Security Operations 4.5 Flashcards
Given a scenario, modify enterprise capabilities to enhance security
Firewall
Filter traffic by port number or application.
Traditional - filter by port number
NGFW - Filter by application.
Encrypt traffic - VPN between sites.
Most firewalls can be layer 3 devices. Often sits at the ingress/egress point of the network.
NGFW
The most advanced type of firewall, which sits at the top of the OSI model (the application layer).
Layer 7 firewall.
Performs deep-packet inspection adding application level inspection as a core feature.
Ports and Protocols
Traditional firewall which makes forwarding decisions based on TCP or UDP port numbers.
They either allow or disallow traffic based on destination protocol and port.
What is the ingress/egress point of the network?
The point that separates the internet from the internal network.
Screened subnet
Commonly holds data that needs to be accessed by people on the internet, but keeps private data separate on the internal network.
IPS
Intrusion prevention system
Host based firewalls
Monitor traffic going in and out of a single host.
Network based firewall
Protects an entire network.
Stateless firewall
Uses rules implemented in ACLs to identify allowed and blocked traffic. Rules are based on:
- Permission
- Protocol
- Source
- Port or protocol
Stateful Firewalls
Inspects traffic and makes decisions based on the traffic context or state.
Layer 4 firewalls
Operate at the transport layer of the OSI model. They inspect traffic and make decisions based on the traffic context or state.
Web application firewall
Specifically designed to protect a web application. A web server hosts the web application, and the WAF is placed between the web server and the web server's clients.
Layer 7
URL Scanning.
Allow or restrict based on the Uniform Resource Locator (URL).
Agent Based
Installed as client software on the user's device. Usually managed from a central console.
Proxies
Sit between the users and the external network. Control of traffic managed through the proxy.
The proxy makes requests on behalf of the user. Based on what it receives, the proxy decides whether to pass that response on to the end user.
Forward Proxy
The user and the proxy are on the internal network of the organisation.
Block Rules
Based on a specific URL or category of content.
Different dispositions: different rules for different types of website, e.g. block gambling, send an alert for home and garden.
Reputation
Filter URLs based on perceived risk, derived from the reputation of the website.
DNS filtering
Before connecting to a website, the client gets the IP address by performing a DNS lookup.
Harmful sites are not provided (the filtering resolver does not return their addresses).
Operating system Security - Group Policy
Configuration management tool.
Security Enhanced Linux
Security patches added to the Linux kernel which provide enhanced security.
The patches give a central access control authority discretion over the rights and permissions used in the Linux operating system, as opposed to the individual user.
MAC - Mandatory access control
DAC - Discretionary Access Control.
Secure Protocols - protocol selection
Make sure that when you use an application you are not using insecure protocols which lack encryption.
Telnet - SSH
HTTP - HTTPS
IMAP - IMAPS
FTP - SFTP
Port number Selection
You can tell whether an application is secure or insecure based on the port number it is using.
Port 80 - HTTP (sent in the clear).
Port 443 - HTTPS (encrypted).
Port number usage does not guarantee security.
Transport Method
The transport method impacts security: if the transport is open access, there is no transport-level encryption.
WPA3: All user data is encrypted.
VPN - Encrypted. Good choice for data transfer.
SPF Protocol
Uses a DNS record to define which IP addresses are authorised to send email on behalf of a domain.
DKIM
DomainKeys Identified Mail
Digital signatures added to the transport process.
DMARC
Builds on top of SPF by allowing domain owners to set policies for how to handle emails that fail authentication checks, and provides reporting mechanisms to monitor and improve email authentication performance.
Three INSECURE data in transit methods
File Transfer Protocol
Trivial File Transfer Protocol
Secure Sockets Layer (SSL)
FTP - File Transfer Protocol
Uploads and downloads files to and from an FTP server, in cleartext (NOT SECURE).
Trivial File Transfer Protocol
Used to transfer smaller amounts of data. Many attacks are carried out against TFTP, so most administrators disable it.
Secure Sockets layer
Was the primary method used to secure HTTP (Hypertext Transfer Protocol) traffic. SSL can also encrypt other types of traffic such as SMTP. However, SSL has been compromised and is not recommended for use.
Secure alternative data-in-transit protocols.
Transport Layer Security (TLS) - replacement for SSL.
Internet Protocol Security (IPsec).
SSH / SCP (based on SSH) - encrypts.
SFTP - secure implementation of FTP. It is an extension of Secure Shell, using SSH to transmit the files in an encrypted format.
FTPS is another secure implementation of FTP; it uses TLS to encrypt FTP traffic.
Which three protocols create a framework for email authentication?
SPF, DKIM and DMARC
File Integrity Monitors
File Integrity Monitors detect modified system files. A file integrity checker calculates hashes of system files as a baseline. It then periodically recalculates the hashes of these files and compares them with the baseline hashes. If the hashes differ, the system has been modified.
SFC - Windows FIM
Tripwire - Linux FIM
Data Exfiltration
The unauthorised transfer of data outside of an organisation.
Example of network-based DLP.
Configure the DLP to look for specific words, phrases or character strings. Any outgoing data, within an email or attachment, containing this code word will be recognised by the DLP and blocked.
Software based DLP
Installed on an individual system, identifying data exfiltration attempts and blocking them from succeeding.
Network access control (NAC)
Inspects a computer and does not allow it to join the network if it does not pass the inspection.
XDR
Extended Detection and Response includes other types of devices and systems.
Goes beyond the endpoint to include other types of devices and systems, such as network devices, cloud infrastructure and IoT devices, providing a more comprehensive view of the entire IT environment.
EDR
Endpoint Detection and Response provides continuous monitoring of endpoints.
Often uses advanced behavioural analysis techniques to identify suspicious activity and contain threats before they cause damage.
User Behaviour Analytics
XDR commonly includes user behaviour analytics, which watches users, hosts, network traffic and data repositories.