Know Thy Self
DevSecOps
Access
DR/BCP
The Attack Chain
100

What frameworks are part of risk3sixty's IMS? 

ISO 27001 (Security), ISO 27701 (Privacy), ISO 22301 (Business Continuity)

100

What are the steps of the DevOps lifecycle? 

Plan, Code, Build, Test, Release, Deploy, Operate, Monitor

100

What is MFA? What is an example? 

Multi-Factor Authentication

Username, password, authenticator app (Something you know, something you have, something you are.) 

100

What is a Business Impact Assessment (BIA)?

A business impact analysis (BIA) predicts the consequences of disruption of a business function and process and gathers information needed to develop recovery strategies.

100

Describe how an attacker may compromise an endpoint device. 

Examples:

- Phishing Email

- Virus

- Compromised Credentials

- Exploiting a 0-day

200

Where does risk3sixty track vendors and perform third party vendor risk assessments? 

Phalanx - The Vendor Management Module

200

What are examples of static and dynamic source code scanning? 

Static: Analyzes source code or compiled versions of code to find security flaws. (Synopsys, SonarQube) https://owasp.org/www-community/Source_Code_Analysis_Tools

Dynamic: Tests a running application for potentially exploitable vulnerabilities. (Veracode, Fortinet, QualysGuard) https://owasp.org/www-community/Vulnerability_Scanning_Tools

200

According to NIST 800-63, how often should passwords be rotated? Why? 

NIST recommends against periodic password rotation policies because of their cost and complexity and because better security alternatives exist. 

200

When discussing availability, what does the term "three 9s" or "four 9s" mean? 

99.9% or 99.99% uptime

200

What is OSINT? Name 3 examples. 

Open Source Intelligence Gathering

1) Social Media

2) Public Records (e.g., tax, voting, criminal)

3) Previously compromised credentials 

300

What tools does risk3sixty use for the following:

1) Mobile Device Management

2) Vulnerability Scanning

3) Email Security

1) Kaseya or SentinelOne

2) Nessus and AWS Inspector

3) MS365 email protection

300

What is "merging a branch to master"? 

A branch is a separate line of source code that is still being developed. The "master" is the full body of source code. To get developed source code into production, the branch must be merged into master. Merging branches requires access and approval, typically after QA and testing. 

300

What is the risk of using generic/service accounts? What are techniques to secure these types of accounts? 

Generic or service accounts could be compromised without attribution. Left uncontrolled, generic and service accounts are difficult to inventory and tie to a legitimate business use. 

- Inventory all service/generic accounts including their owner and use

- Leverage a Privileged Access Management (PAM) system

300

What is the difference between a hot site and a cold site? 

Hot Site: A backup facility that is already live and can be used for instant (or near instant) failover. 

Cold Site: A backup facility that will need to be "booted up" in the event of failover. 

300

How might an attacker compromise an unpatched network device? 

An attacker could exploit a vulnerability on an internet router/access point to intercept traffic. By intercepting traffic, they could capture encrypted logon credentials. They could then decrypt the logon credentials to compromise a system. 

400

Who are the members of risk3sixty's Information Risk Council? In what policy can you find this information? 

Christian, CW, Ryan, Philip, Lance, Tim, Sawyer

Information Risk Council Charter

400

How would an engineer typically log into a virtual machine or end compute resource? What are some of the security risks associated with this methodology? 

An engineer will not typically log on to a virtual machine via a front end. They will typically log on using a cryptographic key (e.g., an SSH key). 

Without regular key rotation and logging of assigned keys, it can be difficult to track which engineers have access to which resources. It can also be difficult to deprovision access when an engineer exits the company. 

400

What are example AWS admin accounts? 

- Root User

- Administrator User

- Administrator Group

- Any group (or user in the group) assigned administrator access

400

What is the difference between differential backups, full backups, and real time data replication? 

What are the risks of real time data replication vs. typical backups? 

Differential - Backs up only the data that has changed since the last full backup

Full - A complete copy of all the data

Real Time Replication - Typically maintains two copies of the same data, kept in sync continuously. 

RTR risks: Corrupted data is replicated immediately, so you could end up without a clean backup copy to restore from. 

400

How might an attacker bypass MFA? 

1. See Asher's presentation on malicious/fraudulent MS365 apps. 

2. An attacker could leverage phishing or social engineering to obtain an authenticator code, or change the phone number where texts are sent to acquire security codes. 

500

What are 5 of risk3sixty's security, privacy, and continuity KPIs? What ISO 27001 clause does this represent? 

See risk3sixty's IMS pages 13-15.

Clause 6.2

500

What are 5 opportunities to automate in the DevSecOps lifecycle? 

- Testing source code for security vulnerabilities

- QA Testing

- Auto-scaling and deploying infrastructure

- Testing source code dependencies 

- Deploying pre-configured and secure containers

- Backups

500

What is a bastion host? Describe how it would support network segmentation. 

A bastion host is a server whose purpose is to provide access to a private network from an external network, such as the Internet. Because of its exposure to potential attack, a bastion host must minimize the chances of penetration.

500

How would you test if the use of cloud infrastructure (AWS, Azure, GCP) supports high availability and disaster recovery? 

Review the network diagram and system configuration settings to validate that the organization is using multiple availability zones configured for high availability and automatic failover. This is often supported by real-time data replication across two availability zones that mirror each other and are configured to fail over automatically. 

500

What is password spraying? What are 3 mitigating controls? 

Password spraying is a type of brute force attack. In this attack, an attacker attempts logins against the application using a list of usernames combined with default passwords.

- Limit the number of failed login attempts

- Leverage reCAPTCHA 

- Have username and password on separate login screens

- Leverage MFA