CISS 310 Modules 4-5
Define open source
Anything that can be used freely without restrictions.
Describe 3 confinement tools
*Application whitelisting/blacklisting*: if something is prep approved it is whitelisted, if it is not - it is black listed *Sandbox*: A container in which an application can be run so that it does *not* affect the underlying OS. Anything that occurs within the sandbox is not visible to other applications or the OS outside the sandbox. Also, the contents of the sandbox are not saved when the sandbox is closed. *Quarantine*: the process that holds a suspicious document. It is most commonly used with email attachments. The quarantine process removes the attachment and, depending upon the policy set by the organization, either sends to the user sent a sanitized version of the attachment (such as a Word DOCX document that has been converted to a PDF document) or a URL to the document on a restricted computer so that the user can view, print, or delete the attachment.
In application development, what are the 4 general stages? (pg. 115)
*Development* - requirements are established and it is confirmed that the application meets the intended business needs before coding actually starts. *Testing* - thoroughly test the application to ensure there are no security vulnerabilities *Staging* - tests to verify that the code functions as intended *Production* - Application is released
What is the most popular wearable technology? (pg. 130)
A smartwatch.
Define antimalware
A suite of SW intended to provided protection against multiple types of malware such as ransomware, crytonmlaware, and Trojans.
Explain Automated Indicator Sharing (AIS)
A technology that enables the exchange of cyberthreat indicators between parties through computer to computer sharing. Threat indicators such as malicious IP addresses or the sender of a phishing email can be quickly shared with others to repel these attacks.
Define VoIP (pg. 141)
A technology that uses a data-based IP network to add digital voice clients and new voice applications onto the IP network.
Describe wildcard scanning
A wildcard is allowed to skip bytes or ranges of bytes instead of looking for an exact match.
Two Rights and a Wrong, select the wrong and explain. (pg. 145) A. Multiple SCADAs are controlled by an ICS. B. Power, compute, and network are all security constraints for embedded systems and specialized devices. C. An RTOS is tuned to accommodate very high volumes of data that must be immediately processed for critical decision making.
A. Multiple ICS are managed by a larger supervisory control and data acquisition (SCADA) system.
Describe Unified Endpoint Management (UEM) (pg. 137)
All the capabilities of MDM, MAM, and MCM can be supported by UEM. A group or class of SW tools that has a single management interface for mobile and computer devices.
Describe mobile device management (MDM) (pg. 137)
Allows a device to be managed remotely by and organization. Typically involves a *server component* which sends out management commands and a *client component* which runs on the mobile device to receive and implement the management commands. An administrator can then perform OTA updates or change the configuration on one device, groups of devices, or all devices.
Define integrity measurement and describe how it works. (pg. 115)
An "attestation mechanism" designed to ensure an application is running only known and approved executables. Whenever a file is called in an executable mode, such as when a program is invoked or a sharable library is mapped, the integrity measurement tool generates a unique digital value of that file. On request, the tool can produce a list of all programs run and their corresponding digital values. This list can then be examined to ensure that no unknown or known vulnerable applications have been run.
Describe the following mobile device connection vulnerability: USB On-The-Go (OTG) (pg. 134)
An OTG mobile device with a USB connection can function as either a host (to which other devices may be connected such as a USB flash drive) for external media access or as a peripheral (such as a mass storage device) to another host. Connecting a malicious flash drive infected with malware to a mobile device could result in an infection, just as using a device as a peripheral while connected to an infected computer could allow malware to be sent to the device.
What is the cornerstone of SecDevOps? Explain. (pg. 115)
Automation SecDevOps applies what is called automated courses of action to develop the code as quickly and securely as possible. This automation enables: continuous monitoring (examining the processes in real time instead of at the end of a stage), continuous validation (ongoing approvals of the code), continuous integration (ensuring that security features are incorporated at each stage), continuous delivery (moving the code to each stage as it is completed), and continuous deployment (continual code implementation).
What is CISCP?
CISCP - Cyber Information and Sharing Collaboration Program An open source intelligence sharing center run by the US Department of Homeland Security (DHS).
What are the three primary tasks to secure endpoint computers?
Confirm that the computer has started securely. Protecting the computer from attacks. Hardening the endpoint for even greater protection.
Describe Mobile Content Management (MCM) (pg. 137)
Content management supports the creation and subsequent editing and modification of digital content by multiple employees. It can include tracking editing history, version control (recording changes and "rolling back" to a previous version if necessary), indexing, and searching. A mobile content management (MCM) system is tuned to provide content management to hundreds or even thousands of mobile devices used by employees in an enterprise.
Describe third-party cookie
Cookies that are generated by external sites (e.g. via advertisements) are called third-party cookies.
Describe the following secure coding technique (pg. 115.5): code signing
Description: Digitally signing applications. Security advantage: Confirms the software author and guarantees the code has not been altered or corrupted.
Describe CYOD (choose your own device). (pg. 130)
Employees choose from a limited selection of approved devices but pay the upfront cost of the device while the business owns the contract. Employees are offered a suite of choices that the company has approved for security, reliability, and durability. Company often provides a stipend to pay monthly fees to wireless carrier.
Describe COPE (corporate owned, personally enabled). (pg. 130)
Employees choose from a selection of company-approved devices. Employees are supplied the device chosen and paid for by the company, but they can also use it for personal activities. Company decides the level of choice and freedom for employees.
What organizations are are particularly active in posting to file and code repositories?
FBI Cybersecurity and Infrastructure Security Agency (CISA) DoD US Cyber Command
List some real-world uses of FPGA (pg. 141).
FPGAs are used in aerospace and defense, medical electronics, digital television, consumer electronics, industrial motor control, scientific instruments, cybersecurity systems, and wireless communications. Microsoft is now using FPGAs in its data centers to run Bing search algorithms.
What is the most frequent cause of unsecure applications? What 3 aspects of creating and developing SW can help ensure secure applications? (pg. 113)
How the application was designed and written. Understanding: Application development concepts Secure coding techniques Code testing
Describe corporate owned (pg. 130)
The device is purchased and owned by the enterprise. Employees use the phone only for company-related business. Enterprise is responsible for all aspects of the device.
Describe security cookie
When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTPS).
Regarding files, when does AV software work?
When files are created, opened, or closed.
The __________________________________ security feature prevents Windows security settings from being changed or disabled by a threat actor who modifies the registry.
Windows 10 Tamper Protection
Do some EDRs also allow for a manual or user analysis of the data?
Yes
Like radar, predictive analysis helps determine ____________ and __________ attacks may occur.
when where
What 3 additional concepts does SecDevOps offer that increase its usefulness? (pg. 115)
*Immutable systems* - once something is created, it cannot be changed; a new system must be created *Infrastructure as code* - *Baselining* - creating a starting point for comparison purposes in order to apply targets and goals to measure success
What two tools facilitate AIS?
*Structured Threat Information Expression (STIX)* - A language and format used to exchange cyberthreat intelligence. STIX information can be visually represented for a security analyst to view or store in a lightweight format to be used by a computer. *Trusted Automated Exchange of Intelligence Information (TAXII)* - An application protocol for exchanging cyberthreat intelligence over Hypertext Transfer Protocol Secure (HTTPS).
HIDSs typically monitor which 3 types of endpoint computer functions?
*System calls*: Each operation in a computing environment starts with a system call. A system call is an instruction that interrupts the program being executed and requests a service from the operating system. HIDS can monitor system calls based on the process, mode, and action being requested. *File system access*: System calls usually require specific files to be opened to access data. A HIDS works to ensure that all file openings are based on legitimate needs and are not the result of malicious activity. *Host input/output*: HIDS monitors all input and output communications to watch for malicious activity. For example, if the system never uses instant messaging (IM) and suddenly a threat attempts to open an IM connection from the system, the HIDS would detect this as anomalous activity.
What are the two major application development lifecycle models? Describe them. (pg. 115)
*Waterfall* - uses a sequential design process: as each stage is fully completed, developers move on to the next stage. Once a stage is completed, one cannot go back. *Agile* - it takes an incremental approach. Developers might start on a simple project design and work on small modules or "sprints". At the end of each sprint, the projects priorities are evaluated and tests are run. This approach allows for issues to be discovered and addressed along the way.
How can an organization prevent its employees from installing the latest patch until it has passed testing and still ensure that all users download and install necessary patches?
*automated patch update service* This service is used to manage patches within the enterprise instead of relying upon the vendor's online update service. An automated patch update service typically consists of a component installed on one or more servers inside the corporate network. Because these servers can replicate information among themselves, usually only one of the servers must be connected to the vendor's online update service. See image on pg. 108
How do users benefit from the flexility of the BYOD, COPE, and CYOD models? (pg. 130)
- Choice of device. Users like the freedom of choosing the type of mobile device with BYOD, COPE, and CYOD instead of being forced to accept a corporate device that may not meet their individual needs (corporate owned). - Choice of carrier. Most users have identified a specific wireless data carrier they want to use and often resist being forced to use a carrier with whom they have experienced a poor past relationship. - Convenience. Because almost all users already have their own device, the BYOD, COPE, and CYOD models provide the convenience of carrying only a single device.
List the 3 advantages of an automated patch update service.
- Downloading patches from a local server instead of using the vendor's online update service can save bandwidth and time because each computer does not have to connect to an external server. - Administrators can approve or decline updates for client systems, force updates to install by a specific date, and obtain reports on what updates each computer needs. - Administrators can approve updates for "detection" only; this allows them to see which computers require the update without installing it.
What are several benefits of the BYOD, COPE, and CYOD models for the enterprise? (pg. 130)
- Management flexibility. BYOD and CYOD ease the management burden by eliminating the need to select a wireless data carrier and manage plans for employees. - Less oversight. Businesses do not need to monitor employee telecommunications usage for overages or extra charges. - Cost savings. Because employees are responsible for their own mobile device purchases and wireless data plans (BYOD) or receive a small monthly stipend (CYOD), the company can save money. - Increased employee performance. Employees are more likely to be productive while traveling or working away from the office if they are comfortable with their device. - Simplified IT infrastructure. By using the existing cellular telephony network, companies do not have to support a remote data network for employees. - Reduced internal service. BYOD, COPE, and CYOD reduce the strain on IT help desks because users will be primarily contacting their wireless data carrier for support.
What benefits does UEFI have over BIOS?
- the ability to access hard drives larger than 2 TB - support for an unlimited number of primary hard drive partitions - faster booting - boot security - support for networking functionality in the in the UEFI firmware itself to assist in remote troubleshooting - it has a more advanced user interface for configurations and information
Describe the 3 steps of a legacy BIOS boot
1. The BIOS would first test the various components of the computer to ensure that they were functioning properly (called the POST or Power-On Self-Test). 2. Next, the BIOS would reference the Master Boot Record (MBR) that specified the computer's partition table, which instructed the BIOS where the computer's operating system (OS) could be located. 3. Finally, the BIOS passed control to the installed boot loader, which launched the OS.
List the 3 ways the stateless protocol HTTP can mimic a stateful protocol.
1. Using a URL extension so the state is sent as part of the URL as a response. 2. Using "hidden form fields" in which the state is sent to the client as part of the response and returned to the server as part of a form's hidden data. 3. Storing user-specific information in a file on the user's local computer and then retrieve it later in a file called a cookie.
Legacy BIOS boot support from motherboard manufacturers ended in ____________ and ___________ is now the standard.
2020 UEFI
Two Rights and a Wrong - select the wrong statement and explain why 1. Two concerns about public information sharing centers are the privacy of shared information and the speed at which the information is shared. 2. Two tools that facilitate AIS are STIX and TAXII. 3. Security professionals consider threat maps a vital source of information.
3. Security professionals consider threat maps a vital source of information. Cybersecurity threat maps only provide general location data and are simply a playback of previous attacks. They are not detail oriented or live.
In a recent survey, almost _______________ percent of organizations admitted to suffering a compromise due to a mobile device. (pg. 134)
40
Describe the following mobile device connection vulnerability: hotspot (pg. 134)
A hotspot is a location where users can access the Internet with a wireless signal (e.g., coffeeshop, airport). Because public hotspots are beyond the control of the organization, attackers can eavesdrop on the data transmissions and view sensitive information.
Define "registry"
A DB that contains low-level settings used by Windows OS and for those applications that elect to use it.
Describe the following mobile device connection vulnerability: malicious USB cable (pg. 134)
A USB cable could be embedded with a Wi-Fi controller that can receive commands from a nearby device to send malicious commands to the connected mobile device. The device will recognize the cable as a Human Interface Device (similar to a mouse or keyboard), giving the attacker enough permissions to exploit the system.
What is a security template?
A collection of security configuration settings that can be used to create the same security settings among multiple endpoints in a network.
What is Arduino? How does it differ from Raspberry Pi? (pg. 141)
A controller for other devices. Arduino has an 8-bit microcontroller whereas Raspberry Pi has a 64-bit. It has a limited amount of RAM. No OS Can only run program on the Arduino platform, most of which must be written in C++.
Describe a threat map
A cybersecurity threat map illustrates cyberthreats on a map. Threat maps help in visualizing attacks and provide a *limited* amount of context of the source and target countries, the attack types, and historical and near real-time data about threats.
Describe first-party cookie
A first-party cookie is characterized by the fact that it can only be created and viewed by the website operator whose page you are visiting.
Define and describe a field-programmable gate array (FPGA). (pg. 141)
A hardware integrated circuit that can be programmed by the user. A user can write software that loads onto the FPGA chip and executes functions, and that software can later be replaced or deleted.
Describe an HTTP Response Header
A header that can inform the browser how to function while communicating with the website.
What is a drawback of HIPS?
A high number of false positives can be generated. Both legitimate and malicious programs often access the same resource, and then each can cause a HIPS to block the action.
What device was regarded as the earliest portable computer? (pg. 130)
A laptop computer
What is Raspberry Pi and what is it capable of doing? (pg. 141)
A low-cost, credit-card-sized computer motherboard. The Raspberry Pi can perform almost any task that a standard computer device can, such as browsing the Internet, playing high-definition video, creating spreadsheets, and playing games. It can also be used to control a specialized device.
Describe the following mobile device connection vulnerability: tethering (pg. 134)
A mobile device with an active Internet connection can be used to share that connection with other mobile devices through Bluetooth or Wi-Fi. An unsecured mobile device may infect other tethered mobile devices or the corporate network.
Describe body area network (BAN) (pg. 141)
A network system of IoT devices in close proximity to a person's body that cooperate for the benefit of the user.
Describe the dark web
A part of the web that is beyond the reach of normal search engines and is the domain of threat actors. Using specialized software such as Tor or I2P (Invisible Internet Project) this software will mask a user's identity to engage in illegal activities such as selling drugs or stolen information such as credit card numbers, SSN, PII.
Define compiler (pg. 115)
A program that creates binary source code from machine code.
Define "public information sharing center"
A repository by which open source cybersecurity information is collected and disseminated.
Describe vulnerability database
A repository of known vulnerabilities and information as to how they have been exploited. The adversary tactics, techniques, and procedures (TTP) is a database of the behavior of threat actors and how they orchestrate and manage attacks.
Define and describe system on a chip (SoC). (pg. 141)
A single microprocessor chip on which all of the necessary hardware components are contained. It is smaller than Raspberry Pi or Arduino.
Is a single fuzzer sufficient? Why or why not? (pg. 117)
A single pass of a fuzzer is unlikely to find all exceptions in software due to the randomness in the fuzzing process. The mutation of the inputs relies on randomness to determine where to mutate input and what to mutate. Fuzzers require multiple trials and statistical tests.
Describe file and code repositories
An area in which victims of an attack can upload malicious files and software code that can be examined by others to learn more about these attacks and craft their defenses. Often samples of recently discovered malware variants are uploaded to the VirusTotal malware aggregation repository along with published detailed malware analysis reports (MARs) containing IOCs for each malware variant.
What is a BIOS attack? Why are they difficult to uncover?
An attack that exploits the update feature of the BIOS. BIOS resides in firmware and therefore an infected BIOS would persistently re-infect the computer anytime it was powered on.
How can a threat actor use a QR code? (pg. 134)
An attacker can create an advertisement listing a reputable website, such as a bank, but include a QR code that contains a malicious URL. Once the user snaps a picture of the QR code using the camera on a mobile device, the code directs the web browser on the mobile device to the attacker's imposter website or to a site that immediately downloads malware.
Define "predictive analysis"
An evaluation used for discovering an attack before it occurs.
What are some of CISCP's activities?
Analyst to analyst technical exchanges CISCP analytical products - a portal where analysts can receive analysis of products and threats Cross industry orchestration Digital malware analysis - suspected malware can be submitted for analysis
Describe static code analysis (pg. 117)
Analyzing and testing SW from a security perspective before the source code is compiled.
Next flashcard goes here (pg. 108)
And here
List some of the features MDM can offer. (pg. 137)
Apply or modify default device settings. Approve or quarantine new mobile devices. Configure email, calendar, contacts, and Wi-Fi profile settings. Detect and restrict jailbroken and rooted devices. Display an acceptable use policy that requires consent before allowing access. Distribute and manage public and corporate apps. Enforce encryption settings, antivirus updates, and patch management. Enforce geofencing, which is using the device's GPS to define geographical boundaries where an app can be used. Securely share and update documents and corporate policies. Selectively erase corporate data while leaving personal data intact. Send SMS text messages to selected users or groups of users (called push notification services).
Is Raspberry Pi or Arduino generally considered a better solution? (pg. 141)
Arduino
Two Rights and a Wrong, select the wrong and explain. (pg. 117) A. A goal of software diversity is to reduce the probability that errors created by different compilers will influence the end results. B. Provisioning is removing a resource that is no longer needed. C. SecDevOps has elasticity and scalability.
B. Provisioning is removing a resource that is no longer needed. *Deprovisioning* is the removal of a resource that is no longer needed. *Provisioning* is the enterprise-wide configuration, deployment, and management of multiple types of IT system resources, of which the new application would be viewed as a new resource.
The booting process on early personal computers, both Apple Mac and Windows PC, used firmware called what?
BIOS (Basic Input/Output System)
List the 5 Enterprise Deployment Model (pg. 130)
BYOD - Bring Your Own Device COPE - Corporate owned, personally enabled CYOD - Choose your own device VDI - Virtual Desktop Infrastructure Corporate owned
Explain how antimalware works using the most common technique
Bayesian filtering The software divides email messages that have been received into two piles, spam and nonspam. The filter then analyzes every word in each email and determines how frequently a word occurs in the spam pile compared to the nonspam pile. A word such as "the" would occur equally in both piles and be given a neutral 50 percent ranking. A word such as "report" may occur frequently in nonspam messages and would receive a 99 percent probability of being a nonspam word, while a word like "sex" may receive a 99 percent probability of being a spam word. Whenever email arrives, the filter looks for the 15 words with the highest probabilities to calculate the message's overall spam probability rating.
Why must endpoint desktop and laptop computers be secured?
Because they are typically connected to corporate networks and if the data is stored locally (on the device), the desktops/laptops can be used as a springboard to attack other endpoints.
Bayesian filters generally trap a/the _______________ percentage of spam than other techniques. A. Lower B. Same C. Higher
C. Higher
What are the 6 mobile device connectivity methods? (pg. 130)
Cellular WiFi Infrared - light that is next to the visible light on the light spectrum that was once used for data communication. Due to slow speeds and other limitations, it is no longer used. USB connections Bluetooth (discussed in Module 11) NFC (discussed in Module 11)
Define rooting (pg. 134)
Circumventing the installed built-in limitations on Android devices.
Define jailbreaking (pg. 134)
Circumventing the installed built-in limitations on Apple iOS devices.
Define embedded system (pg. 137.5)
Computer HW and SW contained within a larger system that is designed for a specific function.
List the four CISCP privacy protections (pg. 98 in e-book for more detail)
Cybersecurity Information Sharing Act (CISA) - Federal law passed in 2015 that allows for cybersecurity information to be shared between the private sector, state, and local governments and the federal government. Freedom of Information Act (FOIA) - Passed in 1967 and allows the public the right to request access from any federal agency. FOIA offers 9 exemptions, one of them which protects interests such as personal privacy. Traffic Light Protocol (TLP) - A set of designations used to ensure that sensitive information is only shared with appropriate audience. There are four colors (red, amber, green, white) to indicate the sharing limitations. Protected Critical Infrastructure Information (PCII) - PCII Act of 2002 protects private sector infrastructure information that is voluntarily shared with the government for the purposes of homeland security.
Describe the following secure coding technique (pg. 115.5): Dead code
Description: A section of an application that executes but performs no meaningful function. Security advantage: Provides an unnecessary attack vector for attackers
Describe the following secure coding technique (pg. 115.5): stored procedure
Description: A subroutine available to applications that access a relational database. Security advantage: Eliminates the need to write a subroutine that could have security vulnerabilities.
Describe the following secure coding technique (pg. 115.5): proper input validation
Description: Accounting for errors such as incorrect user input (entering a file name for a file that does not exist). Security advantage: Can prevent Cross-site scripting (XSS) and Cross-site request forgery (CSRF) attacks
Describe the following secure coding technique (pg. 115.5): Code reuse of third-party libraries and SDKs
Description: Code reuse is using existing software in a new application; a software development kit (SDK) is a set of tools used to write applications. Security advantage: Existing libraries that have already been vetted as secure eliminate the need to write code.
Describe the following secure coding technique (pg. 115.5): Server-side execution and validation or Client-side execution and validation
Description: Input validation generally uses the server to perform validation but can also have the client perform validation by the user's web browser. Security advantage: Adds an additional validation to the process.
Describe the following secure coding technique (pg. 115.5): Normalization
Description: Organizing data within a DB to minimize redundancy. Security advantage: Reduces the footprint of data exposed to attackers.
Describe the following secure coding technique (pg. 115.5): Obfuscation/camouflaged code
Description: Writing an application in such a way that it is difficult for an outsider to understand. Security advantage: Helps prevent an attacker from understanding a program's function.
Define automated courses of action (pg. 115)
Developing code as quickly and securely as possible.
Which mobile management tool offers greater control of the device and which tool offers greater control of the apps? (pg. 137)
Device: MDM Apps: MAM
Can a cookie access personal information stored on a local computer?
No
A typical OS security configuration should include what 3 items?
Disabling unnecessary open ports and services Disabling default accounts and pw's Employing least functionality - The concept of "least functionality" states a user should only be given the minimum set of permissions required to perform necessary tasks
What is data exposure? (pg. 115.5)
Disclosing sensitive data to hackers.
Define sideloading (pg. 134)
Downloading unofficial apps
Describe "chain of trust"
Each element relies on confirmation of the previous element to know that the entire process is secure.
Describe BYOD (Bring Your Own Device). (pg. 130)
Employees use their own personal mobile devices for business purposes. Employees have full responsibility for choosing and supporting the device. This model is popular with smaller companies or those with a temporary staff.
Describe dynamic code analysis (pg. 117)
Examining code after the source code is compiled and when all components are integrated and running. This testing typically uses a tool or suite of pre-built attacks or testing tools that specifically monitor the application's behavior for memory corruption, user privilege issues, and other critical security problems.
List the 3 types of attacks that can be launched using vulnerabilities in applications. (pg. 113)
Executable file attack - Trick the vulnerable application into modifying or creating executable files on the system Defense: Prevent the application from creating or modifying executable files for its proper function System tampering - Use the vulnerable application to modify special sensitive areas of the operating system (Microsoft Windows registry keys, system startup files, etc.) and take advantage of those modifications Defense: Do not allow applications to modify special areas of the OS Process spawning control - Trick the vulnerable application into spawning executable files on the system Defense: Take away the process spawning ability from the application.
Describe a memory management vulnerability and what types of attacks can be caused by this? (pg. 113)
Failure of programmers to create secure code which allows vulnerabilities that manipulate computer RAM. Buffer overflow (covered in Mod. 3) Integer overflow (covered in Mod. 3) pointer/object deference (covered in Mod. 3) DLL injection attack (covered in Mod. 3)
Describe Endpoint Detection and Response (EDR)
First, an EDR *can aggregate data from multiple endpoint computers to a centralized database* so that security professionals can further investigate and gain a better picture of events occurring across multiple endpoints instead of just on a single endpoint. This can help determine if an attack is more widespread across the enterprise and if more comprehensive and higher-level action needs to be taken. Second, EDR tools can perform more sophisticated analytics that identify patterns and detect anomalies.
Define elasticity (pg. 115)
Flexibility or resilience in code development
In addition to Tamper Protection, a ______________________ setting can prevent access to the tool that can alter the registry. This setting is _____________________________________________.
Group Policy Prevent access to registry editing tools
List and describe the 4 HTTP Response Headers noted in this chapter (pg. 104)
HTTP Strict Transport Security (HSTS) - Forces browser to communicate over more secure HTTPS instead of HTTP Content Security Policy (CSP) - Restricts the resources a user is allowed to load within the website Cross Site Scripting Protection (X-XSS) - Prohibits a page from loading if it detects a cross-site scripting attack X-Frame-Options - Prevents attackers from "overlaying" their content on the webpage
What step needs to be taken after boot security and protecting end points?
Hardening the end points
What is the strongest starting point in terms of security? And why?
Hardware because it cannot be modified like software.
Define antispyware
Helps computers from being infected by spyware
List the 3 types of monitoring and response systems for endpoint computers (pg. 104)
Host Intrusion Detection System (HIDS) Host Intrusion Prevention System (HIPS) Endpoint Detection and Response (EDR)
Define autonomous body sensor network (ABSN). (pg. 141)
It is the most robust of the body sensor networks. Instead of only reading and transmitting information, an ABSN introduces actuators in addition to the sensors so that immediate effects can be made on the human body.
Describe SecDevOps What SDLC does it fall under? (pg. 115)
It is the process of integrating secure development best practices and methodologies into SW application development and deployment processes using the agile model. It is a set of best practices designed to help organizations implant secure coding deep in the heart of their applications. Agile
Why is it helpful to share IOC information?
It may indicate a common attack that other organizations are currently experience or may experience in the future.
What is an IOC?
Indicator of compromise An indicator that malicious activity is occurring but still in the early stages.
Define IoT (pg. 141)
Internet of Things Connecting any device to the Internet for the purpose of sending and receiving data to be acted upon.
What was introduced in the US Senate in 2019 to propose or enact legislation to require stronger security on embedded systems and specialized devices? What did it require? (pg. 145)
Internet of Things (IoT) Cybersecurity Improvement Act of 2019 Require the National Institute of Standards and Technology (NIST) to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices. Direct the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, and charge OMB with reviewing the policies at least every five years. Require any Internet-connected devices purchased by the federal government to comply with those recommendations. Direct NIST to work with cybersecurity researchers and industry experts to publish guidance on coordinated vulnerability disclosure to ensure that vulnerabilities related to agency devices are addressed. Require contractors and vendors providing IoT devices to the U.S. government to adopt coordinated vulnerability disclosure policies so that if a vulnerability is uncovered, that information is disseminated.
Define provisioning (pg. 115)
Is the enterprise-wide configuration, deployment, and management of multiple types of IT system resources, of which the new application would be viewed as a new resource.
Describe a web-based computer. (pg. 130)
It contains a limited version of an OS and a web browser with an integrated media player. Web-based computers are designed to be used while connected to the Internet. *No traditional software applications can be installed, and no user files are stored locally on the device.* Instead, the device accesses online web apps and saves user files on the Internet. The most common OSs for web-based computers are the Google Chrome OS and Microsoft Windows 10 in S Mode.
Why do companies feel more comfortable today sharing their vulnerabilities?
It helps them and other organizations shore up their defenses.
Describe a Host Intrusion Detection System (HIDS)
It is a software-based application that runs on an endpoint computer and can detect that an attack has occurred. The primary function of a HIDS is automated detection, which saves someone from sorting through log files to find an indication of unusual behavior. HIDS can quickly detect evidence that an intrusion has occurred.
What is one limitation of HTTP?
It is a stateless protocol which means it "forgets" what occurs when a session is interrupted or ends.
Describe code emulation
It is an AV heuristic monitoring technique where a virtual environment is created that simulates the CPU and memory of the computer. Any questionable code is inserted into the VM and *not* the real environment.
Spell out and define KRI
Key Risk Indicator A metric of the upper and lower bounds of specific indicators of normal network activity. A KRI exceeding its normal range could be an indicator of compromise (IOC).
List the 6 Boot Security Modes (pg. 102).
Legacy BIOS Boot UEFI Native Mode Secure Boot Trusted Boot Measured Boot
What is the most secure boot security mode? Why? What is its disadvantage?
Measured boot The computer's firmware logs the boot process so the OS can send it to a trusted server to assess the security. It could slow down the boot process.
List and describe the 4 advantages of smart meters over analog meters. (pg. 141)
Meter readings - Meter readings are transmitted daily, hourly, or even by the minute to the utility company. Servicing - battery replacement every 20 years Tamper protection - Can alert utility in the event of tampering or theft. Emergency communication - Transmits "last gasp" notification of a problem to utility company.
Describe mismatch scanning
Mismatches allow a set number of bytes in the string to be any value regardless of their position in the string.
Describe mobile device vulnerability: location tracking (pg. 134)
Mobile devices using geolocation are at increased risk of targeted physical attacks. An attacker can determine where users with mobile devices are currently located and use that information to follow them and steal the mobile devices or inflict physical harm. A related risk is GPS tagging (also called geo-tagging), which is adding geographical identification data to media such as digital photos taken on a mobile device. A user who, for example, posts a photo on a social networking site may inadvertently identify a private location to anyone who can access the photo.
Define MTSO (pg. 130)
Mobile telecommunications switching office - it is part of a cellphone network. It serves as a link between the cellular network and wired telephone world.
Describe Patch Distribution (pg. 108)
Modern operating systems—such as Red Hat Linux, Apple macOS, Ubuntu Linux, and Microsoft Windows—frequently distribute patches. These patches, however, can sometimes create new problems, such as preventing a custom application from running correctly. Organizations that have these types of applications usually test patches when they are released to ensure that they do not adversely affect any customized applications.
List the 6 types of OSs noted in Module 4.
Network OS - Software that runs on a network device like a firewall, router, or switch Server OS - Operating system software that runs on a network server to provide resources to network users Workstation OS - Software that manages HW and SW on a computer. Appliance OS - OS in firmware that is designed to manage a specific device like a digital video recorder or video game console. Kiosk OS - System and user interface SW for an interactive kiosk. Mobile OS - OS for mobile phones, smartphones, tablets, and other handheld devices.
Are a sandbox and VM the same thing? Explain.
No A virtual machine is a "computer within a computer" in which an entire OS runs as an application on top of the regular OS. Its contents can be saved for future use. The contents of a sandbox are not saved when the sandbox is closed.
Are jailbreaking and rooting the same thing as carrier unlocking? Explain. (pg. 134)
No Uncoupling a phone from a specific wireless provider.
Does UEFI provide security on its own? Why or why not?
No, it must be paired with other boot security functions.
List and describe 3 secure SDLC sources (Table 4-6, pg. 115)
OWASP (Open Web Application Security Project) - a group that monitors web attacks SANS (SysAdmin, Audit, Network and Security Institute) - a company that specializes in cybersecurity and cure web app development CIS (Center for Internet Security) - Not-for-profit organization that compiles CIS security controls.
Describe patch management (pg. 108)
One of the most important steps in securing an endpoint computer is to promptly install patches. Threat actors often watch for the release of a patch and then immediately craft an attack around the vulnerability the patch addresses, knowing that many users and organizations are lax in applying patches. Effective patch management involves two types of patch management tools to administer patches. The first type includes tools for patch distribution, while the second type involves patch reception.
What is OSINT?
Open Source Intelligence
What is a concern of using public information sharing centers? And why?
Privacy An organization that is a victim of an attack must be careful not to disclose proprietary or sensitive information.
Define closed source and its role in cybersecurity.
Proprietary information owned by an entity that has an exclusive right to it. Organizations that are participate in closed source information are part of private information sharing centers that both restrict access to data and participation. All organizations that choose to join must be vetted and meet certain criteria.
Describe fuzzing (pg. 117) and an advantage it provides.
Provides random input to a program in an attempt to trigger exceptions, such as memory corruption, program crashes, or security breaches. Produces a record of what input triggered the exception so it can be reproduced to track down the problem within the code. Fuzzing test software consists of an execution engine and an input generator, which usually allows the tester to configure the types of inputs
What is a weakness of the waterfall application development lifecycle model? (pg. 115)
Quality assurance (QA) *only* occurs after the application has been tested and before it is finally places in production. This means any issues discovered by QA are difficult to address as it's already at the end of the process. This means waterfall demands extensive planning in the very beginning.
Define deprovisioning (pg. 115)
Removing a resource that is no longer needed.
Untrusted content can also invade mobile devices through which types of messages? Describe what can occur. (pg. 134)
SMS MMS RCS Threat actors can send SMS messages containing links to untrusted content or specially crafted MMS or RCS videos that can introduce malware into the device.
Define version control (pg. 115)
SW that allows for changes to be immediately recorded and, if necessary, "rolled back" to a previous version.
Describe Host Intrusion Prevention System (HIPS)
SW that monitors endpoint activity to immediately block a malicious attack by following specific rules. Activity that a HIPS watches for includes an event that attempts to control other programs, terminate programs, and install devices and drivers. A HIPS *blocks* action and then *alerts* the user so an appropriate decision about what to do can be made.
What is "hardware root of trust"?
Security checks that begin with hardware checks.
Describe mobile device vulnerability: limited updates (pg. 134)
Security patches and updates for these two mobile OSs (Apple iOS and Android) are distributed through firmware over-the-air (OTA) updates. Though they are called "firmware" OTA updates, they include modifying the device's firmware and updating the OS software. Apple commits to providing OTA updates for at least four years after the OS is released. However, OTA updates for Android OSs vary considerably. Mobile hardware devices developed and sold by Google receive Android OTA updates for three years after the device is first released. Other OEMs are required to provide OTAs for at least two years. OEMs want to sell as many devices as possible, they have no financial incentive to update mobile devices that users would then continue to use indefinitely. *Due to the high cost of some mobile devices, users are keeping their devices for longer periods of time. This can result in people using mobile devices that no longer receive OTA security updates and thus have become vulnerable.*
Describe a managed body sensor network (pg. 141)
Sensors are placed on the human body to monitor electrocardiogram (EKG) impulses, blood pressure, glucose, and other human biological functions. The readings are transmitted via computer or smartphone to a third-party physician who can make decisions regarding any medications to prescribe or lifestyle changes to recommend.
Is a notebook computer bigger or smaller than a laptop? (pg. 130)
Smaller
Describe software diversity. List the 3 intentions of it. (pg. 115)
Software diversity is a software development technique in which two or more functionally identical variants of a program are developed from the same specification but by different programmers or programming teams. provide error detection increased reliability and additional documentation
Define antivirus (AV) software
Software that examines a computer for file-based virus infections and also monitor computer activity and scan new documents that might contain a virus.
Describe VDI (Virtual Desktop Infrastructure) (pg. 130)
Stores sensitive applications and data on a remote server accessed through a smartphone. Users can customize the display of data as if the data were residing on their own mobile device. Enterprise can centrally protect and manage apps and data on server instead of distributing to smartphones.
Describe industrial control systems (ICS) and how they're controlled. (pg. 141)
Systems that control locally or at remote locations by collecting, monitoring, and processing real-time data to control machines. ICSs are controlled by a larger supervisory control and data acquisition (SCADA) system. SCADAs help to maintain efficiency and provide information on issues to help reduce downtime.
Describe a directory traversal attack (pg. 113)
Takes advantage of vulnerability in the web application program or the web server software so that a user can move from the root directory to other restricted directories. The ability to move to another directory could allow an unauthorized user to view confidential files or even enter commands to execute on a server known as command injection.
List the 4 mobile device connection vulnerabilities (pg. 134)
Tethering USB On-The-Go (OTG) Malicious USB cable Hotspots
Describe static analysis
The AV software scans files by attempting to match known virus patterns against potentially infected files (called string scanning).
What are the weaknesses of signature based monitoring?
The AV vendor must be constantly searching for new viruses, extracting virus signatures, and distributing those updated DBs to all users.
Describe mobile device vulnerability: physical security (pg. 134)
The greatest asset of a mobile device—its portability—is also one of its greatest vulnerabilities. Mobile devices are frequently lost or stolen. Unless properly protected, any data on a stolen or lost device could be retrieved by a thief. *Of greater concern may be that the device itself can serve as an entry point into corporate data.*
Define geolocation (pg. 134)
The process of identifying the geographical location of a device.
The security of an OS depends upon what?
The proper configuration of its built-in security features.
What is the preferred way for an enterprise to deploy a security template among multiple endpoints?
Though the use of Group Policy. It provides centralized management and configuration of computers and remote users who are using Microsoft Active Directory (AD). Group Policy allows for a single configuration to be set and then deployed to multiple users.
Define and describe segment storage (pg. 137)
The separation of business data from personal data. Users can apply containerization thereby putting business and personal information into different "containers". Advantages: - helps companies avoid data ownership privacy issues and legal concerns regarding a user's personal data stored on the device - allows companies to delete only business data when necessary without touching personal data
Why is it important to secure the Microsoft registry on an endpoint computer?
Threat actors who can modify the registry could be able to: disable antivirus and antimalware protections disable any cloud-delivered protection and remove security updates.
Why do threat attacks attack mobile devices? (pg. 134)
To pivot to other targets.
What is the purpose of the two LED lights on the underside of the device? Describe and also explain why there are 2 colors. (pg. 130)
To read vital signs on the human body and then measure the light absorption with photodiodes. They use *green* LED lights when the wearer is exercising (such as running or bicycle riding) by flashing green light onto the wrist hundreds of times per second. Human blood absorbs green light, so the heart rate can be determined by measuring the changes in green light absorption (a method called photoplethysmography, or PPG). *Red* LED lights are used when the wearer is not exercising. Human blood reflects red light, so about every 10 minutes, the red LEDs flash to measure the resting heart rate. The *reason* for having two colors of LED lights is due to accuracy and battery life. Green LEDs are more accurate, which is more important when assessing a rapid heart rate than a sedentary heart rate. But since green LEDs require more power, red LEDs are also used to save battery life.
Describe Patch Reception (pg. 108)
Today users have fewer—if any—options regarding patches: usually patches are automatically downloaded and installed whenever they become available. This is called auto-update , and it ensures that the software is always up to date.
Describe Mobile Application Management (MAM) (pg. 137)
Tools that are used for distributing and controlling access to apps on mobile devices.
What firmware interface replaced BIOS?
UEFI - Unified Extensible Firmware Interface
Ensuring secure startup involves the _________________________________ and its __________________ features.
Unified Extensible Firmware Interface (UEFI) boot security
Describe dynamic analysis (heuristic monitoring)
Uses a variety of techniques to look for the *characteristics* of a virus instead of attempting to make matches.
Define context aware configuration (pg. 137)
Using a contextual setting to validate a user.
Describe mobile device vulnerability: unauthorized recording (pg. 134)
Video cameras ("webcams") and microphones on mobile devices have been a frequent target of attackers. By infecting a device with malware, a threat actor can secretly spy on an unsuspecting victim and record conversations or videos.
Those users who are concerned about maintaining the highest level of security on their data often turn off backups to _____________________________________. And, why? (pg. 137)
iCloud or Google servers Courts routinely serve orders to Apple and Google to provide the same data stored on their servers using their decryption keys.
List the 4 mobile management tools. (pg. 137)
mobile device management mobile application management mobile content management unified endpoint management
Security risks associated with using mobile devices include what 3 over arching themes? (pg. 134)
mobile device vulnerabilities connection vulnerabilities accessing untrusted content
Although it is possible for the user to disable Secure Boot to install hardware or run software or OS that have not been trusted by the manufacturer, this makes it difficult or impossible to _________________________________________________.
reactivate Secure Boot without restoring the computer back to its original factory state.
SoCs often use what kind of operating system? And why? (pg. 141)
real-time operating system (RTOS) RTOS are able to accommodate high volumes of data that must be immediately.
What security items do web browsers offer?
secure cookies HTTP headers
Not only do participants receive indicators, but they can also __________ indicators they have observed in their own network defenses to the public center, which then distributes them to all participants.
share
TAXII defines an _________________________ and a set of _______________ for TAXII clients and servers.
application protocol interface (API) requirements
Some security professionals and organizations use the ________________ on a ____________ basis to look for signs that information critical to that enterprise is being sought out or sold on the dark web.
dark web limited
Testing involves _____________ code analysis and _____________ code analysis. (pg. 117)
static dynamic
Name and describe the encryption Android uses. (pg. 137)
file-based encryption File-based encryption *encrypts each file with a different key so that files can be unlocked independently without decrypting an entire partition at once.* The device can decrypt and use files needed to boot the system and process critical notifications while not decrypting personal apps and data.
Many threat maps claim that they show data in real time, but most are simply ____________________________________.
a playback of previous attacks
Tablets have a sensor called a(n) ____________________ that detects vibrations and movements. It can determine the orientation of the device so that the screen image is always displayed upright. (pg. 130)
accelerometer
List the 5 security features for locating lost or stolen mobile devices. (pg. 137)
alarm last known location locate remote lockout thief picture
List and describe the 5 Android context aware configurations. Which one is the least secure? (pg. 137)
on-body detection trusted places.- device will be unlocked within a certain radius of a trusted location trusted devices - Device will unlock whenever it is connected to another specific device. trusted face - least secure trusted voice
What are the two categories of threat intelligence sources?
open source closed source
What two steps/processes does hardening end points entail?
patch management OS protections
Mobile device vulnerabilities include what 4 subtopics? (pg. 134)
physical security limited updates location tracking unauthorized recording
List some security constraints of embedded systems and specialized devices. (pg. 145)
power - To prolong battery life, devices and systems are optimized to draw very low levels of power and thus lack the ability to perform strong security measures. compute - Due to their size, small devices typically possess low processing capabilities, which restricts complex and comprehensive security measures. network - To simplify connecting a device to a network, many device designers support network protocols that lack advanced security features. Cryptography - Encryption and decryption are resource-intensive tasks that require significant processing and storage capacities that these devices lack. Inability to patch - Few, if any, devices have been designed with the capacity for being updated to address exposed security vulnerabilities. Authentication - To keep costs at a minimum, most devices lack authentication features. Range - Not all devices have long-range capabilities to access remote security updates. Cost - Most developers are concerned primarily with making products as inexpensive as possible, which means leaving out all security protections. Implied trust - Many devices are designed without any security features but operate on an "implied trust" basis that assumes all other devices or users can be trusted. Weak defaults - User names (such as "root," "admin," and "support") and passwords ("admin," "888888," "default," "123456," "54321," and even "password") for accessing devices are often simple and well known.
AIS is used more extensively with ___________ information sharing centers than _________________ centers.
public private
What does strong device configuration involve? (pg. 137)
strong authentication managing encryption segmenting storage enabling loss or theft services