Security

Question 1

Mantraps

Answer 1

• All doors normally unlocked
  
  • Opening one door causes others to lock

• All doors normally locked
• Unlocking one door prevents others from being
unlocked

• One door open / other locked
  
  • When one is open, the other cannot be unlocked
• One at a time, controlled groups
  
  • Managed control through an area

Question 2

Token-based

Answer 2

Magnetic swipe card or key fob

Question 3

Tokens and cards

Answer 3

• Smart card
  
  • Integrates with devices
  • May require a PIN
• USB token
  
  • Certificate is on the USB device
• Hardware or software tokens
  
  • Generates pseudo-random authentication codes
• Your phone
  
  • SMS a code to your phone

Question 4

Guards and access lists

Answer 4

• Security guard
  
  • Physical protection
  • Validates identification of existing employees
  • Provides guest access
• ID badge
  
  • Picture, name, other details
  • Must be worn at all times
• Access list
  
  • Physical list of names
  • Enforced by security guard

Question 5

USB locks

Answer 5

• Prevent access to a USB port
  
  • Physical lock inside of the interface

• A secondary security option after disabling the
interface
in BIOS and/or operating system
• There’s always a way around security controls

• Relatively simple locks
  
  • Defense in depth

Question 6

Active Directory

Answer 6

• Centralized management
  
  • Windows Domain Services
  • Limit and control access

Question 7

Login script

Answer 7

• Map network drives
• Update security software signatures
• Update application software

Question 8

Organizational Units

Answer 8

• Structure Active Directory
• Can be based on the company
(locations, departments)

Question 9

Home Folder

Answer 9

• Assign a network share as the user’s home
  
  • \server1\users\professormesser
• Folder redirection
  
  • Instead of a local folder, redirect to the server
  • Store the Documents folder on \server1
  • Access files from anywhere

Question 10

Mobile Device Management (MDM)

Answer 10

• Manage company-owned and user-owned devices
  
  • BYOD - Bring Your Own Device

• Centralized management of
the mobile devices
• Specialized functionality

• Set policies on apps, data, camera, etc.
  
  • Control the remote device
  • The entire device or a “partition”

• Manage access control
• Force screen locks and PINs on these single user
devices

Question 11

Port security

Answer 11

• Prevent unauthorized users from
connecting to a switch interface
• Alert or disable the port

• Based on the source MAC address
  
  • Even if forwarded from elsewhere
• Each port has its own config
  
  • Unique rules for every interface

Question 12

MAC filtering

Answer 12

• Media Access Control - The “hardware” address

• Limit access through the physical hardware address
  
  • Keeps the neighbors out
  • Additional administration with visitors

• Easy to find MAC addresses through wireless LAN
analysis
• MAC addresses can be spoofed

• Security through obscurity

Question 13

Certificate-based authentication

Answer 13

• Smart card
• Private key is on the card
• PIV (Personal Identity Verification) card
• US Federal Government smart card
• Picture and identification information
• CAC (Common Access Card)
• US Department of Defense smart card
• Picture and identification
• IEEE 802.1X
• Gain access to the network using a certificate
• On-device storage or separate physical device

Question 14

Host-based firewalls

Answer 14

• “Personal” firewalls
• Software-based
• Included in many operating systems
• 3rd-party solutions also available
• Stops unauthorized network access
• “Stateful” firewall
• Blocks traffic by application
• Windows Firewall
• Filters traffic by port number and application

Question 15

Network-based firewalls

Answer 15

• Filters traffic by port number
• HTTP is 80, SSH is 22
• Next-generation firewalls can
identify the application

• Can encrypt traffic into/out of the network
• Protect your traffic between sites
• Can proxy traffic
• A common security technique
• Most firewalls can be layer 3 devices (routers)
• Usually sits on the ingress/egress of the network

Question 16

User authentication

Answer 16

• Identifier
• Something unique
• In Windows, every account has a Security Identifier
(SID)

• Credentials
• The information used to authenticate the user
• Password, smart card, PIN code, etc.
• Profile
• Information stored about the user
• Name, contact information, group memberships, etc

Question 17

Directory permissions

Answer 17

• NTFS permissions
• Much more granular than FAT
• Lock down access
• Prevent accidental modification or deletion
• Some information shouldn’t be seen
• User permissions
• Everyone isn’t an Administrator
• Assign proper rights and permissions
• This may be an involved audit

Question 18

VPN concentrator

Answer 18

• Virtual Private Network
• Encrypt (private) data traversing a public network
• Concentrator
• Encryption/decryption access device
• Many deployment options
• Specialized cryptographic hardware
• Software-based options available

• Used with client software - Sometimes built into the OS

Question 19

Data Loss Prevention (DLP)

Answer 19

• Where’s your data?
• Social Security numbers, credit card numbers,
medical records

• Stop the data before the bad guys get it
• Data “leakage”
• So many sources, so many destinations
• Often requires multiple solutions in different places

Question 20

Access Control Lists (ACLs)

Answer 20

• Used to allow or deny traffic
• Also used for NAT, QoS, etc.
• Defined on the ingress or egress of an interface
• Often on a router or switch
• Incoming or outgoing
• ACLs evaluate on certain criteria
• Source IP, Destination IP,
• TCP port numbers, UDP port numbers, ICMP
• Deny or permit
• What happens when an ACL matches the traffic?
• Following the traffic flow

Question 21

Email filtering

Answer 21

• Unsolicited email
• Stop it at the gateway before it reaches the user
• On-site or cloud-based
• Scan and block malicious software
• Executables, known vulnerabilities
• Phishing attempts
• Other unwanted content

Question 22

An antivirus software is kept up to date via

Answer 22

Engine updates

Virus signature updates

Question 23

Examples of secure network protocols used for establishing VPN connections include

Answer 23

IPsec

TLS