Module 4 - Endpoint and Application Development Security Flashcards
An indicator of compromise (IOC) occurs when what metric exceeds its normal bounds?
key risk indicators (KRIs) - a KRI is a metric of the upper and lower bounds of specific indicators of normal network activity
an IOC shows that a malicious activity is occurring but is still in the early stages of an attack
What are the 2 concerns about using public information sharing centers?
privacy and speed
an organization that is the victim of an attack must be careful not to share proprietary or sensitive information when providing IOCs and attack details
threat intelligence information must be distributed as quickly as possible to others; relying on email alerts that require a human to read them and then react takes far too much time
Which privacy protection uses four colors to indicate the expected sharing limitations that are to be applied by recipients of the information?
Traffic Light Protocol (TLP) - TLP is a set of designations used to ensure that sensitive information is shared only with the appropriate audience; TLP uses four colors (red, amber, green and white) to indicate the expected sharing limitations the recipients should apply
TLP is a privacy protection of the Cyber Information Sharing and Collaboration Program (CISCP)
Oskar has been receiving emails about critical threat intelligence information from a public information sharing center. His team leader has asked him to look into how the process can be automated so that the information can feed directly into the team’s security technology. What technology would Oskar recommend?
Automated Indicator Sharing (AIS) - AIS enables the exchange of cyber-threat indicators between parties through computer-to-computer communication, not email communication; threat indicators such as malicious IP addresses or the sender address of a phishing email can be quickly distributed to enable others to repel these attacks
Which of the following is an application protocol for exchanging cyber-threat intelligence over HTTPS?
a) STIX
b) AIP-TAR
c) TAXII
d) TCP - Over-Secure (ToP)
Trusted Automated Exchange of Intelligence Information (TAXII) - is an application protocol for exchanging cyber-threat intelligence over HTTPS; TAXII defines an application protocol interface (API) and a set of requirements for TAXII clients and servers
Which of the following is NOT a limitation of a threat map?
a) many maps claim that they show data in real-time, but most are simply a playback of previous attacks
b) because threat maps show anonymized data, it is impossible to know the identity of the attackers or the victims
c) they can be difficult to visualize
d) threat actors usually mask their real locations, so what is displayed on a threat map is incorrect
C - they can be difficult to visualize
What are the two limitations of private information sharing centers?
access to data and participation
whereas private sharing centers are similar to public sharing centers in that members share threat intelligence information, insights, and best practices, private sharing centers are restrictive regarding who may participate
Luka has been asked by his supervisor to monitor the dark web for any IOCs concerning their organization. The next week, Luka reports that he was unable to find anything because looking for information on the dark web is different from using the regular web. Which of the following is FALSE about looking for information on the dark web?
a) it is necessary to use Tor or I2P
b) dark web search engines are identical to regular search engines
c) dark web merchants open and close their sites without warning
d) the naming structure is different on the dark web
B - dark web search engines are identical to regular search engines
dark web search engines are difficult to use and notoriously inaccurate; one reason is that merchants who buy and sell stolen data or illicit drugs are constantly on the run, and their dark websites appear and suddenly disappear with no warning
Which of the following is NOT an improvement of UEFI over BIOS?
a) UEFI Native Mode
b) Secure Boot
c) Trusted Boot
d) Measured Boot
A - UEFI Native Mode
uses UEFI standards for boot functions; security boot modules can be patched or updated as needed; no validation or protection of the boot process
Which boot security mode sends information on the boot process to a remote server?
Measured Boot - the computer’s firmware logs the boot process so the OS can send it to a trusted server to assess the security; this provides the highest degree of security; could slow down the boot process
Which of the following is NOT an important OS security configuration?
a) employing least functionality
b) disabling default accounts
c) disabling unnecessary services
d) restricting patch management
D - restricting patch management
Which stage conducts a test that will verify the code functions as intended?
Staging - the staging stage tests to verify that the code functions as intended
Which model uses a sequential design process?
waterfall model
uses a sequential design process: as each stage is fully completed, the developers move on to the next stage; this means that once a stage is finished, developers cannot go back to a previous stage without starting all over again; this makes any issues uncovered by quality assurance difficult to address, since QA comes at the end of the process; the waterfall model demands extensive planning at the very beginning and requires that the plan be followed carefully
Which of the following is NOT an advantage of an automated patch update service?
a) downloading patches from a local server instead of using the vendor’s online update service can save bandwidth and time because each computer does not have to connect to an external server
b) administrators can approve updates for “detection” only; this allows them to see which computers require the update without installing it
c) users can disable or circumvent updates just as they can if their computer is configured to use the vendor’s online update service
d) administrators can approve or decline updates for client systems, force updates to install by a specific date and obtain reports on what updates each computer needs
C - users can disable or circumvent updates just as they can if their computer is configured to use the vendor’s online update service
What type of analysis is heuristic monitoring based on?
dynamic analysis - uses a variety of techniques to spot the characteristics of a virus instead of attempting to make matches; the difference between static analysis and dynamic analysis detection is similar to how airport security personnel in some nations screen for terrorists; a known terrorist attempting to go through security can be identified by comparing his face against photographs of known terrorists (static analysis); for a terrorist with no photograph on file, security personnel can look at the person’s characteristics - holding a one-way ticket, not checking luggage, showing extreme nervousness - as possible indicators that the individual may need to be questioned (dynamic analysis)
Which of these is a list of pre-approved applications?
a) greenlist
b) redlist
c) blacklist
d) whitelist
D - whitelist
What is the advantage of a secure cookie?
this type of cookie is only sent to the server with an encrypted request over the secure HTTPS protocol; this prevents unauthorized persons from intercepting a cookie that is being transmitted between the browser and the web server
Which of the following tries to detect and stop an attack?
a) HIDS
b) HIPS
c) RDE
d) SOMA
B - Host Intrusion Prevention System (HIPS)
monitors endpoint activity to immediately block a malicious attack by following specific rules; activity that HIPS watches for includes an event that attempts to control other programs, terminate programs, and install devices and drivers; one of the drawbacks of HIPS is a high number of false positives can be generated; both legitimate and malicious programs often access the same resource, and each can cause a HIPS to then block the action
What does Windows 10 Tamper Protection do?
prevents any updates to the registry until the user approves the update
prevents Windows security settings from being changed or disabled by a threat actor who modifies the registry; instead, the security settings can only be accessed directly through the Windows 10 user interface or through enterprise management software
Which of the following is FALSE about a quarantine process?
a) it holds a suspicious application until the user gives approval
b) it can send a sanitized version of the attachment
c) it can send a URL to the document that is on a restricted computer
d) it is most often used with email attachments
A - it holds a suspicious application until the user gives approval; the quarantine process holds suspicious documents, not applications
What is an Indicator of Compromise (IOC)?
an IOC shows that a malicious activity is occurring but is still in the early stages of an attack
KRIs exceeding normal bounds could be (but not always) an IOC
What is predictive analysis?
discovering an attack before it occurs
IOC information that is available can assist companies in their predictive analysis by looking at what other companies have experienced in the past to indicate what a company may experience in the future
What are the two categories of threat intelligence sources and give examples of each.
the two categories are open source and closed source
open source threat intelligence information is freely available; also known as OSINT (Open Source Intelligence), OSINT has become a vital resource; this information is often collected and disseminated through public information sharing centers; a typical sharing center enables actionable, relevant and timely unclassified information exchange through trusted public-private partnerships across all critical infrastructure sectors; two concerns around public information sharing centers are privacy and speed
closed source threat intelligence is the opposite of open source; it is proprietary; organizations that participate in closed source information sharing are part of private information sharing centers; these types of sharing centers restrict both access to data and participation
What is Automated Indicator Sharing (AIS) and what are the 2 tools that help facilitate AIS?
Automated Indicator Sharing (AIS) enables exchange of cyber-threat indicators between parties through computer-to-computer communication, not email communication; threat indicators such as malicious IP addresses or the sender address of a phishing email can be quickly distributed to enable others to repel these attacks; AIS assists with the speed at which threat intelligence information is distributed
the 2 tools that help facilitate AIS are Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Intelligence Information (TAXII)
STIX is a language and format used to exchange cyber-threat intelligence; all information about a threat can be represented with objects and descriptive relationships; STIX information can be visually represented for a security analyst to view or stored in a lightweight format to be used by a computer
TAXII is an application protocol for exchanging cyber-threat intelligence over HTTPS; TAXII defines an application protocol interface (API) and a set of requirements for TAXII clients and servers