1
Q
define Threat model approach STRIDE (6 steps)
A
- Spoofing
- Tampering
- Repudiation
- information disclosure
- Denial of service
- Elevation of privilege
2
Q
what are type of threat modeling approach
A
- STRIDE
- PASTA
- Linddun
- Trike
3
Q
what is the threat surface
A
the total of all of these crossing points for given perimeter or boundary. each boundary crossing is an opportunity to apply controls to mitigate attacks
4
Q
what is a Simple Waterfall Software Lifecycle Development (SDLC)
A
the waterfall SDLC is the traditional software development methodology
phase incl.
1. concept (need identified)
2. requirement definition
3. system design
4. software and data systems coding
5. unit, subsystem and systems testing
6. acceptance testing
7. deployment to operational use
5
Q
what is a source code
A
set of statements written in human-readable form that are implementation of given design
6
Q
what is executable code (or object code)
A
is a binary representation of the machine language instruction set that the CPU directly execute
7
Q
what is an intermediate code
A
in between source code and executable code
8
Q
what is arbitrary code
A
attacker can fool the CPU into executing a different set of instructions then design for
9
Q
what are the programming language generations
A
generation 1 : simple instruction directly to CPU
generation 2: symbols as abbreviation for major instructions
generation 3: words as part of commands
generation 4: very high-level language / report generation
generation 5: constraint-based or logic programming -> failed in 90s
10
Q
what are Object-oriented language key characteristics
A
- encapsulating: data hiding
- inheritance: define subclass of data based on common characteristics
- polymorphism: Object can take many forms based on how it is used
- different data type: different data type can be processed differently
11
Q
what is polyinstantiation
A
prevent inference possibilities by creating a new version of an object, using the same identifier or key
12
Q
what is “distributed object-oriented systems”
A
distributed computing allows the sharing of resources
13
Q
what is an example of approach of distributed architecture based on distributed object
A
COBRA / RMI / EJB / DCOM
COBRA is a set of standards that addresses the need for interoperability between hardware and software residing in different machine across network
COBRA uses an ORB (object request broker) security system to find objects
14
Q
what does COBRA security service support
A
- access control
- data protection
- non-repudiation
- auditing
15
Q
what is the IT supply chain (who write you source code)
A
Trusted
- major hardware & systems vendors
- applications software providers
- 3rd party developers
- in-house developers
Less secured/trustworthy
- Open-source providers
- citizen programmers
- mobile code
16
Q
what are type of coding standard library, software reuse
A
- OSs and hardware libraries
- programming language libraries (IDE)
- development framework
- in-house, project specific, etc libraries
- third-party, open-source libraries from reputable sources
- third-party, open-source from unknown sources
17
Q
what are common exploitable software source code errors
A
- Buffer overflow: buffer is contiguous area of storage used when transferring data
- Malformed input attack: leverage design errors in software by providing inconsistent data inputs to induce app malfunction
3.
18
Q
what id defense programming
A
translates the business logic about acceptable and harmful input into code, which allow processing of the acceptable, but safely blocks attempts to input (or inject) harmful inputs
19
Q
what is a covert channel
A
covert channel or cover path is a communication pathway between two or more processes that transfers information in ways that violate some security policy or requirement
20
Q
what are types of covert channels
A
- covert storage channels (CSCs)
- Covert timing channels (CTCs)
21
Q
what are common software attack vectors
A
- Social engineering
- TOCTOU (time of check vs time of use)
- Race condition : exist when 2 tasks each depend upon the other’s successful completion for their own input
- between the lines attack: tap lines and false data inserted
- trapdoor and backdoor: hidden mechanism to bypass security
22
Q
what are threats to database and data warehouse architecture
A
- aggregation & inference
- bypass attack
- compromising database views used for access control
- exploits against alternative access routes
- data contamination
- deadlocking
- DoS
- Improper modification of information
- interception of data
- query attack
- physical or direct logical access to the server
- TOCTOU
- web-based attack
- unauthorized access
23
Q
what is a data lake
A
refer to large collections of data that has not been put into a common format or structure for a data warehouse
24
Q
what is a data farm
A
where predictive analytics and other techniques are used to generate data in between known or observed data points
25
what is a Database management system (BDMS)
a suite of application programs that typically manages database and their environment
26
what are the minimum requirements of any database model
1. transaction persistence
2. fault tolerance and recovery
3. sharing by multiple users
4. security controls
27
what is the difference between database model and data model
database model: build specific database to meet business needs (DBMS)
data model: specific type of data in terms of logical structure, type values, inherent meaning
28
what are type of database model
- hierarchical DB model (oldest)
- network DB mgmt model (COBOL / CODASYL)
- relational DB mgmt model (think excel table witch common factor)
- Object-oriented DB model
- Achieving data integrity in different DB model
29
what are 2 advantages of network DB mgmt model
1. High-performance, high-volume storage mgmt
2. graph database
30
what are common database interface language
- Structure query language (SQL)
- Markup Language & DB (HTML)
31
what are the 3 sublanguages of SQL
1. data definition language (DDL)
2. Data Manipulation Language (DML)
3. Data Control Language (DCL)
32
what are common connecting application to database
1. Extensible Markup Language (XML)
2. Open DB Connectivity (ODBC)
3. Java DB connectivity (JDBC)
4. Object linking and embedding DB (OLE DB)
33
how are database access via internet
APIs -> application programming interfaces
others:
- tiered application approach
- ADO
- metadata
- OLAP
34
what are common mistakes making website vulnerable
- attempting to reinvent access control
- attempting to reinvent design
- hard coding of authentication
- poor access control mgmt
- rushing website / new apps
35
what are main web apps threats
- DoS
- man in the middle
- drive-by attack
- password attack
- SQL injection
- cross-site scripting
- eavesdropping
- birthday attack
- malware attack
36
what are the main web apps protection existing
- security assurance sign-off for web server
- hardening OS
- network & vulnerability scans
- IDS
- firewall
- disabling unnecessary docs
- admin interface removed securely
- access from authorized hosts or network
- no hard coding authentication
- account lockout
- traffic encryption
- separation of user interface
37
what is OWASP
provides several frameworks focused on the secure deployment of web apps
38
what is a malware or malicious software
applications that have be written to do something harmful to resources and assets that have value to an organization
defined in terms of ability to attach to programs or executable files and so must, in some way, compromise the integrity of applications
39
what is a virus
a software program written with intent and capability to copy and disperse itself without the knowledge and cooperation of the owner or user of the particular system
40
what are the common type of viruses
- file injectors
- boot sector infectors
- system infectors
- companion virus
- email virus
- multipartite
- macro virus
- script virus
41
what are other types of malware
- worms: reproduce and spread
- hoaxes: warning of non-existing virus
- trojans: program useful, but it is compromise by malicious
- RATs: provide remote access to host
- DDoS: sort of DoS -> overwhelm computing process
- Logic bombs: dormant until specific condition triggered
- spyware & adware: tracking tool
- pranks: commercial product for joking
- Botnets: network automated system/processes
- ransomware: encrypt files on targeted system
42
Malware protection/cyber hygiene should include
- security evaluation
- establish procedures to handle email, attachment etc. (verify senders, labeling, etc.)
- policies/guidelines for removable media (USB)
- BYOD access mgmt
- anti-malware defense
- keep system and endpoint devices updated
43
what are common tools anti-malware/anti-virus uses
- scanners
- heuristic scanners
- activity monitoring
- change detection
- reputation monitoring and zero-day exploits
- antivirus/anti-malware policies
44
what are common types pf malware protection
- anti-malware system
- IDS/IPS
- software block/allowed list
- managed security services
45
what are the main types of protection against ransomware
- denial
- detection
- containment
- response and recovery
46
what are the phase in classic software development lifecycle (SDLC)
1. initiation / requirements
2. function design
3. detailed design
4. development
5. testing
6. production
7. maintenance
(8. decommissioning/disposal)
47
what is an SDLC "independent verification & validation (IV&V)
as part of acceptance test (for the handover of the finished software), the independent verification & validation is a series of test to ensure the operationality of the software
48
what is DevOps and common principles
involves the quality assurance processes of the organization
common principles:
- develop and test against production-like systems
- deploy with repeatable and reliable process
- monitor and validate operational quality
- amplify feedback loops
49
what is DevSecOps
merges two process models to include security requirements
50
what are the different levels within capacity maturity model
- initial: process unpredictable / poorly controlled / reactive
- repeatable: processes are organized but reactive
- defined: processes well characterized / understood/proactiv
- managed: controlled using quantitative technics
- optimizing: processes are continually improved / optimized
51
what is Representational state transfer (REST)
architectural style for designing networked architectures where components need to talk to each other
REST uses HTTP to provide synch
52
what are REST-based APIs security recommendations
- employ the same security mechanism as APIs
- do not create / implement own security solution
- unless API is free (read-only public API), don't use single auth
- don't pass unencrypted static encryption keys
- use Hash-based message authentication cod (HMAC)
53
what are the 3 main authentication options for REST APIs
- basic authentication with TLS
- OAuth 1.0
- OAuth 2.0
54
what is a source code analysis tool and different approaches
designed to analyze source code and compiled or machine language code. it looks for security flaws and weakness
1. Static app security testing (SAST)
2. Dynamic app security testing (DAST)
3. Interactive app security testing (IAST)
4. Runtime app security protection (RASP)
55
what is a sandbox
area where we can test certain pieces of code to see if they are malicious. provides a protectives area for program execution
56
what are the 3 type of software development environment
1. development
2. Quality assurance
3. production
57
what is a trusted computing base
collection of all hardware, software, firmware component within an architecture responsible for supporting the security policy and the isolation of objects
58
DB mgmt system - ACID test
- atomicity = either do or not
- consistency = transform from state to another
- isolation = invisible until completed
- durability = transaction is permanent
59
what are type of DBMS access control
- view-based access control
- grant & revoke access control
- security for OO database
- metadata controls
- data contamination control
60
what is an "online transaction processing (OLTP)
used by industries such as finance, telecomms, insurance, retail, transport, etc.
record all business transaction (think travel)
61
what are configuration mgmt (CM) software security steps
1. identifying
2. controlling
3. accounting
4. auditing
62
what are the common "trusted computer system evaluation criteria (TCSEC) -> (cert. of evaluation assurance level EAL)
- EAL 7 = formally verified design and tested
- EAL 6 = semi-formally verified design and tested
- EAL 5 = semi-formally design and tested
- EAL 4 = Methodically designed tested & reviewed
- EAL 3 = Methodically tested & checked
- EAL 2 = structurally tested
- EAL 1 = functionally tested
63
What type of security vulnerability are developers most likely to introduce into code when they seek to facilitate their own access, for testing purposes, to software they developed?
Maintenance hook
Maintenance hooks, otherwise known as backdoors, provide developers with easy access to a system, bypassing normal security controls.
64
Betty is concerned about the use of buffer overflow attacks against a custom application developed for use in her organization. What security control would provide the strongest defence against these attacks?
Parameter checking
Parameter checking, or input validation, is used to ensure that input provided by users to an application matches the expected parameters for the application.
65
Which one of the following systems assurance processes provides an independent third-party evaluation of a system’s controls that may be trusted by many different organizations?
A. Certification
B. Definition
C. Verification
D. Accreditation
Verification
The verification process is similar to the certification process in that it validates security controls.
66
The _________ of a process consist(s) of the limits set on the memory addresses and resources that the process may access.
A. Perimeter
B. Confinement limits
C. Metes
D. Bounds
Bounds
Each process that runs on a system is assigned certain physical or logical bounds for resource access, such as memory.
67
Object-oriented programming languages use a black box approach to development, where users of an object do not necessarily need to know the object’s implementation details. What term is used to describe this concept?
Abstraction
Abstraction uses a black box approach to hide the implementation details of an object from the users of that object
68
Which of the following items are not commonly associated with restricted interfaces?
A. Shells
B. Keyboards
C. Menus
D. Database views
Keyboards
Menus, shells, and database views are all commonly used for constrained interfaces.
69
What term properly describes what occurs when two or more processes require access to the same resource and must complete their tasks in the proper order for normal function?
Race conditions
Race conditions occur when two or more processes need to access the same resource in the right order. If an attacker can disrupt this order, they may be able to affect the normal operations of the system
70
Which one of the following statements is not true about code review?
A. Code review should be a peer-driven process that includes multiple developers.
B. Code review may be automated.
C. Code review occurs during the design phase.
D. Code reviewers may expect to review several hundred lines of code per hour.
Code review occurs during the design phase.
Code review takes place after code has been developed, which occurs after the design phase of the system’s development life cycle (SDLC).
71
Which one of the following attack types attempts to exploit the trust relationship that a user’s browser has with other websites by forcing the submission of an authenticated request to a third-party site?
A. XSS
B. CSRF
C. SQL injection
D. Session hijacking
CSRF
Cross-site request forgery (XSRF or CSRF) attacks exploit the trust that sites have in a user’s browser by attempting to force the submission of authenticated requests to third-party sites
72
When using the SDLC, which one of these steps should you take before the others?
A. Functional requirements determination
B. Control specifications development
C. Code review
D. Design review
Functional requirements determination
The SDLC consists of seven phases, in the following order: conceptual definition, functional requirements determination, control specifications development, design review, code review, system test review, and maintenance and change management.
73
Which one of the following is not a goal of software threat modelling?
A. To reduce the number of security-related design flaws
B. To reduce the number of security-related coding flaws
C. To reduce the severity of non-security-related flaws
D. To reduce the number of threat vectors
To reduce the number of threat vectors
74
Which one of the following testing methodologies typically works without access to source code?
A. Dynamic testing
B. Static testing
C. White box testing
D. Code review
Dynamic testing
Dynamic testing of software typically occurs in a black box environment where the tester does not have access to the source code.
75
What concept in object-oriented programming allows a subclass to access methods belonging to a superclass?
Inheritance
Inheritance occurs when a subclass (or child class) is able to use methods belonging to a superclass (or parent class). Polymorphism occurs when different subclasses may have different methods using the same interfaces that respond differently.
76
Bobby is investigating how an authorized database user is gaining access to information outside his normal clearance level. Bobby believes that the user is making use of a type of function that summarizes data. What term describes this type of function?
Aggregate
Aggregate functions summarize large amounts of data and provide only summary information
77
Which one of the following controls would best protect an application against buffer overflow attacks?
A. Encryption
B. Input validation
C. Firewall
D. Intrusion prevention system
B. Input validation
The best protection against buffer overflow attacks is server-side input validation.
78
Which one of the following database keys is used to enforce referential integrity relationships between tables?
A. Primary key
B. Candidate key
C. Foreign key
D. Master key
C. Foreign key
Referential integrity ensures that records exist in a secondary table when they are referenced with a foreign key from another table. Foreign keys are the mechanism used to enforce referential integrity.
79
Which one of the following files is most likely to contain a macro virus?
A. projections.doc
B. command.com
C. command.exe
D. loopmaster.exe
A. projections.doc
Macro viruses are most commonly found in office productivity documents
80
When should a design review take place when following an SDLC approach to software development?
After the development of functional requirements
Design reviews should take place after the development of functional and control specifications but before the creation of code. The code review, unit testing, and functional testing all take place after the creation of code and, therefore, after the design review.
81
Vivian would like to hire a software tester to come in and evaluate a new web application from a user’s perspective. Which of the following tests best simulates that perspective?
A. Black box
B. Gray box
C. Blue box
D. White box
Black box
Black box testing begins with no prior knowledge of the system implementation, simulating a user perspective. White box and gray box testing provide full and partial knowledge of the system, respectively, in advance of the test.
82
Which one of the following programming languages does not make use of a compiler?
A. Java
B. C++
C. C
D. JavaScript
D. JavaScript
JavaScript is an interpreted language that does not make use of a compiler to transform code into an executable state. Java, C, and C++ are all compiled languages
83
Which one of the following is not a technique used by virus authors to hide the existence of their virus from antimalware software?
A. Stealth
B. Multipartitism
C. Polymorphism
D. Encryption
Multipartitism
Multipartite viruses use multiple propagation mechanisms to defeat system security controls but do not necessarily include techniques designed to hide the malware from antivirus software.
Stealth viruses tamper with the operating system to hide their existence.
Polymorphic viruses alter their code on each system they infect to defeat signature detection.
Encrypted viruses use a similar technique, employing encryption to alter their appearance and avoid signature detection mechanisms.
84
Which one of the following types of software testing usually occurs last and is executed against test scenarios?
A. Unit testing
B. Integration testing
C. User acceptance testing
D. System testing
User acceptance testing (UAT) is typically the last phase of the testing process. It verifies that the solution developed meets user requirements and validates it against use cases.
85
In an object-oriented programming language, what does one object invoke in a second object to interact with the second object?
Method
When one object wishes to interact with another object, it does so by invoking one of the second object’s methods, including required and, perhaps, optional arguments to that method
Work
flashcards
Decks in class (9)
# Cards
-
Chap 1 - information & Sec environment24
-
Chap 2 - Information asset security39
-
Chap 3 - Identity Access Mgmt71
-
chap 4 - Security architecture and engineering67
-
chap 5 - communication & network security104
-
chap 7 - security assessment and testing66
-
chap 6 - Software development security85
-
Chap 8 - Security operations73
-
Chap 9 - putting it together55
