Domain 4 Flashcards
During what phase should regulatory compliance be introduced?
Requirements gathering
What testing methodology provides full access to an environment/system?
Full knowledge/white box
What testing methodology provides some access to environment/system?
Grey box/partial knowledge
What testing methodology requires testers to act like hackers w/out inside knowledge of system?
Black box/zero knowledge
What allows secure storage and access to secrets, allowing them to be used when needed w/out hard-coding them?
KMS - key management service
What avoids hard-coded credentials in cloud applications?
KMS - key management service
What’s used to identify each component in a software package?
SBOM - software bill of materials
What’s designed to aggregate API access, provide authentication for API use, rate-limit, and gather statistics and data about API usage?
API gateways
What’s used to decouple software components?
API proxies
What is a software element that connects to back-end services and creates a more modern and useful API to connect to the front end, and allows developers to define an API without having to change underlying services in the back end?
API proxy
What acts as the security gateway to your enterprise architecture, and is the single point of entry and exit for all API calls?
API firewall
When is IAST - interactive application security testing - performed?
During QA/Testing phase of SDLC
What uses software instrumentation to monitor applications as they run and then gathers info about what occurs/how the software performs?
IAST
What aggregates API access, provides authentication for API use, rate-limit, and gathers statistics and data about API usage?
API gateways
What is a commonly accepted and used standard for encryption of data at rest?
AES-256
What is used for encryption in transit?
TLS
What documents abuse of software functionality?
Abuse case testing
What’s the best option to identify all components associated with software?
Software composition analysis (SCA)
What testing reviews source code?
Static testing
What looks at underlying components of software?
SCA - software composition analysis
What is intended to be used as a metric to assess the degree of trust that can be placed in web applications to help developers build in security controls?
ASVS - Application Security Verification Standard
What is major.minor.patch?
A common format for versioning.
What’s a listing of all the components of a software package or program?
Software bill of materials (SBOM)
What has built in protection against common attacks like SQL injection?
WAFs - web application firewalls
What allows for the easy movement of applications b/c they contain the dependencies and components the app needs w/out requiring a complete OS?
Containers
What are two functionalities used for federation?
SAML and OpenID Connect
What defines the requirements for cryptographic modules and is commonly used to assess cryptographic systems?
FIPS 140-2
What are secrets that are generated and used as needed?
Dynamic secrets
T/F: Shared accounts allow for auditing.
False - b/c actions cannot be provably linked to individual users
What attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly, systematically checking all possible passwords and passphrases until the correct one is found?
Brute force attack
What happens in the testing phase of the SDLC?
Performance and security of software is tested.
What allows creation, storage, management, and auditing of keys?
KMS
What is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption?
PKI - public key infrastructure
What is a CI/CD tool used for continuous integration tooling?
Jenkins
What provides awareness of software license compliance, terms and conditions, and license expiration dates?
A complete software inventory
What is used to control usage based on roles and rights?
CASB
What’s used to limit potential for sensitive data loss and to detect anomalous usage patterns?
Cost limiting rules
What’s commonly used for malicious software testing, also known as creating a secure and isolated environment to test?
Sandboxing
What’s used to centralize and correlate security events and information?
SIEM solutions
What can be used to enforce encryption b/w an on-premise location and cloud provider to prevent 3rd party from seeing data in transit?
CASB
What is on-premises or cloud based software that sits between cloud service users and cloud applications, and monitors all activity and enforces security policies including authentication, authorization, alerts and encryption?
CASB
Do tokenization and masking protect data while it’s being accessed or while it’s in transit?
Accessed
T/F: Containers contain elements of the OS, libraries, config files, and app files/binaries.
True
What does ATASM stand for?
Architecture, threats, attack surfaces, and mitigations
What is a seven-step process applicable to most application development methodologies, which is platform agnostic, aligns business objectives with technical requirements, and takes into account compliance requirements, business impact analysis and a dynamic approach to threat management, enumeration and scoring?
P.A.S.T.A. - Process for attack simulation and threat analysis
What is a methodology used to perform threat modeling that focuses on a requirements model designed to ensure that the level of risk assigned to each asset is classified as acceptable by the system’s stakeholders?
Trike
What is a threat-modeling approach that highlights the importance of structural understanding of a system for the purpose of threat modeling (architecture). The architecture is broken apart into its logical and functional components (decomposing and factoring) to discover all potential attackable surfaces and define points where defenses will be built?
ATASM
In what approach does a team use a pre-defined set of common and prevalent threats and try to identify instances of them in the product by tracking the triggers?
Threat library/list approach
What is testing done against running code?
Dynamic testing
What reviews source code?
Static testing
T/F: Some malware is sandbox aware.
True
What can provide remote access to the LAN, and even to the devices on a LAN, acting as a mini gateway on the LAN that allows you to access the LAN and then jump, via SSH or other services, to other connected devices on that LAN?
Jumpbox
What provides database activity monitoring that includes privileged account usage logging and monitoring in addition to other security and monitoring features?
DAM - database activity monitor
What two things help prevent DOS attacks on APIs?
Setting throttling limits and quotas
What limits the blast radius of exposed or compromised secrets?
Rotating secrets
What are two types of attacks prevalent on SMS?
SIM swapping and VoIP based attacks
What type of attack is designed to overwhelm the resources of a system to the point where it is unable to reply to legitimate service requests?
DoS and DDoS
What type of attack makes it possible for an attacker to eavesdrop on the data sent back and forth between two people, networks, or computers?
MITM - man in the middle
What is the prevention for MITM attacks?
Using strong encryption on access points or to a virtual private network (VPN).
Prevention for DDoS attacks?
Use a firewall that detects whether requests sent to your site are legitimate.
What attack occurs when a malicious actor sends emails that seem to be coming from trusted, legitimate sources in an attempt to grab sensitive information from the target and they combine social engineering and technology?
Phishing
Mitigation for phishing?
- Think carefully about the kinds of emails you open and the links you click on.
- Pay close attention to email headers, and do not click on anything that looks suspicious.
- Check the parameters for “Reply-to” and “Return-path.” They need to connect to the same domain presented in the email.
What attack goes after the “big fish” or whales of an organization?
Whale-phishing attack
In which attack does the attacker take the time to research their intended targets and then write messages the target is likely to find personally relevant?
Spear phishing
In what attack is the work station encrypted and then given back when money is paid?
Ransomware
An attacker intercepts network transmissions to grab passwords not encrypted by the network or uses brute force to guess.
Password attack
An attack where the command is inserted into a data plane in place of something else that normally goes there, such as a password or login, and then the server that holds the database runs the command and the system is penetrated.
SQL Injection attack
Attackers alter and fabricate certain URL addresses and use them to gain access to the target’s personal and professional data. The attacker knows the order in which a web page’s URL information needs to be entered and interprets the syntax, using it to figure out how to get into areas they do not have access to.
URL interpretation or URL poisoning
A hacker alters DNS records to send traffic to a fake or “spoofed” website. Once on the fraudulent site, the victim may enter sensitive information that can be used or sold by the hacker. The hacker may also construct a poor-quality site with derogatory or inflammatory content to make a competitor company look bad.
DNS spoofing
Making sure DNS servers are kept up-to-date is how to prevent _____.
DNS Spoofing
How to prevent URL Interpretation?
Use secure authentication methods for any sensitive areas of your site.
How to prevent brute-force and password attacks?
Set up a lock-out to lock out access to devices, websites, or applications automatically after a certain number of failed attempts.
What kind of attack takes over a session between a client and the server, in which the computer being used in the attack substitutes its Internet Protocol (IP) address for that of the client computer, and the server continues the session without suspecting it is communicating with the attacker instead of the client?
Session hijacking
How to prevent session hijacking?
Use a VPN to access business-critical servers to encrypt all communication so attacker cannot gain access to the secure tunnel created by the VPN.
What’s an attack where an attacker simply tries to guess the login credentials of someone with access to the target system?
Brute force attack
How to prevent brute force attacks?
Lock out policies and random passwords
What attacks refer to threats that target vulnerabilities in web-based applications, like SQL injection, XSS, and CSRF (cross-site request forgery)?
Web attacks
What involves adjusting the parameters that programmers implement as security measures designed to protect specific operations?
Parameter tampering
How to prevent web attacks?
Inspect your web applications to check for—and fix—vulnerabilities.
Attacks that come from within an organization?
Insider threats
How to prevent insider threats?
Least privilege and MFA
What attack is when a hacker embeds malicious code into an insecure website, and when a user visits the site, the script is automatically executed on their computer, infecting it?
Drive by attack
An attack where the attacker transmits malicious scripts using clickable content that gets sent to the target’s browser, and when the victim clicks on the content, the script is executed.
XSS - cross-site scripting
How to prevent XSS attack?
Whitelist of allowable entities
Either active or passive, the bad actor intercepts traffic as it is sent through the network and then collects usernames, passwords, and other confidential information, like credit cards.
Eavesdropping attacks
An attack where the hacker inserts a piece of software within the network traffic path to collect information that the hacker analyzes for useful data.
Active eavesdropping
An attack where the hacker listens in on the transmissions looking for useful data they can steal.
Passive eavesdropping
T/F: Eavesdropping is a MITM attack.
True
How to prevent eavesdropping attacks?
Encrypt data
An attack where the hacker can create a hash that is identical to what the sender has appended to their message and then simply replace the sender’s message with their own.
Birthday attack
How to prevent birthday attacks?
Use longer hashes for verification
This attack infects a computer and changes how it functions, destroys data, or spies on the user or network traffic as it passes through and can either spread from one device to another or remain in place, only impacting its host device.
Malware attack