701 - Section 4 Flashcards
(216 cards)
1
Q
What makes up a secure baseline?
A
The specific device or applications foundational security policy
2
Q
In my working experience, what is a secure baseline that I have used?
A
STIG checklists
3
Q
What is it called to apply these foundational secure configurations to the associated system?
A
Hardening
4
Q
What are three general ways to harden a mobile device?
A
Always apply updates when ready, segment the company and user data, control with an MDM, which is a mobile device manager
5
Q
What are three ways to harden a workstation?
A
Apply and automate monthly patches, connect to a policy management system, such as active directory group policy, remove unnecessary software to limit the threats
6
Q
How do you harden network infrastructure devices?
A
Always check with the manufacturer because when they do put out security updates, while not frequent, they are usually very important.
7
Q
What are three ways to harden cloud infrastructure?
A
Apply least privilege to services, network settings, etc… configure endpoint detection and response (EDR), always have an offsite back up
8
Q
What are four general ways to harden a server?
A
Always apply all updates service packs, and patches… apply best practices to user accounts, limit network access, monitor and secure with antivirus anti-malware software
9
Q
How do you harden an embedded system because they can be difficult to upgrade?
A
Apply security patches when available, prevent access from unauthorized users
10
Q
How do you harden an RTOS?
A
Isolate the system, run with the minimum services needed, protect with a host-based firewall
11
Q
How do you harden IOT devices?
A
Change the default passwords, deploy updates quickly, segment these devices by putting them on their own VLAN
12
Q
What is another name for a map of an organizations wireless network?
A
A site survey
13
Q
What are some of the benefits of a site survey?
A
They identify existing access points, they allow you to lay out and plan for interference, they identify wireless signal strengths
14
Q
What is an especially helpful wireless survey tool?
A
Spectrum analyzer
15
Q
What are three Features that an MDM provides?
A
Centralize management of the mobile devices, sets policies on apps, data, camera… Manages access control for things like screen locks and PINs
16
Q
What does BYOD stand for?
A
Bring your own device
17
Q
What does COPE stand for? And what is it?
A
Corporate owned personally enabled… When the company buys and controls the device but allows you to use it as a personal device as well
18
Q
What are three security concerns with a cellular network?
A
Traffic monitoring, location tracking, worldwide access to any mobile device
19
Q
What are three securities concerns with the Wi-Fi network?
A
Data capture so encrypt your data, on path attacks, denial of service
20
Q
What is another name for Bluetooth?
A
PAN or personal area network
21
Q
How do we ensure that all wireless communication is confidential?
A
By encrypting the wireless data
22
Q
What is MIC? And what is it used for?
A
Message integrity check, and it is used to confirm that the received data is identical to the original #DATA sent
23
Q
What is the problem with WPA2?
A
It is vulnerable to a pre-shared key (PK) brute force attack
24
Q
What is a pre-shared key?
A
It is the wireless key that everyone uses when they connect
25
What protocol solves the WPA two PSK problem?
WPA3 and GCMP
26
What is GCMP and what does it offer?
Galois counter mode protocol. It offers #DATA confidentiality with AES, MIC with Galios message authentication code GMAC
27
How does W PA3 resolve the issues with WPA2?
It includes mutual authentication, creates a shared session key without sending that key across the network, no more four-way handshakes or ashes which eliminates the brute force attack vector
28
What is SAE stand for, and how does it work,
Simultaneous authentication of equals… it uses a Diffie-Hellman derived key exchange with an authentication component, uses a different session key even with the same pre-shared key, and includes an eye EEE standard the dragonfly handshake
29
Where do you configure security on a wireless network?
On your wireless access point or wireless router
30
What are three wireless security modes?
Open system, which means no authentication password is required, WPA3 personal or WPA3 PSK, WPA3 Enterprise or WPA3-802.1x
31
What does radius stand for?
Remote authentication dial-in user service
32
What is RADIUS? And what does it do?
One of the more common AAA protocols and is supported on a wide variety of platforms and devices… it’s centralizes the authentication for users
33
What is the AAA framework?
Authentication, authorization, accounting
34
What is EAP, and what standard is it integrated with?
Extensible authentication protocol. It is an authentication framework… It integrates with 802.1X
35
What is a primary methodology that developers can use to secure their application?
Validate the input fields
36
What is a secure cookie?
A cookie that has its secure attribute set a browser will only send it over HTTPS
37
True or false it is OK to store sensitive information within a cookie?
False, they are not designed to be secure storage
38
What are four methods for securing application code?
Static code analyzers, code signing, sandboxing, application security monitoring
39
What method of securing code uses automated tools to identify security flaws?
Static code analyzers also known as static application security testing SAST
40
What method of application code security is used to confirm that the application was written by a specific developer? And how does it work?
Code signing, which means the application code is digitally signed by the developers private key
41
Which form of application code security separates the application where it cannot access unrelated resources? And where else can it be used?
Sandboxing… it can be used in many different types of deployment, such as the M, mobile devices, browser Iframes
42
Which form of application code security separates the application where it cannot access unrelated resources? And where else can it be used?
Sandboxing… it can be used in many different types of deployment, such as the M, mobile devices, browser Iframes
43
Which form of application security uses real time logging information?
Application security monitoring
44
What is this testing methodology called that throws random data at input fields on a form?
Fuzz testing
45
What is the name of the multi step process for requesting and obtaining goods and services?
Acquisition or procurement process
46
What does an organization use to track IT equipment purchased and who it is assigned to?
A central asset tracking system
47
What is the process called to completely remove #DATA so no usable information remains?
System disposal or decommissioning
48
What is usually contained on an asset tag?
Barcode, RF ID, visible tracking number, organization name
49
What can be used to physically destroy an asset like a hard drive?
Shredder or pulverizer, a drill or hammer, degaussing Which removes the magnetic field or incineration
50
When a third-party physically destroys an IT acid, what do you receive in return that confirms the assets has been destroyed and how it was destroyed?
A certificate of destruction
51
What is it called when you back up your data and keep it for a period of time?
Data retention
52
What are two reasons why data is retained?
Regulatory compliance or operation needs
53
Is vulnerability scanning the same thing as penetration testing?
No
54
What is it? An example of vulnerability scanning that I have used in the past? And what is one example within the scans?
ACAS or Nessus, a port scan to see what ports are open
55
What is SAST and what does it do?
Static application secure testing, and it is used to help identify security flaws within application code… it can identify security, vulnerabilities such as buffer, overflows, and database injections
56
True or false, knowing who the threat actors are is helpful with threat intelligence?
True
57
True or false, knowing who the threat actors are is helpful with threat intelligence?
True
58
What does OSINT stand for?
Open source intelligence
59
This type of threat intelligence is compiled and available for sale and is constantly monitoring for new threats so it’s always being updated?
Proprietary or third-party intelligence
60
What is CTA?
Cyber threat alliance… A member group who compiles, classifies threat intelligence for CTA members
61
What is the internet area where hacking groups provide tools and techniques and other information for sale, including credit cards and account and passwords?
Dark web… it is good to monitor this area for signs of your or your companies information..
62
The process of simulating and attack is called what?
Penetration testing
63
What is the organization that provides technical guides and testing and assessment procedures for penetration testing?
The national Institute of standards and technology… NIST
64
This is an important document that outlines the purpose and scope and makes everyone aware of the test parameters for the penetration test?
Rules of engagement
65
What are some of the items within the rules of engagement?
The type of testing (physical, internal/external)and schedule, and the rules
66
What are some of the rules that might be outlined and the rules of engagement?
IP address ranges, emergency contacts, how to handle sensitive information
67
What are some of the dangers of penetration testing?
Could cause a denial of service or loss of data, buffer overflows can cause instability, privilege escalations can occur
68
And penetration testing, once you were able to gain access to a system, what are some important moves to test?
Lateral movement or moving from system to system, which tests if the network is relatively unprotected, being persistent, and ensuring once in that you can get back in by setting up a back door building fake user accounts, changing or verifying default passwords
69
What is called a reward offered for discovery of vulnerabilities?
A bug bounty program
70
At what point is a vulnerability publicly announced?
After the manufacturer has created a fix
71
What is a vulnerability that is identified that doesn’t really exist called?
False positive
72
What is a vulnerability that exist but is not detected?
False negative
73
It is important to have the latest of these when performing vulnerability scans?
Signatures
74
What does CVSS stand for and what is it?
Common vulnerability scoring system… It provides a quantitative scoring of a vulnerability from 0 to 10
75
What does CVE stand for, and what is it?
Common vulnerabilities and Exposures… Each vulnerability is assigned a CV and contains a CVSS score
76
What types of systems are generally included in a vulnerability scan?
Desktop, mobile apps, web application, misconfigured firewalls, open ports
77
What is the loss of value or business activity if the vulnerability and an organization is exploited called?
The exposure factor and it’s usually expressed as a percentage… This is also a useful metric when assigning priority
78
This type of variable for assigning a vulnerability priority when it impacts things such as internal servers, public cloud, or test lab?
Environmental type
79
This type of variable for assigning a vulnerability priority when it impacts things such as hospitals or power plants?
Industry or Organizational impact
80
What is the amount of risk acceptable to an organization called?
Risk tolerance
81
What is the most common mitigation technique for vulnerability remediation?
Patching
82
An unscheduled patch that has the highest priority is generally for what type of vulnerability?
Zero day
83
What can an organization purchase for a cyber security event does occur that causes loss?
Cyber security liability insurance
84
To limit the scope of an exploit, an organization will separate devices into their own networks/VLANS… what is that called?
Segmentation
85
What type of segmentation is it when the application is completely disconnected from everything?
And air gap
86
What can be used to block unwanted unnecessary internal traffic between VLANs?
NGFWs
87
What are the two types of segmentation?
Physical and logical
88
What device is required when you want to communicate between VLANs?
A layer 3 device or router
89
What is it called when the optical security method may not be available so you apply this instead?
Compensating controls
90
Name several examples of compensating controls?
Disabling a problematic service, revoking access to an application, limiting external access
91
Sometimes these are given for a vulnerability, an example of this is a vulnerability that may require a local login only?
Exceptions and exemptions
92
What are two ways to validate the vulnerability remediation?
Rescan and QA testing
93
In my experience, what does the navy call the process of ongoing vulnerability processing?
Continuous monitoring
94
What is an SIEM? And what does it do?
Security information and event manager, it consolidates many different logs to a central database and allows alerting and reporting on the data collected
95
What are the different logs that can be consolidated into an SIEM?
Server logs, firewall logs, database logs, Internet server, logs, VPN logs
96
What can workstation/server scanning provide to an organization? And in my experience, what am I familiar with this type of software?
It is actively checking systems and devices, and reporting back operating system type and versions, device driver, versions and installed applications…Belarc
97
What are three uses for system scan software data?
It can report on number of devices that are up-to-date and in compliance, devices running older operating systems, and when a new vulnerability is found it can identify the number systems that may be vulnerable
98
What is the average period of time for a company to identify and contain a breach?
9 months
99
What are some of the pros and cons of SIEM alerts?
The alerts can enable quick response by sending up-to-date status information
There may be false positives, and false negatives to the alerts as they will require tuning over time.
100
What are some examples of events that may trigger and SIEM alert?
An increase in authentication errors, large file transfers
101
What is SCAP? And what does it do?
Security content automation protocol… through the standards created, It allows the many available security tools to identify and act on the same criteria
102
What are some of the advantages of SCAP?
SCAO content can be shared between tools, it is especially useful in large environments with many different operating systems and applications, and the specification standard enables automation between different tools
103
What is it called when an organization applies security best practices to everything and these are well documented? In my experience what have i used?
Benchmarks, STIG checklists
104
What are some example benchmarks for a mobile device?
Disable screenshots, disable screen recordings, prevent voice calls when locked, and force encryption back ups
105
What are the two types of compliance software?
Agent and agentless
106
This type of security compliance software is installed on the device always monitors for real time notifications but must be maintained and updated?
Agent
107
This type of security compliance software does not require a installation. It performs its checks and then disappears, but will not inform or alert if it is not running?
Agentless
108
True or false antivirus and anti-malware are effectively the same these days?
True
109
What is DLP? And what does it do?
Data loss prevention…when it detects sensitive data being transmitted across the network, it will block the data in real time and prevent it from being stolen
110
What is SNMP?
Simple network management protocol
111
What is MIB stand for, and what is it? And what does it contain?
Management information base, it is a database of data… it contains OIDs which are object identifiers
112
What does SNMP do?
It polls devices at fixed intervals in order to capture data
113
What port does SNMP use?
udp 161
114
What is an SNMP trap? And what port does it use?
It is an alert that can be configured on the monitor device that if a threshold is really reached, it will send a trap which will allow the monitoring station to react immediately… it uses UDP port 162
115
What gathers traffic statistics for all network traffic flows and can be used to watch network communications?
Netflow
116
Which firewall filters traffic by port number in which by application?
Traditional, NGFW
117
When you VPN between sites, what does a firewall do with the traffic?
It encrypt the traffic
118
What other function can a firewall serve and what are some of the things that they do in that function?
They can act as layer three devices or routers, perform network address translation and dynamic routing
119
An application layer gateway, a state full multi layer inspection, deep packet inspection… These are all different names for what device?
NGFW
120
What does an NGFW do?
It analyzes, categorizes and applies a security decision to every packet
121
Name the application that operates on these ports… TCP port 80 and 443, TCP port 22, TCP port 3389, UDP port 53, UDP port 123…
Web server, SSH server, RDP, DNS query, NTP
122
With fire wall rules, where are the more specific rules generally located at? And what about the more general rules?
Usually at the top, near the bottom
123
What do firewalls include at the bottom of the rules?
An implicit deny
124
Firewalls can also include these which allow or disallow traffic by category groupings source IP destination, IP time of day?
Access control list
125
What is an additional layer of security that organizations will place between you and the Internet that allows public access to public resources and that private data remains in accessible in the internal network?
A screened subnet
126
What is usually integrated into an NGFW?
An IPS
127
What are two ways that IPS rules can be built?
Signature based and anomaly based
128
What is the web filtering called when you control web traffic based on data within the content? And what are two types?
Contant filtering… URL filtering and website category filtering
129
What is the web filtering that allows or restricts based on the URL or URI?
URL scanning
130
What do organizations use for web filtering that is installed software on all user devices?
Agent based filters
131
This device also can perform Web filtering, and it sits between the users and the external network? In addition to Web filtering what other services can this device offer?
Proxy server… cashing, access control, content scanning
132
What are three other methods of Web filtering based on the URL or IP address?
Block rules, reputation, DNS filtering
133
This method of web filtering can be performed on a specific URL, cat category of site content, and can utilize different dispositions, for example allow and alert or block and alert?
Block rules
134
This method of web filtering, filters URLs, based on their perceived risk such as trustworthy, low risk, medium risk, high risk?
Reputation
135
This method of Web filtering utilizes the IP address combined with real time threat intelligence?
DNS filtering
136
What is the database that contains everything on the network, such as computers, useraccounts, fileshares, printers, groups… It is primarily window-based?
Active directory
137
What are some examples of functionality that can be performed on active directory?
Manage user accounts, centralized access control, reset passwords
138
What can be used to manage computer or users with such things as login script, network configurations, security parameters?
Group policy
139
This adds mandatory access control to Linux?
Security enhanced Linux or SELinux
140
In Linux… what is MAC and what is DAC? Which one is traditionally used by Linux?
Mandatory access control, and discretionary access control… Linux traditionally uses DAC
141
What does MAC provide to Linux?
Least privilege
142
What are some examples of unencrypted protocols? And what are their secure alternative?
Telnet, FTP, HTTP, IMAP
SSH, SFTP, HTTPS, IMAPS
143
True or false… A generally recognized secure port number always guarantees that security is being used on that port?
False, the port number does not guarantee security, you will need to confirm the security features are enabled
144
What are three other ways to ensure secure protocols will be used?
WPA3 when using 802.11 wireless and using a VPN
145
Why is it easy to spoof an email?
Because the protocols used to transfer emails include relatively few security checks
146
What can a reputable sender do to configure email validation?
Configure email validation on the senders DNS server
147
What can be set up to evaluate the source of inbound email messages and block it before it reaches the user if need be?
A mail gateway
148
What is SPF? And what does it do?
Sender policy framework… It is a list of authorized sending mail servers that are added to a DNSTXT record. The receiving mail server will perform a check to see if the incoming mail really did come from an authorized host.
149
What is DKIM? And what does it do?
Domain keys identified mail… The outgoing email server will digitally sign all outgoing email and the receiving email server will validate the signature… The public key is contained in the DKIM TXT record
150
What is DMARC? And what does it do?
Domain based message, authentication, reporting and conformance… This is an extension of SPF and DKIM and the policy is written into a DNS TXT record… the domain owner will decide what receiving email servers should do with emails not validated using SPF and DKIM. This data can be used for reporting purposes…
151
What is FIM? And what does it do?
File integrity monitoring… It monitors, important operating system, and application files For when changes occur…
152
What is windows FIM and what is Linux FIM?
System file checker SFC and tripwire
153
Where are three places that DLP systems are installed and what are they monitoring?
On individual computers for data and use, on a network for data in motion, on a server for data at rest
154
What is USB blocking?
It is deployed on workstation and bands, removable flash media and storage devices
155
In addition to local computer, server and network installations, where else can DLP be implemented?
Cloud and email… for the cloud it can manage access to URLs and block viruses and malware… For email it can monitor every inbound and outbound email including attachments
156
Why is the endpoint so important for security? And why is it so difficult?
Because it’s the common place for all inbound and outbound attacks… And it is difficult because there are so many different types of platforms to protect
157
What is it called to perform a health check on a device before connect to the network? And what sort of checks are performed?
Posture assessment… Is it a trusted device, is it running an up-to-date antivirus, or the applications installed trusted by the organization…
158
What are the three types of agents that perform a posture assessment?
Persistent agent, dissolvable agent, agentless NAC
159
Which posture assessment agent is permanently installed on a system and requires periodic updates?
Persistent agent
160
Which posture assessment agent requires no installation and runs during the posture assessment terminates when no longer required?
Dissolvable agent
161
Which posture assessment agent integrates with active directory, and the checks are made during login and log off?
Agentless NAC
162
What happens when a device fails a posture assessment
The device is not allowed to connect to the network… It can connect to a quarantine network in order to get the device up-to-date
163
What is EDR? And what does it do?
And point detection and response… It can detect, investigate, and respond to a threat
164
What does EDR use to detect a threat?
Behavioral analysis, machine learning, and process monitoring
165
What is XDR? And what does it do?
Extended detection and response… It is a further evolution of EDR that improves on miss detections, false positives, and long investigation times… It also can investigate and respond to network anomalies
166
How does XDR work?
It watches users, hosts, network traffic and creates a baseline of normal activity. After the baseline is established, it uses a set of rules pattern matching in statistical analysis to watch for anything unusual.
167
What is IAM? And what does it do?
Identity and access management… It ensures the right permissions are given to the right people at the right time to prevent unauthorized access
168
With IAM, every entity, both human and non-human gets a what?
Digital identity
169
An IAM what is it called to track and entities resource access?
Identity governance
170
AnIAM, what are the events that could cause provisioning and or deprovisioning to occur?
Hiring, transfers, promotions, job separation
171
In IAM, what is an important part of the process?
An initial checkpoint to limit access and nobody gets administrator access
172
In IAM, no privileged access is given to what?
The operating system
173
In IAM, How does identity proofing occur?
My validation using such things as password and security questions… And by verification/attestation using such things as a passport, drivers license, in person meeting…
174
What is it called when credentials are provided one time and that can be used across multiple resources and or systems?
Single sign on
175
What is LDAP? And what specification does it use?
Lightweight directory access protocol… X.500
176
How does LDAP work with X.500?
LDAP is the protocol used to query and update an X.500 directory
177
What structure is the X.500 directory? And what are the two objects called with examples?
Hierarchical or tree structure… Container object (country, organization, organizational unit), and leaf object (users, computers, printers, files)..
178
What is SAML? And what does it do?
Security assertion, markup language… It is an open standard for authentication and authorization
179
What is the authorization framework that was created by Twitter, Google and others that provides significant industry support?
OAuth
180
What is the process that allows authentication and authorization between several networks that also requires a trust relationship between them?
Federation
181
What is it where there are many different ways to communicate with an authentication server across multiple device types?
Interoperability
182
With authorization the process of ensuring only authorized rights are exercised is called what?
Policy enforcement
183
With authorization, the process of determining rights is called what?
Policy definition
184
This type of access control limits the object based on security levels, a label and predefined rules on those objects?
Mandatory access control or MAC
185
With this type of access control, it is used and most operating systems the owner establishes who can access their objects?
Discretionary access control, or DAC
186
This type of access control is defined by the role in the organization?
Role based access control or RBAC
187
This type of access control is determined through system enforced rules, and the rule is associated with the object?
Rule-based access control
188
This type of access control is considered a next generation authorization model which combines an evaluates multiple parameters, such as resource information, IP address, time of day, desired action, relationship to the data?
Attribute based access control or ABAC
189
An access control what is it called when you secure objects based on certain times or days of the week?
Time of day restrictions
190
What are the different factors in MFA?
Something you know, something you have, something you are, somewhere you are
191
In MTA, a password, a pin, a pattern or all what factor?
Something you know
192
In MTA, a smart card a USB security key, a hardware or software token or your phone or all what factor?
Something you have
193
In MTA, a biometric authentication such as a fingerprint, an Irish scan, a voice print are all examples of what factor?
Something you are
194
In MTA, an IP address or a mobile device location are examples of what factor?
Somewhere you are
195
What is password entropy?
The process of increasing a password complexity
196
What can be used to store all of your passwords?
Password manager
197
What are some examples of password less authentication?
Facial recognition or a security key
198
What type of authentication creates a time limited account where the credentials are used for one session and then are deleted?
Just in time permissions
199
What are the four steps to the incident response lifecycle?
Preparation, detection and analysis, containment/eradication/recovery, post incident activity
200
What are five ways to prepare for an incident?
Team communication methods, incident handling hardware and software, incident analysis resources, incident mitigation software, the policies needed for incident handling
201
True or false it is generally a good idea to let an incident run its course
False
202
After an incident occurs, what should occur within an organization after the incident has been resolved?
Lessons learned sessions
203
What can organizations do to test themselves before an actual event?
Perform an exercise or tabletop
204
What is the process to determine the ultimate cause of an incident by asking why?
Root cause analysis
205
What is the process to collect and protect information relating to an intrusion?
Digital forensics
206
What is a legal technique to preserve relevant information to prepare for impending litigation and is initiated by legal counsel?
A legal hold
207
What is usually required when needing to store copies of different data sources and data types during an investigation?
A separate repository for electronically stored information ESI
208
What is called to maintain the integrity of the data during investigation and includes everyone who contacts the evidence uses hashes and digital signatures
Chain of custody
209
During digital forensics, what is the process called to gather all of the needed data?
E discovery
210
True or false E discovery also includes analysis of the data
False
211
Name five types of log files instrumental in detecting and stopping an attack?
Security logs, firewall logs, application logs, endpoint logs, operating system, specific security logs, IPS and IDS logs, network logs
212
What is data that describes other data sources?
Meta-data
213
What can be used to detect a lack of security controls for example no firewall, no antivirus, no anti-spyware and miss configurations, like open shares, and guest access accounts?
Vulnerability scans
214
What can an SIEM produce that serve as an alert?
Automated reports, think SPLUNK
215
What can SIEMs Produce that display summaries on a single screen?
A dashboard
216
What can be used to solve complex application issues by viewing detailed network traffic information?
Packet capture
