Section 2 - Secure Network Architecture Flashcards

1
Q

What are common edge services

A

Firewalls
Routers
Load Balancers
NAT Gateway for Cloud VPC - gives instances in private subnets outbound Internet access without exposing them to inbound connections; uses an Elastic IP that can be remapped to another instance

Internet Gateway - is a VPC component allowing traffic between VPC and Internet

Mail Security - DKIM/SPF (with DMARC tying both to the visible From domain)

DDoS Protection
Rate Limiting
WAF
Blackhole Routing - drops all traffic to the targeted prefix, legitimate traffic included, so it completes the outage; a last resort
CSPs provide DDoS protection services
DDoS Mitigation Software/Appliance

2
Q

What is the difference between edge services vs application layer protection

A

Edge services take a broad approach to protecting network traffic, limiting protocols and traffic flows based on source and destination (layers 3-4), whereas application layer protection looks inside the protocols (layer 7) to interpret them more fully.

They can be combined or deployed as separate solutions.

3
Q

What type of firewall allows inspection of the content of protocol traffic

A

Next-Generation Firewall (NGFW) - deep packet inspection with application awareness, rather than matching only on addresses and ports

4
Q

What is the type of device/firewall that provides multiple security services in a single solution?

A

Unified Threat Management (UTM) - typical bundled services:
Content Filtering
DLP
Anti-spam
Anti-virus
Geo-IP Filtering

5
Q

What device mediates protocol-specific outbound traffic, and which type of proxy requires client configuration

A

Forward Proxy (transparent or non-transparent)

Non-Transparent proxy - requires client configuration (proxy address and port, typically 8080)

Transparent proxy - needs no client configuration, but must be implemented on a switch or router that redirects the traffic to it

6
Q

What type of script allows a client to configure proxy settings, and what protocol allows the client to discover it

A

Proxy Autoconfiguration Script (PAC) - a JavaScript file whose FindProxyForURL() function tells the client which proxy (or DIRECT) to use for each URL

Web Proxy Autodiscovery (WPAD) - locates the PAC file via DHCP option 252 or a DNS lookup for wpad.<domain>; an attacker who can answer those lookups can hand out a malicious PAC, so pin the PAC URL in client configuration and disable WPAD where it is not needed

7
Q

What type of proxy is in the line of traffic from the “outside-in”

A

Reverse Proxy - sits in front of internal servers and accepts inbound requests on their behalf
Also used for performance, caching web content and distributing requests much like a load balancer

8
Q

What are the deployment options for a WAF

A

Network-Based - a separate host or appliance configured as the WAF

Host-Based - runs on the same host as the web application server to block application layer attacks; ModSecurity is a popular open-source example, originally built as an Apache module

Cloud-Based - provided by a service provider and delivered via a cloud platform; less expensive than network-based and leverages expertly configured WAF protection

9
Q

What is the specialised cloud-based service that centralizes the functions provided by APIs

A

API Gateway - a single entry point that can be detached from the main application to handle authentication, rate limiting and routing for APIs

XML Gateway - similar protection, but focused on XML/SOAP-based APIs

10
Q

What is the type of attack where a threat actor injects false resource records into a client or server cache to redirect a domain name to an IP address of the attacker's choosing, and what can help mitigate these attacks

A

DNS Spoofing or Poisoning (cache poisoning)

Domain Name System Security Extensions (DNSSEC) - set of specifications that add origin authentication and integrity to traditional DNS by signing records, so a validating resolver can reject a forged answer (DNSSEC does not encrypt queries)

11
Q

To extend traditional DNS with DNSSEC functionality, what type of resource record grouping must be set up and signed

A

Resource Record Set (RRset) - all resource records for a name that share the same type; each RRset is signed with the Zone Signing Key (ZSK), producing an RRSIG record, so it can be verified as trustworthy. The ZSK is in turn signed by the Key Signing Key (KSK), and a DS record in the parent zone anchors the KSK to the chain of trust

12
Q

What two major tasks does a VPN perform

A

Creation of the tunnel and protection of the data within it.

For example, L2TP creates the tunnel and IPsec secures it (L2TP on its own provides no encryption)

13
Q

What is the general term for the collected protocols, policies and hardware that authenticate and authorize access to the network at a device level

A

Network Access Control (NAC)

Understand the use of a quarantine network: non-compliant devices are placed in a restricted VLAN (a "VLAN jail") until they are remediated

14
Q

What are the 3 analysis types of a NIDS

A

Signature Based - matches traffic against known attack patterns
Anomaly Based - flags deviations from how a protocol is expected to behave
Behavior Based - learns normal traffic patterns and alerts on departures from them

NIDS sensors must handle a high volume of traffic; they receive copies of it from a Switched Port Analyzer (SPAN) port or port mirroring.

15
Q

What is a method of sniffing where a hardware device is inserted into a cable to copy frames for analysis

A

Test Access Port (TAP) - passive, so it does not drop frames under load the way an oversubscribed SPAN port can

16
Q

What is the type of software that reviews system files to ensure that they have not been tampered with

A

File Integrity Monitoring (FIM) - records cryptographic hashes of files as a baseline and alerts when a hash changes, a file appears or a file disappears

17
Q

Is SNMP a secure protocol

A

Not really - in SNMPv1 and v2c the community names (effectively passwords) are sent in plain text; avoid v1/v2c and use SNMPv3 with authentication and privacy (authPriv)

18
Q

What is the Cisco-developed means of reporting network flow information to a structured database, and what is the open-standard equivalent

A

NetFlow - exports a record per flow (source, destination, ports, protocol, byte and packet counts)

sFlow - vendor-neutral alternative; technically not a true flow protocol, as it samples packets rather than aggregating every packet of a flow (IPFIX is the IETF standard derived from NetFlow v9)

19
Q

What are some common methods for Segmentation of Networks

A

Subnetting - layer 3 separation, enforced by routers or firewalls between subnets
VLANs - layer 2 separation on a switch; traffic between VLANs must pass through a layer 3 device, where ACLs can be applied

20
Q

What is the subnetting design that uses two firewalls, one on either side of the DMZ

A

Screened Subnet - the outer firewall screens traffic from the Internet into the DMZ, the inner firewall screens traffic from the DMZ into the internal network

21
Q

What is the broad term for the rules on layer 3 switches and routers that determine which objects may interact with each other

A

Access Control Lists (ACLs) - ordered permit/deny rules evaluated top-down, with an implicit deny at the end

22
Q

What is the difference between an Air Gapped Host and a Jump Box

A

Air Gapped host is not physically connected to any network and is physically protected; data moves only by controlled removable media

Jump Box is a specially configured, highly hardened and closely monitored host used to perform administrative tasks or to access servers in a protected segment; administrators connect to it first, never directly to the servers

23
Q

What describes the capability of isolating workloads from one another and protecting them individually

A

Microsegmentation

Cloud-centric and designed for east-west (workload-to-workload) traffic flows, which a perimeter firewall never sees

24
Q

What is the general term, and the Azure term, for creating cloud resources within a private network that parallels the functionality of an on-premises network

A

Virtual Private Cloud (VPC) or Virtual Network (VNet) in Azure

25
Q

In a cloud environment, what is used to control inbound/outbound traffic

A

Network Access Control List (NACL, pronounced "nackle") - applied at the subnet level and stateless, so both inbound and outbound traffic flows (including the ephemeral-port return traffic of allowed connections) must be explicitly defined

26
Q

What works alongside network ACLs, is associated with individual instances and acts as a virtual firewall

A

Policies/Security Groups - stateful, so return traffic for an allowed connection is permitted automatically; allow rules only, no explicit deny
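As an added example (not part of the flashcards), the stateless-versus-stateful difference from the two cards above, simulated in Python: a numbered NACL that allows HTTPS inbound but forgets the ephemeral-port outbound rule silently drops the server's replies, the same NACL with the outbound rule passes them, and a security group passes them because it tracks the connection. The addresses, rule sets and HTTPS exchange are constructed; the evaluation order (ascending rule number, first match wins, implicit deny) follows AWS-style NACLs, but nothing here calls a cloud API.

```python
"""Stateless network ACL vs stateful security group, simulated.

Added example, not from the flashcards. The rule sets, addresses and the
HTTPS exchange below are constructed; the behaviour is modelled on AWS-style
NACLs (numbered rules, first match wins, implicit deny) and security groups
(allow rules only, connection tracking).
"""
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)  # assumed client source-port range for return traffic


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str  # "in" = entering the subnet, "out" = leaving it


@dataclass(frozen=True)
class AclRule:
    number: int      # rules are evaluated in ascending order
    direction: str
    cidr: str        # remote address range the rule applies to
    ports: tuple     # inclusive (low, high) destination-port range
    action: str      # "allow" or "deny"


def nacl_allows(rules, pkt: Packet) -> bool:
    """Stateless evaluation: first matching rule wins, otherwise implicit deny.
    Nothing remembers the request, so the reply must match a rule of its own."""
    remote = pkt.src if pkt.direction == "in" else pkt.dst
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.direction != pkt.direction:
            continue
        in_cidr = ipaddress.ip_address(remote) in ipaddress.ip_network(rule.cidr)
        if in_cidr and rule.ports[0] <= pkt.dport <= rule.ports[1]:
            return rule.action == "allow"
    return False


class SecurityGroup:
    """Stateful evaluation: an allowed inbound flow is recorded and its reply
    is permitted automatically. Only reply traffic is modelled for egress."""

    def __init__(self, inbound):
        self.inbound = inbound  # list of (cidr, low, high) allow rules
        self.flows = set()

    def allows(self, pkt: Packet) -> bool:
        if pkt.direction == "in":
            for cidr, low, high in self.inbound:
                if ipaddress.ip_address(pkt.src) in ipaddress.ip_network(cidr) and low <= pkt.dport <= high:
                    self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                    return True
            return False
        # outbound: allowed only if it reverses a tracked inbound flow
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def https_exchange(allows) -> tuple:
    """Client 203.0.113.10:51515 -> server 10.0.1.5:443, then the server's reply."""
    request = Packet("203.0.113.10", "10.0.1.5", 51515, 443, "in")
    reply = Packet("10.0.1.5", "203.0.113.10", 443, 51515, "out")
    return allows(request), allows(reply)


NACL_INBOUND_ONLY = [AclRule(100, "in", "0.0.0.0/0", (443, 443), "allow")]
NACL_COMPLETE = NACL_INBOUND_ONLY + [AclRule(100, "out", "0.0.0.0/0", EPHEMERAL, "allow")]
# A lower-numbered deny is evaluated before the allow, so one source is blocked.
NACL_WITH_BLOCK = [AclRule(50, "in", "198.51.100.0/24", (0, 65535), "deny")] + NACL_COMPLETE


def compare() -> dict:
    """(request allowed, reply allowed) per control, plus the ordering check."""
    probe = Packet("198.51.100.7", "10.0.1.5", 40000, 443, "in")
    return {
        "nacl_inbound_only": https_exchange(lambda p: nacl_allows(NACL_INBOUND_ONLY, p)),
        "nacl_with_ephemeral_out": https_exchange(lambda p: nacl_allows(NACL_COMPLETE, p)),
        "security_group": https_exchange(SecurityGroup([("0.0.0.0/0", 443, 443)]).allows),
        "blocked_source": (nacl_allows(NACL_WITH_BLOCK, probe), nacl_allows(NACL_COMPLETE, probe)),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name}: {result}")
```

The first result, (True, False), is the classic NACL mistake: the handshake's SYN gets in, the SYN-ACK never gets out, and the symptom is a connection that "hangs" rather than a clean refusal.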

27
Q

What describes the state and location of data to help isolate and protect it.

A

Data Zones

Raw Zone - data from multiple sources
Structure/Curated Zone - quality checked
Analytical Zone - used for practical purposes

28
Q

What is the term for the breakdown of the defined perimeter between inside and outside

A

Deperimeterization - well established barriers are breaking down due to initiatives such as cloud adoption, working from home, etc.

29
Q

What are the key tenets of Zero Trust Architecture

A

Everything is considered external, and designs adopt the adages:
“never trust, always verify” and “assume breach”

30
Q

Which NIST Publication defines ZTA

A

NIST SP 800-207
ZTA does not define security via network boundaries but via resources: every request is authenticated and authorized per resource, which is where microsegmentation plays a key role

31
Q

T or F: in order to connect a cloud VPC to an on-premises network (loosely called peering) you need to establish a VPN

A

True - a site-to-site VPN over the Internet (or a dedicated private circuit from the CSP) is required; VPC peering proper links two VPCs within the cloud

32
Q

What operates as guardians between two connected sites and are typically associated with military establishments

A

Cross Domain Solutions (CDS) - controlled interfaces that allow information to pass between networks of different classification levels

33
Q

What is the principal means of providing privilege management and authorization on an enterprise network, and which protocols does it use

A

Directory Services
LDAP is the protocol widely used to query and update X.500-style directories
Uses Distinguished Names (DN) as the unique identifier of each object.

34
Q

What is the difference in scaling servers horizontally and vertically

A

Horizontal is adding more servers to the farm, while vertical is adding more resources (CPU, memory, storage) to existing servers

35
Q

List some examples of scalable designs

A

Content Delivery Network (CDN) - distributing and replicating components of a service to locations near the users who need the content delivered

Caching - used for maintaining consistent performance during file access and data processing; in the cloud, API gateways can cache responses

36
Q

T or F: using a single vendor's products is ideal for interoperability but not for providing a security layer

A

T - vendor diversity adds complexity that can slow an adversary down, since one exploit or misconfiguration no longer applies everywhere.

37
Q

What is the term for the capability to spread workloads among multiple cooperating units.

A

Distributed Allocation - associated with cloud platforms, locating services across multiple regions or Availability Zones

38
Q

During a failure of a single node of a 2-server cluster, which type would potentially impact users from a performance standpoint

A

Active/Active - since both nodes normally share the load, capacity is cut in half when one fails (in Active/Passive the standby simply takes over the full load)

39
Q

What is the difference between a Type 1 and Type 2 Hypervisor

A

Type 1 (bare metal) - installed directly onto the hardware and manages guest access without going through a host OS; a Type 2 hypervisor runs as an application on top of a host OS.

Type 1 - VMware ESXi, Hyper-V, Xen
Type 2 - VMware Workstation, Parallels

40
Q

What is the method of virtualization called that does not use a hypervisor but leverages the capabilities of the host OS kernel, and what is its widely adopted platform

A

Containerization and Docker - containers share the host kernel, so kernel isolation is the security boundary rather than a hypervisor

41
Q

What are the 3 models of VDI

A

Hosted - run by a 3rd party
Centralized - hosted within the enterprise
Synchronized - the remote virtual desktop is synchronized to the device so it can work in a disconnected state

42
Q

In a cloud setting, what describes the set of automated tasks run as part of the deployment of an instance

A

Bootstrapping

43
Q

In a cloud setting, what is the ability to expand and contract the capacity of workloads on demand, with effectively no upper limit

A

Autoscaling

44
Q

What does a SOAR system follow from a task standpoint, and what does it automate

A

Playbook - checklist of actions to take in response to a given incident type
Runbook - automates as many stages of the playbook as possible

45
Q

What are some common VM exploits

A

VM Escape - breaking out of the guest to run code on the hypervisor or host, and from there against other guests
PrivEsc - privilege escalation within the guest or in the management plane
Live VM Migration - a VM moved between hosts can be intercepted or tampered with in transit if the migration channel is not protected
Data Remnants - because VMs are abstract files, deleted or decommissioned VMs can leave remnants of data on shared storage

46
Q

List common web coding technologies

A

Web Servers - IIS, Apache
Web development frameworks - Angular, Ruby on Rails, Express.js, Django

Markup and data formats - HTML, XML (markup); CSS (styling); JSON (data interchange)

Programming languages - Perl, C#, JavaScript, Java, VB, .NET, Python, Ruby

Databases - PostgreSQL, Microsoft SQL Server, MariaDB

47
Q

What parallels best practices in that they provide guidance on the secure implementation of various critical areas within an organization

A

Secure Design Patterns

Open Security Architecture
Carnegie Mellon Software Engineering Institute
Microsoft Azure

48
Q

What is the difference between an API and middleware

A

APIs provide the core mechanisms that enable integration and orchestration across an entire information system, while middleware describes more comprehensive software designed to integrate two systems together.

49
Q

What are the development-to-production environments, and who has access to them

A

Development - early stage; developers have full access

Test/Integration - code from multiple developers merged into a single master branch and tested together

Staging/QA - mirrors production and focuses on regression testing

Production - the live system; developer access is restricted and changes arrive only through the deployment pipeline

Sandboxing - describes how each of the development environments is segmented from the others

50
Q

What is a software architecture where components of the solution are conceived as loosely coupled services not dependent on a single platform type or technology

A

Service-Oriented Architecture (SOA)

Opens additional possibilities for information exchange and connectivity

51
Q

What are two elements of SecDevOps

A

Security as Code (SaC) - automated security checks, such as SAST and DAST, expressed in the pipeline definition

Infrastructure as Code (IaC) - leveraging configuration management tools to control change to infrastructure through versioned, reviewable definitions

52
Q

What is the principle that developers should commit and test updates often

A

Continuous Integration

53
Q

What is the principle of testing all of the infrastructure that supports the application

A

Continuous Delivery

54
Q

What is the principle of making changes to the production environment and name some popular configuration management tools

A

Continuous Deployment

Puppet
Ansible
Octopus Deploy

55
Q

What principle of delivery would utilize a SOAR System

A

Continuous Monitoring

56
Q

What is the delivery model that tests that a software development project meets the requirements governing it

A

Continuous Validation

Compliance testing process
fit-for-purpose

57
Q

What can be used to protect against issues relating to credential theft and misuse

A

Privileged Access Management (PAM)

Policies, procedures, and support software for managing accounts and credentials with administrative permissions

58
Q

What language can be used to assist with federated identity, and what protocol supports the communications

A

Security Assertion Markup Language (SAML) - XML-based assertions carrying authentication and attribute statements

Simple Object Access Protocol (SOAP) - SAML messages can be transported in SOAP envelopes (the browser SSO profiles also bind to HTTP redirect/POST)

59
Q

What is an identity federation method that provides SSO and enables websites to make informed authorization decisions to protect online resources

A

Shibboleth

Used in Universities

60
Q

Name and explain the access control methods

A

Discretionary (DAC) - owner controlled and most flexible

Mandatory (MAC) - based on security clearance and object classification labels

Role-Based (RBAC) - centralized control compared with DAC; rights are given implicitly through role membership

Attribute-Based (ABAC) - most fine grained; decisions combine attributes of the subject, the object and the environment

Rule-Based - access is determined by rules rather than by users or objects; firewalls are the best example

61
Q

What is an AAA protocol used to manage remote and wireless authentication infrastructure that has stood the test of time

A

Remote Authentication Dial-In User Service (RADIUS) - the RADIUS client is the access device (switch, AP or VPN gateway), not the end user; it runs over UDP (1812 authentication, 1813 accounting) and its shared secret obfuscates only the password attribute, not the rest of the packet

62
Q

Which protocol improved upon RADIUS, and why

A

Diameter - runs over TCP or SCTP instead of UDP, has a failover mechanism and supports TLS/IPsec transport security. Not very widespread outside telecom.

63
Q

What is the Cisco developed authentication control system specifically designed for managing network devices

A

Terminal Access Controller Access-Control System Plus (TACACS+)

Uses TCP port 49, encrypts the whole packet body (unlike RADIUS) and separates authentication, authorization and accounting

64
Q

Name some common Access Control and Authorization Systems

A

LDAP - extensible directory service protocol (port 389)

LDAPS - LDAP over SSL/TLS (TCP 636)

Kerberos - SSO system based on time-sensitive tickets issued by a Key Distribution Center

Open Authorization (OAuth) - authorization framework for delegating access to RESTful APIs

Extensible Authentication Protocol (EAP) - framework for negotiating authentication methods, which enables systems to use hardware-based authenticators such as fingerprint scanners or smart cards

802.1X - standard for encapsulating EAP over a LAN (EAPOL); the switch or AP relays the EAP exchange to a RADIUS server

65
Q

What is the concept related to authentication where user is verified using various characteristics and credentials

A

Identity Proofing

66
Q

What is the difference between in-band and out-of-band 2-step verification

A

Out of Band - the second step uses a mechanism or channel different from the one carrying the login: SMS, app, push notification, phone call, etc.

In-Band - the second step travels over the same channel as the credentials

67
Q

What algorithms are used for token-based authentication such as key fobs or smartphone apps

A

HMAC-Based One-Time Password (HOTP) - code derived from an HMAC over a shared secret and a counter that increments on each use

The server is configured with a counter look-ahead window to cope with the device and server moving out of sync (e.g. the user pressing the button without logging in)

Time-Based One-Time Password (TOTP) - replaces the counter with the current time step (usually 30 s), so codes expire on their own and no counter resync is needed
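As an added example (not part of the flashcards), HOTP and TOTP in Python with the server side written out: the HOTP verifier searches a look-ahead window and resyncs its counter, and the TOTP verifier tolerates one step of clock skew while refusing to accept a code for a step it has already consumed. The secret is the public test-vector secret from RFC 4226, so the generated codes match the published values; the window and skew sizes are illustrative choices.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with server-side verification.

Added example, not from the flashcards. The secret is the RFC test-vector
secret, so the codes can be checked against the published values; the
look-ahead window and replay handling are the server-side policy the card
describes, written out here as an illustration.
"""
import hashlib
import hmac
import struct
import time

RFC_SECRET = b"12345678901234567890"  # shared secret from RFC 4226 Appendix D


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP = dynamic truncation of HMAC-SHA-1(secret, counter as 8-byte big-endian)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter replaced by the current time step."""
    return hotp(secret, int(at // step), digits)


class HotpServer:
    """Keeps the last accepted counter and searches a look-ahead window, so a
    token whose button was pressed a few times without logging in still works.
    Accepting a code moves the counter past it, which closes replay."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for candidate in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.counter = candidate + 1  # resync to the client's position
                return True
        return False


class TotpServer:
    """Accepts the current step plus or minus `skew` steps for clock drift and
    refuses any step at or before the last one used (a captured code must not
    work twice within its validity window)."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1):
        self.secret = secret
        self.step = step
        self.skew = skew
        self.last_step = -1

    def verify(self, code: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        current = int(now // self.step)
        for candidate in range(current - self.skew, current + self.skew + 1):
            if candidate <= self.last_step:
                continue  # already consumed
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_step = candidate
                return True
        return False


if __name__ == "__main__":
    print("HOTP counter 0..2:", [hotp(RFC_SECRET, c) for c in range(3)])
    print("TOTP at t=59:", totp(RFC_SECRET, 59))
    server = HotpServer(RFC_SECRET)
    print("client ahead by 3 accepted:", server.verify(hotp(RFC_SECRET, 3)), "counter now", server.counter)
```

Two details matter more than the arithmetic: the comparison is constant-time (hmac.compare_digest), and a successful HOTP verification always advances the server counter, so the window only ever slides forward.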

68
Q

What is a cryptographic module embedded within a computer system that can endorse or trust execution

A

Hardware Root of Trust (RoT)

RoT is usually established by a type of crypto processor called a Trusted Platform Module (TPM); on Windows it can be managed via tpm.msc

69
Q

What is the data format derived from JavaScript syntax that is used in Representational State Transfer (REST) APIs, and what token format is built on it

A

JavaScript Object Notation (JSON), and the JSON Web Token (JWT)

A JWT is protected by a Message Authentication Code (an HMAC over the header and payload with a shared secret, e.g. HS256) or by a digital signature (e.g. RS256/ES256); the verifier must pin the expected algorithm rather than trusting the alg field inside the token
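As an added example (not part of the flashcards), minting and verifying an HS256 JWT with only the Python standard library, alongside the two things a careless verifier gets wrong: honouring alg=none and accepting a tampered payload with the old MAC. The key, claims and timestamps are constructed for the demonstration.

```python
"""Minting and verifying an HS256 JSON Web Token with the standard library.

Added example, not from the flashcards. The key and claims are constructed;
the verifier pins the algorithm, compares the MAC in constant time and checks
expiry, which is what separates a safe JWT check from a vulnerable one.
"""
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def jwt_sign(claims: dict, key: bytes) -> str:
    """header.payload.signature, where signature = HMAC-SHA-256(key, header.payload)."""
    signing_input = b64url(_json({"alg": "HS256", "typ": "JWT"})) + "." + b64url(_json(claims))
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)


def forge_unsigned(claims: dict) -> str:
    """What an attacker sends to a verifier that honours alg=none."""
    return b64url(_json({"alg": "none", "typ": "JWT"})) + "." + b64url(_json(claims)) + "."


def tamper(token: str, new_claims: dict) -> str:
    """Swap the payload but keep the original signature."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{b64url(_json(new_claims))}.{sig_b64}"


class JwtError(Exception):
    pass


def jwt_verify(token: str, key: bytes, now: float = None) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise JwtError("malformed")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(unb64url(header_b64))
        signature = unb64url(sig_b64)
    except ValueError:
        raise JwtError("malformed")
    # Pin the algorithm. Trusting header["alg"] is the classic bug: "none" skips
    # the check, and an RSA public key fed to HMAC lets anyone sign.
    if header.get("alg") != "HS256":
        raise JwtError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise JwtError("bad signature")
    try:
        claims = json.loads(unb64url(payload_b64))
    except ValueError:
        raise JwtError("malformed")
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise JwtError("expired")
    return claims


def check(token: str, key: bytes, now: float = None) -> str:
    """'ok' when the token verifies, otherwise the rejection reason."""
    try:
        jwt_verify(token, key, now)
        return "ok"
    except JwtError as e:
        return str(e)


if __name__ == "__main__":
    key = b"constructed-demo-key"
    token = jwt_sign({"sub": "alice", "role": "user", "exp": 1800000000}, key)
    print("genuine:", check(token, key, now=1700000000))
    print("tampered:", check(tamper(token, {"sub": "alice", "role": "admin", "exp": 1800000000}), key, now=1700000000))
    print("alg=none:", check(forge_unsigned({"sub": "admin"}), key))
```

Note that the MAC covers the base64url text exactly as transmitted, so the verifier never re-serialises the JSON before checking; re-encoding would let two different byte sequences for the same claims slip through the comparison.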

70
Q

What products/tools automate the discovery and classification of data types and enforce rules so that data is not viewed or transferred without proper authorization

A

Data Loss Prevention (DLP)

Policy Server
Endpoint Agent
Network Agents

71
Q

What is the protection to control how digital content is used after publication

A

Digital Rights Management (DRM)

72
Q

What describes the mechanisms for hiding data, and what encoding is popular

A

Obfuscation and Masking
Base64 - popular encoding, but it is reversible by anyone and provides no confidentiality; it hides data from casual viewing only

73
Q

What is a common technique in the credit card industry to represent sensitive data

A

Tokenization
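As an added example (not part of the flashcards), the three techniques from the two cards above applied to the same card number in Python: masking keeps only the last four digits and cannot be undone, tokenization replaces the PAN with a random token that is meaningless without the vault, and Base64 "hides" the PAN only until someone decodes it. The in-memory vault stands in for a tokenization service's secure store, and the PAN is the well-known test number 4111 1111 1111 1111, not real card data.

```python
"""Masking, tokenization and Base64 side by side on a card number (PAN).

Added example, not from the flashcards. The vault is an in-memory dict
standing in for the tokenization service's secure store; the PAN is the
well-known test number 4111 1111 1111 1111, not real card data.
"""
import base64
import re
import secrets


def luhn_valid(digits: str) -> bool:
    """Mod-10 check used by card numbers; rejects typos before we tokenize."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19) or not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    return digits


def mask_pan(pan: str) -> str:
    """Irreversible: keeps only the last four, the usual display form."""
    digits = normalize_pan(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


class TokenVault:
    """Reversible only through the vault: the token is random, so it carries no
    information about the PAN and is worthless if stolen on its own."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        digits = normalize_pan(pan)
        if digits in self._token_by_pan:
            return self._token_by_pan[digits]  # same PAN always maps to the same token
        token = "tok_" + secrets.token_hex(12)
        self._pan_by_token[token] = digits
        self._token_by_pan[digits] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def base64_round_trip(pan: str) -> tuple:
    """Encoding, not protection: anyone can decode it without a key."""
    encoded = base64.b64encode(pan.encode()).decode("ascii")
    return encoded, base64.b64decode(encoded).decode()


if __name__ == "__main__":
    pan = "4111 1111 1111 1111"
    vault = TokenVault()
    print("masked:", mask_pan(pan))
    token = vault.tokenize(pan)
    print("token:", token, "->", vault.detokenize(token))
    print("base64:", base64_round_trip(normalize_pan(pan)))
```

Only the vault (and whatever detokenizes through it) is in scope for the full PAN; the systems that handle tokens never see card data, which is the point of the technique in payment environments.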

74
Q

What is a software architecture where components of the solution are conceived as highly decoupled services not dependent on a single platform type or technology

A

Microservices

75
Q

What is the term describing the use of virtualization to manage all traditional hardware elements of an infrastructure through a single software-based solution

A

Hyperconverged Infrastructure (HCI)

76
Q

What is the main difference between Emulation and Virtualization?

A

Emulation, unlike virtualization, does not have to use the same hardware architecture (e.g. x86) as the host, because it reproduces the target CPU in software. It is more resource intensive than virtualization and therefore slower; better suited to older operating systems and gaming systems.

QEMU, Wine (a compatibility layer rather than a CPU emulator), Android Studio emulator

77
Q

What is the top cause of data breaches in the cloud.

A

Misconfiguration

A common source is the middleware (the "plumbing") that glues services together using frameworks such as SOAP, JSON and REST.

78
Q

What type of attack abuses overly permissive access by making the server query the cloud instance metadata service on the attacker's behalf

A

Server-Side Request Forgery (SSRF) - mitigations include requiring a session token for metadata requests (e.g. IMDSv2 on AWS), denying the application egress to 169.254.169.254, and allow-listing outbound destinations

79
Q

What are some limitations of CSP VPC peering

A

Overlapping CIDR Blocks - two VPCs with overlapping address ranges cannot be peered
Transitive Peering - not supported; A peered with B and B peered with C does not let A reach C

80
Q

What are the Cloud Storage Types

A

Object - for applications needing access to documents, video and images via an API

File-Based - shared file systems accessed over protocols such as NFS or SMB

Block - high performance, transactional workloads such as databases

Blob - Azure's name for object storage; unstructured and common for archive and backup sets

81
Q

What is the refinement of machine learning that enables machines to develop strategies for solving a task given a labeled dataset and without further explicit instructions

A

Deep Learning

An application of deep learning that produces synthetic images, video or audio of real persons is called deepfakes
