Module 4

Question 1

What is a key risk indicator?

Answer 1

• A metric of the upper and lower bounds of specific indicators of normal network activity
  
  • Ex: Total network logs per second, number of failed remote logins, network bandwith

Question 2

What is an indicator of compromise (IOC)?

Answer 2

An indicator that malicious activity is occurring but is still in the early stages.

Question 3

What is predictive analysis?

Answer 3

• An evaluation used for discovering an attack before it actually occurs

Question 4

What is open source?

Answer 4

Anything that could be freely used without restrictions

Question 5

What are public information sharing centers?

Answer 5

• A repository by which open source cybersecurity information is collected and disseminated.
  
  • Ex: U.S. Department of Homeland Security
  • Cyber Information Sharing and Collaboration Program (CISCP).

Question 6

What is automated indicator sharing (AIS)? What two tools help to aid AIS?

Answer 6

• A technology that enables the exchange of cyberthreat indicators between parties through computer-to-computer communication.
• Two tools:
  
  1. Structured Threat Information Expression (STIX): A language and format used to exchange cyberthreat intelligence.
  2. Trusted Automated Exchange of Intelligence Information (TAXII): An application protocol for exchanging cyberthreat intelligence over Hypertext Transfer Protocol Secure (HTTPS).

Question 7

What is closed source?

Answer 7

Proprietary information owned by an entity that has an exclusive right to it

Question 8

What is a private information sharing center?

Answer 8

Organizations participating in closed source information that restrict both access to data and participation.

Question 9

Name four different sources of threat intelligence for cybersecurity:

Answer 9

1. Vulnerability database
2. Threat maps
3. File and Code repositories
4. Dark Web

Question 10

What is a vulnerability database?

Answer 10

A repository of known vulnerabilities and information as to how they have been exploited.

Question 11

What is a threat map?

Answer 11

An illustration of cyberthreats overlaid on a diagrammatic representation of a geographical area.

Question 12

What are file and code repositories?

Answer 12

A storage area in which victims of an attack can upload malicious files and software code that can then be examined by others to learn more about these attacks and craft their defenses.

Question 13

What is the dark web?

Answer 13

Part of the web is beyond the reach of a normal search engine and is the domain of threat actors.

Question 14

What is BIOS?

Answer 14

(Basic input/output system)

• A chip integrated into the computer’s motherboard
• BIOS software would “awaken” and perform the following steps in a legacy BIOS boot:

1. BIOS would test various components of the computer to ensure they functioned properly (called the POST or Power-On Self-Test).
2. Next, BIOS would reference the Master Boot Record (MBR) that specified the computer’s partition table, which instructed the BIOS where the computer’s operating system (OS) could be located.
3. Finally, the BIOS passed control to the installed boot loader, which launched the OS.

Question 15

What firmware interface eventually replaced the BIOS?

Answer 15

UEFI (Unified Extensible Firmware Interface)
Included benefits such as:

• ability to access hard drives that are larger than two terabytes (TB)
• support for an unlimited number of primary hard drive partitions
• faster booting
• support for networking functionality in the UEFI firmware itself to aid in remote troubleshooting.

Question 16

What does boot security involve?

Answer 16

• Validating that each element used in each step of the boot process has not been modified

Question 17

What is the hardware root of trust?

Answer 17

• Security checks that begin with hardware checks.

Question 18

What is a chain of trust? (when referring to the boot process/boot security)

Answer 18

• Process of validation from the boot software to the software drivers and so on
  
  • (Boot attestation refers to the process of determining that the boot process is valid.)

Question 19

What happens after boot security is established?

Answer 19

The computer endpoints must be actively protected

• This protection can be done by ways of software installed on the endpoint, such as:
  
  • antivirus software, antimalware, web browser protections, and monitoring and response systems

Question 20

What is antivirus software?

Answer 20

Software that can examine a computer for file-based virus infections as well as monitor computer activity and scan new documents that might contain a virus.

Question 21

What is antimalware?

Answer 21

• A suite of software intended to provide protections against multiple types of malware, such as ransomware, crypto malware, Trojans, and other malware.
  
  • Also includes antispyware
  • A common technique includes a pop-up blocker

Question 22

How do web browsers protect your comptuer?

Answer 22

• Using secure cookies and HTTP headers:
  
  • The Hypertext Transfer Protocol (HTTP) is the Internet-based protocol that is the foundation of all data exchanges on the web
  • Use of cookies to store user-specific information to be retrieved later
    
    • Includes first party, third party, and session cookies
  • HTTP Response Header: A header that can inform the browser how to function while communicating with the website.
  • Secure Cookie: A cookie that is only sent to the server with an encrypted request over the secure HTTPS protocol.

Question 23

What are the three types of monitoring and response systems for endpoint computers?

Answer 23

1. host intrusion detection systems (HIDS)
2. host intrusion prevention systems (HIPS)
3. endpoint detection and response (EDR)

Question 24

What is a Host Intrusion Detection Systems (HIDS)? What types of endpoint computer functions does HIDS typically monitor?

Answer 24

A software-based application that runs on an endpoint computer and can detect that an attack has occurred.

• Typically Monitors:

1. System calls
2. Files system access
3. Host input/output

Question 25

What is Host Intrusion Prevention Systems (HIPS)?

Answer 25

• Software that monitors endpoint activity to immediately block a malicious attack by following specific rules.

Question 26

What is Endpoint Detection and Response (EDR)?

Answer 26

• Robust tools that monitor endpoint events and take immediate action.

Question 27

What is the next step after boot security has been established and the endpoints have been protected?

Answer 27

• Harden the endpoints for further protection using patch management and OS protections

Question 28

What is patch management? What are the two patch management tools used to administer patches?

Answer 28

1. Patch distribution: Distribution of patches from companies such as Apple macOS and Windows (automated patch update service manages patches)
2. Patch reception: Receiving the patch. (nowadays patches are usually auto updated)

Question 29

What should a typical OS security configuration include? (hint 3)

Answer 29

1. Disabling unnecessary ports and services: Turning off any service that is not being used and closing any unnecessary TCP ports to enhance security.
2. Disabling default accounts/passwords
3. Employing least functionality

Question 30

What is a security template?

Answer 30

A collection of security configuration settings, specifically on Windows

Question 31

What is registry?

Answer 31

A database that contains low-level settings used by the Windows OS and for those applications that elect to use it.

Question 32

What are the 3 confinement tools for restricting malware?

Answer 32

1. Application whitelisting/blacklisting: Requiring preapproval for an application to run or not run.
2. Sandbox: A “container” in which an application can be run so that it does not impact the underlying OS.
3. Quarantine: The process that holds a suspicious document.

Question 33

Name the 3 steps for protecting/securing an endpoint computer?

Answer 33

1. Confirming boot integrity
2. protecting endpoints
3. hardening endpoints

Question 34

What is a root directory?

Answer 34

specific directory on a web server’s file system

Question 35

What is a directory traversal attack?

Answer 35

An attack that takes advantage of vulnerability so that a user can move from the root directory to other restricted directories.

Question 36

What is a poor memory management vulnerability?

Answer 36

Failure of programmers to create secure code, which allows vulnerabilities that manipulate computer RAM.

Question 37

What are the different stages to developing an application? (hint 4)

Answer 37

1. Development stage: A stage of application development in which the requirements for the application are established and it is confirmed that the application meets the intended business needs before the actual coding begins.
2. Testing stage: A stage in which an application is tested for any errors that could result in a security vulnerability.
3. Staging stage: A stage in application development that tests to verify that the code functions as intended.
4. Production stage: An application development stage in which the application is released to be used in its actual setting.

Question 38

What is software diversity?

Answer 38

Software development technique in which two or more functionally identical variants of a program are developed from the same specification but by different programmers or programming teams.

Question 39

What is provisioning vs deprodivsioning?

Answer 39

• Provisioning: The enterprise-wide configuration, deployment, and management of multiple types of IT system resources.
• Deprovisioning: Removing a resource that is no longer needed.

Question 40

What is integrity measurement?

Answer 40

• An “attestation mechanism” designed to ensure that an application is running only known and approved executables.

Question 41

What is an application development lifecycle model? What are the two main models that are used?

Answer 41

• a conceptual model that describes the stages involved in creating an application.
• Waterfall model: uses a sequential design process: as each stage is fully completed, the developers move on to the next stage
• Agile model: takes an incremental approach. Developers might start with a simplistic project design and begin to work on small modules. The work on these modules is done in short (weekly or monthly) “sprints,” and at the end of each sprint, the project’s priorities are again evaluated as tests are being run.

Question 42

What is SecDevOps?

Answer 42

• process of integrating secure development best practices and methodologies into application software development and deployment processes using the agile model. It is a set of best practices designed to help organizations implant secure coding deep in the heart of their applications.
• Promoted in terms of its elasticity (flexibility) and scalability (expandability)
• Applies automated courses of action to develop code as quickly and securely as possible
  
  • Includes continuous validation (ongoing approvals of the code), continuous integration (ensuring that security features are incorporated at each stage), continuous delivery (moving the code to each stage as it is completed), and continuous deployment (continual code implementation).

Question 43

List some secure coding techniques used to create secure applications:

Answer 43

• Proper input validation
• Normalization
• Stored Procedure
• Code signing

Question 44

What is one of the most important steps of SecDevOps?

Answer 44

Code testing

Question 45

What are the two different types of code testing?

Answer 45

1. Static code analysis: Analyzing and testing software from a security perspective before the source code is compiled. (could also include manual peer reviews
2. Dynamic code analysis: Examining code after the source code is compiled and when all components are integrated and running. (could include fuzzing, which provides random input to program to trigger an exception)