Forum Discussion
studying for APM beta exam, question on first two objectives
anyone else around studying for the beta APM (304) exam? as with the previous ones i'm using the blueprint as the basis for my studying. this time i even have the course study guide, though it was a bit disappointing, mainly focusing on configuring and not on theory.
but as before the blueprint throws some interesting curve balls. starting with the first objective:
- Objective 1.01 - Explain how APM mitigates common attack vectors and methodologies (e.g., cookie hijacking [front and back], DoS attack)
i searched every resource i could find, but nowhere are these terms even mentioned in combination with APM. am i overlooking some document somewhere? it reads like this is just taken from some product promotion document :) if there isn't some document, what other common attack vectors and methodologies can you think of?
based on some research i came up with these attacks:
- brute forcing (username / password)
- insufficient authentication
- insufficient session expiration
- badly written authentication code / input validation
as for mitigation:
- cookie hijacking (front and back) - use secure / httponly flag, use correct domain and path
- DoS attack - use the default BIG-IP options, use iRule (less sure about this one, but don't see how APM itself does anything against a DoS attack, or does defend your backend systems from one of course)
- brute forcing (password / username) - per default the APM module protects you, with iRules you can make it more robust
- insufficient authentication - per default the APM module protects what is behind it
- insufficient session expiration - you can configure expiration and log off URI
- badly written authentication code / input validation - by default APM provides a well checked and proven authentication framework
the second objective feels like a double of the first
- Objective 1.02 - Identify which APM tool(s) should be used to mitigate a specific authentication attack
or does anyone have a different idea here?
stuff like this always bothers me with these blueprints, using totally different terms than anywhere else like "APM tool" and talking about matters like authentication attack without explaining what exactly. the same goes with the first objective, talking about these attack vectors and methodologies like everyone knows what they are.
objective 1.02 has an interesting sub section also: "Compare authentication methods"
again, which authentication method? are we talking like password, token, certificate or biometric here or more like HTTP-basic, HTTP-digest and form based ... this annoys me.
DISCLAIMER: i'm not trying to get answers to actual exam questions here, i'm just looking for general information based on the blueprints.
some useful links:
- http://cwe.mitre.org/documents/sources/WASCThreatClassificationTaxonomyGraphic.pdf
- http://ict.govt.nz/guidance-and-resources/standards-compliance/authentication-standards/guidance-multi-factor-authentication/4-authentication-attac/
- http://pic.dhe.ibm.com/infocenter/sprotect/v2r8m0/topic/com.ibm.ips.doc/concepts/wap_authentication.htm
- Seth_Cooper (Employee)
Hi boneyard,
I took the beta exam a few weeks ago (don't think they will be scored for a while) and I had the same concerns while studying for the exam. I didn't study a whole lot for it since it is a beta exam and those types of exams sort of drive me crazy because not all questions are good questions (and it is hard to get a read on how you did :)... )
For the first sections I looked and just reviewed different web attack vectors not necessarily tied to F5 APM. I think the stuff you listed above seems like you are on the right track. Are you taking the beta or waiting until it is in production?
Either way... good luck when you do take it!
Seth
- Chamiho (Nimbostratus)
Good to hear about the 304 exam. I am planning to take this also.
Let's discuss this. For my question:
Objective 1.01 - Explain how APM mitigates common attack vectors and methodologies (e.g., cookie hijacking [front and back], DoS attack)
- For F5 products, I think it will mention ASM, since ASM can protect with APM by session tracking function and Brute Force Login attack.
Objective 1.02 - Identify which APM tool(s) should be used to mitigate a specific authentication attack
- Virtual Keyboard / Two-Factor Auth / Email OTP / CAPTCHA Auth / Geolocation and time-based control.