Module 6 Chapter 4: Endpoint and Application Development Security


Which tries to block a malicious attack by following specific rules? a. HIDS b. HIPS c. EDR d. HTTPS

HIPS (host-based intrusion prevention)

Which of these is a list of preapproved applications? a. Greenlist b. Redlist c. Blacklist d. Whitelist

Whitelist

Key risk indicators (KRIs)

Metrics of the upper and lower bounds of specific indicators of normal network activity (LogRhythm)

Which model uses a sequential design process? a. Secure model b. Agile model c. Rigid model d. Waterfall model

The waterfall model uses a sequential design process: as each stage is fully completed, the developers move on to the next stage. This means that once a stage is finished, developers cannot go back to a previous stage without starting all over again.

Which of the following is FALSE about a quarantine process? a. It holds a suspicious application until the user gives approval. b. It can send a sanitized version of the attachment. c. It can send a URL to the document that is on a restricted computer. d. It is most often used with email attachments.

It holds a suspicious application until the user gives approval.

What does Windows 10 Tamper Protection do? a. Limits access to the registry b. Prevents any updates to the registry until the user approves the update. c. Compresses and locks the registry d. Creates a secure backup copy of the registry

Limits access to the registry

What are the two concerns about using public information sharing centers? a. Cost and availability b. Privacy and speed c. Security and privacy d. Regulatory approval and sharing

Privacy and speed. Privacy of the shared information and the speed at which the information is shared.

Which of the following is NOT an important OS security configuration? a. Employing least functionality b. Disabling default accounts c. Disabling unnecessary services d. Restricting patch management

Restricting patch management

Indicators of compromise

- unusual outbound traffic
- anomalies in privileged accounts
- geographic irregularities
- login failures
- swells in database read volume
- large HTML responses
- many requests for one file
- mismatched port-applications
- suspicious registry changes
- spikes in DNS requests from one host

What are the two limitations of private information sharing centers? a. Access to data and participation b. Government approval and cost c. Timing of reports and remote access d. Bandwidth and CPU

Access to data and participation. Organizations that participate in closed-source information sharing are part of private information sharing centers, which restrict both access to data and participation.

Oskar has been receiving emails about critical threat intelligence information from a public information sharing center. His team leader has asked him to look into how the process can be automated so that the information can feed directly into their technology security. What technology will Oskar recommend? a. Automated Indicator Sharing (AIS) b. Bidirectional Security Protocol (BSP) c. Linefeed Access d. Lightwire JSON Control

Automated Indicator Sharing (AIS). Critical threat intelligence information should be distributed to others as quickly as possible. Relying on email alerts that require a human to read them and then react takes far too much time. As an alternative, Automated Indicator Sharing (AIS) can be used. AIS enables the exchange of cyberthreat indicators between parties through computer-to-computer communication rather than email.

Luka has been asked by his supervisor to monitor the dark web for any IOCs concerning their organization. The next week, Luka reports back that he was unable to find anything because looking for information on the dark web is different from using the regular web. Which of the following is NOT different about looking for information on the dark web? a. It is necessary to use Tor or I2P. b. Dark web search engines are identical to regular search engines. c. Dark web merchants open and close their sites without warning. d. The naming structure is different on the dark web.

Dark web search engines are identical to regular search engines. Dark web search engines are very different from regular search engines.

Which of the following takes advantage of vulnerabilities in the web application so that a user can move from the root directory to other restricted directories? a. Software Diversity attack b. Zero-Day Exploit c. Directory traversal attack d. Deprovisioning

Directory traversal attack

What type of analysis is heuristic monitoring based on? a. Dynamic analysis b. Static analysis c. Code analysis d. Input analysis

Dynamic analysis. A newer approach to AV is heuristic monitoring (called dynamic analysis), which uses a variety of techniques to spot the characteristics of a virus instead of attempting to match signatures.

Which of the following tries to detect and stop an attack? a. HIDS b. HIPS c. RDE d. SOMA

HIPS. A host-based intrusion prevention system (HIPS) monitors endpoint activity to immediately react and block a malicious attack by following specific rules. Activity that a HIPS watches for includes events that attempt to control other programs, terminate programs, and install devices and drivers. When a HIPS blocks an action, it then alerts the user so an appropriate decision about what to do can be made.

What is the advantage of a secure cookie? a. It cannot be stored on the local computer without the user's express permission. b. It is sent to the server over HTTPS. c. It is analyzed by AV before it is transmitted. d. It only exists in RAM and is deleted once the web browser is closed.

It is sent to the server over HTTPS. A secure cookie is only sent to the server with an encrypted request over the secure HTTPS protocol. This prevents an unauthorized person from intercepting a cookie being transmitted between the browser and the web server.

An IOC occurs when what metric exceeds its normal bounds? a. IRR b. LRG c. EXR d. KRI

KRI. A KRI is a metric of the upper and lower bounds of specific indicators of normal network activity. These indicators may include the total network logs per second, number of failed remote logins, network bandwidth, and outbound email traffic. Once a KRI exceeds its normal bounds, this could be (but is not always) evidence of an indicator of compromise (IOC). An IOC shows that malicious activity is occurring but is still in the early stages of an attack.

Which stage conducts a test that will verify the code functions as intended? a. Production stage b. Testing stage c. Staging stage d. Development stage

Staging stage. The staging stage tests to verify that the code functions as intended.

Which of the following is not an improvement of UEFI over BIOS? a. Stronger boot security b. Networking functionality in UEFI c. Access larger hard drives d. Support of USB 3.0

Support of USB 3.0. USB 3.0 is not dependent on UEFI.

Which privacy protection uses four colors to indicate the expected sharing limitations that are to be applied by recipients of the information? a. CISA b. FOIA c. TLP d. PCII

TLP uses four colors (red, amber, green, and white) to indicate the expected sharing limitations that are to be applied by the recipients.

Which of the following is NOT an advantage to an automated patch update service? a. Downloading patches from a local server instead of using the vendor's online update service can save bandwidth and time because each computer does not have to connect to an external server. b. Specific types of updates that the organization does not test, such as hotfixes, can be automatically installed whenever they become available. c. Users can disable or circumvent updates just as they can if their computer is configured to use the vendor's online update service. d. Administrators can approve or decline updates for client systems, force updates to install by a specific date, and obtain reports on what updates each computer needs.

Users can disable or circumvent updates just as they can if their computer is configured to use the vendor's online update service.

What statement is FALSE concerning antivirus? a. Many AV products use signature-based monitoring, called static analysis, and use only virus signatures b. Dynamic analysis is also called heuristic monitoring, where many indicators are used to determine a virus c. On average, AV software is only 85% effective at detecting malware d. AV software can examine a computer for file-based virus infections and monitor computer activity.

c. On average, AV software is only 85% effective at detecting malware (it is only 25% effective)

Securing endpoint computers primarily involves three major tasks. Which of the following is NOT one of the three major tasks? a. Hardening it for even greater protection b. Confirming that the computer has started securely c. Provisioning for increased zero-day exploits d. Protecting the computer from attacks

c. Provisioning for increased zero-day exploits

SecDevOps applies automated courses of action to develop code as quickly and securely as possible. Which of the following is NOT an automated course of action? a. Continuous monitoring b. Continuous validation c. Continuous deterrent d. Continuous deployment

a. Continuous deterrent

A typical OS security configuration should include all but one of the following: a. Employing least functionality b. Disabling the Administrator from the ability to login c. Disabling default accounts/passwords d. Disabling unnecessary ports and services

a. Disabling the Administrator from the ability to login

Which of the following is an application protocol for exchanging cyberthreat intelligence over HTTPS? a. STIX b. AIP-TAR c. TAXII d. TCP-Over-Secure (ToP)

TAXII. Trusted Automated Exchange of Intelligence Information (TAXII) is an application protocol for exchanging cyberthreat intelligence over Hypertext Transfer Protocol Secure (HTTPS). TAXII defines an application programming interface (API) and a set of requirements for TAXII clients and servers.

Which of the following is NOT a limitation of a threat map? a. Many maps claim that they show data in real time, but most are simply a playback of previous attacks. b. Because threat maps show anonymized data, it is impossible to know the identity of the attackers or the victims. c. They can be difficult to visualize. d. Threat actors usually mask their real locations, so what is displayed on a threat map is incorrect.

They can be difficult to visualize. A cybersecurity threat map illustrates cyberthreats overlaid on a diagrammatic representation of a geographical area.

Which boot security mode sends information on the boot process to a remote server? a. UEFI Native Mode b. Secure Boot c. Trusted Boot d. Measured Boot

d. Measured Boot. In Measured Boot, the computer's firmware logs the boot process so the OS can send the log to a trusted server to assess its security, providing the highest degree of boot security.
