Chapter 2: Technologies and Tools

Question 1

1. Both the _______ and _________ use ACLs to block traffic by port, protocol, or IP address.

Answer 1

Router, firewall

Question 2

2. Where the router or firewall has no allow rule for a particular type of traffic, the traffic is blocked by a technique called ________ ____.

Answer 2

Implicit deny

Question 3

3. When setting up IPSec across the internet, it is used in _________ mode but when it is used in the LAN between client and server or server to server, it is known as ___________ mode.

Answer 3

Tunnel, transport

Question 4

A security architect is designing a new web infrastructure. They need a device to sit in the DMZ that will meet two requirements:

• Hide the internal IP addresses of the backend web servers from the internet.
• Decrypt incoming HTTPS traffic (SSL Offloading) so that the content can be inspected by the WAF and NIPS before it reaches the web servers.

What type of device is this?

Answer 4

Reverse Proxy

Explanation:

• A Reverse Proxy sits in front of web servers and forwards client requests to them. It protects the servers.
• (Contrast this with a Forward Proxy, which sits in front of users/clients to filter their outgoing web traffic).
• SSL Offloading is a key feature: the proxy handles the cryptography, decrypting the traffic so security tools can inspect the payload for attacks (like SQL injection) that would otherwise be hidden inside the encrypted HTTPS stream.

Question 5

A network administrator disables SSID Broadcasting on the office Access Points, believing this will make the network invisible to attackers. An attacker arrives and is able to discover the SSID in minutes.

What tool did the attacker use, and why did this security measure fail?

Answer 5

Wireless Packet Sniffer (or Protocol Analyzer).

Explanation: Disabling SSID broadcasting is merely Security through Obscurity. While the SSID is removed from the “Beacon” frames, it is still transmitted in cleartext in other management frames (specifically Probe Responses and Association Requests) whenever a legitimate device connects. A sniffer captures these frames and displays the SSID.

Question 6

6. The role of the VPN concentrator is to set up the _________ ________ before the exchange of data.

Answer 6

Secure tunnel

Question 7

7. _____ ___________ is used to prevent someone plugging a laptop into my network; however, ________ is used to prevent a rogue access point being plugged into my network as it authenticates the user or device itself.

Answer 7

Port security, 802.1x

Question 8

8. A __________ is a device that is used by cybersecurity administrators so that they can observe the attack method used by hackers. This will then enable them to prevent these types of attacks in the future.

Answer 8

Honeypot

Question 9

9. A security administrator has noticed in the SIEM system log files that an attack was detected on Server 1 but when they manually inspected the server, the attack was not shown; this is known as a ______ ___________.

Answer 9

False positive

Question 10

10. One of the reasons why a SIEM system records a false positive is because the wrong ______ _________ were being used, therefore it was monitoring the wrong type of attack.

Answer 10

Input filters

Question 11

An ________ NIPS has traffic flowing through it; however, the NIDS is known as ________ and relies on sensors and collectors to discover new attacks.

Answer 11

Inline, passive

Question 12

_________ __________ inspects traffic going to a website, whereas a _______ ________ inspects traffic across the network.

Answer 12

Banner Grabbing, packet sniffer

Question 13

Banner grabbing uses tools such as Dimitri, _____, ________, and ________.

Answer 13

Nmap, telnet, and netcat

Question 14

__________ shows established connections in a Windows environment, whereas _________ shows established connections in a Linux/Unix environment.

Answer 14

Netstat, netcat (nc)

Question 15

A _____ system correlates security logs from various devices such as servers and firewalls. The security administrator has decided to store the logs into a _______ drive so that they can be read but not tampered with as they may be needed as evidence at a later date.

Answer 15

SIEM, WORM

Question 16

A company could use a ____-__-____ VPN instead of an expensive lease line or even more expensive dark fiber, but it must be set to _______ - ___ mode.

Answer 16

Site-to-site, always-on

Question 17

A _____ ________ could be used as a spam filter and a ____ solution to prevent PII and sensitive information from leaving the company.

Answer 17

Mail gateway, DLP

Question 18

Both ____ and a ______ can detect when new hosts have been added to your internal network.

Answer 18

Nmap, NIDS

Question 19

A __________-______ NIDS/NIPS uses a known database and is reliant on regular updates where _______- _____ NIDS/NIPS start with a known database but can identify new variants.

Answer 19

Signature-based, anomaly-based

Question 20

A security administrator changes the default _________ and _________, disables the SSID, and enables ______ filtering to make a wireless access point more secure.

Answer 20

Username, password, MAC