Lesson 11: Enhance Application Security Capabilities Flashcards
1
Q
List 3 modern email security protocols
A
- DomainKeys Identified Mail - DKIM
- Sender Policy Framework - SPF
- Domain-based Message Authentication, Reporting & Conformance - DMARC
2
Q
List two traditional email security protocols
A
- SMTPS
- IMAPS
3
Q
What protocols are used for secure file transfers?
A
SFTP (SSH File Transfer Protocol) or FTPS (File Transfer Protocol Secure)
4
Q
What protocol is used for secure directory access?
A
LDAPS
5
Q
What protocol is used for secure DNS queries?
A
DNSSEC
6
Q
Describe the formal process an organization would go through to implement a secure protocol
A
Assessing risks, reviewing policies, and evaluating the security features of different protocols.
7
Q
What are two transport methods?
A
TCP and UDP
8
Q
Define ‘Transport Layer Security (TLS)’
A
Uses certificates for authentication and encryption to protect web communications and other application protocols.
9
Q
What is the purpose of installing a certificate on a client computer?
A
For VPNs and enterprise networks that require mutual authentication.
10
Q
What improvement was added to TLS 1.3
A
Removing the ability to perform downgrade attacks by preventing the use of unsecure features and algorithms from previous versions; Handshake protocol has less messages to speed up connections.
11
Q
Define a ‘Cipher suite’
A
Lists of cryptographic algorithms that a server and client both support and can use to negotiate a secure connection.
12
Q
Define ‘hash key derivation function’
A
Deriving a key suitable for use as input to an encryption algorithm; A password, a salt, and a cost factor as inputs then generate a password hash.
13
Q
How do client and server agree upon a cipher suite in TLS 1.3?
A
The client sends a hello message stating the versions of TLS and cipher suites that it can support; The server responds with a cipher suite and version that both it and the client can support as well as its certificate.
14
Q
How does a client adjust to a servers cipher suite?
A
After accepting the servers public key certificate, it uses the Change Cipher Spec command to start using the agreed symmetric cipher and key.
15
Q
What ports does LDAP use?
A
Port 389
16
Q
Define a ‘simple bind’ authentication in the LDAP protocol
A
The client authenticates with its distinguished name (DN) and password, but these are passed as plaintext.
17
Q
Define ‘Simple Authentication and Security Layer (SASL)’ authentication in the LDAP protocol
A
Preferred mechanism for Microsoft’s AD implementation of LDAP; The client and server negotiate the use of a supported authentication mechanism, such as Kerberos.
18
Q
Define ‘LDAP Secure (LDAPS)’
A
Implementing LDAP using SSL/TLS encryption; The server is installed with a digital certificate, which it uses to set up a secure tunnel for the user credential exchange.
19
Q
What port does LDAP Secure (LDAPS) use?
A
Port 636
20
Q
Where should port 636 and 389 be enabled to secure LDAP?
A
LDAP port should be blocked by a firewall from access over the public interface.
21
Q
Define ‘Simple Network Management Protocol (SNMP)’
A
Application protocol used for monitoring and managing network devices.
22
Q
What port(s) does Simple Network Management Protocol (SNMP) use?
A
UDP ports 161 and 162 by default.
23
Q
What are the two components of Simple Network Management Protocol (SNMP)?
A
SNMP monitor and SNMP agent
24
Q
Define a ‘SNMP agent’
A
A process (software or firmware) running on a switch, router, server, or other SNMP-compatible network device.
25
What is the function of an SNMP agent?
Agent maintains a database called a management information base (MIB) that holds statistics relating to the activity of the device.
26
Define an 'SNMP trap function'
The agent informs the management system of a notable event after reaching an established threshold.
27
What port does the SNMP monitor use to query data from an SNMP agent?
UDP port 161
28
What port are SNMP traps communicated over?
UDP port 162
29
What is best practice in securing an SNMP community name?
Use difficult to guess names, and never leave it to blank or default; Do not transport the community name over a network.
30
What is the most secure version of SNMP?
SNMPv3
31
What are security improvements to SNMPv3?
Instead of community names, the agents are configured with a list of usernames and access permissions.
32
Define the authentication process in SNMPv3
SNMP messages are signed with a hash of the user's passphrase. The agent can verify the signature and authenticate the user using its own record of the passphrase.
33
Define 'Secure File Transfer Protocol (SFTP)'
Uses a Secure Shell (SSH) tunnel as an encryption method between client and server to transfer, access, and manage files.
34
What port does Secure File Transfer Protocol (SFTP) use?
TCP port 22
35
What are two protocols used to implement FTP over SSL/TLS?
1. Explicit TLS (FTPES)
2. Implicit TLS (FTPS)
36
Define the function of Explicit TLS (FTPES)
Uses the AUTH TLS command to upgrade an unsecure connection established over port 21 to a secure one.
37
Define the function of Implicit TLS (FTPS)
Negotiates a TLS tunnel before the exchange of any FTP commands over TCP port 990.
38
What version of FTP over TLS is preferred when there are firewalls between client and server?
Explicit TLS (FTPES)
39
Define 'Simple Mail Transfer Protocol (SMTP)'
Application protocol used to send mail between mail servers on the Internet sent over TCP port 25.
40
What port does a client use to submit a message request to a mail server?
TCP port 587
41
Define a 'mailbox protocol'
Stores messages for users and allows them to download them to client computers or manage them on the server.
42
How does a mail server locate a recipient?
Uses the domain name of the recipient to discover an IP address that is registered in DNS as an MX record.
43
What are the two secure versions of Simple Mail Transfer Protocol (SMTP)?
1. STARTTLS
2. SMTPS
44
Define 'STARTTLS'
Explicit TLS; A command that upgrades an existing unsecure SMTP connection to use TLS.
45
Define 'SMTPS'
Implicit TLS; Using PKI, establishes the secure connection before any SMTP commands are exchanged.
46
What is the preferred method of implementing SMTP over TLS?
STARTTLS
47
Define 'Post Office Protocol v3 (POP3)'
Application mailbox protocol that stores messages on a server and enables a client to download email messages from a server mailbox to a client.
48
What port does Post Office Protocol v3 (POP3) use?
TCP port 110
49
Describe the function of Post Office Protocol v3 (POP3)
Client application, such as Microsoft Outlook, establishes a TCP connection to the POP3 server over port 110; After authenticating with the server the mailbox is downloaded.
50
What is the secure version of Post Office Protocol v3 (POP3) and the port is uses?
POP3S; TCP port 995 by default.
51
Define 'Internet Message Access Protocol (IMAP)'
Application mailbox protocol providing a means for a client to access and manage email messages stored in a mailbox on a remote server.
52
What are the differences between Internet Message Access Protocol (IMAP) and Post Office Protocol v3 (POP3)?
IMAP supports permanent connections to a server and connects multiple clients to the same mailbox simultaneously; Clients can manage mail folders.
53
What port does Internet Message Access Protocol (IMAP) use?
TCP port 143
54
What port does IMAP over TLS use?
TCP port 993
55
Define 'Sender Policy Framework (SPF)'
A DNS record identifying hosts authorized to send mail for the domain.
56
What is the purpose of Sender Policy Framework (SPF)?
Helps detect and prevent sender address forgery commonly used in phishing and spam emails.
57
How does Sender Policy Framework (SPF) function?
By verifying the sender's IP address against a list of authorized sending IP addresses published in the DNS TXT records of the email sender's domain.
58
Define 'DomainKeys Identified Mail (DKIM)'
A cryptographic authentication mechanism for mail utilizing a public key published as a DNS record.
59
What is the purpose of DomainKeys Identified Mail (DKIM)?
Leverages encryption features to enable email verification by allowing the sender to sign emails using a digital signature.
60
How does DomainKeys Identified Mail (DKIM) leverage encryption?
The receiving email server uses a DKIM record that acts as a public key in the sender's DNS record to verify the signature and the email's integrity.
61
Define 'Domain-based Message Authentication, Reporting & Conformance (DMARC)'
Framework combining SPF and DKIM for authentication of senders; Specifies the actions to be taken when an email fails authentication; A DMARC policy is published as a DNS record.
62
What actions can Domain-based Message Authentication, Reporting & Conformance (DMARC) enact when authentication fails?
Moving messages to quarantine or spam, rejecting them outright, or tagging the message.
63
Does Domain-based Message Authentication, Reporting & Conformance (DMARC) offer reporting?
Yes, giving the owner of a domain visibility into which systems are sending emails on their behalf, including unauthorized activity.
64
Define an 'email gateway'
Control point for all incoming and outgoing email traffic.
65
What is the purpose of an email gateway?
To audit all emails removing potential threats before they reach inboxes.
66
What security measures does a typical email gateway use to secure mail?
Anti-spam filters, antivirus scanners, and sophisticated threat detection algorithms to identify phishing attempts, malicious URLs, and harmful attachments as well as attachment blocking, content filtering, and data loss prevention.
67
Define 'Secure/Multipurpose Internet Mail Extensions (S/MIME)'
Protocol for securing mail communications using encryption and digital signature to encrypt data and verify identities.
68
Define 'Data loss prevention (DLP)'
Software that detects and prevents sensitive information from being stored on unauthorized systems or transmitted over unauthorized networks.
69
How can Data loss prevention (DLP) be used to secure email communications?
DLP scans emails and attachments for certain types of sensitive information defined by the organization's DLP policies; If an email contains these types of information, the DLP system can take several actions based on predefined rules.
70
What actions can Data loss prevention (DLP) software take to prevent data loss via email?
Blocking the email, alerting the sender or administrator, or automatically encrypting it before transmission.
71
Define 'DNS filtering'
Blocks or allows access to specific websites by controlling the resolution of domain names into IP addresses
72
How does DNS filtering operate?
When a request is made to resolve a website URL, the DNS filter checks the request against a database of domain names; If the domain is known as malicious, or is unapproved, the filter blocks the request, preventing access to the website.
73
Define a 'DNS firewall'
Intercept DNS queries at the network level and applies filtering rules accordingly.
74
What is best practice for securing an internal DNS server?
DNS servers should only accept recursive queries from local hosts and not from the internet.
75
Define 'DNS footprinting'
Obtaining information about a private network by using its DNS server.
76
What are two ways to perform DNS footprinting?
Performing a zone transfer to a rouge DNS server of by querying the DNS server using nslookup/dig.
77
Define 'DNS Security Extensions (DNSSEC)'
Security protocol that provides authentication of DNS data and upholds DNS data integrity.
78
What is the purpose of DNS Security Extensions (DNSSEC)?
To mitigate against spoofing and poisoning attacks by providing a validation process for DNS responses.
79
How does DNS Security Extensions (DNSSEC) secure DNS records?
The authoritative server creates a "package" of resource records (called an RRset) signed with a private key (the Zone Signing Key).
80
With DNS Security Extensions (DNSSEC) enabled, how does a non-authoritative DNS server receive DNS records?
The authoritative server returns the package along with its public key, which can be used to verify the signature.
81
When using S/MIME, which key is used to protect the confidentiality of a message?
The recipient's public key; The public key is used to encrypt a symmetric session key.
82
What is the purpose of input validation?
Used in software and web development that addresses the issue of untrusted input to defeat injection attacks.
83
Define 'untrusted input'
Specially crafted data supplied to an application to manipulate its behavior.
84
What are different forms of input validation?
Allowlisting, Blocklisting, Data type and range checks, regular expressions, encoding.
85
Define Allowlisting input validation
Permits inputs that match a predetermined and approved set of values or patterns.
86
Define Blocklisting input validation
Explicitly blocks known harmful inputs, such as certain special characters or patterns commonly used in attacks.
87
Define 'data type check' input validation
Checks to ensure the input data is of the expected type, such as a string, integer, or date.
88
Define 'range check' input validaiton
Validates that numeric inputs fall within expected ranges.
89
Define 'Regular expression/regex' input validation
Used to match input to expected patterns or signs of malicious activity.
90
Define 'encoding' input validation
Prevent special characters from being interpreted as executable commands or scripts.
91
Define a 'cookie'
A text file stored on a computer by a web browser while accessing a website.
92
What is the purpose/function of a cookie?
Maintain session states, remember user preferences, and track user behavior and other settings.
93
How can cookies be exploited if not properly secured?
Attacks such as session hijacking or cross-site scripting.
94
What is the purpose of static code analysis?
Identify potential vulnerabilities, errors, and noncompliant coding practices before the program is finalized.
95
Define 'Code sigining'
The method of using a digital signature to ensure the source and integrity of software code.
96
How does software become digitally signed?
The signer uses a private key to encrypt a hash or digest of the code to form the digital signature.
97
How is the code verified once digitally signed?
Requires using a certificate issued by a trusted certificate authority (CA) and the client uses the cert to verify the signature of the code.
98
Define 'data exposure'
A fault that allows privileged information (such as a token, password, or personal data) to be read without being subject to the appropriate access controls.
99
Define an 'error/exception' in software development
An application vulnerability that is defined by how an application responds to unexpected events/processes that can lead to holes in the security of an app.
100
What are errors/exceptions that could occur in software?
Invalid user input, a loss of network connectivity, another server or process failing, and so on.
101
How can errors/exceptions be handled in a good manner?
By a programmer implementing a structured exception handler (SEH) to dictate what the application should then do.
102
Define a 'structured exception handler (SEH)'
A mechanism to account for unexpected error conditions that might arise during code execution.
103
What is the purpose of implementing to code?
To reduce the chances that a program could be exploited.
104
What is the difference between an error and an exception?
An error is a condition that the process cannot recover from; An exception is a type of error that can be handled by a block of code without the process crashing.
105
Define 'cloud hardening'
Fortify the cloud infrastructure, reducing its attack surface.
106
What should be implemented in the cloud to restrict access to cloud resources?
Least privilege access.
107
How do modern web browsers implement sandboxing/sandbox envrionments?
If a website or browser extension in one browser tab attempts to run malicious code, it is confined within that tab's sandbox to prevent malicious code from impacting the entire browsers or the OS.
108
How do mobile phone OS's implementing sandboxing?
They use sandboxing to limit each app's actions; An app in a sandbox can access its own data and resources but cannot access other app data or any nonessential system resources without explicit permission.
109
What are examples of large scale infrastructure sandboxing?
Virtual machines (VMs) and containers like Docker; each VM or container can run in isolation.
110
How can sandboxing be leveraged in security operations?
Detecting and understanding malware activities via forensic inspection.
111
What is the purpose of using sandboxing in security operations?
To create an enclosed, controlled environment that allows the safe execution of potentially harmful software without affecting the IT environment.
112
Which response header provides protection against SSL stripping attacks?
HTTP Strict Transport Security (HSTS)
113
What are the two types of centralized logging management are available on Windows?
1. Source computer initiated
2. Collector initiated
114
