Security 101

Questions and Answers

Which of the following is an important aspect of communicating security issues to non-technical staff?

  • Explaining the potential impact in business terms. (correct)
  • Avoiding any discussion of technical details.
  • Blaming the IT department for the vulnerability.
  • Using highly technical jargon to emphasise the severity.

A cloud service provider experiences a major outage affecting multiple customers. Which security principle is MOST relevant to preventing this type of widespread impact in the future?

  • Separation of duties
  • Least privilege
  • Defense in depth
  • Diversity (correct)

You are tasked with improving your company's defenses against unauthorised software installations. You've chosen a whitelisting approach. What does this involve?

  • Identifying and blocking applications after they are detected on the network.
  • Monitoring network traffic for signs of unauthorised software downloads.
  • Creating a list of prohibited applications and preventing their installation.
  • Only authorising specific applications to run, blocking all others by default. (correct)

A security analyst identifies multiple log entries indicating 'failed password for invalid user' originating from a public IP address targeting SSH (Port 22). What immediate action should the analyst prioritise?

  • Blocking the offending IP address in the firewall. (correct)

Given log entries indicating a brute force attack on SSH from a public IP address, which additional security measure should the analyst implement to enhance security against future attacks?

  • Implementing multi-factor authentication (MFA) for SSH access. (correct)

A security analyst is reviewing logs showing repeated failed login attempts against multiple user accounts from a single IP address. What type of attack is MOST likely occurring?

  • Password spraying. (correct)

A security analyst discovers a series of log entries indicating numerous failed SSH login attempts from a single IP address. Which action would LEAST likely be helpful in responding to this?

  • Restarting the SSH servers. (correct)

What is a primary limitation of using CAPTCHA as a security measure against brute force attacks?

  • CAPTCHA is ineffective against manual brute force attacks. (correct)

A company network is being targeted by brute force password attacks. Which of the following security measures is the BEST initial step to mitigate this type of attack?

  • Enforcing account lockout policies. (correct)

An organisation wants to ensure data confidentiality and integrity, especially during transit. Which mechanism provides the STRONGEST protection against eavesdropping and data manipulation?

  • Using Transport Layer Security (TLS) with strong cipher suites and regularly updated certificates. (correct)

A security architect is designing a system to minimise the impact of a successful ransomware attack. Which strategy would be MOST effective in limiting the blast radius of such an attack?

  • Segmenting the network into isolated zones with strict access control lists and limited inter-zone communication. (correct)

A security team discovers that several employees have unknowingly installed a rogue application that is subtly modifying system configurations to weaken security controls. This is MOST indicative of what type of threat?

  • Rootkit. (correct)

A company suspects an insider threat. Which security measure is MOST effective for identifying anomalies related to such threats?

  • A Security Information and Event Management (SIEM) system. (correct)

A Security Professional finds that employees are storing login credentials in clear text. What is the BEST way to make sure this doesn't happen again?

  • Implementing user training that emphasises the organisation's security policies. (correct)

A company is developing a new web application that will handle sensitive customer data. Which secure coding practice is MOST effective in preventing SQL injection attacks?

  • Using parameterised queries or prepared statements, so that user input is bound as data and never interpreted as SQL. (correct)
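The difference between string-built SQL and a bound parameter, shown in working code. This is an added example, not part of the quiz: it builds a constructed in-memory SQLite table, runs the same lookup both ways, and feeds both the classic tautology payload. The table contents and function names are this example's own. Note that parameters do not "sanitise" anything: the driver sends the value separately from the statement, so it is never parsed as SQL.

```python
import sqlite3

# Constructed sample data standing in for a real users table (assumption for this example).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    # String concatenation: attacker-controlled text becomes part of the SQL grammar.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    # Bound parameter: the value travels out of band and can only ever match a username.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Tautology payload: closes the quote and appends a condition that is always true.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", find_user_vulnerable(conn, PAYLOAD))  # every row comes back
    print("safe:      ", find_user_safe(conn, PAYLOAD))        # no user is literally named that
    print("safe:      ", find_user_safe(conn, "alice"))
```

The vulnerable query becomes `... WHERE username = 'x' OR '1'='1'` and returns the whole table; the parameterised one looks for a user whose name is the 12-character payload and finds nothing.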

During incident response, analysts identify a series of unusual network connections originating from a compromised endpoint. What action provides the MOST effective containment strategy to prevent further lateral movement?

  • Isolating the compromised endpoint from the network to prevent further communication. (correct)

Which task is most important when addressing any vulnerability?

  • Understand the risk the application creates. (correct)

What should you do after discovering a large increase in network traffic?

  • Determine whether the traffic is legitimate. (correct)

What is the primary goal of the NIST Cybersecurity Framework (CSF)?

  • To manage cybersecurity risk. (correct)

Flashcards

SIEM System

Aggregates logs across the system to identify anomalies related to insider threats.

Account Lockout Policies

Security measure that locks accounts after a limited number of incorrect password attempts.

Whitelisting

Authorizing specific applications, blocking all others by default.

Password Spraying

A brute force variant that tries a few common passwords against many user accounts.

Log analysis: efficient approach

Reading answers, then analyzing logs.

Immediate action: brute force

Blocking the IP address in the firewall.

Brute Force Attack

An attack that attempts many passwords on a single user account.

CAPTCHA

Completely Automated Public Turing test to tell Computers and Humans Apart; used to block automated brute force attempts.

Strong Password Policies

A policy that requires users to create strong, complex passwords.

Multi-Factor Authentication (MFA)

Adding an extra layer of verification during login, like a code from your phone.

Coursera Security+ Discount Hack

A cost-effective method to prepare for the Security+ exam by leveraging a free trial for discount voucher access.

Security+ Priming Phase

An initial review to familiarize oneself with the material before detailed study.

Security+ Learning Phase

In-depth study of all materials, focusing on understanding both correct and incorrect answers.

Security+ Polishing Phase

Refining knowledge by revisiting weak areas and incorrect answers until mastery is achieved.

Free Security+ Practice Questions

Freely accessible Security+ practice questions categorized by chapter.

Cybersecurity Course

A structured program designed to transition individuals from Security+ certification to cybersecurity employment.

Job Hunting Section

Resume building, portfolio development, and interview skills enhancement.

Practical Training

Building a Security Operations Center (SOC) and honeynet in the cloud for real-time incident response training.

Theory Section

Focuses on foundational concepts crucial for entering the cybersecurity field.

Physical Control for Data Center Security

Installing locks on server racks to restrict physical access.

Technical Control for Data Exfiltration

Monitoring and controlling network traffic to prevent unauthorized data from leaving.

Deterrent Control for Tailgating

Installing surveillance cameras to discourage unauthorized entry.

Gaining Access to Restricted Smartphone Features

Jailbreaking (rooting): removing the manufacturer's restrictions on the operating system to obtain unrestricted administrative functions.

Ensuring Confidentiality and Integrity

Ensuring data is encrypted and verified using hashing algorithms.

Identifying Discrepancies in Security Posture

Determining the difference between the current and desired security states.

Mitigating Vehicle-Based Threats

Erecting bollards to prevent vehicle ramming attacks.

Implementing a New Firewall System

Obtaining formal approval from senior management before implementing significant changes.

Ensuring Evidence Integrity

Documents when evidence was collected, and how it was collected.

Securing User Passwords in a Database

Employing hashing to secure passwords.

Cybersecurity Interview Focus

Five key areas: answering unfamiliar questions, behavior-based questions (STAR), scenario-based questions, industry awareness, and cybersecurity frameworks.

STAR Format

Situation, Task, Action, Result: a structured method for answering behavior-based questions effectively.

Incident Response Steps

Analyze, quarantine, eradicate, recover, and document incident appropriately.

Key Cybersecurity Frameworks

NIST (CSF and SP 800-53), PCI DSS, GDPR, and HIPAA.

SIEM Rule Tuning

Alerting on unauthorized access, viewing sensitive info, or brute-force attempts.

Monitoring Unauthorized Data

Turn on file system auditing, define protected files, and determine what is authorized vs. unauthorized access.

VM Brute Force Remediation

Lock VM, reset passwords, and close incident.

Communicate Vulnerabilities

Explain the exploit, potential damage, and necessary actions in business terms.

Remediate Exposed Key Vault

Private endpoint prevents key vault access from the public internet.

Prioritize Security Projects

Determine high-impact processes and prioritize protections based on risk reduction.

Study Notes

Security+ Exam Preparation

  • Scenario-based questions are prevalent on the Security+ SY0-701 exam.
  • Scoring 80% on 50 practice questions indicates exam readiness.
  • Exam objectives can be downloaded for free from CompTIA's website.
  • Additional resources include a Security+ course on Udemy and 550 practice questions available via provided links.

Detecting Insider Threats

  • A cybersecurity analyst aims to detect unusual behavior patterns indicative of insider threats on a company network.

Solution Effectiveness for Anomaly Detection

  • Security Information and Event Management (SIEM) systems are most effective in identifying anomalies related to insider threats.

Intrusion Prevention System (IPS)

  • While an IPS primarily focuses on blocking known attack traffic and malware, it can indirectly help identify insider threats if the threat involves malware.

Data Loss Prevention (DLP)

  • DLP adds a layer that can catch insider data theft, but it is not the best option for detecting behavioural anomalies.

Firewalls

  • Firewalls can help detect threats from both inside and outside the network.
  • SIEM is superior to both firewall and IPS.
  • DLP is superior to IPS.

SIEM System

  • SIEM systems use multiple logs.
  • SIEM systems offer more accurate and direct insights compared to DLP.
  • SIEM is effective, as it aggregates logs across the system.
  • When configuring rules within a SIEM, an alert should trigger when a defined event of interest occurs.
  • Which logs are integrated into the SIEM depends on the environment and on which assets and resources are critical.
  • It is beneficial to ingest logs from all authentication methods into the SIEM.

Brute Force Attack Protection

  • Scenario involves a company network compromised via a brute force attack on user accounts.

Measures to Protect Against Brute Force Attacks

  • Account lockout policies are the best security measure.
  • Strong password policies are a good way of stopping brute force attacks.
  • Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) can stop against automated brute force attacks.

CAPTCHA Limitations

  • CAPTCHA is ineffective against manual brute force attacks.

Captive Portals

  • Captive portals, typically used in public Wi-Fi, are not suitable for enterprise networks.

Account Lockout Policies

  • Account lockout policies enhance security by locking accounts after a limited number of incorrect password attempts.
  • Account lockout can be more effective at stopping brute force attacks than strong password policies.
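An implementation of a temporary lockout policy, added here as an example and not taken from the notes. It shows the two details that make the policy workable in practice: failed attempts are counted within a sliding window, and the lock expires on its own, so an attacker cannot permanently deny service to a user by deliberately guessing wrong (the lockout-as-DoS problem). `LockoutPolicy`, its parameters and the `FakeClock` helper are this example's own names; real deployments would persist the counters in a shared store rather than in process memory.

```python
import time
from collections import defaultdict, deque


class LockoutPolicy:
    """Lock an account for `lockout` seconds after `threshold` failures within `window` seconds."""

    def __init__(self, threshold=5, window=600, lockout=900, clock=time.monotonic):
        self.threshold = threshold
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures
        self.locked_until = {}              # account -> time at which the lock expires

    def _prune(self, account, now):
        # Forget failures older than the window so a slow trickle never accumulates.
        q = self.failures[account]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:           # temporary lock has expired: clean up
            del self.locked_until[account]
            self.failures[account].clear()
            return False
        return True

    def record_failure(self, account):
        now = self.clock()
        self._prune(account, now)
        self.failures[account].append(now)
        if len(self.failures[account]) >= self.threshold:
            self.locked_until[account] = now + self.lockout
            return True
        return False

    def attempt(self, account, credentials_valid):
        """Login decision: 'locked', 'ok' or 'failed'. The lock is checked before the
        credentials, so a correct password does not bypass an active lockout."""
        if self.is_locked(account):
            return "locked"
        if credentials_valid:
            self.failures[account].clear()
            return "ok"
        self.record_failure(account)
        return "failed"


class FakeClock:
    """Deterministic clock for the demonstration (test helper, not for production)."""

    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    clock = FakeClock()
    policy = LockoutPolicy(threshold=3, window=60, lockout=120, clock=clock)
    outcomes = [policy.attempt("bob", False) for _ in range(3)]  # three bad guesses
    outcomes.append(policy.attempt("bob", True))                  # right password, still locked
    clock.advance(121)                                            # lock expires on its own
    outcomes.append(policy.attempt("bob", True))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Choosing a short lockout (minutes, not permanent) and a sliding window is the usual compromise: it makes online guessing uneconomical while keeping the account recoverable without a help-desk call.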

Preventing Unauthorized Application Installations

  • A company wants to prevent users from installing unauthorized applications.

Technologies for Preventing Unauthorized Applications (Whitelisting)

  • Whitelisting is the best technology.
  • Data Loss Prevention (DLP) focuses on preventing data exfiltration, not unauthorized application installation.
  • While blacklisting involves identifying and blocking unwanted applications, whitelisting is superior.

Intrusion Detection System (IDS)

  • Intrusion Detection Systems focus on identifying suspicious or malicious activity on the network, not on controlling what software users install.

Blacklisting

  • Blacklisting requires IT to identify applications they do not want users to install.

Whitelisting (Allow Listing)

  • Whitelisting involves only authorizing specific applications, blocking all others by default.
  • Whitelisting is generally superior in enterprise environments to prevent the installation of unauthorized applications.
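An example of the default-deny check at the core of application allow listing, added here and not taken from the notes. It pins the SHA-256 hash of each approved binary rather than its path, so a program that is swapped or patched at an approved location is denied along with anything unlisted. The file names, contents and `AllowList` class are this example's own constructed stand-ins for real executables; a production control such as AppLocker or WDAC also checks publisher signatures, but the hash rule is the simplest to show.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class AllowList:
    """Default-deny: a program may run only if its content hash is on the list."""

    def __init__(self, approved_hashes):
        self.approved = set(approved_hashes)

    def decide(self, path):
        try:
            digest = sha256_file(path)
        except OSError:
            return "deny"  # unreadable or missing: never allow by accident
        return "allow" if digest in self.approved else "deny"


def demo():
    """Constructed files standing in for real binaries (assumption for this example)."""
    with tempfile.TemporaryDirectory() as d:
        approved = os.path.join(d, "backup.exe")
        with open(approved, "wb") as f:
            f.write(b"APPROVED-BUILD-1.2.3")
        allow = AllowList([sha256_file(approved)])  # list is built from the known-good build

        first = allow.decide(approved)              # "allow": hash matches

        unknown = os.path.join(d, "game.exe")
        with open(unknown, "wb") as f:
            f.write(b"UNLISTED")
        second = allow.decide(unknown)              # "deny": not on the list

        with open(approved, "ab") as f:             # someone tampers with the approved binary
            f.write(b"+BACKDOOR")
        third = allow.decide(approved)              # "deny": same path, different hash

        return first, second, third


if __name__ == "__main__":
    print(demo())
```

The flip side of hash pinning is operational: every legitimate update changes the hash, so the list has to be regenerated from the build pipeline, which is why publisher-based rules are usually layered on top.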

Log Analysis & Security Analyst Priorities

  • Log analysis questions are best approached by process of elimination.
  • Prioritize reading answers first, then analyze the logs to efficiently use time.
  • Time management is critical for certification exams.

Analyzing Log Entries

  • Logs indicate a brute force attack attempt from a public IP address on SSH (Port 22).
  • The specific log entries include "failed password for invalid user."
  • Key log data includes IP addresses and ports (22, 80).

Prioritized Security Analyst Actions

  • Block the offending IP address (203.0.113.45) in the firewall to stop further attempts.
  • This is a direct response to the observed brute force attack.
  • Review SSH configurations and logs for vulnerabilities due to the attempted intrusion.
  • Implement multi-factor authentication (MFA) for SSH access to enhance security.
  • MFA provides an extra layer of security against unauthorized access.
  • Avoid creating new SSH accounts for the attacker or restarting SSH servers based solely on this log data.

Actions to Avoid & Why

  • Avoid investigating potential insider threats based on this specific log data.
  • The attacking IP address (203.0.113.45) is public, indicating an external source.
  • Do not restart SSH servers, as it won't address the attack itself.
  • Refrain from disabling Port 80 without clear evidence of a threat on HTTP connections in the logs.
  • Also avoid installing a Web Application Firewall (WAF) without evidence of specific web-based attacks (like SQL injection) in the logs.
  • Don't disable DNS resolution without log-based evidence of name resolution problems.

Brute Force & Password Spraying

  • Brute force attacks typically hammer a single user account with many password guesses.
  • Password spraying tries a few common passwords against many different user accounts, which keeps each account under the lockout threshold.
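The log analysis described in the two sections above, as working detection logic. This is an added example, not part of the original notes: it parses a constructed excerpt in sshd's auth.log format (the 203.0.113.45 address from the notes, plus 198.51.100.7 and an internal 192.0.2.10, all documentation ranges), counts failures per source and per account, and separates brute force (one account, many guesses) from password spraying (many accounts, a guess or two each). The thresholds and the `iptables` rule text are this example's own choices for the immediate blocking step.

```python
import re
from collections import defaultdict

# sshd logs "Failed password for invalid user X" when the account does not exist and
# "Failed password for X" when it does; both are failures from the same source.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed auth.log excerpt (not from the original page).
SAMPLE_LOG = """\
Mar 10 14:02:11 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Mar 10 14:02:12 web01 sshd[1203]: Failed password for invalid user admin from 203.0.113.45 port 51130 ssh2
Mar 10 14:02:13 web01 sshd[1205]: Failed password for invalid user admin from 203.0.113.45 port 51137 ssh2
Mar 10 14:02:14 web01 sshd[1207]: Failed password for invalid user admin from 203.0.113.45 port 51142 ssh2
Mar 10 14:02:15 web01 sshd[1209]: Failed password for invalid user admin from 203.0.113.45 port 51150 ssh2
Mar 10 14:02:16 web01 sshd[1211]: Failed password for root from 203.0.113.45 port 51158 ssh2
Mar 10 14:05:01 web01 sshd[1302]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar 10 14:05:02 web01 sshd[1304]: Failed password for bob from 198.51.100.7 port 40002 ssh2
Mar 10 14:05:03 web01 sshd[1306]: Failed password for carol from 198.51.100.7 port 40003 ssh2
Mar 10 14:05:04 web01 sshd[1308]: Failed password for dave from 198.51.100.7 port 40004 ssh2
Mar 10 14:05:05 web01 sshd[1310]: Failed password for invalid user erin from 198.51.100.7 port 40005 ssh2
Mar 10 14:07:30 web01 sshd[1400]: Failed password for bob from 192.0.2.10 port 52000 ssh2
Mar 10 14:07:41 web01 sshd[1402]: Accepted publickey for bob from 192.0.2.10 port 52001 ssh2
"""


def parse_failures(text):
    """Return (ip, user) pairs for every failed-password event; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("user")))
    return events


def classify(events, threshold=5):
    """Per source IP: 'brute force' if one account absorbs >= threshold failures,
    'password spraying' if >= threshold distinct accounts each see only one or two."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for ip, user in events:
        per_ip[ip][user] += 1
    verdicts = {}
    for ip, users in per_ip.items():
        if sum(users.values()) < threshold:
            continue  # below the noise floor, e.g. a user's own typo
        if max(users.values()) >= threshold:
            verdicts[ip] = "brute force"
        elif len(users) >= threshold and max(users.values()) <= 2:
            verdicts[ip] = "password spraying"
        else:
            verdicts[ip] = "suspicious"
    return verdicts


def block_commands(verdicts):
    """Firewall rules for the immediate containment step (iptables syntax)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in sorted(verdicts)]


if __name__ == "__main__":
    verdicts = classify(parse_failures(SAMPLE_LOG))
    for ip, verdict in verdicts.items():
        print(ip, verdict)
    print("\n".join(block_commands(verdicts)))
```

The single failure from 192.0.2.10 followed by an accepted key login is exactly the kind of entry the notes warn against over-reading: it stays below the threshold and produces no verdict and no block.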

Key Strategy for "Select All That Apply" Questions

  • Evaluate each choice (A, B, C, etc.) individually.
  • Determine if it makes sense based solely on the provided log entries.
  • Focus on what the logs directly indicate, without making assumptions.
  • Prioritize answering based solely on what is explicitly in the logs and not on "making it more secure"

Security+ Practice Questions

  • Over 15,500 Security+ practice questions align with the newest exam objectives.
  • Online access is free via a browser.
  • Questions are grouped by chapter from the CompTIA Security+ "Get Certified Get Ahead" book by Daryl Gibson.
  • Each question provides a complete explanation with a reference to the book, including the page number.

Offline Security+ Practice Questions

  • A free offline version of the practice questions is available after entering an email address.
  • Requires Anki software installation (free on most platforms, potentially paid on iOS).
  • Progress can be tracked using the offline version.
  • The offline version can be used on phones and laptops.

Security+ Discount

  • Completing the Google Cyber Security Professional Certificate program on Coursera can earn a 30% off coupon for the Security+ exam.
  • The Coursera program may cost about $50 per month.
  • Completing the Google program has an approximate savings of $70.
  • The 7-day free trial on Coursera could be used to quickly complete the program and get the discount voucher.

Three-Phase Approach to Passing Security+

  • Priming Phase: Quickly get an overview of the material.
  • This phase is best accomplished with the Google Cyber Security Professional Certificate Program on Coursera.
  • Aim to complete the Coursera program in one month.
  • Learning Phase: Thoroughly go through all the material to be learned
  • Use the practice questions (the offline version is optimal for progress tracking).
  • Understand why correct answers are correct and why incorrect answers are incorrect.
  • Use the recommended book or online resources such as Google or ChatGPT for additional help.
  • Polishing Phase: Focus on areas of weakness and questions answered incorrectly.
  • Redo difficult questions until they are mostly correct.

Cyber Security Course

  • Designed to bridge the gap between Security+ and finding a cybersecurity job.
  • The course is split into three sections:
  • Theory: Covers essential concepts for getting into cybersecurity.
  • Practical: Build a Security Operations Center and honeynet in the cloud to address real-time incidents.
  • Job Hunting: Focuses on resume building, portfolio development, and interview practice.
  • Aims to assist candidates in securing jobs.
  • Broaden job search to include general IT positions to transition into cybersecurity.

Physical Control for Data Center Security

  • Installing locks on the server racks is the most appropriate physical control when data center racks are accessible to all employees, posing a risk to critical infrastructure.
  • Network intrusion detection systems and antivirus software are technical controls
  • Risk assessments are administrative controls.

Technical Control for Data Exfiltration

  • Implement a firewall to monitor and control incoming and outgoing traffic as a technical control, when unusual outbound traffic suggests potential data exfiltration from a server hosting sensitive data.
  • Security awareness training is administrative.
  • Biometric access control is physical.
  • Updating security policy is administrative.

Deterrent Control for Tailgating

  • Install more surveillance cameras at all entry points as a deterrent control, after instances of tailgating, where unauthorized individuals follow employees into restricted areas.
  • Stricter password policies are technical.
  • Security audits are operational but less of a deterrent.
  • Software-based IPS is technical.

Gaining Access to Restricted Smartphone Features

  • Jailbreaking (rooting) removes the manufacturer's restrictions on the operating system to obtain administrative functions, when a smartphone user requires features not available in the standard operating system.
  • Exploiting database vulnerabilities, utilising scripting vulnerabilities, and direct software installation are incorrect options.

Ensuring Confidentiality and Integrity (CIA Triad)

  • Data encryption in storage ensures confidentiality, and hashing verifies integrity, when a financial firm's data storage system must align with the confidentiality (C) and integrity (I) of the CIA Triad.
  • Firewalls can help with confidentiality.
  • Regularly updating software may impact C and I, but is not as direct.
  • Background checks are less effective for C and I.

Identifying Discrepancies in Security Posture

  • Gap analysis is used to determine what needs to be achieved when identifying discrepancies between the current and desired security states in an organization.
  • Risk assessment, penetration testing, and compliance auditing are incorrect options.

Mitigating Vehicle-Based Threats

  • Erecting bollards is the most suitable physical security measure for protecting a corporate building in a busy downtown area against vehicle ramming attacks.
  • Video surveillance cameras are deterrent, not preventive.
  • Access control vestibules prevent tailgating.
  • Enhanced lighting is not physically preventative.

Implementing a New Firewall System

  • Obtain formal approval of the project from Senior Management when implementing a new firewall system that includes significant changes to the current network infrastructure.
  • Impact analysis, scheduling a maintenance window, and preparing a backout plan all come after approval.

Offensive and Defensive Security Testing

  • Red teams perform offensive security measures.
  • Blue teams perform defensive security measures.
  • A team that does both offensive and defensive tasks is known as the Purple team.

Ensuring Evidence Integrity

  • Chain of custody documents when the evidence was collected, how it was collected, and who collected and handled it.
  • The chain of custody ensures there has been no tampering or illegal modification of the evidence.

Secure Communication Channel for Key Exchange

  • Use an asymmetric key agreement such as Diffie-Hellman (DH) to securely establish a shared secret key for symmetric encryption between the organisations.
  • Public key infrastructure (PKI) does more than just transfer a symmetric key.
  • Sending the symmetric key over email will expose it.
  • Encrypting the key with symmetric encryption only moves the problem: the wrapping key would itself have to be transferred.
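The exchange described above, as an added example that is not part of the notes: both parties generate a private exponent, publish only `g^x mod p`, and derive the same symmetric key from the shared secret. It uses the 1024-bit MODP prime from RFC 2409 section 6.2 with generator 2, chosen because it is short enough to embed; that group is too small for new deployments, which should use the 2048-bit or larger groups of RFC 3526 / RFC 7919, or elliptic-curve DH. The `Party` class, the key-derivation step (an HKDF-style extract/expand with HMAC-SHA256) and the Miller-Rabin self-check are this example's own; the public-value validation is the check that a real implementation must not skip.

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP prime from RFC 2409 section 6.2 ("Oakley group 2"), generator 2.
P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF"
)
P = int(P_HEX, 16)
G = 2
Q = (P - 1) // 2  # P is a safe prime, so G generates the subgroup of prime order Q


def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test; used here only to sanity-check the group parameters."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_public(y):
    """Reject out-of-range values and anything outside the order-Q subgroup
    (small-subgroup confinement would otherwise leak bits of the private exponent)."""
    if not 1 < y < P - 1:
        return False
    return pow(y, Q, P) == 1


class Party:
    def __init__(self):
        self.x = secrets.randbelow(Q - 1) + 1  # private exponent, never leaves this side
        self.y = pow(G, self.x, P)             # public value, sent in the clear

    def shared_key(self, peer_public, context=b"example-dh-v1"):
        if not validate_public(peer_public):
            raise ValueError("invalid peer public value")
        z = pow(peer_public, self.x, P)        # shared secret: g^(xa*xb) mod p on both sides
        z_bytes = z.to_bytes((P.bit_length() + 7) // 8, "big")
        # HKDF-style derivation: extract a PRK, then expand with a context label.
        prk = hmac.new(b"", z_bytes, hashlib.sha256).digest()
        return hmac.new(prk, context + b"\x01", hashlib.sha256).digest()


def run_exchange():
    alice, bob = Party(), Party()
    # Only alice.y and bob.y cross the wire; an eavesdropper holding both cannot
    # recover the key without solving the discrete logarithm in this group.
    return alice.shared_key(bob.y), bob.shared_key(alice.y)


if __name__ == "__main__":
    k_a, k_b = run_exchange()
    print("keys match:", k_a == k_b, k_a.hex())
```

Plain DH as shown is unauthenticated: an on-path attacker can run two separate exchanges, one with each organisation. In practice the public values are signed (as in TLS) or the parties compare fingerprints out of band.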

Securing User Passwords in a Database

  • Use a salted, slow password hash (hashing, not encryption) for all passwords, so that they are not exposed in clear text if the database is breached.
  • Digital signatures, file permissions, and blockchain are incorrect options.
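Password hashing done the way a breach-resistant database needs it, added here as an example and not from the notes. The block contrasts an unsalted SHA-256 (identical passwords give identical hashes, and precomputed tables crack them in bulk) with scrypt from the standard library: a random 16-byte salt per password, a deliberately slow and memory-hungry work factor, a self-describing record so the cost can be raised later, and a constant-time comparison on verify. The record format and the `hash_password` / `verify_password` names are this example's own; bcrypt or Argon2id would serve equally well where available.

```python
import base64
import hashlib
import hmac
import os

# scrypt work factors: N (CPU/memory cost), r (block size), p (parallelism).
# 128 * r * N bytes = 16 MiB per hash, which is what makes GPU cracking expensive.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def _b64(b):
    return base64.b64encode(b).decode("ascii")


def naive_hash(password):
    """What NOT to do: fast, unsalted, and identical for identical passwords."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Return a self-describing record: scrypt$N$r$p$salt$hash (all base64 fields)."""
    salt = salt if salt is not None else os.urandom(16)  # unique per password
    dk = hashlib.scrypt(
        password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32
    )
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P), _b64(salt), _b64(dk)])


def verify_password(password, record):
    """Recompute with the parameters stored in the record and compare in constant time."""
    try:
        algo, n, r, p, salt_b64, dk_b64 = record.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.scrypt(
        password.encode(), salt=salt, n=int(n), r=int(r), p=int(p), dklen=len(expected)
    )
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("naive, same for everyone with this password:", naive_hash(pw)[:16], "...")
    rec = hash_password(pw)
    print("stored record:", rec)
    print("verify correct:", verify_password(pw, rec))
    print("verify wrong:  ", verify_password("Tr0ub4dor&3", rec))
```

Because the salt is random, two users who pick the same password get different records, and an attacker has to run the full scrypt cost once per guess per user instead of once per guess for the whole table.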

Promptly Revoking Compromised Certificate Trust

  • A certificate revocation list (CRL), published by the certificate authority, is the mechanism for quickly revoking trust in a compromised certificate across all SSL/TLS secured devices (OCSP serves the same purpose as an online query).
  • Self-signed certificates, a certificate signing request, and third-party certificates are incorrect options.

Identifying Threat Actors

  • An employee that is a threat actor is an Insider threat.
  • Organized crime, nation states, activist are incorrect options.

Cyber Security Attack Types

  • A website that is rigged to look legitimate in order to trick the employees of a company is referred to as a watering hole attack.
  • Identity theft, misinformation, and spear phishing are incorrect options.

Addressing a Security Vulnerability Found in an IoT Device

  • Patching the device fixes the security vulnerability in the IoT device.
  • Conducting a risk analysis, restructuring the network, and upgrading the device are incorrect options.

Social Engineering

  • Vishing (voice phishing) is the only option that involves phone calls, when employees receive calls from a fake IT support team asking them to hand over their login credentials.
  • Typosquatting is when mistyping a domain name takes you to a malicious look-alike website; a watering hole attack compromises a site the targets already visit; whaling is phishing aimed at the "big fish" of the business, its senior executives.

Identifying Creator and Date of Suspicious File

  • File metadata can specify who created a file and when.
  • A file's hash value only shows whether the file has been modified; network activity logs show traffic across the network; a server access log shows who accessed the server.

Virtual Machine Escape Characteristics

  • A security breach in which a malicious attacker gains control of the host system from within a virtual machine.
  • Migrating a virtual machine from one host to another, cloning virtual machines, and deploying virtual machines across multiple physical hosts are incorrect options.

The Most Effective Strategy for Preventing the Installation of Harmful Applications

  • Implementing an application allow list: a list of specific approved software; anything not on the list cannot run.
  • Regular malware scans, VPN implementation, and user access lists are incorrect options.

Types of Malware Attacks

  • A worm is the malware that spreads rapidly through the organisation, creating copies of itself and consuming network resources.
  • Trojan and spyware are incorrect options.

Logs From Critical Network Devices

  • The security engineer should investigate the cause when logs are missing from critical network devices such as firewalls and intrusion detection systems.
  • Assuming the missing logs are the result of log rotation, assuming the published documentation on log storage is accurate, and taking no action are incorrect options.

Securing Servers in a Data Center

  • A host-based firewall is used to control incoming and outgoing network traffic on each server, protecting it against unauthorised access and network-based attacks.
  • Changing default passwords, host-based encryption, and removing unnecessary software or features are incorrect options for this question (they remain valid hardening steps, but they do not control network traffic).

On Premises

  • Hosting data on servers within the organisation's own physical facility is the primary characteristic of an on-premises architectural model.
  • Relying on a third party and distributing data across locations are incorrect options.

IoT and Industrial Devices

  • An industrial control system (ICS) is what monitors a water treatment plant and sends alerts.
  • IDS and mobile device management are incorrect options.
  • IoT devices widen security concerns because of their functionality, require more frequent patching, and can introduce vulnerabilities such as recording children's voices.

Enhancing a Network Environment

  • An intrusion prevention system (IPS) will enhance the network environment by blocking detected attacks.
  • Firewall, network access control, and file integrity monitoring are incorrect options.

Remote Desktop Services

  • Set up a VPN, when a security analyst is asked what to recommend if a remote desktop service is accessible from the internet.
  • Strong encryption and changing the default port are incorrect options.

High Availability

  • Load balancing is needed during the shopping season to maintain uninterrupted service.
  • Hot site, geographic dispersion, and continuity of operations are incorrect options.

Securing Switch Ports

  • Network access control (NAC) is needed to control which devices gain access through switch ports.
  • Intrusion detection, SSL, and VLANs are incorrect options.

Security Vulnerabilities in Source Code

  • Use static analysis when a software development project needs to identify potential vulnerabilities in the application source code.
  • Input validation, secure cookies, and code signing are incorrect options.

Asset Acquisition

  • Record the acquisition in the asset inventory in order to maintain an accurate inventory.
  • Retention policies, scheduling destruction, and disabling the software are incorrect options.

Penetration Testing Agreements

  • A work order / statement of work (WO/SOW) is needed to document the time required for the engagement.
  • Non-disclosure agreement, service level agreement, and business partnership agreement are incorrect options.

Real-Time Security Tooling

  • A SIEM system is needed for real-time security monitoring.
  • An archiving tool, an antivirus tool, and security content are incorrect options.

Access to Personnel Areas

  • An access control system is required to restrict access to secure personnel areas.
  • Perimeter fencing and CCTV monitoring are incorrect options.

Temporary Privileged Access

  • Just-in-time (JIT) permissions are used to grant temporary rather than permanent privileged access.
  • Tokenisation and biometric managers are incorrect options.

Auto-Scaling

  • Employee reduction (fewer staff needed to manage capacity) results in cost reduction.
  • Standardised infrastructure configuration and scaling in a secure manner are incorrect options.

Analysis

  • The application logs are needed when investigating a suspicious security breach in the organisation.
  • Endpoint logs are an incorrect option.

Risk Register

  • Maintaining a risk register documents the risks and assigns responsibilities.
  • Defining risk tolerance, the process of risk transfer, and conducting a risk assessment are incorrect options.

Copied Signals

  • A cloning attack results when a signal (for example from an access badge) is copied without authorisation, allowing unauthorised access.
  • Environmental, brute force, and social engineering attacks are incorrect options.

Attacker Access to Traffic

  • An on-path attack is when an attacker positions themselves on the network to intercept and manipulate network traffic.
  • Malicious code, rootkit, and security professional are incorrect options.

Securing Employee Mobiles

  • Securing employees' smartphones with MDM policies is a risk mitigation control (not risk acceptance).
  • Secure data destruction, data encryption, and endpoint security are incorrect options.

Reconnaissance Activities

  • Passive reconnaissance is the activity a security professional performs without interacting with the target directly.
  • Active reconnaissance, defensive penetration, and environmental testing are incorrect options.

Implementing MFA for Employees

  • User authentication is what is strengthened when MFA is implemented for employees accessing system resources.
  • Threat analysis, security awareness training, and access control are incorrect options.

Analysing Network Logs

  • Threat hunting is the activity of analysing network logs to proactively identify potential threats, combining detection and analysis.
  • Intrusion prevention, risk analytics, and mitigation are incorrect options.

Encrypting the Device

  • Confidentiality is what a mobile device encryption policy provides.
  • Data integrity, availability, and authentication are incorrect options.

Technique to Implement Isolation

  • An air gap is needed when a government agency requires a secured, physically isolated system.
  • Virtualisation, logical segmentation, and software-defined networking are incorrect options.

Bank Requirements for Vendor Laptops

  • Disk encryption is needed to prevent data loss from a laptop under the bank's vendor contracts.
  • Data permissions, information rights, and access limitation are incorrect options.

Ensure Authentic Software

  • Code signing is what a software development manager implements to ensure software is authentic.
  • Regular code auditing, dynamic application testing, and the Agile methodology are incorrect options.

Solution to Implement

  • Segmentation divides the network based on security requirements.
  • Least privilege, patching, and encryption are incorrect options.

Guarantee Protection

  • Fire safety mechanisms that fail safe are what is reviewed to guarantee the physical protection of the data centre, alongside its security controls.
  • The systems' external gateways and data access logs are incorrect options.

Interview Preparation & Key Areas

  • Five key areas to focus on when preparing for a cybersecurity interview
  • Ability to gracefully answer questions you lack experience with
  • Skill to identify and address behavior-based questions like "Tell me about a time when..."
  • Competence in tackling cybersecurity-specific scenario-based questions
  • Developing a strong industry awareness of past and current events
  • Possessing a basic understanding of core cybersecurity frameworks and regulatory bodies, like NIST 800-53 and GDPR
  • Grooming and hygiene are also basic interview considerations

Addressing Unfamiliar Questions

  • Crafting some response to a question is always better than "I don't know"
  • Independent lab work and experimentation greatly aid in formulating answers to unexpected questions
  • Labbing can include creating an environment, such as in Microsoft Azure, and applying NIST 800-53 controls to secure cloud resources

Answering Behavior-Based Questions

  • Essential to recognize behavior-based questions and answer in STAR format: Situation, Task, Action, Result
  • Situation: Describe the context, include needed details
  • Task: Break down the task at hand
  • Action: Describe what you did to solve the task
  • Result: Describe the final outcome
  • Initially, answering in STAR format is challenging, so practice

Handling Scenario-Based Questions

  • Scenario-based questions are common and assess a candidate's grasp of incident response and holistic thinking
  • Incident Response Example: In response to a user reporting malware, a novice answer is insufficient
  • A well-considered answer follows the NIST 800-61 Computer Security Incident Handling Guide
  • Analyze and verify the malware as a true positive
  • Work to quarantine the system, eradicate the malware, recover the system, and then document everything appropriately
  • Holistic Thinking Example: For a critical vulnerability, forcing an immediate patch that renders a server unusable is a bad answer, as it is equivalent to a DDoS on your own server
  • A better approach involves asking clarifying questions, implementing compensating controls, and planning for patching without downtime

Increasing your Industry Awareness

  • Interviewers often ask about breaches and industry events
  • Passive learning through podcasts like CyberWire by Dave Bittner and Darknet Diaries by Jack Rhysider

Staying up to date with Cybersecurity Frameworks

  • Understanding general cybersecurity frameworks and regulations
  • Free resources like Professor Messer and the Google Cybersecurity Professional Certificate can help
  • Important frameworks and regulations include NIST CSF, PCI DSS, GDPR, and HIPAA
  • NIST 800-61 is the Computer Security Incident Handling Guide.
  • Review the 800 Cyber Security Framework, which provides a checklist to maintain security, including Identify, Protect, Detect, Respond, and Recover.
  • RMF (Risk Management Framework) is part of 800-37, while 800-53 provides a catalog of controls.
  • The CSF (Cybersecurity Framework) is used to increase threat detection and serves as a security plan.

SIM Rule Tuning Procedure

  • Log queries can be written in SQL, KQL, SPL, or other languages, and they can be implemented and fine-tuned as needed.
  • To reduce false positives, alert rules can be tuned

Examples of SIM Alert Rule Tuning

  • Alerts on .yar files were removed by specifying the string ".yar" as an exclusion.
  • As a result, malware alerts will not trigger when ".yar" exists in the logs

NIST 800-61 Compliance

  • Follow the NIST 800-61 Computer Security Incident Handling Guide.

Logging Integration with SIM

  • Vanilla setup pulls from identity providers like Active Directory, authentication, important servers, and shared services logs.
  • It's a good idea to ingest logs from all authentication methods into the SIM.

Collaborations in Different Departments

  • Security teams are responsible for scanning and remediation.
  • Employees who run scanning can conduct scans and verify remediation.
  • If a fix is understood, the vulnerability can be remediated quickly.
  • Once done, a scan can be performed again to confirm it is remediated

Security Controls for Cloud Apps

  • Use a web application layer 7 firewall
  • Use access control based on pre-determined roles
  • Enforce continuous logging and monitoring
  • Implement an identity provider for authentication purposes
  • Use a backup and recovery process
  • Use encryption

Monitoring Unauthorized Data Access

  • Implement file system auditing
  • Define the files that need to be protected
  • After scoping what needs to be protected, decide what constitutes authorized versus unauthorized access

Forensic Analysis Steps

  • Use the entity map within Microsoft Sentinel and the investigation UI to check for known-good accounts
  • Legitimate accounts should be reviewed to ensure there are no indicators of compromise.

Keeping up to Date with Cyber Threats

  • Listen to CyberWire Daily.
  • Follow CISA (Cybersecurity and Infrastructure Security Agency) on Twitter.

How to Remediate a Complicated Vulnerability

  • Use private endpoints so the endpoints are not accessible from the public internet
  • Apply a firewall to block access from outside the allowed network

Vulnerability Discoveries

  • Set up labs to practice with vulnerabilities
  • Discovered that software was out of date, and then took action to correct it

Steps to Handle Security Incident

  • Follow the normal NIST 800-61 incident response life cycle

Communications to Non-Technical Staff

  • Communicate to different stakeholders appropriately
  • Explain the exploit, and the damage that can be done, to the non-technical team
  • Explain what action needs to be taken
  • Communicate like a business person

How to Prioritize Security Projects

  • Prioritize security projects by economics, determining processes with the most impact, and implementing the one that protects the most.
  • Prioritize according to the most risk reduced.

Quick Learning Skill for the Job

  • Expose everything to the internet in a lab
  • Learn through "brute force": everything is attacked in a purpose-built honeynet
  • You can use Microsoft Azure to do this

The importance of User Training

  • Make sure your end users have solid knowledge
  • Implement great user training; use platforms such as KnowBe4 to help end users train themselves
  • Take a more positive approach by rewarding users who complete the training

Quick steps for Handling a Situation Under Pressure

  • Work through the incident cycle: discover and contain
  • After the discovery process, calmly contain, eradicate, recover, and document
  • Do your best to prepare for the situation
  • When in doubt, go to your incident response plan
  • You will likely have to work overtime in this job

IT Reluctance on Security Patches

  • First make sure ALL members understand the importance of PATCHING!
  • To help members understand, give potential examples of the results of poor patching practice in any department of the company, even HR.
  • Poor practice could even get people in trouble, potentially

Password Policy Rejection

  • Must explain risk
  • Go through all details with the parties
  • Explain damage due to loss or data breach

Incident Investigations

  • If there is an investigation to be followed, GET EVERYONE ON THE SAME PAGE no matter how small the data breach is.
  • It is a HUGE organizational red flag if you don't; you need to have a discussion in the event of an incident.
  • Get your manager involved, they are there to help
  • The most important part of PCI DSS is data protection

Network Traffic Increase

  • Determine if it is legitimate
  • Open a ticket
  • Start the NIST 800-61 life cycle
  • Quarantine the device
  • Look at the endpoint of the device

Unauthorized File Upload Alert

  • Follow the incident response plan per NIST 800-61
  • Containment --> recovery, or potentially delete the upload
  • Document EVERYTHING!! and close the ticket
  • Start the NIST 800-61 cycle
  • Verify this is a real phishing attack, not a fake
  • Containment: temporarily take the device offline
  • Security may investigate the laptop

When Software Is Being Exploited

  • Know WHO uses the software and WHERE it is used
  • Create a plan for remediation and fix all vulnerabilities
  • Create a GROUP for all users with the vulnerability
  • Let users know in batches
  • Prioritize the more critical ones first.

Same Password Used

  • Enforce unique passwords with SSO
  • Enable multi-factor authentication
  • Enforce stronger security

Recent Breach and Impact

  • A code repo gets compromised and production pushes the compromised code to all users of the software, who can then be attacked.

Future Security Technology

  • AI and machine learning will help with threats
  • Use AI chat tools
  • B.Y.O.D. devices will see more security

Impacts of Security from Work

  • Need end user training --> because if users fail, the whole security system fails
  • Put more energy there
  • Create the right controls

Industry Regulations That Have an Impact

  • Must be compliant with many regulations to meet the standards
  • Apply GDPR when the data belongs to individuals in the covered countries.
  • HIPAA applies when HIPAA-covered information is exposed in a hospital
  • PCI DSS to have a good setup for the best protection

Cyber Security Topics

  • AI to make things up
  • Misinformation in campaigns

How to keep in the loop

  • Listen to CyberWire daily
  • Watch YouTubers to grow your influence in cyber

Bridge Security Job

  • The more hands-on, the better

Vulnerabilities with wide impacts

  • There have been wide impacts from compromised code repos.

Targeting Critical Infrastructure

  • Should be proactive, NOT reactive

NIST 800-61 Steps to Take for Ransomware

  • Use tabletop exercises to simulate threat scenarios.

What Does IoT Do to Widen Security Concerns

  • Devices need to be patched often

800 Cyber Security Framework

  • Framework: lists the steps security personnel can take, acting as a checklist to keep secure.

Difference Between PCI DSS and HIPAA

  • Credit cards use the Payment Card Industry Data Security Standard (PCI DSS); medical data relies on the Health Insurance Portability and Accountability Act (HIPAA)

18 HIGH LEVEL CYBER RULES THAT YOU CAN USE

  • Make sure your org meets standards

Cybersecurity Implications with GDPR

  • Personal security tied to an individual's Personally Identifiable Information (PII)

The Goal in CSF

  • To Increase threat awareness
  • Use Frameworks to build security procedures

SIM Alert Rule Tuning

  • Configure rules in the Security Information and Event Management (SIM) system to trigger alerts for unauthorized access, viewing of sensitive information, or brute-force attempts.
  • Ensure logs are pulled from the enterprise password management system into the SIM; rules cannot be created without them.
  • Global admin password access in Azure AD is highly sensitive.
