on-path attack
occurs when a threat actor positions themselves in the middle between two communicating users or devices
man-in-the-middle (MITM)
a threat actor is positioned into a communication between two parties
Session replay
An attack that involves intercepting and then using a session ID to impersonate a user
Replay attack
makes a copy of a legitimate transmission before sending it to the recipient
man-in-browser (MITB)
an attack that intercepts communication between parties to steal or manipulate the data; it usually begins with a Trojan infecting the computer and installing an extension into the browser configuration
DNS-based attack
substitutes a DNS address so that the computer is silently redirected to a different device (DNS poisoning and hijacking)
DNS poisoning
modifies a local hosts file on a device to point to a different domain
DNS hijacking
intended to infect an external DNS server with IP addresses that point to malicious sites
DDoS (distributed denial of service)
uses hundreds or thousands of devices flooding the server with requests
amplified attacks (reflection attacks)
threat actors attack a misconfigured Internet device or service in such a way that the device or service reflects and generates an even larger payload at the ultimate target
PowerShell
a task automation and configuration management framework from Microsoft
VBA (visual basic for applications)
An event-driven Microsoft programming language
Macros
are used to automate a complex task or a repeated series of tasks; they date back to the late 1990s but continue to be a key attack vector
ARP poisoning
relies on MAC spoofing, or imitating another computer by changing the MAC address
MAC cloning
threat actors discover a valid MAC address of a device connected to a switch and spoof that MAC address on their own device; the switch then updates its MAC address table to associate the MAC address with the port to which the attacker's device is connected
MAC flooding attack
a threat actor overflows the switch with Ethernet packets that have been spoofed so that every packet contains a different source MAC address
Yua has discovered that the network switch is broadcasting all packets to all devices. She suspects it is the result of an attack that has overflowed the switch MAC address table. Which type of attack would she report?
A. MAC spoofing attack
B. MAC cloning attack
C. MAC flooding attack
D. MAC overflow attack
C. MAC flooding attack
Anomaly monitoring
designed for detecting statistical anomalies; a secure baseline of normal activities is compiled so that if there is a deviation from the baseline, an alarm is raised
Signature-based monitoring
examines network traffic, activity, transactions, or behavior to look for well-known patterns to compare these activities against a predefined signature
Behavior-based monitoring
uses the normal processes and actions as the standard, continuously analyzes the behavior of processes and programs on a system and alerts the user if it detects any abnormal actions
Heuristic monitoring
is founded on experience-based techniques and attempts to answer the question, "Will this do something harmful if it is allowed to execute?"
Wireshark
a popular GUI packet capture and analysis tool
Tcpdump
a command-line packet analyzer
Tcpreplay
a tool for editing packets and then replaying the packets back onto the network to observe their behavior
Flow analysis
the process of monitoring the network's devices and sounding an alert if traffic exceeds a baseline
NetFlow
a session sampling protocol that collects IP network traffic
DLP (data loss prevention)
A system of security tools used to recognize and identify data that is critical to the organization and ensure it is protected. Designed to detect and prevent unauthorized data from leaving the organization or being misused internally, e.g. copying data to a USB drive.
SNMP (simple network management protocol)
is used to remotely monitor, manage, and configure devices on the network
Log aggregation
enables security personnel to gather events from disparate sources into a single entity so that it can be searched and analyzed
SCAP (security content automation protocol)
can help automate vulnerability management and determine whether the enterprise is compliant with required policies
SIEM (security information and event management)
consolidates real-time security monitoring and management of security information with analysis and reporting of security events
SOAR (security orchestration, automation, and response)
is similar to a SIEM in that it is designed to help security teams manage and respond to a high number of security warnings and alarms, but it takes this a step further by combining more comprehensive data gathering and analytics in order to automate incident response
Which type of monitoring methodology looks for statistical deviations from a baseline?
A. Behavioral monitoring
B. Signature-based monitoring
C. Anomaly monitoring
D. Heuristic monitoring
C. Anomaly monitoring
MUA (mail user agent)
is what is used to read and send emails from an endpoint
MTA (mail transfer agent)
programs that accept email messages from senders and route them toward their recipients
SPF (sender policy framework)
An email authentication method that identifies the MTA email servers that have been authorized to send email for a domain
DKIM (domain keys identified mail)
An authentication technique that validates the content of the email message
DMARC (domain-based message authentication, reporting, and conformance)
allows the administrative owner of a domain to publish a policy in their DNS records to specify which mechanism (DKIM, SPF, or both) is used when sending email from that domain
SEG (secure email gateway)
acts as a "proxy" for the organization's email server
Which of the following email defenses uses a digital signature?
A. SPC
B. DKIM
C. DMARC
D. It depends on whether or not the email payload has been encrypted.
B. DKIM
antispoofing
a defense on routers that protects against devices that imitate another computer's IP address
firewall
uses bidirectional inspection to examine outgoing and incoming packets; a rule-based firewall is specific, while a policy-based firewall is more generic
forward proxy
a computer or an application that intercepts user requests from the internal secure network and processes the requests on behalf of the user
reverse proxy
routes requests coming from an external network to the correct internal server
honeypot
a computer located in an area with limited security that serves as bait to threat actors; it can be either low-interaction or high-interaction
honeynet
a network of honeypots set up with intentional vulnerabilities
sinkhole
a bottomless pit designed to steer unwanted traffic away from its intended destination to another device
passive system
is connected to a port on a switch, which receives a copy of network traffic
port mirroring (SPAN)
mirrors traffic to a designated port (monitors)
Network TAP
provides a full, unaltered copy of network traffic (placed in-line)
Maya is researching information on firewalls. She needs a firewall that allows for more generic statements instead of creating specific rules. What type of firewall should Maya consider purchasing that supports her need?
A. Content/URL filtering firewall
B. Policy-based firewall
C. Hardware firewall
D. Proprietary firewall
B. Policy-based firewall
Web filtering
monitors the websites users are browsing so that the organization can either allow or block web traffic to protect against potential threats and enforce corporate policies
DNS filtering
blocks harmful or inappropriate content by blocking entire domains
Which of the following is NOT a common network device that can be configured to provide a degree of security protection?
A. Router
B. Switch
C. Endpoint
D. Server
C. Endpoint
air-gapped network
the most restricted level of all; a network that has physical isolation from all other networks and the Internet
Logical segmentation
creates subnets via virtual networks or through network addressing schemes
DMZ
functions as a separate network that rests outside the secure network perimeter
jump server
a minimally configured server within the DMZ that runs only essential protocols and ports
Remote access VPN
allows users to connect to the network from anywhere
Site-to-site VPN
connects networks together over the public internet
NAC (Network access control)
examines the current state of an endpoint before it can connect to a network
Bluetooth
a wireless technology that uses short-range radio frequency (RF) transmissions for communications over short distances; its primary topology is the piconet
Bluejacking
an attack that sends unsolicited messages to Bluetooth-enabled devices
Bluesnarfing
an attack that accesses unauthorized information from a wireless device through a Bluetooth connection
NFC (Near field communication)
A set of standards used to establish communication between devices in close proximity; a passive NFC device only contains information, while an active device can read and transmit data
RFID (Radio frequency identification)
is commonly used to transmit information between employee identification badges, inventory tags, book labels, and other paper-based tags that can be detected by a proximity reader
AP (access point)
a centrally located WLAN connection device that can send and receive wireless signals
Controller APs
can be managed through a dedicated wireless LAN controller (WLC)
captive portal AP
uses a standard web browser to provide information and allows the user to agree to a policy or present valid login credentials
hard edge
a well-defined boundary protects data and resources
blurred edge
caused by the introduction of WLANs, multiple entry points
rogue AP
an unauthorized AP that allows an attacker to bypass many of the network security configurations, usually set up by an insider
evil twin
an AP set up by an attacker, attempts to mimic an authorized AP
RF jamming
occurs when attackers use intentional RF interference to flood the RF spectrum with enough interference to prevent a device from communicating with the AP
disassociation attack
An attacker can create false deauthentication or disassociation management frames that appear to come from another device, causing the client to disconnect from the AP
Muchaneta is investigating a security incident in which the smartphone of the CEO was compromised and confidential data was stolen. She suspects that it was an attack that used Bluetooth. Which attack would this be?
A. Blueswiping
B. Bluehiking
C. Bluejacking
D. Bluesnarfing
D. Bluesnarfing
WEP (Wired Equivalent Privacy)
An IEEE 802.11 security protocol designed to ensure only authorized parties can view transmissions by encrypting them with a shared secret key between the wireless client device and the AP
WPS (Wi-Fi protected setup)
protected setup through pin or push-button method
WPA (Wi-Fi protected access)
was introduced by the Wi-Fi Alliance to fit into the existing WEP engine without requiring extensive hardware upgrades or replacements; WPA uses TKIP and WPA2 uses AES, which is more secure
SAE (simultaneous authentication of equals)
included in WPA3; it is designed to increase security at the time of the handshake when keys are being exchanged
site survey
an in-depth examination and analysis of a wireless LAN site
public cloud
a cloud where the services and infrastructure are offered to all users with access provided remotely through the Internet
community cloud
a cloud that is open only to specific organizations that have common concerns
private cloud
a cloud that is created and maintained on a private network
hybrid cloud
a combination of public and private clouds
SaaS
the vendor provides access to the vendor's software applications running on a cloud infrastructure
PaaS
consumers install and run their own specialized applications on the cloud computing network
IaaS
the vendor allows customers to deploy and run their own software, including OSs and applications
XaaS
a broad category of subscription services related to cloud computing
Arsene has been given a project to manage the development of a new company app. He wants to use a cloud model to facilitate the development and deployment. Which cloud model should he likely choose?
A. SaaS
B. XaaS
C. IaaS
D. PaaS
D. PaaS
vulnerability scan
an ongoing automated process used to identify weaknesses and monitor information security progress
Threat intelligence
data that is collected, processed, and analyzed to understand a threat actor's motives, targets, and attack behaviors
3 web levels
clear web, deep web, dark web
Active scanning
sends test traffic transmissions into the network and monitors the responses of the endpoints
Passive scanning
does not send any transmissions but instead only listens for normal traffic to learn the needed information
internal vulnerability scan
is performed from a vantage point inside the internal network, with the benefit of identifying at-risk systems
external vulnerability scan
is performed from a vantage point outside the network
risk appetite
the organization's tolerance for exposure to a vulnerability
scope of a vulnerability scan
the target devices to be scanned
sensitivity level
the depth of a scan