CompTIA Network+ Chapter 19: Protecting Your Network
Studying material based on Mike Meyers' book
10
Computer Networking
Post-Graduate
08/01/2024

Cards

Term

What are the three goals that are widely considered the foundations of IT security? (pg. 656)

 

A. integrity

B. availability

C. sustainability

D. confidentiality

Definition

A., B. and D.

 

Confidentiality is the goal of keeping unauthorized people from accessing, seeing, reading or interacting with systems and data.

 

Meeting the goal of integrity requires maintaining data and systems in pristine, unaltered state when they are stored, transmitted, processed and received (unless the alteration is intended).

 

Maintaining availability means ensuring that systems and data are available for authorized users to perform authorized tasks whenever they need them.

Term

A security threat where an attacker makes some data seem as though it came from somewhere else. (pg. 660)

 

A. exploit

B. packet/protocol abuse

C. on-path/man-in-the-middle attack

D. spoofing

Definition

D. Spoofing is the process of pretending to be someone or something you are not by placing false information in your packets. Any data on the network can be spoofed.

 

An exploit is the actual procedure for taking advantage of a vulnerability.

 

An on-path/MitM attack involves an attacker intercepting communications between two systems thought to only be between those two systems.

Term

Switch process that monitors DHCP traffic, filtering out DHCP messages from untrusted sources. (pg. 662)

 

A. Router Advertisement Guard (RA-Guard)

B. on-path/man-in-the-middle attack

C. denial of service (DoS)

D. DHCP snooping

Definition

D. DHCP snooping creates a database of MAC addresses for all of a network's known DHCP servers and clients. If a system connected to an untrusted port starts sending DHCP server messages, the DHCP snoop-capable switch will block that system.

 

RA-Guard is similar to DHCP snooping, but is for IPv6 networks.

 

DoS and on-path are forms of attacks, not defenses against them.

Term

A denial of service attack that targets Wi-Fi networks by sending out a frame that kicks a wireless client off its current WAP connection. (pg. 668)

 

A. DHCP scope exhaustion

B. deauthentication (deauth)

C. brute force

D. DHCP starvation

Definition

D. The deauth attack targets a specific Wi-Fi frame called a deauthentication frame, normally used by a WAP to kick an unauthorized WAP off its network.

 

DHCP scope exhaustion may or may not be caused by an attack. DHCP starvation is an attack that uses scope exhaustion, but denies service by causing a DHCP server to run out of addresses instead of kicking clients off of a network.

 

A brute force attack involves guessing passwords, not targeting wireless clients.

Term

When an attacker taps into communications between two systems, covertly intercepting traffic thought to be only between those systems. (pg. 668)

 

A. man-in-the-middle attack

B. session hijacking

C. spoofing

D. banner grabbing

Definition

A. Man-in-the-middle attacks are commonly perpetrated using ARP poisoning, but a classic MitM attack would be to spoof the SSID and let people connect to the rogue WAP controlled by the attacker.

 

Spoofing is pretending to be someone or something you are not; MitM doesn't always involve it.

 

Session hijacking only tries to grab authentication information, not necessarily listen in for additional information.

 

Banner grabbing is used to learn details about running services on open ports, not to intercept traffic between two systems.

 

Term

A hardware device that has been optimized to perform a specific task. (pg. 689)

 

A. IoT

B. edge

C. client

D. controller

Definition

C. Edge devices work in coordination with other edge devices and controllers. Their primary characteristic is that they're installed closer to a client device, such as a client or security door, than to the core or backbone of a network.

 

An IoT (Internet of Things) device is the opposite of an edge device; IoT devices can connect to the cloud or data centers for processing, whereas edge devices perform computations locally.

 

The client device requests services of the edge device.

Term

Process by which a switch or router queries network devices to confirm that they meet minimum security standards before being permitted to connect to the production network. (pg. 690)

 

A. network access control (NAC)

B. network segmentation

C. device hardening

D. posture assessment

Definition

D. Posture assessment includes checking things like type and version of anti-malware, level of QoS, and type/version of operating system.

 

Posture assessment is a tool used to implement NAC and device hardening, broader terms that include a number of other security standards.

 

Network segmentation isn't about gatekeeping devices until they're confirmed to meet security standards, but breaking up a network into logical collections that share policies or security controls.

Term

A process or program running within the computer that scans the computer to create an inventory of statistics. (pg. 690)

 

A. advisor

B. agent

C. widget

D. keylogger

Definition

B. Agents can be persistent, in which case they stay on a device and run every time the device boots up. They can also be non-persistent, in which case they are released from memory after a node disconnects from a network and leaves a portal site.

 

Advisor is a term I made up.

 

A widget is a small desktop or smartphone accessory or applet, but not necessarily meant for the same purpose as an agent.

 

If you have a keylogger on your computer, get it off ASAP!

 

Term

Separating network assets through various means, such as with VLANs or with a DMZ, to protect against access by malicious actors. (pg. 691)

 

A. posture assessment

B. subnetting

C. network segmentation

D. isolation

Definition

C. Network segmentation is the use of hardware, VLANs, ACLs, firewalls and so on to break the network up into logical segments that collect all of the clients or servers that need the same policy or security controls.

 

Posture assessment is a tool used to implement network access control.

 

Subnetting is the process of splitting networks into smaller ones separated by IP ranges, but doesn't segment by device.

 

Isolation is the practice of preventing a device on a wireless network from accessing other wireless clients and the wired network, while still granting Internet access.

Term

A technique that modern firewalls use to tell if a packet is part of an existing connection by examining them all as a stream. (pg. 698)

 

A. network access control (NAC)

B. access control list (ACL)

C. stateless inspection

D. stateful inspection

Definition

A device that uses stateful inspection can do more than allow or block; it can track when a stream is disrupted or when packets get corrupted, and act accordingly.

 

Devices that use stateless inspection filter each IP packet individually, checking the packet for IP addresses and port numbers, and blocking or allowing accordingly.

 

NAC is about inspecting devices before they're allowed to connect to a network, not packets.

 

ACLs allow or deny traffic based on things like source or destination IP address, not packet characteristics.
