Quiz: Module 04 Endpoint and Application Development Security


Which boot security mode sends information on the boot process to a remote server? a. Secure Boot b. Measured Boot c. Trusted Boot d. UEFI Native Mode

Measured Boot The computer's firmware logs the boot process so the OS can send the log to a trusted server that assesses its security; Measured Boot provides the highest degree of boot security.

What are the two concerns about using public information sharing centers? a. Regulatory approval and sharing b. Cost and availability c. Privacy and speed d. Security and privacy

Privacy and speed There are generally two concerns around public information sharing centers. These are the privacy of shared information and the speed at which the information is shared.

Which of the following is an application protocol for exchanging cyberthreat intelligence over HTTPS? a. AIP-TAR b. STIX c. TCP-Over-Secure (ToP) d. TAXII

TAXII Trusted Automated Exchange of Intelligence Information (TAXII) is an application protocol for exchanging cyberthreat intelligence over Hypertext Transfer Protocol Secure (HTTPS). TAXII defines an application programming interface (API) and a set of requirements for TAXII clients and servers.

Which privacy protection uses four colors to indicate the expected sharing limitations that are to be applied by recipients of the information? a. CISA b. PCII c. FOIA d. TLP

TLP TLP uses four colors (red, amber, green, and white) to indicate the expected sharing limitations that are to be applied by the recipients.

Which of these is a list of preapproved applications? a. Greenlist b. Blacklist c. Redlist d. Whitelist

Whitelist Whitelisting is approving in advance only specific applications to run on the OS so that any item not approved is either restricted or denied.

Which of the following is NOT a limitation of a threat map? a. Because threat maps show anonymized data it is impossible to know the identity of the attackers or the victims. b. Many maps claim that they show data in real time, but most are simply a playback of previous attacks. c. Threat actors usually mask their real locations so what is displayed on a threat map is incorrect. d. They can be difficult to visualize.

They can be difficult to visualize. A cybersecurity threat map illustrates cyberthreats overlaid on a diagrammatic representation of a geographical area.

Which model uses a sequential design process? a. Secure model b. Rigid model c. Agile model d. Waterfall model

Waterfall model The waterfall model uses a sequential design process: as each stage is fully completed, the developers then move on to the next stage. This means that once a stage is finished, developers cannot go back to a previous stage without starting all over again.

What are the two limitations of private information sharing centers? a. Bandwidth and CPU b. Government approval and cost c. Timing of reports and remote access d. Access to data and participation

Access to data and participation Organizations that participate in closed-source information sharing are part of private information sharing centers, which restrict both access to data and participation.

Which of the following is NOT an important OS security configuration? a. Disabling default accounts b. Disabling unnecessary services c. Restricting patch management d. Employing least functionality

Restricting patch management Patch management should not be restricted on an OS.

Which of the following is NOT an advantage to an automated patch update service? a. Administrators can approve or decline updates for client systems, force updates to install by a specific date, and obtain reports on what updates each computer needs. b. Downloading patches from a local server instead of using the vendor's online update service can save bandwidth and time because each computer does not have to connect to an external server. c. Users can disable or circumvent updates just as they can if their computer is configured to use the vendor's online update service. d. Specific types of updates that the organization does not test, such as hotfixes, can be automatically installed whenever they become available.

Users can disable or circumvent updates just as they can if their computer is configured to use the vendor's online update service. Allowing users to disable or circumvent patch downloads is not an advantage.

What type of analysis is heuristic monitoring based on? a. Input analysis b. Dynamic analysis c. Static analysis d. Code analysis

Dynamic analysis A newer approach to AV is heuristic monitoring (called dynamic analysis), which uses a variety of techniques to spot the characteristics of a virus instead of attempting to make matches.

Which of the following tries to detect and stop an attack? a. HIPS b. SOMA c. HIDS d. RDE

HIPS A host intrusion prevention system (HIPS) monitors endpoint activity and reacts immediately to block a malicious attack by following specific rules. Activity that a HIPS watches for includes events that attempt to control other programs, terminate programs, and install devices and drivers. When a HIPS blocks an action, it alerts the user so an appropriate decision about what to do can be made.

Which of the following is FALSE about a quarantine process? a. It can send a sanitized version of the attachment. b. It holds a suspicious application until the user gives approval. c. It is most often used with email attachments. d. It can send a URL to the document that is on a restricted computer.

It holds a suspicious application until the user gives approval. The quarantine process does not ask the user for approval.

What is the advantage of a secure cookie? a. It is analyzed by AV before it is transmitted. b. It only exists in RAM and is deleted once the web browser is closed. c. It is sent to the server over HTTPS. d. It cannot be stored on the local computer without the user's express permission.

It is sent to the server over HTTPS. This cookie is only sent to the server with an encrypted request over the secure HTTPS protocol. This prevents an unauthorized person from intercepting a cookie that is being transmitted between the browser and the web server.

An IOC occurs when what metric exceeds its normal bounds? a. EXR b. LRG c. KRI d. IRR

KRI A KRI is a metric of the upper and lower bounds of specific indicators of normal network activity. These indicators may include the total network logs per second, the number of failed remote logins, network bandwidth, and outbound email traffic. Once a KRI exceeds its normal bounds, this could be (but is not always) evidence of an indicator of compromise (IOC). An IOC shows that malicious activity is occurring but is still in the early stages of an attack.

What does Windows 10 Tamper Protection do? a. Limits access to the registry b. Prevents any updates to the registry until the user approves the update. c. Compresses and locks the registry d. Creates a secure backup copy of the registry

Limits access to the registry The Windows 10 Tamper Protection security feature prevents Windows security settings from being changed or disabled by a threat actor who modifies the registry. Instead, the security settings can only be accessed directly through the Windows 10 user interface or through enterprise management software.

Which stage conducts a test that will verify the code functions as intended? a. Staging stage b. Production stage c. Testing stage d. Development stage

Staging stage The staging stage tests to verify that the code functions as intended.

Which of the following is not an improvement of UEFI over BIOS? a. Stronger boot security b. Access larger hard drives c. Support of USB 3.0 d. Networking functionality in UEFI

Support of USB 3.0 USB 3.0 is not dependent on UEFI.

Oskar has been receiving emails about critical threat intelligence information from a public information sharing center. His team leader has asked him to look into how the process can be automated so that the information can feed directly into their technology security. What technology will Oskar recommend? a. Linefeed Access b. Lightwire JSON Control c. Automated Indicator Sharing (AIS) d. Bidirectional Security Protocol (BSP)

Automated Indicator Sharing (AIS) Critical threat intelligence information should be distributed as quickly as possible to others. To rely on email alerts that require a human to read them and then react takes far too much time. As an alternative, Automated Indicator Sharing (AIS) can be used instead. AIS enables the exchange of cyberthreat indicators between parties through computer-to-computer communication and not email communication.

Luka has been asked by his supervisor to monitor the dark web for any IOCs concerning their organization. The next week, Luka reports back that he was unable to find anything because looking for information on the dark web is different from using the regular web. Which of the following is not different about looking for information on the dark web? a. Dark web search engines are identical to regular search engines. b. Dark web merchants open and close their sites without warning. c. It is necessary to use Tor or I2P. d. The naming structure is different on the dark web.

Dark web search engines are identical to regular search engines. Dark web search engines are very different from regular search engines.
