9.1 - 9.9 Virtualization, Cloud Secuirty, and Securing Mobile Devices
What is the minimum number of users needed in a Windows Enterprise agreement for Intune to be included?
500 Intune is included with any Windows Enterprise agreement of at least 500 users and supports all types of devices.
Apple
> Apple iOS 8.0 and later > Mac OS X 10.9 and later
Bring your own device
A BYOD policy allows employees to use personal devices for work related tasks.
System on a chip (SoC)
A SoC is an integrated circuit that includes all components of a typical computer system, including digital, analog, mixed-signal, and radio frequency functions. The Raspberry Pi is a common device that uses a SoC. Because of their relatively low cost, SoCs are often used by hobbyists.
Enterprise mobility management (EMM)
A combination of MDM and MAM solutions in one package. EMM allows a system administrator to remotely manage hardware and applications on a mobile device.
Hybrid cloud
A combination of public, private, and community cloud resources from different service providers.
Virtual network
A computer network consisting of virtual and physical devices.
Media gateways
A media gateway is a translation device that converts media streams for use by different telecommunication technologies.
Container
A standard unit of software that holds the complete runtime environment including an application, all application dependencies, libraries, binaries, and configuration files.
Virtual areanetwork(VAN)
A virtual LAN running on top of a physical LAN.
Virtual machine (VM)
A virtual computer that functions like a physical computer.
Which of the following is a policy that defines appropriate and inappropriate usage of company resources, assets, and communications?
Acceptable use policy (AUP) An acceptable use policy (AUP) is a policy that defines appropriate and inappropriate usage of company resources, assets, and communications. A business impact analysis (BIA) identifies critical processes and assets and the effect of their loss on the company. A disaster recovery plan (DRP) addresses how a corporation should respond to a disaster. A business continuity plan (BCP) addresses how a corporation responds to the disruption of critical systems.
Add
Add the apps you would like to manage and assign them in Intune. You can add the following app types: > Apps from the Windows Store > Apps that are line-of-business apps written in house > Apps on the web > Built-in apps
Acceptable use policy
An AUP determines the rules for using corporate resources, such as internet access, computers, etc.
Multi-function display (MFD)
An MFD is a screen surrounded by configurable buttons that can be used to display information in a variety of ways. MFDs are often used on airplanes, helicopters, and ships.
Unified endpoint management (UEM)
An all-in-one device management solution. UEM allows a system administrator to manage local and mobile devices, including Internet of Things devices.
Cloud access security broker (CASB)
An on-premises cloud-based software tool or service that sits between an organization and a cloud service provider.
Citrix
Citrix virtualization solutions: > Provide a virtualization solution called XenServer, also referred to as Citrix Hypervisor. > Support the widest range of graphics applications. > Support Intel GVT-g GPU virtualization, a CPU-embedded GPU requiring no additional hardware.
Cloud auditing
Cloud auditors evaluate: > Security controls > Performance > Communication > Risk management > Data management > Vulnerability and remediation management > Privacy of cloud provider's services > Compliance with regulation and security policies
Infrastructure as a Service (IaaS)
IaaS delivers infrastructure to the client, such as processing, storage, networks, and virtualized environments. The client deploys and runs software without purchasing servers, data center space, or network equipment.
Wearable devices
In recent years, companies have started producing wearable devices that can connect to the internet for a variety of purposes. These devices include: > Watches > Headphones > Fitness trackers
Network fencing
Location compliance, known as network fencing, allows you to keep devices outside your corporate network from accessing network resources.
Connection Types
Mobile devices can use various methods to connect to the internet, network and other devices. Connection methods include: > Cellular > WiFi > Bluetooth > NFC > ANT > Infrared > USB > SATCOM (satellite)
Digital cameras
Most modern digital cameras use embedded systems for processing captured images, storing images, and uploading images to a PC or other storage device.
Private cloud
Platforms, applications, storage, or other resources that are made available to a single organization.
Supervisory control and data acquisition (SCADA)
SCADA is an industrial computer system that monitors and controls a process.
Virtual router (vRouter)
Software that replicates the functionality of a physical router.
Segmentation
The division of a network into smaller networks through a virtual local area network (VLAN) and firewalls.
Cloud Security Concepts
The following table describes cloud security concepts.
Sandboxing
The isolation of an app so that it can't affect other areas of a computer or network.
Bring your own device (BYOD)
The practice of having employees use their own personal mobile devices for business related tasks.
Geotagging
The process of embedding GPS coordinates within mobile device files, such as image or video files created with the device's camera.
Jailbreaking
The process of removing inherent protections placed by the device manufacturer.
Data exfiltration
The unauthorized copy, transfer, or retrieval of data from a computer, server, or network.
9.4.5 Cloud Storage Security Facts
This lesson covers the following topics: > Cloud storage > Advantages of cloud storage
Configure
Update deployed apps with new versions using Intune.
Virtual networks
Virtual machines and devices connected through software.
Apps Security Issues
When working with mobile device apps, be aware of the following security issues:
The advantages of cloud computing are:
> Flexible access > Ease of use > Self-service resource provisioning > API availability > Service metering > The ability to try software applications in cloud computing service models
Real-time operating system (RTOS)
A RTOS is an operating system that serves real-time applications without buffer delays. They are generally used in systems that require a response within a strict time constraint. Because RTOS are often used as critical components of an application, a successful attack on the RTOS can harm an entire system, including physical machinery.
Virtual hard disk (VHD)
A file that is created within the host operating system and simulates a hard disk for the virtual machine.
Mainframe computer
A lesser known category of embedded devices are mainframe computers. A mainframe computer is a large, powerful computer that is capable of processing extremely large amounts of data. Mainframe computers typically run proprietary operating systems. Because these operating systems are rarely updated, they are considered a static environment. In addition, mainframe computers often contain large amounts of sensitive data, making them an attractive target for hackers.
Virtual private cloud (VPC) endpoint
A virtual device that provides a private connection between virtual private clouds and a cloud provider's services. A VPC endpoint keeps traffic secure with a private link resource.
Virtual hard disk (VHD)
A virtual hard disk (VHD) is a file created within the host operating system and simulates a hard disk for the virtual machine.
System Configuration for Windows Intune
After signing up for a Windows Intune subscription, you need configure the system by completing the tasks listed in the table below:
Remote management
All app types, except for the line-of-business apps, automatically update as needed. Updates can be uploaded into Intune where they can be pushed out to users and updated within 24 hours. Administrators can push out updates for line-of-business apps through the company portal. When an employee leaves the organization, Intune allows the administrator to remotely remove apps and clear all data from the device without affecting the device itself.
Which of the following BEST describes the Physical SDN layer?
Also known as the Infrastructure layer. The Physical layer is also known as the Infrastructure layer. The Application layer is sometimes called a northbound API. The Control layer receives its requests from the Application layer. One of the advantages of SDN is it gives new life to old networking hardware.
Cloud Security Solutions
Be familiar with the following security solutions:
Cloud access security broker (CASB)
Cloud access security broker is an on-premises cloud-based software tool or service that sits between an organization and a cloud service provider. CASBs: > Monitor communication for compliance with an organization's security policies and procedures. > Can offer malware protection and encryption. > Can give more specific protection and monitoring capabilities than secure web gateways (SWGs) and enterprise firewalls.
Types of clouds
Cloud computing can be implemented in several different ways, including the following:
Application Security
Cloud computing has become the norm for many organizations today. It has become common to add applications and tools to the cloud environment. It's critical to use security best practices when adding each new application or tool. Each additional has the potential to create a network vulnerability. Application security best practices include: > Verify the application is correctly configured. > Secure APIs and interfaces through encryption and multifactor authentication with limited authorization.
Corporate owned, personally enabled
In a COPE system, the company provides a list of approved devices for an employee to choose from. The company owns the device; the employee uses and manages the device.
9.8.2 BYOD Security Facts
In addition to mobile devices owned by your organization, you must also take into account personally owned mobile devices that employees bring to work and use to complete daily work-related tasks. This practice is sometimes referred to as Bring Your Own Device (BYOD). Even though it entails a host of security risks, this is very common practice in the modern work environment. This lesson covers the following topics: > BYOD security issues > Deployment model alternatives
Mobile Application Management
Microsoft app protection policies are rules that make sure the company's data is secure within an application. The user cannot move data or perform any action that is prohibited in a policy. Intune mobile device management (MDM) provides the app protection policies that enable MAM to protect devices and data. MAM also provides protection through MAM without enrollment (MAM-WE) in Intune MDM. The following table describes the two possible configurations.
9.7.6 Mobile Application Management Facts
Mobile application management (MAM) refers to the assortment of management features that lets a system administrator publish, push, configure, secure, monitor, and update mobile apps. The goal is to ensure users have the applications they need at all times while protecting the organization's data within the apps. This can be very challenging due to the wide variety of device platforms and application types. Intune is Microsoft's MAM solution in the Azure cloud. This lesson covers the following topics: > Mobile application management > Intune application life cycle > App deployment and update methods
Multifunction printers (MFPs)
Multifunction printers can connect to wireless networks and to the internet for additional functionality.
Platform as a Service (PaaS)
PaaS delivers everything a developer needs to build an application. The deployment comes without the cost and complexity of buying and managing the underlying hardware and software layers.
Public cloud
Platforms, applications, storage, or other resources that are made available to the general public by a cloud service provider.
Mobile application management (MAM) provides the ability to do which of the following?
Remotely install and uninstall apps. Mobile application management (MAM) solutions focus on managing the applications on a mobile device but not the device itself. Licensed applications or custom-designed apps fall under MAM policies. Mobile application management provides the ability to: > Remotely install and uninstall apps. > Update apps as needed. > Limit functionality in an app as needed. Microsoft Intune allows the system administrator to: > Manage mobile devices > Manage mobile apps > Control data access > Comply with security policies
Retire
Remove apps that have reached end of life or become outdated and are no longer used.
Which of the following methods can cloud providers implement to provide high availability?
Replication Cloud service providers replicate data in multiple zones and within zones to provide high availability. Replication: > Helps eliminate downtime (the time your data is unavailable). > Redirects to another availability zone when a zone fails. Cloud integration is the system that connects application repositories, systems, and IT environments in a way that allows access and exchange of data over a network by multiple devices and locations. Encryption is one method that a cloud provider can use to protect a customer's data. Instance awareness is the ability to apply cloud security within an application that has rules specific to an instance.
Control layer
The Control layer receives its requests from the Application layer and then provides the Physical layer with its configuration and instructions.
9.4.4 Cloud Computing Facts
This lesson covers the following topics: > Cloud computing > Types of clouds > Cloud computing models > Cloud security risk reduction > Virtual Desktop Infrastructure (VDI)
Virtual desktop infrastructure
VDI is a technology that uses virtual machines and virtual desktops.
9.6.2 Mobile Device Connection Facts
Whether it's a tablet, smartphone, or an e-reader, all mobile devices share some common characteristics. This lesson covers the following topics: > Connection Types > Security Considerations > Application Management > Apps Security Issues
Wireless keyboards and mice
Wireless keyboards and mice use Bluetooth or other proprietary radio frequency connections.
Environment controls
Many homes and businesses use environmental control devices that can send real-time information and can be controlled via the internet. These devices can be as basic as controlling a home's HVAC system (such as a Nest thermostat) or as complex as controlling the humidity, temperature, and other environmental factors in a data center.
Field Programmable Gate Array (FPGA)
A Field Programmable Gate Array is an integrated circuit manufactured and then later configured by the customer. The configuration happens through a hardware description language (HDL), similar to application-specific integrated circuit (ASIC).
Virtual private cloud (VPC) endpoint
A VPC endpoint is a virtual device that provides a private connection between virtual private clouds and a cloud provider's services. A VPC keeps traffic secure with a private link resource. VPC endpoints improve cloud security because VPC resources never traverse the internet to reach a service.
Virtual Private Network (VPN)
A VPN is usually used as a secure tunnel over another network, connecting multiple remote end-points, such as routers. A multipoint VPN is a VPN connecting more than two end-points.
You manage the information systems for a large manufacturing firm. Supervisory control and data acquisition (SCADA) devices are used on the manufacturing floor to manage your organization's automated factory equipment. The SCADA devices use embedded smart technology, allowing them to be managed using a mobile device app over an internet connection. You are concerned about the security of these devices. What can you do to increase their security posture? (Select two.)
Install the latest firmware updates from the device manufacturer. Verify that your network's existing security infrastructure is working properly. Since you generally have little or no control over the smart technology embedded within SCADA devices, they are referred to as static environments. As a result, there is typically very little you can do to increase the security posture for these types of devices. For SCADA devices, you may be able to perform the following, depending on the device manufacturer: > Install the latest firmware updates from the device manufacturer. > Verify that your network's existing security infrastructure is working properly. Because these devices operate in a static environment, you typically can't install third-party software on them, including anti-malware scanners, monitoring agents, or mobile device management agents.
Sideloading
Installing an app on a mobile device via a method other than the manufacturer's app repository.
Which of the following tools allows the user to set security rules for an instance of an application that interacts with one organization and different security rules for an instance of the application when interacting with another organization?
Instance awareness Instance awareness is the ability to apply cloud security within an application that has rules specific to an instance. This tool allows the user to set security rules for an instance of an app interacting with one organization and different security rules for an instance of the app when it interacts with another. Cloud integration is the system that connects application repositories, systems, and IT environments in a way that allows access and exchange of data over a network by multiple devices and locations. Encryption is one method that a cloud provider can use to protect a customer's data. Cloud service providers replicate data in multiple zones and within zones to provide high availability.
Instance awareness
Instance awareness is the ability to apply cloud security within an application that has rules specific to an instance. This tool allows the user to set security rules for an instance of an app interacting with one organization and a different security rules for an instance of the app is interacting with another organization.
Protect
Protect company data in deployed apps with conditional access to email and other corporate resources. Conditional access is based on the criteria you set in the app protection policies that lock down actions the users can perform on devices. Examples of locked-down actions include copying data and preventing app installation on rooted devices.
Which of the following serves real-time applications without buffer delays?
RTOS A real-time operating system (RTOS) is an operating system that serves real-time applications without buffer delays. They are generally used in systems that require a response within a strict time constraint. Supervisory control and data acquisition (SCADA) devices are special computer systems that gather, analyze, and manage automated factory equipment. A system on a chip (SoC) is an integrated circuit that includes all components of a typical computer system, including digital, analog, mixed-signal, and radio frequency functions. A Field-Programmable Gate Array (FPGA) is an integrated circuit manufactured and then later configured by the customer.
Raspberry Pi
Raspberry Pi is a low-cost device the size of a credit card that's powered by the Python programming language. It's manufactured into a single system on a chip (SoC).
Which of the following app deployment and update methods allows updates to be uploaded onto Intune where they can be pushed out to users within 24 hours?
Remote management With remote management, all app types (except for line-of-business apps) automatically update as needed. Updates can be uploaded onto Intune where they can be pushed out to users within 24 hours. A company can create a self-service portal using Intune. This makes the distribution of apps easier for everyone. Bring Your Own Device (BYOD) is a policy that allows a user to use their personal device for business purposes. An app catalog allows an organization to define the apps that a user can and cannot use.
Which of the following is the first phase of the Microsoft Intune application life cycle?
Add The first phase of the Microsoft Intune application life cycle is to add the apps that are to be managed and assigned in Intune. Deploy is the second phase. Configure is the third phase. Protect is the fourth phase.
Which of the following defines an acceptable use agreement?
An agreement that identifies employees' rights to use company property, such as internet access and computer equipment, for personal use. An acceptable use agreement identifies employees' rights to use company property, such as internet access and computer equipment, for personal use. A non-compete agreement prohibits an employee from working for a competing organization for a specified period of time after he or she leaves the organization. An employee monitoring agreement outlines the organization's monitoring activities. A non-disclosure agreement is a legal contract between an organization and an employee that specifies that the employee is not to disclose the organization's confidential information.
Your organization recently purchased 20 Android tablets for use by the organization's management team. To increase the security of these devices, you want to ensure that only specific apps can be installed. Which of the following would you implement?
App whitelisting App whitelisting is the process of defining specific apps that users can have on their mobile devices. Apps not on the whitelist are not allowed to be installed. Blacklisting apps is the process of defining specific apps that users cannot have on their mobile devices. The Credential Manager function that is implemented in most mobile operating systems can store usernames and passwords for the end user. Application Control is implemented by each mobile operating system. It determines how apps are installed and where they come from.
Arduino
Arduino is an open-source hardware and software company. They design and manufacture single-board microcontrollers as well as kits to build digital devices.
9.2.7 Section Quiz
CIST 1601
9.4.6 Section Quiz
CIST 1601
9.5.6 Section Quiz
CIST 1601
9.6.7 Section Quiz
CIST 1601
Which Amazon device can be used to control smart devices (such as lights) throughout a home using voice commands?
Echo Amazon Echo devices can be integrated into a user's home to control other smart devices using voice commands. Home is Google's product line that can be integrated to control smart devices using voice commands. Cortana is Microsoft's digital assistant. Siri is Apple's digital assistant.
MAM-WE
Manage apps using MAM and app protection policies but with devices enrolled with third-party enterprise mobility management (EMM) providers. Sensitive data can be managed on any device, including personal devices. *App protection can require a PIN to launch an application.
Application Management
Security considerations regarding the management of applications on the mobile devices include: > Rooting/jailbreaking/sideloading to load apps from third-party app stores or other websites. > Flashing with custom firmware. > Carrier unlocking. This is the ability to use different mobile carrier networks. > The ability to receive over-the-air (OTA) firmware updates and app updates. > Camera usage and geolocation information in pictures. > Text and multimedia message protocols (SMS/MMS). > Connection to external media. > Connection using USB OTG (on-the-go). > The use of a microphone for recording purposes. > Tethering which is the ability to share internet connectivity to other devices.
Segmentation
Segmentation divides a network into network segments using a Virtual Local Area Network (VLAN) and firewalls. To protect segments, filter traffic between segments with a deny all statement and then add rules to allow necessary traffic. Segmentation: > Aids in monitoring traffic for security issues. > Limits any damage to the compromised segment.
Virtual Local Area Network (VLAN)
Several physical LANs can function as a single logical LAN, or the partitioned network can be on a single router.
If a user's BYOD device (such as a tablet or phone) is infected with malware, that malware can be spread if that user connects to your organization's network. One way to prevent this event is to use a Network Access Control (NAC) system. How does an NAC protect your network from being infected by a BYOD device?
The NAC remediates devices before allowing them to connect to your network. The NAC remediates devices before allowing them to connect to your network. This means that the NAC performs the following types of device management tasks before allowing a device to connect to the network: > Operating system updates > App updates > Anti-malware installation > Anti-malware definition updates An alternative to using an NAC solution is to force BYOD devices to connect to a guest network that is isolated from your production network. An Acceptable Use Policy (AUP) specifies which apps can be used while the BYOD device is connected to the organization's network. An AUP also notifies users that personally owned devices are subject to random searches if brought on site.
Physical layer
The Physical layer, also known as the Infrastructure layer, communicates to the Control layer through the southbound interface. The individual networking devices use southbound APIs to communicate with the control plane and vice versa. Even though this layer is called the Physical layer, it is where both physical and virtual network devices sit.
Mobile application management
The administration of applications on a mobile device. MAM software allows a system administrator to remotely install or remove organizational apps and to disable certain functions within the apps.
App whitelisting
The process of identifying apps that users are allowed to have on mobile devices.
Types of Embedded Devices
The following table describes some of the most common embedded devices:
App Deployment and Update Methods
The following table describes the three methods available to work with applications throughout their life cycle.
Cloud Storage is a virtual service
The infrastructure is the responsibility of the storage provider. Access controls should be set in the same way as a local file system would be set. There is no need for the provider to have access to the stored data. Measures for securing cloud storage include: > Implement security controls in the same way as in a physical datacenter. > Use data classification policies. > Assign information into categories that determine storage, handling, and access requirements. > Assign security classification based on information sensitivity and criticality. > Use specialized tools to securely dispose of data when it is no longer needed.
Internet of Things
The network of physical devices such as vehicles, home appliances, etc., that are embedded with electronics, software, sensors, actuators, and connectivity that enable them to connect, collect, and exchange data through the internet.
Arduino
Arduino is an open-source hardware and software platform for building electronic projects.
Advantages of Cloud Storage
> Companies pay only for the storage used. This does not necessarily mean that cloud storage is less expensive, but it incurs only operating expenses. > Cloud storage can cut energy consumption by up to 70% making an organization more green. > Organizations can choose between off-premises and on-premises cloud storage options, or a mixture of the two options. > Storage availability and data protection is intrinsic to object storage architecture. Depending on the application, you can eliminate the costs, effort, and additional technology to add availability and protection. > Storage maintenance tasks, such as purchasing additional storage capacity, are the responsibility of the service provider. > Cloud storage can be used for copying virtual machine images from the cloud to on-premises locations or to import a virtual machine image from an on-premises location to the cloud image library. > Cloud storage can be used as natural disaster backup, since cloud storage providers' backup servers are typically located in different places around the globe.
> Google Android 4.0 > Google Android for Work *Customers with enterprise management + security (EMS) can also use Azure Active Directory (Azure AD) to register Windows 10 devices.
Some disadvantages of SDN include:
> Is currently a new technology > Lack of vendor support > Standards are still being developed > Centralized control opens a new target for security threats
Cloud storage is:
> Made up of many distributed resources but still acts as one, either in a federated or a cooperative storage cloud architecture. > Highly fault tolerant through redundancy and distribution of data. > Highly durable through the creation of versioned copies.
Windows
> Windows 10 (Home, S, Pro, Education, and Enterprise versions) > Windows 10 Mobile > Windows Phone 8.1 > Windows 8.1 RT > PCs running Windows 8.1 > Devices running Windows 10 IoT Enterprise (x86, x64) > Devices running Windows 10 IoT Mobile Enterprise > Windows Holographic & Windows Holographic Enterprise
Community cloud
A community cloud is designed to be shared by several organizations. Access is restricted to users within the organizations who are sharing the community cloud infrastructure. Community clouds can be hosted internally or on-premise, with each organization sharing the cost of implementation and maintenance. Because of the expense and expertise required, community clouds are commonly hosted externally, by a third party.
Subscriber identity module (SIM) card
A SIM card encrypts data transmission and stores information.
Which of the following cloud storage access services acts as a gatekeeper, extending an organization's security policies into the cloud storage infrastructure?
A cloud-access security broker A cloud-access security broker (CASB) may act as a gatekeeper, extending an organization's security policies into the cloud storage infrastructure. A CASB focuses on the visibility of company data, regulation compliance, user access, and data security through encryption and loss prevention. Cloud storage services may be accessed through a co-located cloud computer service, a web service application programming interface (API), or by applications that utilize the API, such as cloud desktop storage (in other words, cloud storage gateways or web-based content management systems).
Cloud-based firewalls
A cloud-based firewall is a software network device that is deployed in the cloud. It protects against unwanted access to a private network. When making a decision about a cloud-based firewall, consider the following. > Cost - Liability and damage to your cloud applications and services. - The cost of a misconfigured firewall. Misconfiguration includes ports left open and other security holes exposed. - There are cloud-based firewalls available whose fees are based on usage to help lower the cost. The cost of damages and liability may be far higher than the cost of a firewall. > Segmentation - Implement internal segmented firewalls (ISFWs) and access control lists to control access to each segment. - Use segmentation to partition networks into trust zones to limit access. - Become familiar with networking methods and network segmentation tools provided by your cloud provider to optimize the cloud-based firewall for your organization. - Use segmentation tools such as firewall rule sets and load balancers to regulate the IP addresses that can access network segments. > OSI layers - Application layer firewalls work on the Layer 7 of the OSI model. They are considered to be third-generation firewalls. - Third generation firewalls work by inspecting inbound and outbound packets and blocking packets that don't meet the rule requirements. - The application layer firewall protects the stack of layers below it. - Transport layer (Layer 4) firewalls are considered to be stateful firewalls. They are referred to as second-generation firewalls. These firewalls: - Log all connections and sort by new connections and existing connections. If traffic is not part of any connection, it's inspected against the firewall rules. - Block connections that fail to meet the rule requirements. - Network layer firewalls work on Layer 3. They are considered to be first-generation firewalls. First-generation firewalls: - Check the network packet's source and destination address, protocol, and destination ports. - Protect against packets coming from certain IP addresses. > Secure Web Gateways - SWGs and firewalls both detect malicious traffic. Firewalls work at the packet level, while SWGs work at the application level in the cloud. - SWGs are a network security service that filters malware from user-side internet connections. SWGs use URL filtering, application control, data loss prevention, https inspections, and antivirus protection. - SWGs are proxies between the organization and the internet. They receive requests from clients before deciding if the session is legitimate. - SWGs can monitor and log all on-premises traffic, as well as traffic in public and private clouds. This helps you understand where your vulnerabilities are, which allows you to implement security and use policies intentionally.
Container security
A container holds the complete runtime environment including an application, its dependencies, libraries, other binaries, and configuration files, all in one unit. Benefits of containers include: > Containers allow software to function properly when moved from one computing environment to another. > Multiple applications within containers can run on a server using the same operating system. > Each container shares the OS kernel with the other containers. This requires fewer resources than a virtual machine.
Users in the sales department perform many of their daily tasks, such as emailing and creating sales presentations, on their personal tablets. The chief information officer worries that one of these users might also use their tablet to steal sensitive information from the organization's network. Your job is to implement a solution that prevents insiders from accessing sensitive information stored on the organization's network from their personal devices while still giving them access to the internet. Which of the following should you implement?
A guest wireless network that is isolated from your organization's production network A guest wireless network that is isolated from your organization's production network allows user-owned devices to gain internet access, but it quarantines them from sensitive information on your organization's production network. A mobile device management (MDM) infrastructure, such as Microsoft Intune, can be used to wipe data from a device that has been lost or stolen. A Network Access Control (NAC) solution can remediate devices before allowing them to connect to your network. An Acceptable Use Policy (AUP) can be used to define which kind of data is allowed and prohibited on personally owned devices.
Hybrid cloud
A hybrid cloud is composed of a combination of public, private, and community cloud resources from different service providers. The goal behind a hybrid cloud is to expand the functionality of a given cloud service by integrating it with other cloud services.
Users in the sales department perform many of their daily tasks, such as emailing and creating sales presentations, on company-owned tablets. These tablets contain sensitive information. If one of these tablets is lost or stolen, this information could end up in the wrong hands. The chief information officer wants you to implement a solution that can be used to keep sensitive information from getting into the wrong hands if a device is lost or stolen. Which of the following should you implement?
A mobile device management (MDM) infrastructure A mobile device management (MDM) infrastructure, such as Microsoft Intune, can be used to wipe data clean from a device that has been lost or stolen. A Network Access Control (NAC) solution can remediate devices before allowing them to connect to your network. An Acceptable Use Policy (AUP) can be used to define which kind of data is allowed on personally owned devices and which kind of data is prohibited. A guest wireless network that is isolated from your organization's production network allows user-owned devices to gain internet access, but it quarantines them from the rest of your organization's production network.
Private cloud
A private cloud provides resources to a single organization. Access is restricted to the users within the organization. Private clouds can be hosted internally. Because of the expense and expertise required to implement, clouds are typically hosted externally, by a third party. An organization commonly enters into an agreement with a cloud service provider, which provides secure access to cloud-based resources. The organization's data is kept separate and secure from any other organization using the same service provider.
Public cloud
A public cloud can be accessed by anyone. Cloud-based computing resources, such as platforms, applications, storage, or other resources, are made available to the general public by a cloud service provider. The service provider may or may not require a fee for using these resources. For example, Google provides many publicly-accessible cloud applications, such as Gmail and Google Docs.
Virtual private network(VPN)
A secure tunnel to another network that connects multiple remote end-points.
Security groups
A security group is a group of files that is assigned a unique name. The security group is controlled through permissions and works like a firewall that controls traffic to and from instances. Security groups use restrictive access control lists (ACLs) to allow ingress traffic only from specific IPs and to specific ports that are prepared through an application for connection. When using security groups: > Regularly check security group policies to ensure they are allowing traffic only from acceptable addresses based on the organization's policies and purposes. > Never allow incoming traffic to connect to the SSH port 22. > Never allow incoming traffic to connect to RDP port 3389.
Security group
A security group works like a firewall to control traffic to and from network resources.
Cloud-based firewall
A software network device that is deployed in the cloud that protects against unwanted access to a private network.
Windows Information Protection
A technology that helps protect against data leakage on company-owned and personal devices without disrupting the user experience.
Which of the following could be an example of a malicious insider attack?
A user uses the built-in microphone to record conversations. If a user is so inclined, he or she could use their mobile device to conduct a malicious insider attack. For example, they could: > Use the built-in camera, which nearly all modern mobile devices have, to take pictures of sensitive internal information. > Use the built-in microphone to record conversations. > Use the built-in video function to record proprietary processes and procedures. > Use the device's mobile broadband connection to transfer stolen data to parties outside the organization, bypassing the organization's network security mechanisms. If a user copies sensitive data to their device, the organization could potentially lose control of that information. Even the question of who owns the data after it has been copied to a personal device becomes problematic. Consider the following scenarios: > A user may not have implemented appropriate security settings on their device, allowing anyone who gains access to the device to view sensitive data. > A user may lose the device, allowing anyone who finds it to access sensitive data. > A device may become infected with malware, potentially exposing sensitive data.
Application programming interfaces (API) inspections and integration
APIs are the software that allows applications and cloud computing systems to communicate with each other. You should regularly inspect the API integration points to: > Ensure authentication is required from the end-user before access is given. > Determine the functions or operations necessary for each user and authorize only those functions or operations. > Restrict users from using unnecessary roles. > Scan payloads and validate API schemas to prevent injection attacks or man-in-the-middle attacks.
App catalog
An app catalog allows the organization to define the apps that a user can and cannot use. Apps can be assigned to specific users and devices via groups to facilitate management. The catalog is configured to make available to specific users and groups only the apps that they have rights to access. An app can also be blacklisted so no user can use it to access company resources.
Software-defined networking
An architecture that allows network and security professionals to manage, control, and make changes to a network.
Which of the following app deployment and update methods can be configured to make available to specific users and groups only the apps that they have rights to access?
App catalog An app catalog allows an organization to define the apps that a user can and cannot use. Apps can be assigned to specific users and devices via groups to facilitate management. The catalog is configured to make available to specific users and groups only the apps that they have rights to access. An app can also be blacklisted so no user can use it to access company resources. A company can create a self-service portal using Intune that makes the distribution of apps easier for everyone. With remote management, all app types (except for line-of-business apps) automatically update as needed. Bring Your Own Device (BYOD) is a policy that allows a user to use their personal device for business purposes.
App whitelisting
App whitelisting is the process of defining specific apps that users can have on their mobile devices. For example, Windows RT provides a feature named Assigned Access, which allows you to define a whitelist of Windows Store applications. Assigned Access ensures that the device has installed only the apps required for its intended purpose. Apps that aren't on the whitelist are not allowed. For iOS and Android devices, app whitelists can be defined and enforced using a mobile device management (MDM) solution.
App control
Application control is implemented in a similar manner for most mobile device operating systems. > For iOS devices, all apps come from Apple's App Store, which uses the following mechanisms to secure apps: - Running apps are sandboxed. This means they cannot access data stored by other running apps, nor can they access system files and resources. - All iOS apps must be digitally signed by either Apple or by a third party developer using an Apple-issued certificate. This ensures that apps from the App Store haven't been tampered with. - App developers can use encryption APIs to protect app data. Data can be symmetrically encrypted using AES, RC4, or 3DES. > For Windows RT devices, all apps come from Microsoft's Windows Store. The following mechanisms secure apps: - Windows RT refuses to load modules not digitally signed by Microsoft. This ensures that apps from the Windows Store haven't been tampered with. - All apps available through the Windows Store use the Windows RT API, which contains significant security enhancements, including: - Windows anti-buffer-overflow memory restrictions - Data Execution Prevention (DEP)Address Space Layout Randomization (ASLR)SafeSEH, sacrificial canary values Be aware, however, that iOS devices can be jailbroken. Jailbreaking allows apps to be installed from sources other than the App Store. Likewise, apps that aren't from the Windows Store can be installed on Windows RT devices using a process called sideloading. Either of these actions can seriously compromise the security of the device and should be avoided. Apps for the Android operating system are not as tightly controlled as those for iOS and Windows RT. Some Android app stores implement good security and tightly control apps much like the App Store and the Windows Store, but others do not. It is strongly recommended that you use apps that come only from a reputable source, such as the following: > Google Play Store > Amazon Appstore for Android > Samsung Apps
Which type of firewall operates at Layer 7 of the OSI model?
Application layer Application layer firewalls work on Layer 7 of the OSI model. They are considered third-generation firewalls. Transport layer (Layer 4) firewalls are considered to be stateful firewalls. They are referred to as second-generation firewalls. A circuit-level gateway firewall operates at the Session layer of the OSI model. Packet-filtering firewalls work on Layer 3. They are considered first-generation firewalls.
Which of the following is an open-source hardware and software company that designs and manufactures single-board microcontrollers as well as kits to build digital devices?
Arduino Arduino is an open-source hardware and software company. They design and manufacture single-board microcontrollers as well as kits to build digital devices. Raspberry Pi is a common device that uses a system on a chip (SoC). Neither Microsoft nor Amazon are an open-source hardware and software company that designs and manufactures single-board microcontrollers as well as kits to build digital devices.
Security Risks
As with any networked system, there are security risks associated with smart devices. Not only do you have little or no control over the smart technology within static environments, smart device vendors can be slow to take steps to protect their products against security threats. They tend to respond only after an exploit has occurred instead of proactively updating systems. This is why smart devices are attractive to hackers. However, there are some steps you can take to secure a network from these devices and reduce the damage that a compromised device can cause. > Some static devices (such as home routers, game consoles, and SCADA devices) require manual firmware updates. With these devices, it is important to keep the firmware updated. > For devices that cannot be manually updated, the best approach is to minimize the amount of damage a compromised device can cause. This is done by segmenting the network using VLANs or encrypting all network communications.
9.5 Cloud Security
As you study this section, answer the following questions: > How can I secure my data in the cloud? > How do cloud networks work? > What is the role of segmentation in cloud security? > How do cloud-based firewalls work? Why are they important for security? In this section, you will learn to: > Recognize how cloud security controls protect data. > Configure permissions and encryption for cloud data. > Identify how cloud networks can be used to protect data. > Protect data with cloud firewalls.
9.9 Embedded and Specialized Systems
As you study this section, answer the following questions: > How can you minimize the damage of compromised embedded devices? > What are common static environments within the Internet of Things (IoT)? In this section, you will learn to: > Recognize embedded devices and systems. > Secure embedded devices. > Identify communication methods of embedded devices.
9.8 BYOD Security
As you study this section, answer the following questions: > How would you remediate a tablet or phone infected with malware? > What is an acceptable use policy (AUP)? How does it benefit mobile security? > How does virtual desktop infrastructure (VDI) provide enhanced security and better data protection? > What is the difference between choose your own device (CYOD) and corporate owned, personally enabled (COPE)? > How can you prevent malicious insider attacks? In this section, you will learn to: > Secure mobile devices. > Secure an iPad. > Create a guest network for BYOD.
9.7 Mobile Device Management
As you study this section, answer the following questions: > What are four methods of mobile device management (MDM)? > What are the benefits of implementing mobile application management (MAM)? > What do Windows Information Protection (WIP) policies provide? > How does Intune help you to secure data? In this section, you will learn to: > Enroll devices and perform a remote wipe. > Enroll non-Windows devices.
9.6 Mobile Devices
As you study this section, answer the following questions: > Which process allows you to define specific apps that users can have on mobile devices? > Which two configurations can be used to deploy Windows Intune? > What does a mobile device management (MDM) solution allow you to do? > How do jailbreaking and sideloading differ? In this section, you will learn to: > Enforce security policies on mobile devices. > Sideload an application.
Deploy
Assign the app to users and/or devices you manage and monitor them on the Azure portal.
9.7.7 Section Quiz
CIST 1601
9.8.7 Section Quiz
CIST 1601
9.9.6 Section Quiz
CIST 1601
Which device deployment model gives businesses significant control over device security while allowing employees to use their devices to access both corporate and personal data?
COPE The Corporate-Owned, Personally Enabled (COPE) model gives businesses significant control over device security while allowing employees to use their devices to access both corporate and personal data. Because the company owns the device, it can be secured more easily and wiped clean if lost or stolen. One disadvantage of this model is that employees who are not free to choose their own devices may end up bringing their own anyway. The Bring Your Own Device (BYOD) model has users bringing in their personal devices and using them for business use. The Choose Your Own Device (CYOD) model provides slightly more flexibility in giving users a limited selection of devices to choose from. A virtual desktop interface (VDI) can be used with any device deployment model. A VDI allows mobile devices to establish a remote connection to a virtualized desktop.
In which phase of the Microsoft Intune application life cycle would you assign an app to users and/or devices you manage and monitor them on the Azure portal?
Deploy During the Deploy phase, apps are assigned to users and devices and then monitored on the Azure portal. The Configure phase is when apps are updated using Intune. Add is the first phase. This is when apps are added to Intune to be managed. Protect is the fourth phase. This is the phase in which company data is protected.
Cloud Computing
Cloud computing is software, data access, computation, and storage services provided to clients through the internet. The term cloud is a metaphor for the internet. It is based on the basic cloud drawing used to represent the telephone network. It is now used to describe the internet infrastructure in computer network diagrams. Characteristics of cloud computing include: > Delivery of common business applications that are accessed from a web service or software (like a web browser). > The cloud connection can exist over the internet or a LAN. > Cloud computing does not require end-user knowledge of the physical location and configuration of the system that delivers the services.
Cloud Computing Models
Cloud computing service models include the following:
Integration
Cloud integration is the system that connects application repositories, systems, and IT environments in a way that allows access and exchange of data over a network by multiple devices and locations. This can include: > Cloud-to-on-premises integration > Cloud-to-cloud integration > Both cloud-to-on-premises integration and cloud-to-cloud integration Your organization's systems must be tightly integrated to the cloud provider to preserve secure communication in the digital system.
9.5.5 Cloud Security Solutions Facts
Cloud security is a responsibility of the cloud service provider, but ultimately, it's the IT security professional's responsibility to ensure that the organization does all it can to keep its data safe. This lesson covers the following topics: > Cloud security solutions > Cloud-native controls vs. third-party solutions
Encryption
Cloud service providers protect a customer's data by changing it to cyphertext. It is your responsibility to: > Be familiar with your cloud service provider's encryption services. Some cloud service providers offer encryption before the data is transferred to the cloud, some do not, and some offer end-to-end encryption only for sensitive data. > Familiarize yourself with your provider's encryption policies and procedures to ensure they meet your security requirements. > Encrypt your data in-house before it's transferred to the cloud if encryption is not part of the service you chose.
Cloud Security Risk Reduction
Cloud service providers reduce the risk of security breaches through the following actions. > Authenticate all users who access the service and allow users to access only the applications and data that they need. > Use a Cloud Access Security Broker (CASB). A CASB is a software tool or service that sits between an organization and a cloud service provider. Its job is to make sure that all communication and access to the cloud service provider complies with the organization's security policies and procedures. > Segregate each organization's centrally-stored data. Verify, test, and apply updates to the infrastructure. > Establish a formal process for all facets of the service, from user requests to major data breaches and catastrophic events. > Implement security monitoring for usage, unusual behavior, and other events. Implement encryption up to the point of use, such as the client's web browser. > Probe for security holes with a third-party service provider. > Comply with all regulatory measures, such as the Sarbanes-Oxley Act.
High availability across zones
Cloud service providers replicate data in multiple zones and within zones to provide high availability. Replication: > Helps eliminate downtime (the time your data is unavailable). > Redirects to another availability zone, when a zone fails. To determine the best provider for your organization, compare cloud service providers' availability percentages. > Availability percentage = uptime/uptime + downtime. > The higher the percentage, the more resilient and reliable a provider is.
Cloud Storage
Cloud storage is a data storage model. It is usually provided by a third party as a service. Some of the most widely used cloud storage for enterprises providers are Google Cloud, Amazon Web Services, and Microsoft Azure. Many companies take advantage of cloud services to decrease costs and meet ever-increasing storage needs. Cloud storage services may be accessed through a co-located cloud computer service, a web service application programming interface (API), or by applications that utilize the API. Cloud desktop storage that uses a cloud storage gateway or web-based content management system is an example of an application that uses the API. A cloud access security broker (CASB) may act as a gatekeeper, extending an organization's security policies into the cloud storage infrastructure. A CASB focuses on the visibility of the company data, regulation compliance, user access to prevent threats, and data security through encryption and loss prevention.
What is the on-premises, cloud-based software tool that sits between an organization and a cloud service provider called?
Cloud-access security broker A cloud-access security broker (CASB) is an on-premises, cloud-based software tool or service that sits between an organization and a cloud service provider. A cloud-based firewall is a software network device that is deployed in the cloud. It protects against unwanted access to a private network. Cloud native controls refer to the security controls that are native to the cloud provider. Secure web gateways (SWGs) detect malicious traffic and work at the Application layer in the cloud.
Which of the following can provide the most specific protection and monitoring capabilities?
Cloud-access security broker A cloud-access security broker (CASB) is an on-premises, cloud-based software tool or service that sits between an organization and a cloud service provider. A CASB can offer malware protection and encryption and can also give more specific protection and monitoring capabilities than secure web gateways (SWGs) and enterprise firewalls. A cloud-based firewall is a software network device that is deployed in the cloud. It protects against unwanted access to a private network. Cloud native controls refer to the security controls that are native to the cloud provider. Secure web gateways (SWGs) detect malicious traffic and work at the Application layer in the cloud.
Which of the following is a network device that is deployed in the cloud to protect against unwanted access to a private network?
Cloud-based firewall A cloud-based firewall is a software network device that is deployed in the cloud. It protects against unwanted access to a private network. Cloud native controls refer to the security controls that are native to the cloud provider. A virtual area network (VAN) is a virtual LAN running on top of a physical LAN. This configuration enables guest virtual machines on separate physical hosts to communicate. A cloud-access security broker (CASB) is an on-premises, cloud-based software tool or service that sits between an organization and a cloud service provider.
Virtual Desktop Infrastructure (VDI)
Cloud-based services can be hosted externally by third-party service providers or internally on your own virtualization infrastructure. For example, internal private clouds are commonly used to provide a VDI. Using VDI, user desktops are virtualized, running on high-end hardware in the data center instead of on the end user's workstation hardware. The physical workstation is merely used to establish a remote connection to the user's virtualized desktop. This is sometimes called a thin client deployment because most of the computing power is provided by servers in the data center. Traditional deployments, where most of the processing load is handled by the local workstation, are called thick client deployments. Using VDI provides increased flexibility, enhanced security, efficient management, and better data protection than the traditional workstation-based desktop model. Consider the following advantages: > Workstation hardware costs are reduced. Only minimal workstation hardware is required to run a Remote Desktop (Windows) or VNC (Linux) client and connect to the private cloud. > User data on the desktop can be protected centrally by backing up the hypervisors where the virtualized desktops are running. There is no need to back up physical workstations separately. > If a user's physical workstation fails, no data is lost. The user can access the virtualized desktop from a different workstation while the failed hardware is repaired or replaced. > If a widespread malware infection hits multiple user desktops, the affected virtual systems can be quickly re-imaged on the hypervisor. There is no need to push large images down to end users' workstations over the network. > If a user loses a device, such as a notebook or tablet, there is much less of a chance that critical data will be compromised because no data is saved on the device.
A group of small local businesses have joined together to share access to a cloud-based payment system. Which type of cloud is MOST likely being implemented?
Community A community cloud is designed to be shared by several organizations. Access is restricted to users within the organizations who are sharing the community cloud infrastructure. A hybrid cloud is composed of a combination of public, private, and community cloud resources from different service providers. A public cloud can be accessed by anyone. A private cloud provides resources to a single organization.
Which of the following Intune portals is used by end users to manage their own account and enroll devices?
Company portal The Company portal is used by end users to manage their own account and enroll devices. The Admin portal is used to manage enrolled devices and policies. Add Intune Users is a configuration task that is completed in the Account portal. The Account portal is used to manage subscriptions, users, groups, and domains.
Permission management
Configuring permissions is essential in cloud data security. > To manage permissions, you can use buckets, which are containers that store your data. > Applying permissions to a bucket can help you manage who has access to sets of data. For example, a bucket may need to be globally readable at the first stage of a project, but it will need tighter permissions at the next stage. *Remember to always practice the principle of least privilege with cloud storage.
Intune Application Life Cycle
Each app in Intune goes through a life cycle. Intune provides a full range of tools to help manage apps during each phase. The following table describes these phases.
Why do attackers prefer to conduct distributed network attacks in static environments? (Select two.)
Devices tend to employ much weaker security than traditional network devices. Devices are typically more difficult to monitor than traditional network devices. Attackers prefer static environment devices to conduct distributed network attacks for the following reasons: > Static devices tend to employ much weaker security and are easier to exploit than traditional targets, such as desktops, notebooks, tablets, and smartphones. > Smart device vendors tend to reactively protect their products against security threats, responding only after an exploit has occurred instead of proactively defending systems. > Static devices are typically more difficult to monitor than traditional network devices. Because these devices operate in a static environment, you typically can't install third-party software on them, including anti-malware scanners. Because of their relatively weak security, these devices should not be deployed in an unsecure area of a network, such as the DMZ.
Cloud storage is a virtual service, so the infrastructure is the responsibility of the storage provider. Access control should be set as a local file system would be, with no need for the provider to have access to the stored data. You are implementing the following measures to secure your cloud storage: > Verify that security controls are the same as in a physical data center. > Use data classification policies. > Assign information into categories that determine storage, handling, and access requirements. > Assign information classification based on information sensitivity and criticality. Which of the following is another security measure you can implement?
Dispose of data when it is no longer needed by using specialized tools. Disposing of data when it is no longer needed by using specialized tools is another security measure you can implement. Creating versioned copies of your cloud data, configuring redundancy and distribution of data, and configuring distributed resources to act as one in a federated architecture are all measures that improve the fault tolerance and durability of your data.
Which of the following mobile device management (MDM) solutions is hardware-agnostic and supports many different brands of mobile devices?
EMM Enterprise mobility management (EMM) is the combination of MDM and MAM solutions in one package. EMM solutions are able to manage multiple brands and types of mobile devices in a single package. Mobile application management (MAM) solutions focus on managing the applications on a mobile device, but do not manage the device itself. Mobile device management (MDM) solutions allow IT administrators to remotely manage a mobile device even if it's a personally owned device used for work-related purposes. Unified endpoint management (UEM) is the next step in device management. These solutions provide a single point for all types of devices.
Your organization recently purchased 18 iPad tablets for use by the organization's management team. These devices have iOS pre-installed on them. To increase the security of these devices, you want to apply a default set of security-related configuration settings. What is the BEST approach to take to accomplish this? (Select two. Each option is part of a complete solution.)
Enroll the devices in a mobile device management (MDM) system. Configure and apply security policy settings in a mobile device management (MDM) system. A mobile device management (MDM) solution can push policies directly to each tablet device over a network connection. This option enables policies to be remotely enforced and updated without any action by the end user. The tablet devices must be enrolled in the MDM system before the policy settings can be applied. One of the key problems associated with managing mobile devices is the fact that they can't be joined to a Windows domain. This means Group Policy can't be used to automatically push security settings to mobile devices. For devices running Apple's iOS operating system, security settings can be distributed in a configuration profile. The profile can be defined so that only an administrator can delete the profile, or you can lock the profile to the device so that it cannot be removed without completely erasing the device. However, this option relies on the end user to install the profile, which can be problematic. It's also not a dynamic strategy. Making even the smallest change to your mobile device security policies requires a great deal of effort.
Enterprise Mobility Management
Enterprise mobility management is the combination of MDM and MAM solutions in one package. These policies allow a system administrator to remotely manage a mobile device's hardware and applications. As different brands and manufacturers of mobile devices came on the market, the ability to manage them all became more difficult. Enterprise mobility management solutions address this problem by being able to manage multiple types of devices in a single package. Microsoft's Intune is one of the most popular EMM solutions. Intune is included with any Windows Enterprise agreement of at least 500 users and supports all types of devices. Intune is integrated into the organization's Azure Active Directory, which simplifies device management even more. Intune allows the system administrator to: > Manage mobile devices > Manage mobile apps > Control data access > Comply with security policies
External storage devices
External storage devices such as USB flash drives, HDDs, and SSDs can connect to traditional computing equipment, as well as to many smart devices.
Field Programmable Gate Array (FPGA)
FPGA is an integrated circuit that the customer configures.
Geo-tagging
Geo-tagging embeds GPS coordinates within mobile device files, such as image or video files created with the device's camera. While this feature can be useful in some circumstances, it can also create security concerns. Geo-tagging embeds GPS coordinates within mobile device files, such as image or video files created with the device's camera. While this feature can be useful in some circumstances, it can also create security concerns. As a consequence, it is recommended that this functionality be disabled in mobile devices you manage.
Recently, a serious security breach occurred in your organization. An attacker was able to log in to the internal network and steal data through a VPN connection using the credentials assigned to a vice president in your organization. For security reasons, all individuals in upper management in your organization have unlisted home phone numbers and addresses. However, security camera footage from the vice president's home recorded someone rummaging through her garbage cans prior to the attack. The vice president admitted to writing her VPN login credentials on a sticky note that she subsequently threw away in her household trash. You suspect the attacker found the sticky note in the trash and used the credentials to log in to the network. You've reviewed the vice president's social media pages. You found pictures of her home posted, but you didn't notice anything in the photos that would give away her home address. She assured you that her smartphone was never misplaced prior to the attack. Which security weakness is the MOST likely cause of the security breach?
Geotagging was enabled on her smartphone. Geotagging embeds GPS coordinates within mobile device files (such as image or video files) created with the device's camera. While this feature can be useful in some circumstances, it can also create security concerns. In this scenario, the vice president probably posted geotagged images to her social media accounts. The attacker likely analyzed the images to discover where she lived and then conducted a dumpster dive attack that yielded the sticky note with the vice president's VPN credentials. The best way to remedy this weakness is to simply disable this functionality in the mobile devices you manage. Sideloaded apps can only be installed if the device administrator has specifically configured the device to allow them, so this is an unlikely cause. A weak smartphone password is a concern, but this would not be the cause of the exploit if the device were always in the vice president's possession. A Christmas tree attack is used to fingerprint network devices, not to gather personally identifiable information.
Device management
If a user brings a personally owned device on site, the organization needs to address clearly who is responsible for managing the device. Responsibility for the following needs to be defined: > Operating system updates > App updates > Anti-malware installation > Anti-malware definition updates Relying on the end user to implement these updates is unwise. Instead, consider implementing a network access control (NAC) solution that remediates devices before allowing them to connect to your network.
Support
If a user brings a personally owned device on site, the organization needs to address clearly who will provide support for the device and for the apps used on the device. Will the organization's help desk provide support, or must the user depend upon support provided by the device manufacturer? Implement an acceptable use policy that specifies: > Where users can get support for personally owned mobile devices. > Which apps are allowed for use with organizational data. > Where users can get support for these apps.
Loss of sensitive data control
If a user copies sensitive data to their device, the organization could potentially lose control of that information. Even the question of who owns the data after it has been copied to the personal device becomes problematic. Consider the following scenarios: > The user may not have implemented appropriate security settings on their device, allowing anyone who gains access to the device to view the sensitive data. > The user may lose the device, allowing anyone who finds it to access the sensitive data. > The device may become infected with malware, potentially exposing the sensitive data. Implement an acceptable use policy that defines which kinds of data are allowed on personally owned devices and which kinds of data are prohibited. Information classification labels can be useful when implementing this policy. Consider requiring personal devices to be enrolled with a mobile device management infrastructure, such as Windows Intune, to enforce mobile device security policies.
Malicious insider attacks
If a user is so inclined, they could use their mobile device to conduct a malicious insider attack. For example, they could: > Use the built-in camera, which nearly all modern mobile devices have, to take pictures of sensitive internal information. > Use the built-in microphone to record conversations. > Use the built-in video function to record proprietary processes and procedures. > Use the device's mobile broadband connection to transfer stolen data to parties outside the organization, bypassing the organization's network security mechanisms. Implement an acceptable use policy that: > Specifies where and when mobile devices can be possessed within the organization. For example, the possession of mobile devices may be prohibited in high-security areas. > Notifies users that personally owned devices are subject to random searches if brought on site.
Malware propagation
If a user's tablet or phone is infected with malware, the infection can be spread when he or she connects their device to the organization's network. Consider implementing a network access control (NAC) solution that remediates devices before allowing them to connect to your network. Alternatively, consider implementing a guest wireless network that is isolated from your organization's production network. User-owned devices can connect to this network to gain internet access but are quarantined from the rest of your organization's production network.
Your organization allows employees to bring their own devices into work, but management is concerned that a malicious internal user could use a mobile device to conduct an insider attack. Which of the following should be implemented to help mitigate this threat?
Implement an AUP that specifies where and when mobile devices can be possessed within the organization. To mitigate the threat of an insider attack, you should consider implementing an AUP that: > Specifies where and when mobile devices can be possessed within the organization. For example, the possession of mobile devices may be prohibited in high-security areas. > Notifies users that personally owned devices are subject to random searches if brought on site. A Network Access Control (NAC) solution would not help mitigate an insider attack with mobile devices. Implementing an Acceptable Use Policy (AUP) that specifies which apps are allowed for use with organizational data would not help mitigate an insider attack with mobile devices. Implementing a guest wireless network that is isolated from your organization's production network would not help mitigate an insider attack with mobile devices.
Choose your own device
In a CYOD system, the company provides a list of approved devices for an employee to choose from. The ownership and management of devices varies by organization.
Self-service portal
In a large organization, it is not feasible for the network administrator to manually push apps out to all users and groups for all devices. Therefore, a company can create a self-service portal using Intune that makes the distribution of apps easier for everyone.
The IT manager has tasked you with configuring Intune. You have enrolled the devices and now need to set up the Intune policies. Where would you go to set up the Intune policies?
In the Admin portal, select Policy > Add Policy. To set up Intune policies, access the Admin portal and then select Policy > Add Policy.
Which of the following are true concerning virtual desktop infrastructure (VDI)? (Select two.)
In the event of a widespread malware infection, the administrator can quickly reimage all user desktops on a few central servers. User desktop environments are centrally hosted on servers instead of on individual desktop systems. Virtual desktop infrastructure (VDI) is a service that hosts user desktop environments on centralized servers. Users access their desktops from low-end systems over a network connection using a remote display protocol such as Remote Desktop or Virtual Network Computing (VNC). This allows users to access their desktop environment with their applications and data from any location and from any client device. Roaming profiles are not needed. VDI provides administrators with a centralized client environment that is easier and more efficient to manage. For example, if a widespread malware infection hits multiple user desktops, the affected systems can be quickly reimaged on the VDI server. There is no need to push large images down to client systems over the network.
Displays
In the past, display devices had a single use as a monitor for a computer. Today's monitors and other display devices are increasingly embedded with smart features and have wireless connections.
What is the system that connects application repositories, systems, and IT environments in a way that allows access and exchange of data over a network by multiple devices and locations called?
Integration Cloud integration is the system that connects application repositories, systems, and IT environments in a way that allows access and exchange of data over a network by multiple devices and locations. Encryption is one method that a cloud provider can use to protect a customer's data. Instance awareness is the ability to apply cloud security within an application that has rules specific to an instance. Cloud service providers replicate data in multiple zones and within zones to provide high availability.
You notice that a growing number of devices, such as environmental control systems and wearable devices, are connecting to your network. These devices, known as smart devices, are sending and receiving data via wireless network connections. Which of the following labels applies to this growing ecosystem of smart devices?
Internet of Things (IoT) These smart devices are part of a growing ecosystem known as the Internet of Things (IoT). Environments that contain these types of devices are known as static environments. A static environment is one that never changes (or changes very infrequently) and that a network administrator has very little control over. For example, a smart television in an office has embedded technology that might never be updated, which creates a security hole in the company's network.
Your organization recently purchased 20 Android tablets for use by the organization's management team. You are using a Windows domain. Which of the following should you use to push security settings to the devices?
Intune Intune is Microsoft's cloud-based mobile device management (MDM) platform that allows a network administrator to remotely manage and secure mobile devices. The Credential Manager function that is implemented in most mobile operating systems can store usernames and passwords for the end user. Group Policy cannot be used to automatically push security settings to mobile devices. This is because the devices cannot be joined to a Windows domain. Application Control is implemented by each mobile operating system. This determines how apps are installed and where they come from.
Which of the following is the recommend Intune configuration?
Intune Standalone Intune Standalone is the recommended deployment method. Intune Standalone is a cloud-only solution that is managed using a web console that can be accessed from anywhere with internet access. Hybrid MDM with Configuration Manager is a solution that combines Intune's mobile device management capabilities into Configuration Manager. The Account portal is used to manage subscriptions, users, groups, and domains. The Company portal is used by end users to manage their own account and enroll devices.
Define Intune policies
Intune policies allow you to manage your mobile devices. You can perform tasks such as: > Configuring security settings > Applying updates > Configuring firewall settings *Policy settings can be applied to both standalone and domain-joined devices. However, policy conflicts can occur with domain-joined devices. To prevent this from happening, verify that domain-joined devices are not configured to receive the same configuration settings from both Active Directory Group Policies and Windows Intune. Intune provides the following policy templates containing recommended settings that you can deploy: > Mobile Device Security Policy > Windows Firewall settings > Windows Intune Agent settings > Windows Intune Center settings To set up your Intune policies, access the admin console and select Policy > Add Policy. Select the policy you wish to deploy and select Create and Deploy a Policy. At a minimum, it is recommended that you deploy all of the above policies using the default settings and apply them to either all devices or all users. If necessary, you can later modify the default settings in the policy. You can also configure specific devices or users that a policy applies to.
Intune MDM + MAM
Manage apps using MAM and app protection policies on devices enrolled in Intune MDM. In an MDM + MAM implementation, administrators use the Intune console in the Azure portal.
Appliances
Many appliances contain integrated technology that allows internet communication. For example, smart laundry appliances can send notifications when a load is complete or when laundry detergent needs to be refilled. Other common smart home appliances include: > Refrigerators > Dishwashers > Microwaves
Mobile Application Management
Mobile application management solutions focus on managing the applications on a mobile device but not the device itself. Licensed applications or custom-designed apps fall under MAM policies. Mobile application management provides the ability to: > Install and uninstall apps remotely. > Update apps as needed. > Limit functionality in an app as needed.
Which of the following is a solution that pushes security policies directly to mobile devices over a network connection?
Mobile device management (MDM) Mobile device management (MDM) is a solution that pushes security policies directly to each device over a network connection. MDM solutions enable policies to be remotely enforced and updated without any action by the end user. Many companies have MDM products, including Apple, Cisco, and Microsoft. The Credential Manager function that is implemented in most mobile operating systems can store usernames and passwords for the end user. Group Policy cannot be used to automatically push security settings to mobile devices. This is because the devices cannot be joined to a Windows domain. Application Control is implemented by each mobile operating system. It determines how apps are installed and where they come from (App Store, etc.).
Mobile Device Management
Mobile device management solutions allows IT administrators to remotely manage a mobile device even if it's a personally owned device being used for work-related purposes. MDM focuses on managing the device itself but not the applications or software. Mobile device management provides the ability to: > Track the device. > Push apps and updates (this is also known as provisioning the device). > Manage security settings, such as lock screens, passwords, etc. > Remotely wipe the device in case it is lost or stolen.
Security Considerations
Mobile device security considerations include: > Device content management. > Remote wipe. > The ability to restrict the device to a particular geographical area (geofencing). > The ability to manage location information, known as geolocation. > The requirement to lock the screen with passwords. > The management of push notification services that can send messages and information to the device when the screen is locked and the application is not active. > The ability to store and manage passwords for networks, websites, etc. > Biometrics. > Full device encryption.
Automobiles
Modern cars use integrated technologies and in-vehicle systems that can perform various tasks, such as: > Starting the car remotely using a smart phone > Warning a driver about nearby cars > Applying the brakes automatically to avoid collision > Performing parallel parking autonomously
9.9.5 Embedded and Specialized Systems Facts
More and more devices are becoming connected to the internet through embedded technology that allows the device to send and receive information. This lesson covers the following topics: > Types of embedded devices > Security risks
9.5.3 Cloud Security Controls Facts
Most organizations rely on cloud services or will in the future. Cloud services provide many benefits, but there are risks involved when data security is the responsibility of an outside source. To safeguard against vulnerabilities, implement a cloud security strategy. This lesson covers the following topics: > Cloud security concepts > Network security concepts > Cloud access
Medical devices
Much of today's medical technology for daily monitoring and maintenance uses embedded systems. Instead of having to visit a physician every day, wearable devices can be used to collect information on heart rate, glucose levels, weight, blood pressure, and other parameters. This information can then be sent to a doctor automatically or used for self-monitoring.
The IT manager has tasked you with implementing a solution that ensures that mobile devices are up to date, have anti-malware installed, and have the latest definition updates before being allowed to connect to the network. Which of the following should you implement?
NAC A Network Access Control (NAC) solution can remediate devices before allowing them to connect to your network. This includes defining that a device is fully updated, has anti-malware installed, and has the latest definition updates. The Bring Your Own Device (BYOD) model has users bringing in their personal devices and using them for business use. A mobile device management (MDM) infrastructure, such as Microsoft Intune, can be used to track, manage, and even remotely wipe a user's mobile device. A virtual desktop infrastructure (VDI) can be used with any device-deployment model. A VDI allows mobile devices to establish a remote connection to a virtualized desktop.
Google Cloud, Amazon Web Services (AWS), and Microsoft Azure are some of the most widely used cloud storage solutions for enterprises. Which of the following factors prompt companies to take advantage of cloud storage? (Select two.)
Need to bring costs down Growing demand for storage Some of the most widely used cloud storage for enterprises are Google Cloud, Amazon Web Services, and Microsoft Azure. Because of the growing demand for storage and desire to bring costs down, many companies have been taking advantage of cloud storage.
9.6.4 Enforcing Mobile Device Security Facts
One of the key problems associated with managing mobile devices is the fact that they can't be joined to a Windows domain. This means Group Policy can't be used to automatically push security settings to mobile devices. This lesson covers the following topics: > Mobile device management (MDM) > Windows Intune > Windows Intune configurations > System configuration for Windows Intune
Mobile Device Management (MDM)
One option you can use instead of Gorup Policy is mobile device management (MDM). Its security settings include the following: > Security settings can be manually configured on each individual device. This option doesn't require any additional infrastructure to be implemented. However, it can be a time-consuming task for the administrator (especially in a large organization with many mobile devices) and is not recommended. > For devices running Apple's iOS operating system, security settings can be distributed in a configuration profile for users to install. The profile can be defined so that only an administrator can delete the profile, or you can lock the profile to the device so that it cannot be removed without completely erasing the device. This option also doesn't require any additional infrastructure for implementation. However, it does rely on the end user to actually implement the profile, which can be problematic. Additionally, it is not a dynamic strategy, so making even the smallest change to your mobile device security policies would require a great deal of effort to implement. > A mobile device management solution that pushes security policies directly to each device over a network connection can be implemented. This option enables policies to be remotely enforced and updated without any action by the end user. Many companies have MDM products, including Apple, Cisco, and Microsoft.
Windows Intune
One widely used MDM solution is Windows Intune, which provides cloud-based mobile device management that allows you to remotely manage and secure mobile devices (as well as standard desktop systems starting with Windows 7 or later). Intune cannot by used to manage Windows Server. The table below shows which operating systems Windows Intune currently supports:
Which of the following BEST describes the Platform as a Service (PaaS) cloud computing service model?
PaaS delivers everything a developer needs to build an application on the cloud infrastructure. Platform as a Service (PaaS) delivers everything a developer needs to build an application on the cloud infrastructure. The deployment comes without the cost and complexity of buying and managing the underlying hardware and software layers. Software as a Service (SaaS) delivers software applications to the client either over the internet or on a local area network. Infrastructure as a Service (IaaS) delivers infrastructure to the client, such as processing, storage, networks, and virtualized environments. The client deploys and runs software without purchasing servers, data center space, or network equipment. Data as a Service (DaaS) stores and provides data from a centralized location without the need for local collection and storage.
Which type of firewall protects against packets coming from certain IP addresses?
Packet-filtering Packet-filtering firewalls work on Layer 3. They are considered to be first-generation firewalls. These firewalls check a packet's source and destination address, protocol, and destination ports. They can protect against packets coming from certain IP addresses. Transport layer (Layer 4) firewalls are considered to be stateful firewalls. They are referred to as second-generation firewalls. A circuit-level gateway firewall operates at the Session layer of the OSI model. Application layer firewalls work on Layer 7 of the OSI model. They are considered third-generation firewalls.
Which of the following BEST describes a virtual desktop infrastructure (VDI)?
Provides enhanced security and better data protection because most of the data processing is provided by servers in the data center rather than on the local device. A virtual desktop infrastructure (VDI) can be used with any of the above models, including BYOD, to allow mobile devices to establish a remote connection to a virtualized desktop. Using a VDI provides enhanced security and better data protection because most of the data processing is provided by servers in the data center rather than on the local device. The Corporate-Owned, Personally Enabled (COPE) model gives businesses significant control over device security while allowing employees to use their devices to access both corporate and personal data. A possible remedy for the loss of sensitive date is to implement an Acceptable Use Policy (AUP) that defines which kinds of data are allowed on personally owned devices and which kinds of data are prohibited. A possible remedy for malicious insider attacks is to implement an AUP that specifies where and when mobile devices can be possessed within the organization. For example, the possession of mobile devices may be prohibited in high-security areas.
Match each description on the left with the appropriate cloud technology on the right.
Public cloud Provides cloud services to just about anyone. Private cloud Provides cloud services to a single organization. Community cloud Allows cloud services to be shared by several organizations. Hybrid cloud Integrates one cloud service with other cloud services. Cloud computing can be implemented in several different ways, including the following: > A public cloud can be accessed by anyone. Cloud-based computing resources are made available to the general public by a cloud service provider. The service provider may or may not require a fee for use of these resources. For example, Google provides many publicly accessible cloud applications, such as Gmail and Google Docs. > A private cloud provides resources to a single organization. Access is restricted to only the users within that organization. An organization commonly enters into an agreement with a cloud service provider, which provides secure access to cloud-based resources. The organization's data is kept separate and secure from any other organization using the same service provider. > A community cloud is designed to be shared by several organizations. Access is restricted to only users within the organizations who are sharing the community cloud infrastructure. Community clouds are commonly hosted externally by a third party. > A hybrid cloud is composed of a combination of public, private, and community cloud resources from different service providers. The goal behind a hybrid cloud is to expand the functionality of a given cloud service by integrating it with other cloud services.
Which of the following app deployment and update methods allows an administrator to remove apps and clear all data from a device without affecting the device itself?
Remote management With remote management, when an employee leaves an organization, an administrator can remotely remove apps and clear all data from a device without affecting the device itself. A company can create a self-service portal using Intune that makes the distribution of apps easier for everyone. Bring Your Own Device (BYOD) is a policy that allows a user to use their personal device for business purposes. An app catalog allows the organization to define the apps that a user can and cannot use.
A smartphone was lost at the airport. There is no way to recover the device. Which of the following ensures data confidentiality on the device?
Remote wipe Remote wipe, also known as sanitization, remotely clears specific, sensitive data on a mobile device. This ensures that whoever has the device cannot see the sensitive data. This task is also useful if you are assigning the device to another user or after multiple incorrect entries of the password or PIN. Data encryption also ensures data confidentiality on the device. Voice encryption (on mobile phones) ensures data confidentiality during transit. Global Positioning System (GPS) tracking can assist in the recovery of the device by displaying its current location. A lockout (or screen lock) disables the device's interface after a short period of inactivity. The correct password or personal identification number (PIN) unlocks the device. Trusted Platform Module (TPM) is a hardware chip on the motherboard that can generate and store cryptographic keys to check the integrity of startup files and components.
Which of the following devices are special computer systems that gather, analyze, and manage automated factory equipment?
SCADA Supervisory control and data acquisition (SCADA) devices are special computer systems that gather, analyze, and manage automated factory equipment. A system on a chip (SoC) is an integrated circuit that includes all components of a typical computer system, including digital, analog, mixed-signal, and radio frequency functions. A multi-function display (MFD) is a screen surrounded by configurable buttons that can be used to display information in a variety of ways. Unmanned Aerial Vehicles (UAVs) are used for military campaigns, search and rescue, weather monitoring, and recreation.
You are the security administrator for your organization. You have implemented a cloud service to provide features such as authentication, anti-malware, intrusion detection, and penetration testing. Which cloud service have you most likely implemented?
SECaaS Security as a Service (SECaaS) providers integrate their services into a corporate infrastructure. The applications and software are specific to organizational security. SECaaS is based on the Software as a Service (SaaS) cloud computing model. However, it is limited to information security services and does not require on-premises hardware. These security services can include authentication, antivirus, anti-malware, spyware, intrusion detection, penetration testing, and security event management. IaaS delivers infrastructure to the client, such as processing, storage, networks, and virtualized environments. PaaS delivers everything a developer needs to build an application. SaaS delivers software applications to the client over the internet or on a local area network.
Security as a Service (SECaaS)
SECaaS providers integrate their services into a corporate infrastructure. The applications and software are specific to organizational security. SECaaS is based on the Software-as-a-Service cloud computing model, but is limited to information security services and does not require on-premises hardware. These security services can include authentication, anti-virus, anti-malware, spyware, intrusion detection, penetration testing, and security event management. SECaaS can sometimes be much more cost effective for an organization than having to pay for all the necessary equipment and personnel to properly protect a network from viruses, malware, and instruction. However, it is still necessary to have an on-site security professional.
Which of the following cloud computing solutions delivers software applications to a client either over the internet or on a local area network?
SaaS Software as a Service (SaaS) delivers software applications to the client either over the internet or on a local area network (LAN). Infrastructure as a Service (IaaS) delivers infrastructure to the client, such as processing, storage, networks, and virtualized environments. The client deploys and runs software without purchasing servers, data center space, or network equipment. Platform as a Service (PaaS) delivers everything a developer needs to build an application on the cloud infrastructure. The deployment comes without the cost and complexity of buying and managing the underlying hardware and software layers. Data as a Service (DaaS) stores and provides data from a centralized location without the need for local collection and storage.
Software as a Service (SaaS)
SaaS delivers software applications to the client over the internet or on a local area network. SaaS comes in two implementation types: > Simple multi-tenancy in which each customer has its own resources that are segregated from other customers. > Fine grain multi-tenancy segregates customers, but resources are shared.
Which of the following mobile device security considerations disables the ability to use the device after a short period of inactivity?
Screen lock A lockout (or screen lock) disables the ability to use the device after a short period of inactivity. The correct password or personal identification number (PIN) unlocks the device. Remote wipe, also known as sanitization, remotely clears specific, sensitive data on a mobile device. This task is also useful if you are assigning the device to another user or after multiple incorrect password or PIN entries. Data encryption also ensures data confidentiality on the device. Voice encryption (on mobile phones) ensures data confidentiality during transit. Global Positioning System (GPS) tracking can assist in a device's recovery by displaying its current location. Trusted Platform Module (TPM) is a hardware chip on the motherboard that can generate and store cryptographic keys to check the integrity of startup files and components.
Secrets management
Secrets management is the method for managing authentication credentials which can include passwords, encryption keys, usernames, email addresses, and private certificates. To secure secrets: > Centralize all secrets across your network using one tool for management. > Ensure password security through: - Regular rotation - Complexity - Password expirations > Remove default and hardcoded credentials from: - Applications - Code files - Test builds - Production builds
Which of the following is a network security service that filters malware from user-side internet connections using different techniques?
Secure web gateway Secure web gateways (SWGs) are network security services that filter malware from user-side internet connections. SWGs use URL filtering, application control, data loss prevention, HTTPS inspections, and antivirus protection. A cloud-based firewall is a software network device that is deployed in the cloud. It protects against unwanted access to a private network. A cloud-access security broker (CASB) is an on-premises, cloud-based software tool or service that sits between an organization and a cloud service provider. A virtual area network (VAN) is a virtual LAN running on top of a physical LAN. This configuration enables guest virtual machines on separate physical hosts to communicate.
BYOD Security Issues
Security administrators need to keep the following BYOD security issues in mind:
Which of the following do Raspberry Pi systems make use of?
SoC A system on a chip (SoC) is an integrated circuit that includes all components of a typical computer system, including digital, analog, mixed-signal, and radio frequency functions. Raspberry Pi is a common device that uses an SoC. Because of their relatively low cost, SoCs are often used by hobbyists. A real-time operating system (RTOS) is an operating system that serves real-time applications without buffer delays. They are generally used in systems that require a response within a strict time constraint. Supervisory control and data acquisition (SCADA) devices are special computer systems that gather, analyze, and manage automated factory equipment. A Field-Programmable Gate Array (FPGA) is an integrated circuit configured by the customer.
Virtual switch (vSwitch)
Software that facilitates the communication between virtual machines by checking data packets before moving them to a destination.
Building/facility automation
Some facilities use a network of integrated devices that control various aspects, creating what is known as facility automation. Some of the devices that are integrated with facility automation include: > Lighting controls > Security systems > Door locks > Sprinkler systems > Garage doors > Smart meters
Industrial equipment
Some industrial equipment also fits into the category of a smart device. Supervisory control and data acquisition (SCADA) devices are special computer systems that gather, analyze, and manage automated factory equipment. For example, a SCADA system could be used to monitor factory pipes and automatically open valves if pressure in the pipe system reaches a specific threshold. SCADA is a subset of Industrial Control Systems (ICS), which refers to all types of industrial automation.
Cloud Storage Access
Standard security access measures are even more important when using cloud computing. The following table describes security access measures to implement when using cloud computing.
Public and private subnets
Subnets are subdivisions of an IP network. > Public subnets can send outbound traffic directly to the internet. > Private subnets access the internet through a network address translation (NAT) gateway within a public subnet. Database servers can connect to the internet through a NAT gateway, but internet connections are not established directly to the database servers. Subnets, give you greater control over who has access to your network. Dividing your network limits traffic, exposure, and potential damage from an attack. For example, if an attacker gains access or inserts malicious code into one subnet, the attack is confined to that subnet.
Mobile device management
The administration of mobile devices. MDM software generally allows for tracking devices; pushing apps and updates; managing security settings; and remotely wiping the device.
Authentication and credential management
The average end user must remember passwords for various network resources and services, including web-based services. To make life easier, the credential management function implemented in most mobile operating systems can store usernames and passwords for the end user. A good example is Credential Manager in Windows RT. The iOS operating system performs a similar function using an encrypted keychain for storing digital identities, usernames, and passwords. When the user accesses a password-protected network resource or website, the credential management software supplies the necessary username and password, effectively allowing the user to automatically log in. While using credential management software is convenient for the end user, it can also represent a security risk. For example, suppose a user has stored credentials to a sensitive network resource or website on a mobile device and then loses that device. If the user failed to secure the device with a password or PIN, a malicious individual could exploit the stored credentials to gain unauthorized access. It is recommended that you train users to not store credentials to sensitive network resources on their mobile devices.
Unified Endpoint Management
The need to manage so many different devices has become an issue for organizations. Devices such as printers, workstations, servers, and others are managed in Active Directory. However, mobile devices need to be managed separately. A recent solution to this is unified endpoint management. UEM is the next step in device management. These solutions provide a single point for all types of devices, including: > Workstations > Printers > Mobile devices > IoT devices > Wearable Devices UEM is the joining together of traditional device management and enterprise mobility management solutions.Wearable devices
9.7.2 Mobile Device Management Facts
The use of mobile devices in the workplace has increased rapidly over the past few years. The management of these devices has become a big concern for system administrators. Many organizations allow users to bring their own devices and use them for work-related purposes. This practice, known as bring your own device (BYOD) requires the organization to develop a set of policies to manage these devices, which allow the organization to ensure the mobile devices are secured and can be managed remotely. There are four main types of mobile device management solutions. This lesson covers the following topics: > Mobile device management (MDM). > Mobile application management (MAM). > Enterprise mobility management (EMM). > Unified endpoint management (UEM).
Cloud Native Controls vs. Third-party Solutions
There are a few things to consider in choosing to implement the security controls native to the cloud service provider or to add a third-party security solution to meet your security needs and requirements. To help with this decision: > List all requirements and check those against what your native controls offer and what the cloud service provider offers. > Look at how each option can meet your security and compliance requirements. > Look for third-party solutions for any unmet requirements at the native level. > Be sure that the third-party options utilize the cloud provider's APIs.
The IT manager has tasked you with installing new physical machines. These computer systems are barebone systems that simply establish a remote connection to the data center to run the user's virtualized desktop. Which type of deployment model is being used?
Thin client This type of deployment is often referred to as a thin client deployment. This deployment utilizes virtual desktop infrastructure (VDI) to virtualize a user's desktop. The client machine is essentially only used to connect to the high-end machines in the data center. IaaS delivers infrastructure to the client, such as processing, storage, networks, and virtualized environments. PaaS delivers everything a developer needs to build an application. Traditional deployments, where most of the processing load is handled by the local workstation, are called thick client deployments.
Deployment Model Alternatives
To better secure mobile devices used by company employees, consider the following deployment model alternatives to BYOD: > Corporate-owned device: A corporate-owned device strategy lets businesses more effectively monitor and control activities performed on mobile devices. One advantage of this model is that businesses can purchase devices at significant discounts. The corporate-owned model also includes the option of restricting mobile device use to the workplace only. However, employees who need access to corporate email and other data after hours may feel compelled to use their personal devices for such access. > Corporate-owned, personally enabled (COPE): The COPE model gives businesses significant control over device security while allowing employees to use the devices to access both corporate and personal data. Because the company owns the device, it can be secured more easily and wiped clean if lost or stolen. One disadvantage of this model is that employees who are not free to choose their own devices may end up bringing their own anyway. > Choose your own device (CYOD): The CYOD model provides slightly more flexibility in giving users a limited selection of devices to choose from. But since the devices are still corporate-owned devices, IT managers can implement more effective security measures to prevent breaches. > Virtual desktop infrastructure (VDI): VDI can be used with any of the above models, including BYOD, to allow mobile devices to establish a remote connection to a virtualized desktop. Using VDI provides enhanced security and better data protection because most of the data processing is provided by servers in the data center rather than on the local device.
Enroll mobile devices
To enroll mobile devices in Intune, you must first enable mobile device management in the Admin Console. Select the Administration workspace; then select Mobile Device Management > Set Mobile Device Management Authority > Yes. Users must configure mobile devices with the address of the Intune enrollment server (enterpriseenrollment-s.manage.microsoft.com) during the enrollment process. Be sure users are provided with this address prior to starting the device enrollment process. At this point, Windows RT mobile devices can be enrolled with Windows Intune. To enroll a Windows RT device, search for and run Company Apps; then enter your Intune user ID and password along with the address of the enrollment server. Once enrolled, select the link displayed to install the management app from the Windows store. If you want to enroll other types of mobile devices, you must configure Intune for each platform you plan to support. For example, if you want to manage iOS devices, you must obtain an Apple Push Notification service (APNs) certificate and then upload it to Intune. Alternatively, if you plan to support Windows Phone 8 devices, you must get a Windows Phone Dev Center account and upload a signed enterprise mobile code certificate to Intune.
Cloud security infrastructure
To ensure your cloud service provider has and maintains a strong security infrastructure: > Verify the provider's firewall protection from external sources. If the firewall is inadequate, provide your own. > Verify the log monitoring and analysis tools offered by your provider.
Root account security
To secure the root account: > Create an administrative group and assign rights to it. > Do not give rights to any other groups or individual users. > Use groups to control the level of access to files and programs.
Network Concepts
To understand how to secure your applications and data in the cloud, it helps to understand network concepts that enhance security.
Mobile device management (MDM) provides the ability to do which of the following?
Track the device. Mobile device management (MDM) solutions allow IT administrators to remotely manage a mobile device even if it's a personally owned device being used for work-related purposes.
Unmanned aerial vehicles (UAV)
UAVs are used for military campaigns, search and rescue, weather monitoring, and recreation. UAVs use embedded computers for collecting and transmitting data and for receiving commands.
Which of the following mobile device management (MDM) solutions allows an organization to manage all devices, including printers, workstations, and even IoT devices?
UEM Unified endpoint management (UEM) is the next step in device management. These solutions provide a single point for all types of devices. This includes workstations, printers, mobile devices, IoT devices, and wearable devices. Mobile application management (MAM) solutions focus on managing the applications on a mobile device, but not on managing the device itself. Mobile device management (MDM) solutions allows IT administrators to remotely manage a mobile device even if it's a personally owned device being used for work-related purposes. Enterprise mobility management (EMM) is the combination of MDM and MAM solutions in one package.
Which formula is used to determine a cloud provider's availability percentage?
Uptime/uptime + downtime To determine the best cloud provider for your organization, compare cloud service providers' availability percentages. > Availability percentage = uptime/uptime + downtime. > The higher the percentage, the more resilient and reliable a provider is. None of the other formulas are correct.
You manage information systems for a large co-location data center. Networked environmental controls are used to manage the temperature within the data center. These controls use embedded smart technology that allows them to be managed over an internet connection using a mobile device app. You are concerned about the security of these devices. What can you do to increase their security posture? (Select two.)
Verify that your network's existing security infrastructure is working properly. Install the latest firmware updates from the device manufacturer. Since you generally have little or no control over the embedded technology within smart environmental control devices, they are referred to as static environments. As a result, there is typically very little you can do to increase the security posture for these types of devices. For environmental controls, you may be able to perform the following, depending upon the device manufacturer: > Install the latest firmware updates from the device manufacturer. > Verify that your network's existing security infrastructure is working properly. Because these devices operate in a static environment, you typically can't install third-party software on them, including anti-malware scanners or mobile device management (MDM) agents. Relying on the device manufacturer for security updates is problematic because manufacturers can be slow to take steps to protect their products against security threats. Manufacturers tend only to respond after an exploit has occurred instead of proactively defending their systems.
Wi-Fi-enabled microSD cards
Wi-Fi-enabled MicroSD cards can wirelessly transfer data to and from other devices. Many of them connect directly to the internet.
Virtual networks
Virtual networks connect virtual machines and devices through software. Network virtualization can also include combining network hardware resources and network software resources into one unit. > Virtual networks have a physical underlay that is made of physical servers and routers. Underlays use bridges and routers for traffic. > Virtual networks also have overlays that are connected to the underlay through a router. Overlays have virtual routers and bridges that connect the virtual machines within the virtual network. > Tunnel endpoints (TEPs) connect encapsulated data from the virtual network to physical network servers. > Segments are used in the virtual network to reduce traffic and keep areas within the virtual network separate. > Firewalls can also be used in the virtual network to protect segments through micro segmentation. > Virtual networks provide limited access to resources because most of the network functions in an isolated environment. Virtual networks: - Limit costs. - Allow you to create the virtual machines, routers, bridges, and firewalls to suit your needs.
Which of the following lets you make phone calls over a packet-switched network?
VoIP Voice over IP (VoIP) is a protocol optimized for the transmission of voice data (telephone calls) through a packet-switched IP network. VoIP routes phone calls through an IP network, including the internet. VoIP solutions can integrate with a public-switched telephone network (PSTN) to allow VoIP customers to make and receive external calls. A Field-Programmable Gate Array (FPGA) is an integrated circuit configured by the customer. A real-time operating system (RTOS) is an operating system that serves real-time applications without buffer delays. They are generally used in systems that require a response within a strict time constraint. Supervisory control and data acquisition (SCADA) devices are special computer systems that gather, analyze, and manage automated factory equipment.
Voice over IP (VoIP)
Voice over IP is a protocol optimized for the transmission of voice data (telephone calls) through a packet-switched IP network. VoIP routes phone calls through an IP network, including the internet. VoIP solutions can integrate with the public switched telephone network (PSTN) to allow VoIP customers to make and receive external calls.
Windows Intune Configurations
Windows Intune can be deployed in two different configurations: > Intune Standalone is the recommended deployment method. Intune Standalone is a cloud-only solution that is managed using a web console that can be accessed from anywhere with internet access. > Hybrid MDM with Configuration Manager is a solution that combines Intune's mobile device management capabilities into Configuration Manager. It uses Intune for policies, profiles, and applications for devices, but it uses Configuration Manager to administer content and manage the devices. *This course covers only cloud-only deployments. Deploying Intune in United Configuration Mode requires experience and skill beyond the scope of this course. You must first sign up for an account at Microsoft's website before you can use Intune. After you sign up for an Intune account, you can manage the deployment using the following Intune Management Portals: > Account Portal (https://account.manage.microsoft.com) is used to manage subscriptions, users, groups, and domains. End users can also use the account portal to manage their passwords. > Admin Portal (https://admin.manage.microsoft.com) is used to manage enrolled devices and policies. > Company Portal (https://portal.manage.microsoft.com) is used by end users to manage their own account and enroll devices.
Add Intune users
Windows Intune uses administrative and standard users. The first user account created when you sign up for an Intune subscription is made an administrator by default. Additional standard users can be created and managed using the account console by selecting Management > Users > New > User. *You can also synchronize users and groups into the account console from your Active Directory domain.
Manage users and groups
Windows Intune uses two types of groups: > User groups allow you to deploy software and mobile device security polices to specific user accounts. > Device groups allow you to deploy software, Intune agent settings, and firewall settings to specific devices. To add groups using the Account Console, select Admin > Security Groups > New > Group.
9.8.6 Create a Guest Network for BYOD
You are a network technician for a small corporate network. You need to enable BYOD Guest Access Services on your network for guests and employees that have mobile phones, tablets, and personal computers. In this lab, your task is to perform the following: > Access the Wireless Controller console through Google Chrome on http://192.168.0.6. - Username: admin (case sensitive) - password: password > Set up Guest Access Services using the following parameters: - Name: Guest_BYOD - Authentication: Use guest pass authentication - The guest should be presented with your terms of use statement and then allowed to go to the URL he or she was trying to access. - Verify that 192.168.0.0/16 is on the list of restricted subnets. > Create a guest WLAN using the following parameters: - Network name: Guest - ESSID: Guest_BYOD - Type: Guest Access - Authentication: Open - Encryption Method: None - Guest Access Service: Guest_BYOD - Isolate guest wireless clients from other clients on the access point. > Open a new Google Chrome window and request a guest pass using the BYODAdmin user as follows: - URL: 192.168.0.6/guestpass - Username: BYODAdmin (case sensitive) - Password: P@ssw0rd (0 is a zero) - Use any full name in the Full Name field. - Make a note of or copy and paste the key in the Key field. > Use the key from the guest pass request to authenticate to the wireless LAN Guest_BYOD from the Gst-Lap laptop computer in the Lobby. Complete this lab as follows: 1. Access and log into the Ruckus ZoneDirector. a. From the taskbar, select Google Chrome. b. In the URL field, enter 192.168.0.6 and then press Enter. c. Maximize the window for easier viewing. d. In the Admin field, enter admin (case sensitive). e. In the Password field, enter password as the password. f. Select Login. 2. Set up Guest Access Services. a. Select the Configure tab. b. From the left menu, select Guest Access. c. Under Guest Access Service, select Create New. d. Change the Name field to Guest_BYOD. e. For Terms of Use, select Show terms of use. f. Expand Restricted Subnet Access. g. Verify that 192.168.0.0/16 is listed. h. Select OK. 3. Create a Guest WLAN. a. From the left menu, select WLANs.Under WLANs, select Create New. b. Change the Name to Guest. c. Change the ESSID to Guest_BYOD. d. Under Type, select Guest Access. e. For Wireless Client Isolation, select Isolate wireless client traffic from other clients on the same AP. f. Select OK. g. Close Google Chrome. 4. Request a Guest password. a. . Open a new Google Chrome browser window. b. In the URL field, enter 192.168.0.6/guestpass and then press Enter. c. Maximize the window for easier viewing d. .In the Username field, enter BYODAdmin (case sensitive). e. Enter P@ssw0rd as the password (0 is a zero). f. Select Log In. g. In the Full Name field, enter any full name. h. In the Key field, highlight the key and press Ctrl + C to copy the key. i. Select Next. 5. Access the wireless Guest Access Service from the guest laptop in the lobby. a. From the top menu, select Floor 1. b. Select Gst-Lap in the lobby. c. In the notification area, select the Network icon. d. Select Guest_BYOD. e. Select Connect. f. Select Yes. g. After Internet Explorer opens to the Guest Access login page, paste the key from the Key field. h. Select Log In.
Enroll computers
You can enroll standard computer systems (desktops and notebooks) in Windows Intune in one of two ways: > Administrator enrollment requires an Intune administrator to set up the enrollment for a specific user. > Useterm-205r enrollment allows a user to enroll a computer through the Company Portal. Before you can enroll a system in Intune, you must first download and install the Intune client software on the computer. To do this using administrator enrollment, complete the following: 1. Open a browser and access the Admin Console. 2. Select Administration > Client Software Download > Download Client Software. 3. Once this zip file has downloaded, extract its contents and run the Windows_Intune_Setup.exe file as an administrator user. 4. After the installation is complete, restart the computer. The newly managed computer should appear in the Intune Admin Console after a few minutes. Administrator-enrolled computers must be manually linked to an Intune user ID. In the Admin Console, go to Groups > All Devices; then select the device and select Link User. A user can self-enroll a computer by opening a browser, accessing the company portal, and logging in using his or her Intune user ID. Then he or she can select the option to enroll the current device. User-enrolled devices are automatically linked to the user ID that enrolled them.
9.8.4 Secure an iPad
You work as the IT security administrator for a small corporate network. The receptionist uses an iPad to manage employees' schedules and messages. You need to help her secure the iPad because it contains all of the employees' personal information. In this lab, your task is to: > View the current iOS version and then answer the applicable question. > Apply the latest software update and then answer the applicable question. > Configure Auto-Lock with a five-minute delay. > Configure Passcode Lock using a passcode of C@sp3r > Require the passcode after five minutes. > Configure Data Erase to wipe all data after 10 failed passcode attempts. > Require unknown networks to be added manually. > Turn off Bluetooth. Complete This Lab as Follows: 1. Verify the current version of iOS installed on your iPad. a. Select Settings. b. From the Settings pane, select General. c. From the General pane, select About. d. In the top right, select Answer Questions. e. Answer Question 1. Leave the question dialog open. 2. Apply the latest software update. a. From the About pane's heading, select General. This returns you to the General settings. b. From the General pane, select Software Update. c. Select Download and Install. d. Select Agree. e. Select OK. The software is downloaded. f. Select Install. g. The installation automatically starts after 10 seconds. h. Slide the arrow to the right to unlock the iPad. i. Answer Question 2 and then minimize the question dialog. 3. Configure Auto-Lock. a. From the Settings pane, select Display & Brightness. b. From the right pane, select Auto-Lock and then select 5 minutes. 4. Configure Complex Passcode Lock and Data Erase. a. From the left menu, select Touch ID & Passcode. b. From the right pane, select Turn Passcode On. c. Enter the new passcode of C@sp3rSelect Next. d. Re-enter [email protected] Done. e. Scroll down and then slide Erase Data to ON. f. Select Enable. g. Select Require Passcode. h. Select After 5 minutes. 5. Require unknown networks to be manually added. a. From the left menu, select Wi-Fi. b. Slide Ask to Join Networks to OFF. 6. Turn off Bluetooth as follows: a. From the left pane, select Bluetooth. b. Slide Bluetooth to OFF. c. In the top right, select Answer Questions. d. Select Score Lab.
Zigbee
Zigbee is a radio protocol that creates low-rate private area networks.
Cloud
A metaphor for the internet.
Type 2 hypervisor
Known as a hosted hypervisor. It runs as an application on a conventional operating system. While it may be used in a production environment, a type 2 hypervisor is most often used as a development sandbox. Examples of Type II hypervisors are: > VMware Workstation and VMware Player > Oracle Virtual Box > Microsoft Hyper-V built into Windows 8.1 and 10 > Parallels Desktop for Mac
Which of the following is an advantage of software-defined networking (SDN)?
More granular control One of the advantages of SDN is more granular control. Some disadvantages of SDN include: Is currently a new technology Lack of vendor support Standards are still being developed
Community cloud
Platforms, applications, storage, or other resources that are shared by several organizations.
Hypervisor
A thin layer of software that resides between the guest operating system and the hardware. It creates and runs virtual machines.
Disadvantages of virtualization include:
> An attack on the host machine could compromise all guest machines operating on that host. > A bottleneck or failure of any hardware component that is shared between multiple guests, such as a failure in a disk subsystem, could affect multiple virtual machines. > While the administration is centralized, virtualization is a newer technology and requires new skills. Managing virtual servers can add complexity. > Your configuration is susceptible to server sprawl, a condition that delays patch and security update management due to the number of virtual machines that must be managed.
Some advantages of SDN include:
> Centralized management > More granular control > Lower overall cost and labor > Give new life to old networking hardware > Gather network information and statistics > Facilitate communication between hardware from different vendors
Load Balancing
A technique that disperses a workload between two or more computers or resources to achieve optimal resource utilization, throughput, or response time.
Which of the following are disadvantages of server virtualization?
A compromised host system might affect multiple servers. Virtualization allows a single physical machine (known as the host operating system) to run multiple virtual machines (known as guest operating systems). The virtual machines appear to be self-contained and autonomous systems. Disadvantages of virtualization include: > An attack on the host machine could compromise all guest machines operating on that host. > A bottleneck or failure of any hardware component that is shared between multiple guests, such as a failure in a disk subsystem, could affect multiple virtual machines. > While administration is centralized, virtualization is a newer technology and requires new skills, so managing virtual servers could add complexity. A compromise of a guest system is typically limited to that system only because each virtual machine is kept partitioned from other guest machines. System isolation, if configured, is an advantage of virtualization. Isolation is typically used for testing purposes and prevents unreliable applications from interfering with other systems. Virtual systems do not need to be isolated. They can be configured to have full network access to other virtual machines or other network devices. An advantage of virtualization is reduced hardware costs.
Hypervisor
A hypervisor is a thin layer of software that resides between the guest operating system and the hardware. A hypervisor allows virtual machines to interact with the hardware without going through the host operating system. There are two types of hypervisors.
Physical machine
A physical machine, also known as the host operating system, has the hardware, such as the hard disk drive(s), optical drive, RAM, and motherboard.
Virtual router (vRouter)
A software function that replicates the functionality of a physical router. Because virtual routing liberates the IP routing function from specific hardware, you can more freely move routing functions around a network.
Virtual Machine
A software implementation of a computer that executes programs like a physical machine.
Isolation
A virtual machine can be isolated from the physical network to allow testing to be performed without impacting the production environment. This is called sandboxing. > Sandboxed virtual machines offer an environment in which malware can be executed with minimal risk to equipment and software. > Sandboxing virtual machines protects them from many kinds of security threats. > To allow isolated virtual machines to communicate with each other, create a new virtual switch configured for host-only (internal) networking. Connect the virtual network interfaces in the virtual machines to the virtual switch.
Virtual machine
A virtual machine, also known as the guest operating system, is a software implementation of a computer. The virtual machine executes programs in the same way a physical machine executes programs. The virtual machine appears to be a self-contained and autonomous system.
Virtual Networks
A virtual network is a computer network consisting of virtual and physical devices. Organizations generally use virtual devices to save money. By using less physical storage space, a company is able to have considerably more devices in a network while using very little space in a data center. With virtualization, companies can take advantage of the efficiencies and agility of software-based devices and storage resources. The physical networking devices are responsible for forwarding of packets, while the virtual network (software) provides an intelligent abstraction that makes it easy to deploy and manage network services and underlying network resources. Following are some network virtualization terms to be familiar with:
Which of the following statements about virtual networks is true? (Select two.)
A virtual network is dependent on the configuration and physical hardware of the host operating system. Multiple virtual networks can be associated with a single physical network adapter. A virtual network is made up of one or more virtual machines configured to access local or external network resources. Some important facts about virtual networks include: > Virtual machines support an unlimited number of virtual networks, and an unlimited number of virtual machines can be connected to a virtual network. > Multiple virtual networks can be associated with a single physical network adapter. > When a virtual network is created, its configuration is dependent on the configuration and physical hardware (such as the type and number of network adapters) of the host operating system. > Accessing a network and network resources requires that the operating system on the virtual machine be configured as a part of the network.
Virtual Networking
A virtual network is made up of one or more virtual machines configured to access local or external network resources. Important facts about virtual networks include the following: > Virtual machines support an unlimited number of virtual networks. Also be aware that an unlimited number of virtual machines can be connected to a virtual network. - Multiple virtual networks can be associated with a single physical network adapter. - When a virtual network is created, its configuration is dependent on the configuration and physical hardware (such as the type and number of network adapters) of the host operating system. - The physical devices are partitioned into one or more virtual devices, depending on the network necessity and the device capability. - When setting up a new virtual device, the system administrator will define how much of the physical device capability each partition will have. This means that one physical server could act as two or three virtual machines that work separately from one another and have their own specifications. - The available resources in a network are split up so the available bandwidth is turned into channels. Each channel can be assigned to a particular server or device in real-time. Each channel is independently secured. > A virtual network includes a virtual Dynamic Host Configuration Protocol (DHCP) server that can provide IP address leases only to virtual machines. Even though the DHCP server is isolated, it assigns unique IP addresses from the range specified. > Accessing a network and network resources requires that the operating system on the virtual machine be configured as a part of the network. > Internal network virtualization configures a single system with software containers, or pseudo-interfaces, to emulate a physical network with software. This can improve a single system's efficiency by isolating applications to separate containers or pseudo-interfaces. > External network virtualization combines one or more LANs into virtual networks to improve a large network's efficiency. Using this technology, systems physically attached to the same local network can be configured to be separate virtual networks. Systems from separate LANs can also be combined into a single VLAN that spans segments of a large network. > Network virtualization should allow a virtual network, including all of its IP addresses, routes, network appliances, and so on, to appear to be running directly on the physical network. This allows the servers connected to that virtual network to continue to operate as if they were running directly on the physical network, even though multiple virtual networks share the physical network.
Virtualization Advantages
Advantages of virtualization are described in the following table.
Server Consolidation
Allows you to move multiple physical servers with many virtual machines. Physical-to-virtual migration (P2V migration) is the process of moving an older operating system off again hardware and into a virtual machine. Consolidating servers: > Requires fewer physical computers. > Reduces power consumption. > Increases physical server utilization of resources. > Increase administrative efficiency. > Reduces the number of incompatibility issues.
Application virtualization
Applications can be virtualized. > A virtual application appears to be local, but is really running on a different system. > Virtualized browsers can protect the underlying physical operating system from malware installation. Any malware installed from the virtual browser affects only the browser, not the rest of the system. *Malware can also use virtualization techniques that make it difficult to detect.
Which SDN layer would a load balancer that stops and starts VMs as resource use increases reside on?
Application Applications reside on the Application layer. A load balancer that stops and starts VMs as resource use increases is an example of an application that would reside on this layer. The Physical layer is where both physical and virtual network devices sit. The Session layer is the fifth layer of the OSI model. The Control layer is the middle layer. This is where the controller resides.
9.2 Virtual Networking
As you study this section, answer the following questions: > How does a virtual network differ from a physical network? > What is a Virtual Private Network (VPN)? > What is a virtual machine? > What terms are associated with virtualization and what do they mean? > What is the Dynamic Host Configuration Protocol (DHCP)? > How can physical devices become virtual ones? > Who are some of the network virtualization service providers? In this section, you will learn to: > Configure virtual network devices. > Create virtual switches.
9.4 Cloud Services
As you study this section, answer the following questions: > What is the difference between a hybrid cloud and a community cloud? > What is the difference between infrastructure as a service (IaaS) and platform as a service (PaaS)? > Which two implementations are available for software as a service (SaaS)? > What services does cloud computing provide? > Which cloud computing model allows the client to run software without purchasing servers, data center space, or network equipment?
9.1 Host Virtualization
As you study this section, answer the following questions: > What is virtualization? > What is the difference between a virtual machine and a hypervisor? > What are the advantages of virtualization? > What are the disadvantages of virtualization? In this section, you will learn to: > Create virtual machines. > Add virtual network adapters. > Manage virtual machines.
9.3 Software-Defined Networking
As you study this section, answer the following questions: > Which three layers exist in the software-defined networking (SDN) architecture? > What is the function of the controller? > What technology allows network and security professionals to manage, control, and make changes to a network? > What are the advantages of SDN? > What are the disadvantages of SDN?
VMware
Be aware of the following regarding VMware solutions. > VMware introduced the first x86 server virtualization products in 2001, making it a virtualization pioneer. > VMware desktop software runs on Microsoft Windows, Linux, and macOS, while its enterprise software hypervisor for servers, VMware ESXi, is a bare-metal hypervisor that runs directly on server hardware without requiring an additional underlying operating system. > ESXi is primarily used for data center virtualization.
9.1.8 Section Quiz
CIST 1601
9.3.4 Section Quiz
CIST 1601
Which of the following provides the network virtualization solution called XenServer?
Citrix Citrix provides the virtualization solution called XenServer, also referred to as Citrix Hypervisor. Microsoft provides a virtualization solution called Hyper-V Network Virtualization. VMWare provides a virtualization solution called ESXi. Cisco does not provide a virtualization solution but does offer a vSwitch platform called Nexus 1000v.
Which of the following BEST describes the Application SDN layer?
Communicates with the Control layer through the northbound interface. The Application layer communicates with the Control layer through what is called the northbound interface. These are sometimes called northbound APIs. The Physical layer, also known as the Infrastructure layer, communicates with the Control layer through the southbound interface. The Control layer receives its requests from the Application layer and then provides the Physical layer with its configuration and instructions. The controller is software that is able to inventory hardware components in the network.
You are an application developer. You use a hypervisor with multiple virtual machines installed to test your applications on various operating systems' versions and editions. Currently, all of your virtual machines used for testing are connected to the production network through the hypervisor's network interface. However, you are concerned that the latest application you are working on could adversely impact other network hosts if errors exist in the code. To prevent issues, you decide to isolate the virtual machines from the production network. However, they still need to be able to communicate directly with each other. What should you do? (Select two. Both responses are part of the complete solution.)
Connect the virtual network interfaces in the virtual machines to the virtual switch. Create a new virtual switch configured for host-only (internal) networking. To allow the virtual machines to communicate with each other while isolating them from the production network, complete the following: > Create a new virtual switch configured for host-only (internal) networking > Connect the virtual network interfaces in the virtual machines to the virtual switch Creating a bridged virtual switch would still allow the virtual machines to communicate on the production network through the hypervisor's network interface. Disconnecting the hypervisor's network cable, blocking the virtual machines' MAC addresses, or disabling the hypervisor's switch port would isolate the virtual machines from the production network, but this would also prevent them from communicating with each other.
Which of the following are advantages of virtualization? (Select two.)
Easy migration of systems to different hardware Centralized administration Virtualization allows a single physical machine (known as the host operating system) to run multiple virtual machines (known as guest operating systems). The virtual machines appear to be self-contained and autonomous systems. Advantages of virtualization include: Server consolidation The ability to migrate systems between different hardware Centralized management of multiple systems Increase utilization of hardware resources Isolation of systems and applications Disadvantages of virtualization include: A compromise in the host system could affect multiple guest systems. A failure in a shared hardware resource could affect multiple systems.
Which of the following is an exploit in which malware allows the virtual OS to interact directly with the hypervisor?
Escape Virtual machine escape is an exploit in which malware allows the operating system within a virtual machine to break out and interact directly with the hypervisor. Jump is not a type of VM exploit. Load balancing is a technique that disperses a workload between two or more computers or resources to achieve optimal resource utilization, throughput, or response time. A bottleneck is an area (software, hardware component, etc.) that all traffic slows down at.
Which of the following is a network virtualization solution provided by Microsoft?
Hyper-V Hyper-V Network Virtualization provides virtual networks to virtual machines. This is similar to the way in which server virtualization (hypervisors) provides virtual machines to the operating system. Hyper-V Network Virtualization has high scalability, with the capacity for over 1,000 virtual machines per host. None of the other virtualization solutions are provided by Microsoft.
Which of the following devices is computer software, firmware, or hardware that creates and runs virtual machines?
Hypervisor A hypervisor is computer software, firmware, or hardware that creates and runs virtual machines. A computer on which a hypervisor runs one or more virtual machines is called a host machine. Each virtual machine is called a guest machine. The hypervisor provides the guest operating systems with a virtual operating platform and manages the execution of the guest operating systems.
Load Balancing
Load Balancing is a technique that disperses a workload between two or more computers or resources to achieve optimal resource utilization, throughput, or response time. The primary goal of load balancing is to improve performance and create high availability by configuring multiple devices to respond as one. Load balancing can also provide fault tolerance. If the load balancing mechanism is able to detect when a specific node or member is unavailable, new requests will automatically be distributed to other available members. Load balancing methods with virtualization include the following: > Resource pooling creates shared logical pools of CPU and memory resources from many physical machines within the hypervisor to guarantee a level of resources for specific virtual machines. > Workload balancing distributes a workload (the total requests made by users and applications of a system) across multiple computers or a computer cluster to achieve optimal resource utilization, maximize throughput, minimize response time, and avoid overload.
Which of the following is a technique that disperses a workload between two or more computers or resources to achieve optimal resource utilization, throughput, or response time?
Load balancing Load balancing is a technique that disperses a workload between two or more computers or resources to achieve optimal resource utilization, throughput, or response time. The primary goal of load balancing is to improve performance and create high availability by configuring multiple devices to respond as one. A hypervisor is a thin layer of software that resides between the guest operating system and the hardware. Virtualization refers to installing and running multiple operating systems concurrently on a single physical machine. A bottleneck is an area (software, hardware component, etc.) that all traffic slows down at.
Microsoft
Microsoft solutions include: > Hyper-V Network Virtualization that provides virtual networks to virtual machines. This is similar to how server virtualization (hypervisor) provides virtual machines to the operating system. Hyper-V Network Virtualization has high scalability, with capacity for over 1,000 virtual machines per host. > Microsoft Azure that provides network virtualization in the cloud.
Virtual switch (vSwitch)
Software that facilitates the communication between virtual machines by checking data packets before moving them to a destination. A vSwitch may be a part of software installed in the virtual machine or it may be part of the server firmware.
Which of the following does the Application layer use to communicate with the Control layer?
Northbound APIs The Application layer communicates with the Control layer through what is called the northbound interface. These are sometimes called northbound APIs. The controller is just a software platform that contains other applications. It can be thought of as the network's operating system. The individual networking devices on the Physical layer use southbound APIs to communicate with the control plane and vice versa. The Application and Control layers do communicate.
Virtual firewall appliance (VFA)
Software that functions as a network firewall device that provides the usual packet filtering and monitoring. The VF can run as a traditional software firewall on a virtual machine.
Type I hypervisor
Often called a native hypervisor or bare-metal hypervisor. A hypervisor in a dedicated appliance is called an embedded hypervisor. A Type I hypervisor is like a thin operating system that directly interfaces with the computer hardware. Examples of Type I hypervisors are: > VMware ESX and ESXi > Microsoft Hyper-V > Linux KVM > Citrix Hypervisor > Xen > Oracle VM
Virtual firewall appliance (vFA)
Software that functions as a network firewall device. A virtual firewall appliance provides packet filtering and monitoring functions.
Which of the following is an advantage of a virtual browser?
Protects the host operating system from malicious downloads A virtual browser operates within a security sandbox that keeps activities within the browser from affecting the rest of the system. For example, malware downloaded by the virtual browser is limited to the security sandbox and cannot harm the operating system. The virtual browser does not prevent adware, spyware, or phishing. These threats are still possible within the virtual browser. However, if malware is installed within the virtual session, the malware cannot harm the rest of the system, and the virtual browser can be easily restored to remove the malicious software.
You have a development machine that contains sensitive information relative to your business. You are concerned that spyware and malware might be installed while users browse websites, which could compromise your system or pose a confidentiality risk. Which of the following actions would BEST protect your system?
Run the browser within a virtual environment. To best protect your system, run the browser in a virtual environment. Virtualization creates an environment that is logically separated from the main system. Any problems that occur within the virtual environment are contained within that environment and do not affect the rest of the system.
Which of the following is a disadvantage of software defined networking (SDN)?
SDN standards are still being developed. Some of the disadvantages of SDN include: Still a newer technology Lack of vendor support Standards are still being developed Centralized control opens a new target for security threats Some of the advantages of SDN include: Centralized management More granular control Lower overall cost and labor Gives new life to old networking hardware Gathers network information and statistics Facilitates communication between hardware from different vendors
What is isolating a virtual machine from the physical network to allow testing to be performed without impacting the production environment called?
Sandboxing Isolating a virtual machine from the physical network to allow testing to be performed without impacting the production environment is known as sandboxing. Resource pooling creates shared logical pools of CPU and memory resources from many physical machines within the hypervisor. This guarantees a level of resources for specific virtual machines. Virtual machines can be configured in a lab environment that mirrors a production network to provide a testing environment. Workload balancing distributes a workload (the total requests made by users and applications of a system) across multiple computers or a computer cluster to achieve optimal resource utilization, maximum throughput, minimal response time, and less overload.
Virtualization Security
Security considerations for a virtual machine should be the same as for physical machines. For the host and all guest machines, be sure to: > Reduce the number of services running. > Apply patches and updates regularly. > Install antivirus and other security software. > Implement backups, operating system snapshots, and other solutions for data protection. In addition, you should protect against virtual machine escape, an exploit in which malware allows the operating system within a virtual machine to break out and interact directly with the hypervisor. To minimize this vulnerability. > Apply patches and updates regularly. > Install only the resources-sharing features that are necessary. > Install only the software applications that are necessary.
Software Defined Networking (SDN)
Software defined networking (SDN) is a recent technology that allows network and security professionals to manage, control, and make changes to a network. The idea is that network engineers are able to use software to configure and intelligently control the network rather than relying on the individual static configuration files that are located on each network device. SDN uses a controller to manage the devices. The controller is software that is able to inventory hardware components in the network, gather network statistics, make routing decisions based on gathered data, and facilitate communication between devices from different vendors. It can also be used to make wide-spread configuration changes on just one device. The SDN architecture consists of three layers. The table below shows the functions:
Cloud computing
Software, data access, computation, and storage services provided to clients through the internet.
Virtual machinemonitor (VMM)/hypervisor
Software, firmware, or hardware that creates and runs virtual machines.
Virtual machine monitor/hypervisor (VMM/hypervisor)
Software, firmware, or hardware that creates and runs virtual machines. A computer on which a hypervisor runs to provide one or more virtual machines is called a host machine. Each virtual machine is called a guest machine. The hypervisor provides the guest operating systems with a virtual operating platform and manages the execution of the guest operating systems.
Network engineers have the option of using software to configure and control the network rather than relying on individual static configuration files that are located on each network device. Which of the following is a relatively new technology that allows network and security professionals to use software to manage, control, and make changes to a network?
Software-defined networking (SDN) Software-defined networking (SDN) is a relatively new technology that allows network and security professionals to manage, control, and make changes to a network. Network engineers are able to use software to configure and control the network rather than relying on individual static configuration files that are located on each network device. The Control layer is one of three layers that comprise software defined networking. The other layers are the Application layer and the Physical layer. Load balancers can be a component of the Application layer. The Physical layer can also be referred to as the Infrastructure layer.
Network Virtualization Providers
Some of the main network virtualization service providers are:
Which APIs do individual networking devices use to communicate with the control plane from the Physical layer?
Southbound Individual networking devices on the Physical layer use southbound APIs to communicate with the control plane and vice versa. The Application layer communicates with the Control layer through what is called the northbound interface.
Application layer
The Application layer communicates with the Control layer through what is called the northbound interface. These are sometimes called northbound APIs.
Software defined networking (SDN) uses a controller to manage devices. The controller is able to inventory hardware components on the network, gather network statistics, make routing decisions based on gathered data, and facilitate communication between devices from different vendors. It can also be used to make widespread configuration changes on just one device. Which of the following best describes an SDN controller?
The SDN controller is software. SDN uses a controller to manage devices. The controller is software that is able to inventory hardware components on the network, gather network statistics, make routing decisions based on gathered data, and facilitate communication between devices from different vendors. The controller can also be used to make widespread configuration changes on just one device.
Virtual Networking Devices
The following table describes virtual networking devices that can be used to create a more secure network.
Physical Machine
The physical computer with hardware, such as the hard disk drive(s), optical drive, RAM, and MB.
Virtual Area Network (VAN)
This is a virtual LAN running on top of a physical LAN. This configuration enables guest virtual machines on separate physical hosts to communicate.
Drag the software defined networking (SDN) layer on the left to the appropriate function on the right. (Each SDN layer may be used once, more than once, or not at all.)
This layer receives its requests from the Application layer. Control layer This layer is also known as the Infrastructure layer. Physical layer This layer communicates with the Control layer through what is called the northbound interface. Application layer This layer provides the Physical layer with configuration and instructions. Control layer On this layer, individual networking devices use southbound APIs to communicate with the control plane. Physical layer The SDN architecture consists of three layers: Application layer - communicates with the Control layer through the northbound interface. These are sometimes called northbound APIs. Control layer - receives its requests from the Application layer and then provides the Physical layer with its configuration and instructions. Physical layer - communicates with the Control layer through the. southbound interface. The individual networking devices use southbound APIs to communicate with the control plane and vice versa. Even though this is called the Physical layer, it is where both physical and virtual network devices sit. It is also known as the Infrastructure layer.
9.3.3 SDN Facts
This lesson covers the following topics: > Software defined networking (SDN) > SDN advantages and disadvantages
9.2.4 Virtualization Implementation Facts
This lesson covers the following topics: > Virtual networking > Networking virtualization providers
9.2.5 Virtual Networking Facts
This lesson covers the following topics: > Virtual networks > Virtual networking devices
9.1.3 Virtualization Facts
This lesson covers the following topics: > Virtualization components > Virtualization advantages and disadvantages > Virtualization security > Load balancing
Security
To better protect other systems, virtual machines can be used to create honeypots and honeynets to attract attackers so you can analyze attacks on the system.
Which type of hypervisor runs as an application on the host machine?
Type 2 A Type 2 hypervisor is known as a hosted hypervisor. It runs as an application on a conventional operating system. A Type 1 hypervisor is like a thin operating system that directly interfaces with the computer hardware. There are no Type 3 or Type 4 hypervisors.
What is the limit of virtual machines that can be connected to a virtual network?
Unlimited An unlimited number of virtual machines can be connected to a virtual network. 254 is the maximum hosts in a Class C network. 65,534 is the maximum hosts in a Class B network. 16,777,214 is the maximum hosts in a Class A network.
What is a virtual LAN that runs on top of a physical LAN called?
VAN A virtual area network (VAN) is a virtual LAN running on top of a physical LAN. This configuration enables guest virtual machines on separate physical hosts to communicate. VLANs allow several physical LANs to function as a single logical LAN. A VFA is a virtual firewall appliance. This is software that functions as a network firewall device. A virtual machine monitor is software, firmware, or hardware that creates and runs virtual machines. This is also known as a hypervisor.
Which of the following virtual devices provides packet filtering and monitoring?
VFA A VFA is a virtual firewall appliance. This is software that functions as a network firewall device that provides the usual packet filtering and monitoring. A VFA can run as a traditional software firewall on a virtual machine. VLANs allow several physical LANs to function as a single logical LAN. A vSwitch is software that facilitates the communication between virtual machines by checking data packets before moving them to a destination. A virtual machine monitor is software, firmware, or hardware that creates and runs virtual machines. This is also known as a hypervisor.
Which of the following is an example of protocol-based network virtualization?
VLAN VLANs and VPNs are two examples of protocol-based network virtualization. A vSwitch is software that facilitates the communication between virtual machines by checking data packets before moving them to a destination. A VFA is a virtual firewall appliance. This is software that functions as a network firewall device. A virtual machine monitor is software, firmware, or hardware that creates and runs virtual machines. This is also known as a hypervisor.
Virtual Machine (VM)
VMs are virtual computers that function like a physical computer. Virtual servers are virtual machines capable of providing services such as databases, email, domains, and applications. The traffic between virtual machines can be routed using virtual switches alongside virtual routers and virtual firewalls for network segmentation and data isolation.
Which of the following is used as a secure tunnel to connect two networks?
VPN A virtual private network (VPN) is usually used as a secure tunnel over another network, connecting multiple remote endpoints (such as routers). A multipoint VPN is a VPN connecting more than two endpoints. VLANs allow several physical LANs to function as a single logical LAN. A virtual area network (VAN) is a virtual LAN running on top of a physical LAN. A VFA is a virtual firewall appliance. This is software that functions as a network firewall device.
Flexibility
Virtual Machines can be given network access. Other network devices will consider them to be physical machines. Be aware that virtual machines: > Should have the latest service packs and patches. Just like physical machines. > Should be hardened, just like physical machines. > Can be connected to the production network by creating a bridged (external) virtual switch. Because they are self-contained, virtual machines can be easily moved between hypervisor hosts as needed.
Testing
Virtual machines can be configured in a lab environment that mirrors a production network. This lab environment can be used to : > Testing applications before installing them on production systems. > Test updates and patches before rolling them out into the production environment. > Test security controls to verify that they are working as designed.
Which of the following devices facilitates communication between different virtual machines by checking data packets before moving them to a destination?
Virtual switch A virtual switch is software that facilitates the communication between different virtual machines. It does so by checking data packets before moving them to a destination. They may already be a part of software installed in the virtual machine, or they may be part of the server firmware.
Virtualization Components
Virtualization refers to installing and running multiple operating systems concurrently on a single physical machine. Virtualization typically includes the following components:
Which load balancing method distributes a workload across multiple computers?
Workload balancing Workload balancing distributes a workload (the total requests made by users and applications of a system) across multiple computers or a computer cluster to achieve optimal resource utilization, maximum throughput, minimal response time, and less overload. Resource pooling creates shared logical pools of CPU and memory resources from many physical machines within the hypervisor. This guarantees a level of resources for specific virtual machines. Virtualization refers to installing and running multiple operating systems concurrently on a single physical machine. A bottleneck is an area (software, hardware component, etc.) that all traffic slows down at.
9.1.6 Create Virtual Machines
You have installed Hyper-V on ITAdmin. You're experimenting with creating virtual machines. In this lab, your task is to create two virtual machines named VM1 and VM2. Use the following settings as specified for each machine: VM1: Virtual machine name: VM1 Virtual machine location: D:\HYPERV Generation: Generation 1 Startup memory: 1024 MB (do not use dynamic memory) Networking connection: External Virtual hard disk name: VM1.vhdx Virtual hard disk location: D:\HYPERV\Virtual Hard Disks Virtual hard disk size: 50 GB Operating system will be installed later VM2: Virtual machine name: VM2 Virtual machine location: D:\HYPERV Generation: Generation 1 Startup memory: 2048 MB (use dynamic memory) Networking connection: Internal Virtual hard disk name: VM2.vhdx Virtual hard disk location: D:\HYPERV\Virtual Hard Disks Virtual hard disk size: 250 GB Operating system will be installed later Minimum RAM: 512 MB Maximum RAM: 4096 MB Complete this lab as follows: 1. Access the Hyper-V Manager. a. Select Start. b. Expand Windows Administrative Tools and then select Hyper-V Manager. 2. Create virtual machines on ITAdmin. *Use all default settings unless directed otherwise. a. Right-click ITADMIN and then select New > Virtual Machine. b. From the Before You Begin dialog, select Next. c. In the Name field, enter VM_name and then select Next. d. Make sure Generation 1 is selected and then select Next. e. In the Startup memory field, enter size. f. Set the Use Dynamic Memory for this virtual machine appropriately and then select Next. g. Use the Connection drop-down menu to select connection_type and then select Next. h. In the Size field, enter disk_size and then select Next. i. Make sure Install an operating system later is selected and then select Next. j. Review your configuration and then select Finish to create the virtual machine. k. Repeat step 2 to create the second virtual machine. 3. Adjust virtual machine memory for VM2. a. From the Hyper-V Manager, under Virtual Machines, right-click VM2 and select Settings. b. From the left pane, select Memory. c. In the Minimum RAM field, enter 512. d. In the Maximum RAM field, enter 4096.Select OK.
9.2.6 Create Virtual Switches
You have installed Hyper-V on the CorpServer server. You want to use the server to create virtual machines. Prior to creating the virtual machines, you are experimenting with virtual switches. In this lab, your task is to: Create an internal virtual switch named Switch 1. Create a private virtual switch named Switch 2. Complete this lab as follows: 1. Open the Virtual Switch Manager. a. From Hyper-V Manager, right-click CORPSERVER. b. Select Virtual Switch Manager. 2. Create an internal switch named Switch 1. a. Select Create Virtual Switch. b. In the Name field, enter Switch 1. c. Under Connection type, select Internal network. d. Select Apply. 3. Create a private switch named Switch 2. a. From the left pane, select New virtual network switch. b. From the right pane, select Private. c. Select Create Virtual Switch. d. In the Name field, enter Switch 2. e. Select OK.