Chapter 12

Question 1

Selection of effective controls

Answer 1

A key component in securing networks and requires both an understanding of threats and the controls that can address them.

Question 2

Open Systems Interconnection (OSI)

Answer 2

Used to describe how devices and software operate together through networks. There are 7 Layers:
1. Physical Layer
2. Data Link Layer
3. Network Layer
4. Transport Layer
5. Session Layer
6. Presentation Layer
7. Application Layer

Question 3

Security Zone

Answer 3

Network segments, physical or virtual network segments, or other components of an infrastructure that are able to be separate from less secure zones through logical or physical means.

Question 4

Connectivity Considerations

Answer 4

Include how the organization connects to the internet, whether it has redundant connections, how fast the connections are, what security controls the upstream connectivity provider can make available, and what type of connectivity is in use.

Question 5

Failed-Closed

Failure Mode States

Answer 5

A device/system that shuts down or restricts access when a failure occurs, prioritizing security over availability. This approach ensures that if a security mechanism fails—such as a firewall or authentication system—it blocks all access rather than allowing unauthorized entry.

Question 6

Failed-Open

Failure Mode States

Answer 6

A device/system that allows access when a failure occurs, prioritizing availability over security. If a security mechanism—like a firewall or authentication system—fails, it remains open, allowing traffic or users to continue operating without restriction.

Question 7

Network Taps

Answer 7

Devices used to monitor or access traffic.

Question 8

Active or Passive

Answer 8

The device/system is either powerdor not powered. A passive device can’t lose power.

Question 9

Physcial Isolation

Answer 9

Also known as air-gapped, the idea of separating devices so that there is no connection between them.

Question 10

Logical Segmentation

Answer 10

Done using software or settings rather than a physical separation.

Question 11

What are examples of secure protocols?

Implementation of secure protocols

Answer 11

The use of HTTPS (TLS) instead of unecrypted HTTP, using SSH instead of Telnet, and wrapping other services using TLS.

Question 12

Protocol Selection

Implementation of secure protocols

Answer 12

Defaults to using the secure protocol if it exists and is supported.

Question 13

Reputation

Answer 13

Describes services and data feeds that track IP addresses, domains, and hosts that engage in malicious activity.

Question 14

Software-Defined Networking

Answer 14

A network that is controlled and configured using code
and software.

Question 15

Software-Defined Wide Area Networking (SD-WAN)

Answer 15

A virtual wide area network design that can combine multiple connectivity services for organizations. Commonly used with Multiprotocol Label Switching (MPLS), 4G and 5G, and broadband route traffic based on application requirements while controlling costs by using less expensive connection methods.

Question 16

Multiprotocol Label Switching (MPLS)

Answer 16

A networking technique that speeds up data transmission by using labels instead of traditional IP routing. Instead of routers making independent forwarding decisions, MPLS establishes predefined paths for packets, improving efficiency and reducing latency.

Question 17

Secure Access Service Edge (SASE)

Answer 17

Combines virtual private networks, SD-WAN, and cloud-based security tools like firewalls, cloud access security brokers (CASBs) and zero-trust networks to provide secure access for devices regardless of their location.

Question 18

Network Segmentation

Answer 18

Divides a network into logical or physical groupings that are frequently based on trust boundaries, functional requirements, or other reasons that help an organzation apply controls or assist with functionality.

Question 19

Broadcast Domain

Answer 19

A segment of a network in which all devices or systems can reach one antoher via packets sent as a broadcast at the Data Link Layer.

Question 20

Screened Subnets

Implementations of Network Segmentation

Answer 20

Often called Demilitarized Zones (DMZ), are networks zones that contain systems that are exposed to less trusted areas.

Question 21

Intranets

Implementations of Network Segmentation

Answer 21

Internal networks set up to provide information to employees or other members of an organization, and they are typically protected from external access.

Question 22

Extranets

Implementations of Network Segmentation

Answer 22

Networks that are set up for external access, typically by partners or customers rather than the public at large.

Question 23

Zero Trust Architecture (ZTA)

Answer 23

Zero Trust Architecture (ZTA) is a cybersecurity framework that eliminates implicit trust and continuously verifies users, devices, and network activity before granting access. Unlike traditional security models that assume everything inside a network is safe, ZTA operates under the principle of “never trust, always verify.”

Question 24

Subjects

Zero Trust Architecture (ZTA)

Answer 24

The users, services, or systems that request access or attempt to use rights.

Question 25

Policy Engines ## Footnote Zero Trust Architecture (ZTA)

Answer 25

Make policy decisions based on both rules and external systems.

Question 26

Policy Administrators ## Footnote Zero Trust Architecture (ZTA)

Answer 26

Not actual people. They are components that establish or remove the communication path between subjects and resources, including creating session-specific authentication tokens or credentials as needed.

Question 27

Policy Enforcement Points ## Footnote Zero Trust Architecture (ZTA)

Answer 27

They communicate with Policy Administrators to forward requests from subjects and to receive instruction from the policy adminstrators about connections to allow or end.

Question 28

Control Plane ## Footnote Zero Trust Planes

Answer 28

The control plane is compose of four components: 1. Adaptive Identity 2. Threat scope reduction 3. Policy drivien access control 4. Policy administrator

Question 29

Adaptive Identity ## Footnote Control Plane

Answer 29

Often called adaptive authentication, it leverages context- based authentication that considers data points like where the user is logging in from, what device they are logging in from, and whether the device meets security and configuration requirements.

Question 30

Threat Scope Reduction ## Footnote Control Plane

Answer 30

A key component in Zero Trust design. Limiting the scope of what a subject can do or what access to a resource allows limits what can go wrong if an issue does occur.

Question 31

Policy-Driven Access Control ## Footnote Control Plane

Answer 31

A core concept for Zero Trust policy engines that relies on policies as they make decisions that are then enforced by the security administrator and policy enforcement points.

Question 32

Data Plane ## Footnote Zero Trust Planes

Answer 32

Composed of three components: 1. Implicit Trust Zones 2. Subjects and systems 3. Policy Enforce Point

Question 33

Implicit Trust Zones ## Footnote Data Plane

Answer 33

Allow use and movement once a subject is authenticated by Zero Trust Policy Engine.

Question 34

Subjects and Systems ## Footnote Data Plane

Answer 34

(Subject/System) The devices and users that are seeking access.