Course 5 – IT Security: Defense Against the Digital Dark Arts

Week 5: Defense in Depth

Coursera Study Guide


In the fifth week of this course, we’re going to go more in-depth into security defense. We’ll cover ways to implement methods for system hardening and application hardening, and determine the policies for OS security. By the end of this module, you’ll know why it’s important to disable unnecessary components of a system, learn about host-based firewalls, set up anti-malware protection, implement disk encryption, and configure software patch management and application policies.

Learning Objectives

  • Implement the appropriate methods for system hardening.
  • Implement the appropriate methods for application hardening.
  • Determine the appropriate policies to use for operating system security.


1. What is an attack vector?

  • The classification of attack type
  • The direction an attack is going in
  • A mechanism by which an attacker can interact with your network or systems (CORRECT)
  • The severity of the attack

Nice job! An attack vector can be thought of as any route through which an attacker can interact with your systems and potentially attack them.

2. Disabling unnecessary components serves which purposes? Check all that apply.

  • Closing attack vectors (CORRECT)
  • Making a system harder to use
  • Reducing the attack surface (CORRECT)
  • Increasing performance

Right on! Every unnecessary component represents a potential attack vector. The attack surface is the sum of all attack vectors. So, disabling unnecessary components closes attack vectors, thereby reducing the attack surface.

3. What’s an attack surface?

  • The target or victim of an attack
  • The total scope of an attack
  • The payload of the attack
  • The combined sum of all attack vectors in a system or network (CORRECT)

Yep! The attack surface describes all possible ways that an attacker could interact with and exploit potential vulnerabilities in the network and connected systems.

4. A good defense in depth strategy would involve deploying which firewalls?

  • Network-based firewalls only
  • Both host-based and network-based firewalls (CORRECT)
  • No firewalls
  • Host-based firewalls only

You got it! Defense in depth involves multiple layers of overlapping security. So, deploying both host- and network-based firewalls is recommended.

5. Using a bastion host allows for which of the following? Select all that apply.

  • Running a wide variety of software securely
  • Applying more restrictive firewall rules (CORRECT)
  • Having more detailed monitoring and logging (CORRECT)
  • Enforcing stricter security measures (CORRECT)

Woohoo! Bastion hosts are special-purpose machines that permit restricted access to more sensitive networks or systems. By having one specific purpose, these systems can have strict authentication enforced, more firewall rules locked down, and closer monitoring and logging.

6. What benefits does centralized logging provide? Check all that apply.

  • It prevents database theft.
  • It allows for easier logs analysis. (CORRECT)
  • It blocks malware infections.
  • It helps secure logs from tampering or destruction. (CORRECT)

Yes! Centralized logging is really beneficial, since you can harden the log server to resist attempts from attackers trying to delete logs to cover their tracks. Keeping logs in one place also makes analysis on aggregated logs easier by providing one place to search, instead of separate disparate log systems.

7. What are some of the shortcomings of antivirus software today? Check all that apply.

  • It can’t protect against unknown threats. (CORRECT)
  • It only detects malware, but doesn’t protect against it.
  • It’s very expensive.
  • It only protects against viruses.

Awesome! Antivirus software operates off a blacklist, blocking known bad entities. This means that brand new, never-before-seen malware won’t be blocked.

8. How is binary whitelisting a better option than antivirus software?

  • It has less performance impact.
  • It can block unknown or emerging threats. (CORRECT)
  • It’s cheaper.
  • It’s not better. It’s actually terrible.

That’s right! By blocking everything by default, binary whitelisting can protect you from the unknown threats that exist without you being aware of them.

9. What does full-disk encryption protect against? Check all that apply.

  • Tampering with system files (CORRECT)
  • Malware infections
  • IP spoofing attacks
  • Data theft (CORRECT)

Excellent job! With the contents of the disk encrypted, an attacker wouldn’t be able to recover data from the drive in the event of physical theft. An attacker also wouldn’t be able to tamper with or replace system files with malicious ones.

10. What’s the purpose of escrowing a disk encryption key?

  • Performing data recovery (CORRECT)
  • Protecting against unauthorized access
  • Providing data integrity
  • Preventing data theft

Yep! Key escrow allows the disk to be unlocked if the primary passphrase is forgotten or unavailable for whatever reason.


1. Why is it important to keep software up-to-date?

  • To ensure compatibility with other systems
  • To address any security vulnerabilities discovered (CORRECT)
  • To ensure access to the latest features
  • It’s not important. It’s just annoying.

Nice work! As vulnerabilities are discovered and fixed by the software vendor, applying these updates is super important to protect yourself against attackers.

2. What are some types of software that you’d want to have an explicit application policy for? Check all that apply.

  • Word processors
  • Filesharing software (CORRECT)
  • Video games (CORRECT)
  • Software development kits

Great job! Video games and filesharing software typically don’t have a use in business (though it does depend on the nature of the business). So, it might make sense to have explicit policies dictating whether or not this type of software is permitted on systems.


1. What’s the key characteristic of a defense-in-depth strategy to IT security?

  • Strong passwords
  • Encryption
  • Confidentiality
  • Multiple overlapping layers of defense (CORRECT)

Right on! Defense in depth involves having multiple layers of security in place, with overlapping defenses that provide multiple points of protection.

2. While antivirus software operates using a ______, binary whitelisting software uses a whitelist instead.

  • Greylist
  • Blacklist (CORRECT)
  • Secure list
  • Whitelist

You got it! Antivirus software operates using a blacklist, which blocks anything that’s detected as matching on the list. Binary whitelisting software operates using a whitelist, blocking everything by default, unless it’s on the whitelist.

3. What is a class of vulnerabilities that are unknown before they are exploited?

  • ACLs
  • Attack Vectors
  • Attack Surfaces
  • 0-days (CORRECT)

Nice job! 0-day vulnerabilities are unique in that they are previously unknown before being exploited in the wild.

4. Which of these host-based firewall rules help to permit network access from a Virtual Private Network (VPN) subnet?

  • Access Control Lists (ACLs) (CORRECT)
  • Secure Shell (SSH)
  • Group Policy Objects (GPOs)
  • Active Directory

You got it! Part of host-based firewall rules would likely provide Access Control Lists (ACLs) that permit access from the VPN subnet.

5. A network security analyst received an alert about a potential malware threat on a user’s computer. What can the analyst review to get detailed information about this compromise? Check all that apply.

  • Security Information and Event Management (SIEM) system (CORRECT)
  • Logs (CORRECT)
  • Full disk encryption (FDE)
  • Binary whitelisting software

Awesome! A Security Information and Event Management (SIEM) system is a central log server that ingests all the logs to help analysts make sense of it all.

Awesome! Logs give the analyst visibility into the events and detailed information about traffic and activity that’s going on in the network and its systems. They can be used to detect compromise or attempts to attack systems.

6. What can provide resilience against data theft, and can prevent an attacker from stealing confidential information from a hard drive that was stolen?

  • Full disk encryption (FDE) (CORRECT)
  • OS upgrades
  • Software patch management
  • Key escrow

Nice job! Systems with their entire hard drives encrypted are resilient against data theft, preventing an attacker from stealing confidential information from a hard drive that has been stolen or lost.

7. What is the purpose of installing updates on your computer? Check all that apply.

  • Updating helps block all unwanted traffic.
  • Updating adds new features. (CORRECT)
  • Updating improves performance and stability. (CORRECT)
  • Updating addresses security vulnerabilities. (CORRECT)

Awesome! Software updates improve software products by adding new features.

Awesome! Software updates improve software products by improving performance and stability.

Awesome! Software updates improve software products by addressing security vulnerabilities.

8. What does a host-based firewall protect against that a network-based one doesn’t? Check all that apply.

  • Protection from MITM attacks
  • Protection from XSS attacks
  • Protection from compromised peers (CORRECT)
  • Protection in untrusted networks (CORRECT)

Nice work! A host-based firewall can provide protection to systems that are mobile and may operate in untrusted networks. It can also provide protection from compromised peers on the same network.

9. What does full-disk encryption protect against? Check all that apply.

  • Data theft (CORRECT)
  • Data tampering (CORRECT)
  • Malware
  • Eavesdropping

Woohoo! Encrypting the entire disk prevents unauthorized access to the data in case it’s lost or stolen. It also protects against malicious tampering of the files contained on the disk.

10. What is the purpose of application software policies? Check all that apply.

  • They take log data and convert it into different formats.
  • They define boundaries of what applications are permitted. (CORRECT)
  • They serve to help educate users on how to use software more securely. (CORRECT)
  • They use a database of signatures to identify malware.

Nice job! Application policies define boundaries of what applications are permitted or not permitted.

Nice job! Application policies serve to help educate users on how to use software more securely.

11. Why is it risky if you wanted to make an exception to the application policy to allow file sharing software?

  • The software could be infected with malware. (CORRECT)
  • The software can normalize log data.
  • The software can shrink attack vectors.
  • The software could disable full disk encryption (FDE).

Nice job! It is generally a good idea to have a policy to disallow particularly risky classes of software. Things like file sharing software and piracy-related software tend to be closely associated with malware infections.

12. How are attack vectors and attack surfaces related?

  • They’re not actually related.
  • They’re the same thing.
  • An attack surface is the sum of all attack vectors. (CORRECT)
  • An attack vector is the sum of all attack surfaces.

Yep! An attack surface is the sum of all attack vectors in a system or environment.

13. Having detailed logging serves which of the following purposes? Check all that apply.

  • Event reconstruction (CORRECT)
  • Data protection
  • Vulnerability detection
  • Auditing (CORRECT)

Exactly! Having logs allows us to review events and audit actions taken. If an incident occurs, detailed logs allow us to recreate the events that caused it.

14. Securely storing a recovery or backup encryption key is referred to as _______.

  • Key encryption
  • Key obfuscation
  • Key escrow (CORRECT)
  • Key backup

That’s right! Key escrow is the act of securely storing a backup or recovery encryption key for a full-disk-encrypted setup.

15. A hacker gained access to a network through malicious email attachments. Which one of these is important when talking about methods that allow a hacker to gain this access?

  • An attack surface
  • A 0-day
  • An attack vector (CORRECT)
  • An ACL

Right on! An attack vector can be used by an attacker to compromise and gain unauthorized access to a system.

16. Which of these protects against the most common attacks on the internet via a database of signatures, but at the same time actually represents an additional attack surface that attackers can exploit to compromise systems?

  • Antivirus software (CORRECT)
  • Full disk encryption (FDE)
  • Security Information and Event Management (SIEM) system
  • Binary whitelisting software

Great work! Antivirus, which is designed to protect systems, actually represents an additional attack surface that attackers can exploit to compromise systems.

17. A core authentication server is exposed to the internet and is connected to sensitive services. How can you restrict connections to secure the server from getting compromised by a hacker? Check all that apply.

  • Access Control Lists (ACLs) (CORRECT)
  • Secure firewall (CORRECT)
  • Patch management
  • Bastion hosts (CORRECT)

Secure configurations, such as ACLs, could be implemented on specific bastion hosts to secure sensitive services without degrading the convenience of the entire organization.

Right on! A secure firewall configuration should restrict connections between untrusted networks and systems.

Right on! Bastion hosts are specially hardened and minimized in terms of what is permitted to run on them. Typically, bastion hosts are expected to be exposed to the internet, so special attention is paid to hardening and locking them down to minimize the chances of compromise.

18. If a full disk encryption (FDE) password is forgotten, what can be incorporated to securely store the encryption key to unlock the disk?

  • Application policies
  • Key escrow (CORRECT)
  • Application hardening
  • Secure boot

You nailed it! Key escrow means having the encryption key securely stored for later retrieval by an authorized party. So, if someone forgets the passphrase to unlock their encrypted disk, the escrowed key can be retrieved to allow the disk to be unlocked.

19. Which of these plays an important role in keeping attack traffic off your systems and helps to protect users? Check all that apply.

  • Full disk encryption (FDE)
  • Multiple Attack Vectors
  • Antimalware measures (CORRECT)
  • Antivirus software (CORRECT)

Woohoo! There is a huge amount of attack traffic on the internet, and antimalware measures play an important role in keeping this type of attack off your systems and helping to protect your users.

Woohoo! Antivirus software will monitor and analyze things, like new files being created or files being modified on the system, for any behavior that matches a known malware signature.

20. When looking at aggregated logs, you are seeing a large percentage of Windows hosts connecting to an Internet Protocol (IP) address outside the network in a foreign country. Why might this be worth investigating more closely?

  • It can indicate a malware infection. (CORRECT)
  • It can indicate what software is on the binary whitelist.
  • It can indicate log normalization.
  • It can indicate ACLs are not configured correctly.

Well done! When looking at aggregated logs, you should pay attention to patterns and correlations between traffic. For example, if you are seeing a large percentage of hosts all connecting to a specific address outside your network, that might be worth investigating more closely, as it could indicate a malware infection.

21. What is the combined sum of all attack vectors in a corporate network?

  • The Access Control List (ACL)
  • The attack surface (CORRECT)
  • The risk
  • The antivirus software

Right on! An attack surface is the combined sum of all the various attack vectors that are present in a given system or environment.

22. What does applying software patches protect against? Check all that apply.

  • Data tampering
  • Undiscovered vulnerabilities (CORRECT)
  • Newly found vulnerabilities (CORRECT)
  • MITM attacks

23. If a user’s machine gets infected with malware within a trusted network, what can help protect computers inside the trusted network from the compromised one?

  • The Domain Controller
  • A host-based firewall (CORRECT)
  • A network-based firewall
  • Active Directory

Great work! Host-based firewalls are important for protecting individual hosts from being compromised when they are used in untrusted, potentially malicious environments, as well as protecting them from potentially compromised peers inside a trusted network.

24. A hacker exploited a bug in the software and triggered unintended behavior which led to the system being compromised by running vulnerable software. Which of these helps to fix these types of vulnerabilities?

  • Log analysis
  • Implicit deny
  • Software patch management (CORRECT)
  • Application policies

Well done! Vulnerabilities can be fixed through software patches and updates which correct the bugs that attackers exploit.