IT Security Attacks and Countermeasures

Questions and Answers

An organization is developing a new web application that will handle sensitive customer data. Which security measure would be MOST important to integrate during the development process?

  • Establishing security governance policies for the entire organization.
  • Ensuring all custom application code is correct and incorporates security measures. (correct)
  • Regularly testing the incident response plan.
  • Implementing physical security measures for the server room.

A company experiences a data breach. Analysis reveals that several employees used weak, easily guessable passwords. Besides password complexity policies, what is another PRIMARY countermeasure to prevent similar incidents in the future?

  • Implementing network monitoring and analytics management tools.
  • Conducting regular security awareness training for all employees. (correct)
  • Enhancing physical security measures around data centers.
  • Encrypting all data at rest and in transit.

Which of these options is the BEST example of a technological control that directly supports the security best practice of 'Employing access control'?

  • Developing a detailed incident response plan.
  • Implementing multi-factor authentication for critical systems. (correct)
  • Conducting regular risk assessments to identify vulnerabilities.
  • Ensuring all employees receive annual security awareness training.

After a security incident, it's discovered that the intrusion occurred due to an unpatched vulnerability in a widely used software application. What preventative measure would have been MOST effective in mitigating this risk?

  • Maintaining security patches and updates promptly. (correct)

A company wants to improve its network security posture by implementing devices that filter network traffic. Which device would be MOST suitable for interconnecting different network segments while providing basic network filtering?

  • A router (correct)

A network administrator performs a port scan and receives an 'open' state response. What does this indicate about the service running on that port?

  • The service is actively listening for and accepting connections. (correct)

Which of the following authentication factors provides the STRONGEST level of security when used in a multi-factor authentication (MFA) system?

  • A one-time password sent to a mobile phone. (correct as keyed; note that NIST SP 800-63B treats SMS-delivered OTPs as a restricted authenticator, weaker than an authenticator app, a hardware token or a phishing-resistant FIDO credential)

In the context of access control, what is the PRIMARY function of 'authorization'?

  • Granting specific permissions and access levels to a user after successful authentication. (correct)

A company implements an access control system that requires employees to use both a password and a fingerprint scan to access sensitive data. Which security principles does this system employ?

  • Identification and Authentication (correct)

An organization wants to ensure that all actions performed on its systems can be traced back to a specific user. Which access control element is MOST directly related to achieving this goal?

  • Accountability (correct)

Which of the following scenarios best illustrates the use of a symmetric key cipher?

  • A website uses HTTPS, where the server and client negotiate a shared secret key to encrypt all communications after the initial handshake. (correct)

In a system employing asymmetric key encryption, what is the primary difference between the public key and the private key?

  • The public key is widely distributed and used for encryption, while the private key is kept secret and used for decryption. (correct)

A user encrypts a file using a symmetric key cipher with a strong key. What is the most significant risk to the confidentiality of the file?

  • A brute-force attack successfully guesses the encryption key. (correct)

Which of the following is a crucial consideration when choosing an encryption method for data at rest, such as files stored on a hard drive?

  • All of the above. (correct)

A company wants to ensure secure communication between its web server and clients. Which approach is most suitable for establishing a secure channel?

  • Implementing HTTPS using TLS/SSL, which involves both symmetric and asymmetric encryption. (correct)

Which security function primarily focuses on limiting unauthorized data access and disclosure?

  • Data Security (PR.DS) (correct)

An organization aims to enhance its security infrastructure by implementing tools that actively prevent security breaches. Which security function aligns best with this objective?

  • Protective Technology (PR.PT) (correct)

A security team notices a series of unusual login attempts from various geographical locations within a short period. Which security function would be MOST helpful in identifying and addressing this issue?

  • Anomalies and Events (DE.AE) (correct)

Which of the following scenarios best describes the application of 'Data Security (PR.DS)'?

  • Encrypting sensitive customer data stored in a database. (correct)

A company wants to proactively defend against malware infections. Which action exemplifies the application of 'Protective Technology (PR.PT)'?

  • Deploying endpoint detection and response (EDR) software on all workstations. (correct)

Which scenario is MOST suitable for utilizing asymmetric encryption?

  • Exchanging encryption keys between two parties who have never met before. (correct)

What is the primary security advantage of asymmetric encryption compared to symmetric encryption?

  • It uses two separate keys, making it harder to compromise. (correct as keyed; the practical advantage is that the private key is never shared, which is what makes key distribution and digital signatures possible, not intrinsically stronger encryption at matched key sizes)

Which of the following reflects a key difference in the application of symmetric versus asymmetric encryption?

  • Symmetric encryption is ideal for encrypting large datasets, while asymmetric encryption is better for authentication and digital signatures. (correct)

Which of the following is NOT a best practice for information security?

  • Using only open-source software to avoid hidden vulnerabilities. (correct)

What is the purpose of implementing network monitoring and analytics management tools as a security best practice?

  • To detect and respond to security incidents effectively. (correct)

If a company wants to ensure only authorized personnel can access sensitive financial data, which NIST CSF Protect/Detect function should they implement?

  • PR.AC (Access Control) (correct)

An organization decides to strengthen its data protection strategy. Which action would MOST directly support this goal?

  • Encrypting sensitive data both in transit and at rest. (correct)

A software development team is creating a new web application that will handle sensitive user data. Besides functional testing, what specific security measure should they prioritize to ensure the application's integrity?

  • Ensuring that all custom application code is correct and has security measures in place. (correct)

Which security measure provides network access to remote workers while ensuring data encryption?

  • VPN (correct)

A network administrator notices suspicious traffic attempting to exploit a known vulnerability. Which security system is best suited to automatically block this traffic in real-time?

  • Intrusion Prevention System (IPS) (correct)

An organization wants to implement a security solution that uses machine learning to identify deviations from normal network behavior. Which type of detection method should they employ?

  • Anomaly-based detection (correct)

A security analyst is investigating a potential malware outbreak on company laptops. Which endpoint security solution would be most effective in preventing file-based malware attacks and providing investigation capabilities?

  • Endpoint Protection Platform (EPP) (correct)

A network technician is tasked with identifying which services are running on a server. What process should the technician use to gather this information?

  • Port Scanning (correct)

What is the primary function of a port number in network communication?

  • To identify the specific application or service on a device (correct)

An organization wants to implement a security measure that identifies potential threats based on the historical trustworthiness of IP addresses. Which type of system is most suitable?

  • Reputation-based IDS (correct)

Which of the following actions is an IPS most likely to perform upon detecting a malicious network activity?

  • Terminating the session that has been exploited (correct)

What is a key difference between an IDS and an IPS?

  • An IDS detects malicious activity, while an IPS actively prevents it. (correct)

A company wishes to ensure that sensitive data transmitted between its headquarters and a remote office remains confidential. Besides encryption, which device can provide routing and filtering?

  • Router (correct)

Flashcards

Risk Assessment

Identifying potential dangers to information assets.

Security Governance

Framework of rules ensuring security objectives are met.

Physical Security Measures

Measures like locks, guards, and surveillance to prevent unauthorized access.

Perform and Test Backups

Process of copying data for restoration in case of data loss or disaster.

Routers

Connects networks, filters traffic, and directs data.

Port Scan

A process of probing a server or host to identify open ports.

Access Control

The selective way a system determines who can use a resource and how.

Authentication

Verifying a user's identity.

Authorization

Granting specific permissions or access levels to a user.

Accountability (Auditability)

Tracking and monitoring user actions on a system.

Data Security (PR.DS)

Protecting data from unauthorized access.

Protective Technology (PR.PT)

Ensuring that technical security solutions are managed so that systems and assets remain secure and resilient (NIST CSF 1.1 category).

Anomalies and Events (DE.AE)

Finding unusual or unexpected activities.

What is EPP?

Stands for Endpoint Protection Platform: prevents file-based malware attacks, detects malicious activity and supports investigation and remediation on endpoints.

What is IDS?

Stands for Intrusion Detection System. It monitors a network for suspicious activity.

Event Logs

Digital records of application, security, or system events; used for auditing and diagnostics.

Transaction Logs

Records all activities that occur in a database. Essential for maintaining database integrity and enabling recovery from failures.

Encryption

Process of converting readable data into an unreadable format to protect its confidentiality. Achieved through cryptography using algorithms and keys.

Cipher

An algorithm used to encrypt and decrypt data, transforming plaintext into ciphertext and vice versa.

Symmetric Key Cipher

Encryption method using a single key for both encryption and decryption. Faster but requires secure key exchange.

Asymmetric Encryption

Encryption using separate keys for encryption and decryption: a public key for encrypting data and a private key for decrypting it.

Symmetric Encryption

Faster encryption method ideal for bulk data encryption and secure communication within closed systems.

Maintain Security Patches and Updates

A best practice to reduce vulnerabilities.

Encrypt Data

A way to protect data at rest and in transit.

Perform Risk Assessment

Analyzing risks to assets to understand potential vulnerabilities.

Establish Security Governance

Policies that govern data protection and privacy.

Employ Access Control

Controlling who has access to systems and data.

Access Control (PR.AC)

Ensuring that only authorized users can access systems.

Firewall

A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.

VPN

A technology that creates a secure, encrypted connection over a less secure network, allowing remote workers secure access to a company network.

Intrusion Detection System (IDS)

A security system that monitors a network for malicious activity and policy violations.

Intrusion Prevention System (IPS)

A security system that both detects and prevents malicious network activity or policy violations.

Signature-based Detection

Detects attacks by looking for specific patterns or signatures used by malware.

Anomaly-based Detection

Monitors system activity and classifies it as normal or anomalous using machine learning.

Reputation-based Detection

Recognizes potential threats based on reputation scores.

Antimalware/Antivirus

Systems that use signatures and behavioral analysis to identify and block malicious code from being executed.

Port Number

An identifier for each application running on a device, used to ensure data is passed to the correct application.

Study Notes

  • The notes discuss IT security attacks and countermeasures.

Information Security Best Practices

  • Perform risk assessments.
  • Establish security governance.
  • Implement physical and human-resources security measures.
  • Perform and test backups regularly.
  • Maintain security patches and updates promptly.
  • Ensure custom application code is correct and has security measures built in.
  • Employ access control.
  • Test the incident response plan regularly.
  • Implement network monitoring and analytics management tools.
  • Implement and maintain network security devices.
  • Deploy comprehensive endpoint security solutions.
  • Educate users and keep them up to date on security issues.
  • Encrypt data, both at rest and in transit.

Network Security Devices and Systems

  • Routers interconnect different network segments.
  • Routers provide basic network filtering (access control lists on addresses, protocols and ports).
  • Firewalls prevent specific types of information from moving between network zones of different trust levels.
  • Firewalls filter which communications are allowed into and out of a device or network.
  • Intrusion Detection and Prevention Systems (IDPS) detect intrusions and, in prevention mode, block traffic or change configurations to stop them.
  • An intrusion is an adverse event in which an attacker attempts to enter or disrupt a system's normal operation.
  • Virtual Private Networks (VPNs) build private networks over the public internet, using tunnelling protocols and security procedures to keep the traffic confidential.
  • Firewall logs show what is happening at the network boundary, enabling a faster response to attacks.
  • VPNs give remote workers secure access to the company network from any device, at any time, in any location; because the VPN gateway is itself an exposed service, it needs strong authentication (ideally MFA) and prompt patching.
  • VPN-capable routers combine routing, filtering and encryption in a single platform.

Intrusion Detection and Prevention System (IDPS)

  • Signature-based detection looks for specific patterns (byte sequences, strings, protocol fields) known to be used by particular malware or exploits; it is precise but blind to attacks for which no signature exists yet.
  • Anomaly-based detection builds a model of normal system or network activity (statistically or with machine learning) and classifies deviations from it as anomalous; it can catch novel attacks but needs tuning to keep false positives down.
  • Reputation-based detection scores traffic by the known history of its source (IP address, domain, file hash) and flags sources with a bad reputation.
  • Prevention performs real-time packet inspection across the network and, when traffic is judged malicious, terminates the session or blocks the offending IP address or user account.
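The three detection methods above and the prevention step that follows them, as an added Python example (not code from the page or from any IDPS product). The log lines, the bad-IP list and the baseline counts are constructed for the example, and the anomaly model is a plain z-score threshold rather than the machine-learning model a commercial product would train:

```python
import re
import statistics
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple
from urllib.parse import unquote


@dataclass(frozen=True)
class Alert:
    ip: str
    method: str   # "signature", "reputation" or "anomaly"
    detail: str


# Constructed sample access log, one request per line: "client_ip method path status".
# Addresses come from the documentation ranges; nothing here is from a real system.
LOG_LINES: List[str] = [
    "10.0.0.5 GET /index.html 200",
    "10.0.0.7 GET /login 200",
    "203.0.113.9 GET /index.html 200",
    "10.0.0.5 GET /products?id=1 200",
    "198.51.100.23 GET /products?id=1%20UNION%20SELECT%20password%20FROM%20users 500",
    "10.0.0.7 POST /login 302",
    "203.0.113.9 GET /../../etc/passwd 404",
    "10.0.0.8 GET /about 200",
] + [f"192.0.2.77 GET /page{i} 404" for i in range(12)]   # one client hammering the server

# Constructed threat-intelligence feed: sources already known to be hostile.
BAD_IPS: Set[str] = {"203.0.113.9"}

# Constructed baseline: requests per client per window seen during normal operation.
BASELINE_REQUESTS_PER_WINDOW: List[int] = [1, 2, 1, 3, 2, 2, 1, 4, 2, 3]

# Signature rules, applied to the URL-decoded path.
SIGNATURES: Dict[str, re.Pattern] = {
    "path traversal": re.compile(r"\.\./"),
    "sql injection": re.compile(r"\bunion\b.+\bselect\b", re.IGNORECASE),
    "sensitive file": re.compile(r"/etc/(passwd|shadow)\b"),
}


def parse(line: str) -> Tuple[str, str, str, int]:
    ip, method, path, status = line.split()
    return ip, method, unquote(path), int(status)   # decode %20 etc. before matching


def signature_detect(lines: Iterable[str]) -> List[Alert]:
    """Known-bad patterns: precise, but cannot see anything without a rule."""
    alerts = []
    for ip, _, path, _ in map(parse, lines):
        for name, rx in SIGNATURES.items():
            if rx.search(path):
                alerts.append(Alert(ip, "signature", name))
    return alerts


def reputation_detect(lines: Iterable[str], bad_ips: Set[str]) -> List[Alert]:
    """Flag any request from a listed source, once per source."""
    seen: Set[str] = set()
    alerts = []
    for ip, *_ in map(parse, lines):
        if ip in bad_ips and ip not in seen:
            seen.add(ip)
            alerts.append(Alert(ip, "reputation", "source on threat-intel list"))
    return alerts


def anomaly_detect(lines: Iterable[str], baseline: List[int], sigmas: float = 3.0) -> List[Alert]:
    """Learn what 'normal' per-client volume looks like from the baseline, then flag
    clients more than `sigmas` standard deviations above it."""
    threshold = statistics.mean(baseline) + sigmas * statistics.stdev(baseline)
    counts = Counter(parse(line)[0] for line in lines)
    return [Alert(ip, "anomaly", f"{n} requests in window, threshold {threshold:.1f}")
            for ip, n in counts.items() if n > threshold]


def detect(lines: List[str], bad_ips: Set[str], baseline: List[int]) -> List[Alert]:
    return (signature_detect(lines) + reputation_detect(lines, bad_ips)
            + anomaly_detect(lines, baseline))


def prevent(lines: List[str], alerts: List[Alert]) -> Tuple[Set[str], List[str]]:
    """The IPS step: every alerting source is blocked and its requests are dropped."""
    blocked = {a.ip for a in alerts}
    return blocked, [line for line in lines if parse(line)[0] not in blocked]


if __name__ == "__main__":
    found = detect(LOG_LINES, BAD_IPS, BASELINE_REQUESTS_PER_WINDOW)
    for a in found:
        print(f"[{a.method:10}] {a.ip:15} {a.detail}")
    blocked, allowed = prevent(LOG_LINES, found)
    print("blocked:", sorted(blocked), "| passed:", len(allowed), "of", len(LOG_LINES))
```

The three detectors fail in different ways, which is why products run all of them: the traversal request is caught by signature and reputation, the SQL injection attempt only by its signature (the source has no history), and the flood only by the anomaly model (each individual request looks harmless). The prevention step blocks by source, so a shared proxy address on the alert list would cut off innocent users behind it; real IPS deployments tune for exactly that trade-off.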

Endpoint Security

  • Antimalware/antivirus systems identify malicious code by signatures and behavioural analysis and block it from executing.
  • Endpoint Protection Platforms (EPP) prevent file-based malware attacks, detect malicious activity and provide the investigation and remediation capabilities needed to handle security incidents and alerts.

Port Scanning

  • A port number identifies a particular application or service on a device.
  • Ports are used at both ends of a transmission so that data reaches the correct application.
  • Port scanning probes a computer, server or other network host to find which ports are open.
  • Port scanning can also identify the host's operating system and the services it runs, for example from the banner a service sends after a connection is made.
  • A port reported as "open" means a service accepted the connection, so it can be reached by other network devices; "closed" means the host answered but nothing is listening; "filtered" means no answer came back, usually because a firewall dropped the probe.
  • If a reachable service contains a vulnerability, an attacker can exploit it; scanning your own hosts shows what is exposed before an attacker finds it.
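The scan states above in working form, as an added example that is not from the page: a TCP connect() scanner in Python that classifies ports as open, closed or filtered and reads the service banner. To run offline it starts its own listener on 127.0.0.1 that answers with a made-up SSH banner; that listener, the banner text and the function names are assumptions of the example, not part of any real scanner:

```python
import socket
import threading
from typing import Dict, Iterable, Optional

# Constructed banner for the throwaway listener below; a real scan sees whatever
# the listening service actually sends.
FAKE_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"


def classify_port(host: str, port: int, timeout: float = 1.0) -> str:
    """TCP connect() scan of one port.

    'open'     -> the three-way handshake completed, so a service accepted it
    'closed'   -> the host answered with RST: reachable, but nothing listening
    'filtered' -> no answer before the timeout: a firewall is probably dropping
                  the SYN (this method cannot tell 'filtered' from 'host down')
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, OSError):
            return "filtered"


def grab_banner(host: str, port: int, timeout: float = 1.0) -> Optional[str]:
    """Read the first line a service volunteers after connect; SSH, SMTP and FTP
    all announce their software and version this way."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            data = s.recv(256)
        except OSError:
            return None
    return data.decode("ascii", "replace").strip() or None


def scan_ports(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    """Scan each port in turn and return {port: state}."""
    return {p: classify_port(host, p, timeout) for p in ports}


def _serve_banner(listener: socket.socket, stop: threading.Event) -> None:
    # Accept connections until told to stop; send the banner and hang up.
    listener.settimeout(0.2)
    while not stop.is_set():
        try:
            conn, _ = listener.accept()
        except socket.timeout:
            continue
        with conn:
            try:
                conn.sendall(FAKE_BANNER)
            except OSError:
                pass   # the scanner may already have closed its side


def demo() -> dict:
    """Scan loopback against one listening port and one port with nothing behind it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: let the OS choose a free port
    listener.listen(5)
    open_port = listener.getsockname()[1]

    # Find a free port by binding, noting the number and releasing it again.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()

    stop = threading.Event()
    worker = threading.Thread(target=_serve_banner, args=(listener, stop), daemon=True)
    worker.start()
    try:
        states = scan_ports("127.0.0.1", [open_port, closed_port])
        banner = grab_banner("127.0.0.1", open_port)
    finally:
        stop.set()
        worker.join()
        listener.close()
    return {"open_port": states[open_port], "closed_port": states[closed_port], "banner": banner}


if __name__ == "__main__":
    print(demo())
```

Against a real target you would call scan_ports with its address and a port list instead of the loopback listener. Two things to keep in mind: a connect() scan completes the handshake, so it appears in the target's service logs, and on loopback you will never see "filtered" because there is no firewall between you and the port. Scan only hosts you are authorised to test.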

Access Control

  • Access control is the mechanism by which a system decides who may use which resources, and how.
  • Fundamental functions of an access control system:
    • Identification: the claimed identity, e.g. a user ID or email address.
    • Authentication: proving that you are that user.
    • Authentication factors: something you know (password), something you have (token, phone), something you are (biometric); combining two different factors is multi-factor authentication.
    • Authorization: specifying which actions an authenticated identity may perform on which resources, typically by matching the user's groups against an access control list (ACL).
    • Accountability (also called auditability): tracking and monitoring system usage so that actions, logs and transactions can be attributed to an authenticated identity.
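The four functions listed above, as an added Python example (not code from the page): identification by username, authentication with two factors (a salted PBKDF2 password hash and an RFC 6238 TOTP code), authorization by matching the user's groups against an ACL, and accountability through an audit log that records every decision against the authenticated identity. The ACL contents, usernames and resource names are constructed for the example:

```python
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

PBKDF2_ROUNDS = 100_000   # deliberately slow: raises the cost of offline guessing


@dataclass
class User:
    username: str         # identification: the identity the user claims
    salt: bytes
    pw_hash: bytes        # something known, stored only as a salted PBKDF2 hash
    totp_secret: bytes    # something held, shared with the user's authenticator app
    groups: Set[str]


# Authorization data (constructed): resource -> group -> permitted actions, i.e. the ACL.
ACL: Dict[str, Dict[str, Set[str]]] = {
    "finance/ledger.db": {"finance": {"read", "write"}, "audit": {"read"}},
    "hr/payroll.csv": {"hr": {"read", "write"}},
}

# Accountability: every decision is recorded against the identity it concerns.
AUDIT_LOG: List[dict] = []


def _audit(event: str, username: str, **fields) -> None:
    AUDIT_LOG.append({"ts": time.time(), "event": event, "user": username, **fields})


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register(username: str, password: str, groups: List[str]) -> User:
    salt = os.urandom(16)
    return User(username, salt, hash_password(password, salt), os.urandom(20), set(groups))


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password over HMAC-SHA1 (RFC 4226 truncation)."""
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


# Placeholder record used when the username is unknown, so the failure path costs the
# same as a real check and does not reveal which usernames exist.
_DUMMY = User("", bytes(16), bytes(32), bytes(20), set())


def authenticate(users: Dict[str, User], username: str, password: str, code: str,
                 at: Optional[float] = None) -> Optional[User]:
    """Two factors: password (known) and TOTP code (held). Returns the User or None."""
    user = users.get(username)
    probe = user or _DUMMY
    pw_ok = hmac.compare_digest(hash_password(password, probe.salt), probe.pw_hash)
    otp_ok = hmac.compare_digest(totp(probe.totp_secret, at).encode(), code.encode())
    if user is None or not (pw_ok and otp_ok):
        _audit("auth_failure", username)
        return None
    _audit("auth_success", username)
    return user


def authorize(user: User, resource: str, action: str) -> bool:
    """Match the authenticated identity's groups against the ACL for the resource."""
    allowed = any(action in ACL.get(resource, {}).get(group, set()) for group in user.groups)
    _audit("access_granted" if allowed else "access_denied", user.username,
           resource=resource, action=action)
    return allowed


if __name__ == "__main__":
    users = {"alice": register("alice", "correct horse battery staple", ["finance"])}
    now = time.time()
    alice = authenticate(users, "alice", "correct horse battery staple",
                         totp(users["alice"].totp_secret, now), now)
    print("authenticated:", alice is not None)
    print("read ledger:", authorize(alice, "finance/ledger.db", "read"))
    print("write payroll:", authorize(alice, "hr/payroll.csv", "write"))
    for entry in AUDIT_LOG:
        print(entry)
```

Two details a practitioner would look for: the comparisons use hmac.compare_digest so they take the same time whether or not the secret matches, and an unknown username still goes through the full password hash so the failure path does not reveal which accounts exist. PBKDF2 is used because it is in the standard library; a production system would prefer Argon2id or scrypt, and would also accept the TOTP codes from the adjacent time steps to tolerate clock skew.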

Encryption

  • Encryption scrambles data so that it is unreadable to anyone without the key.
  • Cryptography is the science of encryption and decryption.
  • Encryption applies mathematical operations controlled by keys.
  • A cipher is an algorithm that encrypts or decrypts.
  • Plaintext is the original, unencrypted message.
  • A key is a secret value (in practice a large number or byte string) that controls encryption and decryption.
  • Ciphertext is the encrypted message.
  • Symmetric key ciphers use the same key to encrypt and decrypt.
  • Asymmetric key ciphers use one key to encrypt and a different, mathematically related key to decrypt.
  • A passphrase is used to unlock (decrypt) a stored key; the key is then only as safe as the passphrase.

Encryption Method

  • Symmetric encryption uses one key and includes algorithms called symmetric key ciphers.
  • Asymmetric encryption uses two keys, the algorithms are called asymmetric key ciphers.

Symmetric vs. Asymmetric Encryption

  • Symmetric encryption is much faster than asymmetric encryption.
  • Asymmetric encryption simplifies key distribution (only the public key is shared), whereas symmetric encryption needs a secure channel to distribute the shared key.
  • Symmetric encryption is ideal for bulk data encryption and for secure communication within closed systems.
  • Asymmetric encryption is used for secure key exchange, digital signatures and authentication in open systems.
  • Symmetric encryption is strong when correctly implemented with sound key management.
  • Asymmetric encryption is often described as "more secure" because the private key is never shared; at matched key sizes (e.g. AES-128 against RSA-3072 or P-256) neither family is intrinsically stronger, and real systems such as TLS combine them: asymmetric to agree on a key, symmetric to encrypt the traffic.
  • Examples of symmetric ciphers: AES, Twofish and 3DES (3DES is deprecated by NIST and should not be used in new designs).
  • Examples of asymmetric algorithms: RSA and ECC (elliptic-curve cryptography).
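The "asymmetric to agree on a key, symmetric for the bulk data" pattern that the quiz answers on HTTPS and the comparison above both describe, as an added Python example (not the page's code and not TLS itself): a finite-field Diffie-Hellman exchange over the RFC 3526 2048-bit group, followed by HKDF to turn the shared secret into a symmetric key. The group parameters are transcribed from the RFC and the function names are the example's own; the block stops at the derived key because the standard library has no AES, so the bulk encryption step is not shown:

```python
import hashlib
import hmac
import secrets

# 2048-bit MODP group from RFC 3526 (group 14): safe prime p = 2q + 1, generator 2.
# Transcribed for this example; check it against the RFC before using it elsewhere.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
Q = (P - 1) // 2                     # order of the subgroup generated by G
P_BYTES = (P.bit_length() + 7) // 8


def keygen():
    """Private exponent x in [2, q-1] and the public value g^x mod p."""
    x = secrets.randbelow(Q - 2) + 2
    return x, pow(G, x, P)


def valid_public(y: int) -> bool:
    """Reject 0, 1, p-1 and anything outside the prime-order subgroup; otherwise a
    malicious peer can force the shared secret into a handful of possible values."""
    return 1 < y < P - 1 and pow(y, Q, P) == 1


def shared_secret(x: int, peer_public: int) -> bytes:
    """Raw DH output (peer_public ^ x mod p) as fixed-width big-endian bytes."""
    if not valid_public(peer_public):
        raise ValueError("invalid peer public value")
    return pow(peer_public, x, P).to_bytes(P_BYTES, "big")


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 extract-then-expand: turns the raw DH output into uniform key bytes."""
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def exchange():
    """Two parties with no prior shared secret end up with the same 32-byte key.
    Only the two public values cross the wire."""
    client_priv, client_pub = keygen()
    server_priv, server_pub = keygen()
    # An eavesdropper sees P, G, client_pub and server_pub, and nothing else.
    client_key = hkdf_sha256(shared_secret(client_priv, server_pub), b"", b"bulk key")
    server_key = hkdf_sha256(shared_secret(server_priv, client_pub), b"", b"bulk key")
    return client_key, server_key, client_pub, server_pub


if __name__ == "__main__":
    client_key, server_key, _, _ = exchange()
    print("keys match:", client_key == server_key, "| key:", client_key.hex())
```

Two caveats. The exchange on its own does not authenticate either side, so an active attacker could run a separate exchange with each party; TLS closes that gap by having the server sign the exchange with the private key behind its certificate, which is the digital-signature use of asymmetric cryptography listed above. Second, valid_public rejects peer values outside the prime-order subgroup; without that check a malicious peer can confine the shared secret to a few possibilities and recover it by guessing.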

NIST CSF Protect/Detect Function

  • PR.AC (Access Control): Ensures only authorized users can access systems.
  • PR.DS (Data Security): Protects data from unauthorized access and disclosure.
  • PR.PT (Protective Technology): Technical security solutions are managed to ensure the security and resilience of systems and assets.
  • DE.AE (Anomalies and Events): Focuses on identifying unexpected activities.

Description

Explore IT security with risk assessments and governance. Learn to protect physical and human resources, perform backups, and apply security patches. Discover access control, incident response testing, and network security for robust defense.
