Domain 4 Flashcards

Question

RADIUS

Answer 1

AAA protocol centralize authentication for users

Answer 2

- input validation - secure cookies - static code analysis - code signing - sandboxing - monitoring

Answer 3

person owner per asset for asset tracking

Answer 4

type of asset hard/software etc. for asset tracking

Answer 5

inventory enumeration - list all parts of an asset add an asset tag (barcode, rfid, tracking number, org name, etc)

Answer 6

decommissioning removing data, no usable info remains reuse

Answer 7

physical - shredder, hammer, em (degaussing), incineration

Answer 8

- backup of data - regulatory compliance - operational needs

Answer 9

- vulnerability scans - application code analysis - threat feed - pen testing - disclosure programs - audits

Answer 10

- first need to confirm the vuln - prioritize it - use CVSS to determine severity - CVE - vuln classification - exposure factor - envrionmental variables - industry/org impact - risk tolerance

Answer 11

loss of value or business activity if vuln is exploited

Answer 12

environment associated with the vulnerability helps with prioritization (ex. isolated device in lab vs database server in public cloud)

Answer 13

amount of risk acceptable to an org

Answer 14

- patching - insurance - segmentation - compensating controls - exceptions and exemptions

Answer 15

optimal security methods may not be available so instead compensate in other ways for a temporary time. ex. disabling a service, revoking access to application etc.

Answer 16

removing the vuln is optimal balancing act -- don't want vulnerability but want the service to be operating exception - formal process

Answer 17

- rescanning - audit - verification

Answer 18

- authentication --> logins, from where, what time, etc. - server monitoring - service activity, backups, software versions

Answer 19

- availability --> uptime, response times - data transfers --> increases or decrease in rates - security notifications - from developer

Answer 20

- remote access systems, employees, vendors, guests - firewall and IPS reports

Answer 21

log aggregation thru SIEM central database, for centralized reporting

Answer 22

to check all systems and devices find potential anomalies

Answer 23

- siem (log aggregation) - alerting - scanning - reporting - archiving - alert response/validation

Answer 24

quarantine alert tuning

Answer 25

quarantine the system , isolate it, prevent attacker additional access to it, prevent spread to other systems

Answer 26

prevent false positives & negatives

Answer 27

SCAP benchmarks agents/agentless SIEM antivirus DLP SNMP traps NetFlow Vuln Scanners

Answer 28

security content automation protocol // allows tools to identify and act on same critera tools can communicate with each, same language, to identify vulns

Answer 29

apply security best practices to everything

Answer 30

software agent on device; always on, always running, must update the agent agentless - no install, performs the check then disappear, no ongoing updates, nothing permanantly installed

Answer 31

passive port scan identify systems test from outside & inside

Answer 32

works in application layer (7) - block/allow by application

Answer 33

start matching top to bottom. Top - more specific rules

Answer 34

step thru each rule in succession. if no rule matches, then it will automatically be denied.

Answer 35

groupings by categories ex. source, dest ip, time of day, port number, application

Answer 36

where the firewall is usually put. point where the internet separates from the internal network

Answer 37

additional layer of security between network and internet. access to public resources but private data stays protected

Answer 38

usually integrated in NGFW monitoring traffic in real time can be signature or anomaly based

Answer 39

loaded onto the IPS recognizes malicious software. must be a perfect match.

Answer 40

build a baseline of what's normal anything that deviates is flagged.

Answer 41

list of vulns, and IPS should block/allow, send alert etc.

Answer 42

filter out certain types of data inappropriate content malicious software parental controls sensitive material

Answer 43

allow/restrict based on URL or URI integrated into an NGFW

Answer 44

installed on user's device

Answer 45

sits between users and external network. user makes request, proxy receives that and forwards that request on the user's behalf useful for caching info, access control, URL filtering, content scanning

Answer 46

application uses proxy for communication instead of directly to server

Answer 47

for user access to internet

Answer 48

filter urls based on perceived risk

Answer 49

content filtering w/o NGFW, proxy, or URL Filter DNS lookup, malicious sites are blocked (IP address isn't sent back to user) based on real time threat intelligence commerical & public lists

Answer 50

database of everything on network (computers, user accounts, file shares, printers, groups) centralized access control, manage authentication

Answer 51

security policies, diff permissions or configs, for each individual user/device

Answer 52

security enhanced linux// security patches for the linux kernel linux automatically uses DAC (discretionary access control) but SELinux uses MAC (mandatory access control) limits application access, least privilege.

Answer 53

SSH Remote console

Answer 54

HTTPS port 443 Web browsing

Answer 55

IMAPS email client access

Answer 56

SFTP file transfer

Answer 57

no transport-level encryption

Answer 58

802.11 wireless - WPA3 VPN

Answer 59

evaluates source of inbound email messages. blocks at gateway before it reaches the user.

Answer 60

sender policy framework// sender configures a list of all servers authorized to send emails for a domain

Answer 61

domain keys identified mail// mail server digitally signs all outgoing mail. validated by the receiving mail servers

Answer 62

domain based message authentication reporting and conformance//

Answer 63

file integrity monitoring

Answer 64

os and application files

Answer 65

system file checker// on windows os (built-in) will scan all critical os files, makes sure no modifications have been made, but if there are changes, will replace with a good version

Answer 66

tool for FIM on Linux

Answer 67

windows: SFC Linux: Tripwire host based IPS - diff than network based; on os itself and can monitor all files.

Answer 68

data loss prevention// look for sensitive data across the network and block that traffic in real time. constantly monitoring the network or stored on the device. 1. endpoint 2. network 3. on server 4. cloud based

Answer 69

software DLP solution that's on the computer (aka endpoint) monitors data in use (in memory of that device)

Answer 70

protects data in motion monitoring packets in real time. could be standalone appliance or integrated in NGFW

Answer 71

if monitor files on OS filesystem (aka data at rest). runs as software on the OS directly or server directly

Answer 72

part of network where inside meets "outside" or internet part of network.

Answer 73

check devices if all security stuff is up to standards.

Answer 74

when device first accesses the network or logs in network remotely parameters to check: - trusted device? - security utilities -> anti-virus, running, updated with latest signatures - corporate application? latest versions? - encryption?

Answer 75

1. persistent agents - permanently installed on the device and can run anytime. must be updated. 2. dissolvable agent - no formal installation. executes during a login or connection process. once assmessment is done, it terminates itself 3. agentless NAC (network access control) - integrated with Active Directory. runs when you log in/log out of active directory database. can't be scheduled.

Answer 76

endpoint detection and response// bahevioral analysis, ml, process monitoring. lightweight agent on the endpoint root cause analysis (how and why an event happened) respond to threat automatically (isolate, quarantine, rollback)

Answer 77

extended detection and response// improve missed detection, false positives, and long investigation times. can correlate multiple data types from more than one system

Answer 78

xdr uses this interprets user activity to build a baseline of normal activity requires data analysis over an extended period of time

Answer 79

identity and access management //

Answer 80

1. provisioning 2.

Answer 81

creating user accounts/removal

Answer 82

roles, permissions is just enough for the person's jobs storage/files can be private to the user no privileged access to the os

Answer 83

Resolution: verifies the user is who they say they are Validation: gathering info from users (password, security questions) Attestation: verification. additional details (passport, etc.)

Answer 84

single sign on provide credentials one time and get access to all assigned resources.

Answer 85

lightweight directory access protocol// authentication protocol for reading & writing directories over an IP network.

Answer 86

security assertion markup language// open standard for authentication and authorization authenticate user to a third party database

Answer 87

authorization framework, NOT An authentication PROTOCOL determines what resources a user will have access to.

Answer 88

network access without using a local authentication database. between two organizations (ex. login with facebook) third parties establishes the trust relationship

Answer 89

everything must work together/be compatible.

Answer 90

permissions and rights exactly what they need to do their job. nothing more.

Answer 91

mandatory access control// each resource/object gets label (ex. confidential, top secret)

Answer 92

discretionary access control// owner decides who gets access, permissions etc.

Answer 93

role based access control// based on the role in your org (manager, director, etc) rights gained implicitly (through groups)

Answer 94

access determined through system-enforced rules.

Answer 95

attribute based access control// considers many parameters

Answer 96

restrict access during certain times or days of the week.

Answer 97

prove who you are

Answer 98

you know you have somewhere you are something you are

Answer 99

passwords PINs pattern

Answer 100

smart card USB security key hardware/software tokens phone (sms a code to your phone)

Answer 101

biometrics - finger, voice, retinal, etc

Answer 102

only works if you are in a certain geographical location ip address, mobile device location services

Answer 103

-complexity and length no words, no walks, mix upper and lower case, symbols, etc. - password age and expiration. periodic reset - no reuse, diff passwords for diff accounts

Answer 104

use different passwords for each account. keep all of them in a single database. this must be encrypted, mfs, extra protection

Answer 105

grant admin access for a limited time.

Answer 106

primary credentials stored in a password vault. vault controls who gets access

Answer 107

- saves time - minimal human error - enforces baselines - standard infrastructure configs - automate boring tasks - speed - secure scaling - employee retention - reaction time - computer is faster than human - workforce multiplier

Answer 108

user and resource provisioning **guard rails - automated validations security groups - add/remove from security groups, monitoring, etc. ticket creation escalation - correct issues before involving human enabling/disabling services continuous integration and testing - integrations and application programming interfaces (API) -

Answer 109

complexity cost single point of failure technical debt - covering up the real problem with more and more scripts ongoing supportability

Answer 110

preparation detection analysis containment eradication recovery lessons learned

Answer 111

communication methods hardware and software (laptions, removable media, forensic software, camera etc) resources (documentation, network diagrams, baselines, file hash values etc.) mitigation software - clean OS, application images relevant policies

Answer 112

many sources, different levels of details

Answer 113

malware detects its in a sandbox and behaves differently

Answer 114

replace the bad software with known good software

Answer 115

- remove malware - disable breached user accounts - fix vulnerabilities

Answer 116

- restore from known good backups - rebuild from scratch - harden so attackers can't get back in

Answer 117

learn and improve post-incident meeting how to resolve issue more efficiently next time have a better plan for the next incident

Answer 118

- timeline of events - how effective the plan worked? - what would work differently. - update incident response plan - any warnings? how to improve monitoring

Answer 119

- BEFORE an incident occurs - documentation, testing, training, of IR plan - IR team needs to know investigation plan, IR reporting, etc.

Answer 120

- simulations - tabletop

Answer 121

specific rules of engagement (roles, responsibilities, what systems, etc) specific scenario, limited time to run the event evaluate the response, document everything

Answer 122

sitting at table, logistically going through procedure and policies in the certain scenario

Answer 123

a real simulated event ex. phishing

Answer 124

determine the ultimate cause of the incident.

Answer 125

proactive hunt to find vulnerabilities and mitigate before attacker finds it and exploits it

Answer 126

collect and protect info relating to an intrusion in relation to legal proceedings

Answer 127

legal technique to preserve relevant info prepare for impeding litigation, initiated by legal counsel

Answer 128

data must remain in its unmodified form for the duration of the analysis. process to ensure the integrity of the data, but since many people need to access this data during the investigation, a chain of custody is used to determine who accesses the data. how? hashes and digital signatures

Answer 129

obtain the data -- thru the disk, RAM, firmware, OS files...etc

Answer 130

document findings, how data was found/acquired, and how its stored

Answer 131

protecting data is first priority. analyze without alterations. work from copies.

Answer 132

collect, prepare, review, interpret, and produce electronic documents. acquiring data (not analysis) works in conjunction with forensics

Answer 133

firewall application endpoint os-specific security IPS/IDS metadata network

Answer 134

could show... - blocked/allowed traffic - exploit attempts - blocked URL categories - DNS sinkhole traffic

Answer 135

traffic flows through a firewall contains info including: - source, destination IP addresses - port numbers - disposition (allowed or blocked) - if NGFW is being used --> reveals what applications are being used, URL filtering categories, anomalies and suspicious data

Answer 136

windows - event viewer Linux - /var/log

Answer 137

data on the endpoint (device) ex. - logon events - policy changes - system events or processes - account management - directory services

Answer 138

info about predefined vulnerabilities known OS vulns, generic security events data points such as timestamps, type of class of attack, source and destination IP, source and destination ports

Answer 139

(switches, routers, access points, VPN concentrators) find any network changes: routing updates, authentication issues, network security issues

Answer 140

data that describes other data sources ex. email: header details, sending servers, destination address; phone: type of phone, GPS location; Web: OS, browser type, IP; Files: name, address, phone number, title

Answer 141

vulnerability scans automated reports dashboards packet captures

Domain 4 Flashcards

(176 cards)