Table of Contents:
1. What is RISK and how does it differ from a Vulnerability or a Threat?
Answer: RISK is the “potential” loss, impact, or measure that exists when an identified vulnerability or threat is not mitigated. Risk is usually evaluated together with a Vulnerability or Threat and is used to determine what impact either one poses. Think of RISK as what could happen, along with the impact and cost, if nothing is done to mitigate the Vulnerability or Threat. Often the value is expressed with the formula RISK = VULNERABILITY x THREAT.
2. What is a VULNERABILITY?
Answer: A Vulnerability is a weakness in a system, or the absence of a safeguard, that allows the weakness to be exploited. It can be thought of as an oversight that leaves the weakness open to abuse. An example would be a secured system where a user has a weak password or no password set.
3. What is a THREAT?
Answer: A threat is any potential event that could cause an undesired outcome. For example, a zero-day exploit that targets a service running a specific version allowing unauthorized access to a system. Another example is an untrained user having excessive privileges who may intentionally or unintentionally cause an action which exposes a system and/or its data to compromise.
4. What does IDS stand for and how would you explain it?
Answer: IDS stands for “Intrusion Detection System” and it is a system that detects an intrusion by inspecting network traffic and comparing the contents to a signature, behavior, or rule. IDS systems can exist on the Network or Hosts. These are known as Network-based IDS or Host-based IDS. IDS systems only IDENTIFY intrusions, they do not take any actions.
5. What does IPS stand for and how would you explain it?
Answer: IPS stands for “Intrusion Prevention System” and it is similar to an IDS in that it detects intrusions; however, an IPS can be configured to block, deny, or redirect traffic. These systems take an action in addition to identifying intrusions.
6. What is Encryption?
Answer: Encryption is used to maintain “Confidentiality” by applying an algorithm to encode data into an unreadable format. An Encryption algorithm is applied to the data to protect it, and a Decryption algorithm returns the data to its original format. Common types of Encryption are Asymmetric, Symmetric, and Hybrid. Asymmetric uses multiple keys, Symmetric uses a single key, and Hybrid Encryption is a combination of both Asymmetric and Symmetric Encryption.
7. What are some Encryption algorithms used today?
Answer: Asymmetric Algorithms: ECC, DSA, RSA – 768, 1028, 2048, etc…
Symmetric Algorithms: AES, 3DES, Blowfish, and Twofish
8. What is Hashing?
Answer: Hashing uses a one-way algorithm to compute a value and is used to validate “Integrity”. Hashing provides a mechanism for checking whether the integrity of the data has been compromised. Some common Hashing algorithms are MD5, SHA–1, SHA–2, Whirlpool, and others.
10. What is XSS?
11. Black Hat, Grey Hat, and White Hat hackers- What are they?
Answer: Black hat hackers are unauthorized or malicious hackers. White hat hackers are authorized hackers where the target is aware of their activities. Grey hat hackers are hackers who may not have authorization but do not intend to cause harm; rather, they often identify and report weaknesses.
12. What is a firewall?
Answer: A firewall is an appliance or software used to control, inspect, and protect networks and web applications. There are different types of firewalls with different capabilities, such as packet-filtering firewalls, circuit-level gateways, application-level gateways or proxies, stateful inspection firewalls, and next-generation firewalls.
13. Give the names of the different types of firewall and describe them.
- Packet-filtering firewalls- Network based rules to allow or deny network traffic.
- Circuit-level gateways – Firewalls that only inspect the remote and local sessions to allow or deny sessions.
- Application-level gateway or proxy – Single entry and exit point for a network which filters traffic along with the service and content.
- Stateful Inspection firewalls – Inspect whether network sessions have been established, along with the packets and in some cases the application payload data.
- Next-Generation Firewall (NGFW) – Firewalls that operate at multiple layers and provide firewall functionality with options for Malware, VPNs, IDS, IPS and other functions.
14. What are TCP and UDP?
Answer: TCP is Transmission Control Protocol and it guarantees delivery by tracking segments. UDP is User Datagram Protocol; it is a connectionless protocol that is faster and more efficient but does not guarantee delivery. TCP is used where delivery confirmation is needed and is slower, whereas UDP is best effort and is used for faster communication.
15. What is a SIEM?
Answer: A SIEM is a Security Incident and Event Management system and is used to consolidate network traffic detection information from multiple sources into a single configurable view. This enables data to be aggregated, consolidated, and analyzed using data correlation, analytics, and other techniques to identify threats, which allows SOC Analysts to identify and mitigate threats efficiently.
16. What are some common SIEMs?
Answer: Splunk Enterprise Security, IBM QRadar, ManageEngine, McAfee Enterprise Security Manager (ESM), LogRhythm, Elastic Stack, and Wazuh (Open-Source)
17. What is a zero-day?
Answer: A Zero-Day is a type of Vulnerability for which no patch or known mitigation exists because vendors are not yet aware of it. The term “zero” refers to the fact that there was no warning before the vulnerability was exploited, which is why the Threat a zero-day poses is so significant. These can be severe and require immediate mitigation.
18. What is Network Scanning?
Answer: Network Scanning is the process of issuing a scan to identify network hosts along with information about them. There are many different types of scans, such as network, port, vulnerability, and enumeration scans. Each scan differs in its level of intrusiveness and in the information it returns.
20. How are these codes useful for a SOC Analyst?
Answer: The HTTP codes can provide an Analyst with information as to whether an attack received a Success, Failure, or other response. When reviewing an incident involving a web server (HTTP), they help show how the server responded to a malicious request using a method such as GET, POST, PUT, HEAD, DELETE, PATCH, or OPTIONS.
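As an added example (not part of the original Q&A), the following Python script shows how an analyst can turn that idea into a quick triage step: parse web server access-log lines, classify the HTTP status code of each response, and list the requests where an unusual method (PUT, DELETE, PATCH, OPTIONS) was actually accepted by the server. The log lines are constructed for the example and the watch list of methods is an assumption, not a standard.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/Nginx "common log" layout (not from a real server).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [10/Mar/2024:12:00:02 +0000] "OPTIONS / HTTP/1.1" 200 0
10.0.0.5 - - [10/Mar/2024:12:00:03 +0000] "PUT /uploads/notes.txt HTTP/1.1" 201 0
10.0.0.5 - - [10/Mar/2024:12:00:04 +0000] "DELETE /uploads/old.txt HTTP/1.1" 405 0
10.0.0.9 - - [10/Mar/2024:12:00:05 +0000] "POST /login HTTP/1.1" 401 120
10.0.0.9 - - [10/Mar/2024:12:00:06 +0000] "GET /admin HTTP/1.1" 403 80
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Return a dict with ip, ts, method, path, status (int) or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def status_class(code):
    """Map an HTTP status code to the response class an analyst cares about."""
    return {2: "success", 3: "redirect", 4: "client_error", 5: "server_error"}.get(code // 100, "other")


def summarize(log_text):
    """Per source IP and request method, count how the server responded (by status class)."""
    summary = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            summary[rec["ip"]][rec["method"]][status_class(rec["status"])] += 1
    return summary


def accepted_unusual_methods(log_text, watch=("PUT", "DELETE", "PATCH", "OPTIONS")):
    """Return (ip, method, path, status) for watched methods the server answered with 2xx.

    A 2xx to PUT/DELETE means the server acted on the request; a 405 or 403 means it was refused.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] in watch and status_class(rec["status"]) == "success":
            hits.append((rec["ip"], rec["method"], rec["path"], rec["status"]))
    return hits


if __name__ == "__main__":
    for ip, methods in summarize(SAMPLE_LOG).items():
        print(ip, {m: dict(c) for m, c in methods.items()})
    print("accepted unusual methods:", accepted_unusual_methods(SAMPLE_LOG))
```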
21. What are they and what are the differences?
Answer: DoS is Denial of Service and it is the term used for an attack where the attacker sends traffic to overwhelm or consume a process, causing the service to be unavailable. DDoS is Distributed Denial of Service; the attack is similar to a DoS attack but involves more than one attacker source. These attacks can range from basic to highly sophisticated.
22. Describe a basic Web Architecture.
Answer: A Web Architecture can be comprised of a variety of components which can be on a single server or divided among several. A basic example is a front-end web server, a web application server, and a back-end database server. In addition, these can be hosted in a company’s server environment or in a cloud-based hosted environment. The servers can be hardware, virtual, or serverless, where only the application is hosted.
23. False-Positive and False-Negative - What are they and what are the differences?
Answer: The terms are related to event alerts. A False-Positive is an event for which an alert was triggered but the malicious activity did not occur. A False-Negative is when a malicious event does NOT trigger an alert and is allowed through as if it were legitimate.
24. What are RED and BLUE Teams?
Answer: RED Teams represent the offensive side and act as a way of testing defenses. BLUE Teams represent the defensive side and provide detection and prevention.
25. Name some of the common TCP ports an Analyst should know.
80 – HTTP: Web Server (unsecure)
443 – HTTPS: Web Server (TLS – Encrypted)
25 – SMTP
21 – FTP (Unsecure)
22 – SSH
23 – Telnet (Unsecure)
53 – DNS
135 – MSRPC (Microsoft)
139 – NetBIOS–SSN
143 – IMAP
993 – IMAPS (Secure)
445 – MS–DS (Microsoft Directory Services)
3306 – SQL
3389 – MS RPC
5900 – VNC
8080 – HTTP–Proxy
27. What is a Chain of Custody and why is it important?
Answer: A Chain of Custody is a document which records the details of who collected evidence, when, what was collected, and why. The Chain of Custody tracks those details at all times and provides an accurate history of evidence handling. The Chain of Custody can also be used in legal proceedings, which require detailed and accurate information. It is important to maintain detail and accuracy, as any missing detail can invalidate evidence in a legal matter.
28. What is the CIA Triad?
Answer: The CIA Triad represents Confidentiality, Integrity, and Availability. They represent the core areas of information security.
29. What is a VLAN?
Answer: VLAN stands for Virtual Local Area Network. It is a localized network of computers in a broadcast domain. Without a router, computers may only communicate with other computers in the same VLAN. The VLAN is a logical separation of ports on a switch.
30. What is a router? How is it different than a switch?
Answer: A router is a Layer 3 (Network layer) device which routes logical addresses such as IP Addresses. A router handles packets and allows different networks to communicate. A router is needed for computers to communicate between different VLANs and Networks.