SYO-701 Threats and Mitigating Threats Flashcards

1
Q

Reasons for Vulnerable Systems

A

Weak configurations:
- Open permissions
- Unsecure root accounts
- Errors
- Weak encryption
- Unsecure protocols
- Default settings
- Open ports and services

Third-Party Risks:
- Vendor Management
- Supply chain
- Outsourced code development
- Data storage

Improper patch management:
- Firmware
- Operating system (OS)
- Applications

2
Q

Impact of Vulnerabilities

A

Data loss
Data breaches
Data exfiltration
Identity theft
Financial loss
Reputational damage
Availability loss

3
Q

Common security issues (Misconfiguration, Application issues)

A

Misconfiguration:

Unencrypted credentials/clear text
Logs and event anomalies
Permissions issues
Access violations
Certificate issues
Misconfigured devices

Application issues:

Unauthorised software
Baseline deviation
Licence compliance violation
Asset management
Authentication issues

4
Q

Application whitelisting

A

Application whitelisting is configuring a system with a list of approved software that is allowed to be used on the system. If someone tries to install or run an application not on the list, they will receive an error message stating that the application is not authorized. You can use AppLocker in Windows to create a list of applications that are authorized to run on the system.

5
Q

Unified Threat Management

A

A UTM is a device that combines a number of security functions such as a firewall, IDS/IPS, gateway antivirus and gateway anti-spam, content filtering, and data loss prevention, to name a few built-in security technologies. UTM systems output an array of information, such as alerts to suspicious traffic, reports on the number of viruses and spam messages blocked, and summaries of the number of content filter violations.

6
Q

Data Loss Prevention

A

DLP is a solution that prevents users from being able to send sensitive information outside the company. When a user tries to copy data to a USB drive, they may receive an error message from the DLP solution stating they do not have permission, or if a user attempts to send an e-mail that contains sensitive information blocked by DLP, the user will typically receive an e-mail stating that the content was not sent due to a DLP violation.

7
Q

Data execution prevention

A

DEP is a feature that can be enabled to prevent application code from executing in areas of memory used to store data (known as data pages). With DEP, blocks of memory not used for executing a program are flagged as nonexecutable pages by the system so that malicious software does not run in that block of memory.

8
Q

Cloud-based Vulnerabilities

A

Open ports
Authentication methods
Conditional access policies
Too many privileges

9
Q

Privilege Escalation

A

Privilege escalation is when a hacker finds a flaw in the operating system, or in a piece of software installed on the system, that, when exploited, elevates the hacker’s privileges from normal user capabilities to administrative access. Once the hacker has gained administrative access to the system, they can make whatever changes they want to the system, including planting a back door for future access.

Related terms: vertical privilege escalation, horizontal privilege escalation, and privilege de-escalation.

10
Q

Executable virus

A

Older viruses were executable viruses, where the virus was attached to an executable file but was not activated until you ran the file. This virus was typically spread from system to system by the user sharing files via floppy disks, flash drives, or a network drive.

11
Q

Boot Sector Virus

A

A boot sector virus is a serious virus that attacks the boot sector code and overwrites it. The boot sector is the first sector on the disk and contains operating system loader code that starts the boot sequence. When a boot sector virus overwrites this sector, it prevents the system from booting from the infected disk.

12
Q

Macro Virus

A

A macro virus is code that is written using a macro language that performs a malicious action such as deleting files or e-mailing everyone in your address book. The macro is usually created in a file and then triggered automatically when someone opens the file.

13
Q

Logic Bomb Virus

A

A logic bomb is a type of virus that is planted on the system when you install a piece of software that contains the logic bomb. The software application you installed acts as it is supposed to until a certain event, such as a specific date, occurs. When you run the software, it always checks for that specific date, and if the software is run on that date, it performs its malicious act. This is a common method disgruntled employees have used.

14
Q

Worm Virus

A

The worm virus is a scary virus type because it has the unique characteristic of being able to replicate itself without needing a user to activate it. Worm viruses can replicate themselves in a number of ways:

  • Network Protocols
  • E-mail
  • Flash Drives
15
Q

Trojan Virus

A

A Trojan virus is a program that a user is tricked into installing because it appears to do something useful, but in reality, it is a virus that infects the system. The Trojan virus typically modifies the system by opening a TCP/IP port on the system, which allows the hacker to connect to the system and take control of it.

16
Q

Rootkit

A

A rootkit is software installed on a system by a hacker that is typically hidden from the administrator and gives the hacker privileged access to the system. There are five major types:
- Application level (e.g. Trojan virus)
- Library level
- Kernel level
- Virtualised

17
Q

Botnet

A

A botnet is a collection of systems that have been compromised by a hacker and that are then used to help perform other types of attacks. The systems that are under the control of the hacker in a botnet are known as zombie systems, or bots, because they have no mind of their own and will do what the hacker commands.

18
Q

Remote Access Trojan

A

A RAT is malicious software that the user typically installs without knowing it, such as by installing a game from the Internet or by running a program that was e-mailed to them. The RAT program then opens a back door for the attacker to gain access to the system remotely at a later time. The RAT malware allows the attacker to make a connection to the system and run commands remotely on that system. If a system on a network has a RAT running, it is possible that the hacker could use that to compromise other systems, essentially creating a botnet.

19
Q

Potentially Unwanted Program

A

A PUP is software that gets installed on your system that you do not want but was installed because it was bundled with another program that you did actually want and installed. PUPs do many annoying things, such as display ads, install toolbars, potentially slow down your computer, and may collect private information about you. To help protect against PUPs, you should be careful to watch each screen when installing software to ensure that the option to install the add-on software is disabled, and be sure to run anti-malware software.

20
Q

Command and Control

A

C&C is when an attacker compromises a system (or network of systems) and then loads malware on it. The attacker then uses a command-and-control server to send commands to the systems running the malware so that the attacker can perform tasks such as retrieving sensitive data from the systems and disrupting the functionality of the systems.

21
Q

Protecting against malicious software

A
  • Use antivirus software
  • Keep virus definitions up to date
  • Keep a close eye on listening ports
  • Keep a close eye on running processes
  • Use good surfing habits
22
Q

Bluesnarfing, Bluejacking, Bluebugging

A

Bluesnarfing:
A Bluetooth exploit that allows the hacker to connect to a Bluetooth-enabled phone and to retrieve data off the phone

Bluejacking:
The sending of unsolicited messages from one Bluetooth device to another Bluetooth device

Bluebugging:
A Bluetooth exploit that involves the hacker gaining access to the phone and leveraging its full capabilities, including making calls using the AT command set on the phone

23
Q

PBX

A

A private branch exchange (PBX) is an advanced phone system that acts as a switch for all of the phones within the corporation. The PBX allows a company to purchase a single external line and then have multiple internal phone systems (and numbers) within the company use the PBX. Each phone in the company is given a unique number, which acts as the extension number off the external line.

24
Q

Embedded Systems

A

This includes any device connected to the network, such as a printer or smart TV, but also watch for devices that include Bluetooth technology. Examples:
- Raspberry Pi
- Field-programmable gate array (FPGA)
- Arduino

25
Q

SCADA/ICS

A

Supervisory Control and Data Acquisition (SCADA) is a special system used in industrial environments (for example, a manufacturing plant) to monitor operations. SCADA systems are used by facility managers to handle logistics related to controlling components such as HVAC, lighting, and refrigeration units.

Industrial control system (ICS) refers generally to any system that monitors or controls industrial equipment, including SCADA systems. These systems can be found in many types of facilities, including industrial plants, manufacturing plants, and energy plants.

26
Q

OS hardening

A

OS hardening is the process of removing unnecessary features of the operating system, disabling unnecessary services, and removing unnecessary accounts. The purpose of removing unnecessary features from the system is to reduce the attack surface, which comprises the components of a system that the hacker can hack into.

27
Q

OS hardening steps

A
  • Uninstall unnecessary software
  • Disable unnecessary services
  • Protect management interfaces and applications
  • Disable unnecessary accounts
  • Patch management
  • Password protection
  • Registry hardening
  • Disk encryption
28
Q

Network Security Hardening

A
  • Update firmware on all networking devices
  • Port Security
  • MAC limiting and Filtering
  • Disable unused interfaces (ports)
  • 802.1X (port-based access control protection)
  • Use secure management protocols
  • Rogue machine detection
29
Q

Tools for system hardening

A
  • Group policies
  • Security policies
  • Patch management
  • Configuring a security baseline (file system, permissions, services running, network connections, protocols running, firewall rules, storage encryption, etc.)
30
Q

Security posture and reporting

A

Security posture:
- Initial baseline configuration
- Continuous security monitoring (of vulnerabilities and misconfigurations, antimalware protection, patch deployment, and device configurations and statistics with SNMP)
- Remediation

Reports:
- Alarms
- Alerts
- Trends

31
Q

Common mitigation strategies

A
  • Network segmentation
  • Security layers
  • Application firewalls
  • Manual updates
  • Firmware version control
  • Wrappers
  • Control redundancy and diversity
32
Q

Solutions to ensure boot integrity

A
  • Boot security / Unified Extensible Firmware Interface (UEFI)
  • Measured Boot
  • Boot attestation
33
Q

Tokenisation, Hashing, and Salting

A

Tokenisation:
- Tokenisation is when sensitive data is stored with a token service instead of with the application data with which the sensitive data is used.

Hashing:
- Hashing is when data is run through a hashing algorithm to generate a hash value.

Salting:
- Salting involves taking a random value (the salt), adding it to the plaintext value, and then hashing the combination of salt + password and storing that hash in the database.

34
Q

Mobile Deployment Models

A
  • Bring your own device (BYOD)
  • Corporate-owned, personally enabled (COPE)
  • Choose your own device (CYOD)
  • Corporate-owned
  • Virtual desktop infrastructure (VDI)
34
Q

Sandboxing

A

Sandboxing is the process of creating separate running environments for applications and ensuring you restrict communication between these running environments.

34
Q

Stages of deployment

A

development
test
staging
production

35
Q

Types of firewalls

A
  • Packet filtering firewall (stateless)
  • Stateful Packet Inspection Firewall
  • Application-Layer Firewall
  • Web application firewall
  • Next-generation firewall
36
Q

IPTables

A

A very powerful firewall feature found in Linux that has replaced the older IPChains feature. IPTables gets its name from tables of rules that control what traffic is allowed to enter or leave the system or to be forwarded on to another system. Three main tables are used with IPTables: input, output, and forwarding.

37
Q

Firewall topologies

A
  • Dual-homed firewall
  • Screened-host firewalls
  • Screened-subnet firewalls
38
Q

DMZ

A

The demilitarized zone (DMZ) is an area between two firewalls: an external firewall and an internal firewall. The DMZ is an area on the network that you allow selected traffic from the Internet to reach. You normally place DNS servers, web servers, FTP servers, and SMTP servers in the DMZ.
The following ports are opened on the external firewall to allow communication to the appropriate services inside the DMZ:
- DNS UDP port 53
- HTTP TCP port 80
- FTP TCP port 21 (control port) and port 20 (data port)
- SMTP TCP port 25
- SSH TCP port 22

39
Q

Web security gateway

A

A web security gateway is a device or software that protects your network from malicious content on the Internet. Web security gateways not only protect your employees from inappropriate content such as pornography on the Web but also scan the content for malicious code, and they can provide data loss prevention (DLP) for your company by ensuring that employees are not posting sensitive information on the Web.

40
Q

VPN aggregator

A

You can centralize your virtual private network (VPN) access by having all employees go through a VPN aggregator in order to access the network. The VPN aggregator is where you configure the authentication and encryption protocols. The VPN aggregator also supports high availability so that it is always available to answer VPN requests from clients.

41
Q

URL filters

A

URL filters are listings of web sites that you want to allow or deny access to.

42
Q

IDS and IPS

A

Intrusion detection system (IDS): a passive IDS only sends out notifications or logs the suspicious activity, and as a result it is considered a detective control. An intrusion prevention system (IPS) will take corrective action. As an example, the IPS may disconnect the suspicious system from the network in order to prevent any other activity from the suspect system. An “active IDS” is now known as an IPS and is considered a prevention control.

43
Q

HIPS and NIPS

A

A host-based intrusion prevention system (HIPS) is responsible for monitoring activity on a single system, typically by looking at logs, identifying suspicious activity on that system, and then taking corrective action. A network-based intrusion prevention system (NIPS) is responsible for monitoring all network activity (not just activity on one system) and identifying suspicious network traffic before taking corrective actions.

44
Q

Security features of a switch

A

VLANs for segmentation
BPDU guard
DHCP snooping

45
Q

Network address translation

A

Network address translation, or NAT, is a network technology used for years that allows you to use a private address range on the inside of the network that is then translated to a public address used on the NAT gateway. The security benefit is that you hide the internal IP addresses used by systems surfing the Internet because all outbound traffic has the source IP address translated to that of the NAT gateway.

46
Q

Network access control

A

Network access control (NAC) is a very hot technology today and allows you to control who gains access to a wired or wireless network based on the state of the connecting system. With network access control, you can specify conditions that a system must meet to gain access to the network. If those conditions are not met, you can then redirect the user to a restricted network from which they can remedy their system.

47
Q

WEP, WPA, WPA2, WPA3, Radius

A

Wired Equivalent Privacy (WEP):
- Uses RC4 and a static key for encryption
- Easy to crack and should not be used

Wi-Fi Protected Access (WPA):
- Uses a 128-bit key that is dynamically generated by TKIP.

WPA2:
- Uses CCMP with AES as the symmetric encryption algorithm for data privacy.

WPA3:
- Uses a number of security features such as Simultaneous Authentication of Equals (SAE).

RADIUS:
- Two or more organizations who trust each other can configure their RADIUS servers for mutual authentication.

48
Q

Securing wireless networks

A
  • Set a password for the admin account.
  • Change the SSID.
  • Disable SSID broadcasting.
  • Use MAC filtering.
  • Configure encryption with WPA2 or WPA3.
  • Place the access point in the center of the building.
  • Lower the power levels to control how far a wireless signal can travel.
49
Q

Data emanation, packet sniffing, WPS attack and replay attack

A

Data emanation:
- Electronic components always release emissions, and someone could collect emissions from electrical components and piece them together into readable data

Packet sniffing:
- Anyone with a wireless network card and a sniffer can easily capture wireless data

WPS attack:
- A vulnerability was found in WPS that allows an attacker to perform a brute-force attack on the WPS PIN

Replay attack:
- A common type of attack with wireless networking whereby the hacker tries to crack the encryption key. In order to crack the encryption key, the hacker must generate enough traffic to allow the cracking tools to perform the crack. Instead of waiting for the wireless access point to receive enough traffic, the hacker can capture traffic with a sniffer and resend, or replay, the traffic.

50
Q

Authentication technologies

A

TOTP:
- Time-based one-time password is a random password code generated by an authentication system that is based on the current time and is only a valid password for a short period of time.

HOTP:
- HMAC-based one-time password uses a Hash-based Message Authentication Code (HMAC) algorithm to generate passwords.

Token Key:
- A token key is a common tool used by enterprise networks for multifactor authentication (MFA). After you enter your username and password, a random number is generated on a token key you have in your possession, and then you enter that number as a second authentication factor.

Static code:
- Static codes are different from TOTP codes in the sense that TOTP codes are only valid for a short period of time before they change. A static code does not expire and therefore does not change. An example of a static code is found in Facebook and is known as a recovery code.

51
Q

MFA factors

A

Something you know:
- This is the most common authentication factor, where you know information to prove your identity. An example of this authentication factor is knowing a password or a PIN.

Something you have:
- This is based on having something in your possession to gain access to the environment. For example, you use a swipe card or physical token to enter a building. Another example is when a web site sends you a text message with an authorization code when you log in.

Something you are:
- You submit a physical characteristic of yourself, such as your retina, fingerprint, or voice, to prove your identity. Authenticating to a system using this method is known as biometrics and is considered the most secure method of authentication.

52
Q

Single Sign On

A

Single sign-on (SSO) allows a user to authenticate to the network once and access multiple systems without needing to provide additional credentials.

53
Q

Common Authentication Protocols

A

Password Authentication Protocol (PAP):
- Sends the user’s credentials over the network in plain text; very insecure.

Challenge Handshake Authentication Protocol (CHAP):
- The server sends a challenge to the client that is then used in the authentication process. The user credentials do not get sent over the network.

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP):
- MS-CHAP is a variation of CHAP that uses MD4 as the hashing algorithm, versus MD5 used by CHAP. MS-CHAP also uses the Microsoft Point-to-Point Encryption (MPPE) protocol to encrypt all traffic from the client to the server.

Extensible Authentication Protocol (EAP):
- The Extensible Authentication Protocol allows for multiple logon methods such as smartcard logon, certificates, Kerberos, and public-key authentication. EAP is also frequently used with RADIUS, which is a central authentication service that can be used by RAS, wireless, and VPN solutions.

54
Q

Access Control Schemes

A

Discretionary Access Control:
- With discretionary access control (DAC), a discretionary access control list (DACL) is a listing of users or groups (known as security principals) who are granted access to a resource, and the DACL typically determines what type of access the user has.

Mandatory Access Control:
- With the mandatory access control (MAC) model, each individual (known as a subject) is assigned a clearance level such as restricted, secret, or top secret. The data and other assets in the organization are assigned classification labels that represent the sensitivity of the information. Examples of classification labels are public, confidential, secret, and top secret.

Role-Based Access Control:
- Role-based access control (RBAC) takes a different approach than MAC to controlling access to resources and privileges: the system grants special privileges to different roles. A role is a container object that has predefined privileges in the system. When you place users into the role, the user receives the privileges or access control permissions assigned to the role.

Rule-Based Access Control:
- Rule-based access control, also known as RBAC, involves configuring rules on a system or device that allow or disallow different actions to occur. For example, a router uses RBAC to determine what traffic can enter or leave the network by checking rules in an ACL configured on the router.

Group-Based Access Control:
- Group-based access control (GBAC) is when the security of the environment is based on the groups the user is a member of.

Attribute-Based Access Control:
- Attribute-based access control (ABAC) is an access control model that involves assigning attributes, or properties, to users and resources and then using those attributes in rules to define which users get access to which resources. For example, you could configure a rule specifying that if the user has a Department attribute of Accounting and a City attribute of Boston, they can access the file.

55
Q

Business classification labels

A

- Confidential: The highest sensitivity label. Information classified as confidential could cause grave damage to the organization if leaked to the public.
- Private: The second-highest sensitivity label. Information classified as private could cause serious damage to the organization if leaked to the public.
- Sensitive: Information assigned this classification label could cause an undesirable outcome if exposed to the public.
- Public: Information assigned this classification label is suitable for public release.

56
Q

Cryptography (substitution ciphers, transposition ciphers)

A

A substitution cipher replaces a character with another character, while a transposition cipher shifts the places of the characters.

57
Q

Algorithms and Keys

A

Algorithm:
- An encryption algorithm is the mathematical operation performed on the data to convert the data from plain text to cipher text (or vice versa).

Key:
- A key is a variable piece of information that is used by the encryption algorithm to perform the encryption or decryption of the data.

58
Q

Cryptographic terms (key strength, work factor, one-time pad (OTP), exclusive OR (XOR))

A

Key strength:
- Also known as key space or key length, refers to how many bits are in the encryption key. The larger the key space, the better the encryption (64-bit, 128-bit, 256-bit)

Work Factor:
- The term work factor refers to a value indicating the time it would take to break the encryption.

One-Time Pads:
- A one-time pad (OTP) is a very secure method of encrypting information that involves using a key only once. The key is a randomly generated value that is used to encrypt the data and then never used again.

XOR:
- An exclusive OR (XOR) is a mathematical operation that is common in cryptography. With an XOR operation, if one, and only one, of two bits being compared has a value of 1, then the result is a 1 for that calculated bit. But if both of the bits being compared have a value of 1, or neither has a value of 1, then the answer for that resulting bit is a 0.

59
Q

Symmetric Encryption:
(Definition and types)

A

Symmetric encryption:
- Is a common encryption method that involves using the same key to encrypt and decrypt the message.
- An example of symmetric encryption is wireless network encryption. When you configure security on a wireless router, you specify the key, or passphrase, on the router, and then must type the same passphrase on any clients that wish to connect to the wireless network.

Types:
- Data Encryption Standard (DES) (56-bit encryption)
- Blowfish (1- to 448-bit encryption)
- Twofish (128-bit encryption)
- Triple DES (3DES) (3 × 56 bits = 168-bit encryption)
- Rivest Cipher (RC4/RC5) (for wireless security)
- Advanced Encryption Standard (AES) (128-bit, 192-bit, and 256-bit encryption)
- AES256 (256-bit encryption)

60
Q

Asymmetric Encryption:
(Definition and Type)

A

Asymmetric encryption involves using two mathematically related keys to perform the encryption and decryption process.
- Whatever one key in the pair does, the other key undoes that operation.
- The two keys are related, but you cannot derive one key from the other.
- With asymmetric encryption, the two keys that are generated are referred to as a public key and a private key.
- In an asymmetric encryption environment, a message is always encrypted with the recipient’s public key.

Types:
- Rivest Shamir Adleman (RSA)
- Diffie-Hellman
- Elliptic curve (ECC)

61
Q

Hashing Algorithms

A

Message Digest 5 (MD5):
- MD5 generates a 128-bit hash value

Secure Hash Algorithm (SHA):
- SHA-1 creates a 160-bit hash value
- SHA-256 creates a 256-bit hash value
- SHA-512 creates a 512-bit hash value

NT LAN Manager (NTLM):
- Passwords are hashed with NTLM, which uses MD4 instead of DES

62
Q

Encryption limitations

A

Speed
Size
Weak Keys
Time
Longevity
Predictability
Reuse
Entropy
Computational overheads
Resource vs security constraints

63
Q

Internet Protocol Security (IPSEC)

A

IPSec has two modes: transport mode and tunnel mode. With transport mode, only the payload of the packet (data portion) is encrypted. With tunnel mode, the header of the packet and the data are encrypted. IPSec uses different protocols for different cryptography services:
- Authentication Header (AH) is responsible for data integrity and authenticating the sender within IPSec.
- Encapsulating Security Payload (ESP) provides data integrity, authentication, and data confidentiality by encrypting the data, also known as the payload, within the packet.

64
Q

Cipher Suites and Perfect Forward Secrecy

A

Ephemeral key:
- A temporary key typically used to encrypt a single message within the communication instead of using the same key to encrypt all messages in the communication.

Perfect forward secrecy:
- The term used to describe a system that generates random public keys (ephemeral keys) for each session so that secret key exchange can occur during the communication.

Key stretching:
- Also known as key strengthening, this is a technique used to ensure that a weak key, such as a password, is not victim to a brute-force attack. With key stretching, a special algorithm is used to convert the weak password into a stronger key. Two common algorithms used to strengthen a key are PBKDF2 and Bcrypt.

65
Q

Steganography

A

Steganography is a cryptography concept that involves a person hiding data inside other files such as graphic files, audio files, or video files. For example, a steganography application can be used to modify a graphic file and hide text documents in the graphic file.

66
Q

Digital Certificates

Definition, contents, and types

A

A certificate is an electronic file used to store the public key (and sometimes the private key) and associates the public key with an entity such as a person or company.

Contents:
Public key
Algorithm
Serial number
Subject
Issuer
Valid from
Thumbprint algorithm
Thumbprint

Types:
Wildcard
SAN
Code signing
Self-signed
Machine/computer
User
Root
Domain validation
Extended validation

67
Q

Public Key Infrastructure (hierarchy of CAs)

A

A PKI is made up of a hierarchy of CAs. The root CA has a self-signed certificate. Also note that all objects in a PKI use object identifiers, or OIDs. An OID is a globally unique name assigned to each object.

68
Q

Certificate Life Cycle stages

A

certificate request
certificate issued
renewal
suspension and revocation
destruction/expiration

69
Q

Certificate Revocation Lists

A

The CA is responsible for creating the certificate revocation list (CRL), which is a list of certificates that have been revoked. The CRL is published to a web site at regular intervals, and applications download the CRL to verify that a certificate has not been revoked before using the certificate.

70
Q

M of N recovery

A

M of N control ensures that a minimum number of persons are required in order to recover a key. For example, you may require two out of three authorized persons to perform key recovery.

71
Q

Secure Sockets Layer (SSL) / Transport Layer Security (TLS) stages

A
  1. The client sends a request for a web page to the secure web site using https:// in the URL. This makes a connection to port 443 by default.
  2. The server sends the public key to the client.
  3. The client validates the certificate and ensures it has not expired or been revoked.
  4. The client creates a random symmetric key (known as a session key) used to encrypt the web page content, and then encrypts the symmetric key with the public key obtained from the web server.
  5. The encrypted information is sent to the web server. The web server decrypts and obtains the symmetric key (session key). The web server uses the symmetric key to encrypt information between the client and the server.

72
Q

Risk Analysis Process

A
  • Identify Assets
  • Identify threats to each asset (threat assessment)
  • Analyse impact
  • Prioritise threats
  • Identify mitigation techniques
  • Evaluate residual risks
73
Q

Qualitative and Quantitative Risk assessments

A

Qualitative:
- Qualitative risk analysis determines the risk and mitigation techniques without actually calculating the loss as a dollar figure. With qualitative risk analysis, you create a scale of values to rate each threat based on the numbers in the scale.
Risk = Probability × Loss

Quantitative:
- With quantitative analysis, you calculate dollar amounts for each of the risks and what the impact of the threat is. This is a critical type of assessment because upper-level management wants to see dollar figures to justify the cost of purchasing a security control to protect the asset. The resulting cost of the threat helps determine how much you should invest in a security solution to protect the asset.
Single loss expectancy (SLE)
Exposure factor (EF): the percentage of the asset's value that is lost if the threat occurs
First calculate:
SLE = value ($) × EF (%)
Then calculate:
ALE = SLE × ARO

74
Q

Risk mitigation strategies

A
  • Mitigate the risk (mitigation)
  • Accept the risk (acceptance)
  • Transfer the risk (transference)
  • Avoid the risk (risk avoidance)
  • Deter the risk (deterrence)
75
Q

Practices to mitigate risk

A
  • Enforce technology security controls
  • Change management
  • Incident management
  • User rights and permissions reviews
  • Perform routine audits
  • Enforce policies and procedures
76
Q

Business Continuity Plan (BCP) stages

A
  • Initiate the project
  • Perform Business Impact Analysis (BIA) (risk assessment)
  • Develop the plan
  • Test the plan
  • Maintain the plan
77
Q

Backup Destination Media

A

Tape:
- The benefit of storing on tape was that you had the flexibility to back up lots of data and then decide where you wanted to store the tapes.

Disk:
- Many companies today are backing up to drives instead of
tapes. Backing up to disk is typically faster than backing up to tape, and you can even use removable drives in order to store the backup at a different location.

Network-attached storage (NAS):
- NAS is an enclosure that contains multiple hard drives, and typically one or two Ethernet ports to connect the NAS device to the regular network.

Storage area network (SAN):
- A SAN is a high-speed network
designed for storage traffic that connects your servers to a storage
array of drives.

Image:
- You can back up an entire image of a system. For example, in Windows 10, the backup software has an option to do a full system
backup, which backs up the entire system to an image. You can restore the system by restoring the system image.

Online vs. offline:
- Online means you have access to it at all times, whereas offline means the backup destination is not available at all times and is typically located offsite somewhere.

Cloud

78
Q

Types of backups

A

Full backup:
- A full backup backs up every file on the specified volume or volumes (or partitions). A full backup necessitates a large storage capacity and a lot of time. Full backups are easy to restore from because you only need to perform a restore from the one backup set. What happens when a full backup is performed is that it backs up all the files you select (whether the archive bit is set or not), and then it clears the archive bit so that the operating system and applications know that the file has been backed up.

Incremental Backup:
- An incremental backup backs up only the files that have changed or that were added since the last incremental or full backup. It does this by backing up only files that have the archive bit set (meaning the file needs to be backed up).

Differential Backup:
- Backs up the files that have changed or that were added since the last full backup by looking for any files that have the archive bit set. Differential backups back up any files that have had changes, but they do not clear the files' archive bit. Because the archive bit is not cleared, each differential backup will back up all files changed since the last full backup.

An important difference between differential and incremental backups is that incremental backups take less time to perform (because you are getting only changes since the last full or incremental backup) but more time to restore (because you are restoring multiple incremental backups). Differential backups take more time to perform but less time to restore.

Copy Backup:
- A copy backup is like a full backup but it does not clear the archive bit. This is important because a copy backup will not disrupt the backup cycle if you run this type of backup. Copy backups are useful if you decide you need to back up the data in the middle of a backup cycle.

Snapshots:
- Many organizations use virtualization technology to create virtual machines (VMs) that run their servers on the network. With virtualization software, you can create a snapshot of a virtual machine, which essentially makes a quick backup of its state and configuration. You can then quickly revert to that backup at a later time. One of the drawbacks of reverting to a snapshot is that you lose all changes since that snapshot, so you must be sure you really want to do that.

Using a combination of the full backup and incremental backup is highly effective and less time consuming than running a full daily backup.

79
Q

Redundancy

A

Adding redundancy ensures that assets do not have a single point of
failure. For example, ensuring you have multiple power supplies in a server ensures there is no single point of failure in regard to the power supply. When creating redundancy, especially when it comes to the redundancy
of data and services, you need to determine whether you want to use on premises solutions for redundancy—that being a solution on your physical network—or you want to use a cloud-based solution for redundancy

80
Q

Examples of redundancy

A

Disks:
- RAID
- Multipath

Network:
- load balancers
- NIC teaming

Power:
- UPS
- generator
- dual supply
- PDUs

Replication:
- SAN
- Virtual Machines

81
Q

Redundant Array of Inexpensive Disks (RAID)

A

RAID allows you to create volumes that use multiple hard drives to provide data redundancy.

RAID 0:
- RAID level 0 is called striping or striped volumes. With RAID 0, multiple disks are used to create a volume; when data is saved to the volume, the data is split up and spread across all disks in the volume. The benefit of striped volumes is that all disks are written to at the same time, giving you a performance benefit. There is no fault tolerance in RAID 0; it is used strictly for the performance benefit in read and write operations.

RAID 1:
- RAID 1 is known as disk mirroring. Disk mirroring uses two hard drives and duplicates the data from one drive to another. The fact that RAID 1 stores a second copy of the data on another member of the volume means that this solution does offer fault tolerance.

RAID 5:
- RAID 5 is known as striping with parity because a RAID 5 volume acts as a RAID 0 volume but adds parity information to create redundancy. RAID 5 volumes write data to all disks in the volume but store the redundant information on one of the disks per stripe.

82
Q

Types of investigation

A

A corporate investigation:
- Arises because an employee is suspected of violating a corporate policy or misusing a corporate asset such as e-mail or the Internet.

A public investigation:
- Arises due to suspicion that a law has been broken.

83
Q

Chain of Custody

A

A chain of custody is a document that records where the evidence is at all times. It is imperative that you have a chain of custody in place for the evidence so that you can account for the whereabouts of the evidence at all times.

84
Q

Collecting Digital Evidence

A

Seize the evidence
Acquire the evidence
Validate the integrity of evidence
Analyse the evidence
Report on findings

85
Q

Order of volatility:

A

Volatile means that the data may not be there for long, so as a forensics investigator it is critical that you collect evidence from the volatile areas first and then look to the nonvolatile areas.

  1. Cache memory
  2. RAM
  3. Swap file/page file
  4. Hard disk
  5. Logs on remote systems (network)
  6. Optical discs (DVDs)
86
Q

Incident Response Plan

A
  • Documented incident types/category definitions
  • Roles and responsibilities
  • Reporting requirements/escalations
  • Computer Incident Response Team
  • Exercise
87
Q

Incident Response Process

A

preparation
identification
containment
eradication
recovery
lessons learned

88
Q
A