CISSP Domain 4: Assessing and Implementing Secure Principles in Network Architectures Flashcards

1
Q

What’s Keep it Simple?

A
  • complexity is the worst enemy of security
  • best-in-suite over best-in-breed solutions is one approach used to simplify defense in depth
  • simplicity helps to avoid configuration mistakes
  • enables organizations to move forward improving incrementally, rather than demanding perfection
2
Q

What does Best-in-Suite mean?

A
  • a software solution that offers a comprehensive and integrated set of functionalities within a single package or suite
  • a software vendor strives to deliver a cohesive and unified solution where different modules or components seamlessly work together
3
Q

What does Best-in-Breed mean?

A
  • software approach that focuses on selecting and integrating individual software applications or solutions that are considered the best or most specialized in their respective domains
  • prioritizes functionality and performance over integration and consolidation
4
Q

Which IEEE standard defines bluetooth?

A

802.15

5
Q

What type of network architecture is bluetooth?

A

Personal Area Network (PAN)

6
Q

How are connections set up with bluetooth?

A

with pairing, where the primary device scans the 2.4 GHz radio frequencies for available devices

7
Q

What mechanism prevents accidental pairing?

A

4-digit code (often 0000)

8
Q

What’s bluejacking?

A
  • annoyance where pranksters push unsolicited messages to engage or annoy other nearby bluetooth users by taking advantage of a loophole in the technology’s messaging options
9
Q

What’s bluesnarfing?

A
  • data theft
  • thieves wirelessly connect to some early bluetooth enabled mobile devices without the owner’s knowledge to download and/or alter phonebooks, calendars or worse
10
Q

What’s bluebugging?

A
  • attack that grants hackers remote control over the features and functions of a bluetooth device
  • could include the ability to turn on the microphone to use the phone as an audio bug
11
Q

How do wireless networks announce their SSID on a regular basis?

A

broadcast with a beacon frame

12
Q

Hiding SSID is considered which security technique?

A

security through obscurity

13
Q

What does SSID stand for?

A

Service Set Identifier

14
Q

What is TKIP and what does it stand for?

A
  • Temporal Key Integrity Protocol
  • designed to replace WEP without the need to replace legacy hardware
15
Q

What was TKIP implemented into?

A

802.11 wireless networking under the name WPA (Wi-Fi Protected Access)

16
Q

What’s CCMP?

A
  • Counter Mode with Cipher Block Chaining Message Authentication Code Protocol
  • uses AES 128
  • created to replace WEP and TKIP (WPA)
  • used with WPA2, which replaced WEP and WPA
17
Q

What’s Fibre Channel?

A

a form of network data storage solution (SAN or NAS) that allows for high-speed file transfers

18
Q

What’s Fibre Channel Over Ethernet (FCoE)?

A

used to encapsulate Fibre Channel communication over Ethernet networks

19
Q

What’s iSCSI?

A
  • stands for Internet Small Computer System Interface
  • networking storage standard based on IP
20
Q

What’s a Site Survey?

A

process of investigating the presence, strength and reach of wireless access points deployed in the environment

21
Q

What does EAP stand for?

A

Extensible Authentication Protocol.

22
Q

What’s PEAP?

A
  • encapsulates EAP methods within a TLS tunnel that provides authentication and potentially encryption
  • P stands for Protected
23
Q

What’s LEAP?

A
  • Cisco’s proprietary alternative to TKIP and WPA
  • developed to address deficiencies in TKIP before the 802.11i/WPA2 system was ratified as a standard
24
Q

What are the different antenna types? (7)

A
  • monopole
  • panel
  • dipole
  • loop
  • cantenna
  • yagi
  • parabolic
25
What is a loop antenna used for and how does it receive signal?
  • used for TV and RFID systems
  • omnidirectional if horizontally mounted
26
What is a monopole antenna used for and how does it receive signal?
  • can send and receive signals in all directions perpendicular to the line of the antenna itself
  • used with Wi-Fi routers
27
What is a dipole antenna used for and how does it receive signal?
  • omnidirectional antenna essentially composed of two monopoles
  • generates a powerful signal in a restricted space
28
What is a panel antenna?
flat devices that focus from only **one side** of the panel
29
What is a parabolic antenna?
used to focus signals from very long distances or weak sources
30
What is a yagi antenna?
crafted from a straight bar with cross sections to catch specific radio frequencies in the direction of the main bar
31
What is a cantenna?
  • constructed from tubes with one sealed end
  • focuses along the direction of the open end of the tube
32
What are examples of some of the private circuit technologies?
  • PPP
  • SLIP
  • ISDN
  • DSL
  • dedicated or leased lines
33
What are examples of packet switching WAN technologies?
  • use virtual circuits - efficient and cost effective
  • X.25, Frame Relay
  • Asynchronous Transfer Mode (ATM)
  • Synchronous Data Link Control (SDLC)
  • High-Level Data Link Control (HDLC)
34
What's a circuit-level firewall?
  • firewall that operates at the session layer (Layer 5) of the OSI model
  • works by monitoring the TCP handshaking process between two network endpoints (usually a client and a server) without inspecting the contents of the actual data being transmitted
35
What's the main function of a circuit-level firewall?
  • establish and manage network connections or sessions between internal and external networks
  • ensures that the connections are legitimate and authorized based on a set of predefined rules
  • once a connection is established, the circuit-level firewall creates a virtual circuit, or "stateful connection," allowing subsequent packets to pass through without further inspection. It maintains information about the state of the connection, including source and destination IP addresses, ports, and connection status
36
Do circuit-level firewalls inspect content?
they **do not** inspect the content of the data packets, making them less effective at detecting and blocking specific types of attacks or malicious activities
37
What's an example of a circuit-level firewall?
SOCKS (Socket Secure)
38
What's deep packet inspection?
packet inspection that inspects and filters both the header and payload of a packet that is transmitted through an inspection point
39
Describe IDS
  • analyzes whole packets - both headers and payload, looking for known events
  • when a known event is detected, a log message is generated
  • reports and alerts
40
Describe IPS
  • analyzes whole packets - both headers and payload, looking for known events
  • when a known event is detected, the packet is rejected
  • blocks
41
What's a Behavior-Based IDS?
  • creates a baseline of activity to identify normal behavior and then measures system performance against the baseline to detect abnormal behavior
  • can detect unknown attack methods
42
What's a Knowledge-Based IDS?
  • uses signatures similar to the signature definitions used by anti-malware software
  • only effective against known attack methods
43
What's a bastion host?
computer or appliance that is **exposed on the internet** and has been **hardened** by removing unnecessary elements such as services, programs, protocols and ports
44
What's a Screened Host?
firewall-protected system logically positioned just inside a private network
45
What's a screened subnet?
similar to the screened host in concept, except a subnet is placed between two routers or firewalls and the bastion host(s) is located within that subnet
46
What's the purpose of a Honeypot?
  • only entice, not entrap
  • attackers shouldn't be able to download items with enticement
  • allowing them to download a fake payroll file would be entrapment, which has different implications with law enforcement
47
What's the goal of a Honeypot?
distract attackers from real assets and isolate them in a padded cell until they can be tracked down
48
What's Zigbee?
low-power, low-data-rate wireless communication standard designed for applications in home automation, industrial automation, and sensor networks
49
What are the frequency bands of Zigbee?
2.4 GHz or sub-GHz frequency bands
50
What are the priorities of Zigbee?
  1. efficient energy consumption
  2. long battery life
  3. device interoperability
51
What are Zigbee security risks?
  • weak encryption or insecure key management
  • unauthorized device pairing
  • network vulnerabilities
52
What does Li-Fi stand for?
Light Fidelity
53
What does Li-Fi use to transmit data?
  • visible light or infrared signals
  • leverages light-emitting diodes (LEDs) to transmit data by modulating the light intensity at high speeds
54
What are the advantages of Li-Fi?
  1. high data rates
  2. increased security
  3. resistance to electromagnetic interference
55
What are the disadvantages of Li-Fi?
  1. limited range
  2. requires a direct line of sight (cannot penetrate walls)
56
What are the main advantages of satellite communication?
  1. communication over long distances
  2. enables connectivity in areas where traditional terrestrial networks may not be available or practical
57
What is the download speed range for 5G?
gigabits per second (Gbps)
58
What is the latency range for 5G?
single-digit milliseconds range
59
What security improvements does 5G offer?
  1. stronger encryption algorithms
  2. secure authentication protocols
  3. network segment isolation
60
What happens when a user requests content from a CDN?
  1. the CDN's edge server determines the closest PoP to the user and delivers the content from that location
  2. the content may be cached at the edge server, or if it's not available, the edge server retrieves it from the origin server and caches it for future requests
61
What's a CDN?
geographically distributed network of servers and data centers that work together to deliver content efficiently over the internet
62
What's a hosted CDN?
  • type of CDN service that is provided and managed by a third-party company or service provider
  • content provider (such as a website owner) contracts with a CDN provider to use their distributed network of servers to store and deliver content on their behalf
  • CDN provider takes care of managing the infrastructure, network, and delivery mechanisms, allowing the content provider to offload the burden of content distribution and delivery from their own origin server
63
Name some companies that provide hosted CDN services
  • CloudFlare
  • CloudFront
  • Akamai's Edge
64
What are the 7 types of CDN?
  1. Private CDN
  2. Peer-to-Peer CDN (P2P CDN)
  3. Telco CDN
  4. Hybrid CDN
  5. Software-Defined CDN (SD-CDN)
  6. Transparent CDN
65
Describe Private CDN
dedicated content delivery network that is exclusively owned and operated by a single organization
66
Describe Peer-to-Peer CDN (P2P CDN)
  • utilizes the combined resources of users' devices (peers) to distribute and deliver content
  • when a user requests content, the CDN software on their device fetches the content from both the origin server and other nearby users who have already cached the content
67
Describe Telco CDN
  • operated by telcos
  • leverages the telcos' extensive network infrastructure to cache and deliver content to end-users
68
Describe Hybrid CDN
  • combines elements of both private CDNs and hosted CDNs
  • organization may operate its private CDN for specific content and regions while also using a hosted CDN service for additional global coverage or to handle spikes in traffic
69
Describe Software-Defined CDN
  • CDNs that utilize software-defined networking (SDN) principles to provide dynamic and flexible content delivery capabilities
  • SD-CDNs can adapt to changing network conditions, traffic patterns, and content availability, optimizing content delivery based on real-time data and analytics
70
Describe Transparent CDN
  • integrated with a website or application at the network level, so end-users are unaware that they are accessing content through a CDN
  • ensures that the user experience remains seamless and that the content is delivered efficiently without any visible changes to the URL or browsing experience
71
Describe Wi-Fi Infrastructure Mode
  • most common mode of operation in Wi-Fi networks
  • devices connect to a central wireless access point (AP) or router
  • devices do not directly communicate with each other; instead, they send and receive data through the access point
  • typically used in home and enterprise environments where multiple devices need to connect to the same network and access shared resources like the internet or networked printers
72
Describe Wi-Fi Wired Mode
  • access point is physically connected to a wired network infrastructure, such as an Ethernet LAN
  • AP uses a wired connection to communicate with the rest of the network and the internet
  • commonly used when the access point is deployed in areas where running Ethernet cables is feasible, such as in office buildings or large homes
73
Describe Wi-Fi Ad hoc Mode
  • also known as peer-to-peer mode
  • allows devices to connect directly with each other without the need for a central access point
  • devices create a temporary network on the fly, allowing them to share files, data, or services directly with each other
  • useful in situations where a quick and direct connection between devices is needed, and no centralized infrastructure is available
74
Describe Wi-Fi Standalone Mode
  • default operation of an individual wireless access point
  • access point operates independently and is not part of a larger controller-based system
  • functions as a single entity, providing wireless connectivity to connected devices and managing its settings and configurations on its own
  • commonly used in small to medium-sized environments where a single access point can adequately cover the required area
75
What does PAP stand for?
Password Authentication Protocol
76
Where is PAP primarily used?
Point-to-Point Protocol (PPP) connections
77
Where are Point-to-Point Protocol (PPP) connections commonly employed?
  • dial-up connections
  • Virtual Private Networks (VPNs)
  • some types of broadband connections
78
Are credentials protected when being sent in PAP?
username and password are sent in cleartext - PAP is considered a weak authentication method from a security perspective
79
What authentication steps are involved in PAP?
  1. User Initiation
  2. Username and Password Exchange
  3. Authentication Check
80
What does CHAP stand for?
Challenge Handshake Authentication Protocol
81
What's CHAP and where is it used?
  • authentication protocol used in Point-to-Point Protocol (PPP) connections
  • commonly used in dial-up connections, Virtual Private Networks (VPNs), and other network scenarios
82
What are the security advantages of CHAP?
  • encrypts both username and password
  • performs periodic reauthentication
  • protects against replay attacks
83
What's the authentication process of CHAP?
  • Challenge
    • when a client initiates a connection to a server, the server sends a random challenge value to the client
  • Response
    • client combines the challenge value with its password (or shared secret) and creates a one-way hash
    • hash is sent back to the server as the response
  • Authentication Check
    • server performs the same hash calculation using its copy of the client's password (or shared secret) and the challenge value
    • if the calculated hash matches the received response, the authentication is successful, and the server grants access to the client
84
What's EAP?
authentication framework used in computer networks **to support various methods for secure authentication between a client and a server**
85
Where is EAP commonly used?
wireless networks (e.g., Wi-Fi) and Virtual Private Networks (VPNs)
86
Why is EAP known as "extensible"?
  • because it allows for the incorporation of different authentication methods, known as EAP methods or EAP types
  • each EAP method defines its specific way of authenticating users, such as using passwords, digital certificates, smart cards, or other authentication mechanisms
87
What's the EAP authentication process?
  • Initiation
    • when a client device tries to connect to a network or server, the EAP process is initiated
  • Method Selection
    • client and server negotiate and agree on the specific EAP method to be used for authentication
  • Authentication Exchange
    • the chosen EAP method defines the authentication exchange between the client and server
    • can involve multiple steps, such as the exchange of challenge-response pairs or the use of digital certificates for mutual authentication
  • Authentication Result
    • after the exchange is completed, the server verifies the client's identity based on the authentication method used
    • if the authentication is successful, the server grants access to the client
88
What's the purpose of SD-WAN?
provide centralized control and management of multiple WAN connections, allowing organizations to dynamically route traffic based on performance, security, and policy requirements
89
What can be used to combine existing networks or to divide a network into multiple segments?
Virtual Network
90
What makes a firewall design two-tier?
if it has 2 protected zones (not counting the outside zone)
91
What are two primary advantages that 5G networks have over 4G networks?
  • enhanced subscriber identity protection
  • mutual authentication capabilities
  • stronger authentication methods and more advanced encryption techniques compared to 4G
92
What layer of an SDN implementation uses programs to communicate needs for resources via API?
application
93
What are the types of NAC systems in existence (8)?
  1. Pre-Admission NAC
  2. Post-Admission NAC
  3. Agent-Based NAC
  4. Agentless NAC
  5. Hybrid NAC
  6. Cloud-based NAC
  7. VLAN-based NAC
  8. Identity-Based NAC
94
How does Pre-Admission NAC assess devices and users?
  • before granting access to the network
  • performs checks on the device's security posture, operating system, antivirus software, and other factors to determine if it meets the organization's security standards
  • if the device passes the pre-admission checks, it is granted access to the network; otherwise, access is denied or restricted
95
How does Post-Admission NAC assess devices and users?
  • grants network access first and then performs security checks after the device is connected
  • if the system detects any non-compliant behavior or security issues during the post-admission check, it may quarantine the device or limit its access until the issues are resolved
96
Explain Agent-Based NAC
  • requires the installation of software agents on end-user devices
  • agents help monitor and enforce security policies, report device information to the NAC server, and ensure compliance with network access rules
97
Explain Agentless NAC
  • does not require any software installation on end-user devices
  • instead, it relies on various techniques like deep packet inspection, MAC address authentication, and other network-based methods to identify and control devices attempting to connect to the network
98
Explain Hybrid NAC
  • combines elements of both agent-based and agentless NAC systems
  • provides flexibility in how devices are managed and secured based on different factors such as device type, location, and user role
99
Explain Cloud-based NAC
  • hosted in the cloud and provides access control and security services to remote users and devices
  • often preferred for its scalability, ease of management, and the ability to handle dispersed or mobile workforces
100
Explain VLAN-based NAC
  • devices are placed in separate Virtual LANs (VLANs) based on their compliance with security policies
  • non-compliant devices may be placed in restricted VLANs with limited access to resources until they meet the required security standards
101
Explain Identity-Based NAC
  • focuses on user authentication and applies access controls based on user identities and roles
  • may integrate with directory services such as Active Directory to enforce security policies
102
What's the main disadvantage of clientless NAC?
it cannot check as many things as the client can
103
What does Defense in Depth suggest?
using multiple security controls to **achieve the same control objective**
104
What's virtual network used for?
combine existing networks or to divide network into multiple segments
105
What can happen if a PC is simultaneously connected to a secure and non-secure network like the internet?
it may act as a bridge, bypassing security controls located at the edge of the corp network
106
PPTP, L2F, L2TP and IPsec are used for what purpose?
VPN
107
What type of protocol is PPP?
dial-up
108
How to secure bluetooth?
  • use bluetooth only for activities that are not confidential
  • change the default PIN
  • turn off discovery mode when it's not active
109
What type of issues can’t a strictly post-admission policy NAC handle?
since this doesn’t check the status of a machine before it connects, it can’t prevent the exploit of the system immediately after connection
110
What type of device should be placed between networks, if one supports IPv6 and the other IPv4?
gateway
111
What does DCE (system) stand for?
Distributed Computing Environment (DCE)
112
What's a DCE system?
  • system in which computing resources, such as processing power, storage, and memory, are spread across multiple interconnected computers or nodes
  • the nodes collaborate to perform tasks and solve problems by sharing their resources and working together, often across a network
113
What's the primary security concern of DCE?
  • interconnectedness of the components
  • configuration could allow for error or malware propagation as well - if an adversary compromises one component, it may grant them the ability to compromise other components in the collective through pivoting and lateral movement
114
What is a security risk of an embedded system that is not commonly found in a standard PC?
because an embedded system is often in control of a mechanism in the physical world, a security breach could cause harm to people and property (aka cyber-physical)
115
What does RTOS stand for?
real-time operating system
116
What are the characteristics of an RTOS?
minimizes latency and delay, stores code in ROM, and is optimized for mission-critical operations
117
Describe Arduino
  • type of microcontroller
  • stores code on a flash chip
  • has a limited C++ based instruction set
  • not suited for mission-critical operations
118
Describe Distributed Control System (DCS)
  • open source hardware and software organization that creates single-board 8-bit microcontrollers for building digital devices
  • used to manage small-scale industrial processes
  • can execute C++ programs specifically written to its limited instruction set
  • not designed as a near-real-time solution
  • may be used to manage mission-critical operations
119
Is LEAP an example of an actual EAP method?
yes
120
Is EAP-VPN an example of an actual EAP method?
no
121
Is EAP-SIM an example of an actual EAP method?
yes
122
Is EAP-FAST an example of an actual EAP method?
yes
123
Is EAP-MBL an example of an actual EAP method?
no
124
Is EAP-MD5 an example of an actual EAP method?
yes
125
Is VEAP an example of an actual EAP method?
no
126
Is EAP-POTP an example of an actual EAP method?
yes
127
Is EAP-TLS an example of an actual EAP method?
yes
128
Is EAP-TTLS an example of an actual EAP method?
yes
129
What does Fog computing rely on?
sensors, IoT devices, or even edge computing devices to collect data and then transfer it back to a central location for processing
130
What are cyber-physical systems?
devices that offer a computational means to control something in the physical world
131
How does deduplication work?
  • replaces multiple copies of a file with a pointer to one copy
  • if the one remaining file is damaged, then all of the linked copies are damaged or inaccessible as well
132
What are the concerns when company technicians use 4G/5G during their travels?
  • eavesdropping
  • rogue towers
  • reliability of establishing a connection
133
What's a nonpersistent system or static system?
  • computer system that does not allow, support, or retain changes
  • between uses and/or reboots, the operating environment and installed software are exactly the same
  • changes may be blocked or simply discarded after each system use
  • a nonpersistent system is able to maintain its configuration and security in spite of user attempts to implement change
134
What are the potential areas of concern related to third-party connectivity?
  • those in which an actual outsider is to be directly connected to on-premises networks; these situations include:
    • business partnerships
    • cloud services
    • telecommuting
135
Can agent-based NAC quarantine noncompliant devices and implement updates automatically?
yes
136
Can preadmission-based NAC require a system to meet all current security requirements (such as patch application and malware scanner updates) before it is allowed to communicate with the network?
yes
137
Does NAC require the use of IEEE 802.1X?
no
138
What can an agentless NAC do to determine whether devices are authorized and baseline compliant?
perform port scans, service queries, and vulnerability scans against networked systems to determine whether devices are authorized and baseline compliant
139
Can agentless NAC automatically quarantine and resolve security issues on hosts?
no
140
Describe the L2F (Layer 2 Forwarding Protocol) protocol
  • protocol from Cisco that aimed to tunnel PPP sessions
  • aims to establish a connection-oriented tunnel between the user's device and the VPN server, allowing PPP frames to be transported securely
  • largely overshadowed by newer and more advanced protocols
141
Describe L2TP (Layer 2 Tunneling Protocol)
  • evolution of L2F that combines the best features of L2F and PPTP
  • provides a framework for tunneling various protocols, including PPP
  • used in conjunction with other encryption protocols like IPsec for enhanced security
142
Describe PPTP (Point-to-Point Tunneling Protocol)
  • one of the earliest VPN protocols, originally developed by Microsoft
  • simple to set up but not secure due to known vulnerabilities
  • not recommended for secure VPN connections
143
Why is PEAP secure?
because it can provide a TLS tunnel that encapsulates EAP methods, protecting the entire session