The OWASP top 10 is a list of what?
Commonly seen security flaws in web applications
What does XSS stand for?
Cross-site Scripting
What should not be included in the logs?
PII/Sensitive Information
What are 2 types of Phishing?
Smishing, Spear Phishing, Fake emails, Phone calls
What makes a secure password?
Numbers, Letters, Special characters, Phrases, No password reuse
What is not in the OWASP top 10?
a) Sensitive Data Exposure
b) Injection Attacks
c) Click-Jacking Attacks
d) Server-Side Request Forgery (SSRF)
C. Click-jacking attacks
This attack typically involves an attacker sending multiple requests to a server at a time, resulting in legitimate requests being dropped or timed out
DoS/DDoS
dependabot and npm audit are examples of what?
Security Scanners of third-party libraries
What clues might you use to decide if an email is phishing or real? (List 4)
Sender address, Spelling/Grammar errors, Links, Requests for personal information, Attachments, HTTP instead of HTTPS, Generic Greeting, No Specifics, Too Specific
What should be done with your laptop when you walk away from it?
Laptop should be locked
What is #1 on the OWASP top 10?
Broken Access Control
Parameterization and encoding special characters are security practices most commonly associated with what type of vulnerability?
Injection vulnerabilities
What Static Application Security Testing tool does SwipedOn use?
Semgrep
If you receive a phishing email, what should you do?
Report it to security@swipedon.com
What happens if a Kolide warning is repeatedly ignored?
It gets escalated to a Slack channel, then Vanessa will bug you, then it is escalated to a manager
What common type of attack moved from #1 to #3 on the OWASP Top 10 list with the latest release?
Injection Attacks
What are 2 tasks that can be completed to minimise the attack surface of an application?
Remove unused code, Remove unused endpoints, keep libraries up to date, Use Strong Encryption, Security Awareness training
What is the KISS principle?
Keep It Simple, Stupid! If anything relating to security is too difficult, people will actively avoid it or try to find ways around doing it that way
What tool does SwipedOn use to ensure laptops are in security compliance?
Kolide
What Security Certifications did SwipedOn earn this year?
SOC2 and ISO 27001
What list item do these help prevent:
- Using 2FA
- Changing Default passwords
- Preventing the use of Weak passwords
- Limiting login attempts
- Logging all failed login attempts
Identification and Authentication Failures
Impersonation
What does the CIA triad stand for in reference to vulnerabilities?
Confidentiality, Integrity and Availability.
True or False?
SHA1 and SHA256 are both cryptographically secure hashing algorithms.
False, SHA1 has been shown to have hash collisions and should no longer be used.
What is SwipedOn's policy for customer data on work computers?
Once the ticket/work item regarding that customer data is complete, it should be deleted and the rubbish bin on the computer emptied.
Where can the SwipedOn Policies be found?
Google Drive or SecureFrame