Topic 8B Flashcards

1
Q

time-of-check to time-of-use (TOCTOU)

A

where a system state changes between the check (verification) stage and the use (execution) stage.

1
Q

Application race condition

A

refers to software flaws associated with the timing or order of events within a software program, which can be manipulated, causing undesirable or unpredictable outcomes.

A race condition describes when two or more operations must execute in the correct order.

When software logic does not check or enforce the expected order of events, security issues such as data corruption, unauthorized access, or similar security breaches may occur.

Race conditions manifest in a wide variety of ways, such as time-of-check to time-of-use (TOCTOU) vulnerabilities.

2
Q

significant examples of race conditions

A

Dirty COW Vulnerability (CVE-2016-5195), which is a race condition vulnerability in the Linux Kernel, allowing a local user to gain privileged access.

Microsoft Windows Elevation of Privilege Vulnerability (CVE-2020-0796), which is a race condition vulnerability associated with the Microsoft Server Message Block 3.1.1 (SMBv3) protocol allowing an attacker to execute arbitrary code on a target SMB server or client.

3
Q

Memory injection

A

refers to a type of security flaw where an attacker can introduce (inject) malicious code into a running application’s process memory.

An attacker often designs the injected code to alter an application’s behavior to provide unauthorized access or control over the system.

Injected code may install malware, exfiltrate sensitive data, or create a backdoor for future access. Injected code generally runs with the same level of privileges as the compromised application, which can lead to a full system compromise if the exploited application has high-level permissions.

Common memory injection attacks include buffer overflow attacks, format string vulnerabilities, and code injection attacks.

Memory injection is typically mitigated with secure coding practices such as input and output validation, encoding, type-casting, access controls, and static and dynamic application testing.

4
Q

buffer overflow vulnerability

A

A buffer is an area of memory that the application reserves to store expected data.

To exploit, the attacker passes data that deliberately overfills the buffer.

One of the most common vulnerabilities is a stack overflow.

The stack is an area of memory used by a program subroutine. It includes a return address, which is the location of the program that called the subroutine.

An attacker could use a buffer overflow to change the return address, allowing the attacker to run arbitrary code on the system.

Buffer overflow attacks are mitigated on modern hardware and operating systems via address space layout randomization (ASLR) and Data Execution Prevention (DEP) controls, by utilizing type-safe programming languages, and by incorporating secure coding practices.

5
Q

type-safe programming languages

A

A language that enforces strict type-checking during compilation and ensures variables and data are used correctly. It prevents memory-related vulnerabilities and injection attacks.

6
Q

malicious update

A

an update that appears legitimate but contains harmful code.

The significance of such attacks lies in their deceptive nature; users trust and frequently accept software updates, making malicious updates a highly effective infiltration strategy.

In 2017, the legitimate software CCleaner was compromised when an unauthorized update was released containing a malicious payload. This affected millions of users who downloaded the update, believing it was a standard upgrade to improve their system’s performance.

7
Q

Evaluation target or scope

A

refers to the product, system, or service being analyzed for potential security vulnerabilities.

The target is the focus of a specific evaluation process, where it is subjected to rigorous testing and analysis to identify any possible weaknesses or vulnerabilities in its design, implementation, or operation.

8
Q

Security Testing

A

Conducting vulnerability assessments and penetration testing to identify potential weaknesses, vulnerabilities, or misconfigurations.

9
Q

Documentation Review

A

Reviewing documentation, such as design specifications, architecture diagrams, security policies, and procedures, to ensure the system is implemented according to secure design principles and compliance requirements.

10
Q

Source Code Analysis

A

Analyzing source code to identify potential security vulnerabilities or coding errors to uncover issues related to input validation, secure coding practices, and coding standards.

11
Q

Configuration Assessment

A

Evaluating configuration settings to ensure they align with security best practices and industry standards, such as assessing access controls, encryption settings, authentication mechanisms, and other security-related configurations.

12
Q

Cryptographic Analysis

A

Assessing cryptographic mechanisms, including encryption algorithms, key management, and secure key storage, to ensure the proper implementation and use of cryptographic schemes according to industry standards and guidelines.

13
Q

Compliance Verification

A

Verifying compliance with standards specified by relevant regulations, frameworks, or security certifications.

14
Q

Security Architecture Review

A

Evaluating security architecture and design to identify potential weaknesses or gaps in security controls, such as insufficient segregation of duties, lack of audit trails, or inadequate access controls.

15
Q

Web application attacks

A

target applications accessible over the Internet, exploiting vulnerabilities in these applications to gain unauthorized access, steal sensitive data, disrupt services, or perform other malicious activities.

The defining characteristics of web application attacks often involve the exploitation of poor input validation (leading to attacks like SQL injection or cross-site scripting), misconfigured security settings, and outdated software with known vulnerabilities.

Unlike attacks on desktop applications or embedded systems, web application attacks must navigate the client-server model, often requiring the attacker to bypass network and application-level security controls.

Also, web application vulnerabilities can often be exploited remotely by any attacker on the Internet, making them a popular target for cybercriminals.

16
Q

What is true of HTTP?

A

It is stateless, meaning each request is independent, and the server does not retain information about the client’s state.

17
Q

cross-site scripting (XSS) attack

A

exploits the fact that the browser is likely to trust scripts that appear to come from a site the user has chosen to visit. XSS inserts a malicious script that appears to be part of the trusted site. Web applications depend on scripting, and most websites these days are web applications rather than static webpages.

18
Q

A nonpersistent type of XSS attack would proceed as follows:

A

The attacker identifies an input validation vulnerability in the trusted site.

The attacker crafts a URL to perform a code injection against the trusted site.
This could be coded in a link from the attacker’s site to the trusted site or a link in an email message.

When the user clicks the link, the trusted site returns a page containing the malicious code injected by the attacker. As the browser is likely to be configured to allow the site to run scripts, the malicious code will execute.

19
Q

a reflected or nonpersistent XSS attack

A

An attack where the malicious input comes from a crafted link.

20
Q

Document Object Model (DOM)

A

When attackers send malicious scripts to a web app’s client-side implementation of JavaScript to execute their attack solely on the client.

For example, the “document.write” method enables a page to take some user input and modify the page accordingly.

21
Q

SQL Injection (SQLi)

A

Where an overflow attack works against the way a process performs memory management, an injection attack exploits some unsecure way in which the application processes requests and queries.

The threat actor modifies one or more of the four basic functions, selecting data (SELECT), inserting data (INSERT), deleting data (DELETE), and updating data (UPDATE), by adding code to some input accepted by the app, causing it to execute the attacker’s own set of SQL queries or parameters.

If successful, this could allow the attacker to extract or insert information into the database or execute arbitrary code on the remote system using the same privileges as the database application.

22
Q

Cloud-based application attacks generally involve the exploitation of

A

misconfigurations in the cloud environment, weak authentication mechanisms, insufficient network segmentation, or poorly implemented access controls.

The shared responsibility model can lead to confusion about who is responsible for what, potentially leaving security gaps that attackers can exploit.

The highly accessible and scalable nature of the cloud can make cloud-based applications attractive targets for attackers.

Some attack types are specific to the cloud, such as side-channel attacks, where an attacker with an instance running on the same physical server as the victim attempts to extract information from the victim’s instance via shared resources.

Cloud services can also be used for cryptojacking, where an attacker uses the cloud’s processing power to mine cryptocurrency without the user’s consent, leading to (vastly) increased costs for the cloud user and degraded performance of their provisioned resources.

23
Q

cloud access security broker (CASB)

A

enterprise management software designed to mediate access to cloud services by users across all types of devices. CASB vendors include Blue Coat, now owned by Symantec, Skyhigh Security, Forcepoint, Microsoft Cloud App Security, and Cisco Cloudlock.

24
Q

CASBs provide visibility into how clients and other network nodes are using cloud services. Some of the functions of a CASB are the following:

A

Enable single sign-on authentication and enforce access controls and authorizations from the enterprise network to the cloud provider.

Scan for malware and rogue or noncompliant device access.

Monitor and audit user and resource activity.

Mitigate data exfiltration by preventing access to unauthorized cloud services from managed devices.

25
Q

In general, CASBs are implemented in one of three ways:

A

Forward proxy—a security appliance or host positioned at the client network edge that forwards user traffic to the cloud network if the contents of that traffic comply with a policy. This requires configuration of users’ devices or installation of an agent. In this mode, the proxy can inspect all traffic in real time, even if that traffic is not bound for sanctioned cloud applications.

The problem with this mode is that users may be able to evade the proxy and connect directly. Proxies are also associated with poor performance as without a load balancing solution, they become a bottleneck and potentially a single point of failure.

Application programming interface (API)—brokers connections between the cloud service and the cloud consumer rather than placing a CASB appliance or host inline with cloud consumers and the cloud services. For example, if a user account has been disabled or an authorization has been revoked on the local network, the API-based CASB would communicate this to the cloud service and use its API to disable access there too.

This depends on the API supporting the range of functions that the CASB and access and authorization policies demand. CASB solutions are quite likely to use both proxy and API modes for different security management purposes.

26
Q

software bill of materials (SBOM)

A

A software bill of materials (SBOM) is a comprehensive inventory of all components in a software product. This includes the primary application code and all dependencies, such as libraries, frameworks, and other third-party components. The SBOM includes details like component names, versions, and information about the suppliers.

This visibility aids in identifying potential vulnerabilities in third-party components, allowing them to be patched or replaced before issues materialize.

27
Q

OWASP Dependency-Check

A

is a Software Composition Analysis (SCA) tool that identifies project dependencies and checks if there are any known, publicly disclosed vulnerabilities associated with them.
