4. Security Operations

Question 1

4.1 Mobile device hardening

Answer 1

use strong authentication password, biometrics, regular updates, enable remote-wipe capabilities

Question 2

4.1 Hardening for workstations

Answer 2

Patch management, antivirus, access controls, firewalls

Question 3

4.1 Hardening for switches

Answer 3

Change default credentials, ACLs, Firmware updates, network segmentation, logging

Question 4

4.1 Hardening for routers

Answer 4

change default credentials, encrypted communication, firmware updates, disable unused services

Question 5

4.1 Hardening for cloud infrastructure

Answer 5

IAM, conduct regular security audits, MFA, IRPs

Question 6

4.1 Hardening for Servers

Answer 6

Firewalls, disable unnecessary services, strong authentication methods, monitoring, logging

Question 7

4.1 Hardening for ICS/SCADA

Answer 7

SCADA: Supervisory Control and Data Acquisition

ICS: Industrial Control Systems

Segment to isolated part of the network, regular patching, IDS, backup and recovery

Question 8

4.1 Hardening for Embedded Systems

Answer 8

They don’t get patch updates often. Install updates as soon as possible, network segmentation for these devices is encouraged.

Question 9

4.1 Hardening for IoT

Answer 9

Update regularly

Question 10

4.1 Mobile Deployment Models and their hardening techniques

Answer 10

MDM: mobile device management, implement access controls and remote wipe

BYOD: use containerization to separate corporate and personal data, endpoint security, user training

COPE (corporate owned, personally enabled): Fully manage and control these devices, app installation management, data protection for corporate data, regular audits.

CYOD (choose your own device): Identify a list of pre-approved devices, apply baselines, implement access controls, regular updates.

Question 11

4.1 Wireless Hardening

Answer 11

WPA3, AAA/RADIUS, Cryptographic Protocols, Authentication Protocols

Question 12

4.1 Authentication Protocols

Answer 12

RADIUS: centralized authentication, implement access control, maintain logs, encrypt RADIUS communications

Kereberos, OAuth2, SAML

Question 13

4.1 Application Hardening

Answer 13

Input Validation, Secure Cookies (HTTPOnly flags), static code analysis, Code Signing

Question 14

4.2 Procurement considerations for hardware, software, and data

Answer 14

Hardware: Evaluate vendors, ensure compatibility and scalability

Software: Acquire licenses/subscriptions or create custom software solutions. Review licensing agreements.

Data: Acquire data sources, databases, and services to interact with databases. Ensure protection standards.

Question 15

4.2 Assignment/Accounting considerations for hardware, software, and data

Answer 15

Hardware: track ownership with individuals and departments. Classify hardware based on function and lifecycle stage.

Software: Assign licenses, classify software based on purpose and criticality.

Data: classify data based on sensitivty, confidentiality, and regulatory requirements. Ensure access controls.

Question 16

4.2 Monitoring/Tracking considerations for hardware, software, and data

Answer 16

Hardware: up-to-date inventory, track asset locations, usage, and maintenance schedules.

Software: monitor usage and performance. track installations, updates, and patches. Ensure optimization.

Data: monitor data usage and access integrity. Track data flows and perform regular audits.

Question 17

4.2 Disposal considerations for hardware, software, and data.

Answer 17

Hardware: properly dispose, including sanitizing data and physicall destroying hardrives. Obtain certificate of destruction.

Software: Decommission software that is no longer needed. Revoke licenses as needed. Ensure no residual data or configurations remain on devices.

Data: Sanitize and securely delete.

Question 18

4.3 Application Vulnerability Management Techniques

Answer 18

Static Analysis
Dynamic Analysis
Package Monitoring

Question 19

4.4 SCAP

Answer 19

Security Content Automation Protocol. Standardizes the way security software communicates.

Question 20

4.4 Agent/Agentless tools

Answer 20

Agentless does not require installing a software.

Question 21

4.4 Signature-based vs. Heuristic-based antivirus

Answer 21

signature-based usually identifies previously known threats. Heuristic-based uses rulesets and pattern recognition to identify threats.

Question 22

4.4 NetFlow

Answer 22

Network protocol developed by Cisco for collecting IP traffic and analyzing traffic flow and unusual activity.

Question 23

4.5 Screened Subnet

Answer 23

AKA DMZ, used for public-facing applications. Establish proper firewall rules to allow specific traffic through.

Question 24

4.5 URL Scanning

Answer 24

A web filter should use URL scanning to inspect URLs before allowing users to access them or users to pass them to the application.

On-demand inspection: URL Scanning ocurs in real-time when a user enters a URL or clicks a link.

URL is checked against known databases.

Question 25

4.5 Centralized Proxy

Answer 25

Forward and Reverse proxies are both types of centralized proxies. Centralized proxies are intermediaries between end users and the internet.

Question 26

4.5 DNS Filter

Answer 26

Uses specialized DNS resolvers to compare queries against a blocklist of domains or IP addresses. Used to block broad categories of internet content. Prevents address resolution for these sites.

Question 27

4.5 DLP

Answer 27

data loss prevention

Question 28

4.5 NAC

Answer 28

Network Access Control. Allows policy enforcement for devices trying to connect to a network. Rules might include checking credentials (MAC Filtering), checking for up-to-date antivirus software, required configurations, etc.

Question 29

4.5 DEMARC

Answer 29

Domain-based message authentication reporting and conformance. Only allows email traffic from approved domains. Checks SPF and DKIM records and reports occurrences to domain owners.

Question 30

4.5 DKIM

Answer 30

DomainKeys Identified Mail, adds digital signatures to emails, making it possible to verify that an email came from a certain domain.

Question 31

4.5 SPF

Answer 31

Sender Policy Framework. Email validation system, it is a published list of IP addresses that can send email on behalf of a domain.

Question 32

4.5 EDR vs. EXR

Answer 32

EDR is classic endpoint protection and response. EXR is extended; it integrates data from multiple security tools such as network and cloud security.

Question 33

4.6 SSO

Answer 33

Single Sign On. An authentication process that allows users to log in once and access multiple applications and services. LDAP, OAuth, SAML are examples

Question 34

4.6 LDAP

Answer 34

Lightweight Directory Access Protocol. Manages directory information over a network and allows users to take advantage of SSO. OpenVPN, Docker, and Jenkins are all examples.

Question 35

4.6 OAuth

Answer 35

Open Authorization. Standard protocol that allows third-party applications to obtain limited access to an HTTP service. Some examples are Google APIs, or other websites that allow you to create an account or login using a different service’s credentials.

Question 36

4.6 SAML

Answer 36

Security Assertion Markup Language. XML based standard for exchanging authentication data (web-based). Some examples are Office 365 and AWS. SAML is within a single entity such as Microsoft, unlike OAuth.

Question 37

4.6 Password Vaulting, JIT Permissions, and Ephemeral Credentials

Answer 37

All used as privileged access management tools

Password vaulting is like NordPass

Just-in-time permissions is only granting access for a specific duration (think automatic login session timeouts on NSIPS)

Ephemeral Credentials: Temporary authentication tokens, such as OTPs