Security Architecture Principles Flashcards
1
Q
Definition: the practice of layering defenses to provide added protection.
A
defense in depth.
2
Q
Many current security controls and architectures were developed with the concept of a security perimeter.
A
These models are network- or system-centric as opposed to data-centric.
3
Q
The Internet perimeter should:
A
- Route traffic between the enterprise & Internet
- Prevent executable files from being transferred
- Monitor network ports for rogue activity
- Detect and block traffic from infected internal points
- Control user traffic bound toward the Internet
- ID and block potential attacks
- Eliminate threats such as spam, viruses and worms
- Enforce filtering policies
4
Q
The perimeter should also provide protection for virtual private networks (VPNs):
A
- Terminate VPN traffic from remote users
- Provide a hub for terminating VPN traffic from remote sites
- Terminate traditional dial-in users
5
Q
Modern IT architectures are usually ________ and __________.
A
decentralized and deperimeterized
6
Q
As a consequence of decentralized and deperimeterized, both the number of potential attack ______ outside the organizational boundary and the number of attack ______ have grown.
A
targets and vectors .
7
Q
Models of security architecture typically fall into two categories:
A
process models – flexibility
framework models – directive
8
Q
the Zachman framework and the Sherwood Applied Business Security Architecture (SABSA) framework share a similar approach of developing a
A
who, what, why, where, when and how matrix
9
Q
SABSA Security Architecture Matrix viewpoints
A
- contextual
- conceptual
- logical
- physical
- component
- operational
10
Q
The Open Group Architecture Framework (TOGAF) objective is to ensure
A
- that architectural development projects meet business objectives,
- that they are systematic and
- that their results are repeatable.
11
Q
In the Open Systems Interconnect (OSI) model for networks, each layer performs a specific function for the network:
A
Physical Layer—Manages signals
Data Link Layer–Divides data into frames > physical layer
Network Layer—Translates addresses & routes data Transport Layer—data transferred in the correct sequence
Session Layer— manages user connections
Presentation Layer–Formats, encrypts and compresses
Application Layer—Mediates between software applications and other layers of network services
12
Q
TCP/IP
A
Transmission Control Protocol/Internet Protocol
13
Q
The TCP/IP suite includes both _______ protocols and _______ protocols.
A
network-oriented and
application support
14
Q
Name 3 types of defense in depth:
A
- Concentric rings (nested)
- Overlapping redundancy
- Segregation or compartmentalization
15
Q
defense in depth is from an architectural perspective of:
A
Horizontal defense in depth - controls placed in path (functionally equivalent to concentric ring model)
Vertical defense in depth - controls placed in layers
16
Q
A _______ is defined as a system or combination of systems that enforces a boundary between two or more networks. They control the most vulnerable point between a corporate network and the Internet, and they can be as simple or complex as the corporate information security policy demands.
A
firewall
17
Q
There are many different types of firewalls, but most of them enable organizations to:
A
- Block access to particular sites.
- Limit traffic on an organization’s public services to relevant addresses and ports.
- Prevent certain users from accessing certain services.
- Monitor and record communications.
- Monitor and record communications to investigate or detect.
- Encrypt packets by creating a VPN over the Internet (e.g., IP security [IPSec], VPN tunnels). The capabilities of some firewalls can be extended so they can also provide for protection against viruses and attacks directed to exploit known operating system vulnerabilities.
18
Q
Generally, the types of network firewalls fall into three categories:
A
- Packet filtering
- Application firewall systems
- Stateful inspection
19
Q
Packet headers contain information, including the _____ and ______.
A
IP address of the sender and receiver, and the port numbers (application or service)
20
Q
Packet filtering firewalls are therefore best suited for smaller networks, because the direct exchange of packets is permitted between outside systems and inside systems, the potential for an attack is determined by the total number of hosts and services.
A
True.
21
Q
Advantages of packet filtering firewalls:
A
Simplicity of one network “choke point”
Minimal impact on network performance
Inexpensive or free
22
Q
Disadvantages of packet filtering firewalls:
A
Vulnerable to attacks from improperly configured filters
Vulnerable to attacks tunneled over permitted services
All network systems vulnerable when a single packet filtering router is compromised
23
Q
Some of the more common attacks against packet filter firewalls are:
A
- IP spoofing
- Source routing specification
- Miniature fragment attack
24
Q
IP spoofing
A
In this type of attack, the attacker fakes the IP address of either an internal network host or a trusted network host. This enables the packet being sent to pass the rule base of the firewall and penetrate the system perimeter. If the spoofing uses an internal IP address, the firewall can be configured to drop the packet on the basis of packet flow direction analysis. However, attackers with access to a secure or trusted external IP address can spoof on that address, leaving the firewall architecture defenseless.
25
Source routing specification
This type of attack centers around the routing that an IP packet must take when it traverses the Internet from the source host to the destination host. In this process, it is possible to define the route so it bypasses the firewall. However, the attacker must know the IP address, subnet mask and default gateway settings to accomplish this. A clear defense against this attack is to examine each packet and drop packets whose source routing specification is enabled. Note that this countermeasure will not be effective if the topology permits a route that skips the choke point.
26
Miniature fragment attack
Using this method, an attacker fragments the IP packet into smaller ones and pushes it through the firewall. This is done with the hope that only the first sequence of fragmented packets will be examined, allowing the others to pass without review. This is possible only if the default setting is to pass residual packets. Miniature fragment attacks can be countered by configuring the firewall to drop all packets where IP fragmentation is enabled.
27
In contrast to packet filtering routers, application- and circuit-level gateways allow information to flow between systems but do not allow the direct exchange of packets. Therefore, application firewall systems provide greater protection capabilities than packet filtering routers. They work at the application level of the OSI model.
True
28
There are two types of application firewall systems:
* Application-level gateways—Application-level gateways are systems that analyze packets through a set of proxies—one for each service (e.g., Hypertext Transmission Protocol [HTTP] proxy for web traffic, FTP proxy). The implementation of multiple proxies, however, impacts network performance. When network performance is a concern, a circuit-level gateway may be a better choice.
* Circuit-level gateways—Commercially, circuit-level gateways are quite rare. Because they use one proxy server for all services, they are more efficient and also operate at the application level. There, TCP and UDP sessions are validated, typically through a single, general-purpose proxy before opening a connection. This differs from application-level gateways, which require a special proxy for each application-level service.
29
Both application firewall systems (Application-level gateways and Circuit-level gateways) employ the concept of bastion hosting in that they handle all incoming requests from the Internet to the corporate network, such as FTP or web requests. Bastion hosts are heavily fortified against attack.
True.
30
Application firewalls have the following advantages:
1. Provide security for commonly used protocols
2. Generally hide the network from outside untrusted networks
3. Ability to protect the entire network by limiting break-ins to the firewall itself
4. Ability to examine and secure program code
31
What is the disadvantage of application firewalls?
Poor performance and scalability as Internet usage grows.
32
A stateful inspection firewall, also referred to as dynamic packet filtering, tracks the destination IP address of each packet that leaves the organization’s internal network.
True.
33
Stateful inspection firewalls have the following advantages:
1. Provide greater control over the flow of IP traffic
| 2. Greater efficiency in comparison to CPU-intensive, full-time application firewall systems
34
What is the disadvantage of stateful inspection firewalls?
Complex to administer
35
Commonly used firewall implementations available today include:
* Screened-host firewall
* Dual-homed firewall
* Demilitarized zone (DMZ) or screened-subnet firewall—
36
Screened-host firewall—Utilizing a packet filtering router and a bastion host, this approach implements basic network layer security (packet filtering) and application server security (proxy services). An intruder in this configuration must penetrate two separate systems before the security of the private network can be compromised. This firewall system is configured with the bastion host connected to the private network with a packet filtering router between the Internet and the bastion host. Router filtering rules allow inbound traffic to access only the bastion host, which blocks access to internal systems. Since the inside hosts reside on the same network as the bastion host, the security policy of the organization determines whether inside systems are permitted direct access to the Internet, or whether they are required to use the proxy services on the bastion host.
True.
37
Dual-homed firewall—This is a firewall system that has two or more network interfaces, each of which is connected to a different network. A dual-homed firewall usually acts to block or filter some or all of the traffic trying to pass between the networks. A dual-homed firewall system is a more restrictive form of a screened-host firewall system in which a dual-homed bastion host is configured with one interface established for information servers and another for private network host computers.
True.
38
Demilitarized zone (DMZ) or screened-subnet firewall—This is a small, isolated network for an organization’s public servers, bastion host information servers and modem pools. The DMZ connects the untrusted network to the trusted network, but it exists in its own independent space to limit access and availability of resources. As a result, external systems can access only the bastion host and possibly information servers in the DMZ. The inside router manages access to the private network, accepting only traffic originating from the bastion host. The filtering rules on the outside router require the use of proxy services by accepting only outbound traffic on the bastion host. The key benefits of this system are that an intruder must penetrate three separate devices, private network addresses are not disclosed to the Internet, and internal systems do not have direct access to the Internet.
True.
39
Problems faced by organizations that have implemented firewalls include the following:
* Configuration errors
* Monitoring demands—monitoring activities may not always occur on a regular basis.
* Policy maintenance—Firewall policies may not be maintained regularly.
* Vulnerability to application- and input-based attacks—Most firewalls operate at the network layer; therefore, they do not stop any application-based or input-based attacks, such as SQL injection and buffer-overflow attacks. Newer-generation firewalls are able to inspect traffic at the application layer and stop some of these attacks.
40
A VLAN is set up by configuring ports on a switch, so devices attached to these ports may communicate as if they were attached to the same physical network segment, although the devices are actually located on different LAN segments.
True.
41
The key benefits of a DMZ system are:
* An intruder must penetrate three separate devices
* Private network addresses are not disclosed to the Internet
* Internal systems do not have direct access to the Internet
42
egress IS also known as ______.
data exfiltration
43
Strong DLP (data loss prevention) solutions cover three primary states of information:
Data at rest - Crawler applications
Data in motion - Deep packet inspection (DPI)
data in use - agent software to set rules for data use
44
Anti-malware can be controlled through many different mechanisms, including:
* Restriction of outbound traffic
* Policies and awareness
* Multiple layers of anti-malware software using a combination of signature identification and heuristic analysis
45
Broad categories of IDSs include:
* Network-based IDSs—These identify attacks within the monitored network and issue a warning to the operator. If a network-based IDS is placed between the Internet and the firewall, it will detect all the attack attempts, regardless of whether they enter the firewall. If the IDS is placed between a firewall and the corporate network, it will detect those attacks that enter the firewall (i.e., it will detect intruders). The IDS is not a substitute for a firewall, but rather it complements the function of a firewall.
* Host-based IDSs—These are configured for a specific environment and will monitor various internal resources of the operating system to warn of a possible attack. They can detect the modification of executable programs, detect the deletion of files and issue a warning when an attempt is made to use a privileged command.
46
Components of an IDS are:
* Sensors responsible for collecting data in the form of network packets, log files, system call traces, etc.
* Analyzers that receive input from sensors and determine intrusive activity
* An administration console
* A user interface
47
Types of IDSs include:
* Signature-based—These IDS systems protect against detected intrusion patterns. The intrusive patterns they can identify are stored in the form of signatures.
* Statistical-based—These systems need a comprehensive definition of the known and expected behavior of systems.
* Neural networks—An IDS with this feature monitors the general patterns of activity and traffic on the network and creates a database. It is similar to the statistical model but with added self-learning functionality.
48
The features available in an IDS include:
* Intrusion detection
* Ability to gather evidence
* Automated response
* Security policy
* Interface with system tools
* Security policy management
49
An IDS cannot help with the following weaknesses:
* Weaknesses in the policy definition
* Application-level vulnerabilities
* Back doors into applications
* Weaknesses in identification & authentication
50
An intrusion prevention system (IPS) predicts an attack before it occurs. It does this by monitoring key areas of a computer system and looking for “bad behavior,” such as worms, Trojans, spyware, malware and hackers. It complements firewall, antivirus and antispyware tools to provide complete protection from emerging threats. It is able to block new (zero-day) threats that bypass traditional security measures since it does not rely on identifying and distributing threat signatures or patches.
True.
51
Some advantages of IPSs include:
* Protection at the application layer
* Prevention of attacks rather than simply reacting
* Defence in depth
* Real-time event correlation
52
Encryption is part of a broader science of secret languages called cryptography, which is generally used to:
* Protect information stored
* Protect data in transit
* Deter and detect accidental or intentional alterations of data
* Verify authenticity of a transaction or document
53
Key elements of cyptographic systems include:
* Encryption algorithm
* Encryption key
* Key length
54
Effective cryptographic systems depend upon a variety of factors including:
* Algorithm strength
* Secrecy and difficulty of compromising a key
* Nonexistence of back doors by which an encrypted file can be decrypted without knowing the key
* Inability to decrypt parts of a ciphertext message and prevent known plaintext attacks
* Properties of the plaintext known by a perpetrator
55
There are two types of cryptographic systems:
* Symmetric Key Systems—These use single, secret, bidirectional keys that encrypt and decrypt.
* Asymmetric Key Systems—These use pairs of unidirectional, complementary keys that only encrypt or decrypt. Typically, one of these keys is secret, and the other is publicly known.
56
The most common symmetric key cryptographic system is the Data Encryption Standard (DES). DES is based on a public algorithm that operates on plaintext in blocks. This type of algorithm is known as a block cipher. DES uses blocks of 64 bits. DES is being replaced with AES, a public algorithm that supports keys from 128 bits to 256 bits.
True.
57
There are two main advantages to symmetric key cryptosystems such as DES or AES:
* The user only has to remember/know one key for both encryption and decryption.
* Symmetric key cryptosystems are generally less complicated and, therefore, use up less processing power than asymmetric techniques. They are ideally suited for bulk data encryption.
58
There are two main disadvantages to symmetric key cryptosystems such as DES or AES:
* Difficulty distributing keys
* Limitations of shared secret—A symmetric key cannot be used to sign electronic documents or messages due to the fact that the mechanism is based on a shared secret.
59
Asymmetric keys are often used for short messages such as encrypting DES symmetric keys or creating digital signatures. If asymmetric keys were used to encrypt bulk data (long messages), the process would be very slow; this is the reason they are used to encrypt short messages such as digests or signatures.
True.
60
A variant and more efficient form of public key cryptography is elliptical curve cryptography (ECC), which is gaining prominence as a method for increasing security while using minimum resources. It is believed that ECC demands less computational power and therefore offers more security per bit. For example, an ECC with a 160-bit key offers the same security as an RSA-based system with a 1,024-bit key. ECC works well on networked computers requiring strong cryptography. However, it has some limitations such as bandwidth and processing power.
True.
61
Quantum cryptography is the next generation of cryptography that may solve some of the existing problems associated with current cryptographic systems, specifically the random generation and secure distribution of symmetric cryptographic keys. It is based on a practical application of the characteristics of the smallest “grains” of light (photons) and the physical laws governing their generation, propagation and detection. Initial commercial usage has already started.
True.
62
AES has replaced the DES as the cryptographic algorithm standard. NIST announced that it had selected Rijndael as the algorithm for the AES.
True.
63
Rijndael is a symmetric block cipher with variable block and key length. For AES the block length was fixed to 128 bits, and three different key sizes (128, 192 and 256 bits) were specified. Therefore, AES-128, AES-192 and AES-256 are three different versions of AES.
True.
64
A ________ is an electronic identification of a person or entity created by using a public key algorithm.
digital signature
65
To verify the integrity of the data, a cryptographic hashing algorithm, called a ______ , is computed against the entire message or electronic document, which generates a small fixed string message, usually about 128 bits. This process, also referred to as a digital signature algorithm, creates a message digest.
checksum
66
Common types of message digest algorithms are SHA1, SHA2, MD2, MD4 and MD5. These algorithms are one-way functions. They are meant for digital signature applications where a large electronic document or string of characters has to be compressed in a secure manner before being signed with the private key. All digest algorithms take a message of arbitrary length and produce a 128-bit message digest. MD2 was optimized for 8-bit machines, whereas MD4 and MD5 were created for 32-bit machines.
True.
67
Encrypt the message digest using the sender’s private key. Why?
“signs” the document with the sender’s digital signature for message authenticity. nonrepudiation
68
Digital signature is a cryptographic method that ensures:
* Data integrity—Any change to the plaintext message would result in the recipient failing to compute the same message hash.
* Authentication—The recipient can ensure that the message has been sent by the claimed sender since only the claimed sender has the secret key.
* Nonrepudiation—The claimed sender cannot later deny generating and sending the message.
69
Digital signatures and public key encryption are vulnerable to man-in-the-middle attacks wherein the sender’s digital signature private key and public key may be faked. The PKI performs the function of independently authenticating the validity of senders’ digital signatures and public keys.
True.
70
A popular VPN technology is _____, which commonly uses the DES, Triple DES or AES encryption algorithms.
IPsec
71
PKI allows a trusted party to issue, maintain and revoke public key certificates.
True.
72
The status and values of a current user’s digital certificate should include:
1. A distinguishing username
2. An actual public key
3. The algorithm used
4. A certificate validity period
73
Key elements or subcomponents of the CA structure include:
1. the certification practice statement (CPS),
2. RAs and
3. certificate revocation lists (CRLs).
74
The administrative functions that a particular RA implements will vary based on the needs of the CA, but must support the principle of establishing or verifying the identity of the subscriber. These functions may include:
1. personal authentication functions
2. Verifying the right to requested certificate attributes
3. proof of possession (POP)
4. Reporting key compromise or termination
5. Assigning names for identification purposes
6. Generating shared secrets for initialization and certificate pick-up phases
7. Initiating registration process with CA for the subject end entity
8. Initiating the key recovery processing
9. Distributing the physical tokens (such as smart cards) containing the private keys
10. Certification practice statement
75
Certification practice statement—CPS is a detailed set of rules governing the CA’s operations. It provides an understanding of the value and trustworthiness of certificates issued by a given CA in terms of the following:
1. The controls that an organization observes
2. The method it uses to validate the authenticity of certificate applicants
3. The CA’s expectations of how its certificates may be used
76
SSL provides end-point authentication and communications privacy over the Internet using cryptography. In typical use, only the server is authenticated while the client remains unauthenticated. SSL involves a number of basic phases:
1. Peer negotiation for algorithm support
2. Public key, encryption-based key exchange and certificate-based authentication
3. Symmetric cipher-based traffic encryption
77
The SSL provides for:
- Confidentiality
- Integrity
- Authentication
78
IPSec is used for communication among:
two or more hosts,
two or more subnets, or
hosts and subnets
79
SSH is a client-server program that opens a secure, encrypted command-line shell session from the Internet for remote logon. SSH is useful in securing Telnet and FTP services. It is implemented at the application layer, as opposed to operating at the network layer.
True.
80
_____ is a standard secure email protocol that authenticates the identity of the sender and receiver, verifies message integrity, and ensures the privacy of a message’s contents, including attachments.
S/MIME - Secure Multipurpose Internet Mail Extensions
81
_________ is a protocol developed jointly by VISA and MasterCard to secure payment transactions among all parties involved in credit card transactions.
Secure Electronic Transactions (SET)
