Cybersecurity Techniques
34 Questions

Questions and Answers

What is the main advantage of serverless computing?

  • It abstracts infrastructure management, allowing developers to focus solely on writing and deploying code (correct)
  • It detects malicious software based on behavior
  • It enables multiple operating systems and applications to run on a single physical server
  • It improves process efficiency in security operations

Virtualization involves creating an actual version of something, such as a server, operating system, storage device, or network resources.

False (B)

Match the following cloud computing concepts with their descriptions:

  • Serverless = A cloud computing model where the cloud provider dynamically manages the allocation of resources
  • Virtualization = Involves creating a virtual version of something, such as a server, operating system, storage device, or network resources
  • Containerization = OS-level virtualization method where applications and their dependencies are packaged into containers

What is the purpose of sending reports to stakeholders regularly and promptly?

To develop action plans (D)

Top 10 lists of vulnerabilities are used to track zero-day vulnerabilities.

False (B)

What do Service Level Objectives (SLOs) define in a vulnerability management program?

Goals for timely remediation

Memorandums of Understanding (MOUs) and Service Level Agreements (SLAs) can conflict with _______________________ schedules.

patching

Which of the following is a critical stakeholder for incident response?

Legal (D)

Legacy and proprietary systems always have available patches.

False (B)

Match the following stakeholders with their roles in incident response:

  • Legal = Advises on legal implications and compliance requirements
  • Public Relations = Manages communication with customers, media, and the public
  • Regulatory Bodies = Ensure compliance with reporting requirements

What do action plans based on reports include?

Tasks like configuration management, patching, implementing compensating controls, awareness training, and aligning with business requirements

What is the purpose of conducting a business impact analysis in cybersecurity?

To assess the probability of each risk occurring and the potential magnitude of its impact on the organization (B)

Risk acceptance is a risk management strategy that involves eliminating or reducing risks.

False (B)

What is the main purpose of performing vendor due diligence?

To mitigate the risk of unforeseen vulnerabilities or breaches originating from vendors

_____________________ is a software security testing tool that involves executing code to uncover runtime vulnerabilities and behavior.

Dynamic Analysis

Match the risk management strategies with their descriptions:

  • Risk Avoidance = Changing business practices to eliminate or reduce risks
  • Risk Mitigation = Reducing the probability or impact of risks through preventive measures
  • Risk Transference = Shifting some risk to a third party, such as through insurance or outsourcing
  • Risk Acceptance = Acknowledging the existence of a risk and continuing normal operations while monitoring and managing the risk

What is the primary goal of cybersecurity analysts when identifying potential risks?

To identify all potential risks facing the organization (A)

Verifying _______________________ authenticity ensures that hardware components have not been tampered with after leaving the vendor's control.

hardware source

What is the first phase of the Cybersecurity Incident Response Process?

Preparation (B)

Every event necessarily constitutes an incident.

False (B)

What are some examples of security event indicators?

Alerts from IDPS, logs generated by operating systems, publicly available information on new vulnerabilities and exploits, and reports from internal personnel or external sources indicating suspicious activities.

The ______________ phase of the Cybersecurity Incident Response Process involves monitoring and identifying potential security incidents.

Detection and Analysis

What is the primary concern in on-premises networks?

Perimeter security (D)

What is the purpose of an Incident Response Policy?

To establish the framework and authority for incident response efforts at a high level within the organization (D)

Software-Defined Networking (SDN) uses hardware-based controllers.

False (B)

Procedures are strategic guidelines for incident response efforts.

False (B)

What is the main purpose of Network Segmentation?

To improve security and performance by limiting the impact of breaches and controlling network traffic flow

Zero Trust is a security model that assumes no trust within or outside the network _______________________.

perimeter

Match the following with their corresponding descriptions:

  • i. Incident Response Policy = Establishes the framework and authority for incident response efforts
  • ii. Procedures = Detailed tactical instructions for incident response activities
  • iii. Preparation = First phase of the Cybersecurity Incident Response Process
  • iv. Containment, Eradication, and Recovery = Prevents further damage, eradicates the cause, and restores affected systems

Match the following authentication methods with their descriptions:

  • Multifactor Authentication (MFA) = Requires users to provide two or more verification factors
  • Passwordless Authentication = Methods like biometrics or cryptographic keys to authenticate without passwords
  • Single Sign-On (SSO) = Allows users to access multiple applications with a single set of credentials

The ______________ phase of the Cybersecurity Incident Response Process involves conducting lessons learned sessions and documenting the incident response process.

Post-Incident Activities

What is the main purpose of Cloud Access Security Brokers (CASB)?

To enforce security policies in cloud environments (C)

Privileged Access Management (PAM) is used to control and monitor non-privileged accounts.

False (B)

Hybrid networks combine _______________________ and cloud environments.

on-premises

Study Notes

Reverse Engineering Techniques

  • Sandboxing: Detects malicious software based on behavior rather than signatures, providing a safe environment to analyze potential threats.
  • Disassembling software: Reveals components and functionality, though complex and time-consuming.

Machine Learning in Cybersecurity

  • Automates analysis of vast security data, extracting valuable insights and patterns to identify potential threats.
  • Enhances security tool capability by learning from previous experiences and improving detection and response times.

Efficiency and Process Improvements in Security Operations

  • Streamlining operations, standardizing processes, and integrating tools enhance the efficiency and effectiveness of cybersecurity analysts.
  • Reduces errors, improves response times, and ensures consistent application of security measures.

Serverless, Virtualization, and Containerization Concepts

  • Serverless: Cloud computing model where the cloud provider dynamically manages resource allocation, abstracting infrastructure management.
  • Virtualization: Creates a virtual version of something, enabling multiple operating systems and applications to run on a single physical server.
  • Containerization: OS-level virtualization method where applications and dependencies are packaged into containers.

Network Architecture Concepts and Technologies

  • On-premises, Cloud, and Hybrid Networks:
    • On-premises: Infrastructure hosted locally within an organization.
    • Cloud: Services and resources delivered via the internet by a cloud provider.
    • Hybrid: Combination of on-premises and cloud environments, providing flexibility and scalability.
  • Security Concerns: Each model has unique security challenges; on-premises networks, for example, are primarily concerned with perimeter security.
  • Network Segmentation: Divides a network into smaller segments to improve security and performance, limiting the impact of breaches and controlling network traffic flow.
  • Software-Defined Networking (SDN), Zero Trust, Secure Access Service Edge (SASE):
    • SDN: Centralized management of network traffic using software-based controllers.
    • Zero Trust: Security model that assumes no trust within or outside the network perimeter, requiring strict access controls and verification.
    • SASE: Integration of networking and security functions to support secure access from anywhere.

Identity and Access Management

  • Multifactor Authentication (MFA): Requires two or more verification factors to gain access.
  • Passwordless Authentication: Methods like biometrics or cryptographic keys to authenticate without passwords.
  • Single Sign-On (SSO): Allows users to access multiple applications with a single set of credentials.
  • Federation: Collaboration between different identity management systems to enable seamless access across organizations.
  • Privileged Access Management (PAM): Controls and monitors privileged accounts to prevent misuse and unauthorized access.
  • Cloud Access Security Brokers (CASB): Security policy enforcement points that sit between cloud service consumers and cloud service providers to secure cloud environments.

Risk Management

  • Cybersecurity analysts identify potential risks, conduct a business impact analysis, and prioritize risks based on probability and impact.
  • Vendors as a Source of External Risk: Vendors introduce external risks; performing vendor due diligence helps mitigate these risks.
  • Risk Management Strategies:
    • Risk Avoidance: Changes business practices to eliminate or reduce risks.
    • Risk Mitigation: Reduces the probability or impact of risks through preventive measures.
    • Risk Transference: Shifts some risk to a third party, such as through insurance or outsourcing.
    • Risk Acceptance: Acknowledges the existence of a risk and continues normal operations while monitoring and managing the risk.

Software Security Testing Tools

  • Static Code Analysis: Analyzes code structure and content without executing it, identifying potential vulnerabilities.
  • Dynamic Analysis: Executes code to uncover runtime vulnerabilities and behavior.
  • Fuzzing: Sends malformed or unexpected inputs to applications to uncover vulnerabilities.
  • Debuggers: Analyze and help understand the behavior of executable code, aiding in identifying vulnerabilities or unintended behaviors.

Incident Response

  • Every incident comprises one or more events, but not every event necessarily constitutes an incident.
  • Four Phases of Cybersecurity Incident Response Process:
    • Preparation: Establishes an incident response team, defines roles and responsibilities, develops policies and procedures, and implements necessary tools and technologies.
    • Detection and Analysis: Monitors and identifies potential security incidents, analyzes the nature and scope of detected incidents.
    • Containment, Eradication, and Recovery: Contains the incident to prevent further damage, eradicates the cause of the incident, and restores affected systems to normal operation.
    • Post-Incident Activities: Conducts lessons learned sessions, documents the incident response process, and improves incident response procedures based on feedback and analysis.
  • Security Event Indicators:
    • Alerts from IDPS, SIEM systems, antivirus software, and file integrity checking tools.
    • Logs generated by operating systems, services, applications, network devices, and network flows.
    • Publicly available information on new vulnerabilities and exploits detected in real-world environments or controlled settings.
    • Reports from internal personnel or external sources indicating suspicious activities that may suggest ongoing security incidents.

Policies, Procedures, and Playbooks in Incident Response

  • Incident Response Policy: Establishes the framework and authority for incident response efforts at a high level within the organization.
  • Procedures: Detailed tactical instructions that guide CSIRT members during incident response activities.
  • Reports should be sent to stakeholders regularly and promptly, including compliance reports for regulatory purposes.

Vulnerability Management Metrics and KPIs

  • Trend data: Indicates whether the vulnerability management program is effective or if new issues are emerging frequently.
  • Top 10 lists: Identify the most common vulnerabilities within the organization, guiding prioritization efforts.
  • Critical vulnerability lists: Focus attention on the most severe vulnerabilities that pose significant risk.
  • Tracking zero-day vulnerabilities: Presents challenges due to their unexpected nature but may be required by leadership for awareness.
  • Service level objectives (SLOs): Define goals for timely remediation and measure whether the organization meets these goals effectively.

Inhibitors to Remediation

  • Memorandums of Understanding (MOUs) and Service Level Agreements (SLAs): Define uptime and performance targets that may conflict with patching schedules.
  • Organizational governance: Introduces processes that can slow down or add requirements to patching procedures.
  • Business process interruption: Concerns about disruptions or degraded functionality due to patching activities.
  • Legacy and proprietary systems: Lack of available patches or difficulty in installing patches without losing vendor support can hinder remediation efforts.

Critical Stakeholders for Incident Response

  • Stakeholders for incident response include:
    • Legal: Advises on legal implications and compliance requirements.
    • Public relations: Manages communication with customers, media, and the public.
    • Regulatory bodies: Ensure compliance with reporting requirements.

Related Documents

CYSA+ Exam Essentials.docx

Description

This quiz covers advanced techniques in cybersecurity, including reverse engineering and machine learning in threat detection and analysis.
