Module 4: Endpoint & Application Development Security

Question 1

Define Key Risk Indicator (KRI)

Answer 1

A metric of the upper & lower bounds of specific indicators of normal network activity

Question 2

Define Indicator of Compromise (IOC)

Answer 2

Shows that a malicious activity is occurring but it still in the early stages of an attack

Question 3

Define Predictive Analysis

Answer 3

Discovering an attack before it occurs

Question 4

What do Key Risk Indicators (KRIs) include?

Answer 4

1) Total network logs per second
2) Number of failed remote logins
3) Network bandwidth
4) Outbound email traffic

Question 5

What does Indicator of Compromise (IOC) show?

Answer 5

That a malicious activity is occurring but is still in the early stages of an attack

Aids in predicitve anaysis

Question 6

Define Open Source.

Answer 6

Refers to anything that could be freely used w/o restriction, such as open source film or open source curriculum

Question 7

What is Open Source Intelligence (OSINT)?

Answer 7

Open source threat intelligence information that is freely available

Question 8

What are 4 services that CISCP provides?

Answer 8

1) Analyst-to-analyst technical exchanges
2) CISCP analytical products
3) Cross industry orchestration
4) Digital malware analysis

Question 9

What are analyst-to-analysst technical exchanges?

Answer 9

A CISCP service:

Partners can share & receive information on threat actor tactics, techniques, & procedures (TTPs) & emerging trends

Question 10

What are CISCP analytical products?

Answer 10

A CISCP service:

A portal can be accessed through which partners can receive analysis of products & threats

Question 11

What is cross industry orchestration?

Answer 11

A CISCP service:

Partners can share lessons learned & their expertise w/ peers across common sectors

Question 12

What is digital malware analysis?

Answer 12

A CISCP service:

Suspected malware can be submitted to be analyzed & then used to generate malware analysis reports to mitigate threats & attack vectors

Question 13

What are 2 concerns around public information sharing centers?

Answer 13

1) Privacy
2) Speed

Question 14

What does Automated Indicator Sharing (AIS) do?

Answer 14

Enables the exchange of cyberthreat indicators b/t parties through computer-to-computer communication, not email communication

Question 15

What are 4 CISCP privacy protections?

Answer 15

1) Cybersecurity Information Sharing Act (CISA)
2) Freedom of Information Act (FOIA)
3) Traffic-Light Protocol (TPL)
4) Protected Critical Infrastructure Information Act (PCII)

Question 16

What is Cybersecurity Information Sharing Act (CISA)?

Answer 16

Federal law passed in 2015 that provides authority for cybersecurity information sharing b/w the private sector, state, & local governments, & the federal government

Question 17

What is Freedom of Information Act (FOIA)?

Answer 17

Passed in 1967 & provides the public the right to request access to records from any federal agency

Question 18

What is Traffic-Light Protocol (TLP)?

Answer 18

Set of designations used to ensure that sensitive information is shared only w/ the appropriate audience

Question 19

What is Protected Critical Infrastructure Informatoin Act (PCII)?

Answer 19

2002 act that protects private sector infrastructure information that is voluntarily shared w/ the government for the purposes of homeland security

Question 20

What is Structured Threat Information Expression (STIX)?

Answer 20

A language & format used to exchange cyberthreat intelligence

Question 21

What is Trusted Automated Exchange of Intelligence Information (TAXII)?

Answer 21

An application protocol for exchanging cyberthreat intelligence over HTTPS

Question 22

Define Closed Source?

Answer 22

Opposite of open source; proprietary, meaning it is owned by an entity that has an exclusive right to it

Question 23

What are private information sharing centers?

Answer 23

Organizations participating in closed source information that restrict both access to data & participation

Question 24

What are 4 sources of threat intelligence?

Answer 24

1) Vulnerability database
2) Threat maps
3) File and code repositories
4) Dark web

Question 25

What are the 3 tasks that securing endpoint computers primarily involves?

Answer 25

1) Confirming that the computer has started securely
2) Protecting the computer from attacks
3) Hardening it for even greater protection

Question 26

What is BIOS?

Answer 26

A chip integrated into the computer’s motherboard; when computer was powered on, the BIOS software would “awaken” & perform a legacy BIOS boot

Question 27

What is Unified Extensible Firmware Interface (UEFI)?

Answer 27

An improved firmware interface was developed to replace the BIOS

Question 28

What are the 4 enhancements of UEFI over BIOS?

Answer 28

1) Ability to access hard drives that are larger than 2 TB
2) Support for an unlimited number of primary hard drive partitions
3) Faster booting
4) Support for networking functionality in the UEFI

Question 29

What is the chain of trust?

Answer 29

Each element relies on the confirmation of the previous element to know that the entire process is secure

Question 30

What is the Hardware Root of Trust?

Answer 30

The strongest starting point in the chain of trust is hardware, which cannot be modified like software

Question 31

What are the 5 Boot Security Modes?

Answer 31

1) Legacy BIOS Boot
2) UEFI Native Mode
3) Secure Boot
4) Trusted Boot
5) Measured Boot

Question 32

Description/Advantages/Disadvantages of Legacy BIOS Boot.

Answer 32

Description:
Uses BIOS for boot functions

Advantages:
Compatible w/ older systems

Disadvantages:
No security features

Question 33

Description/Advantages/Disadvantages of UEFI Native Mode.

Answer 33

Description:
Uses UEFI standards for boot functions

Advantages:
Security boot modules can be patched or updated as needed

Disadvantages:
No validation or protection of the boot process

Question 34

Description/Advantages/Disadvantages of Secure Boot.

Answer 34

Description:
Each firmware & software executable at boot time must be verified as having prior approval

Advantages:
All system firmware, bootloaders, kernels, & other boot-time executables are validated

Disadvantages:
Custom hardware, firmware, & software may not pass w/o first being submitted to system vendors like Microsoft

Question 35

Description/Advantages/Disadvantages of Trusted Boot.

Answer 35

Description:
Windows OS checks the integrity of every component of boot process before loading it

Advantages:
Takes over where Secure Boot leaves off by validating the Windows 10 software before loading it

Disadvantages:
Requires using Microsoft OS

Question 36

Description/Advantages/Disadvantages of Measured Boot.

Answer 36

Description:
Computer’s firmware logs the boot process so the OS can send it to a trusted server to assess the security

Advantages:
Provides highest degree of security

Disadvantages:
Could slow down the boot process

Question 37

What are 4 ways endpoints are protected?

Answer 37

1) Antivirus Software
2) Antimalware
3) Web Browser Protections
4) Monitoring & Response Systems

Question 38

How does Antivirus Software protect endpoints?

Answer 38

• Can examine a computer for file-based virus infections & monitor computer activity (such as scanning new documents that might contain a virus)
• Log files created by AV products can provide beneficial info regarding attacks
• Many AV products use signature-based monitoring, called static analysis
• A newer approach to AV is heuristic monitoring, called dynamic analysis

Question 39

How does Antimalware protect endpoints?

Answer 39

• Suite of software intended to provide protections against multiple types of malware
• Antimalware spam protection is often performed using a technique called Bayesian filtering
   Filters by analyzing every word in each email & determines how frequently a word occurs in a spam pile versus a nonspam pile
• Another component of an antimalware suite is antispyware, which helps prevent computers from becoming infected by spyware
   Uses pop-up blocker, which allow the user to select the level of blocking, ranging from blocking all pop-ups to allowing specific pop-ups

Question 40

How Do Web Browsers protect endpoints (2)?

Answer 40

1) Secure Cookies
2) HTTP Headers

• Secure cookies are sent to a web server w/ an encrypted request over the secure HTTPS protocol
• This prevents an unauthorized person from intercepting a cookie that is being transmitted between the browser & the web server
• HTTP Response Header are headers that tell the browser how to behave while communicating w/ the website

Question 41

What is stateless protocol vs stateful protocol?

Answer 41

Stateless - “Forgets” what occurs when the session is interrupted or ends

Stateful - “Remembers” everything that occurs b/t the browser client & the server

Question 42

What are 3 ways the stateless protocol can mimic stateful protocol?

Answer 42

1) Using a URL extension so the state is sent as part of the URL as a response

2) Using “hidden from fields” in which the state is sent to the client as part of the response & returned to the server as a part of a form’s hidden data

3) Storing user-specific information in a file on the user’s local computer & then retrieve is later in a file called a cookie

Question 43

What are the 3 types of Monitoring & Response Systems?

Answer 43

1) Host Intrusion Detection Systems (HIDS)
2) Host Intrusion Prevention Systems (HIPS)
3) Endpoint Detection & Response (EDR)

Question 44

What is Host Intrusion Detection Systems (HIDS)?

Answer 44

Software-based application than runs on an endpoint computer & can detect an attack has occurred

Question 45

What is Host Intrusion Prevention Systems (HIPS)?

Answer 45

Monitor endpoint activity to immediately block a malicious attack by following specific rules

Question 46

What is Endpoint Detection & Response (EDR)?

Answer 46

Tools are considered more robust than HIDS & HIPs:

• An EDR can aggregate data from multiple endpoint computers to a centralized database
• EDR tools can perform more sophisticated analytics that identify patterns & detect anomalies

Question 47

What are the 4 types of HTTP Response Headers?

Answer 47

1) HTTP Strict Transport Security (HSTS)
2) Content Security Policy (CSP)
3) Cross Site Scripting Protection (X-XSS)
4) X-Frame-Options

Question 48

Description/Protection of HTTP Strict Transport Security (HSTS).

Answer 48

Description:
Forces browser to communicate over more secure HTTPS instead of HTTP

Protection:
Encrypts transmissions to prevent unauthorized user from intercepting

Question 49

Description/Protection of Content Security Policy (CSP).

Answer 49

Description:
Restricts the resources a user is allowed to load within the website

Protection:
Protects against injection attacks

Question 50

Description/Protection of Cross Site Scripting Protection (X-XSS).

Answer 50

Description:
Prohibits a page from loading if it detects a cross-site scripting attack

Protection:
Prevents XSS attacks

Question 51

Description/Protection of X-Frame-Options.

Answer 51

Description:
Prevents attackers from “overlaying” their content on the webpage

Protection:
Foils a threat actor’s attempt to trick a user into providing personal information

Question 52

What are 3 ways HIDs typically monitor installed agents/types of endpoint computer functions?

Answer 52

1) System calls
2) File system access
3) Host input/output

Question 53

What does Hardening Endpoints involve (2)?

Answer 53

1) Patch management
2) OS Protections

Question 54

Patch management involves what 2 types of patch management tools to administer patches?

Answer 54

1) Patch distribution
2) Patch reception

Question 55

What are 3 advantages of automated patch update service?

Answer 55

1) Downloading patches from a local server instead of using the vendor’s online update service can save bandwidth & time because each computer does not have to connect to an external server

2) Administrators can approve or decline updates for client systems, force updates to install by a specific date, & obtain reports on what updates each computer needs

3) Administrators can approve updates for “detection” only; this allows them to see which computers require the update w/o installing it

Question 56

What 3 options does patch reception in Microsoft Windows 10 include?

Answer 56

1) Forced updates
2) No selective updates
3) More efficient distribution

Question 57

What are 3 security configurations a typical OS should include?

Answer 57

1) Disabling unncessary ports & services
2) Disabling default accounts/passwords
3) Employing least functionality

Question 58

What are 6 OS types?

Answer 58

1) Network OS
2) Server OS
3) Workstation OS
4) Appliance OS
5) Kiosk OS
6) Mobile OS

Question 59

Uses & Example of Network OS.

Answer 59

Uses:
Software that runs on a network device like a firewall, router, or switch

Examples:
Cisco Internetwork Operating System (IOS), Juniper JUNOS, MikroTik RouterOS

Question 60

Uses & Example of Server OS.

Answer 60

Uses:
OS that runs on a network server to provide resources to network users

Examples:
Microsoft Windows Server, Apple macOS Server, Red Hat Linux

Question 61

Uses & Example of Workstation OS.

Answer 61

Uses:
Software that manages hardware & software on a client computer

Examples:
Microsoft Windows, Apple macOS, Ubuntu Linux

Question 62

Uses & Example of Appliance OS.

Answer 62

Uses:
OS in firmware that is designed to manage a specific device like a digital video recorder or video game console

Examples:
Linpus Linux

Question 63

Uses & Example of Kiosk OS.

Answer 63

Uses:
System & user interface software for an interactive kiosk

Examples:
Microsoft Windows, Google Chrome OS, Apple iOS, Instant WebKiosk, KioWare (Android)

Question 64

Uses & Example of Mobile OS.

Answer 64

Uses:
OS for mobile phones, smartphones, tablets, & other handheld devices

Examples:
Google Android, Apple iOS, Apple iPadOS

Question 65

Confinement Tools - 3 tools that can be used to restrict malware.

Answer 65

1) Application whitelisting/blacklisting
2) Sandbox
3) Quarantine

Question 66

What are 3 attacks based on application vulnerabilities?

Answer 66

1) Executable files attack
2) System tampering
3) Process spawning control

Question 67

Description/Defense of Executable files attack.

Answer 67

Description:
Trick the vulnerable application into modifying or creating executable files on the system

Defense:
Prevent the application from creating or modifying executable files for its proper function

Question 68

Description/Defense of System tampering.

Answer 68

Description:
Uses the vulnerable application to modify special sensitive areas of the OS (Microsoft Windows registry keys, system startup files, etc.) & take advantage of those modifications

Defense:
Do not allow applications to modify special areas of the OS

Question 69

Description/Defense of Process spawning control.

Answer 69

Description:
Trick the vulnerable application into spawning executable files on the system

Defense:
Take away the process spawning ability from the application

Question 70

What does a directory traversal attack take advantage of?

Answer 70

Vulnerability in the web application program or the web server software so that a user can move from the root directory to other restricted directories

Question 71

What is a command injection?

Answer 71

The ability to move could allow an unauthorized user to view confidential files or enter commands to execute on a service

Question 72

What are poor memory management vulnerabilities?

Answer 72

Other dangerous weaknesses in an application can create vulnerabilities in computer memory or buffer areas that can be easily exploited

Question 73

What results in poor memory management vulnerabilities (4)?

Answer 73

1) Buffer overflow
2) Integer overflow
3) Pointer/object dereference
4) DLL injection attacks

Question 74

What are 2 levels of application development concepts?

Answer 74

1) General concepts that apply to all application development
2) General concepts that apply to rigorous security-based approach

Question 75

What are the 4 stages an application requires completing during development?

Answer 75

1) Development
2) Testing
3) Staging
4) Production

Question 76

What happens in the Development Stage of an application?

Answer 76

The requirements for the application are established, & it is confirmed that the application meets the intended business needs before the actual coding begins

Question 77

What happens in the Testing Stage of an application?

Answer 77

Thoroughly tests the application for any errors that could result in a security vulnerability

Question 78

What happens in the Staging Stage of an application?

Answer 78

Tests to verify that the code functions as intended

Question 79

What happens in the Production Stage of an application?

Answer 79

The application is released to be used in its actual setting

Question 80

What is Software Diversity?

Answer 80

A software development technique in which 2 or more functionally identical variants of a program are developed from the same specification but by different programmers or programming teams

Question 81

What are the 3 intents that Software Diversity provide?

Answer 81

1) Error detection
2) Increased reliability
3) Additional documentation

Question 82

What is Provisioning?

Answer 82

The enterprise-wide configuration, deployment, & management of multiple types of IT system resources

Question 83

What is Deprovisioning?

Answer 83

Application development is removing a resource that is no longer needed

Question 84

What is Integrity Measurement?

Answer 84

An “attestation mechanism” designed to be able to convince a remote party that an application is running only a set of known & approved executables

Question 85

What is an application development lifecycle model?

Answer 85

A conceptual model that describes the stages involved in creating an application & are usually one of the following 2:

1) Waterfall model
2) Agile model

Question 86

What is the design of the waterfall model?

Answer 86

Uses a sequential design process; as each stage is fully completed, the developers move on to the next stage

Question 87

What is the design of the agile model?

Answer 87

Designed to overcome the disadvantages of the waterfall model; takes an incremental approach

Question 88

What is SecDevOps?

Answer 88

The process of integrating secure development best practices & methodologies into application software development & deployment processes using the agile model

Question 89

What terms is SecDevOps often promoted to?

Answer 89

1) Elasticity
2) Scalability

Question 90

What is the cornerstone of SecDevOps?

Answer 90

Automation

Question 91

What 5 things does automation enable r/t SecDevOps?

Answer 91

1) Continuous monitoring
2) Continuous validation
3) Continous integration
4) Continuous delivery
5) Continuous deployment

Question 92

What is Continuous Monitoring?

Answer 92

Examining processes in real time instead of at the end of a stage

Question 93

What is Continuous Validation?

Answer 93

Ongoing approvals of the code

Question 94

What s Continuous Integration?

Answer 94

Ensuring that security features are incorporated at each stage

Question 95

What is Continuous Delivery?

Answer 95

Moving the code to each stage as it is completed

Question 96

What is Continuous Deployment?

Answer 96

Continuous code implementation

Question 97

What are immutable systems?

Answer 97

Once a value or configuration is employed as a part of an application, it is not modified; if changes are necessary, a new system must be created

Question 98

What is infrastructure as code?

Answer 98

Managing a hardware & software infrastructure using the same principles as developing computer code

Question 99

What is baselining?

Answer 99

Creating a starting point for comparison purposes in order to apply targets & goals to measure success

Question 100

What coding techniques are used to create secure applications & limit data exposure or disclosing sensitive data to attackers (2)?

Answer 100

1) Determining how encryption will be implemented
2) Ensuring that memory management is handled correctly so as not to introduce memory vulnerabilities

Question 101

What are 3 secure software development lifecycle sources?

Answer 101

1) OWASP (Open Web Application Security Project)
2) SANS (SysAdmin, Audit, Network & Security Institute)
3) CIS (Center of Internet Security)

Question 102

Description/Materials Available of OWASP.

Answer 102

Description:
A group that monitors web attacks

Materials Available:
Maturity models, development guides, testing guides, code review guides, & application security verification standards

Question 103

Description/Materials Available of SANS (SysAdmin, Audit, Network, & Security Institute).

Answer 103

Description:
A company that specializes in cybersecurity & secure web application development

Materials Available:
White papers, research reports, & best practices guidelines

Question 104

Description/Materials Available of Center for Internet Security (CIS).

Answer 104

Description:
Not-for-profit organization that compiles CIS security controls

Materials Available:
Training, assessment tools, & consulting services

Question 105

What is one of the most important steps in SecDevOps?

Answer 105

Testing!

Question 106

When should testing be done r/t SecDevOps?

Answer 106

During the implementation & verification phases of a software development process

Question 107

What 2 codes analysis are involved with testing SecDevOps?

Answer 107

1) Static Code Analysis
2) Dynamic Code Analysis

Question 108

What is static code analysis?

Answer 108

Tests ran before the source code is even compiled & may be accompanied by manual peer reviews

Question 109

What is dynamic code analysis?

Answer 109

Security testing performed after the source code is complied

Question 110

What is Fuzzing?

Answer 110

Used by dynamic code analysis tools & provides random input to a program in an attempt to trigger exceptions

Question 111

What are the 8 secure coding techniques?

Answer 111

1) Proper input validation
2) Normalization
3) Stored procedure
4) Code signing
5) Obfuscation/camouflaged code
6) Dead code
7) Server-side execution & validation or Client-side execution & validation
8) Code reuse of third-party libraries & SDKs

Question 112

Description/Security Advantage of Proper Input Validation.

Answer 112

Description:
Accounting for errors such as incorrect user input (entering a file name for a file that does not exist)

Security Advantage:
Can prevent Cross-site scription (XSS) and Cross-site forgery (CSRF)

Question 113

Description/Security Advantage of Normalization.

Answer 113

Description:
Organizing data within a database to minimize redundancy

Security Advantage:
Reduces footprint of data exposed to attackers

Question 114

Description/Security Advantage of Stored Procedure.

Answer 114

Description:
A subroutine available to applications that access a relational database

Security Advantage:
Eliminates the need to write a subroutine that could have vulnerabilities

Question 115

Description/Security Advantage of Code Signing.

Answer 115

Description:
Digitally signing applications

Security Advantage:
Confirms the software author and guarantees the code has not been altered or corrupted

Question 116

Description/Security Advantage of Obfuscation/Camouflaged Code.

Answer 116

Description:
Writing an application in such a way that its inner functionality is difficult for an outsider to understand

Security Advantage:
Helps prevent an attacker from understanding a program’s function

Question 117

Description/Security Advantage of Dead Code.

Answer 117

Description:
A section of an application that executes but performs no meaningful function

Security Advantage:
Provides an unnecessary attack vector for attackers

Question 118

Description/Security Advantage of Server-Side Execution & Validation or Client-Side Execution & Validation.

Answer 118

Description:
Input validation generally uses the server to perform validation but can also have the client perform validation by the user’s web browser

Security Advantage:
Adds another validation to the process

Question 119

Description/Security Advantage of Code Reuse of Third-Party Libraries and SDKs.

Answer 119

Description:
Code reuse is using existing software in a new application; a software development kit (SDK) is a set of tools used to write applications

Security Advantage:
Existing libraries that have already been vetted as secure eliminate the need to write new code

Question 120

What does Windows 10 Tamper Protection do?

Answer 120

Windows 10 Tamper Protection security feature prevents Windows security settings from being changed or disabled by a threat actor who modifies the registry