CISSP All-in-One Exam Guide Quick Review PDF

Summary

This document is a quick review of network security concepts, including link encryption and end-to-end encryption. It explains protocols such as TLS and gives details on VPNs. It is a good resource for learning about network security.

Full Transcript


Quick Review (CISSP All-in-One Exam Guide, Chapter 13: Securing the Network)

- Link encryption encrypts all the data along a specific communication path.
- End-to-end encryption (E2EE) occurs at the session layer (or higher) and does not encrypt routing information, enabling attackers to learn more about a captured packet and where it is headed.
- Transport Layer Security (TLS) is an E2EE protocol that provides confidentiality and data integrity for network communications.
- Secure Sockets Layer (SSL) is the predecessor of TLS and is deprecated and considered insecure.
- A virtual private network (VPN) is a secure, private connection through an untrusted network.
- The Point-to-Point Tunneling Protocol (PPTP) is an obsolete and insecure means of providing VPNs.
- The Layer 2 Tunneling Protocol (L2TP) tunnels PPP traffic over various network types (IP, ATM, X.25, etc.) but does not encrypt the user traffic.
- Internet Protocol Security (IPSec) is a suite of protocols that provides authentication, integrity, and confidentiality protections to data at the network layer.
- TLS can be used to provide VPN connectivity at layer 5 in the OSI model.
- A web service is a client/server system in which clients and servers communicate using HTTP over a network such as the Internet.
- A service-oriented architecture (SOA) describes a system as a set of interconnected but self-contained components that communicate with each other and with their clients through standardized protocols.
- Application programming interfaces (APIs) establish a "language" that enables a system component to make a request from another component and then interpret that second component's response.
- The Hypertext Transfer Protocol (HTTP) is a TCP/IP-based communications protocol used for transferring data between a server and a client in a connectionless and stateless manner.
- A uniform resource identifier (URI) uniquely identifies a resource on the Internet.
- HTTP Secure (HTTPS) is HTTP running over TLS.
- The Simple Object Access Protocol (SOAP) is a messaging protocol that uses XML over HTTP to enable clients to invoke processes on a remote host in a platform-agnostic way.
- SOAP security is enabled by a set of protocol extensions called the Web Services Security (WS-Security or WSS) specification, which provides message confidentiality, integrity, and authentication.
- Representational State Transfer (REST) is an architectural pattern used to develop web services without using SOAP.
- A domain generation algorithm (DGA) produces seemingly random domain names in a way that is predictable by anyone who knows the algorithm.
- DNS tunneling is the practice of encoding messages in one or a series of DNS queries or responses for exfiltrating data from, or infiltrating data into, an environment.
- DNS reflection attacks involve sending a query to a server while spoofing the source address to be that of the intended target.
- A DNS amplification attack is characterized by small queries that result in much larger responses.
- Domain Name System Security Extensions (DNSSEC) is a set of IETF standards that ensures the integrity of DNS records but not their confidentiality or availability.
- DNS over HTTPS (DoH) is a (yet to be ratified) approach to protecting the privacy and confidentiality of DNS queries by sending them over HTTPS/TCP/IP instead of unsecured UDP/IP.
- E-mail spoofing is a technique used by malicious users to forge an e-mail to make it appear to be from a legitimate source.
- Simple Authentication and Security Layer (SASL) is a protocol-independent framework for performing authentication that is typically used in POP3 e-mail systems.
- The Sender Policy Framework (SPF) is an e-mail validation system designed to prevent e-mail spam by detecting e-mail spoofing through verification of the sender's IP address.
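The DGA and DNS tunneling items above describe what an analyst looks for in DNS traffic: random-looking registrable labels, and repeated queries to one domain whose subdomain parts carry long encoded payloads. The following script is an added example (it is not from the exam guide) that applies both heuristics to a constructed query log. The log format, the entropy and length thresholds, and the "last two labels" approximation of the registrable domain are all assumptions made for the example.

```python
"""DNS-log heuristics for DGA-style names and DNS tunneling (added example).

Assumptions (not from the CISSP text): queries are available as
"<time> <client> <qtype> <qname>" records; thresholds are illustrative
starting points, not tuned values; registrable domain = last two labels.
"""
import math
from collections import defaultdict

# Constructed sample log (not real traffic): ordinary lookups, two DGA-looking
# names, and a burst of long hex-encoded subdomains under one parent domain.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 A www.example.com
10:00:02 10.0.0.5 A mail.example.com
10:00:03 10.0.0.7 A xk3jd9qwe8rty2vb.net
10:00:04 10.0.0.7 A q8z1m4n7v2c5x9b3.com
10:00:05 10.0.0.9 TXT 4a6f686e2e646f652e4a6f686e.tun.example.net
10:00:06 10.0.0.9 TXT 6d6f72652064617461206865726520.tun.example.net
10:00:07 10.0.0.9 TXT 7468697320697320646e73.tun.example.net
10:00:08 10.0.0.9 TXT 74756e6e656c696e672064617461.tun.example.net
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((text.count(c) / n) * math.log2(text.count(c) / n) for c in set(text))


def parse_log(text: str) -> list:
    """Turn the constructed log format into a list of query records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing the analysis
        ts, client, qtype, qname = parts
        records.append({"ts": ts, "client": client, "qtype": qtype.upper(),
                        "qname": qname.lower().rstrip(".")})
    return records


def registrable_domain(qname: str) -> str:
    """Approximate the registrable domain as the last two labels (assumption:
    no public-suffix list, so names like example.co.uk would be mis-split)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def looks_like_dga(qname: str, min_len: int = 12, min_entropy: float = 3.5) -> bool:
    """DGA heuristic: the registrable label is long and high-entropy."""
    label = registrable_domain(qname).split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def tunneling_suspects(records: list, min_queries: int = 3, min_avg_sub_len: int = 20) -> dict:
    """Tunneling heuristic: one registrable domain receives repeated queries
    whose subdomain parts are unusually long (encoded payload)."""
    by_domain = defaultdict(list)
    for rec in records:
        by_domain[registrable_domain(rec["qname"])].append(rec)
    suspects = {}
    for domain, recs in by_domain.items():
        # length of everything left of the registrable domain, minus the dot
        sub_lens = [len(r["qname"]) - len(domain) - 1 for r in recs
                    if len(r["qname"]) > len(domain)]
        if len(recs) < min_queries or not sub_lens:
            continue
        avg = sum(sub_lens) / len(sub_lens)
        if avg >= min_avg_sub_len:
            suspects[domain] = {
                "queries": len(recs),
                "avg_subdomain_len": avg,
                "txt_queries": sum(1 for r in recs if r["qtype"] == "TXT"),
            }
    return suspects


def analyze(text: str) -> dict:
    """Run both heuristics over a log and return the findings."""
    records = parse_log(text)
    return {
        "dga": [r["qname"] for r in records if looks_like_dga(r["qname"])],
        "tunneling": tunneling_suspects(records),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

On the constructed log, the two 16-character labels score 4.0 bits per character and are flagged as DGA-like, while example.net is flagged for tunneling because its four TXT queries average over 30 characters of subdomain each. Real deployments would tune the thresholds against a baseline of the organization's own traffic and whitelist services (CDNs, anti-spam lookups) that legitimately use long, machine-generated labels.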
- The DomainKeys Identified Mail (DKIM) standard allows e-mail servers to digitally sign messages to provide a measure of confidence for the receiving server that the message is from the domain it claims to be from.
- Domain-based Message Authentication, Reporting and Conformance (DMARC) systems incorporate both SPF and DKIM to protect e-mail.
- Secure MIME (S/MIME) is a standard for encrypting and digitally signing e-mail and for providing secure data transmissions.
- The Distributed Network Protocol 3 (DNP3) is a multilayer communications protocol designed for use in SCADA systems, particularly those within the power sector.
- The Controller Area Network (CAN) bus is a multilayer protocol designed to allow microcontrollers and other embedded devices to communicate with each other on a shared bus.
- Converged protocols are those that started off independent and distinct from one another but over time converged to become one.
- Fibre Channel over Ethernet (FCoE) is a protocol encapsulation that allows Fibre Channel (FC) frames to ride over Ethernet networks.
- The Internet Small Computer Systems Interface (iSCSI) protocol encapsulates SCSI data in TCP segments so that computer peripherals can be located at any physical distance from the computer they support.
- Network segmentation is the practice of dividing networks into smaller subnetworks.
- A virtual LAN (VLAN) is a set of devices that behave as though they were all directly connected to the same switch, when in fact they aren't.
- Virtual eXtensible LAN (VxLAN) is a network virtualization technology that encapsulates layer 2 frames in UDP (layer 4) datagrams for distribution anywhere in the world.
- Software-defined networking (SDN) is an approach to networking that relies on distributed software to separate the control and forwarding planes of a network.
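The SPF, DKIM and DMARC items above are easier to reason about when the three checks are run together on a message: SPF decides whether the connecting IP may send for the MAIL FROM domain, DKIM decides whether the signature's d= domain vouches for the content, and DMARC then asks whether either authenticated domain is aligned with the visible From: header and what to do if neither is. The following is an added example (not code from the exam guide) with those rules reduced to a few functions. It assumes a simplified SPF record with only ip4/ip6/all mechanisms, takes the DKIM verification result and its d= domain as caller-supplied inputs (signature verification itself is out of scope here), and approximates the organizational domain as the last two labels; the example.com records are constructed.

```python
"""SPF evaluation plus DMARC alignment and disposition (added example).

Assumptions not in the CISSP text: SPF records contain only ip4/ip6/all
mechanisms (no include, a, mx or redirect); the DKIM result and d= domain are
supplied by the caller; organizational domain = last two labels.
"""
import ipaddress

# Constructed DNS records for the hypothetical domain example.com.
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"
DMARC_RECORD = "v=DMARC1; p=reject; aspf=s; adkim=r"

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record: str, sender_ip: str) -> str:
    """Evaluate a simplified SPF record against the connecting IP address."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # mechanisms without a qualifier mean "pass"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return RESULT_FOR_QUALIFIER[qualifier]
        if mech in ("ip4", "ip6") and value:
            # 'in' is False when address and network families differ
            if ip in ipaddress.ip_network(value, strict=False):
                return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term present


def parse_dmarc(record: str):
    """Parse 'tag=value; ...' into a dict; None if it is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("aspf", "r")   # DMARC defaults to relaxed alignment
    tags.setdefault("adkim", "r")
    return tags


def org_domain(domain: str) -> str:
    """Approximate organizational domain as the last two labels (assumption)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(from_domain: str, dmarc_record: str, spf_result: str,
                   spf_domain: str, dkim_result: str, dkim_domain) -> dict:
    """DMARC passes if SPF or DKIM passed AND that identifier aligns with From:."""
    policy = parse_dmarc(dmarc_record)
    if policy is None:
        return {"result": "none", "spf_aligned": False, "dkim_aligned": False,
                "disposition": "none"}
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, from_domain, policy["adkim"]))
    passed = spf_ok or dkim_ok
    return {"result": "pass" if passed else "fail",
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "disposition": "none" if passed else policy["p"]}


def evaluate_message(from_domain: str, sender_ip: str, mail_from_domain: str,
                     dkim_result: str, dkim_domain,
                     spf_record: str = SPF_RECORD, dmarc_record: str = DMARC_RECORD) -> dict:
    """Run SPF for the connecting IP, then DMARC over both authentication results."""
    spf_result = check_spf(spf_record, sender_ip)
    verdict = evaluate_dmarc(from_domain, dmarc_record, spf_result,
                             mail_from_domain, dkim_result, dkim_domain)
    verdict["spf_result"] = spf_result
    return verdict


if __name__ == "__main__":
    print(evaluate_message("example.com", "192.0.2.10", "example.com", "pass", "mail.example.com"))
    print(evaluate_message("example.com", "198.51.100.7", "example.com", "none", None))
```

Two of the test cases illustrate why the items above describe DMARC as combining SPF and DKIM rather than replacing them: a message whose SPF passes for the sender's own MAIL FROM domain still fails DMARC when the From: header claims example.com, because the passing identifier is not aligned; and with aspf=s, mail sent from a bounce subdomain needs an aligned DKIM signature to pass, since strict SPF alignment demands an exact match.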
- Software-defined wide area networking (SD-WAN) is the use of software (instead of hardware) to control the connectivity, management, and services between distant sites in a manner that is similar to SDN but applied to WANs.

Questions

Please remember that these questions are formatted and asked in a certain way for a reason. Keep in mind that the CISSP exam is asking questions at a conceptual level. Questions may not always have the perfect answer, and the candidate is advised against always looking for the perfect answer. Instead, the candidate should look for the best answer in the list.

1. Which of the following provides secure end-to-end encryption?
   A. Transport Layer Security (TLS)
   B. Secure Sockets Layer (SSL)
   C. Layer 2 Tunneling Protocol (L2TP)
   D. Domain Name System Security Extensions (DNSSEC)

2. Which of the following can take place if an attacker is able to insert tagging values into network- and switch-based protocols with the goal of manipulating traffic at the data link layer?
   A. Open relay manipulation
   B. VLAN hopping attack
   C. Hypervisor denial-of-service attack
   D. DNS tunneling
