Unit 3 - Practice Quiz

A firewall acts as a barrier between a trusted internal network and an untrusted external network, filtering traffic to protect against unauthorized access.

SSH (Secure Shell) is a cryptographic network protocol used for secure remote login and other secure network services over an unsecured network. It replaced the insecure Telnet protocol.

An IDS is a monitoring system. Its primary role is to detect potential security breaches and report them, but unlike an Intrusion Prevention System (IPS), it does not actively block the activity.

The Principle of Least Privilege is a fundamental security concept that minimizes risk by ensuring users, programs, or processes have only the minimum access levels necessary for their function.

Encryption transforms plaintext data into unreadable ciphertext using an algorithm, protecting its confidentiality so that only authorized parties can read it.

Server hardening aims to reduce the server's attack surface. Changing default credentials and removing unneeded software or services are critical initial steps.

Physical security involves protecting hardware from unauthorized physical access, theft, or damage. A locked door is a fundamental physical security control.

VLANs allow network devices on different physical LAN segments to be grouped into one logical network, improving security and network management by isolating traffic.

This is a security best practice. It ensures that the firewall operates on a principle of 'default deny,' where only specifically permitted traffic can pass through.

HTTPS stands for Hypertext Transfer Protocol Secure. The 'Secure' part indicates that the communication between your browser and the website is encrypted using SSL/TLS.

Multi-Factor Authentication (MFA), often Two-Factor Authentication (2FA), enhances security by requiring two or more different methods of verification to grant access.

Software vendors release patches to fix bugs and, more importantly, to close security holes that have been discovered. Patch management is a critical part of server hardening.

A UPS contains a battery that provides power to connected equipment for a short period during a power failure, allowing for a graceful shutdown and preventing data loss.

A VPN creates a secure 'tunnel' for your data to travel through when using public networks like the internet, protecting it from eavesdropping.

An Intrusion Detection System (IDS) is passive, functioning like a burglar alarm. An Intrusion Prevention System (IPS) is active, functioning like a security guard who can stop a break-in.

The Bell-LaPadula model is known for its rules like 'no read up, no write down,' which are designed to prevent information from flowing to a less secure classification level, thus protecting confidentiality.

RBAC simplifies administration by managing permissions for roles, not individual users. A user inherits the permissions of the role(s) they are assigned to.

A basic packet-filtering firewall makes its decisions based on information in the network and transport layer headers, such as source/destination IP addresses (Layer 3) and port numbers (Layer 4).

Server hardening is the general term for the process of securing a system by reducing its vulnerabilities. This is often achieved by removing unnecessary software, accounts, or services.

A hypervisor, or virtual machine monitor (VMM), is the software or firmware that allows one host computer to support multiple guest virtual machines by sharing its resources.

The standard security practice for firewalls is to follow an 'implicit deny' or 'default deny' policy. This involves explicitly defining all ALLOW rules first and then ending with a single DENY ALL rule. This ensures that only specified traffic is permitted and everything else is blocked. Option A is incorrect because a DENY ALL rule at the beginning would block all traffic, making subsequent ALLOW rules useless.

TLS 1.3 is the latest and most secure version of the Transport Layer Security protocol, offering improved security and performance. SSL 3.0 is highly vulnerable (e.g., POODLE attack) and must be disabled. A self-signed certificate will cause trust warnings in browsers and does not provide proper authentication from a trusted third party. FTPS is for secure file transfer, not for general web traffic (HTTP).

Anomaly-based (or behavior-based) detection systems work by establishing a baseline of normal activity and then flagging any significant deviations. Since the alert was for unusual traffic at an odd time and did not match a known signature, an anomaly-based system is the most likely source. A HIDS is plausible as it monitors a specific host's behavior. A signature-based system would not catch this, as there was no signature match. A stateful firewall tracks connections but doesn't typically analyze behavior patterns.

The principle of least functionality dictates that a system should only have the services and software required to perform its primary role. By uninstalling unneeded packages, you remove potential vulnerabilities associated with that software, directly reducing the attack surface. While the other options are also good hardening practices, they do not directly relate to the principle of least functionality.

Role-Based Access Control (RBAC) is specifically designed for this scenario. In RBAC, permissions are associated with roles (e.g., 'Database Admins', 'Accountants'), and users are assigned to these roles. This simplifies administration and enforces policies based on job function. DAC is user-centric, and MAC is data-centric based on security labels.

A mantrap is a physical security control consisting of a small room with two doors, where the first door must close before the second can be opened. This system forces individuals to be authenticated one at a time, making it the most effective technical control for preventing tailgating. While biometrics, CCTV, and guards are valuable, the mantrap is the specific solution for this problem.

An 'Internal-only' network creates a completely isolated virtual switch that only the VMs connected to it can use. They can communicate with each other but have no connectivity to the host machine or the external network. 'Host-only' is similar but allows communication with the host machine. 'Bridged' connects the VM directly to the physical network, and 'NAT' allows outbound connections from the VM to the external network.

The Biba Integrity Model is focused on maintaining data integrity. Its core principles are 'no read down' (a subject cannot read data at a lower integrity level) and 'no write up' (a subject cannot write data to a higher integrity level). The 'no write down' rule mentioned in similar models also aligns with the Biba philosophy of preventing contamination of high-integrity data. Bell-LaPadula is focused on confidentiality ('no read up', 'no write down').

This command uses the connection tracking (conntrack) module to identify packets that are part of an already ESTABLISHED connection or are RELATED to one (like FTP data connections). Allowing this traffic is a fundamental part of a stateful firewall configuration, as it lets the server respond to legitimate requests it initiated or accepted, while a default deny policy can block new, unsolicited connections.

A 'fail-closed' or 'fail-secure' state is when a security device blocks all traffic upon failure. This prioritizes security over availability, as it prevents potentially malicious traffic from passing through uninspected. The opposite is 'fail-open', where the device would act as a simple wire and allow all traffic to pass, prioritizing availability over security.

Using a Managed Service Account (MSA) or Group Managed Service Account (gMSA) is the modern best practice. These accounts have automatically managed passwords and can be granted very specific, minimal permissions required for the application to function. This perfectly embodies the principle of least privilege. Using powerful built-in accounts like Local System, Network Service, or any administrator account grants excessive privileges.

PPTP is an outdated VPN protocol with numerous well-documented security vulnerabilities, particularly in its use of the MS-CHAPv2 authentication protocol. It is susceptible to brute-force attacks and is considered insecure for modern use. OpenVPN, IPsec/IKEv2, and WireGuard are all considered secure and robust modern alternatives.

Multi-factor authentication relies on combining different categories of factors. A password is 'something you know'. A physical USB security key is 'something you have'. This combination provides a strong two-factor authentication (2FA) solution. 'Something you are' refers to biometrics (e.g., fingerprint, face scan).

Running a process in a 'chroot jail' or a modern container (like Docker) restricts its view of the filesystem and limits its ability to interact with the host operating system. If the web server process is compromised, the attacker is confined to this isolated environment, preventing them from escalating their attack to the rest of the server. This is a powerful application-level hardening technique.

The HVAC system is responsible for maintaining the ambient temperature and humidity within a server room to ensure equipment operates correctly. An alert about excessive temperature indicates a failure or inadequacy of the cooling component of the HVAC system. The UPS provides backup power, and a fire suppression system deals with fires.

A honeypot is a decoy computer system set up to attract and trap cyberattackers. It appears to be a legitimate part of the network but is actually isolated and monitored. Its purpose is to gather information about the identity, methods, and motives of attackers without putting any production systems at risk.

The Clark-Wilson model is highly focused on commercial data integrity and is built around the concept of well-formed transactions. It requires that data can only be modified through trusted procedures (Transformation Procedures), enforces separation of duties, and mandates strong auditing. This makes it a perfect fit for systems like financial or medical records where the integrity of transactions is paramount.

Static NAT creates a one-to-one, persistent mapping between a public IP address (and often a specific port) and a private IP address. This is commonly used to make an internal server, like a web server, accessible from the internet. It is also known as port forwarding or destination NAT. PAT and Dynamic NAT are typically used for outbound connections from many internal clients sharing one or a few public IPs.

This entry is the most precise application of the principle of least privilege. It specifies the exact user (webadmin), the command they can run (/usr/sbin/service), and the specific arguments (httpd restart). This prevents the user from using sudo service to restart other critical daemons. Granting access to ALL, /bin/bash (a root shell), or the entire service command would provide excessive, unnecessary permissions.

Both SCP and SFTP are built on top of the SSH protocol. They provide strong encryption for data in transit and natively support public key authentication, which is ideal for automated, non-interactive scripting. FTP and Telnet are insecure as they transmit credentials and data in cleartext. TFTP is also insecure and has very limited functionality.

A stateful firewall tracks connections based on their state. A legitimate new TCP connection must start with a SYN packet. Any non-SYN packet arriving without a corresponding entry in the connection tracking table is considered invalid or part of a potential scanning attempt. The most secure and common response is to silently drop the packet (DROP) to prevent the attacker from gaining any information about the firewall's presence or the state of the target port. Forwarding it or sending a RST/ICMP message would leak information.

A return-to-libc attack works by overwriting the return address on the stack to point to a function within a standard library (like system() in libc), thereby bypassing non-executable stack protections. ASLR is the primary defense here because it randomizes the memory location of libc each time it's loaded. This makes it extremely difficult for the attacker to know the correct address of the system() function to jump to. While PIE randomizes the executable's base and SELinux provides mandatory access control, ASLR specifically targets the location of shared libraries, which is the core of a return-to-libc attack.

A standard NIDS placed on a network segment cannot inspect the contents of encrypted traffic (like HTTPS) without being configured for SSL/TLS inspection, which requires the server's private keys to decrypt the traffic (acting as a man-in-the-middle). Since the NIDS does not have these keys, the application layer payload containing the SQL injection string remains encrypted and unreadable. Therefore, the signature /(?i)union\s+all\s+select/ will never be matched, resulting in a false negative (the attack occurs but is not detected). Inference based on packet size/timing is unreliable for specific signature matching.

The Biba Integrity Model is the inverse of Bell-LaPadula. Its goal is to protect data integrity. The rules are: 1) The Simple Integrity Axiom ('no read down'): A subject cannot read an object of lower integrity. This prevents high-integrity processes from being contaminated by low-integrity data. 2) The *-Integrity Axiom ('no write up'): A subject cannot write to an object of higher integrity. This prevents low-integrity processes from corrupting high-integrity data. In the scenario:

• The low-integrity process writing to the high-integrity database violates the 'no write up' rule (the *-Integrity Axiom).
• The high-integrity process being blocked from reading the low-integrity file shows the 'no read down' rule (the Simple Integrity Axiom) being correctly enforced.

The scenario requires connecting two entire networks, which dictates the use of Tunnel Mode. Tunnel mode encapsulates the original IP packet (with internal 10.x.x.x addresses) inside a new IP packet (with the gateways' public IP addresses). The requirement to leave original headers 'intact' refers to them being present inside the encrypted payload, not as the outer headers. Transport Mode would not work because it retains the original IP header, which would be the private 10.x.x.x addresses, and these are not routable over the internet. Since a NAT device is present, standard ESP (IP Protocol 50) will likely be blocked. NAT Traversal (NAT-T) is required, which encapsulates the ESP packet within a UDP packet (usually on port 4500), allowing it to pass through the NAT device.

OpenFlow-enabled switches process packets by matching them against a series of flow rules in a flow table, processed in order of priority. A common configuration is to have a low-priority 'catch-all' rule that allows general traffic. If the new, more specific FTP-blocking rule was installed with a priority value lower than a more general 'allow TCP' rule, the general rule would be matched first, and the packet would be forwarded before the blocking rule is ever evaluated. This is a frequent and subtle misconfiguration issue in SDN deployments. The other options are less likely if the controller dashboard shows the policy as successfully pushed, which implies that the APIs and translation are likely working.

The key defense of FIDO2/WebAuthn against phishing is origin binding. When the user attempts to log in, the browser communicates the origin (e.g., https://login.company.com) to the security key. The key then uses this origin as part of the data it cryptographically signs. The attacker's phishing site will have a different origin (e.g., https://login.company.com.evil.net). When the server receives the signed response, it checks the signature against the expected origin. Since the signature was generated for the wrong origin, the validation will fail. In contrast, a user can be tricked into entering their password and a valid TOTP code into the phishing site, which the attacker can immediately relay to the real site to gain access. The MitM simply passes the valid code along.

This is a complex physical security problem. An IR beam can be defeated by stepping over it or by two people walking very close together. A pressure mat can be fooled by two lighter individuals or triggered by heavy equipment, leading to false positives or negatives. A PIR sensor just detects motion/heat and cannot reliably count individuals. A 3D imaging/stereoscopic sensor is the most advanced and effective solution. It can build a three-dimensional model of the space, distinguish between one large object (a server) and two distinct human shapes, and perform accurate people counting, thus reliably detecting tailgating attempts while ignoring inanimate objects.

This scenario highlights two critical limitations of VLANs that VXLAN overcomes. First, the 802.1Q VLAN standard uses a 12-bit VLAN Identifier (VID), which allows for a theoretical maximum of VLANs (with 0 and 4095 reserved), making it impossible to support 5000 isolated networks. Second, VLANs are a Layer 2 technology. Extending a VLAN (a single broadcast domain) across a Layer 3 WAN is complex, brittle, and not scalable. VXLAN (Virtual Extensible LAN) solves both problems by using a 24-bit VXLAN Network Identifier (VNI) for up to 16 million segments and by encapsulating the Layer 2 frame inside a UDP packet, which can be easily routed across any standard Layer 3 network. Therefore, both the scale and the L3 transport requirements make VXLAN the only choice.

The noexec mount option prevents the kernel from executing binary files directly from that filesystem via the execve() system call. However, it does not prevent a program (an interpreter like /usr/bin/php or mod_php running within the Apache process) from opening a file, reading its contents as data, and then executing the instructions within its own process space. In this case, the Apache/mod_php process, which is running from a filesystem without noexec (like /usr/sbin/), reads the shell.jpg file and interprets the PHP code inside it. The execution context is the Apache process, not a new process launched from the uploads directory. This is a classic and critical limitation of noexec for protecting against web script execution.

While both NGFWs and WAFs operate at the application layer, a WAF is a specialized tool built specifically for web application security. It terminates the TLS session, allowing it to inspect the decrypted HTTP request in its entirety. Crucially, a WAF understands the context of web traffic—it can parse file uploads, analyze parameter inputs, and apply complex rules based on application logic (e.g., 'a file uploaded to this endpoint should never contain executable code'). An NGFW, while having some application awareness, typically operates on more general signatures and protocol conformance. It is less likely to have the deep, application-specific context to identify a novel RCE exploit within a legitimate-looking file upload. The WAF's specialization gives it a significant advantage in this scenario.

The core of the Clark-Wilson model is ensuring integrity through well-formed transactions. This is achieved by having certified Transformation Procedures (TPs) be the only way to manipulate Constrained Data Items (CDIs). The certification process is supposed to formally verify that a TP will always transform a CDI from one valid state to another valid state. In this case, the TP leaves the system in an inconsistent state (money is debited but not credited), which is an invalid state. This represents a failure in the certification and vetting of the TP itself. While an IVP might later detect the inconsistency, the root cause of the integrity violation is the faulty TP being certified and put into use.

In TLS 1.3, 0-RTT allows a client to send application data in its first message to the server, using a pre-shared key (PSK) from a previous session. The critical vulnerability here is that an attacker who captures these initial 0-RTT packets can 'replay' them to the server, and the server might process the request multiple times. For example, if the request was POST /api/transfer?amount=100, a replay attack could cause multiple transfers. Therefore, the primary risk is replay attacks. The standard mitigation is for the application layer to ensure that any request sent via 0-RTT is idempotent, meaning that processing it multiple times has the same effect as processing it once (e.g., a GET request is idempotent, but a request to create a resource is not).

Most robust access control systems, including those from major cloud providers like AWS, operate on the principle that an explicit Deny policy will always override an Allow policy. Even though the user's DatabaseAdmin role grants db:Write, their membership in the ProjectAuditor role brings in a Deny for that same permission. The Deny takes precedence, and the db:Write permission is revoked. The db:Read permission from the ProjectAuditor role is unaffected. Therefore, the user's final effective permission is db:Read only. This demonstrates the critical security concept of precedence of explicit denial, ensuring that restrictive policies can be safely applied for auditing or emergency lockdown roles without being accidentally overridden by permissive roles.

This is a classic example of a false positive. The behavior of the monitoring application—sending UDP probes to various ports—technically mimics the behavior of a UDP port scan. The IDS signature, based purely on this traffic pattern, is therefore technically correct in its match. However, from a security operations perspective, the alert is false because the underlying activity is legitimate and benign. The problem lies with the IDS signature being too generic and lacking the specific context to differentiate between a malicious scan and a legitimate application's keep-alive or discovery mechanism. The correct action would be to tune the IDS, perhaps by whitelisting the partner's IP address for this specific signature.

This question requires analyzing the role of the server to determine what is truly unnecessary. sshd is essential for remote administration. chronyd/ntpd is critical for accurate time, which is important for logs and TLS certificate validation. rsyslogd is crucial for security logging. rpcbind, however, is a service used to map RPC program numbers to network ports, primarily used by services like NFS and NIS. An API gateway has absolutely no need for these services. Historically, rpcbind and other RPC services have been a source of numerous security vulnerabilities (e.g., amplification attacks, information leaks). Therefore, on a hardened, single-purpose server like this, rpcbind represents a significant and completely unnecessary attack surface and should be disabled.

This question tests a deep understanding of nftables and connection tracking. Let's trace the packets:

1. Client -> Server (SYN): The initial SYN packet from 192.168.1.10 to 10.0.0.5:22 arrives. ct state is new. The packet matches the first rule (ip saddr 192.168.1.0/24 tcp dport 22 ct state new,established accept). The action is accept. The packet is forwarded.
2. Server -> Client (SYN/ACK): The return packet arrives. The connection tracker now sees this packet as part of an existing connection and marks its state as established. This packet will now match the second rule (ct state related,established accept). The action is accept. The packet is forwarded.
3. Client -> Server (ACK): This packet is also established and is accepted by the second rule.

The first rule correctly allows the initial packet, and the second, more general rule correctly allows all subsequent traffic for any established connection. The ruleset is functional and will allow the SSH connection to be established.

This scenario highlights the weakness of traditional network segmentation. While VLANs isolate traffic between tiers (e.g., Production vs. Dev), all servers within the Production VLAN can communicate freely with each other. This allows for rapid lateral movement of malware. Microsegmentation solves this problem by treating each individual virtual machine or workload as its own security perimeter. By applying a stateful, default-deny firewall policy to each workload's virtual NIC, you can enforce a 'zero-trust' model. Communication is explicitly whitelisted, meaning one production web server cannot talk to another unless there is a specific rule allowing it. This would effectively contain the worm to the first machine it compromises, preventing lateral spread. The other options are ineffective for this specific problem: 802.1X is about network admission control, an edge NGFW doesn't see intra-VLAN traffic, and VXLAN provides isolation at the same level as VLANs (just more scalably) unless paired with a microsegmentation solution.

Unconstrained Delegation is an extremely dangerous configuration. When a user authenticates to a service with unconstrained delegation enabled, a copy of their TGT is forwarded and cached in memory on that service's host (the web server). If an attacker compromises this web server, they can use tools like Mimikatz to extract any TGTs cached in the LSASS process memory. If a privileged user like a Domain Admin has recently authenticated, the attacker can steal their TGT. With the Domain Admin's TGT, the attacker can then request service tickets for any service in the domain, effectively becoming a Domain Admin. This is a classic privilege escalation and lateral movement technique. Kerberoasting targets accounts with SPNs, and pass-the-hash is an NTLM-related attack; while both are valid attacks, they are not the direct result of unconstrained delegation.

While a Faraday cage (Option A) is the most effective solution, it is also extremely expensive and complex to build and maintain correctly (e.g., requiring special doors and filtered power/HVAC). RF jamming (Option B) is often illegal and can interfere with legitimate wireless devices. A large physical perimeter (Option C) is often impractical inside an existing building. The most practical and cost-effective mitigation is to address the primary sources of emanation. Copper network cables act as effective antennas for leaking data-carrying signals. Replacing them with fiber-optic cables completely eliminates this vector, as fiber transmits data as light, which has no significant electromagnetic emanation. Properly grounding server chassis helps to reduce overall emissions. This combination provides a significant reduction in risk for a fraction of the cost of a full Faraday cage.