Lesson 11: Enhance Application Security Capabilities

Question 1

List 3 modern email security protocols

Answer 1

1. DomainKeys Identified Mail - DKIM
2. Sender Policy Framework - SPF
3. Domain-based Message Authentication, Reporting & Conformance - DMARC

Question 2

List two traditional email security protocols

Answer 2

1. SMTPS
2. IMAPS

Question 3

What protocols are used for secure file transfers?

Answer 3

SFTP (SSH File Transfer Protocol) or FTPS (File Transfer Protocol Secure)

Question 4

What protocol is used for secure directory access?

Answer 4

LDAPS

Question 5

What protocol is used for secure DNS queries?

Answer 5

DNSSEC

Question 6

Describe the formal process an organization would go through to implement a secure protocol

Answer 6

Assessing risks, reviewing policies, and evaluating the security features of different protocols.

Question 7

What are two transport methods?

Answer 7

TCP and UDP

Question 8

Define ‘Transport Layer Security (TLS)’

Answer 8

Uses certificates for authentication and encryption to protect web communications and other application protocols.

Question 9

What is the purpose of installing a certificate on a client computer?

Answer 9

For VPNs and enterprise networks that require mutual authentication.

Question 10

What improvement was added to TLS 1.3

Answer 10

Removing the ability to perform downgrade attacks by preventing the use of unsecure features and algorithms from previous versions; Handshake protocol has less messages to speed up connections.

Question 11

Define a ‘Cipher suite’

Answer 11

Lists of cryptographic algorithms that a server and client both support and can use to negotiate a secure connection.

Question 12

Define ‘hash key derivation function’

Answer 12

Deriving a key suitable for use as input to an encryption algorithm; A password, a salt, and a cost factor as inputs then generate a password hash.

Question 13

How do client and server agree upon a cipher suite in TLS 1.3?

Answer 13

The client sends a hello message stating the versions of TLS and cipher suites that it can support; The server responds with a cipher suite and version that both it and the client can support as well as its certificate.

Question 14

How does a client adjust to a servers cipher suite?

Answer 14

After accepting the servers public key certificate, it uses the Change Cipher Spec command to start using the agreed symmetric cipher and key.

Question 15

What ports does LDAP use?

Answer 15

Port 389

Question 16

Define a ‘simple bind’ authentication in the LDAP protocol

Answer 16

The client authenticates with its distinguished name (DN) and password, but these are passed as plaintext.

Question 17

Define ‘Simple Authentication and Security Layer (SASL)’ authentication in the LDAP protocol

Answer 17

Preferred mechanism for Microsoft’s AD implementation of LDAP; The client and server negotiate the use of a supported authentication mechanism, such as Kerberos.

Question 18

Define ‘LDAP Secure (LDAPS)’

Answer 18

Implementing LDAP using SSL/TLS encryption; The server is installed with a digital certificate, which it uses to set up a secure tunnel for the user credential exchange.

Question 19

What port does LDAP Secure (LDAPS) use?

Answer 19

Port 636

Question 20

Where should port 636 and 389 be enabled to secure LDAP?

Answer 20

LDAP port should be blocked by a firewall from access over the public interface.

Question 21

Define ‘Simple Network Management Protocol (SNMP)’

Answer 21

Application protocol used for monitoring and managing network devices.

Question 22

What port(s) does Simple Network Management Protocol (SNMP) use?

Answer 22

UDP ports 161 and 162 by default.

Question 23

What are the two components of Simple Network Management Protocol (SNMP)?

Answer 23

SNMP monitor and SNMP agent

Question 24

Define a ‘SNMP agent’

Answer 24

A process (software or firmware) running on a switch, router, server, or other SNMP-compatible network device.

Question 25

What is the function of an SNMP agent?

Answer 25

Agent maintains a database called a management information base (MIB) that holds statistics relating to the activity of the device.

Question 26

Define an ‘SNMP trap function’

Answer 26

The agent informs the management system of a notable event after reaching an established threshold.

Question 27

What port does the SNMP monitor use to query data from an SNMP agent?

Answer 27

UDP port 161

Question 28

What port are SNMP traps communicated over?

Answer 28

UDP port 162

Question 29

What is best practice in securing an SNMP community name?

Answer 29

Use difficult to guess names, and never leave it to blank or default; Do not transport the community name over a network.

Question 30

What is the most secure version of SNMP?

Answer 30

SNMPv3

Question 31

What are security improvements to SNMPv3?

Answer 31

Instead of community names, the agents are configured with a list of usernames and access permissions.

Question 32

Define the authentication process in SNMPv3

Answer 32

SNMP messages are signed with a hash of the user’s passphrase. The agent can verify the signature and authenticate the user using its own record of the passphrase.

Question 33

Define ‘Secure File Transfer Protocol (SFTP)’

Answer 33

Uses a Secure Shell (SSH) tunnel as an encryption method between client and server to transfer, access, and manage files.

Question 34

What port does Secure File Transfer Protocol (SFTP) use?

Answer 34

TCP port 22

Question 35

What are two protocols used to implement FTP over SSL/TLS?

Answer 35

1. Explicit TLS (FTPES)
2. Implicit TLS (FTPS)

Question 36

Define the function of Explicit TLS (FTPES)

Answer 36

Uses the AUTH TLS command to upgrade an unsecure connection established over port 21 to a secure one.

Question 37

Define the function of Implicit TLS (FTPS)

Answer 37

Negotiates a TLS tunnel before the exchange of any FTP commands over TCP port 990.

Question 38

What version of FTP over TLS is preferred when there are firewalls between client and server?

Answer 38

Explicit TLS (FTPES)

Question 39

Define ‘Simple Mail Transfer Protocol (SMTP)’

Answer 39

Application protocol used to send mail between mail servers on the Internet sent over TCP port 25.

Question 40

What port does a client use to submit a message request to a mail server?

Answer 40

TCP port 587

Question 41

Define a ‘mailbox protocol’

Answer 41

Stores messages for users and allows them to download them to client computers or manage them on the server.

Question 42

How does a mail server locate a recipient?

Answer 42

Uses the domain name of the recipient to discover an IP address that is registered in DNS as an MX record.

Question 43

What are the two secure versions of Simple Mail Transfer Protocol (SMTP)?

Answer 43

1. STARTTLS
2. SMTPS

Question 44

Define ‘STARTTLS’

Answer 44

Explicit TLS; A command that upgrades an existing unsecure SMTP connection to use TLS.

Question 45

Define ‘SMTPS’

Answer 45

Implicit TLS; Using PKI, establishes the secure connection before any SMTP commands are exchanged.

Question 46

What is the preferred method of implementing SMTP over TLS?

Answer 46

STARTTLS

Question 47

Define ‘Post Office Protocol v3 (POP3)’

Answer 47

Application mailbox protocol that stores messages on a server and enables a client to download email messages from a server mailbox to a client.

Question 48

What port does Post Office Protocol v3 (POP3) use?

Answer 48

TCP port 110

Question 49

Describe the function of Post Office Protocol v3 (POP3)

Answer 49

Client application, such as Microsoft Outlook, establishes a TCP connection to the POP3 server over port 110; After authenticating with the server the mailbox is downloaded.

Question 50

What is the secure version of Post Office Protocol v3 (POP3) and the port is uses?

Answer 50

POP3S; TCP port 995 by default.

Question 51

Define ‘Internet Message Access Protocol (IMAP)’

Answer 51

Application mailbox protocol providing a means for a client to access and manage email messages stored in a mailbox on a remote server.

Question 52

What are the differences between Internet Message Access Protocol (IMAP) and Post Office Protocol v3 (POP3)?

Answer 52

IMAP supports permanent connections to a server and connects multiple clients to the same mailbox simultaneously; Clients can manage mail folders.

Question 53

What port does Internet Message Access Protocol (IMAP) use?

Answer 53

TCP port 143

Question 54

What port does IMAP over TLS use?

Answer 54

TCP port 993

Question 55

Define ‘Sender Policy Framework (SPF)’

Answer 55

A DNS record identifying hosts authorized to send mail for the domain.

Question 56

What is the purpose of Sender Policy Framework (SPF)?

Answer 56

Helps detect and prevent sender address forgery commonly used in phishing and spam emails.

Question 57

How does Sender Policy Framework (SPF) function?

Answer 57

By verifying the sender’s IP address against a list of authorized sending IP addresses published in the DNS TXT records of the email sender’s domain.

Question 58

Define ‘DomainKeys Identified Mail (DKIM)’

Answer 58

A cryptographic authentication mechanism for mail utilizing a public key published as a DNS record.

Question 59

What is the purpose of DomainKeys Identified Mail (DKIM)?

Answer 59

Leverages encryption features to enable email verification by allowing the sender to sign emails using a digital signature.

Question 60

How does DomainKeys Identified Mail (DKIM) leverage encryption?

Answer 60

The receiving email server uses a DKIM record that acts as a public key in the sender’s DNS record to verify the signature and the email’s integrity.

Question 61

Define ‘Domain-based Message Authentication, Reporting & Conformance (DMARC)’

Answer 61

Framework combining SPF and DKIM for authentication of senders; Specifies the actions to be taken when an email fails authentication; A DMARC policy is published as a DNS record.

Question 62

What actions can Domain-based Message Authentication, Reporting & Conformance (DMARC) enact when authentication fails?

Answer 62

Moving messages to quarantine or spam, rejecting them outright, or tagging the message.

Question 63

Does Domain-based Message Authentication, Reporting & Conformance (DMARC) offer reporting?

Answer 63

Yes, giving the owner of a domain visibility into which systems are sending emails on their behalf, including unauthorized activity.

Question 64

Define an ‘email gateway’

Answer 64

Control point for all incoming and outgoing email traffic.

Question 65

What is the purpose of an email gateway?

Answer 65

To audit all emails removing potential threats before they reach inboxes.

Question 66

What security measures does a typical email gateway use to secure mail?

Answer 66

Anti-spam filters, antivirus scanners, and sophisticated threat detection algorithms to identify phishing attempts, malicious URLs, and harmful attachments as well as attachment blocking, content filtering, and data loss prevention.

Question 67

Define ‘Secure/Multipurpose Internet Mail Extensions (S/MIME)’

Answer 67

Protocol for securing mail communications using encryption and digital signature to encrypt data and verify identities.

Question 68

Define ‘Data loss prevention (DLP)’

Answer 68

Software that detects and prevents sensitive information from being stored on unauthorized systems or transmitted over unauthorized networks.

Question 69

How can Data loss prevention (DLP) be used to secure email communications?

Answer 69

DLP scans emails and attachments for certain types of sensitive information defined by the organization’s DLP policies; If an email contains these types of information, the DLP system can take several actions based on predefined rules.

Question 70

What actions can Data loss prevention (DLP) software take to prevent data loss via email?

Answer 70

Blocking the email, alerting the sender or administrator, or automatically encrypting it before transmission.

Question 71

Define ‘DNS filtering’

Answer 71

Blocks or allows access to specific websites by controlling the resolution of domain names into IP addresses

Question 72

How does DNS filtering operate?

Answer 72

When a request is made to resolve a website URL, the DNS filter checks the request against a database of domain names; If the domain is known as malicious, or is unapproved, the filter blocks the request, preventing access to the website.

Question 73

Define a ‘DNS firewall’

Answer 73

Intercept DNS queries at the network level and applies filtering rules accordingly.

Question 74

What is best practice for securing an internal DNS server?

Answer 74

DNS servers should only accept recursive queries from local hosts and not from the internet.

Question 75

Define ‘DNS footprinting’

Answer 75

Obtaining information about a private network by using its DNS server.

Question 76

What are two ways to perform DNS footprinting?

Answer 76

Performing a zone transfer to a rouge DNS server of by querying the DNS server using nslookup/dig.

Question 77

Define ‘DNS Security Extensions (DNSSEC)’

Answer 77

Security protocol that provides authentication of DNS data and upholds DNS data integrity.

Question 78

What is the purpose of DNS Security Extensions (DNSSEC)?

Answer 78

To mitigate against spoofing and poisoning attacks by providing a validation process for DNS responses.

Question 79

How does DNS Security Extensions (DNSSEC) secure DNS records?

Answer 79

The authoritative server creates a “package” of resource records (called an RRset) signed with a private key (the Zone Signing Key).

Question 80

With DNS Security Extensions (DNSSEC) enabled, how does a non-authoritative DNS server receive DNS records?

Answer 80

The authoritative server returns the package along with its public key, which can be used to verify the signature.

Question 81

When using S/MIME, which key is used to protect the confidentiality of a message?

Answer 81

The recipient’s public key; The public key is used to encrypt a symmetric session key.

Question 82

What is the purpose of input validation?

Answer 82

Used in software and web development that addresses the issue of untrusted input to defeat injection attacks.

Question 83

Define ‘untrusted input’

Answer 83

Specially crafted data supplied to an application to manipulate its behavior.

Question 84

What are different forms of input validation?

Answer 84

Allowlisting, Blocklisting, Data type and range checks, regular expressions, encoding.

Question 85

Define Allowlisting input validation

Answer 85

Permits inputs that match a predetermined and approved set of values or patterns.

Question 86

Define Blocklisting input validation

Answer 86

Explicitly blocks known harmful inputs, such as certain special characters or patterns commonly used in attacks.

Question 87

Define ‘data type check’ input validation

Answer 87

Checks to ensure the input data is of the expected type, such as a string, integer, or date.

Question 88

Define ‘range check’ input validaiton

Answer 88

Validates that numeric inputs fall within expected ranges.

Question 89

Define ‘Regular expression/regex’ input validation

Answer 89

Used to match input to expected patterns or signs of malicious activity.

Question 90

Define ‘encoding’ input validation

Answer 90

Prevent special characters from being interpreted as executable commands or scripts.

Question 91

Define a ‘cookie’

Answer 91

A text file stored on a computer by a web browser while accessing a website.

Question 92

What is the purpose/function of a cookie?

Answer 92

Maintain session states, remember user preferences, and track user behavior and other settings.

Question 93

How can cookies be exploited if not properly secured?

Answer 93

Attacks such as session hijacking or cross-site scripting.

Question 94

What is the purpose of static code analysis?

Answer 94

Identify potential vulnerabilities, errors, and noncompliant coding practices before the program is finalized.

Question 95

Define ‘Code sigining’

Answer 95

The method of using a digital signature to ensure the source and integrity of software code.

Question 96

How does software become digitally signed?

Answer 96

The signer uses a private key to encrypt a hash or digest of the code to form the digital signature.

Question 97

How is the code verified once digitally signed?

Answer 97

Requires using a certificate issued by a trusted certificate authority (CA) and the client uses the cert to verify the signature of the code.

Question 98

Define ‘data exposure’

Answer 98

A fault that allows privileged information (such as a token, password, or personal data) to be read without being subject to the appropriate access controls.

Question 99

Define an ‘error/exception’ in software development

Answer 99

An application vulnerability that is defined by how an application responds to unexpected events/processes that can lead to holes in the security of an app.

Question 100

What are errors/exceptions that could occur in software?

Answer 100

Invalid user input, a loss of network connectivity, another server or process failing, and so on.

Question 101

How can errors/exceptions be handled in a good manner?

Answer 101

By a programmer implementing a structured exception handler (SEH) to dictate what the application should then do.

Question 102

Define a ‘structured exception handler (SEH)’

Answer 102

A mechanism to account for unexpected error conditions that might arise during code execution.

Question 103

What is the purpose of implementing to code?

Answer 103

To reduce the chances that a program could be exploited.

Question 104

What is the difference between an error and an exception?

Answer 104

An error is a condition that the process cannot recover from; An exception is a type of error that can be handled by a block of code without the process crashing.

Question 105

Define ‘cloud hardening’

Answer 105

Fortify the cloud infrastructure, reducing its attack surface.

Question 106

What should be implemented in the cloud to restrict access to cloud resources?

Answer 106

Least privilege access.

Question 107

How do modern web browsers implement sandboxing/sandbox envrionments?

Answer 107

If a website or browser extension in one browser tab attempts to run malicious code, it is confined within that tab’s sandbox to prevent malicious code from impacting the entire browsers or the OS.

Question 108

How do mobile phone OS’s implementing sandboxing?

Answer 108

They use sandboxing to limit each app’s actions; An app in a sandbox can access its own data and resources but cannot access other app data or any nonessential system resources without explicit permission.

Question 109

What are examples of large scale infrastructure sandboxing?

Answer 109

Virtual machines (VMs) and containers like Docker; each VM or container can run in isolation.

Question 110

How can sandboxing be leveraged in security operations?

Answer 110

Detecting and understanding malware activities via forensic inspection.

Question 111

What is the purpose of using sandboxing in security operations?

Answer 111

To create an enclosed, controlled environment that allows the safe execution of potentially harmful software without affecting the IT environment.

Question 112

Which response header provides protection against SSL stripping attacks?

Answer 112

HTTP Strict Transport Security (HSTS)

Question 113

What are the two types of centralized logging management are available on Windows?

Answer 113

1. Source computer initiated
2. Collector initiated