Module 4 - Endpoint and Application Development Security Flashcards

1
Q

An indicator of compromise (IOC) occurs when what metric exceeds its normal bounds?

A

key risk indicators (KRIs) - a KRI is a metric of the upper and lower bounds of specific indicators of normal network activity

an IOC shows that a malicious activity is occurring but is still in the early stages of an attack

2
Q

What are the 2 concerns about using public information sharing centers?

A

privacy and speed

an organization that is the victim of an attack must be careful not to share proprietary or sensitive information when providing IOCs and attack details

threat intelligence information must be distributed to others as quickly as possible; relying on email alerts that require a human to read them and then react takes far too much time

3
Q

Which privacy protection uses four colors to indicate the expected sharing limitations that are to be applied by recipients of the information?

A

Traffic Light Protocol (TLP) - TLP is a set of designations used to ensure that sensitive information is shared only with the appropriate audience; TLP uses four colors (red, amber, green and white) to indicate the expected sharing limitations the recipients should apply

TLP is a privacy protection of the Cyber Information Sharing and Collaboration Program (CISCP)

4
Q

Oskar has been receiving emails about critical threat intelligence information from a public information sharing center. His team leader has asked him to look into how the process can be automated so that the information can feed directly into the team’s security technology. What technology would Oskar recommend?

A

Automated Indicator Sharing (AIS) - AIS enables the exchange of cyber-threat indicators between parties through computer-to-computer communication, not email communication; threat indicators such as malicious IP addresses or the sender address of a phishing email can be quickly distributed to enable others to repel these attacks

5
Q

Which of the following is an application protocol for exchanging cyber-threat intelligence over HTTPS?

a) STIX
b) AIP-TAR
c) TAXII
d) TCP - Over-Secure (ToP)

A

Trusted Automated Exchange of Intelligence Information (TAXII) - TAXII is an application protocol for exchanging cyber-threat intelligence over HTTPS; TAXII defines an application protocol interface (API) and a set of requirements for TAXII clients and servers

6
Q

Which of the following is NOT a limitation of a threat map?

a) many maps claim that they show data in real-time, but most are simply a playback of previous attacks
b) because threat maps show anonymized data, it is impossible to know the identity of the attackers or the victims
c) they can be difficult to visualize
d) threat actors usually mask their real locations, so what is displayed on a threat map is incorrect

A

C - they can be difficult to visualize

7
Q

What are the two limitations of private information sharing centers?

A

access to data and participation

whereas private sharing centers are similar to public sharing centers in that members share threat intelligence information, insights, and best practices, private sharing centers are restrictive regarding who may participate

8
Q

Luka has been asked by his supervisor to monitor the dark web for any IOCs concerning their organization. The next week, Luka reports that he was unable to find anything because looking for information on the dark web is different from using the regular web. Which of the following is FALSE about looking for information on the dark web?

a) it is necessary to use Tor or I2P
b) dark web search engines are identical to regular search engines
c) dark web merchants open and close their sites without warning
d) the naming structure is different on the dark web

A

B - dark web search engines are identical to regular search engines

dark web search engines are difficult to use and notoriously inaccurate; one reason is that merchants who buy and sell stolen data or illicit drugs are constantly on the run, and their dark websites appear and suddenly disappear with no warning

9
Q

Which of the following is NOT an improvement of UEFI over BIOS?

a) UEFI Native Mode
b) Secure Boot
c) Trusted Boot
d) Measured Boot

A

A - UEFI Native Mode

UEFI Native Mode uses UEFI standards for boot functions; secure boot modules can be patched or updated as needed; it provides no validation or protection of the boot process

10
Q

Which boot security mode sends information on the boot process to a remote server?

A

Measured Boot - the computer’s firmware logs the boot process so the OS can send it to a trusted server to assess the security; this provides the highest degree of security; could slow down the boot process

11
Q

Which of the following is NOT an important OS security configuration?

a) employing least functionality
b) disabling default accounts
c) disabling unnecessary services
d) restricting patch management

A

D - restricting patch management

12
Q

Which stage conducts a test that will verify the code functions as intended?

A

Staging - the staging stage tests to verify that the code functions as intended

13
Q

Which model uses a sequential design process?

A

waterfall model

uses a sequential design process: as each stage is fully completed, the developers move on to the next stage; this means that once a stage is finished, developers cannot go back to a previous stage without starting all over again; this makes any issues uncovered by quality assurance difficult to address, since QA is at the end of the process; the waterfall model demands extensive planning at the very beginning and requires that the plan be followed carefully

14
Q

Which of the following is NOT an advantage of an automated patch update service?

a) downloading patches from a local server instead of using the vendor’s online update service can save bandwidth and time because each computer does not have to connect to an external server
b) administrators can approve updates for “detection” only; this allows them to see which computers require the update without installing it
c) users can disable or circumvent updates just as they can if their computer is configured to use the vendor’s online update service
d) administrators can approve or decline updates for client systems, force updates to install by a specific date and obtain reports on what updates each computer needs

A

C - users can disable or circumvent updates just as they can if their computer is configured to use the vendor’s online update service

15
Q

What type of analysis is heuristic monitoring based on?

A

dynamic analysis - uses a variety of techniques to spot the characteristics of a virus instead of attempting to make matches; the difference between static analysis and dynamic analysis detection is similar to how airport security personnel in some nations screen for terrorists; a known terrorist attempting to go through security can be identified by comparing his face against photographs of known terrorists (static analysis); for a terrorist with no photograph on file, security personnel can look at the person’s characteristics - holding a one-way ticket, not checking luggage, showing extreme nervousness - as possible indicators that the individual may need to be questioned (dynamic analysis)

16
Q

Which of these is a list of pre-approved applications?

a) greenlist
b) redlist
c) blacklist
d) whitelist

A

D - whitelist

17
Q

What is the advantage of a secure cookie?

A

this type of cookie is only sent to the server with an encrypted request over the secure HTTPS protocol; this prevents unauthorized persons from intercepting a cookie that is being transmitted between the browser and the web server

18
Q

Which of the following tries to detect and stop an attack?

a) HIDS
b) HIPS
c) RDE
d) SOMA

A

B - Host Intrusion Prevention System (HIPS)

monitors endpoint activity to immediately block a malicious attack by following specific rules; activity that HIPS watches for includes an event that attempts to control other programs, terminate programs, and install devices and drivers; one of the drawbacks of HIPS is a high number of false positives can be generated; both legitimate and malicious programs often access the same resource, and each can cause a HIPS to then block the action

19
Q

What does Windows 10 Tamper Protection do?

A

prevents any updates to the registry until the user approves the update

prevents Windows security settings from being changed or disabled by a threat actor who modifies the registry; instead, the security settings can only be accessed directly through the Windows 10 user interface or through enterprise management software

20
Q

Which of the following is FALSE about a quarantine process?

a) it holds a suspicious application until the user gives approval
b) it can send a sanitized version of the attachment
c) it can send a URL to the document that is on a restricted computer
d) it is most often used with email attachments

A

A - it holds a suspicious application until the user gives approval; the quarantine process holds suspicious documents, not applications

21
Q

What is an Indicator of Compromise (IOC)?

A

an IOC shows that a malicious activity is occurring but is still in the early stages of an attack

KRIs exceeding their normal bounds could be (but are not always) an IOC

22
Q

What is predictive analysis?

A

discovering an attack before it occurs

IOC information that is available can assist companies in their predictive analysis by looking at what other companies have experienced in the past to indicate what a company may experience in the future

23
Q

What are the two categories of threat intelligence sources and give examples of each.

A

the two categories are open source and closed source

open source threat intelligence information is freely available; also known as OSINT (Open Source Intelligence), OSINT has become a vital resource; this information is often collected and disseminated through public information sharing centers; a typical sharing center enables actionable, relevant and timely unclassified information exchange through trusted public-private partnerships across all critical infrastructure sectors; two concerns around public information sharing centers are privacy and speed

closed source threat intelligence is the opposite of open source; it is proprietary; organizations that participate in closed source information sharing are part of private information sharing centers; these types of sharing centers restrict both access to data and participation

24
Q

What is Automated Indicator Sharing (AIS) and what are the 2 tools that help facilitate AIS?

A

Automated Indicator Sharing (AIS) enables the exchange of cyber-threat indicators between parties through computer-to-computer communication, not email communication; threat indicators such as malicious IP addresses or the sender address of a phishing email can be quickly distributed to enable others to repel these attacks; AIS assists with the speed at which threat intelligence information is distributed

the 2 tools that help facilitate AIS are Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Intelligence Information (TAXII)

STIX is a language and format used to exchange cyber-threat intelligence; all information about a threat can be represented with objects and descriptive relationships; STIX information can be visually represented for a security analyst to view or stored in a lightweight format to be used by a computer

TAXII is an application protocol for exchanging cyber-threat intelligence over HTTPS; TAXII defines an application protocol interface (API) and a set of requirements for TAXII clients and servers

25
Q

What are some sources of threat intelligence?

A

vulnerability database - a repository of known vulnerabilities and information as to how they have been exploited; these databases create “feeds” of the latest cybersecurity incidents

threat maps - illustrate cyber-threats overlaid on a diagrammatic representation of a geographical area; threat maps help visualize attacks and provide a limited amount of context about the source and target countries, the attack types, and historical and near real-time data about threats; in reality threat maps provide little valuable information: even though they claim to show attacks in real-time, most are simply a playback of previous attacks, and because threat maps show anonymized data, it is impossible to know the identity of the attackers or the victims; also, threat actors usually mask their real locations, so an attack claiming to come from a certain geographic area is most likely incorrect

file and code repositories - a database of malicious files and software code that has been uploaded by victims of an attack; these files and code can be examined by others to learn more about the attacks in order to shore up their defenses

dark web - the dark web is like the deep web in that it is beyond the reach of normal search engines, but it is the domain of threat actors; a user must use special software such as Tor or I2P; this software masks the user’s identity to allow for malicious activity; some security professionals and organizations use the dark web on a limited basis to look for signs that information critical to the enterprise is being sought out or sold on the dark web

26
Q

What are the stages involved in creating and deploying SecDevOps?

A

Development - at the development stage, the requirements for the application are established and it is confirmed that the application meets the intended business needs before the actual coding begins

Testing - the testing stage thoroughly tests the application for any errors that could result in a security vulnerability

Staging - the staging stage tests to verify that the code functions as intended

Production - in the production stage the application is released to be used in its actual setting

27
Q

What are software diversity, binaries and compilers in regards to creating and deploying SecDevOps?

A

software diversity - a software development technique in which two or more functionally identical variants of a program are developed from the same specifications but by different programmers or programming teams; the intent is to provide error detection, increased reliability and additional documentation; it can also reduce the probability of errors created by the different compilers that produce binary machine code from the human source code

a compiler is a program that takes human source code and converts it to binary machine code

binary is machine code; it is the 1’s and 0’s that are pieced together from human source code; computers, servers and other network devices only communicate in machine code

28
Q

What is provisioning and deprovisioning in regards to SecDevOps?

A

provisioning is the enterprise-wide configuration, deployment and management of multiple types of IT system resources, of which the new application would be viewed as a new resource

deprovisioning in application development is removing a resource that is no longer needed

29
Q

What is quality assurance in regards to SecDevOps?

A

it is the verification of the quality of a software application; in the waterfall method this would occur at the end of the software development, whereas with the agile method QA occurs throughout the process of software application development

30
Q

What is an Integrity Measurement in regards to SecDevOps?

A

an integrity measurement is an “attestation mechanism” designed to be able to convince a remote party (external to the coding team) that an application is running only a set of known and approved executables; whenever a file is called in an executable mode, such as when a program is invoked or a sharable library is mapped, the integrity measurement tool generates a unique digital value of that file; on request, the tool can produce a list of all programs run and their corresponding digital values; this list can then be examined to ensure that no unknown vulnerable applications have been run

31
Q

What makes SecDevOps an appealing methodology for creating and deploying secure applications?

A

elasticity - flexibility or resilience in code development

scalability - expandability from projects to very large products

automation - the cornerstone of SecDevOps

SecDevOps is often promoted in terms of its elasticity and scalability; however, the cornerstone of SecDevOps is automation; with standard application development, security teams often find themselves stuck with time-consuming manual tasks; SecDevOps applies what are called automated courses of action to develop the code as quickly and securely as possible

32
Q

What are the different parts of automated courses of action when developing secure applications?

A

continuous monitoring - examining the processes in real-time instead of at the end of a stage

continuous validation - ongoing approvals of the code

continuous integration - ensuring that security features are incorporated at each stage

continuous delivery - moving the code to each stage as it is completed

continuous deployment - continual code implementation

33
Q

What are some secure Software Development Life Cycle resources available?

A

1) Open Web Application Security Project (OWASP) - a group that monitors web attacks; materials available include: maturity models, development guides, testing guides, code review guides, and application security verification standards
2) SysAdmin, Audit, Network and Security Institute (SANS) - a company that specializes in cybersecurity and secure web application development; materials available include: white papers, research reports and best practices guidelines
3) Center for Internet Security (CIS) - not-for-profit organization that compiles CIS security controls; materials include: training, assessment tools, and consulting services

34
Q

What are some secure coding techniques?

A

1) proper input validation - accounting for errors such as incorrect user input (entering a file name for a file that does not exist); can prevent cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks
2) normalization - organizing data within a database to minimize redundancy; reduces footprint of data exposed to attackers
3) stored procedure - a subroutine available to applications that access a relational database; eliminates the need to write a subroutine that could have vulnerabilities
4) code signing - digitally signing applications; confirms the software author and guarantees the code has not been altered or corrupted
5) obfuscation/camouflaged code - writing an application in such a way that its inner functionality is difficult for an outsider to understand; helps prevent an attacker from understanding a program’s function
6) dead code - a section of application that executes but performs no meaningful function; provides an unnecessary attack vector for attackers
7) server-side execution and validation or client-side execution and validation - input validation is generally performed on the server, but it can also be performed on the client by the user’s web browser; this adds another validation step to the process
8) code reuse of third-party libraries and SDKs - code reuse is using existing software in a new application; a software development kit (SDK) is a set of tools used to write applications; existing libraries that have already been vetted as secure eliminate the need to write new code

35
Q

What are some different ways to secure and protect endpoints and give examples.

A

antivirus - software that can examine a computer for file-based virus infections as well as monitor computer activity and scan new documents that might contain a virus; many AV products use signature-based monitoring, also called static analysis; the different scanning techniques used are string scanning (attempting to match known virus patterns against potentially infected files), wildcard scanning (a wildcard is allowed to skip bytes or ranges of bytes instead of looking for an exact match) and mismatch scanning (mismatches allow a set number of bytes in the string to be any value regardless of their position in the string); another and newer approach to AV is heuristic monitoring (called dynamic analysis), which uses a variety of techniques to spot the characteristics of a virus instead of attempting to make matches

antimalware - is a suite of software intended to provide protections against multiple types of malware including ransomware, cryptomalware, spyware and trojans

host intrusion detection system (HIDS) - a software-based application that runs on an endpoint computer and can detect that an attack has occurred; the primary function of a HIDS is automated detection, which saves someone from sorting through log files to find an indication of unusual behavior; a HIDS can quickly detect evidence that an intrusion has occurred

host intrusion prevention system (HIPS) - monitors endpoint activity to immediately block a malicious attack by following specific rules; activity that a HIPS watches for includes an event that attempts to control other programs, terminate programs, and install devices and drivers; one of the drawbacks to a HIPS is a high number of false positives can be generated; both legitimate and malicious programs often access the same resource, and each can cause a HIPS to then block the action

endpoint detection and response (EDR) - tools that have functionality similar to HIDS (monitoring endpoint events) and to HIPS (taking immediate action); however, EDR tools are considered more robust than HIDS and HIPS; for example, an EDR can aggregate data from multiple endpoint computers into a centralized database so that security personnel can further investigate and gain a better picture of events occurring across multiple endpoints instead of just on a single endpoint

next generation firewall (NGFW) - a firewall that has additional functionality beyond a traditional firewall such as the ability to filter packets based on applications

host-based firewall - a software firewall that runs as a program on the local device to block or filter traffic coming into and out of the computer

data loss prevention (DLP) - a system of security tools used to recognize and identify data that is critical to the organization and ensure it is protected

36
Q

What tools do today’s computers use to secure and confirm boot integrity?

A

today’s computers use an improved firmware interface known as Unified Extensible Firmware Interface (UEFI) to replace BIOS; UEFI provides several enhancements over BIOS; these include the ability to access hard drives that are larger than two terabytes (TB), support for an unlimited number of primary hard drive partitions, faster booting and support for networking functionality in the UEFI firmware itself to aid in remote troubleshooting

boot integrity involves validating that each element used in each step of the boot process has not been modified; this process begins with the validation of the first element (boot software); once the first element has been validated, it can then validate the next item (such as software drivers) and so on until control has been handed over to the OS; this leads to the hardware root of trust; hardware is the strongest starting point because hardware is more difficult to corrupt than software; because the chain of trust begins with hardware verification, each subsequent check relies upon it (called boot attestation)

37
Q

What are the different boot security modes?

A

Legacy BIOS Boot - uses BIOS for boot functions; compatible with older systems; has no security features

UEFI Native Mode - uses UEFI standards for boot functions; security boot modules can be patched or updated as needed; no validation or protection of the boot process

Secure Boot - each firmware and software executable at boot time must be verified as having prior approval; all system firmware, bootloaders, kernels and other boot-time executables are validated; custom hardware, firmware and software may not pass without first being submitted to system vendors like Microsoft

Trusted Boot - the Windows OS checks the integrity of every component of the boot process before loading it; takes over where Secure Boot leaves off by validating the Windows 10 software before loading it; requires using a Microsoft OS

Measured Boot - computer’s firmware logs the boot process so the OS can send it to a trusted server to assess the security; provides the highest degree of security; could slow down the boot process

38
Q

What are some confinement tools used to “confine” or restrict malware?

A

application whitelisting and blacklisting

whitelisting - is approving in advance only specific applications to run on the OS so that any item not approved is either restricted or denied (default-deny)

blacklisting - is creating a list of unapproved software so that any item not on the list of blacklisted applications can run (default-allow)

39
Q

What is static code analysis and dynamic code analysis?

A

static code analysis - the analysis and testing of software from a security perspective before the source code is even compiled; automated static code analysis may also be accompanied by manual peer review; in these reviews, software engineers and developers are paired together or grouped in larger teams to laboriously examine each line of code, looking for vulnerabilities

dynamic code analysis - security testing that is performed after the source code is compiled and when all components are integrated and running; this testing uses a tool or suite of pre-built attacks or testing tools that specifically monitor the application’s behavior for memory corruption, user privilege issues and other critical security problems; some of the most common dynamic code analysis tools use a process called fuzzing which provides random input to a program in an attempt to trigger exceptions such as memory corruption, program crashes, or security breaches; an advantage of fuzzing is that it produces a record of what input triggered the exception so it can be reproduced to track down the problem within the code

40
Q

What are some ways to harden endpoints after securing the boot process and confirming the endpoints have protection?

A

patch management - one of the most important steps in securing an endpoint computer is promptly installing patches; a growing number of application and utility software developers distribute patches known as 3rd-party updates; the best way to secure an endpoint computer is to have the computer automatically install patches as they become available; this is known as auto-update

disabling unnecessary open ports and services - turning off any service that is not being used; ports are used by TCP and UDP protocols in networking and leaving ports open that are not being utilized creates a vector for an attacker to exploit; ex) users should always turn off TCP port 23 (Telnet)

for a Microsoft Windows endpoint computer, it is also important to secure the registry, which is a database that contains low-level settings used by the Windows OS and for those applications that use the registry; to mitigate this risk, the Windows 10 Tamper Protection security feature prevents Windows security settings from being changed or disabled by a threat actor who modifies the registry; instead, the security settings can only be accessed directly through the Windows 10 user interface or through enterprise management software