As they protect data at the highest layer of the protocol stack, application-based firewalls have no basic packet filtering functionality.
False. All firewall types can perform basic packet filtering (by IP address, protocol type, port number, and so on).
What distinguishes host-based personal software firewall from a network firewall appliance?
Personal firewall software can block individual processes from using a network connection as well as apply filtering rules. However, because it is a software application running on the host it protects, malware on that host can more easily interfere with its operation or exploit OS flaws to circumvent it. Also, a personal firewall protects the local host only, while a network firewall appliance filters traffic for all hosts on the segment behind it.
What is a WAF?
A web application firewall (WAF) is designed to protect HTTP and HTTPS applications. It can be configured with signatures of known attacks against applications, such as injection-based attacks or scanning attacks.
True or false? When deploying a non-transparent proxy, you must configure clients with the proxy address and port.
True.
What is usually the purpose of the default rule on a firewall?
Block any traffic not specifically allowed (implicit deny)
Why are most network DoS attacks distributed?
Most attacks depend on overwhelming the victim's bandwidth or processing capacity, which typically requires a large number of source hosts (a botnet). Spreading the traffic across many sources also makes it much harder for the victim to filter the attack by source address.
How do DoS attacks target resource exhaustion vulnerabilities?
As well as consuming bandwidth, each packet requires resources (CPU, memory, and disk cache) to process. A DoS attack may overwhelm the hardware resources available to the victim server, rather than attempting to overwhelm the network bandwidth available to it.
What is an amplification attack?
The attacker sends requests to several reflecting servers (often open DNS or NTP servers) with the source address spoofed to the victim's IP. The requests are crafted so that each small request produces a much larger response, and the reflectors send those responses to the victim, overwhelming its bandwidth.
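The victim of an amplification attack sees the reflectors' responses, not the attacker's spoofed requests, so detection on the victim side looks for many distinct reflector addresses sending large UDP responses to one destination. The following is an added example (not code from the original page) that applies that logic to constructed flow records; the address values, the port-to-service table and the thresholds are assumptions chosen for illustration.

```python
"""Spot reflection/amplification traffic in UDP flow records (victim-side view)."""
from collections import defaultdict

# Server-side UDP ports of services commonly abused as reflectors (assumed table).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bandwidth amplification factor: response size over request size."""
    return response_bytes / request_bytes


def detect_reflection(flows, min_sources: int = 5, min_avg_pkt: int = 300) -> dict:
    """
    flows: iterable of dicts {proto, src, sport, dst, dport, bytes, packets}.
    Returns {dst: summary} for destinations receiving large UDP responses from
    many distinct reflector addresses. A real amplification flood is many
    sources -> one victim; a single busy resolver answering one client is not.
    """
    by_dst = defaultdict(lambda: {"sources": set(), "services": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if f["proto"] != "udp" or f["sport"] not in REFLECTOR_PORTS:
            continue
        agg = by_dst[f["dst"]]
        agg["sources"].add(f["src"])
        agg["services"].add(REFLECTOR_PORTS[f["sport"]])
        agg["bytes"] += f["bytes"]
        agg["packets"] += f["packets"]
    findings = {}
    for dst, agg in by_dst.items():
        avg_pkt = agg["bytes"] / agg["packets"]
        if len(agg["sources"]) >= min_sources and avg_pkt >= min_avg_pkt:
            findings[dst] = {
                "services": sorted(agg["services"]),
                "sources": len(agg["sources"]),
                "bytes": agg["bytes"],
                "avg_pkt": round(avg_pkt),
            }
    return findings


# Constructed flow records (hypothetical addresses). Eight NTP servers each send
# 50 packets of 468 bytes to one victim; a resolver answers one ordinary client.
FLOWS = [
    {"proto": "udp", "src": f"198.51.100.{i}", "sport": 123, "dst": "203.0.113.7",
     "dport": 52000 + i, "bytes": 50 * 468, "packets": 50}
    for i in range(1, 9)
] + [
    {"proto": "udp", "src": "10.0.0.53", "sport": 53, "dst": "10.0.0.20",
     "dport": 41000, "bytes": 120, "packets": 1},
]

if __name__ == "__main__":
    print(detect_reflection(FLOWS))
```

Tune the thresholds to your own traffic: a resolver you operate that serves DNSSEC-signed answers will produce large responses legitimately, so exclude known internal resolvers and NTP servers from the reflector set rather than lowering the packet-size threshold.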
What is meant by scheduling in the context of load balancing?
The algorithm and metrics that determine which node a load balancer picks to handle a request.
You are implementing a new e-commerce portal with multiple web servers accessing accounts on database servers. Would you deploy load balancers to facilitate access by clients to the web servers or by the web servers to the database servers? Why or why not?
Load balancers are typically deployed for stateless fault tolerance and so would be used at the front-end (client-web server) rather than back-end (database servers). Load balancing a database service would be performed by configuring server clusters.
What is the best option for monitoring traffic passing from host to host on the same switch?
Use a mirrored port (a SPAN port). Traffic between two ports on the same switch is forwarded directly between them and never reaches the other ports, so a sensor must be attached to a port that the switch has been configured to mirror that traffic to.
What are examples of the output from passive detection systems?
Logging or alerting intrusion incidents.
How could out-of-band IDS monitoring be configured and what advantage would this have over in-band monitoring?
Out-of-band means configuring a link that is not shared with ordinary hosts on the main enterprise network. This could be established using VLANs or physically separate cabling and switches. Out-of-band monitoring reduces the chance of an adversary being able to compromise the intrusion detection process.
What is a blinding attack?
A blinding attack attempts to disable a NIDS, either by overwhelming the sensor or the switch's spanning (mirror) port so that it drops packets, or by generating large numbers of false positives so that the alerting engine is overwhelmed and genuine alerts become much harder for administrators to notice.
What sort of maintenance must be performed on signature-based monitoring software?
Installing definition/signature updates and removing definitions that are not relevant to the hosts or services running on your network.
Anti-virus software has reported the presence of malware but cannot remove it automatically. Apart from the location of the affected file, what information will you need to remediate the system manually?
The string identifying the malware. You can use this to reference the malware on the A-V vendor's site and, hopefully, obtain manual removal and prevention advice.
If a Windows system file fails a file integrity check, should you suspect a malware infection?
Yes. Malware is a likely cause that you should investigate, after first ruling out a legitimate change such as a recent update (check the file's digital signature and the system's patch history).
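An integrity check only works if a trusted baseline of file hashes exists to compare against. The following is an added example (not code from the original page) of building such a baseline and reporting every deviation from it; the directory and file names are a constructed stand-in for a system directory, and the scenario in `demo()` is fabricated for illustration.

```python
"""File-integrity monitoring: baseline a tree with SHA-256, then report deviations."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (relative POSIX path) under root to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(root: Path, baseline: dict) -> dict:
    """Compare the tree against a stored baseline. All three categories matter:
    a modified system file, a removed one, and an unexpected new one."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "removed": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake system directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sys32 = root / "system32"
        sys32.mkdir()
        (sys32 / "kernel32.dll").write_bytes(b"original code " * 100)
        (sys32 / "ntdll.dll").write_bytes(b"more original code " * 100)
        baseline = build_baseline(root)  # in practice stored off-host or signed
        # Simulated compromise: one file patched in place (same size), one dropped in.
        (sys32 / "kernel32.dll").write_bytes(b"original code " * 99 + b"hooked code!!!")
        (sys32 / "evil.dll").write_bytes(b"dropper")
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Keep the baseline somewhere the monitored host cannot write to; an attacker who can modify a system file can just as easily rewrite a baseline stored beside it.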
If you suspect a process of being used for data exfiltration but the process is not identified as malware by A-V software, what types of analysis tools will be most useful?
Use a process monitor to see which files the process interacts with and a network monitor to see if it opens (or tries to open) a connection with a remote host.
What is data exfiltration?
Unauthorized copying or retrieval of data from a system.
A user reports that an essential design draft document has disappeared and in its place is a file describing a policy violation. Should you suspect the reporting user of having attempted to exfiltrate the data?
Not necessarily. The Data Loss Prevention (DLP) solution might have been configured to quarantine the file for all users if any policy violation was detected. You should check the DLP monitor alerts or logs.
What mechanisms does cloud-based DLP use to prevent data loss from cloud services?
The solution can either use a proxy to mediate access or the cloud service provider's API to perform scanning and policy enforcement.
What is the purpose of SIEM?
Security information and event management (SIEM) products aggregate IDS alerts and host logs from multiple sources, then perform correlation analysis on the observables collected to identify Indicators of Compromise and alert administrators to potential incidents.
What is the difference between a sensor and a collector, in the context of SIEM?
A SIEM collector parses input (such as log files or packet traces) into a standard format that can be recorded within the SIEM and interpreted for event correlation. A sensor collects data from the network media.
What feature of server logs is essential to establishing an audit trail?
That the logs are tamper-proof (or at the very least tamper-evident). This might be assisted by writing logs to Write Once, Read Many (WORM) media.
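One software mechanism for tamper-evident logs is a keyed hash chain: every record carries a MAC computed over its own content and the previous record's MAC, so editing, deleting or reordering any record breaks the chain from that point on. The following is an added example (not code from the original page); the key, the events and the `demo_tamper()` scenarios are constructed for illustration.

```python
"""Tamper-evident audit log: a keyed hash chain over the records."""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # stand-in for "no previous record"


def _body(entry: dict) -> str:
    """Canonical serialization so the same entry always MACs identically."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":"))


def append(chain: list, entry: dict, key: bytes) -> dict:
    """Append entry; its MAC covers the previous record's MAC, binding it to
    everything written before it."""
    prev = chain[-1]["mac"] if chain else GENESIS
    mac = hmac.new(key, (prev + _body(entry)).encode(), hashlib.sha256).hexdigest()
    rec = {"seq": len(chain), "prev": prev, "entry": entry, "mac": mac}
    chain.append(rec)
    return rec


def verify(chain: list, key: bytes, expected_len=None):
    """Return (ok, first_bad_seq). An edited, deleted, reordered or inserted record
    breaks the chain at that point. Truncating the tail is only detectable if the
    expected length (or the latest MAC) is anchored somewhere the writer cannot reach."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, i
        mac = hmac.new(key, (prev + _body(rec["entry"])).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, rec["mac"]):
            return False, i
        prev = rec["mac"]
    if expected_len is not None and len(chain) != expected_len:
        return False, len(chain)
    return True, None


# Constructed key and events. In practice the key belongs to the log collector
# or an HSM, not to the host whose actions are being recorded.
KEY = b"demo-only-audit-key"


def build_demo_chain() -> list:
    chain = []
    for e in [
        {"user": "alice", "action": "login", "src": "10.0.0.5"},
        {"user": "alice", "action": "read", "obj": "/finance/q3.xlsx"},
        {"user": "alice", "action": "logout"},
    ]:
        append(chain, e, KEY)
    return chain


def demo_tamper() -> dict:
    """Show which manipulations the chain catches and which need an external anchor."""
    intact = build_demo_chain()
    edited = build_demo_chain()
    edited[1]["entry"]["obj"] = "/public/readme.txt"  # rewrite history
    deleted = build_demo_chain()
    del deleted[1]                                     # drop the incriminating record
    truncated = build_demo_chain()[:2]                 # chop the tail
    return {
        "intact": verify(intact, KEY),
        "edited": verify(edited, KEY),
        "deleted": verify(deleted, KEY),
        "truncated_unanchored": verify(truncated, KEY),
        "truncated_anchored": verify(truncated, KEY, expected_len=3),
    }
```

The chain is tamper-evident, not tamper-proof: anyone holding the key can rebuild it from scratch, which is why the key should live with the collector or SIEM rather than on the host, and why the latest MAC or record count should be periodically written to WORM media or a remote system to catch truncation.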
What is a trigger, in the context of SIEM?
A trigger is an event (or pattern of events) that generates an alert. Triggers are identified by defining rules within the SIEM.
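The collector, correlation and trigger concepts from the preceding answers fit together in a few dozen lines. The following is an added example (not code from the original page): a collector that normalizes constructed syslog-style sshd lines into a common event schema, and a trigger rule that correlates them (a burst of failed logins from one source followed by a success). The log format, host names, addresses and thresholds are assumptions made for illustration.

```python
"""SIEM in miniature: a collector normalizes raw log lines, a trigger rule correlates them."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Collector stage. The raw format is a constructed syslog-style sshd line:
#   <ISO timestamp> <host> sshd[<pid>]: <message>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
OK_RE = re.compile(r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<src>\S+)")


def normalize(line: str):
    """Parse one raw line into the common event schema, or None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    for outcome, rx in (("failure", FAIL_RE), ("success", OK_RE)):
        hit = rx.search(m["msg"])
        if hit:
            return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                    "src": hit["src"], "user": hit["user"], "outcome": outcome}
    return None


def correlate(events, threshold: int = 5, window_s: int = 60) -> list:
    """Trigger rule: at least `threshold` failures from one source inside `window_s`
    seconds, followed by a successful login from that source. A lone burst of
    failures is noise; failures that end in a success are the indicator worth paging on."""
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["src"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()  # slide the window forward
        if ev["outcome"] == "failure":
            q.append(ev["ts"])
        elif len(q) >= threshold:  # success right after a burst of failures
            alerts.append({"rule": "ssh-bruteforce-then-success", "host": ev["host"],
                           "src": ev["src"], "user": ev["user"], "failures": len(q),
                           "ts": ev["ts"].isoformat()})
            q.clear()
    return alerts


# Constructed log lines (hypothetical hosts and addresses).
RAW_LOG = [
    "2024-03-01T10:00:01 web1 sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2",
    "2024-03-01T10:00:03 web1 sshd[1202]: Failed password for root from 198.51.100.23 port 51235 ssh2",
    "2024-03-01T10:00:05 web1 sshd[1203]: Failed password for invalid user test from 198.51.100.23 port 51236 ssh2",
    "2024-03-01T10:00:07 web1 sshd[1204]: Failed password for deploy from 198.51.100.23 port 51237 ssh2",
    "2024-03-01T10:00:09 web1 sshd[1205]: Failed password for deploy from 198.51.100.23 port 51238 ssh2",
    "2024-03-01T10:00:12 web1 sshd[1206]: Accepted password for deploy from 198.51.100.23 port 51239 ssh2",
    "2024-03-01T10:00:20 web1 sshd[1207]: Failed password for bob from 10.0.0.5 port 40001 ssh2",
    "2024-03-01T10:00:25 web1 sshd[1208]: Accepted publickey for bob from 10.0.0.5 port 40002 ssh2",
    "2024-03-01T10:00:30 web1 sshd[1209]: Connection closed by 10.0.0.5 port 40002",
]


def run(raw=RAW_LOG) -> list:
    """Collector followed by trigger: non-auth lines are dropped by normalize()."""
    return correlate(e for e in map(normalize, raw) if e)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The user who mistyped a password once (bob) never reaches the threshold, while the source that failed five times and then got in does; that difference between raw events and a correlated trigger is what keeps the alert volume manageable.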
What difficulty is inherent in monitoring the way users exercise privileges granted to them (to access particular files, for instance)?
This is likely to generate a large amount of raw data (numerous events), which will be difficult to analyze.
Compare and contrast the characteristics of the various types of firewalls and select the correct explanation of a packet filtering firewall.
An Access Control List (ACL) is configured to allow or deny traffic based on packet header fields such as source and destination IP address, protocol type, and port number, without inspecting the payload or tracking connection state.
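Both the packet-filter ACL described here and the implicit-deny default rule from the earlier question ("What is usually the purpose of the default rule on a firewall?") come down to first-match evaluation over header fields. The following is an added example (not code from the original page) that models that evaluation; the ACL, the addresses and the rule fields are constructed for illustration and do not correspond to any particular product's syntax.

```python
"""First-match packet filtering with an implicit-deny default rule."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # any source
    dst: str = "0.0.0.0/0"       # any destination
    proto: str = "any"
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        """Stateless match on header fields only: no payload, no session state."""
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(acl, pkt: Packet, default: str = "deny"):
    """Walk the ACL top to bottom; the first matching rule decides.
    Returns (action, index); index is None when no rule matched and the
    implicit default applied."""
    for i, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, i
    return default, None


# Constructed ACL for the outside interface of a firewall in front of a web
# server at 203.0.113.10 (hypothetical addresses). Order matters: the
# anti-spoofing deny sits above the allows so it is evaluated first.
ACL = [
    Rule("deny", src="10.0.0.0/8"),                                   # private source arriving from outside: spoofed
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dport=80),
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dport=443),
    Rule("allow", src="198.51.100.0/24", dst="203.0.113.10/32", proto="tcp", dport=22),  # admin network only
]

if __name__ == "__main__":
    for pkt in (Packet("192.0.2.5", "203.0.113.10", "tcp", 443),
                Packet("192.0.2.5", "203.0.113.10", "tcp", 22),
                Packet("10.1.2.3", "203.0.113.10", "tcp", 80)):
        print(pkt, "->", evaluate(ACL, pkt))
```

The implicit deny drops silently; most products let you add an explicit final deny-any rule with logging enabled so that rejected traffic shows up in the firewall logs, which is the practical reason many rulebases end with one even though it changes no forwarding decision.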
Analyze the following scenarios and determine which best simulates a content filter in action.
A high school student is using the school library to do research for an assignment and cannot access certain websites due to the subject matter
A system administrator blocks access to social media sites after the CEO complains that work performance has decreased due to excessive social media usage at work
During the planning/scoping phase of the kill chain, an attacker decides that a Distributed Denial of Service (DDoS) attack would be the best way to disrupt the target website while masking the identity of the systems used in the attack. Evaluate the following explanations to determine the chosen attack method.
DDoS attacks utilize botnets.
Select the statements accurately distinguishing between Layer 4 and Layer 7 load balancers.
Layer 4 load balancers base forwarding decisions on IP address and port values, while Layer 7 load balancers base forwarding decisions on application-level data.
Layer 4 load balancers are stateless and cannot retain information about user sessions, while Layer 7 load balancers require more complex logic.
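The scheduling question earlier on this page ("What is meant by scheduling in the context of load balancing?") and the Layer 4 versus Layer 7 distinction here are easiest to see side by side. The following is an added example (not code from the original page): a Layer 4 scheduler offering round-robin, least-connections and source-hash selection from nothing but the client address and port, and a Layer 7 router that parses the HTTP request line and Host header to choose a pool. Node names, routes and the routing table are constructed for illustration.

```python
"""Load-balancer scheduling: Layer 4 decisions from address/port, Layer 7 from HTTP content."""
import hashlib
from itertools import cycle


class L4Scheduler:
    """Picks a back-end node using only transport-layer information."""

    def __init__(self, nodes):
        self.nodes = list(nodes)
        self._rr = cycle(self.nodes)
        self.active = {n: 0 for n in self.nodes}  # open connections per node

    def round_robin(self) -> str:
        return next(self._rr)

    def least_connections(self) -> str:
        # Ties resolve to the earliest-listed node so results are deterministic.
        return min(self.nodes, key=lambda n: (self.active[n], self.nodes.index(n)))

    def source_hash(self, client_ip: str, client_port: int) -> str:
        """The same client tuple maps to the same node while the pool is unchanged:
        the only kind of persistence a Layer 4 balancer can offer, since it never
        sees a cookie or session ID."""
        digest = hashlib.sha256(f"{client_ip}:{client_port}".encode()).digest()
        return self.nodes[int.from_bytes(digest[:4], "big") % len(self.nodes)]

    def connect(self, node: str) -> None:
        self.active[node] += 1

    def disconnect(self, node: str) -> None:
        self.active[node] -= 1


def l7_route(request: bytes, routes):
    """Layer 7: read the request line and Host header, then choose a pool by
    (host, path prefix). routes is a list of (host_or_None, path_prefix, pool);
    the first match wins. Seeing any of this requires terminating TLS on the balancer."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "").split(":")[0].lower()
    for route_host, prefix, pool in routes:
        if (route_host is None or route_host == host) and target.startswith(prefix):
            return pool
    return None


# Constructed routing table (hypothetical hosts and pools); most specific first.
ROUTES = [
    ("shop.example.com", "/api/", "api-pool"),
    ("shop.example.com", "/static/", "cdn-pool"),
    ("shop.example.com", "/", "web-pool"),
    (None, "/", "default-pool"),
]

if __name__ == "__main__":
    s = L4Scheduler(["web1", "web2", "web3"])
    print([s.round_robin() for _ in range(4)])
    print(s.source_hash("192.0.2.10", 51000))
    print(l7_route(b"GET /api/v1/orders HTTP/1.1\r\nHost: shop.example.com\r\n\r\n", ROUTES))
```

Note what each layer cannot do: the Layer 4 scheduler has no idea whether two connections belong to the same logged-in user, and the Layer 7 router has to decrypt HTTPS before it can read a path or a Host header, which is why a Layer 7 balancer is also where TLS termination, WAF inspection and cookie-based persistence usually live.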
Evaluate the functions of a Network-Based Intrusion Detection System (NIDS) and conclude which statements are accurate.
A NIDS will identify and log hosts and applications for the administrator to analyze and take action to remove or block attackers.
Training and tuning are complex, and there is a high chance of false positive and negative rates.
Differentiate between the features of Host-Based Intrusion Detection Systems (HIDS) and Host-Based Intrusion Prevention Systems (HIPS) and compare these systems with other types of detection and prevention systems.
HIDS and HIPS are installed on a single host, where administrators may install and configure an instance on each workstation within a network.
A HIDS's core ability is to capture and analyze log files, while a HIPS preserves the system in its intended state.
A network manager is asked to assist with developing a policy to protect the company from data exfiltration. The employee devises a list of focus points that should be included. Which plans, when consolidated, provide the best protection for the company?
New employees complete initial and refresher trainings on document confidentiality and the use of encryption
Only allow removable media if it is company property, required to perform a task, and has been cleared through the proper channels
Encrypt all sensitive data at rest and disconnect systems that are storing archived data from the network
An employee is working on a project that contains critical data for the company. In order to meet deadlines, the employee decides to email the document containing the data to their personal email to work on at home. Consider the traits of Data Loss Prevention (DLP) and evaluate the scenario to select the DLP remediation that should be utilized.
The user should be blocked from sending the email, but retain access to it. The user is alerted to the policy violation and it is logged as an incident
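The DLP answers on this page (quarantining a document on a policy violation, proxy- or API-based scanning of cloud services, and blocking an outbound email while alerting the user and logging an incident) all rest on the same two steps: classify the content, then map the verdict to a remediation for the channel in use. The following is an added example (not code from the original page or from any DLP product) of that pipeline; the detection patterns, the channel labels and the policy ordering are constructed assumptions.

```python
"""DLP content inspection: classify text, then map the finding to a remediation."""
import re

# Detection patterns (assumed). Card numbers are validated with Luhn so order or
# invoice numbers that merely look like card numbers are not blocked.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> dict:
    """Count regulated identifiers and classification markers in the content."""
    cards = [m.group() for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"\D", "", m.group()))]
    ssns = SSN_RE.findall(text)
    markers = [mk for mk in MARKERS if mk in text.upper()]
    return {"cards": len(cards), "ssns": len(ssns), "markers": markers}


# Constructed policy: first matching condition wins, strictest first.
POLICY = [
    (lambda f: f["cards"] > 0 or f["ssns"] > 0, "block"),  # regulated data: stop the transfer
    (lambda f: bool(f["markers"]), "quarantine"),          # marked document: hold for review
    (lambda f: True, "allow"),
]


def decide(text: str, channel: str) -> dict:
    """channel names the egress path being inspected, e.g. 'email-external',
    'email-internal', 'usb' or 'cloud-upload' (constructed labels). A marked document
    moving inside the company is alerted on and logged rather than held; the user keeps
    access to the content in every case, only the transfer is affected."""
    findings = classify(text)
    action = next(a for cond, a in POLICY if cond(findings))
    if action == "quarantine" and channel == "email-internal":
        action = "alert"
    incident = (f"dlp channel={channel} action={action} cards={findings['cards']} "
                f"ssns={findings['ssns']} markers={','.join(findings['markers']) or '-'}")
    return {"action": action, "findings": findings, "incident": incident}


if __name__ == "__main__":
    print(decide("Card 4111-1111-1111-1111 exp 12/27", "email-external")["incident"])
```

The `incident` string is what the earlier scenario's help-desk technician would look for in the DLP logs before assuming the user who reported a "vanished" draft did anything wrong: the record says which channel, which rule and which action, not who intended what.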
A user calls the help desk to report that Microsoft Excel continues to crash when used. The technician would like to review the logs in an attempt to determine the cause. Analyze the types of logs to determine which would contain the information the technician needs.
Event log (on Windows, the Application log viewed through Event Viewer, which records application errors and crashes).
A system administrator suspects a memory leak is occurring on a client. Determine which scenario would justify this finding.
Decreasing available bytes and increasing committed bytes have been logged.