Module 4 Flashcards

1
Q

What is a key risk indicator?

A
  • A metric of the upper and lower bounds of specific indicators of normal network activity
    • Ex: Total network logs per second, number of failed remote logins, network bandwidth
2
Q

What is an indicator of compromise (IOC)?

A

An indicator that malicious activity is occurring but is still in the early stages.

3
Q

What is predictive analysis?

A
  • An evaluation used for discovering an attack before it actually occurs
4
Q

What is open source?

A

Anything that could be freely used without restrictions

5
Q

What are public information sharing centers?

A
  • A repository by which open source cybersecurity information is collected and disseminated.
    • Ex: U.S. Department of Homeland Security
    • Cyber Information Sharing and Collaboration Program (CISCP).
6
Q

What is automated indicator sharing (AIS)? What two tools help to aid AIS?

A
  • A technology that enables the exchange of cyberthreat indicators between parties through computer-to-computer communication.
  • Two tools:
    1. Structured Threat Information Expression (STIX): A language and format used to exchange cyberthreat intelligence.
    2. Trusted Automated Exchange of Intelligence Information (TAXII): An application protocol for exchanging cyberthreat intelligence over Hypertext Transfer Protocol Secure (HTTPS).
7
Q

What is closed source?

A

Proprietary information owned by an entity that has an exclusive right to it

8
Q

What is a private information sharing center?

A

Organizations participating in closed source information that restrict both access to data and participation.

9
Q

Name four different sources of threat intelligence for cybersecurity:

A
  1. Vulnerability database
  2. Threat maps
  3. File and code repositories
  4. Dark Web
10
Q

What is a vulnerability database?

A

A repository of known vulnerabilities and information as to how they have been exploited.

11
Q

What is a threat map?

A

An illustration of cyberthreats overlaid on a diagrammatic representation of a geographical area.

12
Q

What are file and code repositories?

A

A storage area in which victims of an attack can upload malicious files and software code that can then be examined by others to learn more about these attacks and craft their defenses.

13
Q

What is the dark web?

A

The part of the web that is beyond the reach of a normal search engine and is the domain of threat actors.

14
Q

What is BIOS?

A

(Basic input/output system)

  • A chip integrated into the computer’s motherboard
  • BIOS software would “awaken” and perform the following steps in a legacy BIOS boot:
    1. BIOS would test various components of the computer to ensure they functioned properly (called the POST or Power-On Self-Test).
    2. Next, BIOS would reference the Master Boot Record (MBR) that specified the computer’s partition table, which instructed the BIOS where the computer’s operating system (OS) could be located.
    3. Finally, the BIOS passed control to the installed boot loader, which launched the OS.
15
Q

What firmware interface eventually replaced the BIOS?

A

UEFI (Unified Extensible Firmware Interface)
Included benefits such as:

  • Ability to access hard drives that are larger than two terabytes (TB)
  • Support for an unlimited number of primary hard drive partitions
  • Faster booting
  • Support for networking functionality in the UEFI firmware itself to aid in remote troubleshooting
16
Q

What does boot security involve?

A
  • Validating that each element used in each step of the boot process has not been modified
17
Q

What is the hardware root of trust?

A
  • Security checks that begin with hardware checks.
18
Q

What is a chain of trust? (when referring to the boot process/boot security)

A
  • Process of validation from the boot software to the software drivers and so on
    • (Boot attestation refers to the process of determining that the boot process is valid.)
19
Q

What happens after boot security is established?

A

The computer endpoints must be actively protected

  • This protection can be provided by software installed on the endpoint, such as:
    • antivirus software, antimalware, web browser protections, and monitoring and response systems
20
Q

What is antivirus software?

A

Software that can examine a computer for file-based virus infections as well as monitor computer activity and scan new documents that might contain a virus.

21
Q

What is antimalware?

A
  • A suite of software intended to provide protections against multiple types of malware, such as ransomware, crypto malware, Trojans, and other malware.
    • Also includes antispyware
    • A common technique includes a pop-up blocker
22
Q

How do web browsers protect your computer?

A
  • Using secure cookies and HTTP headers:
    • The Hypertext Transfer Protocol (HTTP) is the Internet-based protocol that is the foundation of all data exchanges on the web
    • Use of cookies to store user-specific information to be retrieved later
      • Includes first party, third party, and session cookies
    • HTTP Response Header: A header that can inform the browser how to function while communicating with the website.
    • Secure Cookie: A cookie that is only sent to the server with an encrypted request over the secure HTTPS protocol.
23
Q

What are the three types of monitoring and response systems for endpoint computers?

A
  1. host intrusion detection systems (HIDS)
  2. host intrusion prevention systems (HIPS)
  3. endpoint detection and response (EDR)
24
Q

What is a host intrusion detection system (HIDS)? What types of endpoint computer functions does HIDS typically monitor?

A

A software-based application that runs on an endpoint computer and can detect that an attack has occurred.

  • Typically monitors:
    1. System calls
    2. File system access
    3. Host input/output
25
Q

What is a host intrusion prevention system (HIPS)?

A
  • Software that monitors endpoint activity to immediately block a malicious attack by following specific rules.
26
Q

What is Endpoint Detection and Response (EDR)?

A
  • Robust tools that monitor endpoint events and take immediate action.
27
Q

What is the next step after boot security has been established and the endpoints have been protected?

A
  • Harden the endpoints for further protection using patch management and OS protections
28
Q

What is patch management? What are the two patch management tools used to administer patches?

A
  1. Patch distribution: Distribution of patches from vendors such as Apple (macOS) and Windows; an automated patch update service manages the patches.
  2. Patch reception: Receiving the patch (nowadays patches are usually applied automatically).
29
Q

What should a typical OS security configuration include? (hint 3)

A
  1. Disabling unnecessary ports and services: Turning off any service that is not being used and closing any unnecessary TCP ports to enhance security.
  2. Disabling default accounts/passwords
  3. Employing least functionality
30
Q

What is a security template?

A

A collection of security configuration settings, specifically on Windows

31
Q

What is the registry?

A

A database that contains low-level settings used by the Windows OS and for those applications that elect to use it.

32
Q

What are the 3 confinement tools for restricting malware?

A
  1. Application whitelisting/blacklisting: Requiring preapproval for an application to run or not run.
  2. Sandbox: A “container” in which an application can be run so that it does not impact the underlying OS.
  3. Quarantine: The process that holds a suspicious document.
33
Q

Name the three steps for protecting/securing an endpoint computer:

A
  1. Confirming boot integrity
  2. Protecting endpoints
  3. Hardening endpoints
34
Q

What is a root directory?

A

A specific directory on a web server’s file system

35
Q

What is a directory traversal attack?

A

An attack that takes advantage of a vulnerability so that a user can move from the root directory to other restricted directories.

36
Q

What is a poor memory management vulnerability?

A

Failure of programmers to create secure code, which allows vulnerabilities that manipulate computer RAM.

37
Q

What are the different stages to developing an application? (hint 4)

A
  1. Development stage: A stage of application development in which the requirements for the application are established and it is confirmed that the application meets the intended business needs before the actual coding begins.
  2. Testing stage: A stage in which an application is tested for any errors that could result in a security vulnerability.
  3. Staging stage: A stage in application development that tests to verify that the code functions as intended.
  4. Production stage: An application development stage in which the application is released to be used in its actual setting.
38
Q

What is software diversity?

A

Software development technique in which two or more functionally identical variants of a program are developed from the same specification but by different programmers or programming teams.

39
Q

What is provisioning vs. deprovisioning?

A
  • Provisioning: The enterprise-wide configuration, deployment, and management of multiple types of IT system resources.
  • Deprovisioning: Removing a resource that is no longer needed.
40
Q

What is integrity measurement?

A
  • An “attestation mechanism” designed to ensure that an application is running only known and approved executables.
41
Q

What is an application development lifecycle model? What are the two main models that are used?

A
  • A conceptual model that describes the stages involved in creating an application.
  • Waterfall model: uses a sequential design process: as each stage is fully completed, the developers move on to the next stage
  • Agile model: takes an incremental approach. Developers might start with a simplistic project design and begin to work on small modules. The work on these modules is done in short (weekly or monthly) “sprints,” and at the end of each sprint, the project’s priorities are again evaluated as tests are being run.
42
Q

What is SecDevOps?

A
  • The process of integrating secure development best practices and methodologies into application software development and deployment processes using the agile model. It is a set of best practices designed to help organizations implant secure coding deep in the heart of their applications.
  • Promoted in terms of its elasticity (flexibility) and scalability (expandability)
  • Applies automated courses of action to develop code as quickly and securely as possible
    • Includes continuous validation (ongoing approvals of the code), continuous integration (ensuring that security features are incorporated at each stage), continuous delivery (moving the code to each stage as it is completed), and continuous deployment (continual code implementation).
43
Q

List some secure coding techniques used to create secure applications:

A
  • Proper input validation
  • Normalization
  • Stored Procedure
  • Code signing
44
Q

What is one of the most important steps of SecDevOps?

A

Code testing

45
Q

What are the two different types of code testing?

A
  1. Static code analysis: Analyzing and testing software from a security perspective before the source code is compiled (could also include manual peer reviews).
  2. Dynamic code analysis: Examining code after the source code is compiled and when all components are integrated and running (could include fuzzing, which provides random input to a program to trigger an exception).