Module 4: Endpoint & Application Development Security Flashcards
Define Key Risk Indicator (KRI)
A metric of the upper & lower bounds of specific indicators of normal network activity
Define Indicator of Compromise (IOC)
Shows that a malicious activity is occurring but is still in the early stages of an attack
Define Predictive Analysis
Discovering an attack before it occurs
What do Key Risk Indicators (KRIs) include?
1) Total network logs per second
2) Number of failed remote logins
3) Network bandwidth
4) Outbound email traffic
What does Indicator of Compromise (IOC) show?
That a malicious activity is occurring but is still in the early stages of an attack
Aids in predictive analysis
Define Open Source.
Refers to anything that could be freely used w/o restriction, such as open source film or open source curriculum
What is Open Source Intelligence (OSINT)?
Open source threat intelligence information that is freely available
What are 4 services that CISCP provides?
1) Analyst-to-analyst technical exchanges
2) CISCP analytical products
3) Cross industry orchestration
4) Digital malware analysis
What are analyst-to-analyst technical exchanges?
A CISCP service:
Partners can share & receive information on threat actor tactics, techniques, & procedures (TTPs) & emerging trends
What are CISCP analytical products?
A CISCP service:
A portal can be accessed through which partners can receive analysis of products & threats
What is cross industry orchestration?
A CISCP service:
Partners can share lessons learned & their expertise w/ peers across common sectors
What is digital malware analysis?
A CISCP service:
Suspected malware can be submitted to be analyzed & then used to generate malware analysis reports to mitigate threats & attack vectors
What are 2 concerns around public information sharing centers?
1) Privacy
2) Speed
What does Automated Indicator Sharing (AIS) do?
Enables the exchange of cyberthreat indicators b/t parties through computer-to-computer communication, not email communication
What are 4 CISCP privacy protections?
1) Cybersecurity Information Sharing Act (CISA)
2) Freedom of Information Act (FOIA)
3) Traffic-Light Protocol (TLP)
4) Protected Critical Infrastructure Information Act (PCII)
What is Cybersecurity Information Sharing Act (CISA)?
Federal law passed in 2015 that provides authority for cybersecurity information sharing b/w the private sector, state, & local governments, & the federal government
What is Freedom of Information Act (FOIA)?
Passed in 1967 & provides the public the right to request access to records from any federal agency
What is Traffic-Light Protocol (TLP)?
Set of designations used to ensure that sensitive information is shared only w/ the appropriate audience
What is Protected Critical Infrastructure Information Act (PCII)?
2002 act that protects private sector infrastructure information that is voluntarily shared w/ the government for the purposes of homeland security
What is Structured Threat Information Expression (STIX)?
A language & format used to exchange cyberthreat intelligence
What is Trusted Automated Exchange of Intelligence Information (TAXII)?
An application protocol for exchanging cyberthreat intelligence over HTTPS
Define Closed Source?
Opposite of open source; proprietary, meaning it is owned by an entity that has an exclusive right to it
What are private information sharing centers?
Organizations participating in closed source information that restrict both access to data & participation
What are 4 sources of threat intelligence?
1) Vulnerability database
2) Threat maps
3) File and code repositories
4) Dark web
What are the 3 tasks that securing endpoint computers primarily involves?
1) Confirming that the computer has started securely
2) Protecting the computer from attacks
3) Hardening it for even greater protection
What is BIOS?
A chip integrated into the computer’s motherboard; when the computer was powered on, the BIOS software would “awaken” & perform a legacy BIOS boot
What is Unified Extensible Firmware Interface (UEFI)?
An improved firmware interface developed to replace the BIOS
What are the 4 enhancements of UEFI over BIOS?
1) Ability to access hard drives that are larger than 2 TB
2) Support for an unlimited number of primary hard drive partitions
3) Faster booting
4) Support for networking functionality in the UEFI
What is the chain of trust?
Each element relies on the confirmation of the previous element to know that the entire process is secure
What is the Hardware Root of Trust?
The strongest starting point in the chain of trust is hardware, which cannot be modified like software
What are the 5 Boot Security Modes?
1) Legacy BIOS Boot
2) UEFI Native Mode
3) Secure Boot
4) Trusted Boot
5) Measured Boot
Description/Advantages/Disadvantages of Legacy BIOS Boot.
Description:
Uses BIOS for boot functions
Advantages:
Compatible w/ older systems
Disadvantages:
No security features
Description/Advantages/Disadvantages of UEFI Native Mode.
Description:
Uses UEFI standards for boot functions
Advantages:
Security boot modules can be patched or updated as needed
Disadvantages:
No validation or protection of the boot process
Description/Advantages/Disadvantages of Secure Boot.
Description:
Each firmware & software executable at boot time must be verified as having prior approval
Advantages:
All system firmware, bootloaders, kernels, & other boot-time executables are validated
Disadvantages:
Custom hardware, firmware, & software may not pass w/o first being submitted to system vendors like Microsoft
Description/Advantages/Disadvantages of Trusted Boot.
Description:
Windows OS checks the integrity of every component of boot process before loading it
Advantages:
Takes over where Secure Boot leaves off by validating the Windows 10 software before loading it
Disadvantages:
Requires using Microsoft OS
Description/Advantages/Disadvantages of Measured Boot.
Description:
Computer’s firmware logs the boot process so the OS can send it to a trusted server to assess the security
Advantages:
Provides highest degree of security
Disadvantages:
Could slow down the boot process
What are 4 ways endpoints are protected?
1) Antivirus Software
2) Antimalware
3) Web Browser Protections
4) Monitoring & Response Systems
How does Antivirus Software protect endpoints?
- Can examine a computer for file-based virus infections & monitor computer activity (such as scanning new documents that might contain a virus)
- Log files created by AV products can provide beneficial info regarding attacks
- Many AV products use signature-based monitoring, called static analysis
- A newer approach to AV is heuristic monitoring, called dynamic analysis
How does Antimalware protect endpoints?
- Suite of software intended to provide protections against multiple types of malware
- Antimalware spam protection is often performed using a technique called Bayesian filtering
Filters by analyzing every word in each email & determines how frequently a word occurs in a spam pile versus a nonspam pile
- Another component of an antimalware suite is antispyware, which helps prevent computers from becoming infected by spyware
Uses a pop-up blocker, which allows the user to select the level of blocking, ranging from blocking all pop-ups to allowing specific pop-ups
How do web browsers protect endpoints (2)?
1) Secure Cookies
2) HTTP Headers
- Secure cookies are sent to a web server w/ an encrypted request over the secure HTTPS protocol
- This prevents an unauthorized person from intercepting a cookie that is being transmitted between the browser & the web server
- HTTP response headers are headers that tell the browser how to behave while communicating w/ the website
What is stateless protocol vs stateful protocol?
Stateless - “Forgets” what occurs when the session is interrupted or ends
Stateful - “Remembers” everything that occurs b/t the browser client & the server
What are 3 ways the stateless protocol can mimic stateful protocol?
1) Using a URL extension so the state is sent as part of the URL as a response
2) Using “hidden form fields” in which the state is sent to the client as part of the response & returned to the server as a part of a form’s hidden data
3) Storing user-specific information in a file on the user’s local computer & then retrieving it later from a file called a cookie
What are the 3 types of Monitoring & Response Systems?
1) Host Intrusion Detection Systems (HIDS)
2) Host Intrusion Prevention Systems (HIPS)
3) Endpoint Detection & Response (EDR)
What is Host Intrusion Detection Systems (HIDS)?
Software-based application that runs on an endpoint computer & can detect that an attack has occurred
What is Host Intrusion Prevention Systems (HIPS)?
Monitor endpoint activity to immediately block a malicious attack by following specific rules
What is Endpoint Detection & Response (EDR)?
Tools that are considered more robust than HIDS & HIPS:
- An EDR can aggregate data from multiple endpoint computers to a centralized database
- EDR tools can perform more sophisticated analytics that identify patterns & detect anomalies
What are the 4 types of HTTP Response Headers?
1) HTTP Strict Transport Security (HSTS)
2) Content Security Policy (CSP)
3) Cross Site Scripting Protection (X-XSS)
4) X-Frame-Options
Description/Protection of HTTP Strict Transport Security (HSTS).
Description:
Forces browser to communicate over more secure HTTPS instead of HTTP
Protection:
Encrypts transmissions to prevent unauthorized user from intercepting
Description/Protection of Content Security Policy (CSP).
Description:
Restricts the resources a user is allowed to load within the website
Protection:
Protects against injection attacks
Description/Protection of Cross Site Scripting Protection (X-XSS).
Description:
Prohibits a page from loading if it detects a cross-site scripting attack
Protection:
Prevents XSS attacks
Description/Protection of X-Frame-Options.
Description:
Prevents attackers from “overlaying” their content on the webpage
Protection:
Foils a threat actor’s attempt to trick a user into providing personal information
What are 3 types of endpoint computer functions that HIDS installed agents typically monitor?
1) System calls
2) File system access
3) Host input/output
What does Hardening Endpoints involve (2)?
1) Patch management
2) OS Protections
Patch management involves what 2 types of patch management tools to administer patches?
1) Patch distribution
2) Patch reception
What are 3 advantages of automated patch update service?
1) Downloading patches from a local server instead of using the vendor’s online update service can save bandwidth & time because each computer does not have to connect to an external server
2) Administrators can approve or decline updates for client systems, force updates to install by a specific date, & obtain reports on what updates each computer needs
3) Administrators can approve updates for “detection” only; this allows them to see which computers require the update w/o installing it
What 3 options does patch reception in Microsoft Windows 10 include?
1) Forced updates
2) No selective updates
3) More efficient distribution
What are 3 security configurations a typical OS should include?
1) Disabling unnecessary ports & services
2) Disabling default accounts/passwords
3) Employing least functionality
What are 6 OS types?
1) Network OS
2) Server OS
3) Workstation OS
4) Appliance OS
5) Kiosk OS
6) Mobile OS
Uses & Example of Network OS.
Uses:
Software that runs on a network device like a firewall, router, or switch
Examples:
Cisco Internetwork Operating System (IOS), Juniper JUNOS, MikroTik RouterOS
Uses & Example of Server OS.
Uses:
OS that runs on a network server to provide resources to network users
Examples:
Microsoft Windows Server, Apple macOS Server, Red Hat Linux
Uses & Example of Workstation OS.
Uses:
Software that manages hardware & software on a client computer
Examples:
Microsoft Windows, Apple macOS, Ubuntu Linux
Uses & Example of Appliance OS.
Uses:
OS in firmware that is designed to manage a specific device like a digital video recorder or video game console
Examples:
Linpus Linux
Uses & Example of Kiosk OS.
Uses:
System & user interface software for an interactive kiosk
Examples:
Microsoft Windows, Google Chrome OS, Apple iOS, Instant WebKiosk, KioWare (Android)
Uses & Example of Mobile OS.
Uses:
OS for mobile phones, smartphones, tablets, & other handheld devices
Examples:
Google Android, Apple iOS, Apple iPadOS
Confinement Tools - 3 tools that can be used to restrict malware.
1) Application whitelisting/blacklisting
2) Sandbox
3) Quarantine
What are 3 attacks based on application vulnerabilities?
1) Executable files attack
2) System tampering
3) Process spawning control
Description/Defense of Executable files attack.
Description:
Trick the vulnerable application into modifying or creating executable files on the system
Defense:
Prevent the application from creating or modifying executable files for its proper function
Description/Defense of System tampering.
Description:
Uses the vulnerable application to modify special sensitive areas of the OS (Microsoft Windows registry keys, system startup files, etc.) & take advantage of those modifications
Defense:
Do not allow applications to modify special areas of the OS
Description/Defense of Process spawning control.
Description:
Trick the vulnerable application into spawning executable files on the system
Defense:
Take away the process spawning ability from the application
What does a directory traversal attack take advantage of?
Vulnerability in the web application program or the web server software so that a user can move from the root directory to other restricted directories
What is a command injection?
The ability to move could allow an unauthorized user to view confidential files or enter commands to execute on a service
What are poor memory management vulnerabilities?
Other dangerous weaknesses in an application can create vulnerabilities in computer memory or buffer areas that can be easily exploited
What results in poor memory management vulnerabilities (4)?
1) Buffer overflow
2) Integer overflow
3) Pointer/object dereference
4) DLL injection attacks
What are 2 levels of application development concepts?
1) General concepts that apply to all application development
2) General concepts that apply to a rigorous security-based approach
What are the 4 stages an application must complete during development?
1) Development
2) Testing
3) Staging
4) Production
What happens in the Development Stage of an application?
The requirements for the application are established, & it is confirmed that the application meets the intended business needs before the actual coding begins
What happens in the Testing Stage of an application?
Thoroughly tests the application for any errors that could result in a security vulnerability
What happens in the Staging Stage of an application?
Tests to verify that the code functions as intended
What happens in the Production Stage of an application?
The application is released to be used in its actual setting
What is Software Diversity?
A software development technique in which 2 or more functionally identical variants of a program are developed from the same specification but by different programmers or programming teams
What are the 3 intents that Software Diversity provides?
1) Error detection
2) Increased reliability
3) Additional documentation
What is Provisioning?
The enterprise-wide configuration, deployment, & management of multiple types of IT system resources
What is Deprovisioning?
In application development, removing a resource that is no longer needed
What is Integrity Measurement?
An “attestation mechanism” designed to be able to convince a remote party that an application is running only a set of known & approved executables
What is an application development lifecycle model?
A conceptual model that describes the stages involved in creating an application & is usually one of the following 2:
1) Waterfall model
2) Agile model
What is the design of the waterfall model?
Uses a sequential design process; as each stage is fully completed, the developers move on to the next stage
What is the design of the agile model?
Designed to overcome the disadvantages of the waterfall model; takes an incremental approach
What is SecDevOps?
The process of integrating secure development best practices & methodologies into application software development & deployment processes using the agile model
SecDevOps is often promoted in terms of what 2 qualities?
1) Elasticity
2) Scalability
What is the cornerstone of SecDevOps?
Automation
What 5 things does automation enable r/t SecDevOps?
1) Continuous monitoring
2) Continuous validation
3) Continuous integration
4) Continuous delivery
5) Continuous deployment
What is Continuous Monitoring?
Examining processes in real time instead of at the end of a stage
What is Continuous Validation?
Ongoing approvals of the code
What is Continuous Integration?
Ensuring that security features are incorporated at each stage
What is Continuous Delivery?
Moving the code to each stage as it is completed
What is Continuous Deployment?
Continuous code implementation
What are immutable systems?
Once a value or configuration is employed as a part of an application, it is not modified; if changes are necessary, a new system must be created
What is infrastructure as code?
Managing a hardware & software infrastructure using the same principles as developing computer code
What is baselining?
Creating a starting point for comparison purposes in order to apply targets & goals to measure success
What coding techniques are used to create secure applications & limit data exposure or disclosing sensitive data to attackers (2)?
1) Determining how encryption will be implemented
2) Ensuring that memory management is handled correctly so as not to introduce memory vulnerabilities
What are 3 secure software development lifecycle sources?
1) OWASP (Open Web Application Security Project)
2) SANS (SysAdmin, Audit, Network & Security Institute)
3) CIS (Center for Internet Security)
Description/Materials Available of OWASP.
Description:
A group that monitors web attacks
Materials Available:
Maturity models, development guides, testing guides, code review guides, & application security verification standards
Description/Materials Available of SANS (SysAdmin, Audit, Network, & Security Institute).
Description:
A company that specializes in cybersecurity & secure web application development
Materials Available:
White papers, research reports, & best practices guidelines
Description/Materials Available of Center for Internet Security (CIS).
Description:
Not-for-profit organization that compiles CIS security controls
Materials Available:
Training, assessment tools, & consulting services
What is one of the most important steps in SecDevOps?
Testing!
When should testing be done r/t SecDevOps?
During the implementation & verification phases of a software development process
What 2 types of code analysis are involved in SecDevOps testing?
1) Static Code Analysis
2) Dynamic Code Analysis
What is static code analysis?
Tests run before the source code is even compiled & may be accompanied by manual peer reviews
What is dynamic code analysis?
Security testing performed after the source code is compiled
What is Fuzzing?
Used by dynamic code analysis tools & provides random input to a program in an attempt to trigger exceptions
What are the 8 secure coding techniques?
1) Proper input validation
2) Normalization
3) Stored procedure
4) Code signing
5) Obfuscation/camouflaged code
6) Dead code
7) Server-side execution & validation or Client-side execution & validation
8) Code reuse of third-party libraries & SDKs
Description/Security Advantage of Proper Input Validation.
Description:
Accounting for errors such as incorrect user input (entering a file name for a file that does not exist)
Security Advantage:
Can prevent cross-site scripting (XSS) and cross-site request forgery (CSRF)
Description/Security Advantage of Normalization.
Description:
Organizing data within a database to minimize redundancy
Security Advantage:
Reduces footprint of data exposed to attackers
Description/Security Advantage of Stored Procedure.
Description:
A subroutine available to applications that access a relational database
Security Advantage:
Eliminates the need to write a subroutine that could have vulnerabilities
Description/Security Advantage of Code Signing.
Description:
Digitally signing applications
Security Advantage:
Confirms the software author and guarantees the code has not been altered or corrupted
Description/Security Advantage of Obfuscation/Camouflaged Code.
Description:
Writing an application in such a way that its inner functionality is difficult for an outsider to understand
Security Advantage:
Helps prevent an attacker from understanding a program’s function
Description/Security Advantage of Dead Code.
Description:
A section of an application that executes but performs no meaningful function
Security Advantage:
Provides an unnecessary attack vector for attackers
Description/Security Advantage of Server-Side Execution & Validation or Client-Side Execution & Validation.
Description:
Input validation generally uses the server to perform validation but can also have the client perform validation by the user’s web browser
Security Advantage:
Adds another validation to the process
Description/Security Advantage of Code Reuse of Third-Party Libraries and SDKs.
Description:
Code reuse is using existing software in a new application; a software development kit (SDK) is a set of tools used to write applications
Security Advantage:
Existing libraries that have already been vetted as secure eliminate the need to write new code
What does Windows 10 Tamper Protection do?
Windows 10 Tamper Protection security feature prevents Windows security settings from being changed or disabled by a threat actor who modifies the registry