Security Fundamentals & Policy


Questions and Answers

Which of the following is the primary goal of network segmentation?

  • Increasing network bandwidth for all users.
  • Simplifying network management and reducing administrative overhead.
  • Enabling faster data backups and disaster recovery.
  • Improving security by limiting lateral movement of attacks. (correct)

The principle of least privilege dictates that user accounts should have more than the necessary privileges to perform their duties, to avoid service interruption.

False (B)

Which of the following is NOT a component of the CIA Triad?

  • Integrity
  • Confidentiality
  • Availability
  • Accountability (correct)

What is the purpose of 'System Hardening'?

To reduce security vulnerabilities and limit access by adjusting system configurations

Which type of network segmentation involves physically separating segments using devices like routers and switches?

Physical Segmentation (D)

A security policy is a static document that does not need regular updates once implemented.

False (B)

Which security measure reinforces security by requiring more than just a password to access a network?

Multi-Factor Authentication (MFA) (A)

What is the purpose of Security Awareness Training?

To educate employees and users about security threats and countermeasures

In a Zero Trust model, which of the following assumptions is made?

No device or user is inherently trusted, whether internal or external. (A)

Compliance Monitoring involves occasionally checking adherence to security policies.

False (B)

Which of the following best describes 'Security Governance'?

The strategic direction and framework for securing an organization. (B)

What is the function of a 'MAC Address Table' in a network switch?

To map MAC addresses to specific ports for forwarding data frames

What is the purpose of a Virtual Private Network (VPN) in securing remote access?

To provide secure communication channels between remote users and a corporate network. (A)

OS Hardening involves using generic security guides that apply to all operating systems.

False (B)

Which of the following is an example of a 'social engineering' attack?

Phishing email (A)

The process of adjusting system configurations to reduce security vulnerabilities and limit access is known as ______.

system hardening

Which type of cyber threat intelligence provides actionable indicators of compromise (IoCs)?

Technical Intelligence (A)

In Hybrid Cloud environments, the organization is fully responsible for securing all aspects of the infrastructure.

False (B)

What is the primary purpose of a 'Business Impact Analysis (BIA)' in disaster recovery planning?

Analyzing the impact of disruptions on critical business functions (C)

What is the role of log analysis in security?

To investigate security incidents by identifying threats and actors

Match the following security concepts with their descriptions:

  • Principle of Least Privilege = Accounts only have minimum required privileges
  • Regular Patching = Keeps systems updated to patch known vulnerabilities
  • Access Control = Prevents unauthorized privilege escalation
  • Multi-Factor Authentication (MFA) = Requires multiple forms of authentication

Dividing a computer network into subnetworks to improve security and performance is known as ______.

network segmentation

What technique involves identifying anomalies in user or system behavior based on established profiles?

Profiling & Behavior Analytics (C)

The RPO (Recovery Point Objective) defines the maximum time an organization can tolerate being without critical systems.

False (B)

What is the purpose of Security Governance in an organization?

To define the strategic direction and framework for securing an organization (C)

What type of attack might MAC flooding facilitate?

Data interception

What is the purpose of a Network Access Control (NAC) system?

To ensure only compliant devices are allowed to connect to the network (D)

A Hybrid Approach refers to the combination of signature-based IDS and rule-based IPS for effective security.

False (B)

Why is log correlation essential for detecting security incidents?

It involves integration of logs from multiple sources to identify suspicious activities. (A)

Artifacts or behaviors that indicate an intrusion or attack on a system are known as ______.

Indicators of Compromise (IoCs)

Flashcards

Principle of Least Privilege

Accounts should only have the minimum required privileges to perform their duties.

Regular Patching

Keep systems updated to patch known vulnerabilities.

Access Control

Implement strict access control measures and review permissions regularly to prevent unauthorized privilege escalation.

Multi-Factor Authentication (MFA)

Require multiple forms of authentication, especially for accounts with administrative privileges.

Monitoring

Continuously monitor user behavior, especially for actions that attempt to elevate privileges or modify system configurations.

Security Policy

A formalized set of rules, guidelines, and procedures that organizations use to protect their information assets.

Policy (Document Type)

A high-level document setting expectations for security that must be enforceable by authority.

Procedure (Document Type)

Contains detailed steps on how specific tasks should be executed in line with the policy.

Standard (Document Type)

Defines the technical requirements that must be met, offering specific guidance for system configurations.

Guidelines (Document Type)

Optional but recommended practices, providing flexibility and clarity on best practices.

Best Practices (Document Type)

Recommended security practices for all or specific departments/roles to follow.

Security Awareness Training

Critical for all employees and users, including real-world examples and practice scenarios.

Social Engineering (Social Media)

Social media is a significant platform for attacks like phishing, spear phishing, and impersonation campaigns.

System Hardening

Adjusting system configurations to reduce security vulnerabilities and limit access.

Compliance Monitoring

Continuously monitor adherence to security policies and standards.

Security Governance

Defines the strategic direction and framework for securing an organization, including risk appetite and regulatory compliance.

Security Policy (vs. Governance)

Is the actionable outcome that enforces governance principles across the organization, dictating specific security measures to mitigate risks.

Network Segmentation

Dividing a computer network into subnetworks to isolate systems and improve security.

Physical Segmentation

Physically separating network segments using devices like routers and switches.

Logical Segmentation

Dividing networks into segments based on logical criteria, using VLANs or virtual segmentation.

Defense in Depth

A multi-layered security strategy designed to protect data and resources by employing different security controls at each layer of the network.

MAC Address Table

Uses MAC addresses to forward data frames between devices connected to different ports, mapping MAC addresses to specific ports.

MAC Flooding Attack

A switch malfunctions by broadcasting data to all ports, making it easier for attackers to intercept sensitive data.

VLAN (Virtual LAN)

Allows logical segmentation of a physical network into separate broadcast domains.

Network Access Control (NAC)

Used to ensure that only compliant devices (those with updated patches, antivirus, etc.) are allowed to connect to the network.

Multi-Factor Authentication (Remote)

Reinforces security by requiring more than just a password to access the network.

Vulnerability Definition

A weakness in an IT system that can be exploited by an attacker.

Threat (vs. Vulnerability)

A potential cause of an unwanted incident, which may exploit a vulnerability.

Risk

The likelihood of a threat exploiting a vulnerability and causing harm.

Log Analysis

Essential for investigating security incidents via various collected log sources.

Study Notes

Security Fundamentals

  • Principle of Least Privilege ensures accounts have only the minimum privileges needed to perform their duties.
  • Regular Patching keeps systems updated to address known vulnerabilities.
  • Access Control involves implementing strict access control measures and reviewing permissions regularly to prevent unauthorized privilege escalation.
  • Multi-Factor Authentication (MFA) requires multiple authentication forms, especially for accounts with administrative privileges.
  • Monitoring involves continuously monitoring user behaviour, especially actions that attempt to elevate privileges or modify system configurations.

Security Policy

  • A security policy is a formalized set of rules, guidelines, and procedures for organizations to protect their information assets.
  • Security policies define how data should be handled, protected, and accessed, ensuring confidentiality, integrity, and availability (the CIA Triad).
  • NIST defines a security policy as including a set of rules for security services and security-relevant system behaviours.
  • Security policies define objectives/constraints for the organization's security program and serve as a guideline for decision-making and implementation.
  • Key questions to ask when reviewing a security policy include whether a policy is in place, if it is regularly enforced/updated, and how often policies are reviewed for improvements.
  • A security policy needs to be regularly revised and updated to reflect evolving threats, industry standards, and operational changes.
  • A security policy must support daily operations and information risk management through industry standards.
  • A security policy should clarify whether it applies to all employees or specific groups by having a well-defined scope.
  • A policy is a high-level document setting security expectations and must be enforceable by authority.
  • A procedure contains detailed steps on how specific tasks should be executed in line with the policy.
  • A standard defines the technical requirements that must be met, offering specific guidance for system configurations.
  • Guidelines are optional but recommended practices, providing flexibility and clarity on best practices.
  • Best Practices are recommended security practices for all or specific departments/roles to follow.
  • Best practices documents must be aligned with the policy, guiding staff on how to execute security tasks properly.
  • NIST SP 800-53 is an example of an organization-wide security program that provides guidelines, practices, and controls for organizations to follow.
  • The University of Wollongong's (UoW) policy ensures the protection of IT facilities, services, and stored data from unauthorized access and modification.
  • UoW's cybersecurity policy emphasizes confidentiality, integrity, and availability.
  • The scope of UoW's policy applies to all users and devices of IT facilities and services, requiring compliance with statutory legislation.
  • Security Awareness Training is critical for all employees and users.
  • Real-world examples, demonstrating real phishing emails and spotting techniques, make training more relatable and memorable.
  • Practice through simulated attacks, like phishing scenarios, builds skills in identifying and handling security threats.
  • Users should acknowledge completion of security awareness training.
  • Users should understand security threats and countermeasures.
  • BYOD practices pose security risks due to unprotected devices on the same network as sensitive resources when users access corporate systems with personal devices.
  • Some environments, especially those requiring high confidentiality, should not allow BYOD, or strict security controls must be enforced to mitigate BYOD risks.
  • Social media is a significant platform for social engineering attacks like phishing, spear phishing, and impersonation campaigns.
  • Employees should receive clear guidelines on using social media in a business context and avoiding sharing sensitive information.
  • Guidelines prevent and address inappropriate/harmful posts by employees on social media, preventing defamation and inappropriate content.

Policy Enforcement

  • Effective policy enforcement needs to consider all network endpoints, servers, and IoT devices within an organization.
  • Tools such as Active Directory (AD), Group Policy Objects (GPO), and security monitoring tools ensure compliance and configuration management.
  • Microsoft Active Directory provides a structure to manage users, computers, and other objects in an organization's network.
  • Group Policy applies security policies/configurations across user accounts and computer systems within an organization.
  • AppLocker is a security feature enforcing policies on which applications can run, ensuring only approved software is executed on company systems.

System Hardening

  • System hardening adjusts system configurations to reduce security vulnerabilities and limit access.
  • Tools like NIST CCE (Common Configuration Enumeration) can guide hardening processes for different systems.
  • OS Hardening requires using available security guides for specific operating systems (e.g., Red Hat security guide) to minimize vulnerabilities.
  • Compliance Monitoring continuously monitors adherence to security policies and standards using tools like Azure Security Center or other CSPM (Cloud Security Posture Management) tools.
  • Microsoft Defender uses Secure Score as a KPI to evaluate and improve security posture.
  • Security Governance defines the strategic direction/framework for securing an organization, including risk appetite and regulatory compliance, such as GDPR and HIPAA.
  • Security Policy is the actionable outcome that enforces governance principles across the organization, dictating specific security measures to mitigate risks.

Security Governance Models

  • Executive Leadership defines the overall security strategy in a three-tier model.
  • Security Management develops policies and manages security risks in a three-tier model.
  • Security Operations implements controls and handles security incidents in a three-tier model.
  • A four-tier model includes Compliance & Legal Oversight in addition to the roles in the Three-Tier Model, necessary for regulated industries.
  • Federated Governance Model is suitable for multinational organizations where local teams customize and implement policies while adhering to overarching global governance.
  • In the Matrix Security Governance Model, cross-functional teams collaborate on security; it is particularly suitable for DevSecOps environments where security is integrated into development and operations.

Network Segmentation

  • Network Segmentation divides a computer network into subnetworks called segments; it helps isolate systems, improve performance, and reduce the potential attack surface.
  • The main goal of network segmentation is to improve security by controlling traffic flow, limiting the possibility of lateral movement during attacks.
  • Physical Segmentation separates different network segments physically using devices like routers and switches.
  • Physical segmentation provides strong isolation and security, limiting data flow between segments unless specifically routed.
  • Efficiency and scalability issues are challenges to physical segmentation, as numerous network segments can complicate the network structure.
  • Logical Segmentation divides networks into segments based on logical criteria, using VLANs or virtual segmentation.
  • Logical segmentation is flexible and easier to implement than physical segmentation.
  • Logical Segmentation is flexible, but may offer less security compared to physical segmentation.
  • Virtual Segmentation is based on Software-Defined Networking (SDN) and virtual machines (VMs), enabling dynamically partitioning a network.
  • Virtual Segmentation is easy to scale and modify with minimal changes to physical infrastructure.
  • Virtual segmentation requires more advanced technical knowledge and can introduce complexity.
  • Network segmentation improves performance by isolating high-bandwidth applications to ensure they don't slow down other processes.
  • Network segmentation reduces network congestion by limiting broadcast traffic within each network segment.
  • Network segmentation enhances security by isolating sensitive systems (like databases or servers) from general user networks to prevent unauthorized access.
  • Network segmentation enhances security by limiting access to critical systems so that only authorized users/systems can communicate with them.
  • Defense in Depth is a multi-layered security strategy securing data/resources by employing different security controls at each network layer.
  • Key aspects of Defence in Depth include infrastructure, services security, document protection in transit, endpoint security, and microsegmentation to control granular access.
  • Physical segmentation involves physically separating network segments using routers or switches, effectively preventing unauthorized access between different parts of the network.
  • Challenges in physical networks include scalability when there are numerous hosts/devices.
  • Challenges in physical networks include managing large numbers of physical switches and routers, which can be cumbersome and inefficient.
  • A switch uses MAC addresses to forward data frames between devices connected to different ports by using a MAC Address Table.
  • MAC Flooding Attack consists of an attacker sending a large number of fake MAC addresses to a switch, causing the table to overflow, forcing the switch to broadcast data to all ports, making it easier for attackers to intercept sensitive data.
  • VLAN allows logical segmentation of a physical network into separate broadcast domains.
  • Department-based VLAN segments resources based on business units.
  • Sensitivity-based VLAN classifies data based on its importance or sensitivity (e.g., high-risk resources isolated from low-risk ones).
  • Cross-VLAN Communication requires specific rules and configurations to allow access between VLANs, which can add complexity.
  • Security Zones involve combining multiple VLANs into a single zone for more controlled access.
  • Remote access is important for organizations with remote workers.
  • Network Access Control (NAC) is used to ensure that only compliant devices (with updated patches, antivirus, etc.) are allowed to connect to the network.
  • Multi-Factor Authentication (MFA) reinforces security by requiring more than just a password to access the network.
  • VPN (Virtual Private Network) provides secure communication channels between remote users and the corporate network.
  • Site-to-Site VPN ensures secure communication between geographically dispersed locations.
  • Microsegmentation uses policies to create isolated network segments based on the identity of resources (rather than IP addresses).
  • Microsegmentation provides granular access control across individual resources.
  • Microsegmentation prevents lateral movement by attackers, even if they breach one part of the network.
  • The Zero Trust Model assumes no device or user, internal or external, is inherently trusted.
  • Identity Management is a key element of the Zero Trust Model, consisting of verification of both user and device before granting access to network resources.
  • Conditional Policies define specific access levels based on identity, device security, and user context in the Zero Trust Model.
  • Access Proxy is a control point for granting or denying access based on security policies in the Zero Trust Model.
  • Zero Trust Network Design includes identifying and inventorying assets.
  • Zero Trust Network Design includes defining access rules based on business needs and risk assessment.
  • Zero Trust Network Design ensures continuous monitoring and evaluation of access controls.
  • A Hybrid Cloud combines on-premises infrastructure with cloud services, creating unique security challenges due to different responsibilities in both environments.
  • Security Responsibilities for On-Premises infrastructure: the organization has full responsibility for securing physical and virtual network infrastructure.
  • Security Responsibilities with Cloud (IaaS) services: the cloud provider manages the underlying infrastructure, but the organization is responsible for securing virtual machines and applications.
  • Cloud Network Security Scanners and tools like Microsoft Defender for Cloud help manage security assessments and network security in hybrid environments.
  • The traditional approach to detection systems, which often deals with a high rate of false positives, is no longer acceptable; new approaches to detection systems are needed.
  • Modern detection strategies need to evolve to focus on actionable intelligence.
  • Data Correlation is a technique for improved detection: aggregating data from multiple sources for a clearer picture.
  • Profiling & Behavior Analytics is a technique for improved detection: identifying anomalies in user or system behavior based on established profiles.
  • Anomaly Detection & Machine Learning is a technique for improved detection: leveraging these methods to automatically identify threats without explicit signatures.
  • Artificial Intelligence (AI) is a technique for improved detection: using AI to continuously learn and adapt to new threats.
  • A Traditional Defender Mindset focuses only on monitoring high-profile users or critical systems.
  • The Modern Approach recognizes that threat actors target regular users, compromise accounts, stay dormant, move laterally, and escalate privileges.
  • Under the Modern Approach, the Blue Team needs to monitor all users and their behaviour across all devices and locations.
  • Indicators of Compromise (IoC) are artifacts or behaviors that indicate an intrusion or attack on a system.
  • IoCs help identify threats in their early stages and prevent full-blown breaches.
  • Unusual Outbound Traffic: often signals compromised systems connecting to command-and-control (C&C) servers.
  • Anomalies in Privileged User Activity: changes in behavior can indicate an attacker has escalated privileges.
  • Geographical Irregularities: suspicious login activity from unexpected locations.
  • Login Red Flags: abnormal login attempts, especially after hours, often indicate unauthorized access.
  • Database Anomalies: unusual access patterns, such as a sudden increase in database read volume, can suggest an attacker probing for sensitive data.
  • File Access Requests: large numbers of requests for the same file or sensitive file locations could indicate a prelude to data exfiltration.
  • Behavior Analytics systems track the normal behavior of users and entities, identifying anomalies that indicate potential threats.
  • On-Premises analytics systems monitor internal activities and are crucial for detecting insider threats and targeted attacks.
  • Hybrid Cloud allows Behavior analytics to be expanded across on-premises and cloud environments, allowing for comprehensive security coverage.
  • User and Entity Behavior Analytics (UEBA) detects deviations from normal patterns of behavior to spot potential security breaches, including internal threats.
  • An example of User and Entity Behavior Analytics involves a user who regularly downloads 10MB of data but suddenly downloads gigabytes of data, triggering an alert.
  • Intrusion Detection System (IDS) monitors network traffic/system behavior for signs of malicious activity and alerts administrators when suspicious activities are detected.
  • Host-based IDS (HIDS) runs on individual devices and monitors local activity for signs of compromise.
  • Network-based IDS (NIDS) analyzes traffic across the entire network segment for potential threats.
  • Intrusion Prevention System (IPS) works similarly to IDS but takes action to block or prevent detected intrusions, such as automatically isolating an infected system.
  • Signature-based IDS detects known threats by comparing network traffic to predefined attack signatures.
  • Anomaly-based IDS identifies deviations from normal behavior and can detect previously unknown threats.
  • Hybrid Approach combines signature-based and anomaly-based methods for more effective detection.
  • IDS Deployment Locations: DMZ/Perimeter monitors external network traffic.
  • IDS Deployment Locations: Core Corporate Network monitors internal traffic for unusual patterns or intrusions.
  • IDS Deployment Locations: Critical Network Segments monitors segments such as wireless or virtualization networks.
  • Rule-based IPS uses predefined rules to detect and block attacks.
  • Snort uses rules to identify known threats and block them based on network traffic patterns.
  • Anomaly-based IPS identifies potential threats by comparing incoming traffic with a baseline of normal network activity, detecting previously unknown threats by looking for abnormal behavior.
  • Case Study 1: Suspicious Behavior of Administrator: the system can detect when an administrator's activity is unusual, such as logging into systems that are outside their usual scope of work.
  • Case Study 2: Pass-the-Ticket Attack: this attack involves gaining access to network resources using compromised credentials and escalating privileges via tools like Mimikatz.
  • Case Study 2: Pass-the-Ticket Attack: detection mechanisms look for abnormal behavior such as the use of administrative tools by unauthorized users.
  • Case Study 3: Misconfiguration Detection: if a system is exposing account credentials through insecure protocols, UEBA can detect this misconfiguration and alert security teams to take action.
  • Hybrid Cloud Security requires the Blue Team to monitor and assess the hybrid environment continuously and relies on integrating threat detection systems across both on-premises infrastructure and cloud-based services.
  • Azure Security Center provides security plans for specific cloud services, such as SQL databases, containers, and app services, offering specialized threat detection.

Threat Intelligence

  • Threat Intelligence is the information aggregated, analyzed, and enriched to support decision-making processes.
  • Threat intelligence can help organizations proactively defend against known and unknown cyber threats.
  • OSINT (Open Source Intelligence), HUMINT (Human Intelligence), and SIGINT (Signals Intelligence) are examples of Intelligence Source Types.
  • Operational Intelligence provides alerts on attacks in progress, useful for immediate defense and response.
  • Tactical Intelligence provides insights into adversary tactics, techniques, and procedures (TTPs), and is used to enhance defenses and signature-based detection.
  • Strategic Intelligence is high-level intelligence that informs decision-making, often for executives to understand broader trends in the threat landscape.
  • Technical Intelligence provides actionable indicators of compromise (IoCs) like IP addresses, domain names, and malware samples.
  • Example of Profiling Motivation: Cybercrime is motivated by financial gain through theft or fraud.
  • Example of Profiling Motivation: Hacktivism is motivated by political or social agendas.
  • Example of Profiling Motivation: Cyber Espionage/State-Sponsored actors conduct targeted attacks for intelligence gathering.
  • A challenge when Interpreting Alerts: organizations often face an overwhelming number of security alerts, leading to delays in responding to incidents.
  • Threat Intelligence can assist with Incident Response by providing contextual data, which can guide investigators in determining the source and impact of an attack.
  • Alert Triage consists of prioritizing alerts to focus on the most critical threats; key triage questions include which systems were compromised, where the attack started, and whether the attack moved laterally, escalated privileges, or communicated with command and control.
  • Scoping the Issue: not every system issue is security-related, so it's crucial to assess whether an incident is actually a security breach.
  • If a user reports a system running slow, the investigation starts with performance troubleshooting before assuming a security incident. The above is an example of.
  • Windows Systems are valuable in identifying compromise via artifacts such as user logs, Registry modifications, and malicious processes.
  • Cloud Systems: tools like Microsoft Defender for Cloud can be used for monitoring and alerting on suspicious behavior across cloud environments.
  • A disaster recovery (DR) plan provides a documented procedure to restore IT operations after a disaster, such as natural or man-made events.
  • Examples of disasters are Natural Disasters (earthquakes, floods, and hurricanes) and Man-Made Disasters (cyberattacks, power outages, or human errors).
  • A risk assessment identifies risks and vulnerabilities that can affect IT operations.
  • A Business Impact Analysis (BIA) is a key aspect of a DR Plan that analyzes the impact of disruptions on critical business functions and determines recovery priorities.
  • Recovery Objectives: RTO (Recovery Time Objective) is the maximum time the organization can tolerate being without critical systems.
  • Recovery Objectives: RPO (Recovery Point Objective) is the maximum time the organization can afford to lose data.
  • Offsite Backups: cloud storage is a popular solution for safely storing backups away from the primary operational environment.
  • Monitoring IT Systems: proactive monitoring detects signs of disasters early, allowing for timely recovery.
  • Redundant Systems: using RAID for redundancy ensures data availability in case of hardware failure.
  • Testing and Training: regular testing of disaster recovery processes, as well as training employees on their roles during a disaster, ensures that the organization can respond effectively.

Vulnerability Management

  • A vulnerability is a weakness in an IT system that can be exploited by an attacker for a successful attack.
  • Vulnerabilities can arise from flaws, features, or user errors and are often combined to achieve malicious goals.
  • A vulnerability is a weakness that can be exploited.
  • A threat is a potential cause of an unwanted incident, which may exploit a vulnerability.
  • Risk is the likelihood of a threat exploiting a vulnerability and causing harm.
  • The goal of vulnerability management is to reduce organizational exposure, harden attack surfaces, and increase resilience.
  • The vulnerability management strategy helps schedule all vulnerability mitigation efforts in an organized manner, ensuring vulnerabilities are addressed before they can be exploited.
  • Asset Inventory: Identifying all the devices, hosts, and software in the network.
  • Information Management Planning consists of controlling the flow of information into and out of the organization, ensuring network and data security.
  • Risk Assessment consists of prioritizing vulnerabilities and assessing risks to allocate resources for mitigation effectively.
  • Scope Identification defines what assets and areas will be assessed.
  • Data Collection consists of gathering information about existing policies, procedures, and the current state of security.
  • Policy Analysis consists of reviewing the effectiveness and compliance of existing policies.
  • Vulnerability and Threat Analysis identifies and assesses vulnerabilities and potential threats, and determines their potential impact.
  • Acceptable Risk Analysis consists of assessing whether existing controls address risks adequately or if further action is needed.
  • Vulnerability Assessment consists of identifying vulnerable assets through ethical hacking and penetration testing.
  • Reporting and Remediation Tracking consists of communicating the findings of vulnerability assessments and tracking the remediation progress.
  • Insufficient documentation can lead to poor remediation and is one of the challenges to Reporting and Remediation Tracking.
  • Response Planning consists of developing plans for responding to vulnerabilities and threats effectively.
  • A challenge of Response Planning is that large organizations may face issues with coordination and accountability during patching and remediation.
  • Peregrine Tools, LANDesk Management Suite, and StillSecure are examples of Asset Inventory Tools designed to help track devices and software and manage licenses.
  • CERT Coordination Center, Security Focus and Symantec Security Response are examples of Information Management Tools designed to help disseminate information to the right personnel.
  • ArcSight is an example of a Risk Assessment Tool, which can automate risk analysis, while in-house checklists can tailor assessments to an organization's specific risks.
  • Nessus (detailed vulnerability scanning) and Nmap (network mapping and vulnerability scanning) are examples of Vulnerability Assessment Tools.
  • Foundstone's Enterprise Manager and the Latis Reporting tool are examples of Reporting Tools, which generate reports for different audiences, from technical teams to nontechnical stakeholders.
  • Vulnerability Assessment is a subset of Vulnerability Management.
  • Vulnerability Assessment is a one-time project that helps identify weaknesses, while Vulnerability Management is an ongoing process that includes identifying, reporting, and fixing vulnerabilities.

Log Analysis

  • Log analysis is essential for investigating security incidents.
  • Logs are collected from various sources (operating systems, network devices, applications) and analyzed to identify threats and actors.
  • Data Correlation: security professionals correlate logs from different sources (e.g., OS, firewall, web server) to detect suspicious activities or incidents.
  • Event Viewer can be used to access Windows security logs.
  • Prefetch files reveal details about the execution of processes in Windows.
  • Crash dump files can expose malware and other suspicious activities in Windows.
  • /var/log/auth.log tracks authentication events in Linux.
  • /var/log/secure records security-related events, such as sudo and root activity in Linux.
  • /var/log/faillog stores failed login attempts.
  • Firewall Logs contain vital information such as source and destination IP addresses, protocols, ports, and the action taken (allowed/denied).
  • Web Server Logs, IIS (Windows): found in \WINDOWS\system32\LogFiles\W3SVC1.
  • Web Server Logs, Apache (Linux): located in /var/log/apache2/access.log. These logs can help identify attacks such as SQL injection and DDoS.
  • Cloud Logs, AWS CloudTrail: tracks user logins, API calls, and resource changes.
  • Cloud Logs, Azure Activity Logs: track events at the subscription level, such as service changes.
  • Cloud Logs, Google Cloud Platform (GCP): Cloud Audit Logs provide detailed information about who did what and when.
  • Log correlation is essential for detecting security incidents through integration of logs from multiple sources. Understanding Logs helps in identifying threats and attackers and determines the root cause of incidents.
  • SIEM solutions centralize and automate log collection and analysis, making it easier to identify patterns and suspicious activities across multiple sources.
  • Quality over Quantity: while it is important to gather logs from various systems, the focus should be on actionable, high-quality insights rather than overwhelming volumes of data.
