2-Technologies and Tools

Question 1

What is the purpose of a Firewall?

Answer 1

To isolate one network from another

Question 2

Are firewalls hardware or software based?

Answer 2

They can be either

Question 3

How can firewalls be used internally?

Answer 3

They can segment one area from another i.e. PCI from R&D

Question 4

What types of Firewalls exist?

Answer 4

Packet Filtering
Proxy Firewall
Stateful Packet Inspection Firewall
Web Application Firewall

Question 5

What does a Packet Filtering firewall do?

Answer 5

Allows or blocks traffic based on port (i.e. HTTP on port 80)
No intelligence, but easy to setup.

Question 6

What does a Proxy firewall do?

Answer 6

Dual-homed firewall
Segments internal users from outside world
Masks IP address using NAT
Cache requests to improve perceived speed

Question 7

What does a Stateful Packet Inspection firewall do?

Answer 7

Examines packets and keeps packet table of every communication channel
SPI tracks the entire conversation
Only allows packets from known active connections
Possible to attack by overloading the State Table

Question 8

What does a Web Application Firewall do?

Answer 8

Operates at the application layer
designed with granular rules specifically to analyze traffic to web servers and prevent typical attacks such as SQL injection, XSS, Forged HTTP requests

Question 9

What is a VPN?

Answer 9

Creates a private network across a public network utilizing tunneling protocols such as L2TP, PPTP, IPSEC

Question 10

What is IPSeC?

Answer 10

Internet Security Protocol used to encrypt VPN traffic

Question 11

What is an Authentication Header?

Answer 11

Provides authentication and integrity by adding a header to the packet

Question 12

What is Encapsulating Secure Payload?

Answer 12

Provides confidentiality

Header, trailer and check value added to packet (ICV)

Question 13

What is a NIDS?

Answer 13

Network Intrusion Detection System
Logs alerts and events
Allows for reactive response/research

Question 14

What is a NIPS?

Answer 14

Network Intrusion Prevention System
Enables prevention (blocking IP, etc.)
False positives could be an issue

Question 15

What can NIDS and NIPS be used for?

Answer 15

Log, alert and/or take action when suspicious activity occurs on network.

Question 16

What is the difference between active and passive systems?

Answer 16

Active systems can take action to prevent an attack

Passive systems record activity for later analysis

Question 17

What are the components of a NIDS or NIPS and what is their purpose?

Answer 17

Alert - message generated by analyzer indicating an “interesting” event
Analyzer - processes data collected from one or more sensors and looks for suspicious activity
Data Source - raw data being analyzed - log files, audit logs, system logs, network traffic, etc.
Event - indication that suspicious activity may have occurred (can trigger an Alert or notification)
Manager - IDS console used to manage the system
Notification - Process by which operator is alerted to an event or incident
Operator - User, admin, etc.
Sensor - primary data collection point for the IDS

Question 18

What are the four approaches to IDS?

Answer 18

Behaviour Based - variations in behaviour, increased traffic, etc.
Signature Based - uses attack signatures and audit trails
Anomaly Detection - learns what is normal
Heuristic - utilizes algorithms

Question 19

What is Passive Response?

Answer 19

Logging issues for later analysis
Notifying admin or kick off some type of workflow
Shunning or ignoring the attack

Question 20

What is Active Response?

Answer 20

Issue some type of action
Block Ports
Reset Connections
Configuration changes

Question 21

What is Deception?

Answer 21

Using a honeypot.

Question 22

What is a Router?

Answer 22

Connects different networks together and routes traffic between them
Can provide firewall functionality

Question 23

What is the difference between a static and dynamic route?

Answer 23

Static are programmed manually

Dynamic are learned as routers communicate with each other

Question 24

What are four common routing protocols?

Answer 24

RIP
EIGRP
OSPF
BGP

Question 25

What are switches?

Answer 25

Multiport connectivity devices that improve network efficiency

Question 26

What is Port Security?

Answer 26

Can configure a switch so that it only learns one MAC address per port (can be set to trigger alert)
Can be used in conjunction with 802.1x to strengthen security at the wall jack

Question 27

What is 802.1x Authentication?

Answer 27

Extensible Authentication Access Protocol over LAN
Form of port security
Allows only EAPOL traffic over port until client authenticates with a RADIUS authentication server

Question 28

What is Loop Protection?

Answer 28

Layer 3 routers implement TTL
Each router hop decrements the TTL
Packet dropped once TTL expires

Question 29

What is Spanning Tree Protocol?

Answer 29

Typically enabled to prevent layer 2 loops

Switches can also “clamp down” once broadcasts hit a certain percentage

Question 30

What are Load Balancers?

Answer 30

Dynamically balance the load between devices
Typically servers but can be other devices as well
Hardware or software based

Question 31

What are the Load Balancing methods?

Answer 31

Affinity

Round-Robin

Question 32

What is a Web Security Gateway?

Answer 32

Proxy server with advanced features such as virus scanning, DLP, etc.
Can enable granular access to websites, block sites, etc.

Question 33

What are some basic ways to secure a wireless access point?

Answer 33

Don’t broadcast SSID
MAC filtering
Common Sense administration

Question 34

What is SIEM?

Answer 34

Security Information and Event Management (SIEM)
Software suites that provide:
Data aggregation
Correlation
Automated alerting and triggers
Time synchronization
Event deduplication
Logs/WORM

Question 35

What is DLP?

Answer 35

Data Loss Prevention

Detects potential breaches and exfiltration of data

Question 36

What are common methods of DLP?

Answer 36

Endpoint detection (in use)
Network Traffic (in transit)
Data Storage (at rest)
Email
USB
Cloud-based

Question 37

What are the three types of data to secure?

Answer 37

Data in-transit
Data at-rest
Data in-use

Question 38

What is Network Access Control?

Answer 38

Set of policies that define a minimal set of requirements each device must have before being allowed on the network
Devices can be denied access or places in a secure zone until requirements are met

Question 39

What is a NAC permanent agent?

Answer 39

Persistent agent that is installed on the host device and runs continuously

Question 40

What is a NAC dissolvable agent?

Answer 40

Agent that is run from a portal

User downloads the agent, runs it once then disappears.

Question 41

What is an agentless NAC?

Answer 41

Embedded within AD, NAC code verifies the host complies with access policies.

Question 42

What is Trust Platform Module?

Answer 42

Hardware chip embedded on a computer’s motherboard used to store cryptographic keys used for encryption

Question 43

What is a Hardware Security Module?

Answer 43

Similar to TPM, but are removable/external devices that can be added later
Used for encryption using RSA keys.

Question 44

What is a Mail Gateway?

Answer 44

Spam Filter
DLP
Encryption

Question 45

What should be established when assessing the security posture of an organization?

Answer 45

Security baseline to help understand what is normal and to help easily identify anomalies

Question 46

What is a protocol analyzer?

Answer 46

Packet sniffer

Captures packets as they traverse a network

Question 47

What are network scanners used for?

Answer 47

Network mapping, port scanning, vulnerability scanning, penetration testing

Question 48

What is a Port Scanner?

Answer 48

Can scan an IP address or range for open ports

Fingerprints what type of OS, apps, services a host is running

Question 49

What are Wireless Scanners/Crackers?

Answer 49

Tools that can crack WEP and WPA, find hidden networks, issue DOS attacks, MiTM attacks, etc.

Question 50

What are the top 5 things vulnerability scanners do?

Answer 50

Passively test security controls
Interpret results
Identify vulnerabilities
Identify lack of security controls
Identify common misconfigurations

Question 51

What are Exploitation Frameworks?

Answer 51

Toolset such as Metasploit that can be used offensively or defensively and are often used by pen testers as well as hackers.

Question 52

What is the difference between wiping and deleting data?

Answer 52

Deleting doesn’t destroy the data until it is overwritten

Wiping overwrites data x number of times to ensure it cannot be recovered

Question 53

How are SSD disks sanitized?

Answer 53

Reset the NAND and marks all blocks as empty

Question 54

What is the DoD 5220.22-M Standard for data sanitzation?

Answer 54

Pass 1: writes a zero and verifies the write
Pass 2: writes a one and verifies the write
Pass 3: writes a random character and verifies the write

Question 55

What is the RCMP CSEC ITSG-06 standard?

Answer 55

Pass 1: writes a one or zero
Pass 2: writes the complement of the previously written character
Pass 3: Writes a random character and verifies the write

Question 56

What is Secure Erase?

Answer 56

Pass 1: writes a binary one or zero

Very fast and only available for whole disk sanitization

Question 57

What is Steganography?

Answer 57

Hiding something inside of something else
Documents can be hidden inside MP3 files, images, video files
Difficult to detect

Question 58

What is a Honeypot?

Answer 58

Computers or hosts that are setup specifically to become targets of an attack so that attackers can be monitored

Question 59

What is a Honeynet?

Answer 59

Similar to Honeypot but larger in scale

Network setup intentionally for attack

Question 60

What is Banner Grabbing?

Answer 60

Used to provide information about a service running on a particular port
Common with Telnet or Netcat

Question 61

What is the issue with unencrypted credentials?

Answer 61

They are easily sniffed and captured while in transit or stored.

Question 62

How should logs and event anomalies be treated?

Answer 62

Logs should be monitored and reviewed
Triggers setup to capture events
Logs should be aggregated and correlated across devices
Identify patterns and establish baselines

Question 63

How should access violations be treated?

Answer 63

Baselines should be established in order to identify if the event was outside the norm

Question 64

What are some common security issues with certificates?

Answer 64

Can result in people having access they shouldn’t

Mechanisms not in place to quickly recall/replace compromised certificates

Question 65

What are examples of weak security protocols that should not be in use?

Answer 65

WEP, WPA, RC4, DES, 3DES

Question 66

How can personnel issues affect security?

Answer 66

Social engineering
Personal email
Insider threats
Policy violations
Social Media

Question 67

What are the issues with unauthorized software?

Answer 67

Pirated software often contains malware
Security implications if software is not vetted
Potential licensing and copyright violations
Unknown intent (i.e. steganography)

Question 68

Where should baselines be established?

Answer 68

Anything that needs to be monitored.

Question 69

Why is Asset Management important to security?

Answer 69

Compliance/Licensing
Patching/Updates
Hard to monitor what you don’t know about

Question 70

What are HIDS/HIPS?

Answer 70

Like NIDS/NIPS but host based

Question 71

What is an Antivirus?

Answer 71

Software that detects viruses, malware, and in some cases rootkits and ransomware.
Standalone or network based.

Question 72

What is file integrity checking?

Answer 72

Protects against tampering by ensuring that a file hasn’t been modified.
Compares current state to a known good state.

Question 73

What is a host-based firewall?

Answer 73

Protect single host only

usually by restricting applications

Question 74

What is application whitelising?

Answer 74

A list of applications that are allowed to run on a host

Question 75

What is application blacklisting?

Answer 75

Explicitly lists applications that are blocked. Allows others to run.

Question 76

What is Unified Threat Management?

Answer 76

Multi-purpose suite of tools that provide:
Firewall
NIDS/NIPS
Gateway Anti-virus/Anti-spam
VPN Functionality
Content filtering
Load Balancing
Data Loss Prevention

Question 77

What is Data Loss Prevention?

Answer 77

Tools that can reside locally on a host or centrally on a server/perimeter or be cloud based.
Scans for sensitive information leakage (at-rest, in-use, in-transit)
PII, PCI data

Question 78

What is Data Execution Prevention?

Answer 78

System-level memory protection
Marks pages of memory as non-executable, preventing code from bring run from those locations
protects again buffer overruns

Question 79

What is a Web Application Firewall?

Answer 79

Hardware or Software based

Protects HTTP communication from XSS, SQL injectiion, etc.

Question 80

What are some risks with cellular devices?

Answer 80

No password/PIN
Unpatched OS or apps
Jailbreaking/rooting
Unauthorized applications
Malware

Question 81

What are some methods to secure mobile devices?

Answer 81

Authentication/two-factor authentication
Verify and authenticate downloaded applications
anti-malware software
firewalls
remote disable/wiping
encryption

Question 82

What are some ways to secure WiFi?

Answer 82

Disable SSID
MAC filtering
Require secure connectivity protocols (WPA2-PSK AES)

Question 83

What is NFC?

Answer 83

Used commonly for things like contactless payment systems

Question 84

How can you secure NFC communications?

Answer 84

By encrypting

Question 85

What are some good corporate policies to implement around mobile devices?

Answer 85

Strong passwords
Lock screens/screensavers
Disabling unnecessary services
application/software control

Question 86

How can you help secure mobile device authentication?

Answer 86

PKI/Digital Certificates
Enforce password policies
VPN/Two-factor (RSA)

Question 87

What is Geo-Tagging?

Answer 87

Pictures and documents can be tagged with GPS coordinates of where it was made
Potential security risk as it can expose location

Question 88

What is Context-Aware Authentication?

Answer 88

Type of two-factor authentication (2FA) that provides a more frictionless experience
Uses pre-defined rules to determine authentication or if more stringent challenge should be used

Question 89

What are three mobile device deployment models?

Answer 89

BYOD - Bring Your Own Device
COPE - Corporate Owned, Personally Enabled
CYOD - Choose Your Own Device

Question 90

What is DNSSEC?

Answer 90

DNS Security Extensions
Designed to add security to DNS
All responses from DNSSEC servers are digitally signed, authenticating their origin
Does not provide confidentiality as data is not encrypted