What are the three main steps in establishing secure baselines for computing resources?
Establish comprehensive security configurations and policies, Deploy these configurations across relevant systems, Maintain and regularly update the baselines.
What types of devices should be considered as hardening targets in security operations?
Mobile Devices, Workstations, Switches, Routers, Cloud Infrastructure, Servers, ICS/SCADA, Embedded Systems, RTOS, IoT Devices, Wireless Devices.
What is the purpose of conducting site surveys and using heat maps in wireless security?
To optimize wireless coverage and performance.
What is Mobile Device Management (MDM) and its purpose?
MDM solutions are implemented to centrally manage and secure mobile devices, applications, and data.
What are the three deployment models for mobile solutions?
Bring Your Own Device (BYOD), Corporate-Owned, Personally Enabled (COPE), Choose Your Own Device (CYOD).
What are some common connection methods for mobile devices?
Cellular, Wi-Fi, Bluetooth.
What are some robust wireless security settings that should be implemented?
Wi-Fi Protected Access 3 (WPA3), AAA/RADIUS, cryptographic and authentication protocols.
What are key practices to ensure application security?
Input validation, secure cookie handling, static code analysis, code signing.
What is the purpose of sandboxing in application security?
To isolate applications from the rest of the system to prevent unauthorized access and mitigate potential security breaches.
What is the importance of continuous monitoring in security operations?
To detect and respond to suspicious activities, anomalies, and security incidents effectively.
What are the key components of the acquisition/procurement process in asset management?
Ownership definition, asset classification, monitoring/asset tracking.
Why is it important to classify assets in asset management?
To ensure appropriate security measures based on their importance, sensitivity, and criticality.
What is the significance of maintaining an inventory of acquired assets?
To facilitate efficient tracking and management of hardware, software, and data.
What is the purpose of data sanitization in asset disposal?
To securely remove sensitive information from decommissioned assets.
What should be done to ensure the destruction of assets during disposal?
Physically destroy assets beyond recovery to prevent unauthorized access to confidential data.
What is the role of certification in asset disposal?
To obtain compliance documentation that validates proper disposal of assets and adherence to regulatory requirements.
What are the key activities associated with vulnerability management?
Identification methods, application security assessments, threat intelligence gathering.
What is a vulnerability scan and its purpose?
An automated assessment that uses scanning tools to identify weaknesses and vulnerabilities in systems, networks, and applications.
What are the two types of application security analysis?
Static Analysis (analyzing source code or binaries without execution) and Dynamic Analysis (assessing applications during runtime).
What is the purpose of package monitoring in application security?
To monitor software dependencies for known vulnerabilities and security issues.
What is Open-Source Intelligence (OSINT) in the context of threat intelligence?
Gathering intelligence from publicly available sources to identify potential threats and vulnerabilities.
What is the benefit of subscribing to proprietary or third-party threat intelligence services?
To stay updated on emerging threats and vulnerabilities.
What is the purpose of an Information-Sharing Organization?
To collaborate with industry peers to share threat intelligence and enhance collective security.
What is the Dark Web in the context of security monitoring?
It refers to underground forums and marketplaces that are monitored to identify potential threats and indicators of compromise.
What is Penetration Testing?
A method to simulate real-world attacks to identify vulnerabilities and assess the security posture of systems and networks.
What is a Bug Bounty Program?
A program that incentivizes ethical hackers to report security vulnerabilities by offering rewards for valid submissions.
What is the purpose of a System/Process Audit?
To conduct comprehensive reviews of systems, processes, and controls to identify security gaps and compliance issues.
What is a False Positive in security analysis?
Instances where a reported vulnerability does not pose an actual threat.
What is a False Negative in security analysis?
Undetected vulnerabilities that represent genuine security risks.
How do you prioritize identified vulnerabilities?
By assessing and prioritizing them based on their severity, impact, and exploitability.
What is the Common Vulnerability Scoring System (CVSS)?
A standardized framework used to assess and score the severity of vulnerabilities.
What does Common Vulnerability Enumeration (CVE) refer to?
Unique identifiers assigned to vulnerabilities for tracking and management.
What is Vulnerability Classification?
The categorization of vulnerabilities based on their nature, impact, and affected assets.
What is the Exposure Factor?
An evaluation of the potential impact of a vulnerability based on the percentage of assets or data exposed.
What are Environmental Variables in vulnerability assessment?
Contextual factors such as network architecture, system configurations, and user behavior.
What does Risk Tolerance mean in an organizational context?
The level of risk that an organization is willing to accept or tolerate.
What is the purpose of Patching in vulnerability management?
To apply security patches and updates to remediate identified vulnerabilities promptly.
How does Insurance relate to security risk management?
It transfers residual risk through coverage against potential financial losses from security incidents.
What is Segmentation in network security?
The implementation of network segmentation to isolate vulnerable assets and contain potential threats.
What are Compensating Controls?
Alternative security measures implemented to mitigate risks in the absence of direct remediation.
What is Rescanning?
The reassessment of systems and networks after applying remediation measures to verify effectiveness.
What is the purpose of Reporting in vulnerability management?
To document and communicate findings, remediation efforts, and risk status to relevant stakeholders, management, and regulatory authorities.
What does Log Aggregation involve?
The collection and consolidation of logs from various sources for centralized analysis and monitoring.
What is the function of Alerting in security monitoring?
To set up alerts and notifications to promptly identify and respond to security incidents, anomalies, or deviations from established baselines.
What is the purpose of scanning in cybersecurity?
To conduct regular scans of systems and networks to identify vulnerabilities, misconfigurations, and security weaknesses.
What is the role of reporting in cybersecurity?
To generate reports and dashboards that provide insights into system performance, security posture, and compliance status.
Why is archiving important in cybersecurity?
To archive logs, reports, and other relevant data for historical analysis, compliance requirements, and forensic investigations.
What does quarantine mean in the context of cybersecurity?
To isolate compromised systems or devices to prevent further spread of malware or unauthorized access.
What is alert tuning?
The process of fine-tuning alerting thresholds and criteria to reduce false positives and focus on actionable alerts.
What is the Security Content Automation Protocol (SCAP)?
A standardized protocol for automating vulnerability management, security measurement, and policy compliance evaluation.
How are benchmarks used in cybersecurity?
To assess and measure the security configuration of systems and applications using security benchmarks and best practices.
What is the difference between agent and agentless monitoring?
Agent-based solutions employ monitoring agents to collect data, while agentless solutions do not require installation of agents.
What is the function of a Security Information and Event Management (SIEM) system?
A centralized platform for collecting, correlating, and analyzing security event data from various sources for threat detection and response.
What is the purpose of antivirus software?
To detect, prevent, and remove malicious software and threats from systems and networks.
How do SNMP traps function in network management?
They are used to monitor and manage network devices and receive notifications about significant events or conditions.
What is NetFlow used for in cybersecurity?
To analyze network traffic patterns, identify anomalies, and detect potential security threats.
What is the purpose of vulnerability scanners?
To identify security vulnerabilities and weaknesses within systems, applications, and networks using automated tools.
What are firewall rules?
Policies and regulations governing traffic flow between networks, specifying what is allowed or denied based on predefined criteria.
What are access lists in the context of firewalls?
Lists of rules that determine which traffic is permitted or denied based on source and destination IP addresses, ports, and protocols.
How do screened subnets enhance security?
By implementing security zones with layered defenses, typically consisting of a screening router or firewall between internal and external networks.
What is the function of IDS/IPS systems?
To analyze patterns and behaviors to detect and prevent potential security threats and attacks in real-time.
What is the role of web filters in cybersecurity?
To monitor and filter web traffic based on predefined policies and rules.
What is URL scanning in web filtering?
The process of inspecting URLs in web traffic to identify and block malicious or suspicious websites based on reputation and content.
What are block rules in web filtering?
Defined rules to block access to specific websites, web applications, or content categories based on policy requirements.
How is website reputation evaluated in cybersecurity?
By assessing the risk level associated with accessing websites and URLs to determine their safety.
What is Group Policy used for in Windows-based systems?
To enforce security settings, configurations, and restrictions across a network.
What does SELinux stand for and what is its purpose?
Security-Enhanced Linux; it implements mandatory access control policies to confine processes and enforce security policies on Linux-based systems.
What secure communication protocols should be chosen for encrypting data in transit?
Protocols such as HTTPS and SSH.
How should firewall rules be configured for secure protocols?
Allow only essential ports for secure protocols while blocking unnecessary or vulnerable ports.
What transport methods should be used to encrypt data transmission?
Secure transport methods like TLS/SSL.
What is the purpose of DNS Filtering?
To filter and block malicious or unauthorized DNS requests, preventing access to malicious domains.
What does DMARC stand for and what is its function?
Domain-based Message Authentication, Reporting, and Conformance; it detects and prevents email spoofing and phishing attacks.
How does DKIM work in email security?
It verifies the authenticity of email messages by adding digital signatures to email headers.
What is the role of SPF in email security?
Sender Policy Framework; it verifies the sender's domain and prevents email spoofing by defining authorized mail servers.
What is File Integrity Monitoring?
Monitoring and detecting unauthorized changes or modifications to files and system configurations.
What does DLP stand for and what does it do?
Data Loss Prevention; it prevents unauthorized access, use, or transmission of sensitive data.
What is the purpose of NAC?
Network Access Control; it enforces security policies to regulate access to network resources based on identity and compliance status.
What does EDR/XDR stand for and what is its function?
Endpoint Detection and Response/Extended Detection and Response; it monitors and responds to security threats on endpoints.
What is User Behavior Analytics used for?
To analyze user behavior patterns to detect anomalies and identify insider threats.
What is the importance of Permission Assignments in user account management?
They define user permissions and access rights based on job roles, ensuring appropriate access to resources.
What is Identity Proofing?
Verifying the identity of users before granting access to sensitive systems or data.
What is Federation in the context of identity management?
Enabling single sign-on (SSO) across multiple domains or organizations using trusted identity providers.
What is Single Sign-On (SSO)?
A method that allows users to access multiple applications with a single set of login credentials.
What is LDAP used for?
Lightweight Directory Access Protocol; it is used for accessing and managing directory information services.
What does OAuth allow users to do?
Grant third-party applications limited access to their resources without revealing their credentials.
What is SAML and what is its purpose?
Security Assertion Markup Language; it is an XML-based standard for exchanging authentication and authorization data.
What does interoperability ensure in identity and access management systems?
Compatibility and seamless integration between different systems and protocols.
What is attestation in the context of security?
Verifying the accuracy and validity of user permissions and access rights through regular reviews and audits.
What is Mandatory Access Control (MAC)?
An access control model that enforces access restrictions based on security labels assigned to users and resources, typically used in highly secure environments.
How does Discretionary Access Control (DAC) function?
It allows resource owners to determine access permissions for users at their own discretion.
What is Role-Based Access Control (RBAC)?
An access control model that assigns access rights to users based on their roles within an organization, streamlining access management and ensuring least privilege.
What is Rule-Based Access Control?
An access control model that defines access rules and policies based on specific conditions or criteria.
What is Attribute-Based Access Control?
An access control model that determines access rights based on user attributes such as job title, department, or location.
What are Time-of-Day Restrictions?
Controls that restrict user access to resources based on specific time periods or schedules.
What does the principle of Least Privilege entail?
Granting users the minimum level of access required to perform their job functions, reducing the risk of unauthorized access and privilege escalation.
What is Multifactor Authentication (MFA)?
An authentication method that enhances security by requiring users to provide multiple forms of verification before accessing resources.
What are some implementations of MFA?
Biometrics, Hard/Soft Authentication Tokens, and Security Keys.
What are biometrics in authentication?
Methods that authenticate users based on unique biological characteristics such as fingerprints, iris patterns, or facial recognition.
What are Hard/Soft Authentication Tokens?
Hardware or software tokens that generate one-time passwords or cryptographic keys to verify user identity.