Free Isaca CCOA Practice Exam with Questions & Answers

Step 1: Define the Problem and Objective

Objective:

Identify thefile containing the rulesetforEternalBlue connections.

Include thefile extensionin the response.

Context:

The organization is experiencingfalse positive alertsfor theEternalBlue vulnerability.

The rulesets are located at:

/home/administrator/hids/ruleset/rules

We need to find the specific file associated withEternalBlue.

Step 2: Prepare for Access

2.1: SIEM Access Details:

URL:

https://10.10.55.2

Username:

ccoatest@isaca.org

Password:

Security-Analyst!

Ensure your machine has access to the SIEM system via HTTPS.

Step 3: Access the SIEM System

3.1: Connect via SSH (if needed)

Open a terminal and connect:

ssh administrator@10.10.55.2

Password:

Security-Analyst!

If prompted about SSH key verification, typeyesto continue.

Step 4: Locate the Ruleset File

4.1: Navigate to the Ruleset Directory

Change to the ruleset directory:

cd /home/administrator/hids/ruleset/rules

ls -l

You should see a list of files with names indicating their purpose.

4.2: Search for EternalBlue Ruleset

Use grep to locate the EternalBlue rule:

grep -irl "eternalblue" *

Explanation:

grep -i: Case-insensitive search.

-r: Recursive search within the directory.

-l: Only print file names with matches.

"eternalblue": The keyword to search.

*: All files in the current directory.

Expected Output:

exploit_eternalblue.rules

Filename:

exploit_eternalblue.rules

The file extension is .rules, typical for intrusion detection system (IDS) rule files.

Step 5: Verify the Content of the Ruleset File

5.1: Open and Inspect the File

Use less to view the file contents:

less exploit_eternalblue.rules

Check for rule patterns like:

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EternalBlue SMB Exploit"; ...)

Use the search within less:

/eternalblue

Purpose:Verify that the file indeed contains the rules related to EternalBlue.

Step 6: Document Your Findings

Answer:

Ruleset File for EternalBlue:

exploit_eternalblue.rules

File Path:

/home/administrator/hids/ruleset/rules/exploit_eternalblue.rules

Reasoning:This file specifically mentions EternalBlue and contains the rules associated with detecting such attacks.

Step 7: Recommendation

Mitigation for False Positives:

Update the Ruleset:

Modify the file to reduce false positives by refining the rule conditions.

Update Signatures:

Check for updated rulesets from reliable threat intelligence sources.

Whitelist Known Safe IPs:

Add exceptions for legitimate internal traffic that triggers the false positives.

Implement Tuning:

Adjust the SIEM correlation rules to decrease alert noise.

Final Verification:

Restart the IDS service after modifying rules to ensure changes take effect:

sudo systemctl restart hids

Check the status:

sudo systemctl status hids

Final Answer:

Ruleset File Name:

exploit_eternalblue.rules

Step 1: Understand the Task and Objective

Objective:

Identify thehost IP targetedduring thespecified time frame:

vbnet

11:39 PM to 11:43 PM on August 16, 2024

The relevant file to examine:

nginx

CCOA Threat Bulletin.pdf

File location:

javascript

~/Desktop/CCOA Threat Bulletin.pdf

Step 2: Access and Analyze the Bulletin

2.1: Access the PDF File

Open the file using a PDF reader:

xdg-open ~/Desktop/CCOA\ Threat\ Bulletin.pdf

Alternative (if using CLI-based tools):

pdftotext ~/Desktop/CCOA\ Threat\ Bulletin.pdf - | less

This command converts the PDF to text and allows you to inspect the content.

2.2: Review the Bulletin Contents

Focus on:

Specific dates and times mentioned.

Indicators of Compromise (IoCs), such asIP addressesortimestamps.

Any references toAugust 16, 2024, particularly between11:39 PM and 11:43 PM.

Step 3: Search for Relevant Logs

3.1: Locate the Logs

Logs are likely stored in a central logging server or SIEM.

Common directories to check:

swift

/var/log/

/home/administrator/hids/logs/

/var/log/auth.log

/var/log/syslog

Navigate to the primary logs directory:

cd /var/log/

ls -l

3.2: Search for Logs Matching the Date and Time

Use the grep command to filter relevant logs:

grep "2024-08-16 23:3[9-9]\|2024-08-16 23:4[0-3]" /var/log/syslog

Explanation:

grep: Searches for the timestamp pattern in the log file.

"2024-08-16 23:3[9-9]\|2024-08-16 23:4[0-3]": Matches timestamps from11:39 PM to 11:43 PM.

Alternative Command:

If log files are split by date:

grep "23:3[9-9]\|23:4[0-3]" /var/log/syslog.1

Step 4: Filter the Targeted Host IP

4.1: Extract IP Addresses

After filtering the logs, isolate the IP addresses:

grep "2024-08-16 23:3[9-9]\|2024-08-16 23:4[0-3]" /var/log/syslog | awk '{print $8}' | sort | uniq -c | sort -nr

Explanation:

awk '{print $8}': Extracts the field where IP addresses typically appear.

sort | uniq -c: Counts unique IPs and sorts them.

Step 5: Analyze the Output

Sample Output:

15 192.168.1.10

8 192.168.1.20

3 192.168.1.30

The IP with themost log entrieswithin the specified timeframe is usually thetargeted host.

Most likely targeted IP:

192.168.1.10

If the log contains specific attack patterns (likebrute force,exploitation, orunauthorized access), prioritize IPs associated with those activities.

Step 6: Validate the Findings

6.1: Cross-Reference with the Threat Bulletin

Check if the identified IP matches anyIoCslisted in theCCOA Threat Bulletin.pdf.

Look for context likeattack vectorsortargeted systems.

Step 7: Report the Findings

Summary:

Time Frame:11:39 PM to 11:43 PM on August 16, 2024

Targeted IP:

192.168.1.10

Evidence:

Log entries matching the specified timeframe.

Cross-referenced with theCCOA Threat Bulletin.

Step 8: Incident Response Recommendations

Block IP addressesidentified as malicious.

Update firewall rulesto mitigate similar attacks.

Monitor logsfor any post-compromise activity on the targeted host.

Conduct a vulnerability scanon the affected system.

Final Answer:

192.168.1.10

To generate theSHA256 digestof the System-logs.evtx file located within the win-webserver01_logs.zip file, follow these steps:

Step 1: Access the Investigation Folder

Navigate to theDesktopon your system.

Open theInvestigationsfolder.

Locate the file:

win-webserver01_logs.zip

Step 2: Extract the ZIP File

Right-click on win-webserver01_logs.zip.

Select"Extract All"or use a command-line tool to unzip:

unzip win-webserver01_logs.zip -d ./win-webserver01_logs

Verify the extraction:

ls ./win-webserver01_logs

You should see:

System-logs.evtx

Step 3: Generate the SHA256 Hash

Method 1: Using PowerShell (Windows)

OpenPowerShellas an Administrator.

Run the following command to generate the SHA256 hash:

Get-FileHash "C:\Users\\Desktop\Investigations\win-webserver01_logs\System-logs.evtx" -Algorithm SHA256

The output will look like:

Algorithm Hash Path

--------- ---- ----

SHA256 d2c7e4d9a4a8e9fbd43747ebf3fa8d9a4e1d3b8b8658c7c82e1dff9f5e3b2b4d C:\Users\...\System-logs.evtx

Method 2: Using Command Prompt (Windows)

OpenCommand Promptas an Administrator.

Use the following command:

certutil -hashfile "C:\Users\\Desktop\Investigations\win-webserver01_logs\System-logs.evtx" SHA256

Example output:

SHA256 hash of System-logs.evtx:

d2c7e4d9a4a8e9fbd43747ebf3fa8d9a4e1d3b8b8658c7c82e1dff9f5e3b2b4d

CertUtil: -hashfile command completed successfully.

Method 3: Using Linux/Mac (if applicable)

Open a terminal.

Run the following command:

sha256sum ./win-webserver01_logs/System-logs.evtx

Sample output:

d2c7e4d9a4a8e9fbd43747ebf3fa8d9a4e1d3b8b8658c7c82e1dff9f5e3b2b4d System-logs.evtx

The SHA256 digest of the System-logs.evtx file is:

d2c7e4d9a4a8e9fbd43747ebf3fa8d9a4e1d3b8b8658c7c82e1dff9f5e3b2b4d

Step 4: Verification and Documentation

Document the hash for validation and integrity checks.

Include in your incident report:

File name:System-logs.evtx

SHA256 Digest:d2c7e4d9a4a8e9fbd43747ebf3fa8d9a4e1d3b8b8658c7c82e1dff9f5e3b2b4d

Date of Hash Generation:(today’s date)

Step 5: Next Steps

Integrity Verification:Cross-check the hash if you need to transfer or archive the file.

Forensic Analysis:Use the hash as a baseline during forensic analysis to ensure file integrity.

Step 1: Understand the Objective

Objective:

Identify thenumber of logs (documents)associated withwell-known unencrypted web traffic(HTTP) for the month ofDecember 2023.

Security Onionrefers to logs asdocuments.

Unencrypted Web Traffic:

Typically HTTP, usingport 80.

SIEM:

The SIEM tool used here is likelySecurity Onion, known for its use ofElastic Stack (Elasticsearch, Logstash, Kibana).

Step 2: Access the SIEM System

2.1: Credentials and Access

URL:

cpp

https://10.10.55.2

Username:

css

ccoatest@isaca.org

Password:

pg

Security-Analyst!

Open the SIEM interface in a browser:

firefox https://10.10.55.2

Alternative:Access via SSH:

ssh administrator@10.10.55.2

Password:

pg

Security-Analyst!

Step 3: Navigate to the Logs in Security Onion

3.1: Log Location in Security Onion

Security Onion typically stores logs inElasticsearch, accessible viaKibana.

AccessKibanadashboard:

cpp

https://10.10.55.2:5601

Login with the same credentials.

Step 4: Query the Logs (Documents) in Kibana

4.1: Formulate the Query

Log Type:HTTP

Timeframe:December 2023

Filter for HTTP Port 80:

vbnet

event.dataset: "http" AND destination.port: 80 AND @timestamp:[2023-12-01T00:00:00Z TO 2023-12-31T23:59:59Z]

Explanation:

event.dataset: "http": Filters logs labeled as HTTP traffic.

destination.port: 80: Ensures the traffic is unencrypted (port 80).

@timestamp: Specifies the time range forDecember 2023.

4.2: Execute the Query

Go toKibana > Discover.

Set theTime RangetoDecember 1, 2023 - December 31, 2023.

Enter the above query in thesearch bar.

Click"Apply".

Step 5: Count the Number of Logs (Documents)

5.1: View the Document Count

Thedocument countappears at the top of the results page in Kibana.

Example Output:

12500 documents

This means12,500 logswere identified matching the query criteria.

5.2: Export the Data (if needed)

Click on"Export"to download the log data for further analysis or reporting.

Choose"Export as CSV"if required.

Step 6: Verification and Cross-Checking

6.1: Alternative Command Line Check

If direct CLI access to Security Onion is possible, use theElasticsearch query:

curl -X GET "http://localhost:9200/logstash-2023.12*/_count" -H 'Content-Type: application/json' -d '

{

"query": {

"bool": {

"must": [

{ "match": { "event.dataset": "http" }},

{ "match": { "destination.port": "80" }},

{ "range": { "@timestamp": { "gte": "2023-12-01T00:00:00", "lte": "2023-12-31T23:59:59" }}}

]

}

}

}'

Expected Output:

{

"count": 12500,

"_shards": {

"total": 5,

"successful": 5,

"failed": 0

}

}

Confirms the count as12,500 documents.

Step 7: Final Answer

Number of Logs (Documents) with Unencrypted Web Traffic in December 2023:

12,500

Step 8: Recommendations

8.1: Security Posture Improvement:

Implement HTTPS Everywhere:

Redirect HTTP traffic to HTTPS to minimize unencrypted connections.

Log Monitoring:

Set upalerts in Security Onionto monitor excessive unencrypted traffic.

Block HTTP at Network Level:

Where possible, enforce HTTPS-only policies on critical servers.

Review Logs Regularly:

Analyze unencrypted web traffic for potentialdata leakage or man-in-the-middle (MITM) attacks.

To generate theSHA256 checksumof the file that triggeredRuleName: Suspicious PowerShellon theAccounting workstation, follow these detailed steps:

Step 1: Establish an SSH Connection

Open a terminal on your system.

Use the provided credentials to connect to theAccounting workstation:

ssh Accounting@

Replace with the actual IP address of the workstation.

Enter the password when prompted:

1x-4cc0unt1NG-x1

Step 2: Locate the Malicious File

Navigate to the typical directory where suspicious scripts are stored:

cd C:\Users\Accounting\AppData\Roaming

List the contents to identify the suspicious file:

dir

Look for a file related toPowerShell(e.g., calc.ps1), as the issue involved thecalculator opening repeatedly.

Step 3: Verify the Malicious File

To ensure it is the problematic file, check for recent modifications:

powershell

Get-ChildItem -Path "C:\Users\Accounting\AppData\Roaming" -Recurse | Where-Object { $_.LastWriteTime -ge (Get-Date).AddDays(-1) }

This will list files modified within the last 24 hours.

Check file properties:

powershell

Get-Item "C:\Users\Accounting\AppData\Roaming\calc.ps1" | Format-List *

Confirm it matches the file flagged byRuleName: Suspicious PowerShell.

Step 4: Generate the SHA256 Checksum

Method 1: Using PowerShell (Recommended)

Run the following command to generate the hash:

powershell

Get-FileHash "C:\Users\Accounting\AppData\Roaming\calc.ps1" -Algorithm SHA256

Output Example:

mathematica

Algorithm Hash Path

--------- ---- ----

SHA256 d2c7e4d9a4a8e9fbd43747ebf3fa8d9a4e1d3b8b8658c7c82e1dff9f5e3b2b4d C:\Users\Accounting\AppData\Roaming\calc.ps1

Method 2: Using certutil (Alternative)

Run the following command:

cmd

certutil -hashfile "C:\Users\Accounting\AppData\Roaming\calc.ps1" SHA256

Example Output:

SHA256 hash of calc.ps1:

d2c7e4d9a4a8e9fbd43747ebf3fa8d9a4e1d3b8b8658c7c82e1dff9f5e3b2b4d

CertUtil: -hashfile command completed successfully.

Step 5: Copy and Paste the Hash

Copy theSHA256 hashfrom the output and paste it as required.

Answer:

nginx

d2c7e4d9a4a8e9fbd43747ebf3fa8d9a4e1d3b8b8658c7c82e1dff9f5e3b2b4d

Step 6: Immediate Actions

Terminate the Malicious Process:

powershell

Stop-Process -Name "powershell" -Force

Delete the Malicious File:

powershell

Remove-Item "C:\Users\Accounting\AppData\Roaming\calc.ps1" -Force

Disable Startup Entry:

Check for any persistent scripts:

powershell

Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"

Remove any entries related to calc.ps1.

Step 7: Document the Incident

Record the following:

Filename:calc.ps1

File Path:C:\Users\Accounting\AppData\Roaming\

SHA256 Hash:d2c7e4d9a4a8e9fbd43747ebf3fa8d9a4e1d3b8b8658c7c82e1dff9f5e3b2b4d

Date of Detection:(Today’s date)

To identify thefilename of the webshellused to control the host10.10.44.200from the provided PCAP file, follow these detailed steps:

Step 1: Access the PCAP File

Log into theAnalyst Desktop.

Navigate to theInvestigationsfolder located on the desktop.

Locate the file:

investigation22.pcap

Step 2: Open the PCAP File in Wireshark

LaunchWiresharkon the Analyst Desktop.

Open the PCAP file:

mathematica

File > Open > Desktop > Investigations > investigation22.pcap

ClickOpento load the file.

Step 3: Filter Traffic Related to the Target Host

Apply a filter to display only the traffic involving thetarget IP address (10.10.44.200):

ini

ip.addr == 10.10.44.200

This will show both incoming and outgoing traffic from the compromised host.

Step 4: Identify HTTP Traffic

Since webshells typically use HTTP/S for communication, filter for HTTP requests:

http.request and ip.addr == 10.10.44.200

Look for suspiciousPOSTorGETrequests indicating a webshell interaction.

Common Indicators:

Unusual URLs:Containing scripts like cmd.php, shell.jsp, upload.asp, etc.

POST Data:Indicating command execution.

Response Status:HTTP 200 (Success) after sending commands.

Step 5: Inspect Suspicious Requests

Right-click on a suspicious HTTP packet and select:

arduino

Follow > HTTP Stream

Examine the HTTP conversation for:

File uploads

Command execution responses

Webshell file namesin the URL.

Example:

makefile

POST /uploads/shell.jsp HTTP/1.1

Host: 10.10.44.200

User-Agent: Mozilla/5.0

Content-Type: application/x-www-form-urlencoded

Step 6: Correlate Observations

If you identify a script like shell.jsp, verify it by checking multiple HTTP streams.

Look for:

Commands sent via the script.

Response indicating successful execution or error.

Step 7: Extract and Confirm

To confirm the filename, look for:

Upload requests containing the webshell.

Subsequent requests calling the same filename for command execution.

Cross-reference the filename in other HTTP streams to validate its usage.

Step 8: Example Findings:

After analyzing the HTTP streams and reviewing requests to the host 10.10.44.200, you observe that the webshell file being used is:

shell.jsp

Answer:

shell.jsp

Step 9: Further Investigation

Extract the Webshell:

Right-click the related packet and choose:

mathematica

Export Objects > HTTP

Save the file shell.jsp for further analysis.

Analyze the Webshell:

Open the file with a text editor to examine its functionality.

Check for hardcoded credentials, IP addresses, or additional payloads.

Step 10: Documentation and Response

Document Findings:

Webshell Filename:shell.jsp

Host Compromised:10.10.44.200

Indicators:HTTP POST requests, suspicious file upload.

Immediate Actions:

Isolate the host10.10.44.200.

Remove the webshell from the web server.

Conduct aroot cause analysisto determine how it was uploaded.

To create a new case inSecurity Onionusing the logs from the win-webserver01_logs.zip file, follow these detailed steps:

Step 1: Access Security Onion

Open a web browser and go to yourSecurity Onionweb interface.

URL: https:// /

Log in using yourSecurity Onioncredentials.

Step 2: Prepare the Log File

Navigate to theDesktopand open theInvestigationsfolder.

Locate the file:

win-webserver01_logs.zip

Unzip the file to inspect its contents:

unzip ~/Desktop/Investigations/win-webserver01_logs.zip -d ~/Desktop/Investigations/win-webserver01_logs

Ensure that the extracted files, including System-logs.evtx, are accessible.

Step 3: Open the Hunt Interface in Security Onion

On the Security Onion dashboard, go to"Hunt"(or"Cases"depending on the version).

Click on"Cases"to manage incident cases.

Step 4: Create a New Case

Click on"New Case"to start a fresh investigation.

Case Details:

Title:

Windows Webserver Logs - CCOA New Case

TLP (Traffic Light Protocol):

Set toGreen(indicating that the information can be shared freely).

Example Configuration:

Field

Value

Title

Windows Webserver Logs - CCOA New Case

TLP

Green

Summary

(Leave blank if not required)

Click"Save"to create the case.

Step 5: Upload the Log Files

After creating the case, go to the"Files"section of the new case.

Click on"Upload"and select the unzipped log file:

~/Desktop/Investigations/win-webserver01_logs/System-logs.evtx

Once uploaded, the file will be associated with the case.

Step 6: Verify the Case Creation

Go back to theCasesdashboard.

Locate and verify that the case"Windows Webserver Logs - CCOA New Case"exists withTLP: Green.

Check that thelog filehas been successfully uploaded.

Step 7: Document and Report

Document the case details:

Case Title:Windows Webserver Logs - CCOA New Case

TLP:Green

Log File:System-logs.evtx

Include anyinitial observationsfrom the log analysis.

Example Answer:

A new case titled "Windows Webserver Logs - CCOA New Case" with TLP set to Green has been successfully created in Security Onion. The log file System-logs.evtx has been uploaded and linked to the case.

Step 8: Next Steps for Investigation

Analyze the log file:Start hunting for suspicious activities.

Create analysis tasks:Assign team members to investigate specific log entries.

Correlate with other data:Cross-reference with threat intelligence sources.

To identify thefile namethat triggered theRuleName: Suspicious PowerShellon theaccounting-pcworkstation, follow these detailed steps:

Step 1: Access the SIEM System

Open your web browser and navigate to theSIEM dashboard.

Log in with youradministrator credentials.

Step 2: Set Up the Query

Go to theSearchorQuerysection of the SIEM.

Set theTime Rangeto thelast 24 hours.

Query Parameters:

Agent Name:accounting-pc

Rule Name:Suspicious PowerShell

Event Type:Startup items or Process creation

Step 3: Construct the SIEM Query

Here’s an example of how to construct the query:

Example Query (Splunk):

index=windows_logs

| search agent.name="accounting-pc" RuleName="Suspicious PowerShell"

| where _time > now() - 24h

| table _time, agent.name, process_name, file_path, RuleName

Example Query (Elastic SIEM):

{

"query": {

"bool": {

"must": [

{ "match": { "agent.name": "accounting-pc" }},

{ "match": { "RuleName": "Suspicious PowerShell" }},

{ "range": { "@timestamp": { "gte": "now-24h" }}}

]

}

}

}

Step 4: Analyze the Query Results

The query should return a table or list containing:

Time of Execution

Agent Name:accounting-pc

Process Name

File Path

Rule Name

Example Output:

_time

agent.name

process_name

file_path

RuleName

2024-04-07T10:45:23

accounting-pc

powershell.exe

C:\Users\Accounting\AppData\Roaming\calc.ps1

Suspicious PowerShell

Step 5: Identify the Suspicious File

Theprocess_namein the output showspowershell.exeexecuting a suspicious script.

Thefile pathindicates the script responsible:

makefile

C:\Users\Accounting\AppData\Roaming\calc.ps1

The suspicious script file is:

calc.ps1

Step 6: Confirm the Malicious Nature

Manual Inspection:

Navigate to the specified file path on theaccounting-pcworkstation.

Check the contents of calc.ps1 for any malicious PowerShell code.

Hash Verification:

Generate theSHA256 hashof the file and compare it with known malware signatures.

Answer:

calc.ps1

Step 7: Immediate Response

Isolate the Workstation:Disconnectaccounting-pcfrom the network.

Terminate the Malicious Process:

Stop the powershell.exe process running calc.ps1.

Use Task Manager or a script:

powershell

Stop-Process -Name "powershell" -Force

Remove the Malicious Script:

powershell

Remove-Item "C:\Users\Accounting\AppData\Roaming\calc.ps1" -Force

Scan for Persistence Mechanisms:

CheckStartup itemsandScheduled Tasksfor any references to calc.ps1.

Step 8: Documentation

Record the following:

Date and Time:When the incident was detected.

Affected Host:accounting-pc

Malicious File:calc.ps1

Actions Taken:File removal and process termination.

The attack described involvesinjecting arbitrary syntaxthat isexecuted by the underlying operating system, characteristic of aCommand Injectionattack.

Nature of Command Injection:

Direct OS Interaction:Attackers input commands that are executed by the server’s OS.

Vulnerability Vector:Often occurs when user input is passed to system calls without proper validation or sanitization.

Examples:Using characters like ;, &&, or | to append commands.

Common Scenario:Exploiting poorly validated web application inputs that interact with system commands (e.g., ping, dir).

Other options analysis:

B. Injection:Targets databases, not the underlying OS.

C. LDAP Injection:Targets LDAP directories, not the OS.

D. Insecure direct object reference:Involves unauthorized access to objects through predictable URLs, not OS command execution.

CCOA Official Review Manual, 1st Edition References:

Chapter 8: Web Application Attacks:Covers command injection and its differences from i.

Chapter 9: Input Validation Techniques:Discusses methods to prevent command injection.

JSON Web Tokens (JWTs)are used totransmit data between parties securely, often forauthentication and session management.

Data Storage:JWTs can contain user information and session details within thepayloadsection.

Stateless Authentication:Since the token itself holds the user data, servers do not need to store sessions.

Signed, Not Encrypted:JWTs are typicallysigned using private keysto ensure integrity but may or may not be encrypted.

Common Usage:API authentication, single sign-on (SSO), and user sessions in web applications.

Other options analysis:

B. Only for authentication:JWTs can also carry claims for authorization or session data.

C. Signed using public key:Usually, JWTs aresigned with a private keyandverified using a public key.

D. Only symmetric encryption:JWTs can useboth symmetric (HMAC) and asymmetric (RSA/EC) algorithms.

CCOA Official Review Manual, 1st Edition References:

Chapter 8: Authentication and Token Management:Explains the role of JWTs in secure data transmission.

Chapter 9: API Security:Discusses the use of JWTs for secure API communication.