Appendix A. Answers to the “Do I Know This Already?” Quizzes and Review Questions
Chapter 1
Do I Know This Already?
1. D. Proprietary/closed-source intelligence sources are those that are not publicly available and usually require a fee to access. Examples of this are platforms maintained by private organizations that supply constantly updating intelligence information. In many cases this data is developed from all of the provider’s customers and other sources.
2. A. Trusted Automated eXchange of Indicator Information (TAXII) is an application protocol for exchanging cyber threat information (CTI) over HTTPS. It defines two primary services, Collections and Channels.
3. B. Because zero-day attacks occur before a fix or patch has been released, it is difficult to prevent them. As with many other attacks, keeping all software and firmware up to date with the latest updates and patches is important.
4. C. Hacktivists are activists for a cause, such as animal rights, that use hacking as a means to get their message out and affect the businesses that they feel are detrimental to their cause.
5. B. Collection is the stage in which most of the hard work occurs. It is also the stage at which recent advances in artificial intelligence (AI) and automation have changed the game. It’s time-consuming work that involves web searches, interviews, identifying sources, and monitoring, to name a few activities.
6. B. Commodity malware is malware that is widely available either for purchase or by free download. It is not customized or tailored to a specific attack. It does not require complete understanding of its processes and is used by a wide range of threat actors with a range of skill levels.
7. A. In the healthcare community, where protection of patient data is legally required by HIPAA, an example of a sharing platform is H-ISAC (Health Information Sharing and Analysis Center). It is a global operation focused on sharing timely, actionable, and relevant information among its members, including intelligence on threats, incidents, and vulnerabilities.
Review Questions
1. Possible answers can include the following:
• Print and online media
• Internet blogs and discussion groups
• Unclassified government data
• Academic and professional publications
• Industry group data
2. Structured Threat Information eXchange (STIX). While STIX was originally sponsored by the office of Cybersecurity and Communications within the U.S. Department of Homeland Security, it is now under the management of the Organization for the Advancement of Structured Information Standards (OASIS), a nonprofit consortium that seeks to advance the development, convergence, and adoption of open standards for the Internet.
3. STIX: An XML-based programming language that can be used to communicate cybersecurity data among those using the language.
OpenIOC: An open framework that is designed for sharing threat intelligence information in a machine-readable format.
Cyber Intelligence Analytics Platform (CAP) v2.0: Uses its proprietary artificial intelligence and machine learning algorithms to help organizations unravel cyber risks and threats and enables proactive cyber posture management.
4. Insider. Insiders who are already inside the network perimeter and already know the network are a critical danger.
5. The models are as follows:
• Hub and spoke: One central clearinghouse
• Source/subscriber: One organization is the single source of information
• Peer-to-peer: Multiple organizations share their information
6. Hacktivists. are activists for a cause, such as animal rights, that use hacking as a means to get their message out and affect the businesses that they feel are detrimental to their causes.
7. Zero-day: Threat with no known solution
APT: Threat carried out over a long period of time
Terrorist: Hacks not for monetary gain but simply to destroy or deface
8. Nation-state. Nation-state or state sponsors are usually foreign governments. They are interested in pilfering data, including intellectual property and research and development data, from major manufacturers, tech companies, government agencies, and defense contractors. They have the most resources and are the best organized of any of the threat actor groups.
9. Requirements. Before beginning intelligence activities, security professionals must identify what the immediate issue is and define as closely as possible the requirements of the information that needs to be collected and analyzed. This means the types of data to be sought is driven by what we might fear the most or by recent breaches or issues. The amount of potential information may be so vast that unless we filter it to what is relevant, we may be unable to fully understand what is occurring in the environment.
10. CISA. The Cybersecurity and Infrastructure Security Agency (CISA) maintains a number of chartered organizations, among them the Aviation Government Coordinating Council.
Chapter 2
Do I Know This Already?
1. C. MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations. It is an open system, and attack matrices based on it have been created for various industries. It is designed as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
2. A. Some threat intelligence data is generated from past activities. Reputational scores may be generated for traffic sourced from certain IP address ranges, domain names, and URLs.
3. C. First, you must have a grasp of the capabilities of the attacker or adversary. Threat actors have widely varying capabilities. When carrying out threat modeling, you may decide to develop a more comprehensive list of threat actors to help in scenario development.
4. B. Security engineering is the process of architecting security features into the design of a system or set of systems. It has as its goal an emphasis on security from the ground up, sometimes stated as “building in security.” Unless the very latest threats are shared with this function, engineers cannot be expected to build in features that prevent threats from being realized.
Review Questions
2. adversary. Adversary focuses on the intent of the attack.
3. Behavioral. Some threat intelligence data is based not on reputation but on the behavior of the traffic in question. Behavioral analysis is another term for anomaly analysis.
4. indicator of compromise (IoC). An IoC is any activity, artifact, or log entry that is typically associated with an attack of some sort.
5. Examples include the following:
• Virus signatures
• Known malicious file types
• Domain names of known botnet servers
An indicator of compromise (IoC) is any activity, artifact, or log entry that is typically associated with an attack of some sort.
7. Pr:L stands for Privileges Required, where L stands for Low and the attacker requires privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. The Common Vulnerability Scoring System (CVSS) is a system of ranking vulnerabilities that are discovered based on predefined metrics. This system ensures that the most critical vulnerabilities can be easily identified and addressed after a vulnerability test is met.
8. Base
CVSS is composed of three metric groups:
• Base: Characteristics of a vulnerability that are constant over time and user environments
• Temporal: Characteristics of a vulnerability that change over time but not among user environments
• Environmental: Characteristics of a vulnerability that are relevant and unique to a particular user’s environment
9. AV. Attack Vector (AV) describes how the attacker would exploit the vulnerability and has four possible values:
• L: Stands for Local and means that the attacker must have physical or logical access to the affected system
• A: Stands for Adjacent network and means that the attacker must be on the local network
• N: Stands for Network and means that the attacker can cause the vulnerability from any network
• P: Stands for Physical and requires the attacker to physically touch or manipulate the vulnerable component
Chapter 3
Do I Know This Already?
1. C. The relative value of the information that could be discovered through the compromise of the components under assessment helps to identify the number and type of resources that should be devoted to the issue.
2. A. A true positive occurs when the scanner correctly identifies a vulnerability. True means the scanner is correct and positive means it identified a vulnerability.
3. A. The patch management life cycle includes the following steps:
Step 1. Determine the priority of the patches and schedule the patches for deployment.
Step 2. Test the patches prior to deployment to ensure that they work properly and do not cause system or security issues.
Step 3. Install the patches in the live environment.
Step 4. After patches are deployed, ensure that they work properly.
4. D. While running a scan does distract from day-to-day operations, it is not considered to be a risk. Failure to scan actually increases risk.
5. B. A memorandum of understanding (MOU) is a document that, while not legally binding, indicates a general agreement between the principals to do something together. An organization may have MOUs with multiple organizations, and MOUs may in some instances contain security requirements that inhibit or prevent the deployment of certain measures.
Review Questions
1. Asset criticality. Data and assets should be classified based on their value to the organization and their sensitivity to disclosure. Assigning a value to data and assets allows an organization to determine the resources that should be used to protect them
2. Acceptable answers include the following:
• Will you be able to recover the data in case of disaster?
• How long will it take to recover the data?
• What is the effect of this downtime, including loss of public standing?
Criticality is a measure of the importance of the data. Data that is considered sensitive may not necessarily be considered critical. Assigning a level of criticality to a particular data set requires considering the answers to the preceding questions
3. Passive. The biggest benefit of a passive vulnerability scanner is its ability to do its work without impacting the monitored network. Some examples of PVSs are the Nessus Network Monitor (formerly Tenable PVS) and NetScanTools Pro.
True means the scanner is correct in its assessment and false means it is incorrect. Positive means a vulnerability was detected and negative means that one was not detected.
5. Configuration baselines. A baseline is a floor or minimum standard that is required. With respect to configuration baselines, they are security settings that are required on devices of various types. These settings should be driven by results of vulnerability and risk management processes.
6. Step 1. Determine the priority of the patches and schedule the patches for deployment.
Step 2. Test the patches prior to deployment to ensure that they work properly and do not cause system or security issues.
Step 3. Install the patches in the live environment.
Step 4. After the patches are deployed, ensure that they work properly.
To ensure that all devices have the latest patches installed, you should deploy a formal system to ensure that all systems receive the latest updates after thorough testing in a non-production environment.
7. Compensating control. A compensating control, also known as a countermeasure or safeguard, reduces the potential risk.
8. Acceptable answers include the following:
• Remove unnecessary applications.
• Disable unnecessary services.
• Block unrequired ports.
• Tightly control the connecting of external storage devices and media (if it’s allowed at all).
Another of the ongoing goals of operations security is to ensure that all systems have been hardened to the extent that is possible and still provide functionality. The hardening can be accomplished both on physical and logical bases.
In many cases the response is dictated by balancing the value of the information against the cost of the countermeasure.
10. Acceptable answers include the following:
• A false sense of security can be introduced because scans are not error free.
• Many tools rely on a database of known vulnerabilities and are only as valid as the latest update.
• Identifying vulnerabilities does not in and of itself reduce your risk or improve your security.
While vulnerability scanning is an advisable and valid process, these risks should be noted.
Chapter 4
Do I Know This Already?
1. B. Synthetic transaction monitoring, which is a type of proactive monitoring, uses external agents to run scripted transactions against an application. This type of monitoring is often preferred for websites and applications.
2. B. Qualys is an example of a cloud-based vulnerability scanner. Sensors are placed throughout the network, and they upload data to the cloud for analysis.
3. C. The steps in the software development life cycle (SDLC) are
Step 1. Plan/initiate project
Step 2. Gather requirements
Step 3. Design
Step 4. Develop
Step 5. Test/validate
Step 6. Release/maintain
Step 7. Certify/accredit
Step 8. Perform change management and configuration management/replacement
4. C. Network enumeration is the process of discovering and listing pieces of information that might be helpful in a network attack or compromise.
5. B. Aircrack-ng focuses on these areas of Wi-Fi security:
• Monitoring: Packet capture and export of data to text files for further processing by third-party tools
• Attacking: Replay attacks, deauthentication, fake access points, and others via packet injection
• Testing: Checking Wi-Fi cards and driver capabilities (capture and injection)
• Cracking: WEP and WPA PSK (WPA1 and 2)
6. B. ScoutSuite is a data collection tool that allows you to use longitudinal survey panels to track and monitor the cloud environment. ScoutSuite is open source and utilizes APIs made available by the cloud provider.
Review Questions
1. Open Web Application Security Project (OWASP). OWASP produces an interception proxy called Zed Attack Proxy (ZAP).
3. Possible answers are as follows:
• Installation costs are low because there is no installation and configuration for the client to complete.
• Maintenance costs are low because there is only one centralized component to maintain, and it is maintained by the vendor (not the end client).
• Upgrades are included in a subscription.
• Costs are distributed among all customers.
• It does not require the client to provide onsite equipment.
In the cloud-based approach, the vulnerability management platform is in the cloud.
4. Answer:
Step 1. Plan/initiate project
Step 2. Gather requirements
Step 3. Design
Step 4. Develop
Step 5. Test/validate
Step 6. Release/maintain
Step 7. Certify/accredit
Step 8. Perform change management and configuration management/replacement
The software development life cycle (SDLC) is a set of ordered steps to help ensure that software is developed to enhance both security and functionality.
5. Static. Static code analysis is done without the code executing. Code review and testing must occur throughout the entire SDLC.
6. Acceptable answers are as follows:
• Data flow analysis: This analysis looks at runtime information while the software is in a static state.
• Control flow graph: A graph of the components and their relationships can be developed and used for testing by focusing on the entry and exit points of each component or module.
• Taint analysis: This analysis attempts to identify variables that are tainted with user-controllable input.
• Lexical analysis: This analysis converts source code into tokens of information to abstract the code and make it easier to manipulate for testing purposes.
Static code review can be done with scanning tools that look for common issues. These tools can use a variety of approaches to find bugs.
8. Possible answers are as follows:
• Implement fuzz testing to help identify problems.
• Adhere to safe coding and project management practices.
• Deploy application-level firewalls.
10. Possible answers are as follows:
• Amazon Web Services (AWS)
• Microsoft Azure
• Google Cloud Platform
• Alibaba Cloud (alpha)
• Oracle Cloud Infrastructure (alpha)
ScoutSuite is a data collection tool that allows you to use longitudinal survey panels to track and monitor the cloud environment. It is open source and utilizes APIs made available by the cloud provider.
Chapter 5
Do I Know This Already?
1. B. USB On-The-Go (USB OTG) is a specification first used in late 2001 that allows USB devices, such as tablets and smartphones, to act as either a USB host or a USB device. With respect to smartphones, USB OTG has been used to hack around an iPhone security feature that requires a valid iPhone username and password to use a device after a factory reset.
2. A. The five groups of IoT deployments are as follows:
• Smart home: Includes products that are used in the home. They range from personal assistance devices, such as Amazon Alexa, to HVAC components, such as Nest thermostats. These devices are designed for home management and automation.
• Wearables: Includes products that are worn by users. They range from watches, such as the Apple Watch, to personal fitness devices, such as the Fitbit.
• Smart cities: Includes devices that help resolve traffic congestion issues and reduce noise, crime, and pollution. They include smart energy, smart transportation, smart data, smart infrastructure, and smart mobility devices.
• Connected cars: Includes vehicles that include Internet access and data sharing capabilities. Technologies include GPS devices, OnStar, and AT&T connected cars.
• Business automation: Includes devices that automate HVAC, lighting, access control, and fire detection for organizations.
3. C. An embedded system is a piece of software that is built into a larger piece of software and is in charge of performing some specific function on behalf of the larger system. The embedded part of the solution might address specific hardware communications and might require drivers to talk between the larger system and some specific hardware.
4. C. A real-time operating system (RTOS) is designed to process data as it comes in, typically without buffer delays. Traditionally, security hasn’t been a top concern in the design of RTOSs and, consequently, some vulnerabilities have surfaced. For example, VxWorks 6.5 and later versions have found to be susceptible to a vulnerability that allows remote attackers full control over targeted devices.
5. C. Systems-on-a Chip (SoCs) have become typical inside cell phone electronics for their reduced energy use. An example is a baseband processor. This is a chip in a network interface that manages all the radio functions. A baseband processor typically uses its own RAM and firmware.
6. B. A field programmable gate array (FPGA) is a type of programmable logic device (PLD) that is programmed by blowing fuse connections on the chip or using an antifuse that makes a connection when a high voltage is applied to the junction. (A PLD is an integrated circuit with connections or internal logic gates that can be changed through a programming process.)
7. C. With a mantrap, the user is authenticated at the first door and then allowed into the room. At that point, additional verification occurs (such as a guard visually identifying the person), and then the person is allowed through the second door.
8. A. HVAC systems usually use a protocol called Building Automation and Control Networks (BACnet), which is an application, network, and media access control (MAC) layer communications service. It can operate over a number of Layer 2 protocols, including Ethernet.
9. A. Controller Area Network (CAN bus) is designed to allow vehicle microcontrollers and devices to communicate with each other’s applications without a host computer.
10. B. Automation tools such as Puppet, Chef, and Ansible and scripting are automating once manual networking tasks such as log analyses, patch application, and intrusion prevention.
11. A. The Incident Command System (ICS) is designed to provide a way to enable effective and efficient domestic incident management by integrating a combination of facilities, equipment, personnel, procedures, and communications operating within a common organizational structure.
12. B. An industrial control system includes the following components:
• Sensors: Sensors typically have digital or analog I/O and are not in a form that can be easily communicated over long distances.
• Remote terminal units (RTUs): RTUs connect to the sensors and convert sensor data to digital data, including telemetry hardware.
• Programmable logic controllers (PLCs): PLCs connect to the sensors and convert sensor data to digital data; they do not include telemetry hardware.
• Telemetry system: Such a system connects RTUs and PLCs to control centers and the enterprise.
• Human interface: Such an interface presents data to the operator.
Review Questions
1. Possible answer include the following:
• Insecure web browsing
• Insecure Wi-Fi connectivity
• Lost or stolen devices holding company data
• Corrupt application downloads and installations
• Missing security patches
• Constant upgrading of personal devices
• Use of location services
While the most common types of corporate information stored on personal devices are corporate emails and company contact information, it is alarming to note that almost half of these devices also contain customer data, network login credentials, and corporate data accessed through business applications.
2. A lost or stolen device containing irreplaceable or sensitive data. Organizations should ensure that they can remotely wipe the device when this occurs.
4. The IoT has presented attackers with a new medium through which to carry out an attack. Often the developers of the IoT devices add the IoT functionality without thoroughly considering the security implications of such functionality or without building in any security controls to protect the IoT devices.
5. Geotagging. Geotagging is the process of adding geographical identification metadata to various media and is enabled by default on many smartphones (to the surprise of some users). In many cases, this location information can be used to locate where images, video, websites, and SMS messages originate.
7. Short Message Service (SMS) technologies present security challenges. Because messages are sent in clear text, both are susceptible to spoofing and spamming.
8. Possible answers include the following:
• Smart home: Includes products that are used in the home. They range from personal assistance devices, such as Amazon Alexa, to HVAC components, such as Nest thermostats. These devices are designed for home management and automation.
• Wearables: Includes products that are worn by users. They range from watches, such as the Apple Watch, to personal fitness devices, like the Fitbit.
• Smart cities: Includes devices that help resolve traffic congestion issues and reduce noise, crime, and pollution. They include smart energy, smart transportation, smart data, smart infrastructure, and smart mobility devices.
• Connected cars: Includes vehicles that include Internet access and data sharing capabilities. Technologies include GPS devices, OnStar, and AT&T connected cars.
• Business automation: Includes devices that automate HVAC, lighting, access control, and fire detection for organizations.
IoT deployments include a wide variety of devices, but are broadly categorized into these five groups.
9. mantrap. The user is authenticated at the first door and then allowed into the room. At that point, additional verification occurs (such as a guard visually identifying the person), and then the person is allowed through the second door.
10. BACnet/IP (B/IP). The BACnet standard makes exclusive use of MAC addresses for all data links, including Ethernet. To support IP, IP addresses are needed, which is why B/IP was developed.
Chapter 6
Do I Know This Already?
1. D. A hybrid cloud is a cloud computing model in which an organization provides and manages some resources in-house and has others provided externally via a public cloud. This model requires a relationship with the service provider as well as an in-house cloud deployment specialist.
2. B. With Platform as a Service (PaaS), the vendor provides the hardware platform or data center and the software running on the platform, including the operating systems and infrastructure software. The company is still involved in managing the system. An example of this is a company that contacts a third party to provide a development platform for internal developers to use for development and testing.
3. A. Function as a Service (FaaS) is an extension of Platform as a Service (PaaS) that goes further and completely abstracts the virtual server from the developers.
4. A. In another reordering of the way data centers are handled, Infrastructure as Code (IaC) manages and provisions computer data centers through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools.
5. A. In-memory processing is an approach in which all data in a set is processed from memory rather than from the hard drive. It assumes that all the data will be available in memory rather than just the most recently used data, as is usually done using RAM or cache memory. This results in faster reporting and decision making in business. Securing this requires encrypting the data in RAM. The Data Protection API (DPAPI) lets you encrypt data using the user’s login credentials.
6. A. NIST SP 800-57 REV. 5 contains recommendations for key management in three parts:
• Part 1: This publication covers general recommendations for key management.
• Part 2: This publication covers the best practices for a key management organization.
• Part 3: This publication covers the application-specific key management guidance.
7. B. Interfaces and application programming interfaces (APIs) tend to be the most exposed parts of a system because they’re usually accessible from the open Internet.
8. B. Without proper auditing, you have no accountability.
Review Questions
1. Software as a Service (SaaS). With SaaS, the vendor provides an end to end solution. The vendor may provide an email system, for example, in which it hosts and manages everything for the customer.
3. Possible answers are
• Lower cost
• Faster speed
• Risk reduction (remove errors and security violations)
In another reordering of the way data centers are handled, Infrastructure as Code (IaC) manages and provisions computer data centers through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools.
4. Application programming interfaces (APIs). With respect to APIs, a host of approaches—including Simple Object Access Protocol (SOAP), Representational State Transfer (REST), and JavaScript Object Notation (JSON)—are available, and many enterprises find themselves using all of them.
5. Internet of Things (IoT). APIs are used in the IoT so that devices can speak to each other without users even knowing they are there. APIs are used to control and monitor things we use every day, including fitness bands, home thermostats, lighting, and automobiles
6. Answer can include the following
• Function event data injection: Triggered not only through untrusted input such as through a web API call
• Broken authentication: Coding issues ripe for exploit and attacks, which lead to unauthorized authentication
• Insecure serverless deployment configuration: Human error in setup
• Over-privileged function permissions and roles: Failure to implement the least privilege concept
8. pre-operational. In the pre-operational phase, the keying material is not yet available for normal cryptographic operations. Keys may not yet be generated or are in the pre-activation state. System or enterprise attributes are established during this phase, as well
9. Possible answers are as follows:
• Data breaches: Although cloud providers may include safeguards in service-level agreements (SLAs), ultimately the organization is responsible for protecting its own data, regardless of where it is located. When this data is not in your hands—and you may not even know where it is physically located at any point in time—protecting your data is difficult.
• Authentication system failures: These failures allow malicious individuals into the cloud. This issue sometimes is made worse by the organization itself when developers embed credentials and cryptographic keys in source code and leave them in public-facing repositories.
• Weak interfaces and APIs: Interfaces and application programming interfaces (APIs) tend to be the most exposed parts of a system because they’re usually accessible from the open Internet.
10. Big data. Big data is a term for sets of data so large or complex that they cannot be analyzed by using traditional data processing applications. Specialized applications have been designed to help organizations with their big data. The big data challenges that may be encountered include data analysis, data capture, data search, data sharing, data storage, and data privacy.
Chapter 7
Do I Know This Already?
1. B. To address XML-based attacks, consider eXtensible Access Control Markup Language (XACML), which is a standard for an access control policy language using XML. Its goal is to create an attribute-based access control (ABAC) system that decouples the access decision from the application or the local machine.
2. A. A SQL injection attack inserts, or “injects,” a SQL query as the input data from the client to the application. This type of attack can result in reading sensitive data from the database, modifying database data, executing administrative operations on the database, recovering the content of a given file, and even issuing commands to the operating system.
3. C. A null-pointer dereference takes place when a pointer with a value of NULL is used as though it pointed to a valid memory area. If an attacker can intentionally trigger a null-pointer dereference, the attacker might be able to use the resulting exception to bypass security logic or to cause the application to reveal debugging information.
4. A. A race condition is an attack in which the hacker inserts himself between instructions, introduces changes, and alters the order of execution of the instructions, thereby altering the outcome. A type of race condition is time-of-check/time-of-use. In this attack, a system is changed between a condition check and the display of the check’s results
Review Questions
1. policy enforcement point (PEP). When the PEP receives a request from a subject, it creates an XACML request based on the attributes of the subject, the requested action, the resource, and other information.
3. Possible answers include the following:
• Attributes of the user requesting access (for example, all division managers in London)
• The protocol over which the request is made (for example, HTTPS)
• The authentication mechanism (for example, requester must be authenticated with a certificate)
By leveraging XACML, developers can remove authorization logic from an application and centrally manage access using policies that can be managed or modified based on business need without making any additional changes to the applications themselves.
4. Integer overflow. Integer overflow occurs when math operations try to create a numeric value that is too large for the available space. The register width of a processor determines the range of values that can be represented.
6. Possible answers include the following:
• Guessing the session ID: This involves gathering samples of session IDs and guessing a valid ID assigned to another user’s session.
• Using a stolen session ID: Although TLS/SSL connections hide these IDs, many sites do not require an SSL connection using session ID cookies. They also can be stolen through XSS attacks and by gaining physical access to the cookie stored on a user’s computer.
7. Steal a cookie from an authenticated user. Many websites allow and even incorporate user input into a web page to customize the web page. If a web application does not properly validate this input, one of two things could happen: the text may be rendered on the page, or a script may be executed when others visit the web page.
9. Possible answers include the following:
• Report the status of change processing.
• Document the functional and physical characteristics of each configuration item.
• Perform information capture and version control.
• Control changes to the configuration items, and issue versions of configuration items from the software library.
Although it’s really a subset of change management, configuration management specifically focuses itself on bringing order out of the chaos that can occur when multiple engineers and technicians have administrative access to the computers and devices that make the network function.
10. strcpy. It copies the C string pointed by source into the array pointed by destination, including the terminating null character (and stopping at that point). The issue is that if the destination is not long enough to contain the string we get an overrun.
Chapter 8
Do I Know This Already?
1. B. Multitenancy in a cloud does not necessarily prevent residual data of former tenants from being exposed in storage space assigned to new tenants. In fact, that is one of the dangers of multitenancy.
2. B. Geotagging involves marking a video, photo, or other digital media with a GPS location. This feature has received criticism recently because attackers can use it to pinpoint personal information, such as the location of a person’s home.
3. C. While systems in the DMZ typically require no authentication, the resources in the extranet do.
4. C. A bastion host may or may not be a firewall. The term actually refers to the position of any device. If the device is exposed directly to the Internet or to any untrusted network while screening the rest of the network from exposure, it is a bastion host.
5. B. Each request should not be approved as quickly as possible. Each request should be analyzed to ensure it supports all goals and polices.
6. A. A Type 1 hypervisor is virtualization software that is installed on hardware directly, which is why it is commonly called a bare metal hypervisor. A guest operating system runs on another level above the hypervisor. Examples of Type 1 hypervisors are Citrix XenServer, Microsoft Hyper-V, and VMware vSphere.
7. A. A newer approach to virtualization is referred to as container-based virtualization, also called operating system virtualization. Containerization is a technique in which the kernel allows for multiple isolated user space instances. The instances are known as containers, virtual private servers, or virtual environments.
8. C. Characteristic factor authentication is authentication that is provided based on something a person is. This type of authentication is referred to as a Type III authentication factor. Biometric technology is the technology that allows users to be authenticated based on physiological or behavioral characteristics.
9. B. A cloud security broker, or cloud access security broker (CASB), is a software layer that operates as a gatekeeper between an organization’s on-premise network and the provider’s cloud environment. It can provide many services in this strategic position.
10. B. The ultimate purpose of honeypot systems is to divert attention from more valuable resources and to gather as much information about an attack or attacker as possible.
11. C. According to NIST SP 800-137, information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
12. B. Hash functions do not prevent data alteration but provide the best method to determine whether data alteration has occurred.
13. C. Any participant that requests a certificate must first go through the registration authority (RA), which verifies the requestor’s identity and registers the requestor. After the identity is verified, the RA passes the request to the certificate authority (CA).
14. A. Hunt teams work together to detect, identify, and understand advanced and determined threat actors. A hunt team is a costly investment on the part of an organization.
Review Questions
1. Asset tagging. Asset tagging can also be a part of a more robust asset tracking system when implemented in such a way that the device can be tracked and located at any point in time.
2. Possible answers include DMZ, extranet, VLANs, and subnets. One of the best ways to protect sensitive resources is to utilize network segmentation. When you segment a network, you create security zones that are separated from one another by devices such as firewalls and routers that can be used to control the flow of traffic between the zones.
4. screened subnet. In a screened subnet, two firewalls are used, creating a subnet between them that is screened both from the internal network and the Internet.
5. Answers can include any of the three planes:
• The control plane carries signaling traffic originating from or destined for a router. This is the information that allows routers to share information and build routing tables.
• The data plane, also known as the forwarding plane, carries user traffic.
• The management plane administers the router.
7. Internet Security Association and Key Management Protocol (ISAKMP). ISAKMP creates a security association (SA) for each connection, enabling multiple IPsec connections at a time.
8. Possible answers are
• Data is encrypted.
• SSL/TLS is supported on all browsers.
• Users can easily identify its use (via https://).
SSL/TLS is often used to protect other protocols. Secure Copy Protocol (SCP), for example, uses SSL/TLS to secure file transfers between hosts.
10. Ownership factors. Ownership factor authentication is authentication that is provided based on something that a person has. This type of authentication is referred to as a Type II authentication factor.
Chapter 9
Do I Know This Already?
1. C. Most mobile device management (MDM) software can create an encrypted “container” to hold and quarantine corporate data separately from that of the users’ data. This allows for MDM policies to be applied only to that container and not to the rest of the device.
2. B. The software development life cycle steps are as follows:
Step 1. Plan/initiate project
Step 2. Gather requirements
Step 3. Design
Step 4. Develop
Step 5. Test/validate
Step 6. Release/maintain
Step 7. Certify/accredit
Step 8. Change management and configuration management/replacement
3. B. Traditionally, three main actors in the software development process—development (Dev), quality assurance (QA), and operations (Ops)—performed their functions separately, or operated in “silos.” In DevOps they work together on all steps of the process.
4. B. Regression testing is done to verify functionality after making a change to the software. Security regression testing is a subset of regression testing that validates that changes have not reduced the security of the application or opened new weaknesses.
5. C. Encoding is the process of changing data into another form using code. When this process is applied to output, it is done to prevent the inclusion of dangerous character types that might be inserted by malicious individuals.
6. B. Because a static state means the software is not running it is a type of code review.
7. B. Synthetic transaction monitoring, which is a type of proactive monitoring, is often preferred for websites and applications. It provides insight into the application’s availability and performance, warning of any potential issue before users experience any degradation in application behavior.
8. B. Formal methods can be used at a number of levels:
• Level 0: Formal specification may be undertaken and then a program developed from this informally. The least formal method. This is the least expensive to undertake.
• Level 1: Formal development and formal verification may be used to produce a program in a more formal manner. For example, proofs of properties or refinement from the specification to a program may be undertaken. This may be most appropriate in high-integrity systems involving safety or security.
• Level 2: Theorem provers may be used to undertake fully formal machine-checked proofs. This can be very expensive and is only practically worthwhile if the cost of mistakes is extremely high (e.g., in critical parts of microprocessor design).
9. D. Representational State Transfer (REST) is a client/server model for interacting with content on remote systems, typically using HTTP. It involves accessing and modifying existing content and also adding content to a system in a particular way
Review Questions
1. Corporate-owned, personally enabled (COPE). COPE is a strategy in which an organization purchases mobile devices and users manage those devices. By using a COPE strategy, organizations can often monitor and control the users’ activity to a larger degree than with personally owned devices.
2. Possible answers include the following:
1. Application vetting process
2. Application intake process
3. Application testing process
4. Application approval/rejection process
5. Results submission process
6. App Re-Vetting process
To help ensure that an app conforms to such requirements, a process for evaluating the security of apps should be performed
4. Representational State Transfer (REST). REST involves accessing and modifying existing content and also adding content to a system. REST does not require a specific message format during HTTP resource exchanges.
5. Possible answers include the following:
• Size: REST/JSON is a lot smaller and less bloated than SOAP/XML. Therefore, much less data is passed over the network, which is particularly important for mobile devices.
• Efficiency: REST/JSON makes it easier to parse data, thereby making it easier to extract and convert the data. As a result, it requires much less from the client’s CPU.
• Caching: REST/JSON provides improved response times and server loading due to support from caching.
• Implementation: REST/JSON interfaces are much easier than SOAP/XML to design and implement.
7. Stress testing. Stress testing determines the workload that the application can withstand. These tests should always have defined objectives before testing begins.
8. Possible answers include the following:
• Formal review: This is an extremely thorough, line-by-line inspection, usually performed by multiple participants using multiple phases. This is the most time-consuming type of code review but the most effective at finding defects.
• Lightweight review: This type of code review is much more cursory than a formal review. It is usually done as a normal part of the development process. It can happen in several forms:
• Pair programming: Two coders work side by side, checking one another’s work as they go.
• E-mail review: Code is e-mailed around to colleagues for them to review when time permits.
• Over the shoulder: Coworkers review the code while the author explains his or her reasoning.
• Tool-assisted: Using automated testing tools is perhaps the most efficient method.
10. URL encoding. Best known is the UTF-8 character encoding standard, which is a variable-length encoding (1, 2, 3, or 4 units of 8 bits, hence the name UTF-8).
Chapter 10
Do I Know This Already?
1. A. NIST SP 800-164 is a draft Special Publication that gives guidelines on hardware-rooted security in mobile devices. It defines three required security components for mobile devices: Roots of Trust (RoTs), an application programming interface (API) to expose the RoTs to the platform, and a Policy Enforcement Engine (PEnE).
2. B. An eFuse allows for the dynamic real-time reprogramming of computer chips. Utilizing a set of eFuses, a chip manufacturer can allow for the circuits on a chip to change while it is in operation.
3. C. The traditional BIOS has been replaced with the Unified Extensible Firmware Interface (UEFI). UEFI maintains support for legacy BIOS devices but is considered a more advanced interface than the traditional BIOS.
4. D. The Trusted Foundry program can help you exercise care in ensuring the authenticity and integrity of the components of hardware purchased from a vendor. This DoD program identifies “trusted vendors” and ensures a “trusted supply chain.”
5. A. A secure enclave is a part of an operating system that cannot be compromised even when the operating system kernel is compromised, because the enclave has its own CPU and is separated from the rest of the system.
6. B. Anti-tamper technology is designed to prevent access to sensitive information and encryption keys on a device. Anti-tamper processors, for example, store and process private or sensitive information, such as private keys or electronic money credit. The chips are designed so that the information is not accessible through external means and can be accessed only by the embedded software, which should contain the appropriate security measures, such as required authentication credentials.
7. A. Self-encrypting drives do exactly as the name implies: they encrypt themselves without any user intervention. It is so transparent to the user that the user may not even be aware the encryption is occurring. It uses a unique and random data encryption key (DEK).
8. A. Obtain firmware updates only from the vendor directly. Never use a third-party facilitator for this. Also make sure you verify the hash value that comes along with the update to ensure that it has not been altered since its creation.
9. D. Measured Boot, also known as Secure Boot, is a term that applies to several technologies that follow the Secure Boot standard. Its implementations include Windows Secure Boot, measured launch, and Integrity Measurement Architecture (IMA).
10. B. Bus encryption is necessary not only to prevent tampering of encrypted instructions that may be easily discovered on a data bus or during data transmission, but also to prevent discovery of decrypted instructions that may reveal security weaknesses that an intruder can exploit.
Review Questions
1. API. This provides application developers a set of security services and capabilities they can use to secure their applications and protect the data they process.
2. Possible answers include the following:
• Endorsement key (EK): The EK is persistent memory installed by the manufacturer that contains a public/private key pair.
• Storage root key (SRK): The SRK is persistent memory that secures the keys stored in the TPM.
• Attestation identity key (AIK): The AIK is versatile memory that ensures the integrity of the EK.
• Platform configuration register (PCR) hash: A PCR hash is versatile memory that stores data hashes for the sealing function.
• Storage keys: A storage key is versatile memory that contains the keys used to encrypt the computer’s storage, including hard drives, USB flash drives, and so on.
A TPM chip consists of both static memory and versatile memory that is used to retain the important information when the computer is turned off.
4. Secure Boot. Secure Boot requires that all boot loader components are found on the trusted list.
5. Intel Software Guard Extensions (SGX). It defines private regions of memory, called enclaves, whose contents are protected and unable to be either read or saved by any process outside the enclave itself, including processes running at higher privilege levels.
7. Integrity Measurement Architecture (IMA). Anchoring the list to the TPM chip in hardware prevents its compromise.
8. It prevents installing any other operating systems or running any live Linux media.
10. Unified Extensible Firmware Interface (UEFI). UEFI maintains support for legacy BIOS devices, but is considered a more advanced interface than traditional BIOS.
Chapter 11
Do I Know This Already?
1. A. Heuristics is often utilized by antivirus software to identify threats that signature analysis can’t discover because the threats either are too new to have been analyzed (called zero-day threats) or are multipronged attacks that are constructed in such a way that existing signatures do not identify them.
2. B. the identification of threats based on behavior that typically accompanies such threats is a characteristic of heuristics, not trend analysis.
3. C. According to NIST SP 800-128, endpoints (for example, laptops, desktops, mobile devices) are a fundamental part of any organizational system. Endpoints are an important source of connecting end users to networks and systems, and are also a major source of vulnerabilities and a frequent target of attackers looking to penetrate a network.
4. D. urlQuery is a free online service for testing and analyzing URLs, helping with identification of malicious content on websites.
5. A. Syslog provides a simple framework for log entry generation, storage, and transfer that any OS, security software, or application could use if designed to do so.
6. B. The purpose of determining the impact is to
• Identify what systems were impacted
• Determine what role the quality of the response played in the severity of the issue
• For the future, associate the attack type with the systems that were impacted
7. C. In a transitive or tracking rule, the target in the first event (N malware infection) becomes the source in the second event (malware infection of another machine). This is typically used in worm/malware outbreak scenarios.
8. D. String searches are used to look within a log file or data stream and locate any instances of that string. A string can be any combination of letters, numbers, and other characters.
9. A. DomainKeys Identified Mail (DKIM) enables you to verify the source of an e-mail. DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication.
Review Questions
1. mobile code. Organizations should exercise caution in allowing the use of mobile code such as ActiveX, Java, and JavaScript. An attacker can easily attach a script to a URL in a web page or e-mail that, when clicked, executes malicious code within the computer’s browser.
2. Answers can include the following:
• Boot sector: This type of virus infects the boot sector of a computer and either overwrites files or installs code into the sector so that the virus initiates at startup.
• Parasitic: This type of virus attaches itself to a file, usually an executable file, and then delivers the payload when the program is used.
• Stealth: This type of virus hides the modifications that it is making to the system to help avoid detection.
• Polymorphic: This type of virus makes copies of itself, and then makes changes to those copies. It does this in hopes of avoiding detection from antivirus software.
• Macro: This type of virus infects programs written in Word, Basic, Visual Basic, or VBScript that are used to automate functions. Macro viruses infect Microsoft Office files and are easy to create because the underlying language is simple and intuitive to apply. They are especially dangerous in that they infect the operating system itself. They also can be transported between different operating systems because the languages are platform independent.
• Multipartite: Originally, these viruses could infect both program files and boot sectors. This term now means that the virus can infect more than one type of object or can infect in more than one way.
• File or system infector: File infectors infect program files, and system infectors infect system program files.
• Companion: This type of virus does not physically touch the target file. It is also referred to as a spawn virus.
• E-mail: This type of virus specifically uses an e-mail system to spread itself because it is aware of the e-mail system functions. Knowledge of the functions allows this type of virus to take advantage of all e-mail system capabilities.
• Script: This type of virus is a stand-alone file that can be executed by an interpreter.
4. Secured memory. Based on the nature of data in a partition, the partition can be designated as a security-sensitive or a non-security-sensitive partition. In a security breach (such as tamper detection), the contents of a security-sensitive partition can be erased by the controller itself, while the contents of the non-security-sensitive partitions can remain unchanged.
5. Possible answers include the following:
• Phishing: A social engineering attack in which attackers try to learn personal information, including credit card information and financial data. This type of attack is usually carried out by implementing a fake website that very closely resembles a legitimate website. Users enter data, including credentials, on the fake website, allowing the attackers to capture any information entered.
• Spear phishing: A phishing attack carried out against a specific target by learning about the target’s habits and likes. Spear phishing attacks take longer to carry out than phishing attacks because of the information that must be gathered.
• Pharming: Similar to phishing, but pharming actually pollutes the contents of a computer’s DNS cache so that requests to a legitimate site are actually routed to an alternate site.
• Shoulder surfing: Occurs when an attacker watches a user enter login or other confidential data. Encourage users to always be aware of who is observing their actions. Implementing privacy screens helps ensure that data entry cannot be recorded.
• Identity theft: Occurs when someone obtains personal information, including driver’s license number, bank account number, and Social Security number, and uses that information to assume an identity of the individual whose information was stolen. After the identity is assumed, the attack can go in any direction. In most cases, attackers open financial accounts in the user’s name. Attackers also can gain access to the user’s valid accounts.
• Dumpster diving: Occurs when attackers examine garbage contents to obtain confidential information. This includes personnel information, account login information, network diagrams, and organizational financial data. Organizations should implement policies for shredding documents that contain this information.
7. NetFlow. The traffic information is exported using UDP packets to a NetFlow analyzer, which can then organize the information in useful ways.
8. Answers can include
• Facility: The source of the message. The source can be the operating system, the process, or an application.
• Severity: Rated using a numeric scale.
• Source: The log from which this entry came.
• Action: The action taken on the packet.
• Source: The source IP address and port number.
• Destination: The destination IP address and port number.
Syslog messages all follow the same format because they have, for the most part, been standardized.
10. DomainKeys Identified Mail (DKIM). DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication.
Chapter 12
Do I Know This Already?
1. C. Rights allow administrators to assign specific privileges and logon rights to groups or users. Rights manage who is allowed to perform certain operations on an entire computer or within a domain, rather than a particular object within a computer.
2. A. Whitelisting is the process of identifying what values are acceptable (IP addresses, e-mail addresses, MAC addresses, web URLs, file types) while excluding all others.
3. C. A blacklist constitutes the file types that are denied, so you must constantly update this with new malicious file types.
4. A. NGFWs are application aware, which means they can distinguish between specific applications instead of allowing all traffic coming in via typical web ports. Moreover, they examine packets only once, during the deep packet inspection phase (which is required to detect malware and anomalies).
5. A. A rule-based IPS is an expert system that uses a knowledge base, an inference engine, and rule-based programming. The knowledge is configured as rules.
6. B. Data loss prevention software uses ingress and egress filters to identify sensitive data that is leaving the organization and can prevent such leakage.
7. C. Endpoint detection and response is a proactive endpoint security approach designed to supplement existing defenses.
8. A. The goal of network access control is to examine all devices requesting network access for malware, missing security updates, and any other security issues the devices could potentially introduce to the network.
9. A. A sinkhole is a router designed to accept and analyze attack traffic. Sinkholes can be used to do the following:
• Draw traffic away from a target
• Monitor worm traffic
• Monitor other malicious traffic
10. B. Network security devices such as SIEM, IPS, IDS, and firewall systems must be able to recognize the malware when it is still contained in network packets before it reaches devices. This requires identifying a malware signature.
11. A. By using sandboxing tools, you can execute malware executable files without allowing the files to interact with the local system.
12. B. Port security applies to ports on a switch, and because it relies on monitoring the MAC addresses of the devices attached to the switch ports, it is considered to be Layer 2 security.
Review Questions
1. right. Rights allow administrators to assign specific privileges and logon rights to groups or users. Rights manage who is allowed to perform certain operations on an entire computer or within a domain, rather than on a particular object within a computer.
2. Possible answers include
Cannot prevent:
• IP spoofing
• Attacks that are specific to an application
• Attacks that depend on packet fragmentation
• Attacks that take advantage of the TCP handshake
4. Possible answers include the following:
• Secure addresses from exposure
• Support a multiprotocol environment
• Allow for comprehensive logging
5. Network data loss prevention (DLP). There are two locations where you can implement DLP:
• Network DLP: Installed at network egress points near the perimeter, network DLP analyzes network traffic.
• Endpoint DLP: Endpoint DLP runs on end-user workstations or servers in the organization.
7. Possible answers include the following:
• Encrypts only the password in the access request packet
• Does not support any of the following:
• Apple Remote Access protocol
• NetBIOS Frame Protocol Control protocol
• X.25 PAD connections
• Does not support securing the available commands on routers and switches
While RADIUS and TACACS+ perform the same roles, they have different characteristics. These differences must be taken into consideration when choosing a method. Keep in mind also that while RADIUS is a standard, TACACS+ is Cisco proprietary.
8. Sheep dip system. Another sandboxing option for studying malware is to set up a sheep dip computer.
10. Possible answers include the following:
• Install port monitors to discover ports used by the malware.
• Install file monitors to discover what changes may be made to files.
• Install network monitors to identify what communications the malware may attempt.
• Install one or more antivirus programs to perform malware analysis.
Chapter 13
Do I Know This Already?
1. A. The steps are as follows:
1. Ask a question.
2. Establish a hypothesis.
3. Conduct an experiment.
4. Analyze the results.
5. Make a conclusion.
2. A. The FBI has not singled out hacktivists as a major group and would probably include them in the category of terrorists since they seek to damage or deface in the name of a cause.
3. A. When the processor is very busy with very little or nothing running to generate the activity, it could be a sign that the processor is working on behalf of malicious software. Executable process analysis allows you to determine this. This is one of the key reasons any compromise is typically accompanied by a drop in performance.
4. A. The configuration lockdown setting helps support change control.
5. B. Some data requires special care and handling, especially when inappropriate handling could result in penalties, identity theft, financial loss, invasion of privacy, or unauthorized access by an individual or many individuals.
6. B. Attack Vector (AV) describes how the attacker would exploit the vulnerability and has three possible values:
• L: Stands for Local and means that the attacker must have physical or logical access to the affected system.
• A: Stands for Adjacent network and means that the attacker must be on the local network.
• N: Stands for Network and means that the attacker can cause the vulnerability from any network.
• P: Stands for Physical and requires the attacker to physically touch or manipulate the vulnerable component.
7. C. The Integrated Intelligence Center (IIC) is a unit at the Center for Internet Security (CIS) that focuses on merging cybersecurity and physical security to aid governments in dealing with emerging threats. IIC attempts to create predictive models using the multiple data sources at its disposal.
8. C. Implementation results are analyzed to determine if the implementation made a difference in Step 3, Check. Deming’s Plan–Do–Check–Act cycle steps are as follows:
1. Plan: Identify an area for improvement and make a formal plan to implement it.
2. Do: Implement the plan on a small scale.
3. Check: Analyze the results of the implementation to determine whether it made a difference.
4. Act: If the implementation made a positive change, implement it on a wider scale. Continuously analyze the results.
Review Questions
Applying the scientific method to proactive threat hunting, making an executed guess about the aims and nature of an attack is the first step. Then you conduct experiments (or gather more network data) to either prove or disprove the hypothesis. Then the process starts again with a new hypothesis if the old one has been disproved.
2. Possible answers include the following:
• Threat Modeling Tool (formerly SDL Threat Modeling Tool) identifies threats based on the STRIDE threat classification scheme.
• ThreatModeler identifies threats based on a customizable comprehensive threat library and is intended for collaborative use across all organizational stakeholders.
• IriusRisk offers both community and commercial versions of a tool that focuses on the creation and maintenance of a live threat model through the entire SDLC. It connects with several different tools to empower automation.
• securiCAD focuses on threat modeling of IT infrastructures using a computer-based design (CAD) approach where assets are automatically or manually placed on a drawing pane.
• SD Elements is a software security requirements management platform that includes automated threat modeling capabilities.
3. Executable process analysis. When the processor is very busy with very little or nothing running to generate the activity, it could be a sign that the processor is working on behalf of malicious software. Executable process analysis allows you to determine this.
5. The military/government data classification levels in order are as follows:
1. Top secret: Data that is top secret includes weapon blueprints, technology specifications, spy satellite information, and other military information that could gravely damage national security if disclosed.
2. Secret: Data that is secret includes deployment plans, missile placement, and other information that could seriously damage national security if disclosed.
3. Confidential: Data that is confidential includes patents, trade secrets, and other information that could seriously affect the government if unauthorized disclosure occurred.
4. Sensitive but unclassified: Data that is sensitive but unclassified includes medical or other personal data that might not cause serious damage to national security but could cause citizens to question the reputation of the government.
5. Unclassified: Military and government information that does not fall into any of the other four categories is considered unclassified and usually has to be granted to the public based on the Freedom of Information Act.
6. attack vector. Each attack vector can be thought of as a source of malicious content or a potentially vulnerable processor of that malicious content.
8. Possible answers include the following:
• Remove unnecessary applications.
• Disable unnecessary services.
• Block unrequired ports.
• Tightly control the connecting of external storage devices and media, if allowed at all.
Another of the ongoing goals of operations security is to ensure that all systems have been hardened to the extent possible and still provide functionality.
9. value, sensitivity. Data should be classified based on its value to the organization and its sensitivity to disclosure. Assigning a value to data allows an organization to determine the resources that should be used to protect the data.
Chapter 14
Do I Know This Already?
1. A. Workflow orchestration can be used in the security world. Examples include
• Dynamic incident response plans that adapt in real time
• Automated workflows to empower analysts and enable faster response
2. B. Common scripting languages include the following:
• bash: Used to work in the Linux interface
• Node js: Framework to write network applications using JavaScript
• Ruby: Great for web development
• Python: Supports procedure-oriented programming and object-oriented programming
• Perl: Found on all Linux servers, helps in text manipulation tasks
3. C. An API is a set of clearly defined methods of communication between various software components. As such, you should think of an API as a connection point that requires security consideration; for example, between your e-commerce site and a payment gateway.
4. C. Automated malware signature creation is an additional method of identifying malware. The antivirus software monitors incoming unknown files for the presence of malware and analyzes each file based on both classifiers of file behavior and classifiers of file content.
5. D. Data enrichment is a technique that allows one process to gather information from another process or source and then customize a response to a third process using the data from the second process or source.
6. A. Although threat feeds can tell you about malware out in the wild, it can’t tell you whether you are currently infected.
7. B. Automatic exploit generation (AEG) is the “first end-to-end system for fully automatic exploit generation,” according to the Carnegie Mellon Institute’s own description of its AI named Mayhem. Developed for off-the-shelf as well as the enterprise software being increasingly used in smart devices and appliances, AEG can find a bug and determine whether it is exploitable.
8. C. The Security Content Automation Protocol (SCAP) standardizes the nomenclature and formats used. A vendor of a security automation product can obtain a validation against SCAP, demonstrating that its product will interoperate with other scanners and express the scan results in a standardized way.
9. B. The idea behind continuous integration is to identity bugs as early as possible in the development process.
10. C. Continuous deployment/delivery takes continuous integration one step further, with every change that passes all stages of your production pipeline being released to your customers. This helps to improve the feedback loop.
Review Questions
1. Orchestration. Over time, orchestration has been increasingly used to automate processes that were formerly carried out manually by humans.
2. Possible answers include the following:
• Dynamic incident response plans that adapt in real time
• Automated workflows to empower analysts and enable faster response
Orchestration is the sequencing of events based on certain parameters by using scripting and scripting tools.
4. Windows PowerShell
5. Possible answers include the following:
• Common Configuration Enumeration (CCE): These are configuration best practice statements maintained by the National Institute of Standards and Technology (NIST).
• Common Platform Enumeration (CPE): These are methods for describing and classifying operating systems, applications, and hardware devices.
• Common Weakness Enumeration (CWE): These are design flaws in the development of software that can lead to vulnerabilities.
• Common Vulnerabilities and Exposures (CVE): These are vulnerabilities in published operating systems and applications software.
6. scripting. Examples of scripting tools are Puppet, Chef, and Ansible.
7. Possible answers include the following:
• Suspicious domains
• Lists of known malware hashes
• IP addresses associated with malicious activity
Threat intelligence feeds are constantly updating streams of indicators or artifacts derived from a source outside the organization.
9. Continuous integration. The idea behind this is to identify bugs as early as possible in the development process.
10. Possible answers include the following:
• Combine: Gathers threat intelligence feeds from publicly available sources
• Palo Alto Networks AutoFocus: Provides intelligence, correlation, added context, and automated prevention workflows
• Anomali ThreatStream: Helps deduplicate data, removes false positives, and feeds intelligence to security tools
• ThreatQuotient: Helps accelerate security operations with an integrated threat library and shared contextual intelligence
• ThreatConnect: Combines external threat data from trusted sources with in-house data
Using SIEM (or other aggregation tools) to aggregate threat feeds can also be beneficial.
12. Apps. In the VMware world, technicians can create what are called apps. Apps are groups of virtual machines (VMs) that are managed and orchestrated as a unit to provide a service to users.
Chapter 15
Do I Know This Already?
1. B. The content of these communications should be limited to what is necessary for each stakeholder to perform his or her role.
2. A. In the healthcare field, the HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information (PHI).
3. B. The role of the legal department is to perform the following:
• Review nondisclosure agreements (NDAs) to ensure support for incident response efforts.
• Develop wording of documents used to contact possibly affected sites and organizations.
• Assess site liability for illegal computer activity.
4. D. Public relations (PR) roles include the following:
• Handling all press conferences that may be held
• Developing all written responses to the outside world concerning an incident and its response
5. C. As part of the security measures that organizations must take to protect privacy, personally identifiable information (PII) must be understood, identified, and protected. PII is any piece of data that can be used alone or with other information to identify a single person.
6. D. Contracts are not considered intellectual property because they are not unique creations of the mind.
Review Questions
1. public relations. All information released to the public and the press should be handled by public relations or persons trained for this type of communication.
2. Possible answers include the following:
• Develop job descriptions for those persons who will be hired for positions involved in incident response.
• Create policies and procedures that support the removal of employees found to be engaging in improper or illegal activity.
HR should ensure that these activities are spelled out in policies and new hire documents as activities that are punishable by firing.
4. human resources (HR). The role of the HR department involves the following responsibilities in incident response:
• Develop job descriptions for those persons who will be hired for positions involved in incident response.
• Create policies and procedures that support the removal of employees found to be engaging in improper or illegal activity.
5. Possible answers include the following:
• Communicate the importance of the incident response plan to all parts of the organization.
• Create agreements that detail the authority of the incident response team to take over business systems if necessary.
• Create decision systems for determining when key systems must be removed from the network.
The most important factor in the success of an incident response plan is the support, both verbal and financial (through the budget process), of upper management.
7. senior leadership. Moreover, all other levels of management should fall in line with support of all efforts.
8. Possible answers include the following:
• Will you be able to recover the data in case of disaster?
• How long will it take to recover the data?
• What is the effect of this downtime, including loss of public standing?
Data is considered critical when it is essential to the organization’s business.
10. corporate confidential data. Corporate confidential data is anything that needs to be kept confidential within the organization.
Chapter 16
Do I Know This Already?
1. C. The steps in the incident response process are as follows:
1. Preparation
2. Detection
3. Analysis
4. Containment
5. Eradication and recovery
6. Post-incident activities
2. C. Technical staff should receive technical training on configuring and maintaining security controls, including how to recognize an attack when it occurs. In addition, technical staff should be encouraged to pursue industry certifications and higher education degrees.
3. A. The scope determines the impact and is a function of how widespread the incident is and the potential economic and intangible impacts it could have on the business.
4. C. Mean time to repair (MTTR) is the average time required to repair a single resource or function when a disaster or disruption occurs.
5. B. The segmentation process involves limiting the scope of an incident by leveraging existing segments of the network as barriers to prevent the spread to other segments. These segments could be defined at either Layer 3 or Layer 2 of the OSI reference model.
6. A. You can use port security to isolate a device at Layer 2 without removing it from the network.
7. B. Clearing includes removing data from the media so that it cannot be reconstructed using normal file recovery techniques and tools. With this method, the data is recoverable only using special forensic techniques.
8. D. Sanitization refers to removing all traces of a threat by overwriting the drive multiple times to ensure that the threat is removed. This works well for mechanical hard disk drives, but solid-state drives present a challenge in that they cannot be overwritten.
9. A. Indicators of compromise (IoCs) are behaviors and activities that precede or accompany a security incident.
10. C. The first document that should be drafted is a lessons learned report. It briefly lists and discusses what was learned about how and why the incident occurred and how to prevent it from occurring again.
Review Questions
1. preparation. Responders should be well prepared and equipped with all the tools they need to provide a robust response.
2. Answer: The steps are as follows:
1. Preparation
2. Detection
3. Analysis
4. Containment
5. Eradication and recovery
6. Post-incident activities
Incident response procedures should be clearly documented.
4. Remediation. This step involves eliminating any residual danger or damage to the network that still might exist. For example, in the case of a virus outbreak, it could mean scanning all systems to root out any additional affected machines. These measures are designed to make a more detailed mitigation when time allows.
5. Possible answers include the following:
• Value to owner
• Work required to develop or obtain the asset
• Costs to maintain the asset
• Damage that would result if the asset were lost
• Cost that competitors would pay for the asset
• Penalties that would result if the asset were lost
The value of an asset should be considered with respect to the asset owner’s view.
7. call list/escalation list. First responders to an incident should have contact information for all individuals who might need to be alerted during the investigation.
8. Possible answers include the following:
• Disassembly
• Decompiling
• Debugging
With respect to reverse engineering malware, this process refers to extracting the code from the binary executable to identify how it was programmed and what it does.
10. Indicators of compromise (IoCs). You should always record or generate the IoCs that you find related to the incident. This information may be used to detect the same sort of incident later, before it advances to the point of a breach
Chapter 17
Do I Know This Already?
1. C. Whenever bandwidth usage is above normal and there is no known legitimate activity generating the traffic, you should suspect security issues that generate unusual amounts of traffic, such as denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks.
2. B. At the very least, illegal file sharing could be occurring, and at the worst, this peer-to-peer (P2P) communication could be the result of a botnet. Peer-to-peer botnets differ from normal botnets in their structure and operation.
3. A. Also known as ICMP sweeps, ping sweeps use ICMP to identify all live hosts by pinging all IP addresses in the known network. All devices that answer are up and running.
4. D. Locating unauthorized software cannot be done by using Task Manager.
5. B. You can sometimes locate processes that are using either CPU or memory by using Task Manager, but again, many malware programs don’t show up in Task Manager. Either Process Explorer or some other tool may give better results than Task Manager.
6. B. The System File Checker (SFC) is a utility built into Windows 10 that checks for and restores corrupt operating system files.
7. C. Any unexpected outbound traffic should be investigated, regardless of whether it was discovered as a result of network monitoring or as a result of monitoring the host or application. With regard to the application, it can mean that data is being transmitted back to the malicious individual.
8. A. Event Viewer displays the Application log, an event log dedicated to errors and issues related to applications.
9. D. Beaconing is a network-related IoC.
Review Questions
1. Beaconing. This type of traffic could be generated by compromised hosts that are attempting to communicate with (or call home) the malicious party that compromised the host.
2. Possible answers include the following:
• Bandwidth consumption
• Beaconing
• Irregular peer-to-peer communication
• Scan/sweep
• Unusual traffic spike
• Common protocol over non-standard port
4. Application log. Events in this log are classified as error, warning, or information, depending on the severity of the event.
5. Possible answers include the following:
• Processor consumption
• Drive capacity consumption
• Unauthorized software
• Malicious process
• Unauthorized change
• Unauthorized privilege
• Data exfiltration
• Abnormal OS process behavior
These are behaviors of a single system rather than network symptoms.
7. Process Explorer. Process Explorer is a Sysinternals tool that enables you to see in the Notification area the top CPU offender, without requiring you to open Task Manager.
8. Possible answers include the following:
• Anomalous activity
• Introduction of new accounts
• Unexpected output
• Unexpected outbound communication
• Service interruption
• Application log
In some cases, symptoms are not present on the network or in the activities of the host operating system, but they are present in the behavior displayed by a compromised application.
10. uncredentialed scan. The good news is that uncredentialed scans expose less information than credentialed scans.
Chapter 18
Do I Know This Already?
1. A. One of the most widely used packet analyzers is Wireshark. It captures raw packets off the interface on which it is configured and allows you to examine each packet. If the data is unencrypted, you can read the data.
2. D. One of the most well-known password cracking programs is Cain and Abel. It can recover passwords by sniffing the network; crack encrypted passwords using dictionary, brute-force, and cryptanalysis attacks; record VoIP conversations; decode scrambled passwords; reveal password boxes; uncover cached passwords; and analyze routing protocols.
3. C. Cellebrite has found a niche by focusing on collecting evidence from smartphones.
4. B. Maintenance costs are lower because there is only one centralized component to maintain, and it is maintained by the vendor (not the end client).
5. D. Using forensic tools for the virtual environment does not require access to the hypervisor code. In fact, you will not have access to that code as you are a licensed user and not the owner of the code.
6. C. Legal holds often require that organizations maintain archived data for longer periods. Data on a legal hold must be properly identified, and the appropriate security controls should be put into place to ensure that the data cannot be tampered with or deleted.
7. A. One of the tasks you will be performing as a security professional is making copies of storage devices. For this you need a disk imaging tool.
8. D. SHA-3, the latest version, is actually a family of hash functions, each of which provides different functional limits.
9. D. Forensic Explorer is a data carving tool that searches for signatures. It offers carving support for more than 300 file types. It supports
• Cluster-based file carving
• Sector-based file carving
• Byte-based file carving
10. C. Cellebrite has found a niche by focusing on collecting evidence from smartphones.
Review Questions
1. tcpdump is a command-line tool that can capture packets on Linux and Unix platforms. A version for Windows, windump, is available as well.
2. Possible answers include the following:
• Cain and Abel
• Jack the Ripper
In the process of executing a forensic investigation, it may be necessary to crack passwords. Often files have been encrypted or password protected by malicious individuals, and you need to attempt to recover the password.
4. dcfldd. By simply using dd with the proper parameters and the correct syntax, you can make an image of a disk, but dcfldd enables you to also generate a hash of the source disk at the same time.
5. Possible answers include the following:
• Memdump: This free tool runs on Windows, Linux, and Solaris. It simply creates a bit-by-bit copy of the volatile memory on a system.
• KnTTools: This memory acquisition and analysis tool used with Windows systems captures physical memory and stores it to a removable drive or sends it over the network to be archived on a separate machine.
• FATKit: This popular memory forensic tool automates the process of extracting interesting data from volatile memory. FATKit helps an analyst visualize the objects it finds to help in understanding the data that the tool was able to find.
Many penetration testing tools perform an operation called a core dump or memory dump. Hackers can use memory-reading tools to analyze the entire memory content used by an application.
7. smartphones. Cellebrite makes extraction devices that can be used in the field and software that does the same things.
8. Possible answers include the following:
• Installation costs are low because there is no installation and configuration for the client to complete.
• Maintenance costs are low because there is only one centralized component to maintain, and it is maintained by the vendor (not the end client).
• Upgrades are included in a subscription.
• Costs are distributed among all customers.
• It does not require the client to provide onsite equipment.
However, a considerable disadvantage to the cloud-based approach is that the data is resident with the provider.
10. Legal holds. Data on a legal hold must be properly identified, and the appropriate security controls should be put into place to ensure that the data cannot be tampered with or deleted.
Chapter 19
Do I Know This Already?
1. B. Privacy relates to rights to control the sharing and use of one’s personal information. This type of information is called personally identifiable information (PII).
2. B. A privacy impact assessment (PIA) is a risk assessment that determines risks associated with PII collection, use, storage, and transmission. A PIA should determine whether appropriate PII controls and safeguards are implemented to prevent PII disclosure or compromise.
3. A. As part of prevention of privacy policy violations, any contracted third parties that have access to PII should be assessed to ensure that the appropriate controls are in place. In addition, third-party personnel should be familiarized with organizational policies and should sign non-disclosure agreements (NDAs).
4. A. Sensitivity is a measure of how freely data can be handled. Some data requires special care and handling, especially when inappropriate handling could result in penalties, identity theft, financial loss, invasion of privacy, or unauthorized access by an individual or many individuals.
5. B. The Payment Card Industry Data Security Standard (PCI DSS) affects any organizations that handle cardholder information for the major credit card companies. The latest version is 3.2.1.
6. D. The Health Insurance Portability and Accountability Act (HIPAA), also known as the Kennedy-Kassebaum Act, affects all healthcare facilities, health insurance companies, and healthcare clearinghouses. It is enforced by the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS).
7. A. Encryption and cryptography are technologies that comprise a technical control that can be used to provide the confidentiality objective of the CIA triad.
8. B. Cryptography in the form of hashing algorithms provides a way to assess data integrity.
9. B. Data masking means altering data from its original state to protect it. Two forms of masking are encryption (storing the data in an encrypted form) and hashing (storing a hash value, generated from the data by a hashing algorithm, rather than the data itself).
Review Questions
1. value. Assigning a value to data allows an organization to determine the resources that should be used to protect the data.
2. Possible answers including the following:
• Will you be able to recover the data in case of disaster?
• How long will it take to recover the data?
• What is the effect of this downtime, including loss of public standing?
Data is considered essential when it is critical to the organization’s business.
4. data retention. A retention policy usually identifies the purpose of the policy, the portion of the organization affected by the policy, any exclusions to the policy, the personnel responsible for overseeing the policy, the personnel responsible for data destruction, the data types covered by the policy, and the retention schedule.
5. Possible answers include the following:
• If the data subject has given consent to the processing of his or her personal data
• To fulfill contractual obligations with a data subject, or for tasks at the request of a data subject who is in the process of entering into a contract
• To comply with a data controller's legal obligations
• To protect the vital interests of a data subject or another individual
• To perform a task in the public interest or in official authority
• For the legitimate interests of a data controller or a third party, unless these interests are overridden by interests of the data subject or her or his rights according to the Charter of Fundamental Rights (especially in the case of children)
7. Data masking means altering data from its original state to protect it. Two forms of masking are encryption and hashing.
8. Possible answers include the following:
• Using substitution tables and aliases for the data
• Redacting or replacing the sensitive data with a random value
• Averaging or taking individual values and averaging them (adding them and then dividing by the number of individual values) or aggregating them (totaling them and using only the total value)
• Encrypting the data
• Hashing the data
10. Geofencing. Geofencing depends on the use of Global Positioning System (GPS) or radio frequency identification (RFID) technology to create a virtual geographic boundary.
Chapter 20
Do I Know This Already?
1. C. The four main steps of the business impact analysis (BIA) are as follows:
1. Identify critical processes and resources.
2. Identify outage impacts and estimate downtime.
3. Identify resource requirements.
4. Identify recovery priorities.
2. B. Risk assessment (or analysis) has four main goals:
• Identify assets and asset value.
• Identify vulnerabilities and threats.
• Calculate threat probability and business impact.
• Balance threat impact with countermeasure costs.
3. B. Single loss expectancy (SLE) is the monetary impact of each threat occurrence. To determine the SLE, you must know the asset value (AV) and the exposure factor (EF). The EF is the percentage value or functionality of an asset that will be lost when a threat event occurs. The calculation for obtaining the SLE is as follows:
SLE = AV × EF
4. C. The non-technical leadership audience needs the message to be put in context with their responsibilities. This audience needs the cost of cybersecurity expenditures to be tied to business performance.
5. A. Risk avoidance consists of terminating the activity that causes a risk or choosing an alternative that is not as risky.
6. B. Certification evaluates the technical system components, whereas accreditation occurs when the adequacy of a system’s overall security is accepted by management.
7. B. The first step is to obtain management support, which is critical to both the support of the program and its budget.
8. A. Compensative controls are put in place to substitute for a primary access control and mainly act to mitigate risks. By using compensative controls, you can reduce risk to a more manageable level.
9. B. The red team acts as the attacking force. It typically carries out penetration tests by following a well-established process of gathering information about the network, scanning the network for vulnerabilities, and then attempting to take advantage of the vulnerabilities.
Review Questions
1. Business Continuity Planning (BCP) committee. The BIA relies heavily on any vulnerability analysis and risk assessment that is completed.
2. The four main steps of the BIA are as follows:
1. Identify critical processes and resources.
2. Identify outage impacts and estimate downtime.
3. Identify resource requirements.
4. Identify recovery priorities.
The BIA helps the organization to understand what impact a disruptive event would have on the organization.
4. Quantitative risk analysis. Equations are used to determine total and residual risks. An advantage of quantitative over qualitative risk analysis is that quantitative uses less guesswork than qualitative.
5. 5000.00. The calculation for obtaining the SLE is as follows:
SLE = AV × EF (20,000.00 × .25 = 5000.00)
7. risk assessment matrix. Subject experts grade all risks based on their likelihood and impact.
8. Possible answers include the following:
• Risk avoidance: Terminating the activity that causes a risk or choosing an alternative that is not as risky
• Risk transfer: Passing on the risk to a third party, such as an insurance company
• Risk mitigation: Defining the acceptable risk level the organization can tolerate and reducing the risk to that level
• Risk acceptance: Understanding and accepting the level of risk as well as the cost of damages that can occur
10. ALE = SLE × ARO. The annual loss expectancy (ALE) is the expected risk factor of an annual threat event. To determine the ALE, you must know the single loss expectancy (SLE) and the annualized rate of occurrence (ARO). The ARO is the estimate of how often a given threat might occur annually.
Chapter 21
Do I Know This Already?
1. C. The four domains are
• Business architecture: Business strategy, governance, organization, and key business processes
• Application architecture: Individual systems to be deployed, interactions between the application systems, and their relationships to the core business processes
• Data architecture: Structure of an organizations logical and physical data assets
• Technology architecture: Hardware, software, and network infrastructure
2. D. NIST SP 800-53 Rev 4 is a security controls development framework developed by the NIST body of the U.S. Department of Commerce.
3. D. A code of conduct policy is one intended to demonstrate a commitment to ethics in the activities of the principles. It is typically a broad statement of commitment that is supported by detailed procedures designed to prevent unethical activities.
4. A. As the name implies, these passwords consist of single words that often include a mixture of upper- and lowercase letters. The advantage of this password type is that it is easy to remember. A disadvantage of this password type is that it is easy for attackers to crack or break, resulting in compromised accounts.
5. A. Managerial controls are implemented to administer the organization’s assets and personnel and include security policies, procedures, standards, baselines, and guidelines that are established by management. These controls are commonly referred to as soft controls. Specific examples are personnel controls, data classification, data labeling, security awareness training, and supervision.
6. C. Unlike preventative controls, deterrent controls are designed to discourage but not necessarily prevent malicious activity.
7. A. An SSAE 18 audit results in a Service Organization Control (SOC) 1 report, which focuses on internal controls over financial reporting.
8. A. An SSAE 18 audit results in a Service Organization Control (SOC) 1 report. This report focuses on internal controls over financial reporting.
9. A. Management or administrative controls are implemented to administer the organization’s assets and personnel and include security policies, procedures, standards, baselines, and guidelines that are established by management..
10. C. Directive controls specify acceptable practices within an organization. They are in place to formalize an organization’s security directive mainly to its employees. The most popular directive control is an acceptable use policy (AUP), which lists proper (and often examples of improper) procedures and behaviors that personnel must follow.
Review Questions
1. NIST SP 800-53 Rev 4. The NIST SP 800-53 Rev 4 framework divides the controls into three classes: technical, operational, and management.
2. Possible answers include the following:
4. Answers can include the following:
• At minimum, perform annual audits to establish a security baseline.
• Determine your organization’s objectives for the audit and share them with the auditors.
• Set the ground rules for the audit before the audit starts, including the dates/times of the audit.
• Choose auditors who have security experience.
• Involve business unit managers early in the process.
• Ensure that auditors rely on experience, not just checklists.
• Ensure that the auditor’s report reflects risks that your organization has identified.
• Ensure that the audit is conducted properly.
• Ensure that the audit covers all systems and all policies and procedures.
• Examine the report when the audit is complete.
5. Possible answers include the following:
7. Logical, or technical. Specific examples of technical controls are firewalls, IDSs, IPSs, encryption, authentication systems, protocols, auditing and monitoring, biometrics, smart cards, and passwords.
8. Possible answers include the following:
• Password life: How long a password will be valid
• Password history: How long before a password can be reused
• Authentication period: How long a user can remain logged in
• Password complexity: How the password will be structured
• Password length: How long the password must be
10. code of conduct/ethics