NSE 1 - Threat Landscape

Study online at quizlet.com/_38pf2z

1. Application Control: Protects managed desktops and servers by allowing or denying network application usage based on policies set up by the administrator.
2. APT: Advanced Persistent Threat. An unauthorized person gains access to a network and stays there undetected.
3. ATP: Advanced Threat Protection. Relies on multiple types of security technologies, products, and research. Prevent, Detect, Mitigate. Fortinet has a Sandbox for this.
4. Bot: A software application that runs automated tasks over the internet. It can spread as quickly as the speed of a signal transmission.
5. Botnet: Also called a Zombie army, where users are unaware that their computer is being used to forward malware to other computers. Botnets pose the most serious threat to the internet.
6. By the mid-2000s, who were the main hackers?: Criminals, Governments, and Hacktivists.
7. "Catch-it-as-you-can" systems: Capture all packets passing through a certain traffic point, store the data, and then perform analysis in batch mode.
8. Contemporary threats can be a challenge for these 4 reasons: 1) New devices and apps appear on the market regularly, posing new threats. 2) Much of the new technology is very cheap, even for a simple user who is unsophisticated about security. 3) Social media is a primary source of connectivity, with hidden threats in these sites. 4) More cross-platform sharing and integration makes it challenging.
9. Drive-By: The unintentional download of a virus. By clicking on a web page, your computer downloads a small piece of script that starts to open up your system to other malicious code.
10. Exploit: A vulnerability used to take advantage of a system.
11. How is an APT able to stay undetected for so long?: It disables client-based security, gets constant updates from the command center allowing it to morph, and spreads quickly into the network.
12. If a piece of malware gets through the Intrusion Prevention, what is supposed to stop the malware once it is in your computer?: A user's AV is supposed to stop it...but...some hackers use file compression, encryption, or fast-morphing variations so the AV can't "see" it.
13. IP: This is the commodity most sought after by criminals, the IP addresses of certain computers and servers.
14. IPS: Intrusion Prevention System. Protects by blocking out malicious code. Wide range of features such as custom signatures, protocol decoders, out-of-band mode, packet logging, and IPS sensors.
15. Is stateful inspection a new technology?: No. Stateful firewall inspection is part of every single UTM and NGFW on the market. It is not going away or being replaced. Conversely, there is nothing new or innovative about stateful packet inspection. Every firewall on the planet of any notable interest does stateful inspection and has for decades.
16. Log management: The correct generation, transmission, analysis, storage and disposal of large volumes of log data created within a system.
17. Malvertising: The use of online advertising to spread malware. Infections delivered through malvertising silently travel through web page advertisements.
18. Malware: Can be a virus (malicious code), a worm (replicates copies of itself; does not need humans, just a hole in the OS), or a trojan (malicious code contained inside harmless code).
19. Name 16 ways to stop Malware:
1. Security partnerships
2. End-user Education
3. Network Segregation
4. Web Filtering/IP Reputation
5. Whitelisting
6. Blacklisting
7. Application Control
8. Sandboxing
9. Data Leak Prevention
10. Intrusion Prevention
11. Proactive Patching
12. Restricting Administrative Rights
13. Network Access Control
14. Two-Factor Authentication
15. USB Drive Restrictions
16. Limiting Access to Cloud-Based File Sharing
20. NBAD: Network Behaviour Anomaly Detection. The continuous monitoring of a network for unusual events.
21. Network Forensics: Capturing, recording, and analyzing network events to discover the source of security attacks.
22. NGFW: Next Generation Firewall. Provides multi-layered capabilities in a single firewall appliance instead of a basic firewall and numerous add-on appliances. It integrates: IPS, Deep Packet Inspection, Network App ID and Control, Access Enforcement, Distributed Enterprise Capability, "Extra Firewall" Intelligence, Third Party Management Compatibility, VPN, Application Awareness.
23. Phishing: An email fraud method in which the perpetrator tricks users into giving up personal information. It will appear to come from a well-known site, like Yahoo, saying your account has been compromised, please click on the link to re-enter... etc.
24. PII: Personally Identifiable Information. Sought after by criminals... such as mother's maiden name...
25. Risk Management: Identifying, assessing, and controlling threats to an organization's capital.
26. Sandboxing: A device that detects and analyzes advanced attacks designed to bypass traditional security defences.
27. SIEM: Security Information and Event Management. An approach to security management that seeks to provide a holistic view of an organization's IT security. A centralized system flags anomalies.
28. "Stop, Look and Listen" systems: Perform a basic analysis in memory and save only certain data for analysis.
29. UTM: Unified Threat Management. Allows admins to monitor and manage multiple, complex security applications through a single console. UTM goes beyond the NGFW focus on a high-performance firewall for data centers by incorporating a broader range of security capabilities such as IPS, Anti-malware, Anti-virus, Anti-spam, ID Access Control, Content Filtering, VPN Capabilities, Load Balancing, QoS, SSL/SSH Inspection, Application Awareness.
30. Vulnerability: A flaw in a system that can leave it open to attack.
31. Watering Hole: A perpetrator targets a specific organization by finding out which sites their users often visit and planting the virus on those sites.
32. Web Filtering: A functionality where an admin can explicitly allow or disallow various websites, or pass un-inspected data from trusted websites to accelerate traffic flows.
33. What are some common problems that allow old threats to remain effective?: Unpatched systems, old OS versions, AV/AM signatures not up to date, insufficient budgets to secure the network.
34. What are some of the features of Advanced Threat Protection?: Access Control (layer 2/3 firewall, two-factor authentication), Threat Prevention (IPS, application control, web filtering, email filtering, antimalware), Threat Detection (sandboxing, botnet detection, client reputation, network behaviour analysis), Incident Response (logs and reports, professional services, device quarantine, threat prevention updates), Continuous Monitoring (real-time activity).
35. What are some of the tools in the arsenal of a hacker?: Malware, Social Engineering, Zero-Day Exploits, Insiders, Fake or Forged Certificates.
36. What are some reasons for hacking into a system?: Obtain the IP address of a target, financial gain etc. through card numbers, PII (steal identity), disrupt a business competitor, whistleblowing, sabotage (Stuxnet).
37. What are some Social Engineering techniques?: Spoofing, Phishing, Spearphishing, Watering Hole, Phone calls and impersonation, Malvertising, Social Media Links.
38. What are the 5 main steps a hacker takes to steal information?: Define Target, Research Target, Obtain credentials, Strengthen Foothold, Engage outbound communication.
39. What are the three primary characteristics of a technology threat?: Motivation, Knowledge, Access.
40. What are the two primary tools of hackers?: Social Engineering (tricking people) and Malware.
41. What happened between October 2013 and June 2014?: Major network attacks: Target, Adobe, Heartbleed, Yahoo...
42. What happens if an email with a malicious URL gets through and a user clicks on it?: Web-filtering protection is supposed to stop a user from connecting to a malicious URL...but...some hackers get around this by changing the URL address every few hours so nobody knows it's a bad URL.
43. What happens if the user gets through to a malicious website?: If a user connects to a malicious URL, the user's Intrusion Prevention is supposed to stop it...but...sometimes hackers use encryption to get the malware through.
44. What is a layer 2 switch? (data-link layer): Layer 2 switches operate using physical network addresses. Physical addresses, also known as link-layer, hardware, or MAC-layer addresses, identify individual devices. Most hardware devices are permanently assigned this number during the manufacturing process.

Switches operating at Layer 2 are very fast because they're just sorting physical addresses, but they usually aren't very smart—that is, they don't look at the data packet very closely to learn anything more about where it's headed.
45. What is a layer 3 switch? (network layer): Layer 3 switches use network or IP addresses that identify locations on the network. They read network addresses more closely than Layer 2 switches—they identify network locations as well as the physical device. A location can be a LAN workstation, a location in a computer's memory, or even a different packet of data traveling through a network.

Switches operating at Layer 3 are smarter than Layer 2 devices and incorporate routing functions to actively calculate the best way to send a packet to its destination. But although they're smarter, they may not be as fast if their algorithms, fabric, and processor don't support high speeds.
46. What is a layer 4 switch?: Layer 4 of the OSI Model coordinates communications between systems. Layer 4 switches are capable of identifying which application protocols (HTTP, SNTP, FTP, and so forth) are included with each packet, and they use this information to hand off the packet to the appropriate higher-layer software. Layer 4 switches make packet-forwarding decisions based not only on the MAC address and IP address, but also on the application to which a packet belongs.

Because Layer 4 devices enable you to establish priorities for network traffic based on application, you can assign a high priority to packets belonging to vital in-house applications such as PeopleSoft, with different forwarding rules for low-priority packets such as generic HTTP-based Internet traffic.

Layer 4 switches also provide an effective wire-speed security shield for your network because any company-specific protocols can be confined to only authorized switched ports or users. This security feature is often reinforced with traffic filtering and forwarding features...
47. What is a virus signature?: A unique string of bits, or the binary pattern, of a virus. The virus signature is like a fingerprint in that it can be used to detect and identify specific viruses. Anti-virus software uses the virus signature to scan for the presence of malicious code.
48. What is a VPN?: Connecting to public Wi-Fi networks is a commonplace practice, but these are also excellent avenues for attackers to seize personal information. A virtual private network (VPN) uses simple software to secure an internet connection and give a person greater control of how they appear online. While connected to the VPN, all your network traffic passes through this protected tunnel.
49. What is a Zero-Day Attack?: A vulnerability in a software product allows for the execution of malicious code. Can be spread by spearphishing or a watering hole. Can also be exploited when a software company announces a patch for a previously unknown hole, but the patch doesn't get applied quickly enough by the user.
50. What is Stateful Inspection?: Also called dynamic packet filtering, it is a firewall technology that monitors the state of active connections and uses this information to determine which network packets to allow through the firewall.
51. What is the difference between going with a NGFW bundle and a UTM bundle?: A NGFW-bundled product with a limited set of security layers (if you want to call them so) performs better on the same hardware than the UTM/Security Suite bundle with the full set of functionality; there is no doubt about that. However, going with a NGFW bundle means that you will have to purchase and maintain additional solutions that will take over the missing 'layers of security'. That means extra expenses and more work to manage all together, things you could avoid by correctly sizing the UTM solution you purchase (most vendors publish UTM performance data, so that should not be the problem).
52. What is the difference between the NGFW target market and the UTM target market?: A claim could be made that UTM products are targeted at the SMB market whereas NGFW are targeted to the enterprise.
53. What is the difference between UTM and NGFW?: Almost none. There is really no difference between UTM and NGFW. These are the same technologies with the same capabilities being marketed and promoted as different. Moreover, there is nothing intrinsically unique or revolutionary about NGFWs. These are simply firewalls that have expanded their feature set to include other security functions. Or in other words, NGFW is UTM. Some say NGFW is a subset of UTM.
54. What is the difference between WAF and application-layer security in an NGFW?: A WAF fully controls an entire HTTP/HTTPS session. It can set rules on exactly what kinds of content are allowed. A WAF tends to be more of a "whitelist" approach to securing a web application. A WAF can compensate for a poorly coded web app by only allowing "safe" application-layer functions.

A NGFW/UTM does not control the entire HTTP/HTTPS session (usually). It will only block known attack types. It is more of a "blacklist" approach to web protection. A NGFW/UTM is not going to compensate for a poorly coded web app.

For basic web apps, the protection of a NGFW/UTM is sufficient. But for apps that require additional security, a WAF provides a more robust set of controls that can block both known and unknown attack tactics.

NGFW/UTM do not put WAF features into their products because there is a LOT of processing power required to do WAF correctly. Moreover, there is a limited subset of companies who want WAF. So, for now, WAF has remained a stand-alone technology. It's possible that WAF features could eventually migrate to NGFW/UTM platforms, but given the limited market for WAF, I think this is unlikely.
55. What is the difference between WAF and NGFW?: WAF and NGFW are two different technologies. A Web Application Firewall is specifically for protecting web applications from inbound attacks. WAFs are essentially highly customized reverse proxies that can filter out bad web site requests and content. NGFW and UTM are network-layer firewalls that also offer application-layer security features. Typically, organizations will have a UTM/NGFW and a WAF. The two technologies are complementary.
56. What is the divide between UTM and NGFW essentially a creation of?: The divide between UTM and NGFW is essentially a creation of the marketing people at Palo Alto to make certain vendors seem more competitive than they really are. It is intended to shift the goal posts for the enterprise consumer into a different set of criteria and marginalize established companies, like Fortinet and Astaro, into the basement of "small business."
57. What is the most popular method for initiating an advanced attack?: Sending a malicious email.
58. What was the impetus for UTM?: When upstart UTM companies arose in the mid-2000s, the traditional firewall makers, like Check Point, Cisco, and Juniper, were not prepared for this change. Their reliance on older code and enterprise clients stifled their innovation. Their early UTM-style appliances were clumsy and underpowered. Newer companies like Fortinet and SonicWall were introducing more innovative designs and taking customers, so these companies came up with NGFW to fight back. They said UTM is only good for small business but NGFW is more suitable for the enterprise.
59. Why is an APT persistent?: Once inside the network, there are few systems in place for detection of APTs.