Rapid7 Interview - Thursday, 12/9 Flashcards

1
Q

What is cybersecurity and why do companies need it?

A

Cybersecurity is the combination and implementation of security software, hardware, policies and procedures in IT systems to protect devices, sensitive data and services from unauthorised access and modification.

Companies need strong cyber security strategies to prevent any damage from occurring to their valuable assets and overall business.

2
Q

What do you have in your home network?

A

I have a modem and a router, where I have a strong username and password set up for my router and Wi-Fi, with the broadcasting feature disabled.
I also set up MAC address filtering on the router and I use WPA2 (Wi-Fi Protected Access 2) security encryption to encrypt the traffic on my Wi-Fi networks. I also have the remote access feature disabled and I use a firewall to configure security measures.

3
Q

What is the CIA triad?

A

CIA is an acronym for Confidentiality, Integrity and Availability. These are the core elements of information security, protecting against the adverse impacts of incidents such as unauthorized access and any corruption, misuse or modification.

Confidentiality describes information/data privacy, which means the information is not made available or disclosed to unauthorized entities.

Integrity describes information/data accuracy and completeness throughout its lifecycle. That means the data cannot be modified by unauthorized entities.

Availability describes information/data being accessible when needed; systems need to remain available at all times, so service disruptions from power outages, hardware failures or system upgrades must be prevented.

4
Q

Explain the difference between process, guidelines, and policies.

A

A process is a step-by-step sequence of actions that specifies what happens next and what should be implemented.

Guidelines are recommendations for applications or the network; they can be customized and used when creating procedures.

Policies are defined as the criteria for security objectives and the organization’s security framework itself.

5
Q

What is the meaning of AAA?

A

AAA stands for Authentication, Authorization, and Accounting.

From a high level, AAA helps the system administrators and security experts to identify any malicious activity on the network.

Authentication is the process of determining whether a user is allowed to use the system and the network, which is usually done with a login and password. For example, you use a username and password to access your email; the email server authenticates them and then grants further access.

Authorization refers to access control rights. This means every user on the network is allowed access to certain portions of data, information and applications according to his or her level in the organization. For example, a marketing person will not be able to record financial transactions. Hence, a user is authorized to perform only certain functions on the network system. These authorization levels are defined by the system administrator, who has access to all the resources and user policies in the network.

Accounting, also known as network accounting, is used to gather all activity on the network for each user. Hence, AAA is a framework for network security that is used to control user access, implement policies, audit usage and keep track of all activities in the network.

6
Q

What is Risk, Threat and Vulnerability in a network?

A

Risk is the potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability. Risk is the intersection of assets, threats and vulnerabilities.

Threat: Anything that can exploit a vulnerability, intentionally or unintentionally, to obtain, damage or destroy an asset.

Vulnerability: Weaknesses or gaps in a network, software or system that can be exploited by any threats to gain unauthorized access to an asset.

7
Q

What are IDS and IPS, and how do you differentiate between an IDS and an IPS system?

A

IDS stands for Intrusion Detection System, which analyzes network traffic for signatures of incidents/events that match known cyberattacks.

IPS stands for Intrusion Prevention System, which also analyzes packets, but can also stop the packet from being delivered.

The main difference between them is that IDS is a monitoring system, while IPS is a control system. IDS does not alter the network packets in any way whereas IPS prevents the packet from delivery based on the contents much like how a firewall prevents traffic by IP address. IDS requires a human or another system to look at the results.

Some tools that I know of are:

  • SolarWinds Security Event Manager
  • SNORT
  • Security Onion
  • WinPatrol
  • Osquery
  • Splunk
  • OSSEC
8
Q

What do you know about cyber security frameworks?

A

An information security framework is a series of documented, agreed and understood policies, procedures and processes that define how information is managed in a business to lower risk and vulnerability and increase confidence.

Some of the most common frameworks are:

  • International Standards Organisation (ISO) 27K
  • Australian Signals Directorate (ASD) Essential 8
  • US National Institute of Standards and Technology (NIST)
  • Industry-Specific Standards
  • CIS (Critical Security Controls)
9
Q

What is a SIEM?

A

SIEM is Security Information and Event Management software that provides a holistic view of what is happening on a network in real time and helps cyber security analysts be more proactive in the fight against security threats.

SIEM security event management analyses event and log data in real time to provide event correlation, threat monitoring and incident response; it also retrieves and analyses log data and generates reports.

SIEM collects all of these alerts in a centralized console, allowing fast and thorough analysis.

SIEM solutions are critical for organizations that want complete visibility and control over what’s happening in their network in real-time.

Some examples of SIEMs are:

  • Splunk
  • SIEMonster
  • AlienVault
  • IBM QRadar
  • SolarWinds
10
Q

What makes an information security policy weak?

A

An information security policy is considered weak if:

  • The policy has not been made readily available for review by all employees
  • An organisation is unable to prove that employees reviewed and understood the content of the policy

So an information security policy must be strong in distribution, review, comprehension, compliance and uniformity.

11
Q

How can identity theft be prevented?

A
  • Make strong passwords and use multi-factor authentication
  • Avoid sharing confidential information online on social media
  • Shop from known and trusted websites
  • Use the latest version of browsers
  • Install advanced firewalls
12
Q

How can you prevent a man-in-the-middle attack?

A

MITM attacks happen when communication between two parties is intruded upon or intercepted by an outside entity.

The best way to prevent it is to:

  • Use encryption (public key encryption) between both parties
  • Avoid using open Wi-Fi networks.
  • Use HTTPS, forced TLS or VPN.
13
Q

What is a DDoS attack and how is it mitigated?

A

A DDoS (Distributed Denial of Service) attack is when a network is flooded with a large number of requests that it cannot handle, making the server unavailable to legitimate requests.
DDoS can be mitigated by analyzing and filtering the traffic using proxies or firewalls.

14
Q

What is a brute-force attack and how is it mitigated?

A

In brute-force attacks, the attacker tries to determine passwords through permutation or a fuzzing process. Attackers usually employ software such as a fuzzer or Hydra to automate the process of generating a large number of candidate passwords to be tested.

In order to avoid these kinds of attacks, organizations should follow password best practices, especially on critical resources like servers and routers, and also salt stored passwords.

15
Q

Why do you need DNS (Domain Name System) monitoring?

A

When you add your domain(s) to a DNS provider’s name servers, you are making those name servers authoritative for answering your domain’s incoming queries.

DNS is the first point of contact between you and your clients, so it is crucial to keep an eye on the service you trust to manage it.

DNS monitoring uses network monitoring tools to test connectivity between your authoritative name servers and local recursive servers. The queries have to ask multiple servers for the DNS information until they finally reach the name server authoritative for the domain.
We can also monitor the connection between actual clients and the authoritative name servers.

What you can control is actually the most important part of the DNS process: the performance of your authoritative name server when answering the recursive name server on the return trip.
Sonar offers an automated monitoring service that checks your domain as often as every 30 seconds for performance changes. You can also set up instant alerts to email or text you when there are any significant deviations.

Inspecting DNS traffic between clients' devices and your local recursive resolver can reveal a wealth of information for forensic analysis. DNS queries can reveal bots, botnets and malware connecting to their C&C servers, which is why DNS monitoring is essential.

16
Q

What are encoding, hashing and encryption?

A

Encoding is converting data into a desired format that is required for exchange between different systems.

Hashing is used to maintain the integrity of data, so that any change made at any time can be noticed.

Encryption is used to ensure that data is secure: you need a verification code or image in order to access it.