Securing against Threats (Ch. 5,6,7)

Question 1

VM escape

Answer 1

_ attack on host system from within a virtual guest system (running on the host)
_ protect by keeping host system up to date

Question 2

VM sprawl

Answer 2

_ when VMs are spun up and forgotten
_ don’t get patched

Question 3

endpoint

Answer 3

_ a computing device on a network

Question 4

EDR

Answer 4

_ endpoint detection and response
_ monitors endpoints for threats

Question 5

XDR

Answer 5

_ extended detection and response
_ more comprehensive than EDR
_ extends security to cloud

Question 6

HIPS

Answer 6

_ host intrusion prevention system
_ prevents intrusion on a single endpoint

Question 7

Secure baseline

Answer 7

_ known secure starting image for a system
_ maintained over time
_ facilitates deployment of new installations
_ can check systems for deviations from baseline

Question 8

FDE

Answer 8

_ full disk encryption

Question 9

SED

Answer 9

_ self-encrypting drive
_ aka hardware-based FDE drive
_ credentials created upon setting up drive

Question 10

UEFI

Answer 10

_ replacement for BIOS
_ can boot from large disks
_ CPU-independent
_ stored on firmware
_ overwritable with flashing

Question 11

TPM

Answer 11

_ trusted platform module
_ chip on motherboard that stores cryptographic keys
_ secures boot process
_ most computers have them
_ can be used to encrypt disk
_ contains a burned-in endorsement key
_ can store additional keys

Question 12

HSM

Answer 12

_ hardware security module
_ peripheral for storing cryptographic keys
_ provides security methods of TPM

Question 13

EOL

Answer 13

_ end-of-life (hardware)

Question 14

DLP

Answer 14

_ data loss prevention
_ can prevent use of USB flash drives
_ can block unauthorized data transfers
_ can examine content for terms that can’t be exported

Question 15

Secure enclave

Answer 15

_ aka trusted execution environment (TEE)
_ uses hardware to provide an isolated system for processing sensitive data

Question 16

PaaS vs IaaS

Answer 16

_ PaaS provides OS and apps, fully managed
_ IaaS provides hardware (perhaps virtual), customer installs and manages the OS and up

Question 17

XaaS

Answer 17

_ anything as a service
_ umbrella term that refers to the delivery of products, services, or resources as a service over the internet.

Question 18

Multi-cloud system

Answer 18

_ uses multiple cloud providers
_ increases resiliency and redundancy

Question 19

Hybrid cloud system

Answer 19

_ partly public, partly private

Question 20

DLP

Answer 20

_ data loss prevention

Question 21

MSSP

Answer 21

_ managed security service provider
_ provided by a third party
_ can be an appliance
_ patch management
_ vulnerability scanning
_ spam/virus filtering
_ data loss prevention (DLP)
_ VPN
_ proxy services for filtering the web
_ IDS and IPS
_ UTM appliances
_ next-generation firewall

Question 22

MSP

Answer 22

_ managed service provider
_ doesn’t just focus on security, but IT generally

Question 23

CSP

Answer 23

_ cloud service provider

Question 24

CASB

Answer 24

_ cloud access security broker
_ runs between an organization’s network and the cloud provider
_ monitors traffic and enforces security policies

Question 25

Cloud-based DLP

Answer 25

_ cloud-based data-loss prevention
_ implements policies for cloud-based data
_ e.g. detect PII or PHI, blocking and sending alerts

Question 26

SWG

Answer 26

_ secure web gateway
_ proxy server + stateless firewall
_ typically cloud-based
_ URL filtering to block unauthorized sites
_ packet monitoring for malicious traffic
_ malware detection and filtering

Question 27

Security group

Answer 27

_ means by which a firewall on a virtual cloud network allows you to specify your customer-specific security rules
_ customers can’t change firewall directly or cloud security rules directly because this would affect other customers

Question 28

IaC

Answer 28

_ infrastructure as code
_ managing data centers with code defining VMs and virtual networks
_ allows for script-based management

Question 29

Data plane

Answer 29

_ logic that forwards or blocks traffic

Question 30

Control plane

Answer 30

_ logic that identifies path for data to take

Question 31

SDN

Answer 31

_ software-defined networking
_ uses virtual technology to route traffic instead of using hardware routers and switches
_ common in cloud solutions
_ separates data and control planes

Question 32

Edge computing

Answer 32

_ storing and processing data close to the devices that generate and use the data
_ typically stores and processes data on a single node

Question 33

Fog computing

Answer 33

_ using networks at the edge

Question 34

CSA

Answer 34

_ cloud security alliance
_ non-profit promoting cloud best practices

Question 35

Mobile device

Answer 35

_ smartphone or tablet
_ has a full operating system
_ excludes laptops because they don’t include GPS
_ excludes most IoT for lacking an OS

Question 36

COPE

Answer 36

_ corporate-owned, personally enabled
_ mobile device policy
_ employees are free to use devices for personal purposes

Question 37

BYOD

Answer 37

_ bring your own device
_ must comply with corporate policies to connect to network

Question 38

CYOD

Answer 38

_ choose your own device
_ company provides list of acceptable devices

Question 39

MDM

Answer 39

_ mobile device management
_ ensures devices have security controls in place
_ at a minimum, blocks jailbroken Apple devices or rooted Android devices
_ assigns unique IDs to the endpoints

Question 40

UEM

Answer 40

_ unified endpoint management
_ vendor-provided solution
_ keeps devices up-to-date with patches
_ provides anti-virus
_ secured by standard practices

Question 41

Mobile device containerization

Answer 41

_ runs corporate app in a container on device
_ isolates app from device
_ container is encrypted

Question 42

geofencing

Answer 42

_ establishes a geographical fence
_ corporate apps might only run within the fence or only connect to network within the fence

Question 43

jailbreaking

Answer 43

_ removing all software restrictions form an Apple device
_ can thereafter install software from 3rd party sources

Question 44

rooting

Answer 44

_ gives user root-level access to an Android device

Question 45

OTA

Answer 45

_ over-the-air software updates

Question 46

tethering

Answer 46

_ sharing a device’s mobile Internet connection with other devices
_ can be used to bypass corporate firewalls and proxy servers

Question 47

Wi-Fi Direct

Answer 47

_ local wireless network among devices
_ not connected to the Internet

Question 48

SoC

Answer 48

_ system-on-chip
_ many components of a computer on a single chip

Question 49

Embedded system security

Answer 49

_ limited power limits use of cryptography
_ often not possible to patch

Question 50

APT

Answer 50

_ advanced persistent threat
_ organized group of threat actors targeting organizations
_ typically sponsored by nation-states

Question 51

Threat vector

Answer 51

_ path attacker uses to gain access to computers and networks

Question 52

Shadow IT

Answer 52

_ unauthorized systems or apps in an organization
_ can include cloud services

Question 53

virus

Answer 53

_ malware that runs when the host app runs (by virtue of being added to the app)

Question 54

worm

Answer 54

_ self-replicating malware that travels through a network without the assistance of a host app or user
_ can greatly slow network bandwidth

Question 55

Logic bomb

Answer 55

_ event-initiated malware found in an app or script

Question 56

scareware

Answer 56

_ a form of trojan scares users into downloading
_ e.g. “virus detected, download anti-virus now”

Question 57

rootkit

Answer 57

_ provides root access to a system
_ can manage hooks so that anti-virus won’t detect
_ RAM inspection tools can discover them

Question 58

Potential indicators of malware

Answer 58

_ extra traffic
_ data exfiltration
_ encrypted traffic
_ traffic to specified IPs
_ outgoing spam (lots of email)

Question 59

Access vestibule

Answer 59

_ aka mantrap
_ physically guarded buffer between secure and unsecured areas

Question 60

Watering hole attack

Answer 60

_ places malware on websites the targeted people are likely to visit

Question 61

BEC

Answer 61

_ business email compromise
_ exploits trust in high-level executives
_ requests info recipient should not send

Question 62

elicitation

Answer 62

_ social engineering techniques for getting information without asking for it directly
_ e.g. make false statements to be corrected
_ e.g. “bracket” – asserting ranges of numbers, awaiting correction

Question 63

pretexting

Answer 63

_ attacker makes of a convincing story to manipulate target into providing info or granting access
_ can be detailed and well-researched

Question 64

Spear phishing

Answer 64

_ targets a specific group or individual
_ digital signatures can discourage

Question 65

whaling

Answer 65

_ spear fishing that targets high-level executives

Question 66

vishing

Answer 66

_ voice message left asking you to call, whereupon it asks you to confirm your identity
_ can also call directly and ask for identifying info

Question 67

smishing

Answer 67

_ phishing via text instead of email

Question 68

File integrity monitor

Answer 68

_ periodically checks files against saved hashes

Question 69

OSINT

Answer 69

_ open-source intelligence
_ info available to general public

Question 70

TAXII

Answer 70

_ trusted automated eXchange of intelligence information
_ open standard for exchanging messages that share info
_ used to share cyber-threat info

Question 71

STIX

Answer 71

_ structured threat information eXpression
_ open standard identifying cyber threat info that organization should share
_ provides a common language for use with TAXII

Question 72

Dark web

Answer 72

_ alt Internet requiring credentials to access
_ criminal marketplace

Question 73

IoC

Answer 73

_ indicator of compromise

Question 74

Threat map

Answer 74

_ visual representation of active threats
_ shows replays of recent attacks

Question 75

Reflected DDoS

Answer 75

_ Sends request to third party
_ Spoofs the return address
_ Third party sends response to the spoofed address

Question 76

Amplified DDoS

Answer 76

_ a reflected DDoS attack in which the third party’s response is large, producing greater volume

Question 77

On-path attack

Answer 77

_ aka man-in-the-middle attack
_ forwards traffic between two target computers
_ used for eavesdropping, interrupting traffic, or inserting malicious code
_ SSH is subject to attack, but only if warnings are ignored
_ Upon creating keys, SSH creates “fingerprints”, which are verified on every subsequent connection, issuing warnings if they don’t match

Question 78

SSL stripping

Answer 78

_ changes an HTTPS connection into HTTP
_ also applies to TLS
_ HTTP connections are set up in the clear and can be intercepted and manipulated during initialization

Question 79

Pharming attack

Answer 79

_ as with DNS poisoning, directs user to a false website
_ but this attack occurs on the user’s system, not on the server
_ e.g. modifies “hosts” file

Question 80

DNS filtering

Answer 80

_ controls what websites users can visit

Question 81

DNS sinkhole

Answer 81

_ a DNS server that refuses to forward to certain sites
_ used by authorities to take down access to sites

Question 82

TOCTOU

Answer 82

_ time of check to time of use race condition
_ aka state attack
_ attack tries to accomplish something between the time the system verifies that a target is allowed to do something and the system doing that something (e.g. between DAC check and DAC action)

Question 83

OWASP recommended HTTP headers

Answer 83

_ applies to response headers
_ HTTP Strict-Transport-Security – tells browser to only display page if it was sent via HTTPS
_ Content-Security-Policy – what to expect in content
_ X-Frame-Options – whether X-frames are allowed (X-frames aren’t used any more due to vulnerabilities)

Question 84

Secure cookie

Answer 84

_ can only be sent over HTTPS

Question 85

SQLi

Answer 85

_ SQL injection attack

Question 86

Memory injection

Answer 86

_ taking advantage of buffer overflows to inject code into memory

Question 87

DLL injection

Answer 87

_ attacker puts a DLL into system memory and causes it to run

Question 88

LDAP injection

Answer 88

_ extends an LDAP query

Question 89

XML injection

Answer 89

_ embeds XML in data intended for embedding in XML
_ often used to create additional accounts by injecting new account data

Question 90

Directory traversal attack

Answer 90

_ adds traversal to a filename to access a different file

Question 91

Cross-site scripting

Answer 91

_ injects scripts into web pages

Question 92

Reflected XSS

Answer 92

_ aka non-persistent XSS
_ URL embedded in email or website
_ clicking on URL opens page with malicious code

Question 93

Stored XSS

Answer 93

_ aka persistent XSS
_ malicious code stored in database or web page

Question 94

User provisioning

Answer 94

_ automated process of creating, updating, and removing user accounts and permissions
_ reduces mistakes
_ improves reaction time
_ applies principle of least privilege

Question 95

Resource provisioning

Answer 95

_ automating creation, configuration, and removal of resources
_ reduces mistakes
_ improves reaction time