternative to IMAP

A

IMAPS
39
Q

A secure alternative to FTP

A

SFTP

40
Q

True/False

Secure and insecure versions of the same protocol (ex. HTTP vs HTTPS) use different ports. So if you use the "secure"-assigned port, you can be sure that your packets are encrypted.

A

False

Just because you use the port doesn't mean that you're actually using the secure protocol. To make sure, you need to use a sniffer to capture packets and verify that the secure version of the protocol is being used.

41
Q

Instead of relying on your applications to encrypt the data, what can you do to ensure all information being sent over the network is encrypted? (2)

A

Configure an encryption protocol directly on the AP. That way, all data sent over the network will be encrypted. (ex. WPA3)

Or you can use a VPN.

42
Q

A device that evaluates the source of inbound email messages. It resides inside of the screened subnet/DMZ. It blocks any suspicious emails at the gateway before they reach the user, meaning they are either discarded entirely or put into your spam folder. This device can be onsite or cloud-based. It is often called the gatekeeper of the organization's email.

A

Mail gateway

43
Q

SPF stands for

A

Sender Policy Framework

44
Q

An email authentication system/protocol that defines which mail servers are allowed to send emails on your organization's behalf. An administrator can manually add records of safe servers.

A

SPF

45
Q

A list of mail servers authorized to send email messages on your organization's behalf. Receiving mail servers can perform a check on this list to see if the incoming mail really did come from an authorized host.

A

SPF record

46
Q

DKIM stands for

A

DomainKeys Identified Mail

47
Q

DMARC stands for

A

Domain-based Message Authentication, Reporting, and Conformance

48
Q

An authentication protocol that is used to verify the sender of an email. It does this by storing a list of the sender's public key(s) to verify digital signatures. When the receiving email server checks the list of valid public keys, it will know that the supposed sender did indeed send the message. This digital signature is verifying the email sender, NOT the integrity of the message. The end user does not see this signature.

A

DKIM

49
Q

A list of public keys stored on an organization's network that helps receiving email servers verify that a message did indeed come from that organization.

A

DKIM TXT

AKA DKIM record

50
Q

A record in text format that contains information about your domain. Which email servers you use, what you want to happen to emails that don't validate properly, and the public keys for your org's digital signatures are all on this type of record.

A

DNS TXT record

51
Q

An email security protocol that allows an administrator to define what they want to happen to emails supposedly from their organization's address that do not authenticate properly.

A

DMARC

52
Q

An email security protocol that creates and sends compliance reports to an administrator listing statistics on how many emails from the organization were validated properly and how many were not. This gives an idea of how many attackers are using your organization's email address to send out spoofed emails.

A

DMARC

53
Q

The 2 primary functions of DMARC

A

Tells receivers what to do with emails that cannot be validated

Produces compliance reports of how many emails validated correctly vs how many did not

54
Q

Difference between DKIM and DMARC

A

DKIM attempts to verify whether an email is legitimate by validating its signature against the public keys published by the organization the email was supposedly sent from.

DMARC reaches out to the legitimate organization to find out what to do with emails that did not validate correctly. A failed validation could indicate that someone spoofed this organization's email address.

55
Q

FIM stands for

A

File Integrity Monitoring

56
Q

Software that monitors files and configurations that should rarely be changed (mainly OS components and application files). If these files change, this software alerts an administrator.

A

FIM

57
Q

Windows' on-demand FIM software

A

SFC

58
Q

SFC stands for

A

System File Checker

59
Q

Linux's FIM software

A

Tripwire
60
Q

True/False

HIPS can perform FIM functions, but NIPS cannot.

A

True

A HIPS can look at all of the files on the host it is installed on. A NIPS cannot access these files so readily, since it does not reside on a host device.

61
Q

A monitoring tool that can look for sensitive data being sent across the network and block that data in real time.

A

DLP

62
Q

True/False

Because a DLP has to look at so many sources and destinations for data leakage, it is best practice to have multiple DLP solutions in different places on the network.

A

True

63
Q

DLP solutions that are installed on a device monitor data ____

A

in use

64
Q

DLP solutions that sit inside of the network monitor data ____

A

in motion

65
Q

DLP solutions that reside on a server monitor data ____

A

at rest

66
Q

A DLP solution installed on a device is AKA

A

Endpoint DLP

67
Q

A DLP function that prevents data exchange to/from a USB device

A

USB blocking

68
Q

A DLP solution that can manage access to URLs, block viruses and malware, and block custom-defined data strings that are unique to your organization.

A

Cloud-based DLP

69
Q

A DLP solution that works by blocking keywords, identifying imposters, quarantining incoming messages, and blocking the exfiltration of sensitive corporate information. It checks inbound and outbound emails for both internal and cloud-based mail systems.

A

Email-based DLP

70
Q

The part of the network that is the link between the internal network and the internet. It is the "internet link".

A

Edge

71
Q

How do you most commonly protect the edge of a network? (2)

A

Firewall

Access control - by group, location, which application is used to access the resource, etc.

72
Q

True/False

Firewall rules change often, while access control rules are mainly static.

A

False

Firewall rules are mainly static, but access control rules can change at any time to reflect new security policies or to give certain individuals more/less access.

73
Q

This occurs when a computer is making a new connection with a network - especially for remote connections. It is a check to make sure that the computer is healthy, updated, provides full-disk encryption, and is running the necessary applications (and none of the banned applications).

A

Posture assessment

74
Q

A posture assessment agent that is permanently installed onto a system.

A

Persistent agent

75
Q

A posture assessment agent that requires no formal installation. It executes during a login/connection process, performs a check, and then removes itself from that system.

A

Dissolvable agent

76
Q

A posture assessment agent that is integrated with Active Directory. It does not reside on the connecting client at any point. It runs checks during login and logoff. Checks cannot be scheduled since there is no local agent; it is integrated with the database instead.

A

Agentless NAC

77
Q

3 types of posture assessment agents

A

Permanent agent

Dissolvable agent

Agentless NAC

78
Q

A modern way of monitoring an endpoint that exists as a lightweight agent on the endpoint. It utilizes root cause analysis, behavioral analysis, virus signatures, machine learning, and process learning. It correlates all of these together to determine whether a threat exists. After it discovers a threat, it will isolate the system, quarantine the threat, and roll back to a known-good backup. This all happens automatically since it is API-driven.

A

EDR

79
Q

An evolution of EDR that adds network-based detection, rather than just endpoint detection. It can correlate data and data types from endpoints, networks, and clouds to improve detections and simplify security event investigations. Beyond that, it also reduces missed detections, false positives, and long investigation times.

A

XDR

80
Q

XDR stands for

A

Extended Detection and Response

81
Q

An XDR method of examining the behavior of users to build a baseline against which anomalous traffic is compared. This analysis occurs in real time.

A

User behavior analytics