Chapter 1: Understanding Security Fundamentals

Question 1

A concept used that has multiple protective layers so that if one layer of protection goes down, other layers will be in place to guard against hacking a company’s data.

Answer 1

Defense in Depth

Question 2

Managers write these as sort of an organizational policies and procedures to help mitigate risks within companies.

Answer 2

Managerial Controls

Ex: Annual Risk Assessment,
Pentesting/vulnerability scanning.

Question 3

Policies and procedures executed by personnel on a day-to-day basis.

Answer 3

Operational Controls

Ex: Annual Security Awareness Training, Change management, Business Continuity Plan

Question 4

Policies and procedures implemented by the IT Team to reduce the risk of breaches to cyber security

Answer 4

Technical Controls

Ex: Firewall Rules, Antivrus, Screen savers, Screen filters, IPS/IDS

Question 5

CCTV (Camera that captures crimes) and motion sensors

Answer 5

Deterrent Controls

Question 6

Used when investigating an incident that has happened.

Answer 6

Detective Controls

Question 7

Text files that record events that take place on devices like servers, desktops, and firewalls with details of what happened. Timestamps provide the time of attack. WORM helps to avoid tampering.

Answer 7

Log Files

Question 8

The actions taken to correct and help guard against future attacks of the same nature.

Answer 8

Corrective Controls

Question 9

Used when Primary controls are not available

Answer 9

Compensating Controls (Alternative or Secondary Controls)

Question 10

Used to prevent any potential problems from occurring in the first place like a former employee getting onto a company server and tampering with data.

Answer 10

Preventative Controls

Question 11

Consists of three main parts:

Identification, Authentication, and Authorization.

Answer 11

Access Controls

Question 12

Examples include a smart card, Security Identifier, fingerprint reader

Answer 12

Identification

Question 13

Used to verify access. Examples include a PIN, or password.

Answer 13

Authentication

Question 14

This is the least amount of privilege given in order to have access to data needed to perform your job.

Answer 14

Authorization

Question 15

Involves New Technology File System(NTFS) file permissions that give the bare minimum amount of privilege needed to perform your job.

Answer 15

Discretionary Access Control

Full Control
Modify
Read and Execute
List Folder Contents
Read
Write

Question 16

Access based on the label/level of the data.

Ex: Top Secret, Secret, Classified

Answer 16

Mandatory Access Control(MAC)

Question 17

A rule that only applies to the people in that department and no one else can have access to that data because the rule doesn’t apply to them.

Answer 17

Rule-Based Access Control (RBAC)

Question 18

Access is restricted based on an attribute in the account.

Answer 18

Attribute-Based Access Control

Question 19

Individuals may be put into groups that have certain privileges so that simplifies access.

Answer 19

Group-Based Access Control

Question 20

1. Collection
2. Examination
3. Analysis
4. Reporting

Answer 20

Forensic Cycle

Question 21

The data is looked at, then pulled from the media that it is on, and changed to a format that it can then be examined by forensic tools.

Answer 21

Collection

Question 22

Prior to being examined by a forensics tool, The data is hashed to ensure integrity so that once the investigation is over with, the data will have the same hash. This helps with it being used as evidence in court cases.

Answer 22

Examination

Question 23

data that is analyzed and formatted so that it can be used as evidence.

Answer 23

Analysis

Question 24

The evidence from the investigation is then used for a conviction.

Answer 24

Reporting

Question 25

All evidence is admissible only if it pertains to the case and does not violate any laws or statutes.

Answer 25

Admissibility

Question 26

Decisions have to be made to decide what evidence is the most perishable and needs to be secured first. We don't stop the attack until we have secured the evidence and can identify the attack.

Answer 26

Order of Volatility

Question 27

Companies may be subpoenaed so that evidence can be collected, reviewed, and interpret files on hardware devices or other forms of storage.

Answer 27

E-Discovery

Question 28

Ensures that the evidence collected has not been tampered with or break the chain.

Answer 28

Chain of Custody

Question 29

Evidence presented to the court that has not been tampered with.

Answer 29

Provenance

Question 30

The process of protecting data that can be used as evidence.

Answer 30

Legal Hold

Question 31

Evidence that has a time offset associated with it so that a time sequence can be made in a case that is multinational.

Answer 31

Time Offset

Question 32

Evidence that is collected from multiple time zones will also be collected in a common time zone to establish time normalization.

Answer 32

Time Normalization

Question 33

A copy of the evidence is made so that it can be tampered with while the original data is intact and not tampered.

Answer 33

Forensics Copy

Question 34

System images are taken from laptops and desktops so that the original is left not tampered with and these copied images can be analyzed for criminal activity.

Answer 34

Capturing System Images

Question 35

Attackers can reverse engineer this code, so it is important that we compare the evidence to the current source code to see if it was tampered with.

Answer 35

Firmware

Question 36

If the evidence is from a machine, then a snapshot is taken for the investigation.

Answer 36

Snapshots

Question 37

Mobile devices can geotag the evidence of breached applications or viruses.

Answer 37

Screenshots

Question 38

System images and forensic copies are hashed at the beginning to compare to the end result hash to ensure integrity.

Answer 38

Hashing Forensic Evidence

Question 39

Mostly involving a web-based or remote attack, we want to first capture the volatile network traffic before we stop the attack. By doing this, we can get a great idea of where the attack originated from. Logs also will help with time, what exactly was changed and give an overall grasp on the nature of the attack.

Answer 39

Network Traffic and Logs