Appendix A

Answers to Written Labs

The written labs are intended to give you an opportunity to either verbalize or put down in writing the concepts that you learned in each chapter. As a learning or memory tool, sometimes it's beneficial to rephrase terms, definitions, and ideas into your own words. The four questions at the end of every chapter are intended to prompt you to think about the chapter content.

Following are some brief answers for each of the written lab questions. These answers should steer you in the correct direction. For this to be beneficial, read the brief answers and elaborate on them in your own words. It's important that you know and understand the concepts and not just memorize facts, figures, and data.

Chapter 2

  1. The implicit deny rule states that unless something (such as traffic on a network) is explicitly allowed, it is denied. It isn't used to deny all traffic but instead to deny all traffic that isn't explicitly granted or allowed. Implicit deny usually refers to the bottommost rule in a rule stack. Should no other rule explicitly allow the traffic, then the implicit rule would deny the traffic.
  2. As a security concept, availability ensures that data, applications, and network access are available to users.
  3. The security AAA triad consists of authentication, authorization, and auditing/accounting.
  4. The three primary security categories are prevention, detection, and recovery. Prevention, of course, includes activities that may be used to prevent attacks or prevent the loss of or damage to an asset. Detection is the use of controls and devices that detect anomalies, signatures, or activity that trigger either an alarm or some course of action to control the event. Recovery is returning to normal or to a state just prior to an attack event.
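To make the implicit-deny rule in answer 1 concrete, here is an added example (not from the book) of a first-match rule stack evaluator: the rule list and addresses are constructed, and anything no rule explicitly allows falls through to the implicit deny at the bottom, which the log helper makes visible.

```python
from ipaddress import ip_address, ip_network

# Constructed rule stack, read top to bottom; the first matching rule decides.
# Each rule is (action, source network, destination port or None for any port).
RULES = [
    ("deny",  "192.168.1.0/24", None),   # explicit deny for one subnet
    ("allow", "10.0.0.0/8",     22),
    ("allow", "0.0.0.0/0",      443),
]

def evaluate(rules, src, dport):
    """Return (action, matched rule index); index is None when the implicit deny applied."""
    addr = ip_address(src)
    for i, (action, net, port) in enumerate(rules):
        if addr in ip_network(net) and (port is None or port == dport):
            return action, i
    return "deny", None    # the bottommost, implicit rule: nothing explicitly allowed it

def log_line(rules, src, dport):
    """Defender-side view: record which rule decided, so implicit-deny hits show up in logs."""
    action, idx = evaluate(rules, src, dport)
    rule = "implicit-deny" if idx is None else f"rule#{idx}"
    return f"{action.upper()} src={src} dport={dport} by={rule}"

if __name__ == "__main__":
    for src, port in [("10.1.2.3", 22), ("10.1.2.3", 23), ("192.168.1.5", 443), ("8.8.8.8", 80)]:
        print(log_line(RULES, src, port))
```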

Chapter 3

  1. Federated access is a single sign-on technique that involves sharing properly authenticated user information with third-party entities that are grouped through contractual agreement. A typical illustration is a travel booking website. Once the user is logged in and authenticated, they can access hotel, flight, and car rental information and make reservations from other websites.
  2. A primary vulnerability to single sign-on is that if an attacker can compromise an individual's credentials, they then have free access to all of the network resources that the individual has rights to. This is negated if the individual requires separate logins and passwords for each resource.
  3. Mandatory access control (MAC) assigns labels to both the subject and the object. The subject would have a security clearance label, and the object would have a security classification label. Access by the subject to a secure object would be mediated typically by a device referred to as a trusted computing base. Mandatory access control is typically used in government and military organizations. Discretionary access control (DAC) is a default access control technique in Microsoft Windows. The owner/creator of the data has the capability of determining who has access to the data as well as what they can do when they access the data, such as read, read/write, or even create and delete actions.
  4. Access controls are grouped under various categories. These categories include administrative, logical/technical, and physical.

Chapter 4

  1. Anyone could write a policy within an organization. Unless the policy has executive-level endorsement, meaning that a senior executive has approved it, stands behind it, and indicates that it is the authorized or mandated statement from the organization, it will not be respected.
  2. Standards, baselines, and procedures indicate the supporting details of a policy. Policies are created because of a standard that the organization must abide by. For instance, the requirement that an organization needs to meet HIPAA standards is a reason for a HIPAA policy. Baselines are a measure of the minimum amount of effort, compliance, or activity the organization must undertake to meet a certain standard. Procedures are steps or activities that should be taken in a sequential order to achieve a specific result.
  3. During the interruption of regular organizational IT activity, such as during a disaster event, the business continuity plan (BCP) or the disaster recovery plan (DRP) may specify an alternate location for the continuation of IT activity. A hot site is a location that can be brought online within a number of hours. Typically, all required hardware, electrical power, HVAC, and communications capabilities are installed and ready to go. Current data is not installed on hot site equipment. A warm site may have some equipment and will take incrementally longer to bring online. A cold site is typically just a building location with no equipment installed. It will take the longest period of time to bring online.
  4. Recovery time objective (RTO) is a component of the business continuity plan that indicates the period of time that the organization may be without a specific business function. It indicates the time that the business function must be up and running, even if at a reduced capacity. Recovery point objective is the point at which the last known good copy or backup copy of data can be restored to bring a specific business function back online.

Chapter 5

  1. In the process of risk analysis, there are two types of asset valuation. Quantitative analysis is a method of determining asset value based upon various numerical values. These might include original purchased cost, depreciated cost, replacement cost, and a variety of additional costs such as installation, restoration, configuration, and other operational costs. Quantitative may be thought of as a “quantity” of money. Qualitative analysis does not make use of factual data such as monetary cost figures. It arrives at subjective values and impact values based upon the opinions of experts. The subjective value that is typically used in quantitative analysis might measure the impact of lost functionality as low, medium, and high.
  2. A threat describes the action that a bad actor may take or cause to happen. A vulnerability describes a weakness in an asset or control. The traditional definition of risk is the probability that a threat will exploit a vulnerability, thus causing harm.
  3. In risk analysis, various computations might be used to express the cost to the organization should an asset be lost or damaged due to the actions of a threat. Single loss expectancy (SLE) is the cost to the organization each time an asset is harmed due to the action of a threat. Annualized loss expectancy (ALE) represents the cost determined in a single loss expectancy multiplied by the number of times per year the loss may occur, which is described as the annualized rate of occurrence (ARO). The exposure factor (EF) is expressed as a percentage and represents the monetary loss of the value of an asset each time the asset is harmed due to the action of a threat. For instance, if an asset cost $10,000 and every time it was attacked by a threat it cost $5,000 to rebuild, the exposure factor would be 50 percent.
  4. There are four acceptable methods of treating risk: accepting risk, assigning risk, reducing risk, and avoiding risk. By default, ignoring risk means accepting the risk.

Chapter 6

  1. Business continuity planning includes all of the actions required to develop a business continuity plan (BCP). A business continuity plan includes all of the requirements and procedures to maintain business operations after a disaster event. Business recovery planning includes all of the actions required to develop a disaster recovery plan (DRP). A disaster recovery plan includes all of the requirements and procedures that might be required to restore business operations to a point just prior to a disaster event. The recovery plan may include what is needed to restore facilities, equipment, and other assets.
  2. Triage is typically a medical term. It refers to the prioritization of damages and the communication of this prioritization so that damaged entities can be addressed based on need, usually ranked high to low.
  3. A business continuity plan will designate various time periods. The recovery time objective (RTO) is the period of time a particular business function may be nonfunctional and must be brought back online in some productive capacity. The recovery point objective (RPO) is the date and time of the last known good data for backup information that may be used to restore systems after a disaster event. The maximum tolerable downtime (MTD) represents the time period that a business activity may be unavailable, after which the business may begin to experience irreparable harm.
  4. An incident response team is a team that responds with some set activities after the onset of an incident. The team determines the damage, takes actions, restores capabilities, and reports on findings or prepares after-action reports. Organizations will have different incident response activities depending upon the nature or severity of the event. The standard instruction to an incident response team is to follow the incident response plan.

Chapter 7

  1. An asymmetric cryptography system makes use of two keys for each participant. These two keys include a public key and a private key. The private key must always be kept secret. The relationship between the keys is that the private key may be used to originate the public key, but it is mathematically infeasible for the person with the public key to determine the private key. Both keys can encrypt data, and either key can decrypt data but only the data encrypted by the opposite key. Asymmetric cryptography makes use of very large and intensive mathematical computations involving large prime numbers. Therefore, it is slow and cumbersome. Asymmetric cryptography is the basis for public key infrastructure (PKI), where certificates are used as a trusted means for verification of the ownership of a public key. Symmetric cryptography makes use of a single shared secret key between the participants. Symmetric cryptography is hardware based, and therefore encryption and decryption can be accomplished orders of magnitude faster than with asymmetric cryptography. Generally, the drawback of symmetric cryptography involves key distribution. Sending a secret key to a previously unknown participant is difficult in symmetric cryptography. The strength of cryptographic algorithms is usually a function of key length.
  2. The Diffie-Hellman key exchange is a method whereby two participants, who may be previously unknown to each other, can derive the same secret key utilizing a mathematical function. The two participants each create two numbers. One number is kept secret while the other number is exchanged in the clear with the other participant. These numbers are used in the mathematical function and will result in both participants arriving at the same final number. The final number will represent a shared secret key.
  3. In public key infrastructure (PKI), the X.509 standard involves the use of digital certificates and various entities. The certificate authority (CA) is a respected and trusted organization that issues, maintains, and revokes digital certificates. The registration authority (RA) gathers information from users wishing to apply for digital certificates. The certificate revocation list (CRL) is a list of certificates that have either expired or been revoked due to compromise or other situations. Online Certificate Status Protocol (OCSP) is a protocol used by a web browser to automatically check the status of the protocol.
  4. A digital signature is created by processing a plaintext message through a hashing algorithm to obtain a hash value or message digest. This hash value is then encrypted using the private key of the individual or entity providing a digital signature. Both the encrypted hash value and the plaintext message may then be sent to the receiving entity. The receiving entity will use the public key of the sender to decrypt the hash value. Upon rehashing the plaintext message, the receiving entity will compare the decrypted hash value with the derived hash value to ensure that they are the same. A digital signature provides proof of origin and nonrepudiation. It does not provide confidentiality.
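Answers 2 and 4 of this chapter describe two procedures that are short enough to run: the Diffie-Hellman exchange (each side keeps one number secret and sends one in the clear, and both arrive at the same shared number) and hash-then-sign with a private key, verified with the public key. The following is an added example, not from the book; the group parameters (p = 23, g = 5) and the toy RSA primes are constructed and deliberately far too small for real use, chosen only so the arithmetic is visible.

```python
import hashlib
import secrets

# --- Diffie-Hellman (answer 2): constructed, deliberately small public group ---
P, G = 23, 5   # prime modulus and generator; real groups are 2048 bits or more

def dh_keypair(p=P, g=G):
    """Each participant creates two numbers: a secret kept private and a public value."""
    secret = secrets.randbelow(p - 2) + 1
    return secret, pow(g, secret, p)      # only the public value is sent in the clear

def dh_shared(their_public, my_secret, p=P):
    """Both sides compute the same number from the peer's public value and their own secret."""
    return pow(their_public, my_secret, p)

def dh_exchange(p=P, g=G):
    """Run both sides; returns the two independently derived shared secrets."""
    a_secret, a_public = dh_keypair(p, g)
    b_secret, b_public = dh_keypair(p, g)
    return dh_shared(b_public, a_secret, p), dh_shared(a_public, b_secret, p)

# --- Digital signature (answer 4): constructed toy RSA key, far too small for real use ---
_P, _Q = 1000000007, 998244353
N, E = _P * _Q, 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))      # private exponent (Python 3.8+)

def digest(message: bytes) -> int:
    """Hash the plaintext to a message digest, reduced into the key's range."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes, d=D, n=N) -> int:
    """Encrypt the digest with the sender's private key."""
    return pow(digest(message), d, n)

def verify(message: bytes, signature: int, e=E, n=N) -> bool:
    """Decrypt with the public key and compare against a fresh hash of the received plaintext."""
    return pow(signature, e, n) == digest(message)

if __name__ == "__main__":
    k1, k2 = dh_exchange()
    print("DH shared secrets match:", k1 == k2)
    sig = sign(b"transfer 100")
    print("valid:", verify(b"transfer 100", sig), "tampered:", verify(b"transfer 1000", sig))
```

Note that the signed message itself travels in plaintext: the signature proves origin and detects modification but, as answer 4 states, provides no confidentiality.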

Chapter 8

  1. IPsec is important because it is a popular method of protecting data while in transit and it has been adopted as a suggested encryption mechanism for use in IPv6. IPsec can be utilized in either tunnel mode or transport mode, depending upon the end connectivity. The end connectivity will also determine the type of header placed on each packet. The authentication header will provide both sender authentication and integrity to each packet. Encapsulating Security Payload (ESP) is a member of the IPsec protocol suite and provides authenticity, integrity, and confidentiality to packets. IPsec can be used to create tunnels between networks.
  2. Kerberos is a popular technique that has been adopted by Microsoft as its single sign-on methodology. It makes use of tickets to grant user access to resources. The user logs in and is authenticated one time. The single sign-on provides a one-time user authentication and the assignment of a ticket-granting ticket (TGT) provided by a ticket-granting server (TGS). The ticket-granting ticket is utilized throughout a set period of time, typically one day, to request session tickets for each desired resource. Symmetric keys are utilized between the entities for authentication. The benefit of Kerberos is that the client provides most of the communication overhead.
  3. Routers and switches are both network devices that provide directional control of packets on a network. Routers are OSI layer 3 devices that route packets based upon their IP address. Switches are OSI layer 2 devices that switch data packets between devices based upon Media Access Control (MAC) addresses. (Certain switches may be used at layer 3.)
  4. The layers of the OSI model are numbered one through seven. In order, they are (beginning at layer 1) Application, Presentation, Session, Transport, Network, Data Link, and Physical.

Chapter 9

  1. A hypervisor is a control program that runs on a PC or server and is referred to as a host because it will be used to host virtual machines. This control program interfaces with the underlying physical hardware of the host and controls the access to the resources for each virtual machine. This includes the CPU, RAM, and secondary storage such as hard disk drives. A Type I hypervisor interfaces directly with the physical hardware of the host and a Type II hypervisor interfaces with the operating system that is running on the host. The hypervisor is used to form and manage virtual machines. Each virtual machine is a separate instance of a computer system that shares the underlying hardware of the host.
  2. The difference between a hacker, a certified hacker, and a script kiddie tends to be in the expertise and experience of each. The script kiddie is usually a young, inexperienced person who is utilizing readily available scripts to cause mischief on the Internet. A hacker, on the other hand, may be very experienced and is usually performing attacks for personal benefit or to exfiltrate data for financial gain. The certified ethical hacker is an experienced individual who has hacking skills and is generally employed by a commercial entity with particular assignments to penetrate networks, systems, and applications to determine weaknesses.
  3. The European Commission has created a single law for the European Union, referred to as the EU General Data Protection Regulation (GDPR). This law will be replacing the EU Data Protection Directive 95/46 EC. The data protection directive was well intentioned and provided for concepts such as “data controllers” as well as the “right to be forgotten” idea. Unfortunately, the directive was not a law, and various European Union members could arbitrarily adopt it or not at their leisure. The difference between the two is that the EU Data Protection Directive 95/46 EC is only a directive, having the effect of an advisory for the member states. The EU General Data Protection Regulation is a regulation, or law, that binds all 28 members of the European Union to a unified set of privacy standards.
  4. The three cloud service models include Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). SaaS provides either third-party hosting of software in the cloud or the cloud provider hosting software for commercial use in the cloud. IaaS provides the user with various network components that may be assembled to duplicate or add to an existing data center. PaaS offers the user preconfigured computer platforms, which may be utilized for testing or application development purposes.