Unit 4 - Practice Quiz

A network security assessment is a systematic process to evaluate the security of a network by identifying potential vulnerabilities, threats, and weaknesses that could be exploited by an attacker.

Nmap (Network Mapper) is a free and open-source utility for network discovery and security auditing. It is widely used to find hosts and services on a computer network, thus creating a 'map' of the network.

A security baseline is a standardized level of minimum security controls that all systems throughout an organization must comply with. It acts as a reference point for future changes and security audits.

Baselines create a consistent security posture across the organization, make it easier to detect deviations or unauthorized changes, and provide a clear, measurable standard for security configurations.

A firewall is a network security device that monitors and filters network traffic, acting as a barrier between a trusted internal network and an untrusted external network, like the internet.

An Intrusion Detection System (IDS) is a passive device or software application that monitors a network for malicious activity or policy violations and reports it to a management station. It is designed to detect, not necessarily to block.

An endpoint is any device that connects to the corporate network. Common examples include laptops, desktops, smartphones, servers, and tablets.

Assessing endpoint security involves checking devices for required security measures like up-to-date antivirus, firewalls, and patches before allowing them to connect to the network, thereby preventing threats from entering.

Antivirus and antimalware software is a foundational element of endpoint security, designed to detect, prevent, and remove malicious software from devices.

Full disk encryption (FDE) encrypts the entire contents of a hard drive, making the data unreadable without the correct decryption key. This is critical for protecting sensitive information if an endpoint like a laptop is physically stolen.

A screen lock is the first line of defense against unauthorized physical access. Using a strong PIN, password, or biometrics (fingerprint/face ID) makes it difficult for someone to access the data on a lost or stolen device.

Unnecessary open services like Bluetooth or Wi-Fi can be potential entry points for attackers. Disabling them when not needed is a hardening technique that reduces the number of ways a device can be attacked, known as reducing the attack surface.

Sideloading refers to the process of installing applications from unofficial sources, bypassing the curated and security-checked official app stores (like Google Play Store or Apple App Store). This practice carries a higher risk of installing malware.

Input validation is a security measure that checks and sanitizes data entered by a user before it is processed by the application. This helps prevent attacks like SQL injection and cross-site scripting (XSS).

Vulnerability scanning is an automated process that identifies security weaknesses in an application or network. It is a key practice for maintaining and enhancing application security.

HTTPS (Hypertext Transfer Protocol Secure) is the secure version of HTTP. It uses SSL/TLS to encrypt the communication between the web browser and the server, protecting the data from eavesdropping and tampering.

The primary purpose of TLS (the successor to SSL) is to provide a secure communication channel between two systems by encrypting the data transmitted between them. This ensures confidentiality and integrity of the data.

In an IaaS model, the cloud provider is responsible for the security of the cloud (physical infrastructure), while the customer is responsible for security in the cloud. This includes securing the operating systems, applications, and data they place on the infrastructure.

Cross-Site Scripting (XSS) is a vulnerability where an attacker injects client-side scripts into web pages viewed by other users. This can be used to steal session cookies, deface websites, or redirect users to malicious sites.

A WAF is specifically designed to protect web applications by filtering and monitoring HTTP traffic. It sits in front of the web application and can block common attacks like SQL injection and Cross-Site Scripting (XSS).

A Next-Generation Firewall (NGFW) is designed to operate at the application layer (Layer 7) and has the capability to perform deep packet inspection on encrypted traffic through SSL/TLS decryption. A NIPS may inspect traffic but often lacks native decryption capabilities. A Layer 2 switch operates at the data link layer, and NAC focuses on authentication and authorization, not deep traffic inspection.

Configuration drift is the term used to describe the process where a system's configuration changes over time, deviating from the established security baseline. This often happens due to manual changes, patches, or unmanaged updates. Baseline Deviation is a general term, but Configuration Drift specifically describes this unintended change over time.

Sandboxing is a security mechanism that provides an isolated environment (the 'sandbox') to execute and analyze suspicious code or files without affecting the host system or network. This is a key feature in advanced threat protection systems for detecting zero-day and polymorphic malware.

Fileless malware operates in memory and leverages legitimate system tools (like PowerShell), so it doesn't have a file 'signature' for traditional AV to detect. Endpoint solutions with heuristic analysis and behavior monitoring (often found in EDR or NGAV) are required to detect such attacks by identifying anomalous activities and system calls.

Application whitelisting is a security policy that allows only pre-approved applications to be executed on an endpoint. This provides a very strong defense against malware and unauthorized software, as any application not on the 'whitelist' is blocked by default. HIDS detects, DLP prevents data exfiltration, and FDE protects data at rest, but none of them directly prevent the execution of unauthorized applications.

Containerization creates a separate, encrypted, and managed partition or 'container' on a mobile device for corporate data and applications. This effectively isolates corporate assets from the user's personal space, allowing for granular control and security without impacting the user's personal data. Full device encryption protects all data but doesn't separate it, while remote wipe and geofencing are control features, not isolation mechanisms.

SAST, also known as 'white-box' testing, analyzes an application's source code, byte code, or binary code for security vulnerabilities without executing the application. This makes it ideal for integration into the early stages of a CI/CD pipeline to find flaws before the code is even compiled or deployed.

The HSTS header instructs browsers that they should only communicate with the site using HTTPS. Once a browser receives this header, it will automatically convert all future http:// requests to https:// requests for that domain, preventing insecure connections and protecting against attacks like SSL stripping.

In the IaaS model, the cloud provider is responsible for the security of the cloud (physical infrastructure, hardware, hypervisor). The customer is responsible for security in the cloud, which includes securing the guest operating systems, applications, data, user access, and virtual network configurations like firewall rules.

EDR solutions are specifically designed for this purpose. They continuously monitor and collect endpoint data, providing the visibility and historical context needed for threat hunting and incident investigation. They also offer response capabilities like isolating hosts, terminating processes, and deleting files, which are crucial for containing threats.

Port Security can be configured to limit the number of MAC addresses allowed on a specific port and to specify which MAC addresses are allowed. DHCP Snooping helps prevent rogue DHCP servers and validates DHCP traffic, indirectly helping to control which devices get an IP address on the network. Together, they provide strong control over which devices can connect and communicate.

Disabling sideloading (installing apps from outside the official app store) and using MDM controls to detect and block rooted (Android) or jailbroken (iOS) devices are direct hardening techniques. These actions prevent users from bypassing built-in OS security controls and installing potentially malicious applications from untrusted sources.

While a traditional IDS often relies heavily on signatures of known threats, an NDR solution excels at identifying unknown threats and sophisticated attacks. It does this by baselining normal network behavior and then using machine learning and advanced analytics to detect anomalous activities, such as an attacker moving laterally within the network, which signature-based systems would likely miss.

Adaptive MFA (also called risk-based authentication) is an advanced form of MFA that dynamically adjusts the authentication requirements based on the user's context and risk profile (e.g., location, device, time of day, login behavior). It provides strong protection against brute-force attacks by introducing a second factor only when the risk is elevated, offering a balance between security and user experience.

Sender Policy Framework (SPF) is an email authentication method designed to detect forged sender addresses during email delivery. An SPF record in the DNS allows a receiving mail server to check if an incoming mail from a domain comes from a host authorized by that domain's administrators.

A WAF is a specialized firewall that operates at the application layer (Layer 7) to protect web applications. It is explicitly designed to understand and filter HTTP/S traffic, allowing it to identify and block common web-based attacks like XSS, SQL injection, and directory traversal that a network firewall or a generic IPS might miss.

UEM (or similar tools like SCCM) are designed to manage and enforce policies on endpoints. They can query devices for their configuration state (e.g., encryption status, software versions, service status) and report on compliance, making them the most efficient tool for this specific task. A SIEM collects logs, and a vulnerability scanner looks for CVEs, but neither is primarily for configuration compliance assessment.

Data Loss Prevention (DLP) solutions are designed to monitor, detect, and block sensitive data from leaving the corporate network. An endpoint DLP agent can enforce granular policies on peripheral devices, such as allowing access only to specific, encrypted USB models while blocking all others, and can inspect data content to prevent unauthorized transfers.

Network segmentation is the practice of splitting a computer network into smaller subnetworks or segments. This is a core security principle used to contain security breaches, control traffic flow, and improve performance. By isolating segments with firewalls or ACLs, an attack that compromises one segment is prevented from easily spreading to others.

Remote wipe is a security feature that allows a network administrator or device owner to send a command to a computing device to delete all data. This is a critical capability in mobile device management (MDM) for responding to theft or loss to prevent a data breach. Device Lock only prevents access, while geolocation tracks the device's location, neither of which deletes the data.

While all options are valid security activities, adversarial emulation specifically aims to mimic the tactics, techniques, and procedures (TTPs) of real-world threat actors. Given the concern about state-sponsored actors, this approach provides the most realistic test of the organization's detection and response capabilities (the 'defensive capabilities') against the actual threats they face. A standard vulnerability scan, compliance audit, or configuration review would not effectively simulate the behavior and persistence of a sophisticated adversary.

The key indicators are the switch to a non-standard record type (TXT) for outbound queries, the destination being various external domains, and the activity originating from multiple workstations. This pattern is a classic signature of DNS tunneling, a covert channel used for C2 communication or data exfiltration. While a new application could cause this, the distributed and external nature of the queries makes an attack the most pressing and likely explanation. DNS cache poisoning affects the integrity of responses, it doesn't typically change the nature of outbound queries from clients in this manner.

The core of the problem was the attacker 'living off the land'—using legitimate tools and credentials. Traditional signature-based or rule-based systems (like IPS and basic SIEM rules) often miss this. A UEBA platform excels here by creating a baseline of normal behavior for each user and entity (like a workstation). When the attacker uses the compromised credentials to perform actions that are anomalous for that specific user (e.g., an accountant using PsExec to access a developer's machine), the UEBA system can detect this deviation and flag it as a high-risk threat. SOAR automates responses but doesn't improve detection; a better NGFW or sandbox wouldn't have stopped the lateral movement post-compromise.

Since the malware is described as 'fileless' and residing 'only in memory', disk-based forensics will likely miss the primary artifacts of the running malicious code. Similarly, a disabled EDR and a fileless nature suggest a standard AV scan would be ineffective. While event logs are useful for context, they won't reveal the in-memory malicious code itself. A memory dump is the only method that captures the live state of the system's RAM, allowing an analyst to find injected code, hidden processes, network connections, and other artifacts that do not exist on the disk, which is essential for investigating fileless malware.

This approach provides the best balance of security and functionality. Path-based rules are weak because an attacker who compromises the directory can replace the executable. 'Audit only' mode doesn't enforce security. Adding the vendor as a trusted publisher is risky if the application is unsigned; even if it were signed, this trusts all software from that vendor, which may be too broad. Creating a specific hash rule for each verified legacy binary is the most granular and secure method. It ensures that only that exact, vetted version of the application can run, preventing it from being replaced by malware, while standard, signed applications can be managed efficiently with publisher rules.

Simple file-based root detection (Option A) is trivial for a determined attacker to bypass. MDM (Option B) is effective for managed corporate devices, but not for an application available to the general public on unmanaged devices. Standard OS sandboxing (Option D) is a baseline security feature but does not prevent a compromised OS (a rooted device) from tampering with the application's environment. Remote attestation (Option C) is the most robust solution because it relies on a hardware-backed keystore and a trusted verifier (Google/Apple). The application gets a cryptographically signed statement from the service about the device's integrity, which is much harder for an attacker to spoof than a simple client-side check.

RASP is designed specifically for this use case. It instruments the application from within and has context of the code execution, data flow, and business logic at runtime. This allows it to detect and block attacks like insecure deserialization in real-time. SAST (B) cannot understand runtime business logic, and DAST (A) tests from the outside-in, often missing complex internal flaws. IAST (C) is a testing tool, not a production protection mechanism. RASP provides the runtime protection required, directly addressing the stated concerns for a production environment.

This is a classic DNS Rebinding attack. The attacker controls the DNS server for attacker.com. When the victim's browser first queries subdomain1.attacker.com, the attacker's DNS server responds with a very short Time-to-Live (TTL) and a public IP. The browser makes the connection, and the attacker's server serves malicious JavaScript. After the TTL expires, the JavaScript makes another request, but this time when the browser resolves the same domain name, the attacker's DNS server 'rebinds' it to an internal IP (192.168.1.50). The browser's Same-Origin Policy is bypassed because the domain name is the same, allowing the malicious script to interact with and exfiltrate data from the internal server. It's not SSRF because the request originates from the client-side browser, not a server. It's not cache poisoning because the authoritative DNS server is malicious by design.

This is the core function of a CSPM tool. CSPM solutions are designed to identify misconfiguration issues and compliance risks in the cloud. They continuously monitor the cloud environment's configuration against a baseline (e.g., CIS benchmarks, internal policies), detect drifts like publicly accessible storage, and often provide automated remediation capabilities. A CASB focuses on securing access between users and cloud applications. A CWPP focuses on protecting the workloads (VMs, containers) themselves. A WAF protects web applications from attacks like SQLi/XSS, but it does not monitor the configuration of the underlying cloud infrastructure.

The blue team successfully detected the host-based activity (data staging) but failed to detect the network-based exfiltration. The exfiltration method was designed to evade simple detection: it was slow, used a common protocol (HTTPS), and went to legitimate destinations (cloud storage). A signature-based IDS would likely miss this. This points to a failure in analyzing network behavior. A robust NTA capability would baseline normal traffic patterns (e.g., volume, destination, frequency) and would be able to flag the anomalous, sustained data transfer to external services, even if it's encrypted and slow, as a deviation from normal behavior.

This option is the only one that resolves the operational conflict without compromising the security posture. Re-enabling Telnet (Option A) reintroduces a significant vulnerability (unencrypted credentials). Rolling back the baseline (Option B) negates the security improvement. Accepting the loss of monitoring (Option C) creates a different, significant operational risk. The correct approach is to remediate the root cause by modernizing the dependent system (the monitoring tool) to comply with the new, more secure baseline. This aligns security and operations for a long-term, sustainable solution.

The core tenet of Zero Trust is the elimination of implicit trust within the internal network. Micro-segmentation is the primary technology that achieves this by creating granular security boundaries around individual workloads or applications. It allows the enforcement of strict 'allow-list' policies for all communication (east-west traffic), ensuring that even if one workload is compromised, it cannot easily communicate with or attack others. While the other options are valuable components of a secure network, micro-segmentation is the most direct and foundational implementation of the internal Zero Trust principle of treating all network traffic as untrusted.

This option represents the principle of least privilege in alert tuning. A global exclusion (Option A) is dangerously broad and would allow attackers to use PowerShell undetected. Disabling the rule entirely (Option B) creates a significant blind spot, as this technique is commonly used by attackers. Manually closing the alert (Option D) does not solve the underlying problem and leads to alert fatigue. By creating a highly specific suppression rule that incorporates context—such as the user's identity/group and the specific script's hash—the organization can filter out the known good behavior without weakening its ability to detect the same TTP when used by an unauthorized user or a different script.

This phased approach is the standard best practice for implementing complex security tools like HIPS that can have high operational impact. Deploying in blocking mode immediately (Option A) is guaranteed to cause the issues seen in the pilot. Whitelisting the entire executable (Option B) effectively makes the application immune to HIPS protection, defeating its purpose. Disabling the most valuable feature (behavioral analysis) (Option D) significantly reduces the tool's effectiveness. The correct strategy is to use the learning/monitoring mode to build a high-fidelity baseline of what constitutes 'normal' for the specific environment and applications, then create precise rules to allow that behavior before enabling blocking. This maximizes security while minimizing false positives and operational disruption.

This scenario describes a Man-in-the-Middle (MitM) attack facilitated by a user-installed trusted root CA. Certificate Pinning is the technique designed to defeat this. With pinning, the mobile application is hard-coded to only trust a specific server certificate (or the public key of that certificate). When the app initiates a TLS connection, it compares the server's certificate to its pinned certificate. If they don't match—as would be the case with a MitM proxy that generates its own certificate on the fly—the application will refuse the connection, even if the proxy's certificate is signed by a CA that the device's operating system trusts. The other options are not the primary defense: root detection can be bypassed, obfuscation makes reverse engineering harder but doesn't stop MitM, and strong crypto suites don't help if the client is tricked into trusting the attacker's CA.

This question highlights a critical nuance between SAST and SCA. A traditional SCA tool's primary job is to match library versions against a database of known CVEs (e.g., log4j version 2.14 is vulnerable). A traditional SAST tool analyzes the source code written by the developers for patterns of vulnerabilities (e.g., SQL injection). The gray area is the interaction between first-party and third-party code. In this case, the vulnerability is not just the presence of the library, but the insecure usage of its functions. A basic SAST tool often lacks the context to understand the internal workings and security implications of third-party library calls. More advanced SAST tools or modern SCA tools are beginning to bridge this gap with deeper analysis, but fundamentally, this is a known blind spot for traditional SAST.

In TLS 1.2 and earlier, the SNI field, which reveals the hostname the client is trying to connect to, is sent in plaintext. This allows passive security devices to see the destination hostname even in encrypted traffic. A key privacy and security enhancement in TLS 1.3 is the ability to encrypt this information via ESNI/ECH. If the attacker and their malware leverage this feature, the SIEM rule based on inspecting the plaintext SNI field will fail because the field is no longer in plaintext. Option C is incorrect; the entire ClientHello is not encrypted, but specific extensions within it (like SNI) can be. Self-signed certs and weak ciphers are different issues and wouldn't stop an SNI-based rule from firing if the SNI were visible.

While a WAF (A) can help, sophisticated SSRF payloads can often bypass it. Egress filtering at the node level (B) is too broad and doesn't provide granular, pod-level control. Vulnerability scanning (D) is a detection measure, not a mitigation for an existing flaw. A Kubernetes Network Policy (C) is the most precise and effective control for this specific problem. It operates at L3/L4 within the cluster and can enforce a policy stating 'This pod is not allowed to initiate traffic to the IP range of the Kube API server or the metadata service.' This directly blocks the malicious pivot attempt at the source, even if the SSRF vulnerability itself is successfully exploited, adhering to the principle of least privilege for network access.

This question targets the protection of data-in-use. Encryption-at-rest protects data on disk, and encryption-in-transit protects it on the network. However, data must typically be decrypted in memory (RAM) for the CPU to process it. This is where a compromised hypervisor or malicious admin could potentially access it. Confidential Computing solves this by creating a hardware-based trusted execution environment (TEE), or an 'enclave'. Data is only decrypted inside this secure enclave, and even the host OS/hypervisor cannot access the memory contents. This specifically protects data-in-use. Homomorphic encryption is a different technique that allows computation on ciphertext but is currently very performance-intensive. Client-side encryption protects data before it reaches the cloud, but it still must be decrypted for processing. An HSM protects keys, but not the data being processed by the CPU.

While the other options point to individual failures, the core issue is the breakdown of the overall security strategy. The success of the attack relied on the combination of multiple, independent failures. A strong defense-in-depth model assumes that individual controls may fail and therefore requires layered, compensating controls. This scenario shows that each layer had a weakness that, when chained, became a critical threat. The key takeaway is the failure to assess aggregate risk—how multiple low-risk findings can create a high-risk attack path. A mature security capability evaluation looks beyond individual CVE scores and analyzes how the entire system of controls performs against a realistic attack chain.