UNIT 2
Vulnerabilities & Risk Assessment
Application security risks, types of vulnerable applications, and OWASP Top 10 vulnerabilities. Each answer below is structured for 10-mark depth.
Q1
What is Application Security? Explain the types of applications that require security.
10 Marks
โพ
Definition
Application Security is the process of developing, adding, and testing security features within applications to prevent security vulnerabilities against threats such as unauthorized access, data breaches, and malicious manipulation.
Application security is critical across all software types as attackers increasingly target apps to exploit sensitive user data, disrupt services, or gain unauthorized access.
Types of Applications Requiring Security
- Web Applications: Accessible via browsers and are high-risk targets. Common threats include SQL Injection (SQLi), Cross-Site Scripting (XSS), and session hijacking. Because they are publicly accessible, they represent the largest attack surface.
- Mobile Applications: Run on Android/iOS devices and require protection for locally stored data, secure API communication, and prevention of reverse engineering or tampering of the APK/IPA binary.
- Cloud Applications: Includes SaaS, PaaS, and IaaS platforms. Security concerns include misconfigured storage buckets, improper access controls, and insecure data transmission between cloud services.
- API-Driven Applications: APIs enable communication between different systems. They are critical targets for data interception and unauthorized access if not properly authenticated and rate-limited.
- Containerized Applications: Applications running in Kubernetes or Docker environments. They need protection against container escape vulnerabilities, image tampering, and misconfigured container permissions.
- IoT (Internet of Things) Applications: Software that controls smart devices (cameras, sensors, smart home equipment). Often lacks robust security, making them vulnerable to malware and botnet recruitment.
- Desktop Applications: Software installed directly on endpoints. May handle sensitive user data and can be vulnerable to local privilege escalation, insecure storage, and reverse engineering.
Key Point for Exam: Each application type faces unique threats. Web apps face injection/XSS; mobile apps face reverse engineering; cloud faces misconfiguration; IoT lacks built-in security mechanisms.
Q2
What are Application Security Risks? Explain the OWASP Top 10 risks in detail.
10 Marks
โพ
Definition
Application Security Risks are vulnerabilities in software that allow attackers to compromise data, disrupt services, or gain unauthorized access. The OWASP (Open Web Application Security Project) publishes the Top 10 most critical risks.
OWASP Top 10 Application Security Risks
| # | Risk | Description | Example |
|---|---|---|---|
| 1 | Broken Access Control | Restrictions on authenticated users are improperly enforced, allowing attackers to access unauthorized functionality or data. | A normal user accessing admin pages by modifying the URL. |
| 2 | Cryptographic Failures | Inadequate protection of sensitive data (financial, PII) due to weak encryption or poor key management. | Storing passwords in plain text or using MD5 hashing. |
| 3 | Injection Flaws | Untrusted data is sent to an interpreter as a command. Includes SQL, NoSQL, OS, LDAP injections. | SQL Injection: ' OR '1'='1 bypasses login. |
| 4 | Insecure Design | Flaws in the application's architecture that cannot be fixed by implementation alone โ requires secure design from the start. | No rate-limiting on password reset, allowing brute force. |
| 5 | Security Misconfiguration | Insecure default configurations, open cloud storage, misconfigured HTTP headers, or unnecessary features enabled. | Default admin credentials left unchanged on a server. |
| 6 | Vulnerable & Outdated Components | Using libraries, frameworks, or software components with known security weaknesses (unpatched CVEs). | Using an old version of OpenSSL with Heartbleed vulnerability. |
| 7 | Identification & Authentication Failures | Weaknesses that allow attackers to compromise passwords, keys, or session tokens to assume user identities. | No multi-factor authentication, allowing credential stuffing attacks. |
| 8 | Software & Data Integrity Failures | Code or infrastructure that does not protect against integrity violations, such as insecure CI/CD pipelines or untrusted update mechanisms. | Attacker injects malicious code into a software update. |
| 9 | Security Logging & Monitoring Failures | Insufficient detection, logging, and alerting that prevents timely response to breaches. | No logs of failed login attempts, so a brute-force attack goes undetected. |
| 10 | Server-Side Request Forgery (SSRF) | The application fetches a remote resource without validating the user-supplied URL, allowing attackers to target internal systems. | An attacker forces the server to access internal metadata service at 169.254.169.254. |
Mitigation Strategy: Proactive security testing (penetration testing, code reviews) and secure coding practices (input validation, parameterized queries, least-privilege access) are essential to mitigate these risks.
Q3
Explain Injection Flaws and Broken Access Control with examples.
10 Marks
โพ
1. Injection Flaws
Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
- SQL Injection (SQLi): Malicious SQL statements inserted into an input field.
Example: Login form input' OR '1'='1' --bypasses authentication by making the SQL query always true. - NoSQL Injection: Targets NoSQL databases like MongoDB using JSON-based payloads.
- OS Command Injection: Attacker runs system-level commands through the application.
- LDAP Injection: Manipulates LDAP queries to bypass authentication or access directory information.
Prevention: Use parameterized queries / prepared statements, input validation, and least-privilege database accounts.
2. Broken Access Control
Broken Access Control occurs when restrictions on what authenticated users are allowed to do are not properly enforced, allowing attackers to access unauthorized functionality or data.
- Horizontal Privilege Escalation: User A accesses User B's data by changing a URL parameter (e.g.,
/account?id=1002โ/account?id=1003). - Vertical Privilege Escalation: A regular user accesses admin-only functionality by guessing or manipulating URLs.
- Insecure Direct Object Reference (IDOR): Application exposes internal implementation objects (file names, database keys) directly.
- Missing Function-Level Access Control: APIs don't enforce access controls on sensitive endpoints.
Prevention: Deny access by default, enforce access control server-side, log access violations, and regularly test access controls.
Q4
Describe Cryptographic Failures, Security Misconfiguration, and SSRF vulnerabilities.
10 Marks
โพ
1. Cryptographic Failures
Previously called "Sensitive Data Exposure." Relates to failures in cryptography that lead to exposure of sensitive data such as passwords, credit card numbers, health records, or personal information.
- Transmitting data in plain text (using HTTP instead of HTTPS).
- Using weak or deprecated cryptographic algorithms (MD5, SHA1, DES).
- Poor key management โ hardcoded keys in source code.
- Not enforcing encryption at rest for sensitive database fields.
Prevention: Use strong algorithms (AES-256, RSA-2048), enforce HTTPS/TLS, store passwords using bcrypt/scrypt/Argon2, and properly manage encryption keys.
2. Security Misconfiguration
The most commonly seen issue. Results from insecure default configurations, incomplete configurations, open cloud storage, misconfigured HTTP headers, or verbose error messages.
- Default credentials not changed (admin/admin).
- Unnecessary features, ports, services enabled.
- Verbose error messages revealing stack traces to users.
- Open S3 buckets in cloud environments exposing sensitive files.
- Missing security headers like Content-Security-Policy, HSTS.
Prevention: Harden configuration, disable unused features, automate configuration audits, and regularly review cloud resource permissions.
3. Server-Side Request Forgery (SSRF)
SSRF flaws occur when a web application fetches a remote resource based on user-supplied input without validating the URL. This lets attackers force the server to make requests to unintended locations โ including internal systems.
- Attacker provides URL pointing to internal services:
http://192.168.1.1/admin - Access cloud metadata services:
http://169.254.169.254/latest/meta-data/(common in AWS) - Can be used to scan internal networks, bypass firewalls, or access credentials.
Prevention: Validate and sanitize all client-supplied URLs, use allowlists for permitted domains, disable HTTP redirections, and enforce network segmentation.
UNIT 3
Incident Response Planning
Cyber Incident Response lifecycle, phases, planning steps, technologies, and strategies โ structured for 10-mark exam answers.
Q5
What is Cyber Incident Response? Explain its importance and common types of cyber incidents.
10 Marks
โพ
Definition
Cyber Incident Response (CIR) is a structured and systematic approach used by organizations to detect, manage, and recover from cybersecurity incidents that threaten the confidentiality, integrity, or availability of information systems.
A cyber incident may include events such as malware infections, ransomware attacks, phishing campaigns, data breaches, insider threats, or Distributed Denial-of-Service (DDoS) attacks.
Main Goal
To minimize damage, reduce recovery time and costs, protect organizational reputation, and prevent similar incidents from occurring in the future โ following the NIST lifecycle model.
Common Types of Cyber Incidents
Malware Attacks
Ransomware
Phishing
Data Breaches
DDoS Attacks
Insider Threats
Unauthorized Access
- Malware Attacks: Malicious software (viruses, trojans, ransomware, spyware) that disrupts, damages, or gains unauthorized access to systems.
- Phishing & Social Engineering: Deceptive emails or messages that trick users into revealing credentials or installing malware. Example: Fake bank emails with malicious links.
- Data Breaches: Unauthorized access to confidential data โ customer records, financial info, intellectual property.
- DDoS (Distributed Denial of Service): Floods a server or network with traffic from multiple sources to make services unavailable to legitimate users.
- Insider Threats: Malicious or negligent actions by employees, contractors, or business partners with internal access.
- Unauthorized Access: An attacker gains access to systems, networks, or data without permission โ often through stolen credentials.
Why Incident Response is Important
- Reduces financial losses from breaches, downtime, and regulatory fines.
- Protects organizational reputation by demonstrating control and responsibility.
- Ensures legal and regulatory compliance (GDPR, HIPAA, ISO 27001).
- Minimizes downtime and business disruption.
- Improves future security posture through lessons learned.
Q6
Explain the phases of the Incident Response lifecycle (NIST model) in detail.
10 Marks
โพ
NIST Incident Response Lifecycle
The National Institute of Standards and Technology (NIST) recommends a 6-phase incident response lifecycle that provides a structured, cyclical approach to handling cybersecurity incidents.
Phase 1
Preparation
Develop IR plan, train staff, deploy monitoring tools (SIEM, IDS), define communication channels. Build the foundation BEFORE incidents occur.
Phase 2
Identification
Detect suspicious activity, analyze logs, confirm whether an incident occurred, determine scope and impact. Collect and interpret evidence.
Phase 3
Containment
Isolate affected systems, disable compromised accounts, prevent further spread. Short-term and long-term containment strategies.
Phase 4
Eradication
Remove malware, patch vulnerabilities, close security gaps. Ensure the root cause is completely eliminated from the environment.
Phase 5
Recovery
Restore systems from backups, monitor for recurring issues, return to normal operations. Verify systems are clean before bringing back online.
Phase 6
Lessons Learned
Document the incident, conduct a post-mortem review, update the plan and controls to prevent recurrence and improve future responses.
Detailed Phase Breakdown
- Preparation: This is the most important phase. Develop an incident response policy, create playbooks for common threats (ransomware, phishing), define roles and responsibilities, train the CSIRT (Computer Security Incident Response Team), and deploy SIEM/IDS tools.
- Identification: Monitor systems continuously. When an alert fires, analysts determine if it's a true positive incident โ not just a false alarm. They analyze logs, network traffic, and user behavior to determine the scope and severity.
- Containment: Act quickly to prevent the incident from spreading. This may involve isolating affected machines from the network, blocking malicious IPs, or disabling compromised user accounts.
- Eradication: After containment, fully remove the threat. This includes deleting malware, patching the exploited vulnerability, resetting compromised credentials, and closing entry points.
- Recovery: Restore affected systems from clean backups and bring services back online in a controlled manner. Monitor closely for any signs of re-infection.
- Lessons Learned: After recovery, the team holds a review meeting to document what happened, how it was handled, what worked, and what needs improvement. The IR plan is updated accordingly.
Remember: The lifecycle is cyclical โ Lessons Learned feeds back into better Preparation for future incidents.
Q7
Describe the steps/process of Incident Response Planning in detail.
10 Marks
โพ
Definition
Incident Response Planning is the process of creating a comprehensive, documented plan that guides an organization in detecting, responding to, and recovering from cybersecurity incidents in a structured and effective manner.
10 Steps of Incident Response Planning
- Establish Objectives and Scope: Define what the plan aims to protect (data, systems, networks). Identify critical assets and business priorities. Determine which types of incidents are covered (malware, insider threats, DDoS, etc.).
- Develop an Incident Response Policy: Create a formal policy approved by senior management. Define authority levels and decision-making structure. Align with standards such as NIST SP 800-61 or ISO/IEC 27035.
- Form the Incident Response Team (IRT): Assign clear roles โ Incident Manager, Security Analysts, IT Support, Legal & Compliance, Communication/PR. Define contact details and escalation paths for each role.
- Identify Critical Assets and Risks: Conduct risk assessments to identify vulnerabilities and potential threats. Prioritize systems based on their impact and sensitivity to the organization.
- Develop Response Procedures and Playbooks: Create step-by-step procedures for common incident types (ransomware, phishing, data breach). Include containment, eradication, and recovery instructions. Define evidence handling procedures (chain of custody for forensics).
- Implement Detection and Monitoring Tools: Deploy SIEM systems, Intrusion Detection Systems (IDS), and Endpoint Detection & Response (EDR). Set up alert mechanisms and define logging policies.
- Establish a Communication Plan: Define internal communication channels. Prepare notification templates for management, employees, customers, and regulatory authorities. Plan for media handling if a major breach occurs.
- Training and Awareness: Conduct regular employee security training. Perform incident response drills and tabletop simulations to test team readiness.
- Testing and Review: Perform tabletop exercises and penetration testing. Identify gaps in the existing plan and update it regularly.
- Plan Maintenance and Continuous Improvement: Review the plan after every incident. Update based on lessons learned. Adapt to new threats and evolving technologies.
Key Exam Point: A good IR plan is a living document โ it must be continuously tested, updated, and improved. A plan that is never tested is as dangerous as having no plan.
Q8
Explain the Incident Response Technologies used in cybersecurity.
10 Marks
โพ
Definition
Incident Response Technologies are specialized tools and systems used to detect, analyze, contain, and recover from cybersecurity incidents. They form the technical backbone of modern cybersecurity defense.
Key Technologies
| Technology | Full Form | Function | Best For |
|---|---|---|---|
| SIEM | Security Information and Event Management | Collects and correlates logs and security data from across systems. Helps teams spot real threats and reduce alert noise. | Early threat detection and centralized analysis. |
| SOAR | Security Orchestration, Automation, and Response | Automates repetitive response tasks and integrates multiple security tools. Defines automated playbooks for known incident types. | Reducing analyst workload, faster automated response. |
| EDR | Endpoint Detection and Response | Monitors and protects individual devices against threats that bypass traditional antivirus. Collects endpoint telemetry and can quarantine infected systems. | Device-level threat detection and isolation. |
| XDR | Extended Detection and Response | Expands detection across endpoints, networks, cloud, and other sources in a unified system. Detects complex multi-vector threat patterns. | Unified visibility and cross-environment response. |
| UEBA | User and Entity Behavior Analytics | Uses machine learning to identify abnormal behavior by users or devices that may indicate insider threats or compromised accounts. | Detecting insider threats and account compromise. |
| IDS/IPS | Intrusion Detection/Prevention Systems | IDS monitors network traffic for suspicious patterns and generates alerts. IPS actively blocks suspicious traffic in real-time. | Network-level threat monitoring and blocking. |
Importance of These Technologies
- Faster Detection: Helps catch threats before they spread widely across the network.
- Automated Responses: Reduces manual analyst workload and speeds up mitigation actions through automation.
- Better Coordination: Provides responders with contextual insights and unified views of attacks across the entire environment.
SIEM vs SOAR: SIEM collects and correlates data (detection focus). SOAR automates the response actions after detection. In modern environments, they work together โ SIEM feeds alerts into SOAR for automated orchestrated response.
Q9
Explain the Incident Response Strategy and its essential elements for success.
10 Marks
โพ
Definition
An Incident Response Strategy is a comprehensive, high-level plan that defines how an organization will detect, respond to, and recover from cybersecurity incidents using a structured, cyclical approach โ minimizing damage and improving resilience over time.
Key Phases of an IR Strategy
- Preparation: Develop policies, identify critical assets, train the CSIRT (Computer Security Incident Response Team), and set up tools for detection and analysis. This phase creates the foundation for all subsequent phases.
- Detection and Analysis: Continuously monitor systems to identify potential security incidents. Determine the incident's scope and severity. Classify the type of attack.
- Containment, Eradication, and Recovery: Isolate affected systems to prevent spread, eliminate the threat (malware/attacker presence), restore services safely from clean backups.
- Post-Incident Activity: Document everything, conduct a "lessons learned" review with all stakeholders, and update the strategy to improve future responses.
Essential Elements for a Successful IR Strategy
- Defined Roles: Clearly identify who is responsible for declaring an incident, managing communications, executing technical tasks (forensics, remediation), and legal obligations. Without defined roles, response becomes chaotic.
- Incident Playbooks: Specific, step-by-step instructions for common scenarios like ransomware attacks, phishing incidents, insider threats, or data breaches. Playbooks eliminate guesswork under pressure.
- Communication Plan: Establish secure, out-of-band communication channels for the IR team. Regular corporate email may be compromised during an incident. Include templates for notifying management, staff, customers, and regulators.
- Documentation: Keep a detailed incident log tracking all actions taken. This is critical for legal and forensic purposes, regulatory compliance reporting, and future improvement.
- Regular Training: Conduct tabletop exercises to simulate real incidents and test the plan. Ensures team members know their roles and can act confidently without referring to documentation every step.
Real-World Note: A key reason many organizations fail during incidents is the absence of out-of-band communication. If attackers control email servers, the incident team cannot coordinate โ always have a secondary communication channel (Signal, encrypted chat, phone tree).
QUICK
Last-Minute Reference
Key definitions, acronyms, and comparisons โ review this 30 minutes before the exam.
AโZ
All Key Acronyms & Definitions
Quick Ref
โพ
| Acronym | Full Form | One-Line Purpose |
|---|---|---|
| OWASP | Open Web Application Security Project | Organization that publishes the Top 10 application security risks. |
| SQLi | SQL Injection | Inserting malicious SQL to manipulate database queries. |
| XSS | Cross-Site Scripting | Injecting malicious scripts into web pages viewed by other users. |
| SSRF | Server-Side Request Forgery | Forcing server to make requests to internal/unintended systems. |
| NIST | National Institute of Standards and Technology | US body that defines cybersecurity frameworks and IR guidelines. |
| CIR | Cyber Incident Response | Structured approach to detect, manage, and recover from incidents. |
| CSIRT | Computer Security Incident Response Team | The dedicated team that handles cybersecurity incidents. |
| IRT | Incident Response Team | Broader term for the team executing the IR plan. |
| SIEM | Security Information and Event Management | Centralized log collection, correlation, and threat detection. |
| SOAR | Security Orchestration, Automation, and Response | Automates IR workflows and integrates security tools. |
| EDR | Endpoint Detection and Response | Monitors and responds to threats on individual devices. |
| XDR | Extended Detection and Response | Unified detection across endpoints, networks, and cloud. |
| UEBA | User and Entity Behavior Analytics | ML-based detection of abnormal user/device behavior. |
| IDS | Intrusion Detection System | Monitors traffic and alerts on suspicious activity. |
| IPS | Intrusion Prevention System | Monitors and actively blocks suspicious traffic. |
| DDoS | Distributed Denial of Service | Flood attack from multiple sources to bring down services. |
| IDOR | Insecure Direct Object Reference | Accessing another user's data by manipulating object IDs. |
| CVE | Common Vulnerabilities and Exposures | Public database of known security vulnerabilities. |
| CI/CD | Continuous Integration / Continuous Deployment | Software delivery pipeline โ target for integrity failures. |
| IoT | Internet of Things | Network of smart devices โ often poorly secured. |
โ
OWASP Top 10 โ Memory Aid (In Order)
Quick Ref
โพ
Memorize these in order โ they're likely to appear in list-type questions.
- Broken Access Control โ Users accessing what they shouldn't
- Cryptographic Failures โ Weak encryption / plain-text sensitive data
- Injection โ SQL, NoSQL, OS command injection
- Insecure Design โ Architectural flaws, no threat modeling
- Security Misconfiguration โ Default creds, open cloud storage
- Vulnerable & Outdated Components โ Unpatched libraries
- Identification & Authentication Failures โ Weak passwords, no MFA
- Software & Data Integrity Failures โ Insecure CI/CD, bad updates
- Security Logging & Monitoring Failures โ No alerts, no audit logs
- Server-Side Request Forgery (SSRF) โ Server fetches attacker-controlled URLs
IR
IR Phases Summary โ NIST 6-Phase Model
Quick Ref
โพ
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned
| Phase | Key Actions | Timing |
|---|---|---|
| Preparation | Policies, training, tools deployment, playbooks | Before incident |
| Identification | Detect, analyze, confirm, determine scope | During / onset |
| Containment | Isolate systems, disable accounts, block IPs | Immediately after detection |
| Eradication | Remove malware, patch vulns, close gaps | After containment |
| Recovery | Restore from backups, verify, monitor | After eradication |
| Lessons Learned | Post-mortem, update plan, improve controls | After recovery |