Security Analyst Questions Flashcards
Interview
Black Hat
hackers are criminals who break into computer networks with malicious intent.
Also known as Ethical Hackers. They are certified hackers who learn hacking from courses. These are good hackers who try to secure our data, websites.
White Hat Hacker
A mix of both Black-Hat and White-Hat hackers. These types of hackers find vulnerabilities in systems without the permission of owners. They don’t have any malicious intent. However, this type of hacking is still considered illegal.
Grey Hat Hacker
A method of determining which ports on a network are open and could be receiving or sending data.
Port Scanning
A group that pretends to be an enemy, attempts a physical or digital intrusion against an organization at the direction of that organization, then reports back so that the organization can improve their defenses.
Red Team
A group of individuals who perform an analysis of information systems to ensure security, identify security flaws, verify the effectiveness of each security measure, and make certain all security measures will continue to be effective after implementation.
Blue Team
A device that allows or blocks the network traffic according to the rules.
Firewall
A security vulnerability caused by incomplete or incorrect misconfiguration.
Security Misconfiguration
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
Vulnerability
The level of impact on agency operations (including mission functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.
Risk
Any circumstance or event with the potential to adversely impact organizational operations, organizational assets, individuals, other organizations, or the Nation through a system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
Threat
Following the set of standards authorized by an organization, independent part, or government.
Compliance
A globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.
MITRE ATTACK
An extra layer of security used to make sure that people trying to gain access to an online account are who they say they are. First, a user will enter their username and password. Then, instead of immediately gaining access, they will be required to provide another piece of information.
2FA
Share some general endpoint security product categories
Antivirus
EDR (Endpoint Detection and Response)
XDR (Extended Detection and Response)
DLP (Data Loss Prevention)
What is HIDS?
HIDS means Host Intrusion Detection System. HIDS is located on each host.
What is NIDS?
NIDS means Network Intrusion Detection System. NIDS is located in the network.
A common model that forms the basis for the development of security systems.
CIA Triad
Involves the efforts of an organization to make sure data is kept secret or private.
Confidentiality
Involves making sure your data is trustworthy and free from tampering.
Integrity
Systems, networks, and applications must be functioning as they should and when they should.
Availability
What is AAA?
Authentication
Authorization
Accounting
Involves a user providing information about who they are. Users present login credentials that affirm they are who they claim.
Authentication
A user can be granted privileges to access certain areas of a network or system.
Authorization
Keeps track of user activity while users are logged in to a network by tracking information such as how long they were logged in, the data they sent or received, their Internet Protocol (IP) address, the Uniform Resource Identifier (URI) they used, and the different services they accessed.
Accounting
Framework is part of the Intelligence Driven Defense® model for identification and prevention of cyber intrusions activity. The model identifies what the adversaries must complete in order to achieve their objective.
Cyber Kill Chain
A security solution that provides the real time logging of events in an environment. The actual purpose for event logging is to detect security threats.
SIEM
Serve as forensic evidence of potential intrusions on a host system or network. These artifacts enable Information Security (InfoSec) professionals and system administrators to detect intrusion attempts or other malicious activities.
Indicator of Compromise (IoC)
Demonstrate the intentions behind a cyberattack and the techniques used by the threat actor to accomplish their objectives.
Indicator of Attack (IoA)
If the situation to be detected and the detected (triggered alert) situation are the same
True Positive
In short, it is a false alarm. When an IDS or IPS flags non-malicious traffic as malicious.
False Positive
A conceptual model that describes the universal standard of communication functions of a telecommunication system or computing system.
OSI Model
A method used in a TCP/IP network to create a connection between a host and a client.
Three-Way Handshake
Explain the Three-Way Handshake
- The client sends a SYN(Synchronize) packet to the server check if the server is up or has open ports
- The server sends SYN-ACK packet to the client if it has open ports
- The client acknowledges this and sends an ACK(Acknowledgment) packet back to the server
Is the default method of data communication on the Internet. It was developed by the United States Department of Defense to enable the accurate and correct transmission of data between devices.
TCP/IP Model
What is the difference between the TCP/IP Model and the OSI Model?
The TCP/IP model is a simpler, four-layer model that focuses on the actual workings of the internet, while the OSI model is a more detailed seven-layer model that provides a conceptual framework for understanding network communication.
Is a communication protocol used for discovering the Data Link Layer address, such as a MAC address, associated with a given Network Layer address, typically an IPv4 address.
Address Resolution Protocol (ARP)
Is a network management protocol used on Internet Protocol (IP) networks for automatically assigning IP addresses and other communication parameters to devices connected to the network using a client–server architecture.
Domain Host Configuration Protocol (DHCP)
Is like the internet’s phone book, translating domain names (like google.com) into IP addresses (like 172.217.1.46) so computers can communicate with each other.
Domain Name Server (DNS)
Creates a secure, encrypted connection over a public network like the internet, allowing users to browse the web privately and securely. It masks their IP address and encrypts their data, enhancing privacy and security, particularly when accessing sensitive information or bypassing geographical restrictions.
Virtual Private Network (VPN)
Is a network segmentation technique that allows administrators to logically divide a single physical network into multiple isolated virtual networks.
Virtual Land Area Network (VLAN)
Is a networking device that forwards data packets between computer networks. Responsible for directing traffic based on IP addresses, enabling communication between devices on different networks.
Router
Is a networking device that connects multiple devices within a local area network (LAN) and forwards data packets to their intended destination based on MAC addresses. It operates at the data link layer of the OSI model and helps manage network traffic efficiently by creating direct paths between devices.
Switch
Is a connectionless protocol that provides a simple and lightweight method for sending data packets over a network. It is commonly used for applications that prioritize speed and efficiency over reliability, such as real-time streaming or online gaming.
User Datagram Protocol (UDP)
Is a connection-oriented protocol that ensures reliable and ordered delivery of data packets over a network. It establishes a virtual connection between sender and receiver, handling error correction, flow control, and congestion control to guarantee data integrity and successful transmission.
Transmission Control Protocol (TCP)
What is the difference between UDP and TCP?
UDP and TCP are transport layer protocols. TCP has error checking and guaranties that packets have been received while UDP does not.
- Close all unnecessary ports
- Patch the server so that all software is up to date
- Tightly control user access
Steps to ensure a server is secure
Is a tool used to trace the path of an IP packet as it traverses routers. It works by incrementing the TTL field until the packet reaches the destination IP.
Traceroute
Is a logical subdivision of an IP network. The practice of dividing a network into two or more networks
Subnet
Is a unique identifier assigned to a network interface controller for use as a network address in communications within a network segment.
MAC Address
Is a method of mapping an IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device.
Network Address Translation (NAT)
Is a network protocol that builds a loop-free logical topology for Ethernet networks.
Spanning Tree Protocol (STP)
The process of distributing a set of tasks over a set of resources, with the aim of making their overall processing more efficient.
Load Balancer
Also known as a virtual machine monitor or virtualizer, is a type of computer software, firmware or hardware that creates and runs virtual machines.
Hypervisor
A package of software and its dependencies — such as code, system tools, settings, and libraries — that can run reliably on any operating system and infrastructure.
Conatiner
Allow devices to connect to a network even if they are not located within the same subnet or broadcast domain.
DHCP Relay
Is a way of bundling two or more network interfaces together to act as one
Link Aggregation or Port Trunking
A system or router that provides a gateway between users and the internet.
Proxy Server
A method of detecting and assessing packet data sent over a network.
Packet Sniffing
A physical or virtual architectural approach dividing a network into multiple segments.
Network Segmentation
A security protocol that creates an encrypted link between a web server and a web browser.
SSL
Encrypts data sent over the Internet to ensure that eavesdroppers and hackers are unable to see what you transmit.
TLS
What port is HTTP?
Port 80
What port is HTTPS?
Port 443
What port is FTP?
Port 21
What port is SSH?
Port 22
What port is Telnet?
Port 23
What port is SMTP (Simple Mail Transfer Protocol)?
Port 25
What port is DNS?
Port 53
What port is DHCP
Port 67
What port is TFTP (Trivial File Transfer Protocol)
Port 69
What port is NTP (Network Time Protocol)
Port 123
What port is LDAP (Lightweight Directory Access Protocol)
Port 389
What port is RDP
Port 3389
What port is VNC (Virtual Network Computing)
Port 5900
What port is POP3 (Post Office Protocol version 3)
Port 110
What port is IMAP (Internet Message Access Protocol)
Port 143
Is a secure network protocol used for remote access and control of devices over an unsecured network
SSH
Is a standard network protocol used for transferring files between a client and a server on a computer network.
FTP
Is an Internet-standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior.
SNMP
is an open and cross-platform protocol used for accessing and maintaining distributed directory information services over a network.
LDAP
Is a proprietary protocol developed by Microsoft that enables users to remotely access and control a computer desktop over a network connection.
RDP
Is meant to protect Wi-Fi transmissions by encrypting the data so outsiders who are not inside the encrypted network will not be able to read the messages or data contained within.
Wired Equivalent Privacy (WEP)
Is a security standard for computing devices with wireless internet connections.
Wi-Fi Protected Access (WPA)
General network security product names
Firewall
IDS (Intrusion Detection System)
IPS (Intrusion Prevention System)
WAF (Web Application Firewall)
What’s the difference between an IDS and IPS?
IDS only detects the traffic but IPS can prevent/block the traffic.
How can you protect yourself from Man-in-the-middle (on-path) attacks?
Caution with connecting to public Wi-Fi
Use a VPN.
What are the HTTP response codes?
1XX: Informational
2XX: Success
3XX: Redirection
4XX: Client-Side Error
5XX: Server-Side Error
Is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.
OWASP Top 10
Are critical attack methods where a web application directly includes unsanitized data provided by the user in queries.
SQL Injection
Use parameterized queries or prepared statements.
Implement input validation to ensure data integrity.
Use proper access controls to limit database privileges.
Preventing SQL Injection
A type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.
Cross-Site Scripting (XSS)
Is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.
Cross-Site Request Forgery (CSRF)
Implement proper input validation and sanitization.
Use output encoding or escaping
Implement anti-CSRF tokens in web forms
Prevent XSS and CSRF
Is a vulnerability caused by the lack of an authorization mechanism or because it is not used properly.
Insecure Direct Object Reference (IDOR
Is the security vulnerability that occurs when a file on a different server is included without sanitizing the data obtained from a user.
Remote File Inclusion (RFI)
Is the security vulnerability that occurs when a local file is included without sanitizing the data obtained from a user.
Local File Inclusion (LFI)
Difference between LFI and RFI?
LFI differs from RFI because the file that is intended to be included is on the same web server that the web application is hosted on.
Helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet.
Web Application Firewall (WAF)
Is the practice and study of techniques for secure communication in the presence of third parties, typically involving encryption and decryption of data.
Cryptography
Converts the data in the desired format required for exchange between different systems.
Encoding
Maintains the integrity of a message or data. Any change did any day could be noticed.
Hashing
Ensures that the data is secure and one needs a digital verification code or image in order to open it or access it.
Encryption
Difference between hashing and encryption
Hashing transforms data into a fixed-size string of characters, while encryption encodes data with a key that can be decoded to its original form.
Added to the hashing process to force their uniqueness, increase their complexity without increasing user requirements, and to mitigate password attacks like hash tables.
Salted Hashes
Name of the software that compiles written code?
Compiler
Name of the software that translates machine codes into assembly language?
Disassembler
It is the approach of analyzing malicious software by reverse engineering methods without running them.
Static Malware Analysis
It is the approach that examines the behavior of malicious software on the system by running it. Applications that can examine registry, file, network and process events are installed in the system, and their behavior is examined by running malicious software.
Dynamic Malware Analysis
How does malware achieve persistence on Windows?
Services
Registry Run Keys (Run, RunOnce)
Task Scheduler
Infecting to clean files
Which event logs are available default on Windows?
Security
Application
System
Is malicious software designed to disrupt, damage, or gain unauthorized access to computer systems or data.
Malware
A type of malicious software that attaches itself to other programs or files and spreads by replicating when those files are executed, often causing harm to the host system.
Virus
Virus is a specific type of malware that self-replicates by attaching to other programs or files, malware encompasses a broader range of malicious software designed to disrupt, damage, or gain unauthorized access to computer systems or data.
Difference between virus and malware
Trojan Horse
Ransomware
Spyware
Adware
Rootkit
Examples of Malware
Wannacry
Stuxnet
Code Red
Examples of Viruses
Is a cyberattack that causes the servers to refuse to provide services to genuine clients.
Distributed Denial of Service (DDOS)
Configure Firewalls and Routers
Use Load Balancing
Preventatives for DDOS
Is a type of malicious software that encrypts files on a victim’s computer or network, rendering them inaccessible, and demands payment (usually in cryptocurrency) for the decryption key to restore access.
Ransomware
Network Segmentation
Keep Anti-Virus Software up to date
Preventatives to Ransomware
Is a cyberattack technique where attackers attempt to gain unauthorized access to multiple user accounts by using commonly used passwords or easily guessable credentials.
Password Spraying
Is a type of cyberattack where an attacker systematically tries every word in a pre-compiled list (dictionary) of potential passwords to gain unauthorized access to user accounts or systems.
Dictionary Attack
Is a cyberattack method where an attacker systematically tries every possible combination of characters until the correct password or encryption key is discovered
Brute Force Attack
Is the process of identifying, quantifying, and prioritizing vulnerabilities in computer systems, networks, and applications to determine potential security risks and take appropriate remedial actions.
Vulnerability Assessment
Is a unique name that identifies a wireless network
SSID
Network type that allows each user to act as both client or server
Peer to Peer
A computer system or software program that provides services or resources to other computers, known as clients, over a network, fulfilling requests and facilitating communication and data exchange between devices.
Server
Is a hardware component used in networking equipment, such as routers and switches, to connect to wide area networks (WANs) and provide access to remote networks or the internet.
WIC (WAN Interface Card)
Refers to information that is actively being transferred between two endpoints over a network.
Data in Transit
Information that is stored or archived in a persistent state
Data at Rest
Is the protection of critical systems and sensitive information from digital security threats.
What is Cybersecurity?
Is an intentional or unintentional transmission of data from within the organization to an external unauthorized destination.
Data Leakage
Accidental Breach
Intentional Breach
System Hack
3 Types of Data Leakage
Malware
Phishing
Password Attacks
DDoS
Man in the Middle
Common Cyber Attacks
- Ensure strong and unique password.
- Avoid sharing confidential information online, especially on social media.
- Shop from known and trusted websites
- Install advanced malware and spyware tools.
- Update anti-virus software
Prevent Identity Theft
Is a networking protocol suite that allows applications and devices on a local area network (LAN) to communicate with each other
NetBIOS
Restricting the users from accessing a set of services within the local area network
Port Blocking
