CCNA Cyber Ops (Version 1.1) – Chapter 10 Exam Answers Full

B. The Open Source HIDS SECurity (OSSEC) software is an open source HIDS that uses a central manager server and agents that are installed on the hosts that are to be monitored.

C. The Domain profile in Windows Firewall configuration is for connections to a trusted network, such as a business network, that is assumed to have an adequate security infrastructure.

A. The Common Vulnerability Scoring System (CVSS) is a risk assessment tool to convey the common attributes and severity of vulnerabilities in computer hardware and software systems.

C. There are four potential strategies for responding to risks that have been identified:
Risk avoidance: Stop performing the activities that create risk.
Risk reduction: Decrease the risk by taking measures to reduce vulnerability.
Risk sharing: Shift some of the risk to other parties.
Risk retention: Accept the risk and its consequences.

D. The major regulatory compliance options include:
Federal Information Security Management Act of 2002 (FISMA):
Specifies security standards for U.S. government systems and contractors to the U.S. government.
Sarbanes-Oxley Act of 2002 (SOX): Sets new or expanded requirements for all U.S. public company boards, management, and public accountingfirms regarding the way in which corporations control and disclose financial information.
Gramm-Leach-Bliley Act (GLBA): Established that financial institutions must ensure the security and confidentiality of customer information; protect against any anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.
Health Insurance Portability and Accountability Act (HIPAA):
Requires that all patient personally identifiable healthcare information be stored, maintained, and transmitted in ways that ensure patient privacy and confidentiality.

B, D, F. IoT components, such as sensors, controllers, and network security cameras, are network endpoints when they are connected to a network. Routers, VPN appliances, and wireless access points are examples of intermediate devices.

C. Antimalware programs may detect viruses using three different approaches:
Signature-based, by recognizing various characteristics of known malware files
Heuristics-based, by recognizing general features shared by various types of malware
Behavior-based, through analysis of suspicious activities

C. The SANS Institute describes three components of the attack surface:
Network Attack Surface: Exploitation of vulnerabilities in networks
Software Attack Surface: Exploitation of vulnerabilities in web, cloud, or host-based software applications
Human Attack Surface: Exploitation of weaknesses in user behavior

C. The service accounts element of a server profile defines the type of service that an application is allowed to run on a given host.

B. The Base metric group of CVSS represents the characteristics of a vulnerability that are constant over time and across contexts. It contains two classes of metrics:
Exploitability metrics: Features of the exploit such as the vector,complexity, and user interaction required by the exploit
Impact metrics: The impacts of the exploit rooted in the CIA triad of confidentiality, integrity, and availability

B. The steps in the Vulnerability Management Life Cycle include these:
Discover: Inventory all assets across the network and identify host details, including operating systems and open services to identify vulnerabilities.
Prioritize assets: Categorize assets into groups or business units, and assign a business value to asset groups based on their criticality to business operations.
Assess: Determine a baseline risk profile to eliminate risks based on asset criticality, vulnerability threats, and asset classification.
Report: Measure the level of business risk associated with your assets according to your security policies. Document a security plan, monitor suspicious activity, and describe known vulnerabilities.
Remediate: Prioritize according to business risk and fix vulnerabilities in order of risk.
Verify: Verify that threats have been eliminated through follow-up audits.

A. A risk analysis includes assessment of the likelihood of attacks, identifies types of likely threat actors, and evaluates the impact of successful exploits on the organization.

The telemetry functionality in most host-based security suites provides robust logging functionality and submits logs to a central location for analysis.

In Windows, blacklisting and whitelisting settings can be managed through the Group Policy Editor.

Host-based antivirus protection is also known as agent-based. Agent-based antivirus runs on every protected machine. Agentless antivirus protection performs scans on hosts from a centralized system.

In vulnerability assessment, security analysts use software to scan internal networks and Internet facing servers for various types of vulnerabilities. Tools for vulnerability assessment include the open source OpenVAS platform, Microsoft Baseline Security Analyzer, Nessus, Qualys, and Fireeye Mandiant services.

There are four potential strategies for responding to risks that have been identified:

• Risk avoidance – Stop performing the activities that create risk.
• Risk reduction – Decrease the risk by taking measures to reduce vulnerability.
• Risk sharing – Shift some of the risk to other parties.
• Risk retention – Accept the risk and its consequences.

There are four potential strategies for responding to risks that have been identified:

• Risk avoidance – Stop performing the activities that create risk.
• Risk reduction – Decrease the risk by taking measures to reduce vulnerability.
• Risk sharing – Shift some of the risk to other parties.
• Risk retention – Accept the risk and its consequences.

A current HIDS is a comprehensive security application that combines the functionalities of antimalware applications with firewall protection. An HIDS not only detects malware but also prevents it from executing. Because the HIDS runs directly on the host, it is considered an agent-based system.

Using a signature-based approach, host security software can detect viruses and malware by recognizing various characteristics of known malware files.

Switches are LAN infrastructure devices interconnecting endpoints. They are susceptible to LAN-related attacks including MAC address-table overflow attacks, spoofing attacks, LAN storm attacks, STP manipulation attacks, and VLAN attacks.

The Base Metric Group Exploitability metrics include the criteria:

• Attack vector – a metric that reflects the proximity of the threat actor to the vulnerable component
• Attack complexity – a metric that expresses the number of components, software, hardware, or networks, that are beyond control of the attacker and that must be present in order for a vulnerability to be successfully exploited
• Privileges required – a metric that captures the level of access that is required for a successful exploit of the vulnerability
• User interaction – second component of the attack complexity metric that expresses the presence or absence of the requirement for user interaction in order for an exploit to be successful
• Scope – a metric that expresses whether multiple authorities must be involved in an exploit

There are four potential strategies for responding to risks that have been identified:

• Risk avoidance – Stop performing the activities that create risk.
• Risk reduction – Decrease the risk by taking measures to reduce vulnerability.
• Risk sharing – Shift some of the risk to other parties.
• Risk retention – Accept the risk and its consequences.

Iptables is an application that allows Linux system administrators to configure network access rules.

Configuration management addresses the inventory and control of hardware and software configurations of network systems.

With an anomaly-based intrusion detection approach, a baseline of host behaviors is established first. The host behavior is checked against the baseline to detect significant deviations, which might indicate potential intrusions.

The three steps of risk assessment in order are as follows:

1. Identify threats and vulnerabilities and the matching of threats with vulnerabilities.
2. Establish a baseline to indicate risk before security controls are implemented.
3. Compare to an ongoing risk assessment as a means of evaluating risk management effectiveness.

A mandatory activity in risk assessment is the identification of threats and vulnerabilities and the matching of threats with vulnerabilities, also called threat-vulnerability (T-V) pairing.

Blacklists can be used to identify and prevent specific applications, websites, or services from being downloaded or executed within an enterprise network.

Network Admission Control (NAC) allows only authorized and compliant systems to connect to a network.

Cisco ThreatGrid Glovebox is a sandbox product for analyzing malware behaviors.

Antimalware programs may detect viruses using three different approaches:

• signature-based – by recognizing various characteristics of known malware files
• heuristics-based – by recognizing general features shared by various types of malware
• behavior-based – through analysis of suspicious activities

There are five major regulatory compliance regulations including:

• Federal Information Security Management Act of 2002 (FISMA) – specifies security standards for U.S. government systems and contractors to the U.S. government.
• Sarbanes-Oxley Act of 2002 (SOX) – sets new or expanded requirements for all U.S. public company boards, management and public accounting firms regarding the way in which corporations control and disclose financial information.
• Gramm-Leach-Bliley Act (GLBA) – established that financial institutions must ensure the security and confidentiality of customer information; protect against any anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.
• Health Insurance Portability and Accountability Act (HIPAA) – requires that all patient personally identifiable healthcare information be stored, maintained, and transmitted in ways that ensure patient privacy and confidentiality.

An attack surface is the total sum of the vulnerabilities in a system that is accessible to an attacker. The attack surface can consist of open ports on servers or hosts, software that runs on Internet-facing servers, wireless network protocols, and even users.

The steps in the Vulnerability Management Life Cycle include these:Discover – inventory all assets across the network and identify host details, including operating systems and open services, to identify vulnerabilities
Prioritize assets – categorize assets into groups or business units, and assign a business value to asset groups based on their criticality to business operations
Assess – determine a baseline risk profile to eliminate risks based on asset criticality, vulnerability threats, and asset classification
Report – measure the level of business risk associated with assets according to security policies. Document a security plan, monitor suspicious activity, and describe known vulnerabilities.
Remediate – prioritize according to business risk and fix vulnerabilities in order of risk
Verify – verify that threats have been eliminated through follow-up audits

Important elements of a network profile include:

• Total throughput – the amount of data passing from a given source to a given destination in a given period of time
• Session duration – the time between the establishment of a data flow and its termination
• Ports used – a list of TCP or UDP processes that are available to accept data
• Critical asset address space – the IP addresses or the logical location of essential systems or data

The Base Metric Group of CVSS represents the characteristics of a vulnerability that are constant over time and across contexts. It contains two classes of metrics, Exploitability and Impact.

The Base Metric Group Exploitability metrics include these criteria:

• Attack vector – a metric that reflects the proximity of the threat actor to the vulnerable component
• Attack complexity – a metric that expresses the number of components, software, hardware, or networks, that are beyond control of the attacker and that must be present in order for a vulnerability to be successfully exploited
• Privileges required – a metric that captures the level of access that is required for a successful exploit of the vulnerability
• User interaction – second component of the attack complexity metric that expresses the presence or absence of the requirement for user interaction in order for an exploit to be successful
• Scope – a metric that expresses whether multiple authorities must be involved in an exploit

Explanation:
Linux server services are managed using configuration files that contain specific information about the service including port number, location of the hosted resources, and client authorization details.

Explanation:
A network design that uses distributed firewalls centrally manages security rules and pushes those rules to the Linux and Windows host machines. Windows-based hosts use the Windows Firewall, whereas the Linux-based hosts use a firewall application such as iptables or nftables. Snort is an open source network intrusion prevention software. Wireshark is a packet capture tool and Security information and event management (SIEM) provides real-time analysis of alerts and log entries generated by network appliances such as IDSs and firewalls.

Explanation:
The Simple Network Management Protocol (SNMP) is an application layer protocol used to monitor and manage the network. Network devices have SNMP agents that communicate with the SNMP manager where the SNMP management software runs.

Explanation:The Public Key Infrastructure (PKI) is a third party-system referred to as a certificate authority or CA. The PKI is the framework used to securely exchange information between parties. Common PKI applications are as follows:

• SSL/TLS certificate-based peer authentication
• IPsec VPNs
• HTTPS web traffic
• network access control using 802.1x authentication
• secure email using S/MIME
• secure instant messaging
• approve and authorize applications with Code signing
• protect data with EFS
• use two-factor authentication
• secure USB storage devices

Antimalware programs may detect viruses using three different approaches:

signature-based – by recognizing various characteristics of known malware files

heuristics-based – by recognizing general features shared by various types of malware

behavior-based – through analysis of suspicious activities