Security Operations Part I Flashcards

1
Q

TPM

A

Trusted Platform Module:
- built into the motherboard
- stores (some) encryption keys locally
- supports BitLocker, Secure Boot
- keys never leave the chip
- not scalable
- used on one device

2
Q

HSM

A

Hardware Security Module:
- Used in data centers, clouds
- stores millions of encrypted keys
- scalable
- used in banks, enterprises

3
Q

UEFI

A

Unified Extensible Firmware Interface:

+ replacement for BIOS
+ faster boot times
+ supports Secure Boot
+ required for BitLocker with Secure Boot

4
Q

Secure Boot

A

* UEFI feature
* allows only trusted software to run during startup
* verifies drivers using digital signatures
* blocks rootkits, bootkits (malware)
* cryptographic keys (PK, KEK, db, dbx)
* works with TPM for Measured Boot & Attestation

5
Q

Whitelisting✔️

A

Only approved apps can run ✔️

6
Q

Blacklisting❌

A

blocks untrusted apps ❌

7
Q

Application hardening🤷

A

removing unnecessary features, code and access so attackers have fewer things to target 🤷

8
Q

Antimalware🦠

A

Antivirus 2.0
basic protection, blocks known threats🦠

9
Q

EDR 🦠

A

Endpoint Detection and Response:
Advanced security that detects, responds and analyzes, even if the threat is unknown 🦠

10
Q

Network segmentation

A

Isolate critical systems with VLANs, firewalls, DMZs

11
Q

NAC

A

Network Access Control

Network gatekeeper :)

= checks device identity and security posture✅
= allows or blocks access✅

12
Q

Degaussing 💿

A

data destruction method to wipe magnetic storage (HDDs, tapes) 💿

  • does not work on SSDs

13
Q

Asset inventory 💻🖥️

(what does it do?)

A

Tracks all assets in a company: hardware, software, people. 💻🖥️

14
Q

CMDB 🧑‍🤝‍🧑

A

Configuration Management Database:

Tracks configurations, owners, relationships between devices, dependencies, change history, etc. 🧑‍🤝‍🧑

15
Q

Assets (?)

A

Everything valuable to company that needs protection:
- IT devices
- data
- cloud services (VMs)
- people
- certificates, keys

16
Q

CVSS

A

Common Vulnerability Scoring System (0-10)

+ scores how severe a vulnerability is
+ 9-10 is critical
+ helps prioritize patching

0.1-3.9 - low
4.0-6.9 - medium
7.0-8.9 - high
9.0-10.0 - critical

17
Q

Remediation

A

You found the vulnerability, now eliminate it :))

18
Q

Compensate, Mitigation

A

buy time or limit damage because you can't fix the issue directly

19
Q

penetration test

A

simulating a real-world cyberattack (hiring ethical hackers to hack the company)

20
Q

WAF

A

Web Application Firewall

21
Q

Endpoints

A

user devices connected to the network (laptop, phone, printer)

22
Q

SIEM 🧠

A

Security Information and Event Management:

  • Central Brain 🧠
  • stores, collects, analyzes logs from everywhere (firewalls, endpoints, servers)
    * sends alerts
  • “Log centralization” + detection + analysis + alerting

23
Q

EDR 💻

A

Endpoint Detection and Response: 💻

  • “Endpoint Bodyguard”
    Watches endpoints (laptops, desktops, servers) for malware and sus activity
  • Can isolate infected devices and roll back damage

24
Q

NDR 🌐

A

Network Detection and Response: 🌐

@ Network Watchtower
@ Watches the network for threats and lateral movement
@ east-west network traffic surveillance

25
Q

HIDS/HIPS 🕵️

A

Host-Based/Network-based Intrusion Detection/Prevention Systems: 🕵️

| OLD but useful for known threats
| “Classic Detectives”
| HIDS monitors files and logs on a SINGLE device
| NIDS analyzes network traffic in real time

26
Q

SOAR🤖

A

Security Orchestration, Automation and Response: 🤖

~ “The Automation Hero”
~automates responses across multiple tools
~ isolating endpoints, sending alerts
~SIEM detects, SOAR acts ‼️

27
Q

UEBA 🧍

A

User and Entity Behavior Analytics:🧍

🧷 “Sus user behavior”
🧷 “who's acting weird?”
🧷 Uses AI/ML to find behaviour anomalies - e.g. a user logging in at 3 am

28
Q

Automation

A

Individual tasks performed by a system without human interaction so humans can focus on other things.

🧷 blocks an IP after 5 failed login attempts
🧷 removes human error, improves efficiency

29
Q

Orchestration ⭐

A

Coordinating multiple automated tasks across different systems into a unified workflow ⭐

⭐ Focus on hard, multi-step problems from start to finish
⭐ Malware is detected → system isolates the host → forensics tool collects evidence → alert sent to SOC team → IR ticket created
⭐ SOAR = Automation + Orchestration + Response
⭐ chain of actions, workflow

30
Q

IR steps (6 steps) 📢

A

Incident Response steps:

  1. Preparation
  2. Detection and Analysis
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons Learned (Post-Incident Activity)

31
Q

1. Preparation 🥒

A

🥒 Be ready. Before the attack occurs
🥒 Develop IR team (IRT or CSIRT)
🥒 communication protocols
🥒 security tools - SIEM, IDS/IPS, EDR
🥒 Create IRP (IR plan)
🥒logging and monitoring

32
Q

2. Detection and Analysis 🪐

A

🪐Recognize and confirm the incident ❗
🪐SIEM alerts, IDS/IPS logs, Antivirus, user reports, monitoring dashboards
🪐 validate the incident (false positive or real?)
🪐 determine the scope of it
🪐document it
🪐 Categorize severity (low or high)
🪐start the incident ticket

33
Q

3. Containment 🔒

A

🔒 stop the SPREAD ❗
🔒isolate infected devices
🔒 block malicious IPs
🔒 disable compromised accounts
🔒 take systems offline

34
Q

4. Eradication ☠️

A

☠️ELIMINATE the threat completely ❗
☠️remove malware
☠️ patch systems
☠️remove backdoors
☠️ reimage systems

35
Q

5. Recovery 🎗️

A

🎗️ bring systems back to safety❗
🎗️ clean backups
🎗️ monitor for re-infection

36
Q

6. Lessons Learned 👩🏿‍🏫

A

👩🏿‍🏫Post Incident review and documentation❗
👩🏿‍🏫Incident report
👩🏿‍🏫 Update IRP

37
Q

Forensics (what's that?)

A

Identifying, collecting and analyzing evidence post-incident (attack)

38
Q

Key Goals of Forensic Investigation 🔑

A

  1. identify 🔑
  2. preserve (the integrity of the evidence)
  3. analyze (the data to find the root cause)
  4. report (findings in a legally defensible manner)

39
Q

Chain of Custody ⛓️

A

⛓️ Detailed log of who handled the evidence, when, and what they did, to prove it wasn’t tampered with - so it can be legally valid in court.

⛓️‍💥 who touched the evidence
⛓️‍💥 when and where
⛓️‍💥 why it was accessed
⛓️‍💥 how it was secured

40
Q

DNS logs 🫧 (what does it show?)

A

🫧 sus domain lookups
🫧identify connections to malicious domains

41
Q

Firewall logs 🔥 (what does it show?)

A

🔥blocked/allowed traffic, ports, IPs
🔥detect port scanning

42
Q

IDS/IPS logs 🚒 (what does it show?)

A

🚒 detected attacks or anomalies
🚒 detected SQL injection or buffer overflow

43
Q

NetFlow/sFlow data 🛜 (what does it show?)

A

🛜 metadata about traffic (IP pairs, ports, bytes)
🛜 who talked to whom on the network
🛜 how much data was transferred

44
Q

Application logs 🤳🏿 (what does it show?)

A

🤳🏿app specific behavior
🤳🏿help debug software
🤳🏿catch errors
🤳🏿 track app misuse

45
Q

SIEM logs 📶 (what does it show?)

A

📶 correlate all logs for broader context
📶 aggregates logs
📶 supports automated responses
📶 correlates events

46
Q

System logs (Event logs) ⌨️
(what does it show?)

A

⌨️ login attempts
⌨️ logouts
⌨️ policy changes
⌨️ system crashes

47
Q

EDR logs 🖥️ (what does it show?)

A

🖥️ malware infections
🖥️ransomware
🖥️ endpoint threats

48
Q

System Performance Logs 👺
(what does it show?)

A

👺 detect DDoS
👺hardware-related performance issues