Sec+ Set D Sec Ops

Last updated 5:50 PM on 3/28/26

50 Terms

1. Secure Baseline

A documented minimum security configuration standard for a device type. All new devices must meet the baseline before deployment. Drift from the baseline must be detected and remediated. CIS Benchmarks provide industry-standard baselines.

2. Hardening

Reducing a system’s attack surface. Steps - change default credentials, disable unnecessary services and ports, remove unused software, apply patches, enable logging, restrict user permissions, enable the host firewall.

3. Patch Management

Process of identifying, testing, and applying software updates to fix vulnerabilities. Critical patches are applied urgently. Non-critical patches follow the change management process. Unpatched systems are the leading cause of breaches.

4. Vulnerability Scanning

Automated testing of systems to identify known vulnerabilities, misconfigurations, and missing patches. Produces a prioritised list using CVSS scores. Must be authenticated for complete results. Run regularly and after changes.

5. Penetration Testing

Authorised simulated attack attempting to exploit vulnerabilities. Goes beyond scanning to actually exploit weaknesses. Types - black box (no prior knowledge), white box (full knowledge), grey box (partial knowledge).

6. Penetration Testing Phases

Reconnaissance (information gathering), Scanning (identify targets), Exploitation (attack), Post-exploitation (lateral movement, persistence), Reporting (document findings and recommendations).

7. Vulnerability Management Lifecycle

Identify (scanning) - Analyse (prioritise by CVSS and context) - Remediate (patch, mitigate, or accept) - Verify (rescan to confirm fix) - Report (document and communicate).

8. False Positive

A security alert indicating a threat that does not actually exist. Wastes analyst time. Too many false positives cause alert fatigue. Detection rules must be tuned to reduce false positives without missing real threats.

9. False Negative

A real threat that is not detected by security controls. More dangerous than a false positive. Must be minimised through comprehensive detection coverage.

10. EDR (Endpoint Detection and Response)

Security solution monitoring endpoints for suspicious activity, recording events, and enabling rapid investigation and response. Goes beyond traditional antivirus to detect behavioural anomalies.

11. XDR (Extended Detection and Response)

Extends EDR across multiple security layers - endpoints, network, email, cloud. Correlates data from multiple sources for comprehensive threat detection and response.

12. SIEM (Security Information and Event Management)

Centralised platform aggregating, correlating, and analysing security logs. Real-time alerting, dashboards, and forensic investigation. Requires tuning to reduce false positives. Examples - Splunk, Microsoft Sentinel, IBM QRadar.

13. SOAR (Security Orchestration, Automation and Response)

Automates repetitive security tasks and incident response workflows. Works alongside a SIEM. Can automatically contain threats (block IP, isolate endpoint) without human intervention.

14. DLP (Data Loss Prevention)

Technology preventing unauthorised transmission of sensitive data. Monitors network traffic, email, endpoints, and cloud storage. Blocks or alerts on attempts to send PII, credit card numbers, or classified data.

15. NAC (Network Access Control)

Controls which devices can access the network based on compliance with security policies. Checks - antivirus current, OS patched, encryption enabled. Non-compliant devices are quarantined to a remediation VLAN.

16. DNS Filtering

Blocking access to malicious or prohibited domains at the DNS level. Prevents connections to known malware C2 servers, phishing sites, and inappropriate content. Low overhead, effective first line of defence.

17. Firewall Types

Packet filtering (Layer 3-4, stateless), Stateful inspection (tracks connection state), Application-layer/proxy (Layer 7 aware), NGFW (combines all with IDS/IPS, app awareness, user identity).

18. IDS vs IPS

IDS (Intrusion Detection System) - passive, out-of-band, alerts only. IPS (Intrusion Prevention System) - inline, active, blocks traffic. An IDS cannot stop attacks. An IPS can, but may block legitimate traffic (false positives).

19. Signature-Based Detection

Compares activity against a database of known attack patterns. Fast and accurate for known threats. Cannot detect unknown or zero-day attacks. Requires regular signature updates.

20. Anomaly-Based (Heuristic) Detection

Establishes a baseline of normal behaviour and alerts on deviations. Can detect unknown threats. Higher false positive rate. Used alongside signature-based detection.

21. Identity and Access Management (IAM)

Framework managing digital identities and controlling access to resources. Covers - provisioning, authentication, authorisation, deprovisioning. Principle of least privilege applied throughout.

22. Provisioning

Creating and configuring user accounts and granting appropriate access when users join an organisation. Must follow least privilege. Often automated through HR system integration.

23. Deprovisioning

Removing a user’s access when they leave an organisation or change roles. Critical security step - must be timely. Accounts that are not deprovisioned become orphaned accounts that can be exploited.

24. MFA (Multifactor Authentication)

Requires two or more factors from different categories. Something you know (password/PIN). Something you have (token, smart card, phone). Something you are (biometrics). Significantly reduces account compromise risk.

25. MFA - TOTP (Time-based One-Time Password)

Codes changing every 30 seconds based on a shared secret and the current time. Authenticator apps (Google Authenticator, Authy). Vulnerable to phishing if codes are entered on fake sites.

26. MFA - Push Notification

Authentication app sends a push notification for user approval. Convenient. Vulnerable to MFA fatigue attacks (bombing the user with requests until they approve).

27. MFA - Hardware Token

Physical device generating one-time codes. Example - RSA SecurID. More secure than software tokens. Not vulnerable to malware on the user’s phone.

28. MFA - FIDO2/WebAuthn

Phishing-resistant MFA standard. Uses public key cryptography. The private key never leaves the device. Examples - YubiKey, Windows Hello, passkeys. The most secure MFA method.

29. Privileged Access Management (PAM)

Controls and monitors access to privileged accounts (admin, root). Features - just-in-time access, credential vaulting, session recording, approval workflows. Limits standing privilege.

30. Just-In-Time (JIT) Access

Privileged access granted only when needed and automatically revoked after a set time. Reduces risk from standing admin accounts. Part of a PAM strategy.

31. SSO (Single Sign-On)

Authenticate once, access multiple applications. Improves user experience. Centralises authentication risk - an SSO compromise affects all linked apps. Requires strong primary authentication.

32. Federation

Extending authentication trust across organisational boundaries. Example - logging into a third-party app using corporate credentials. Protocols - SAML, OAuth, OIDC.

33. SAML (Security Assertion Markup Language)

XML-based standard for exchanging authentication data between an Identity Provider (IdP) and a Service Provider (SP). Used for enterprise SSO and federated identity.

34. OAuth 2.0

Authorisation framework allowing third-party apps limited access to user accounts without exposing credentials. Example - Sign in with Google. Delegates authorisation, not authentication.

35. OpenID Connect (OIDC)

Authentication layer built on top of OAuth 2.0. Provides authentication (who you are) while OAuth provides authorisation (what you can do). Used for modern SSO.

36. Incident Response Process

Preparation - Identification - Containment - Eradication - Recovery - Lessons Learned (PICERL). Each phase has specific actions and must be documented.

37. Incident Response - Preparation

Developing the IR plan, training the team, establishing communication channels, acquiring tools, and conducting tabletop exercises before an incident occurs.

38. Incident Response - Identification

Detecting and confirming that an incident has occurred. Sources - SIEM alerts, user reports, threat intelligence. Determine the scope and type of the incident.

39. Incident Response - Containment

Limiting the spread and impact of the incident. Short-term - isolate affected systems. Long-term - patch vulnerabilities. Balance containment with preserving evidence.

40. Incident Response - Eradication

Removing the threat from the environment. Delete malware, close vulnerabilities, remove attacker persistence mechanisms. Verify the threat is fully removed before recovery.

41. Incident Response - Recovery

Restoring systems to normal operation from clean backups. Verify systems are clean. Monitor closely for recurrence. May involve a gradual rollback of containment measures.

42. Incident Response - Lessons Learned

Post-incident review documenting what happened, what worked, what failed, and how to improve. Must occur promptly while details are fresh. Updates the IR plan and controls.

43. Digital Forensics

Collection and analysis of digital evidence following proper procedures to maintain admissibility in legal proceedings. Must preserve evidence integrity using chain of custody.

44. Chain of Custody

Documentation tracking who had access to evidence, when, and what was done with it. Maintains evidence integrity. Breaks in the chain of custody can make evidence inadmissible.

45. Order of Volatility

Priority for collecting digital evidence from most to least volatile. Registers/cache - RAM - Swap/page file - Hard disk - Remote logging - Archival media. Collect the most volatile first as it disappears fastest.

46. Log Analysis

Reviewing system, application, and security logs to identify anomalies, trace attacks, and support investigations. Key logs - authentication logs, firewall logs, web server logs, system event logs.

47. Threat Hunting

Proactively searching for hidden threats that have evaded automated detection. Hypothesis-driven. Uses threat intelligence, analytics, and manual investigation. Assumes an assume-breach mentality.

48. Threat Intelligence

Information about current and emerging threats. Used to improve detection and defence. Sources - ISACs, vendor feeds, dark web monitoring, government agencies (CISA).

49. Sandboxing

Executing suspicious code in an isolated environment to observe its behaviour without risk to production systems. Used for malware analysis and application testing.

50. Automation and Orchestration

Using scripts and tools to automate repetitive security tasks. Benefits - faster response, consistency, scalability, reduced human error. Risks - an automated response may cause unintended consequences.
