
QUESTION 151

- (Topic 1)
Which mode of IPSec should you use to assure security and confidentiality of data within the same LAN?

Correct Answer: A

QUESTION 152

- (Topic 2)
When a security analyst prepares for the formal security assessment, which of the following should be done in order to determine inconsistencies in the secure assets database and verify that the system is compliant with the minimum security baseline?

Correct Answer: A

QUESTION 153

- (Topic 3)
Insecure direct object reference is a type of vulnerability where the application does not verify if the user is authorized to access the internal object via its name or key. Suppose a malicious user Rob tries to get access to the account of a benign user Ned.
Which of the following requests best illustrates an attempt to exploit an insecure direct object reference vulnerability?

Correct Answer: C
This question shows a classic example of an IDOR vulnerability. Rob substitutes Ned's name in the "name" parameter and, if the developer has not fixed this vulnerability, Rob will gain access to Ned's account. Below you will find more detailed information about the IDOR vulnerability.
Insecure direct object references (IDOR) are a cybersecurity issue that occurs when a web application developer uses an identifier for direct access to an internal implementation object but provides no additional access control and/or authorization checks. For example, an IDOR vulnerability would happen if the URL of a transaction could be changed through client-side user input to show unauthorized data of another transaction.
Most web applications use simple IDs to reference objects. For example, a user in a database will usually be referred to via the user ID. The same user ID is the primary key of the database table that holds the user information and is generated automatically. The database key generation algorithm is very simple: it usually uses the next available integer. The same database ID generation mechanisms are used for all other types of database records.
The approach described above is legitimate but not recommended because it could enable the attacker to enumerate all users. If it's necessary to maintain this approach, the developer must at least make absolutely sure that more than just a reference is needed to access resources. For example, let's say that the web application displays transaction details using the following URL:
✑ https://www.example.com/transaction.php?id=74656
A malicious hacker could try to substitute the id parameter value 74656 with other similar values, for example:
✑ https://www.example.com/transaction.php?id=74657
The 74657 transaction could be a valid transaction belonging to another user. The malicious hacker should not be authorized to see it. However, if the developer made an error, the attacker would see this transaction and hence we would have an insecure direct object reference vulnerability.
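The following is an added example, not code from the original question bank, showing in Python what "more than just a reference is needed" means in practice: a transaction lookup that trusts the client-supplied id (the IDOR case), the same lookup with an ownership check, and a per-user indirect reference map so the client never handles raw database IDs. The transaction records, user names and the reuse of the ids 74656/74657 from the URLs above are constructed sample data.

```python
"""Added example (not from the original page): IDOR-prone lookup, the fixed
lookup with an authorization check, and an indirect-reference map.
All records, user names and IDs below are constructed sample data."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    tx_id: int
    owner: str
    amount: float


# Constructed sample data: two adjacent IDs as in the example URLs,
# each belonging to a different user.
TRANSACTIONS = {
    74656: Transaction(74656, "rob", 19.99),
    74657: Transaction(74657, "ned", 250.00),
}


class Forbidden(Exception):
    """Raised when the caller may not view the requested object."""


def get_transaction_vulnerable(current_user: str, tx_id: int) -> Transaction:
    """IDOR: the client-supplied id is used directly; the authenticated
    user is never compared against the record's owner."""
    return TRANSACTIONS[tx_id]


def get_transaction_secure(current_user: str, tx_id: int) -> Transaction:
    """Fixed: the reference alone is not enough; the record must belong to
    the authenticated user. The same error is raised for 'missing' and
    'not yours', so a probe cannot learn which other IDs exist."""
    tx = TRANSACTIONS.get(tx_id)
    if tx is None or tx.owner != current_user:
        raise Forbidden("transaction not found")
    return tx


class IndirectReferenceMap:
    """Per-user map from random opaque tokens to real database IDs.
    The client only ever sees tokens, so neighbouring IDs cannot be
    guessed, and a token issued to one user resolves to nothing in
    another user's session."""

    def __init__(self) -> None:
        self._by_user: dict[str, dict[str, int]] = {}

    def token_for(self, user: str, tx_id: int) -> str:
        """Issue (or reuse) an opaque token for a record the user owns."""
        get_transaction_secure(user, tx_id)  # never map records the user may not see
        tokens = self._by_user.setdefault(user, {})
        for tok, real_id in tokens.items():
            if real_id == tx_id:
                return tok
        tok = secrets.token_urlsafe(16)
        tokens[tok] = tx_id
        return tok

    def resolve(self, user: str, token: str) -> Transaction:
        """Translate a token back to a record, scoped to this user only."""
        tx_id = self._by_user.get(user, {}).get(token)
        if tx_id is None:
            raise Forbidden("transaction not found")
        return get_transaction_secure(user, tx_id)


def access_result(lookup, user: str, ref) -> str:
    """Helper for demonstrations: owner of the returned record, or 'denied'."""
    try:
        return lookup(user, ref).owner
    except (Forbidden, KeyError):
        return "denied"


if __name__ == "__main__":
    # Rob requests Ned's transaction through each code path.
    print("vulnerable:", access_result(get_transaction_vulnerable, "rob", 74657))
    print("secure:    ", access_result(get_transaction_secure, "rob", 74657))
    refs = IndirectReferenceMap()
    ned_token = refs.token_for("ned", 74657)
    print("token, ned:", access_result(refs.resolve, "ned", ned_token))
    print("token, rob:", access_result(refs.resolve, "rob", ned_token))
```

The ownership check alone closes the vulnerability; the indirect reference map is the additional measure that also removes the enumeration problem described above, because the value in the URL is no longer a predictable integer.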

QUESTION 154

- (Topic 3)
As a cybersecurity analyst for SecureNet, you are performing a security assessment of a new mobile payment application. One of your primary concerns is the secure storage of customer data on the device. The application stores sensitive information such as credit card details and personal identification numbers (PINs) on the device. Which of the following measures would best ensure the security of this data?

Correct Answer: B
Encrypting all sensitive data stored on the device is the best measure to ensure the security of this data, because it protects the data from unauthorized access or disclosure, even if the device is lost, stolen, or compromised. Encryption is a process of transforming data into an unreadable format using a secret key or algorithm. Only authorized parties who have the correct key or algorithm can decrypt and access the data. Encryption can be applied to data at rest, such as files or databases, or data in transit, such as network traffic or messages. Encryption can prevent attackers from stealing or tampering with the customer data stored on the device, such as credit card details and PINs, which can cause financial or identity fraud.
The other options are not as effective or sufficient as encryption for securing the customer data stored on the device. Implementing biometric authentication for app access may provide an additional layer of security, but it does not protect the data from being accessed by other means, such as malware, physical access, or backup extraction. Enabling GPS tracking for all devices using the app may help locate the device in case of loss or theft, but it does not prevent the data from being accessed by unauthorized parties, and it may also pose privacy risks. Regularly updating the app to the latest version may help fix bugs or vulnerabilities, but it does not guarantee the security of the data, especially if the app does not use encryption or other security features. References:
✑ Securely Storing Data | Security.org
✑ Data Storage Security: 5 Best Practices to Secure Your Data
✑ M9: Insecure Data Storage | OWASP Foundation

QUESTION 155

- (Topic 1)
Steve, a scientist who works in a governmental security agency, developed a technological solution to identify people based on their walking patterns and implemented this approach in a physical access control system.
A camera captures people walking and identifies the individuals using Steve's approach. After that, people must present their RFID badges. Both identifications are required to open the door. In this case, we can say:

Correct Answer: B