csds exam 2

Zed Attack Proxy (ZAP)

An open-source tool by OWASP for finding web app vulnerabilities. It scans, spiders, and intercepts traffic to help with security testing.

Burp Suite

A web vulnerability scanner and proxy tool used for testing and exploiting security flaws in web apps. Popular in penetration testing.

Automated Scanners

Use pre-defined rules to identify known vulnerabilities quickly (e.g., open ports, outdated libraries).

Manual Pen Testing

Human-driven testing focusing on logic flaws, business logic issues, and chained vulnerabilities.

Key Difference between Automated and Manual Pen Testing

Automation finds common issues fast; manual testing uncovers complex, logic-based flaws.

Focus of Vulnerability Assessment

Discovery only, not exploitation — ensures systems aren't harmed during the test.

Why Focus on Discovery Only?

Prevents system damage or disruption, ensures compliance with ethical/legal boundaries, prioritizes risk identification over causing harm.

Continuous Vulnerability Scanning

Recommendation: Yes, regularly scan systems to detect new vulnerabilities as systems, code, and threats evolve.

Authenticated Scans

Run with valid credentials; more thorough.

Unauthenticated Scans

External perspective; less coverage.

Cloud Security Challenges

Shared responsibility model, dynamic resources and ephemeral services, lack of visibility into cloud provider infrastructure.

National Vulnerability Database (NVD)

U.S. government repository of known software vulnerabilities.

National Vulnerability database Usage in Reports

Reference CVEs (Common Vulnerabilities and Exposures) to validate and support findings.

Penetration Testing Process

Phases include Scoping, Reconnaissance, Discovery, Exploitation, and Reporting.

Scoping

Define scope, rules, and goals of engagement.

Reconnaissance

Gather information about targets.

Discovery

Scan for vulnerabilities.

Exploitation

Attempt to manipulate discovered vulnerabilities (in real pen tests).

Reporting

Document findings, risks, and mitigation strategies.

Types of Penetration Testing

Includes Application Testing, Network Testing, and Physical Pen Testing.

Application Testing

Focus on web apps, mobile apps, APIs, and other software to find flaws like injection attacks, authentication/authorization issues, insecure storage, and misconfigurations.

Network Testing

Focus on internal and external network infrastructure (routers, firewalls, switches, servers) to identify vulnerabilities like open ports, weak protocols, insecure configurations, or privilege escalation paths.

Physical Pen Testing

Focus on physical security controls — facilities, data centers, office spaces to test access controls like locks, ID checks, cameras, and employee vigilance.

Social Engineering

Focus: Human vulnerabilities and behavior.

Example of Social Engineering

Phishing emails, pretexting phone calls, or impersonation to get login credentials or access to restricted areas.

Static Testing (SAST)

Analyze code without executing it.

Dynamic Testing (DAST)

Analyze application during runtime.

Black Box Testing

No prior knowledge of the system.

White Box Testing

Full access to source code and infrastructure.

Grey Box Testing

Limited internal knowledge (balanced).

Red Team

Offensive security experts simulating attackers.

Blue Team

Defensive security experts protecting the organization.

Buffer Overflow

A vulnerability where more data is written to a buffer than it can hold, potentially overwriting memory and enabling code execution.

Race Conditions

A flaw that occurs when a system’s outcome depends on the timing of uncontrolled events, leading to unexpected or unsafe behavior.

Input Validation

The process of checking user input to ensure it's safe and expected, preventing attacks like XSS, SQL injection, and more.

How to defend Authentication/Authorization Attacks

Use multi-factor auth and role-based access control.

How to fix Password Vulnerabilities

Enforce strong policies, hash + salt storage.

How to fix Authorization Bypass

Validate user permissions on server side.

Client-Side Attacks XSS

An attack where malicious scripts are injected into web pages, executed in the user’s browser to steal data or hijack sessions.

Server-Side Attacks :SQL & Path

SQL Injection manipulates DB queries to access or alter data. Path Traversal accesses files outside intended directories using sequences like ../.

Juice Shop Review

Practice identifying and exploiting common vulnerabilities like injection, access control, XSS, etc.

AI-Generated Code Caution

Always audit and test for vulnerabilities — code from AI may miss security best practices.

Broken Access Control

Example: Users accessing data they shouldn't. Prevention: Enforce server-side access control.

Injection

Example: SQL, command, or path injection. Prevention: Use parameterized queries, input sanitization.

Insecure Design

Example: Unauthenticated endpoints. Prevention: Threat modeling, secure design practices.

Security Misconfiguration

Example: Exposed stack traces. Prevention: Harden systems, review and validate configurations.

Identity and Access Management (IAM)

Authentication Methods: Something you know: Password, Something you have: Token, phone, Something you are: Biometrics.

Multi-Factor Authentication (MFA)

Combines two or more authentication factors for increased security.

Mutual Authentication

Both parties verify each other; prevents man-in-the-middle attacks.

Authentication vs Authorization

Authentication: Verifying identity. Authorization: Determining access rights.

Out-of-Band Authentication

Uses separate channel (e.g., SMS code) for verification.

Linux Password Policies

Options: Minimum length, complexity, expiration, reuse restrictions.

Access Control Models

RBAC (Role-Based Access Control): Access based on user roles.

RBAC

Allow access based on user

Tracking Techniques

Organizations and third parties use various methods to monitor user activity and gather behavioral data.

Mobile Apps Tracking

Often request access to location, contacts, camera, microphone, and storage.

Web Cookies

Small text files stored in your browser that track user sessions and preferences. Third-party (from advertisers) allow cross-site tracking.

DNS Queries

Every website visit involves a DNS request. These can be logged by ISPs or other intermediaries, revealing browsing behavior even if the user uses HTTPS.

Email Pixels

Invisible 1x1 images embedded in emails. When the email is opened, the pixel loads and notifies the sender, revealing when, where, and on what device the email was viewed.

Browser Fingerprints

A set of unique attributes about a user's browser and device that can be combined to identify and track users without cookies.

Collected Data Includes

Browser type and version, screen resolution, installed fonts and plugins, time zone, operating system, and language settings.

Private Browsing (Incognito Mode)

Prevents local storage of browsing history, cookies, and form data. Helpful on shared devices to prevent casual snooping.

Limitations of Private Browsing

Does not stop websites, advertisers, your employer, or your ISP from tracking your activity. Does not block fingerprinting, IP-based tracking, or DNS logging. Does not protect against malware or phishing.

Mobile Privacy

Mobile devices pose unique and significant privacy challenges.

Permissions Model

Apps may ask for permissions that exceed their functionality (e.g., a flashlight app requesting location).

Persistent Identifiers

Devices use unique IDs (IMEI, MAC address, advertising ID) that can be used to track across apps and services.

Background Data Collection

Apps may collect and transmit data even when not in use, such as location and user habits.

Location Tracking

GPS, Wi-Fi networks, and cell towers can be used to pinpoint a user's movements in real-time or over time.

Microphone & Camera Access

Apps with granted permissions can access these features without immediate user interaction.

Laws and Compliance

Legal obligations, protect users, avoid fines and lawsuits.

Consequences of Non-Compliance

Fines, legal action, reputation damage.

Information Security Policy

Components: Title, authorship, date, applicability, scope.

Purpose of Information Security Policy

Outline security requirements and responsibilities.

Control Types

Technical: OS hardening, firewall, access controls. Administrative: Documented policies and procedures. Physical: Badges, security cameras, locked doors.

Key Regulations

HIPAA: Health data protection. PCI-DSS: Payment card security. FERPA: Student education records. GDPR: EU data protection law.

Right to be Forgotten

Users can request erasure of their data.