Term
What are some good sources of information for detecting and mitigating threats? |
|
Definition
- NetFlow
- syslog
- RMON events
- SNMP thresholds and traps
- CPU and interface statistics
- Cisco Security MARS reporting |
|
|
Term
Describe the general approach when creating a security policy |
|
Definition
- Step 1 - identify what you are trying to protect
- Step 2 - determine what you're trying to protect it from
- Step 3 - determine how likely the threats are
- Step 4 - Implement measures that protect your assets in a cost-effective manner
- Step 5 - Review the process continuously and make improvements each time a weakness is found |
|
|
Term
What are some threat detection and mitigating solutions described by Cisco? |
|
Definition
- endpoint protection
- application security and anti-X defense
- infection containment
- inline IPS and anomaly detection |
|
|
Term
What are the 4 steps used to facilitate continuing efforts in maintaining security policies? |
|
Definition
- Step 1 - secure - identification, authorization, ACLs, stateful packet inspection, encryption, and VPN
- Step 2 - monitor - intrusion and content-based detection and response
- Step 3 - test - assessments, vulnerabilities, scanning, and security audits
- Step 4 - improve - security data analysis, reporting, intelligent network security |
|
|
Term
In best practice, where should user authentication be placed on a network? |
|
Definition
Validating user authentication should be implemented as close to the source as possible, with an emphasis on strong authentication for access from untrusted networks. |
|
|
Term
What are the 3 components of risk assessment? |
|
Definition
- Control - refers to how you use the security policy to minimize potential risks
- Severity - describes the level of the risk to the organization
- Probability - The likeliness that an attack against the assets will occur |
|
|
Term
What are some of the functions provided by security management applications? |
|
Definition
- Central repository for collecting network information for further analysis of security-related events
- Allows for easier deployment of security policies into the security devices via graphical user interface tools
- Role-based access control for all accounts to separate admin tasks and user functions |
|
|
Term
What are the critical components of the self-defending network? |
|
Definition
- Trust and identity management - securing critical assets
- Threat defense - responding to the effects of security outbreaks.
- Secure connectivity - ensure privacy and confidentiality of data communications |
|
|
Term
What 3 broad categories can security threats fall under? |
|
Definition
- Reconnaissance
- Gain unauthorized access
- Denial of service (DoS) |
|
|
Term
What are some ways to combat DoS attacks? |
|
Definition
- DHCP snooping - verifies DHCP transactions and prevents rogue DHCP servers from interfering with production traffic
- Dynamic ARP inspection - intercepts ARP packets and verifies that they are valid IP-to-MAC bindings
- Unicast RPF - prevents unknown source addresses from using the network as a transport mechanism to carry out attacks
- ACL - control what traffic is allowed on the network
- Rate limiting - controls the rate of bandwidth that incoming traffic is using, such as ARP and DHCP requests |
|
|
Term
How is a risk index used to consider the risks of potential threats? |
|
Definition
The risk index is calculated by multiplying the severity and probability factors and then dividing that by the control factor.
risk index = (severity * probability)/control
Each factor (severity, probability, control) is given a value from 1 (lowest) to 3 (highest) |
|
|
Term
What are the 3 components of trust and identity management? |
|
Definition
1. Trust 2. Identity 3. Access control |
|
|
Term
Describe the core network security platforms used to develop network security |
|
Definition
- Adaptive security appliance (ASA) is a high-performance firewall appliance with intrusion prevention system (IPS), antivirus, IPsec, and SSL VPN technologies integrated into a single unified architecture. ASA also has network admission control (NAC) capabilities
- Integrated services router (ISR) - combines IOS firewalls, VPN, and IPS services across the router portfolio. ISR routers also have NAC enabled
- Cisco Catalyst switches include DoS and man-in-the-middle attack mitigation, integrate the use of service modules for high protection, and provide for secure connectivity |
|
|
Term
Describe the 3 network phases of the self-defending network |
|
Definition
- Integrated security - security throughout the existing infrastructure in which each network device acts as a point of defense
- Collaborative security - security components that work together with an organization's security policies.
- Adaptive threat defense - Tools used to defend against security threats and varying network conditions. |
|
|
Term
What are some examples of technologies used to support trust and identity management? |
|
Definition
- Access control lists
- Firewall
- Network admission control (NAC)
- 802.1X
- Cisco identity-based network services (IBNS) |
|
|
Term
What are some ways to prevent integrity violations and confidentiality attacks? |
|
Definition
- Restrict access by separating networks (VLANs) and using packet-filtering firewalls
- Restrict access with OS-based controls in both Windows and Unix
- Limit user access by using user profiles for different departmental roles
- Use encryption technologies to secure data or digitally sign data. |
|
|
Term
What are the 3 main areas of focus when it comes to threat defense? |
|
Definition
- Enhancing the security of the existing network
- Adding full security services for network endpoints
- Enabling integrated security in routers, switches and applications |
|
|
Term
Describe the Cisco self-defending network |
|
Definition
The self-defending network is Cisco's strategy for securing an organization's business by identifying, preventing, and adapting to security threats. The SDN has defined 3 critical components:
1. Trust and identity management - securing critical assets
2. Threat defense - responding to the effects of security outbreaks
3. Secure connectivity - ensuring privacy and confidentiality of data communications. |
|
|
Term
Describe the identity component of a trust relationship |
|
Definition
This can be users, devices, organizations, or all of these. Authentication of the identity is based on the following:
- Something the subject knows (password or PIN)
- Something the subject has (token, smart card)
- Something the subject is (finger print, retina scan, or voice recognition) |
|
|
Term
What are some important network characteristics that can be at risk for security threats? |
|
Definition
- Data confidentiality
- Data integrity
- System availability |
|
|
Term
Explain what the Cisco NAC framework and NAC appliance are. |
|
Definition
- The NAC framework is an integrated solution led by Cisco that incorporates the network infrastructure and third-party software to impose security policy on the attached endpoint
- The NAC appliance is a self-contained product that integrates with the infrastructure to provide user authentication and enforce security policy for devices seeking entry into the network. NAC appliances can also repair vulnerabilities before allowing access to the network infrastructure |
|
|
Term
Describe the trust component of trust and identity management |
|
Definition
Trust is the relationship between 2 or more network entities that are permitted to communicate. Domains of trust are a way to group network systems that share a common policy or function. |
|
|
Term
Describe the access control component of trust and identity management |
|
Definition
Access control is a security mechanism for controlling admission to the network and its resources. The core of network access control consists of the following:
- Authentication establishes the user's identity and access to network resources
- Authorization describes what can be done and what can be accessed
- Accounting provides an audit trail of activities by logging the actions of the user |
|
|
Term
Explain the 802.1X protocol |
|
Definition
The 802.1X protocol is a standards-based protocol for authenticating clients by permitting or denying access to the network. It operates between the end-user client seeking access and an Ethernet switch or wireless AP providing the connection to the network. A back-end RADIUS server such as a Cisco Access Control Server (ACS) provides the user account database used to apply authentication and authorization. |
|
|
Term
What are the 2 main reasons for having a security policy? |
|
Definition
- It provides the framework for the security implementation
- It creates a security baseline of the current security posture |
|
|
Term
Describe Cisco's identity-based network services |
|
Definition
The Cisco Identity-Based Network Services solution is a way to authenticate host access based on policy for admission to the network. IBNS supports identity authentication, dynamic provisioning of VLANs on a per-user basis, guest VLANs, and 802.1X with port security. |
|
|
Term
What act (law) focuses on the accuracy and the controls imposed on a company's financial records? |
|
Definition
US Public Company Accounting Reform and Investor Protection Act of 2002 (Sarbanes-Oxley or SOX) |
|
|
Term
Which act (law) provides protection against the sale of bank and account information that is regularly bought and sold by financial institutions? |
|
Definition
Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (GLBA) |
|
|
Term
Which act (law) applies to the protection of private health information that is used electronically? |
|
Definition
US Health Insurance Portability and Accountability Act (HIPAA) |
|
|
Term
Which act (law) calls for the protection of people's privacy with respect to the processing of personal data? |
|
Definition
EU Data Protection Directive 95/46/EC |
|
|
Term
What protects the network from threats by enforcing security compliance on all devices attempting to access the network? |
|
Definition
Network Admission Control (NAC) |
|
|
Term
What is an IEEE media-level access control standard that permits and denies access to the network and applies traffic policy based on identity? |
|
Definition
|
|
Term
What technology is based on several integrated Cisco solutions to enable authentication, access control and user policies to secure network infrastructure and resources? |
|
Definition
Cisco Identity-Based Network Services (IBNS) |
|
|
Term
Define the following technologies:
- FWSM - ASA - IPS sensor appliances - CSA - MARS - Cisco TADM |
|
Definition
- FWSM - Catalyst 6500 Firewall Service Module
- ASA - Adaptive Security Appliance (robust firewall and/or NIPS)
- IPS sensor appliances - NIPS only
- CSA - Cisco Security Agent (HIPS)
- MARS - Monitoring, Analysis, and Response System
- Cisco TADM - Traffic Anomaly Detector Module - detects high-speed DoS attacks |
|
|
Term
Describe the following security management solutions:
- CSM - ACS - MARS - CSA MC - SDM - ASDM - IDM |
|
Definition
- Cisco Security Manager (CSM) - an integrated solution for configuration management for firewall, VPN, router, switch module and IPS devices
- Cisco Secure Access Control Server (ACS) - provides centralized control for administrative access to Cisco devices and security applications.
- Cisco Secure Monitoring, Analysis, and Response System (MARS) - an appliance-based solution for network security administrators to monitor, identify, isolate, and respond to security threats.
- Management Center for CSA (CSA MC) - an SSL web-based tool for mapping Cisco Security Agent configurations
- Cisco Router and Security Device Manager (SDM) - a web-based tool for routers and supports a wide range of IOS software
- Cisco Adaptive Security Device Manager (ASDM) - web-based tool for managing Cisco ASA 5500 series appliances, PIX 500 series appliances, and Cisco Catalyst 6500 Firewall Service Modules
- Cisco Intrusion Prevention System Device Manager (IDM) - web-based application that configures and manages IPS sensors. |
|
|