What frameworks are part of risk3sixty's IMS?
ISO 27001 (Security), ISO 27701 (Privacy), ISO 22301 (Business Continuity)
What are the steps of the DevOps lifecycle?
Plan, Code, Build, Test, Release, Deploy, Operate, Monitor
What is MFA? What is an example?
Multi-Factor Authentication
Username, password, authenticator app (Something you know, something you have, something you are.)
What is a Business Impact Assessment (BIA)?
A business impact analysis (BIA) predicts the consequences of disruption of a business function and process and gathers information needed to develop recovery strategies.
Describe how an attacker may compromise an endpoint device.
- Phishing Email
- Virus
- Compromised Credentials
- Exploiting a 0-day
Where does risk3sixty track vendors and perform third party vendor risk assessments?
What are examples of static and dynamic source code scanning?
Static: Can help analyze source code or compiled versions of code to help find security flaws. (Synopsys, SonarQube) https://owasp.org/www-community/Source_Code_Analysis_Tools
Dynamic: Tests a running application for potentially exploitable vulnerabilities. (Veracode, Fortinet, QualysGuard) https://owasp.org/www-community/Vulnerability_Scanning_Tools
According to NIST 800-63 how often should passwords be rotated? Why?
NIST recommended against password rotation policies due to cost, complexity, and better security alternatives.
When discussing availability, what does the term "three 9s" or "four 9s" mean?
What is OSINT? Name 3 examples.
1) Social Media
2) Public Records (e.g., tax, voting, criminal)
3) Previously compromised credentials
What tools does risk3sixty use for the following:
1) Mobile Device Management
2) Vulnerability Scanning
3) Email Security
1) Kaseya or SentinelOne
2) Nessus and AWS Inspector
3) MS365 email protection
What is "merging a branch to master"?
A branch is a component of source code that is being developed. The "master" is the full body of source code. To get developed source code into production the "branch" must be merged into "master". Merging branches requires access and approval, typically after QA and testing.
Generic or service accounts could be compromised without attribution. Left uncontrolled, generic and service accounts are difficult to inventory and tie to a legitimate business use.
- Inventory all service/generic accounts including their owner and use
- Leverage a Privileged Access Management (PAM) system
What is the difference between a hot site and a cold site?
Hot Site: A backup facility that is already live and can be used for instant (or near instant) failover.
Cold Site: A backup facility that will need to be "booted up" in the event of failover.
An attacker could leverage a vulnerability on an internet router/access point to intercept traffic. By intercepting traffic they could capture encrypted logon credentials. They could then decrypt the logon credentials to compromise a system.
Who are the members of risk3sixty's Information Risk Council? What policy can you find this information?
Christian, CW, Ryan, Philip, Lance, Tim, Sawyer
Information Risk Council Charter
How would an engineer typically log into a virtual machine or end-compute-resource? What are some of the security risks associated with this methodology?
An engineer will not typically log on to a virtual machine via a front end. They will typically log on leveraging a crypto-key (like SSH).
Without regular key rotation and logging of assigned keys it can be difficult to track what engineers have access to what resources. It can also be difficult to deprovision when an engineer exits the company.
What are example AWS admin accounts?
- Root User
- Administrator User
- Administrator Group
- Any group (or user in the group) assigned administrator access
What is the difference between differential backups, full backups, and real time data replication?
What are the risks of real time data replication vs. typical backups?
Differential - Backs up only the changes
Full - A complete backup of all data
Real Time Replication - Typically stores two copies of the same data.
RTR risks: You could back up corrupted data without having a clean backup copy.
How might an attacker bypass MFA?
1. See Asher's presentation on malicious/fraudulent MS365 apps.
2. An attacker could leverage phishing or social engineering to obtain an authenticator code OR change the phone number where texts are sent to acquire security codes.
What are 5 of risk3sixty's security, privacy, and continuity KPIs? What ISO 27001 clause does this represent?
See risk3sixty's IMS pages 13-15.
Clause 6.2
What are 5 opportunities to automate in the DevSecOps lifecycle?
- Testing source code for security vulnerabilities
- QA Testing
- Auto-scaling and deploying infrastructure
- Testing source code dependencies
- Deploying pre-configured and secure containers
- Backups
A bastion host is a server whose purpose is to provide access to a private network from an external network, such as the Internet. Because of its exposure to potential attack, a bastion host must minimize the chances of penetration.
How would you test if the use of cloud infrastructure (AWS, Azure, GCP) supports high availability and disaster recovery?
Review the network diagram and system configuration settings to validate that the organization is using multiple availability zones configured for high availability and automatic failover. This is often supported by real-time data duplication and two availability zones that mirror each other and are configured to fail over automatically.
What is password spraying? What are 3 mitigating controls?
Password spraying is a type of brute force attack. In this attack, an attacker will brute force logins based on a list of usernames with default passwords on the application.
- Limit the number of failed login attempts
- Leverage a reCAPTCHA
- Have the username and password on separate login screens
- Leverage MFA