Cybersecurity Flashcards

1
Q

Name 5 of the top 10 OWASP vulnerabilities.

A

Injection, Broken Authentication, Sensitive Data Exposure, XML External Entities, Broken Access Control

2
Q

Name 5 more of the top 10 OWASP vulnerabilities

A

Security Misconfiguration, Cross-Site Scripting, Insecure Deserialization, Components with Known Vulnerabilities, Insufficient Logging and Monitoring.

3
Q

What is OPSEC?

A

A systematic and proven process intended to deny to potential adversaries information about capabilities and intentions by identifying, controlling, and protecting generally unclassified evidence of the planning and execution of sensitive activities. The process involves five steps: (1) identification of critical information; (2) analysis of threats; (3) analysis of vulnerabilities; (4) assessment of risks; and (5) application of appropriate countermeasures.

4
Q

Explain the MITRE ATT&CK Framework.

A

The MITRE ATT&CK Framework is a curated knowledge base that tracks the tactics and techniques used by cyber adversaries across the entire attack lifecycle. The framework is meant to be more than a collection of data: it is intended to be used as a tool to strengthen an organization’s security posture.

5
Q

What are FIPS 140-3 compliant ciphers and methods?

A

See attached

6
Q

FIPS MAC Algorithms

A

See attached

7
Q

FIPS approved for digital signatures

A

See attached

8
Q

What security standards does the Netherlands use?

A

EU Directive on Security of Network and Information Systems (Directive (EU) 2016/1148)

The Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020 (‘the Cyber Resilience Act’).

The NIS Implementation Act: The NIS Directive was implemented, on 17 October 2018, by the Network and Information Systems Security Act 2018 (only available in Dutch) (‘the NIS Implementation Act’). Following the passage of the NIS Implementation Act, the Decree Laying Down Rules for Implementing the Network and Information Systems Security Act

The Cybersecurity Act: Regulation (EU) 2019/881 on ENISA (the European Union Agency for Cybersecurity) and on Information and Communications Technology Cybersecurity Certification and Repealing Regulation (EU) No. 526/2013 (‘the Cybersecurity Act’).

9
Q

Explain Cybersecurity regulatory authority.

A

In the Netherlands, there is no single all-encompassing regulatory authority tasked with the supervision of national cybersecurity. As indicated by the various laws listed in the previous card, the competences in this field are scattered. Against this background, the following authorities are most relevant in the domain of cybersecurity regulation.

Authorities designated under the NIS Implementation Act

The NIS Implementation Act designates a number of national authorities to supervise compliance with its provisions. The AT (Agentschap Telecom, the Dutch Radiocommunications Agency) supervises compliance with, and is able to take enforcement actions in relation to, the duty of care and the duty to report incidents under the NIS Implementation Act. Operators of essential services fall under the AT’s ‘active’ supervision policy. This means that the AT carries out planned inspections that are aimed at checking the set-up, existence and functioning of the risk management process, and the adoption of appropriate control measures. With regard to digital service providers, the AT applies ‘reactive’ supervision, meaning that inspections take place on the basis of incidents and signals received.

While some operators of essential services are subject to the supervision of the AT, others are subject to the supervision of sectoral regulatory authorities. For example, if an operator of essential services operates in the financial infrastructure sector, the DNB (De Nederlandsche Bank) is the competent regulatory authority instead of the AT. Such sectoral regulatory authorities are also competent to enforce the NIS Implementation Act.

On the basis of the NIS Implementation Act, a supervisory authority has a number of powers, including the power to impose administrative fines.

Furthermore, there are two organisations that have taken on the role of the Computer Security Incident Response Team (‘CSIRT’) for the Netherlands, as provided for in the NIS Directive. The relevant organisations are:

the National Cybersecurity Centre (‘NCSC’), which acts as a CSIRT for operators of essential services; and
the Digital Service Providers CSIRT (‘CSIRT-DSP’).

Finally, the Minister of Justice and Security (‘MJS’) is responsible for performing the role of the ‘point of contact’ as set out in the NIS Directive.

The CSIRT and the point of contact are not competent to enforce the NIS Implementation Act.

The NIS2 Directive will streamline reporting obligations and introduce more stringent supervisory measures for national authorities and enforcement requirements, including harmonised sanctions across the EU.

10
Q

What are the steps in incident response?

A

Preparation, Detection and Reporting, Analysis and Triage, Containment, Recovery, Lessons Learned

11
Q

Explain threat hunting.

A

The practice of proactively searching for cyber threats that are lurking undetected in a network. Cyber threat hunting digs deep to find malicious actors in your environment that have slipped past your initial endpoint security defenses.

12
Q

What is the OODA Loop?

A

Helps us make strategic decisions. It has four phases and acts as a feedback loop: Observe, Orient, Decide, Act. Defenders and attackers operate at various speeds to complete their objectives. Intelligence speeds up how quickly we can complete the defender’s OODA loop.

13
Q

What is the Cybersecurity NICE Framework?

A

The NICE Framework is the foundation for increasing the size and capability of the U.S. cybersecurity workforce. It breaks down roles, knowledge, skills, and responsibilities across various tasks. The NICE Framework comprises seven categories (Securely Provision, Operate and Maintain, Oversee and Govern, Protect and Defend, Analyze, Operate and Collect, and Investigate): mnemonic POOP DACI. There are 33 specialty areas and 52 work roles.

14
Q

What is the key role of a cyber threat analyst?

A

Provide timely, relevant, actionable insights on threat actors, capabilities, motivation, and the threat environment to inform risk exposure and necessary defensive actions. Mnemonic: TRAIT CaME

15
Q

What are the three audiences for threat hunting?

A

Strategic, Operational, and Tactical. Strategic = CIO; Operational = Red Team, Forensics; Tactical = Security Operations Center.

16
Q

What is Cross Site Scripting?

A

With cross-site scripting, attackers take advantage of APIs and DOM manipulation to retrieve data from or send commands to your application. Cross-site scripting widens the attack surface for threat actors, enabling them to hijack user accounts, access browser histories, spread Trojans and worms, control browsers remotely, and more.

Training developers in best practices such as data encoding and input validation reduces the likelihood of this risk. Sanitize your data by validating that it’s the content you expect for that particular field, and by encoding it for the “endpoint” as an extra layer of protection.

17
Q

What is Broken Authentication?

A

Incorrectly implemented authentication and session management calls can be a huge security risk. If attackers notice these vulnerabilities, they may be able to easily assume legitimate users’ identities.

Multifactor authentication is one way to mitigate broken authentication. Implement DAST and SCA scans to detect and remove issues with implementation errors before code is deployed.

18
Q

What is Broken Access Control?

A

If authentication and access restriction are not properly implemented, it’s easy for attackers to take whatever they want. With broken access control flaws, unauthenticated or unauthorized users may have access to sensitive files and systems, or even user privilege settings.

Configuration errors and insecure access control practices are hard to detect as automated processes cannot always test for them. Penetration testing can detect missing authentication, but other methods must be used to determine configuration problems. Weak access controls and issues with credentials management are preventable with secure coding practices, as well as preventative measures like locking down administrative accounts and controls and using multi-factor authentication.

19
Q

What is Insecure Deserialization?

A

Deserialization, or reading back data and objects that have been written to disk or otherwise saved, can be used to remotely execute code in your application or as a door to further attacks. An object is serialized into either a structured text format, through common serialization systems like JSON and XML, or a binary format. This flaw occurs when an attacker uses untrusted data to manipulate an application, initiate a denial of service (DoS) attack, or execute unpredictable code to change the behavior of the application.

Although deserialization is difficult to exploit, penetration testing or the use of application security tools can reduce the risk further. Additionally, do not accept serialized objects from untrusted sources and do not use methods that only allow primitive data types.

20
Q

What is XML External Entities?

A

This risk occurs when attackers are able to upload or include hostile XML content due to insecure code, integrations, or dependencies. An SCA scan can find risks in third-party components with known vulnerabilities and will warn you about them. Disabling XML external entity processing also reduces the likelihood of an XML entity attack.

21
Q

What is Injection?

A

Injection occurs when an attacker exploits insecure code to insert (or inject) their own code into a program. Because the program is unable to distinguish code inserted in this way from its own code, attackers are able to use injection attacks to access secure areas and confidential information as though they were trusted users. Examples of injection include SQL injection, command injection, CRLF injection, and LDAP injection.

22
Q

What are effective penetration testing tools?

A

Aircrack-ng: a standard, well-known tool used to assess, dissect and crack wireless networks. …
Burp Suite.
Cain and Abel.
CANVAS by Immunity.
John the Ripper.
Kali Linux.
Metasploit.
SQLmap

23
Q

Give some examples of threat-hunting tools/protocols for Maintain Presence

A

Web Shells, Chopstick, COM Hijacking, DLL Search Order Hijacking, Stolen VPN Credentials, GarnetBox, DarkMirror, XTunnel

24
Q

Give some examples of threat hunting tools/protocols for Move Laterally.

A

RDP, SSH, PsExec, Winexe, Impacket smbexec, Impacket psexec, Impacket atexec, EternalBlue.

25
Q

Give some examples of threat hunting tools/protocols for Initial Compromise.

A

Phishing, stolen credentials, password spraying, Wi-Fi sniffing.

26
Q

Give some examples of threat hunting tools/protocols for Establish Foothold.

A

PowerShell Empire, Web Shells, GAMEFISH, BOSSNAIL, SourFace

27
Q

Give some examples of threat hunting tools/protocols for Escalate Privilege.

A

Procdump, Mimikatz, Impacket, Secretsdump, Responder, OLDBAIL

28
Q

Give some examples of threat-hunting tools/protocols for Internal Reconnaissance.

A

Nmap port scanner, DNS zone transfer, Addumper, LDAP-dumper, nbtscan, DNSCMD

29
Q

Give some examples of threat hunting tools/protocols for Complete Mission.

A

WinRAR archives, OWA and O365 email theft

30
Q

What are the hardest problems in OPSEC?

A

People

31
Q

What are the best practices of OPSEC?

A

Implement precise change management processes that your employees should follow when network changes are performed. All changes should be logged and controlled so they can be monitored and audited.
Restrict access to network devices using AAA authentication. In the military and other government entities, a “need-to-know” basis is often used as a rule of thumb regarding access and sharing of information.
Give your employees the minimum access necessary to perform their jobs. Practice the principle of least privilege.
Implement dual control. Make sure that those who work on your network are not the same people in charge of security.
Automate tasks to reduce the need for human intervention. Humans are the weakest link in any organization’s operational security initiatives because they make mistakes, overlook details, forget things, and bypass processes.
Incident response and disaster recovery planning are always crucial components of a sound security posture. Even when operational security measures are robust, you must have a plan to identify risks, respond to them, and mitigate potential damages.

32
Q

Name a few hacking groups.

A
33
Q

What is an APT? Name a few of them.

A