DC Incentro Cyber Security 08-08-2022


This lesson contains 86 slides, with interactive quizzes and text slides.

Items in this lesson

Slide 1 - Slide

Slide 2 - Slide

Slide 3 - Slide

Slide 4 - Slide

Slide 5 - Slide

Slide 6 - Slide

Slide 7 - Slide

Slide 8 - Slide

Slide 9 - Slide

Slide 10 - Slide

Slide 11 - Slide

Slide 12 - Slide

Slide 13 - Slide

Slide 14 - Slide

Why should you always lock your computer screen when you step away from your computer?
A
Someone can add or delete files from your computer
B
Colleagues might use your computer to announce that you're buying lunch for everyone!
C
An unauthorized person can have access to confidential client data
D
You save power!

Slide 15 - Quiz

Slide 16 - Slide

What does the “https://” at the beginning of a URL denote, as opposed to “http://” (without the “s”)?
A
That the site is the newest version available
B
That information entered into the site is encrypted
C
The site is not accessible to certain computers
D
That the site has special high definition

Slide 17 - Quiz

Slide 18 - Slide

What is not an element of cyber security?
A
confidentiality
B
reproducibility
C
integrity
D
integrity

Slide 19 - Quiz

Slide 20 - Slide

What is an example of shadow IT?
A
a hacker group
B
Joining an online meeting with not enough light so your face cannot be seen
C
Having an IT job that is highly confidential so you can't talk about it at social gatherings
D
Using your kids' school tablet to join an online meeting

Slide 21 - Quiz

Slide 22 - Slide

A memory leak is an example of a cyber security issue
A
False, it is a bug in the code
B
True, a hacker can use it to take down your application
C
False, my code never has memory leaks
D
It's Mark Rutte not recollecting major political things

Slide 23 - Quiz

Slide 24 - Slide

HTTPS is helpful for?
A
For preventing CSRF attacks
B
For preventing XSS attacks
C
For preventing SQL injections
D
For preventing sniffing attacks

Slide 25 - Quiz

Slide 26 - Slide

Slide 27 - Slide

The best way to store passwords is by
A
Make sure that POST, PUT, PATCH & DELETE calls are idempotent
B
Transmit the CSRF token by only using cookies
C
Generate the CSRF token on the service-side and require a custom HTTP header per request
D
Only permit HTTPS requests

Slide 28 - Quiz

Slide 29 - Slide

Slide 30 - Slide

Slide 31 - Slide

Which of the following is the most secure password option?
A
X.509 certificate
B
Welkom2007
C
hI678gbCV#?$%:t:u7?3H%>-3tH(e3SksNr.b#
D
pointed-silica-womb-garden

Slide 32 - Quiz

Slide 33 - Slide

I can use my API key in multiple locations without security issues
A
Yes, API keys are secure by design
B
Yes, but only in related services
C
Nope, usage in multiple places gives a higher risk of a security breach

Slide 34 - Quiz

Slide 35 - Slide

To make account management easier I should create a single user for my whole team
A
Yes, this ensures that if people leave the team we still have the credentials
B
Yes, I can then easily onboard people by sharing the same password
C
No, because I don't like sharing
D
No, because this will hide who does what

Slide 36 - Quiz

Slide 37 - Slide

I only need to think about securing my API if and when I make it public
A
TRUE
B
FALSE

Slide 38 - Quiz

Slide 39 - Slide

Slide 40 - Slide

If I find a cool open source library I can use it without problems, as long as it has many GitHub stars
A
True, many GitHub stars mean that lots of people use it, so any issues will be quickly fixed
B
False, I still need to review the code itself before using it
C
False, I also need to look at when the latest update happened to make sure it is still up to date

Slide 41 - Quiz

Slide 42 - Slide

What flaw can lead to exposure of resources or functionality to unintended actors?
A
Improper Authentication
B
Session Fixation
C
Insecure Cryptographic Storage
D
Unvalidated Redirects and Forwards

Slide 43 - Quiz

Slide 44 - Slide

What security risk is GraphQL known for?
A
DoS attacks using expensive queries
B
Apollo Server having major security holes in major version releases
C
GraphQL doesn't support JWT tokens
D
Blabla, REST is better, blabla

Slide 45 - Quiz

Slide 46 - Slide

What information can you trust from a JWT you received?
A
The user ID
B
The expiration date
C
The algorithm that was used to sign it
D
Everything, as long as you validate the signature with your private key.

Slide 47 - Quiz

Slide 48 - Slide

What should you do to keep your Angular application up to date regarding security?
A
Nothing, Angular got you covered
B
Keep current with the latest Angular library releases
C
Use a 3rd party library
D
Don't modify your copy of Angular

Slide 49 - Quiz

Slide 50 - Slide

An unexpected result when two actions do not occur in the same order is called what?
A
De-referencing
B
A race condition
C
An insecure function
D
Improper error handling

Slide 51 - Quiz

Slide 52 - Slide

Logging is only meant to tell me my code is misbehaving
A
True, it is only written so a developer can see what is happening
B
False, it can also be used as a reporting tool
C
False, it can also give insights in common and unexpected usage of my code

Slide 53 - Quiz

Slide 54 - Slide

I should commit passwords with my code as my repository is protection enough
A
TRUE
B
FALSE

Slide 55 - Quiz

Slide 56 - Slide

I should provide as much information in my error message as possible
A
True, this makes debugging easier
B
False, this would make the payload larger than necessary
C
False, this might expose the behaviour of my code

Slide 57 - Quiz

Slide 58 - Slide

Which statement is true?
A
REST APIs should deny access by default, except public resources
B
JWT tokens can manually be invalidated
C
The following header is valid, “Access-Control-Alllow-origin: https://*.website.com”
D
Limiting the rate of API access does not minimize the harm from automated attack tooling

Slide 59 - Quiz

Slide 60 - Slide

Slide 61 - Slide

Slide 62 - Slide

You just received an email that looks phishy, what do you do with it?
A
Report it to information-security-nl@incentro.com
B
Ignore it and throw it in the digital bin
C
Report it through the Google phishing report button
D
Click all the available links to investigate where it came from so you can report them.

Slide 63 - Quiz

Slide 64 - Slide

You just received an email that looks phishy, and have clicked the link... now what?
A
Report it to information-security-nl@incentro.com
B
Ignore it and throw it in the digital bin
C
Report it through the Google phishing report button
D
Click all the available links to investigate where it came from so you can report them.

Slide 65 - Quiz

Slide 66 - Slide

What is the most common cause of IT security breaches?
A
Hackers
B
Code errors
C
Human behavior
D
Phishing emails

Slide 67 - Quiz

Slide 68 - Slide

Which threat vector is most commonly exploited by attackers who are at a distance?
A
email
B
direct access
C
wireless
D
Removable media

Slide 69 - Quiz

Slide 70 - Slide

Which ones are valid web security vulnerabilities?
A
CSRF
B
XSS
C
UDP
D
SSRF

Slide 71 - Quiz

Slide 72 - Slide

What should you do to protect a React application against XSS attacks?
A
Sanitize all the user content strings you output
B
Nothing, React has built-in XSS protection
C
Throw an error if a user tries to input characters like `<>`
D
alert(1);

Slide 73 - Quiz

Slide 74 - Slide

Which signs should I check in order to recognize a phishing email?
A
The time it was sent
B
Content poorly written, often with misspelling
C
Including suspicious links and/or attachments
D
Sent by a wrong domain

Slide 75 - Quiz

Slide 76 - Slide

Spoofing a WiFi access point is also called?
A
An evil twin attack
B
Pineapple attack
C
A keystroke injection
D
Nmap scan attack

Slide 77 - Quiz

Slide 78 - Slide

Slide 79 - Slide

To prevent a CSRF attack, a web application should?
A
Make sure that POST, PUT, PATCH & DELETE calls are idempotent
B
Transmit the CSRF token by only using cookies
C
Generate the CSRF token on the service-side and require a custom HTTP header per request
D
Only permit HTTPS requests

Slide 80 - Quiz

Slide 81 - Slide

Slide 82 - Slide

Which statement is true?
A
REST APIs should deny access by default, except public resources
B
JWT tokens can manually be invalidated
C
The following header is valid, “Access-Control-Alllow-origin: https://*.website.com”
D
Limiting the rate of API access does not minimize the harm from automated attack tooling

Slide 83 - Quiz

Slide 84 - Slide

Slide 85 - Slide

Slide 86 - Slide