
CFSS SOC Analyst Project

THEORY

1. What is the purpose of a firewall in cybersecurity?

A firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies. At its most basic, a firewall is the barrier that sits between a private internal network and the public Internet.

The purpose of a firewall in cybersecurity is to create a barrier between an internal network and external sources of potential threat, such as the internet. A firewall monitors and controls incoming and outgoing network traffic based on predetermined security rules.

A firewall helps network users protect computers and data by:
• Blocking unauthorized and unwanted incoming network traffic
• Admitting incoming traffic only after checking that it carries nothing malicious, such as attacker activity or malware, that could harm the system
• Securing computers from malicious software
• Protecting vulnerable systems and private data in the network from unauthorized access, whether by external attackers or by insiders
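
As an added illustration (not part of the original answer), the following Python sketch shows how a packet filter applies "predetermined security rules": rules are tried in order, the first match decides, and anything that matches no rule is dropped. The network ranges, rules and sample packets are constructed for the example.

```python
"""Minimal stateless packet filter: ordered rules, first match wins, default deny.
Added illustration; every network range, rule and packet below is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (Internet -> LAN) or "out" (LAN -> Internet)
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    direction: str          # "in", "out" or "any"
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None matches any destination port
    proto: str = "any"

    def matches(self, pkt: Packet) -> bool:
        if self.direction not in ("any", pkt.direction):
            return False
        if self.proto not in ("any", pkt.proto):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net))

# Constructed policy for a small site with one public web server.
LAN = "10.0.0.0/24"
WEB_SERVER = "10.0.0.80/32"
POLICY = [
    # Anti-spoofing: traffic arriving from the Internet must not claim a LAN source.
    Rule("deny", "in", src_net=LAN),
    # Only HTTPS to the web server is reachable from outside.
    Rule("allow", "in", dst_net=WEB_SERVER, dport=443, proto="tcp"),
    # Egress: LAN hosts may use HTTPS and DNS; anything else hits the default deny.
    Rule("allow", "out", src_net=LAN, dport=443, proto="tcp"),
    Rule("allow", "out", src_net=LAN, dport=53, proto="udp"),
]

def decide(pkt: Packet, policy=POLICY) -> str:
    """Return 'allow' or 'deny'; traffic matching no rule is denied."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action
    return "deny"

if __name__ == "__main__":
    samples = [
        Packet("in", "203.0.113.5", "10.0.0.80", 443),         # allow: published HTTPS
        Packet("in", "203.0.113.5", "10.0.0.80", 22),          # deny: SSH not published
        Packet("in", "10.0.0.9", "10.0.0.80", 443),            # deny: spoofed LAN source
        Packet("out", "10.0.0.23", "198.51.100.7", 25),        # deny: egress SMTP not allowed
        Packet("out", "10.0.0.23", "198.51.100.7", 53, "udp"), # allow: DNS
    ]
    for p in samples:
        print(f"{p.direction:3} {p.src:>13} -> {p.dst}:{p.dport}/{p.proto}  {decide(p)}")
```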

2. Is social media secure?

Be cautious on social networking sites. Even links that look like they come from friends can sometimes contain harmful software or be part of a phishing attack. If you are at all suspicious, don't click it. Contact your friend to verify the validity of the link first.
3. How do you report risks?

Here are some tips for reporting risks:
• Identify activities with risks
• Determine the negative implications
• Evaluate risks and plan precautions
• Document your findings in a report
• Review your report and update it when necessary

Here are some tips for writing a risk report:
• Try to relate each risk to a business objective
• Write an analysis to give more detail about each risk
• Include relevant data, audit reports, and cost projections
• Provide action steps for how to mitigate each risk

You can report risks to a manager or supervisor by:
• Completing a hazard/incident report form
• Raising it at a staff meeting
• Keeping a register of all issues and incidents
• Appointing someone to action hazard and incident reports

Risks are anything that prevents an organization from achieving its objectives.

4. What is an incident and how do you manage it?

An incident is a sudden or unexpected disruption in a service, for example a broken printer or a PC that doesn't boot properly. Incident management is the process of identifying, analyzing, and resolving any organizational mishaps or hazards to prevent them from happening again. The aim of incident management is to fix and clear these issues before they become large-scale, company-wide crises.

Incident management teams are responsible for:
• Immediately responding to issues
• Finding solutions
• Communicating the progress in rectifying issues to internal teams and customers

Incident management workflows can split into multiple paths depending on the nature of the event. For example, most major incidents can be considered to have four stages:
1. The initial response
2. The consolidation phase
3. The recovery phase
4. The restoration of normality

5. In a situation where both open source software and licensed software are available to get the job done, what should be preferred and why?

There is no right or wrong answer to the question of which is better, open source or licensed software. Both have distinct benefits and disadvantages.

Open source software has several advantages, including:
• Community collaboration: Open source software invites a global community of developers, designers, and users to collaborate on your project.
• Flexibility: Open source software can be just as well supported as proprietary software.
• Cost-effectiveness: Open source solutions are typically much less expensive in an enterprise environment for equivalent or superior capability.

However, open source software also has some disadvantages, including support, orphaned software, security, and usability.

Licensed software has some advantages, including:
• Higher long-term investment: When you sign up for subscription-based software, your initial costs may be low, but you will most likely end up spending more in the long run.

However, licensed software also has some disadvantages, including support, orphaned software, security, usability, and higher long-term investment.

6. What are the different levels of data classification and why are they required?

Data classification is the process of categorizing data based on its sensitivity, value, and the level of protection required. The primary goal of data classification is to ensure that sensitive information is handled appropriately and that appropriate security measures are applied to protect it. The levels of data classification can vary depending on the organization, but generally they include:

Unclassified: Information that does not require any special protection measures. Generally, this type of data is considered public and can be freely shared.

Internal Use Only or Restricted: Information that is meant for internal use within the organization. While not classified as highly sensitive, it requires some level of protection to prevent unauthorized access.

Confidential: Sensitive information that should be protected from unauthorized access. Access to this data is restricted to individuals with a legitimate need for it.

Secret: Highly sensitive information that requires a higher level of protection. Unauthorized access could have serious consequences for the organization.

Top Secret: The highest level of data classification. Extremely sensitive information that, if compromised, could have severe consequences for national security or the organization.

The reasons for having different levels of data classification include:

Risk Management: Different types of information pose different levels of risk to an organization. By classifying data, organizations can prioritize their security efforts based on the sensitivity and potential impact of the data.

Access Control: Classifying data helps in implementing access controls. Not everyone within an organization needs access to all types of information. Data classification allows organizations to restrict access to sensitive information to only those individuals who require it for their job responsibilities.

Compliance: Many industries and jurisdictions have specific regulations regarding the protection of sensitive information. Data classification helps organizations comply with these regulations by ensuring that appropriate security measures are in place for different types of data.

Incident Response: In the event of a security incident, data classification helps organizations prioritize their response efforts. They can quickly identify and address breaches that involve highly sensitive information.

Resource Allocation: Different levels of data classification require different levels of resources for protection. By classifying data, organizations can allocate their resources more effectively, focusing on the most critical information.

Overall, data classification is a crucial aspect of an organization's information security strategy, helping to manage and protect sensitive information in a structured and effective manner.
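
To show how the Access Control and Incident Response reasons above turn into concrete checks, here is an added Python example (not from the original document). The five level names are the page's own; the analyst, the "finance"/"hr" compartments used to model need to know, and the ticket ids are constructed.

```python
"""Access decisions and incident triage driven by the classification levels above.
Added illustration; the analyst, compartments and ticket ids are constructed."""
from typing import Dict, List, Optional, Set, Tuple

# Least to most sensitive; the list index is the level's rank.
LEVELS = ["Unclassified", "Internal Use Only", "Confidential", "Secret", "Top Secret"]
RANK: Dict[str, int] = {name: i for i, name in enumerate(LEVELS)}

def can_read(clearance: str, compartments: Set[str],
             label: str, data_compartment: Optional[str] = None) -> bool:
    """A reader may see data labelled at or below their clearance (no read up) and,
    when the data belongs to a compartment, only if they hold that compartment
    (need to know). Unknown level names are rejected rather than guessed."""
    if clearance not in RANK or label not in RANK:
        raise ValueError(f"unknown classification level: {clearance!r}/{label!r}")
    if RANK[clearance] < RANK[label]:
        return False
    return data_compartment is None or data_compartment in compartments

def triage_order(incidents: List[Tuple[str, str]]) -> List[str]:
    """Order open incidents so those touching the most sensitive data come first.
    Each incident is (ticket_id, highest label of the data involved); incidents
    at the same level keep their original order because sorted() is stable."""
    return [ticket for ticket, _label in
            sorted(incidents, key=lambda i: RANK[i[1]], reverse=True)]

if __name__ == "__main__":
    # Constructed analyst: cleared to Confidential, need to know for finance data only.
    clearance, comps = "Confidential", {"finance"}
    requests = [
        ("Internal Use Only", None),   # True: below clearance, no compartment
        ("Confidential", "finance"),   # True: at clearance, compartment held
        ("Confidential", "hr"),        # False: no need to know
        ("Secret", "finance"),         # False: no read up
    ]
    for label, comp in requests:
        print(f"{label:18} {comp or '-':8} -> {can_read(clearance, comps, label, comp)}")

    open_incidents = [("INC-101", "Internal Use Only"), ("INC-102", "Secret"),
                      ("INC-103", "Confidential"), ("INC-104", "Secret")]
    print(triage_order(open_incidents))  # ['INC-102', 'INC-104', 'INC-103', 'INC-101']
```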

7. Various response codes from a web application?

HTTP (Hypertext Transfer Protocol) status codes are three-digit numbers that indicate the outcome of a client's request to a server. They are standard response codes that provide information about the status of the request. Here is an overview of some of the common HTTP status codes:

1xx Informational:
• 100 Continue: The server has received the request headers and the client should proceed to send the request body.
• 101 Switching Protocols: The server is switching protocols as specified in the Upgrade header sent by the client.

2xx Success:
• 200 OK: The request was successful.
• 201 Created: The request was successful, and a new resource was created.
• 204 No Content: The server successfully processed the request but there is no content to send.

3xx Redirection:
• 301 Moved Permanently: The requested resource has been permanently moved to a new location.
• 302 Found: The requested resource has been temporarily moved to a different location.
• 304 Not Modified: The client's cached copy is up to date, and the requested resource has not been modified since the last request.

4xx Client Error:
• 400 Bad Request: The server could not understand the request due to malformed syntax or invalid request message framing.
• 401 Unauthorized: The request requires user authentication.
• 403 Forbidden: The server understood the request, but it refuses to authorize it.
• 404 Not Found: The server did not find the requested resource.

5xx Server Error:
• 500 Internal Server Error: A generic error message indicating that the server encountered an unexpected condition.
• 502 Bad Gateway: The server, while acting as a gateway or proxy, received an invalid response from the upstream server.
• 503 Service Unavailable: The server is not ready to handle the request. Common causes include a server that is down for maintenance or is overloaded.

These are just some of the HTTP status codes, and there are more defined in the HTTP specification. Status codes are important for understanding the outcome of a request and are often used in troubleshooting and debugging web applications.
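
An added Python example (not from the original document) that applies the status classes above to web-server access logs the way a SOC analyst would when triaging: it counts responses per class and flags clients that produce many 4xx responses, since repeated 401/403/404 from one source is a common sign of password guessing or path enumeration. The log lines are constructed samples in the common "combined" log format.

```python
"""Summarize HTTP status codes from access logs, per class and per client.
Added illustration; SAMPLE_LOG is constructed, not taken from a real server."""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List

# Constructed sample lines in Apache/Nginx "combined" log format.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2024:10:00:02 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2024:10:00:03 +0000] "POST /login HTTP/1.1" 401 312 "-" "curl/8.4"
198.51.100.7 - - [12/May/2024:10:00:03 +0000] "POST /login HTTP/1.1" 401 312 "-" "curl/8.4"
198.51.100.7 - - [12/May/2024:10:00:04 +0000] "POST /login HTTP/1.1" 401 312 "-" "curl/8.4"
198.51.100.7 - - [12/May/2024:10:00:04 +0000] "GET /admin HTTP/1.1" 403 198 "-" "curl/8.4"
198.51.100.7 - - [12/May/2024:10:00:05 +0000] "GET /backup.zip HTTP/1.1" 404 153 "-" "curl/8.4"
203.0.113.10 - - [12/May/2024:10:00:06 +0000] "GET /old-page HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2024:10:00:07 +0000] "GET /api/report HTTP/1.1" 500 87 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# The first digit of the code is its class, as in the answer above.
CLASS_NAMES = {1: "Informational", 2: "Success", 3: "Redirection",
               4: "Client Error", 5: "Server Error"}

def parse(lines: Iterable[str]) -> List[dict]:
    """Return one dict per parseable line, with the status code as an int.
    Lines that do not match the format are skipped rather than guessed at."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            records.append(rec)
    return records

def class_summary(records: List[dict]) -> Dict[str, int]:
    """Count responses by status class (Success, Client Error, ...)."""
    return dict(Counter(CLASS_NAMES.get(r["status"] // 100, "Unknown") for r in records))

def suspicious_clients(records: List[dict], threshold: int = 3) -> Dict[str, Counter]:
    """Clients with at least `threshold` 4xx responses, with a per-code breakdown."""
    per_ip: Dict[str, Counter] = defaultdict(Counter)
    for r in records:
        if 400 <= r["status"] < 500:
            per_ip[r["ip"]][r["status"]] += 1
    return {ip: codes for ip, codes in per_ip.items() if sum(codes.values()) >= threshold}

if __name__ == "__main__":
    recs = parse(SAMPLE_LOG.splitlines())
    print(class_summary(recs))
    for ip, codes in suspicious_clients(recs).items():
        print(ip, dict(codes))
```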

8. What are the objects that should be included in a good penetration testing report?

A comprehensive penetration testing report is crucial for effectively communicating the findings, vulnerabilities, and recommendations to stakeholders. The exact components may vary depending on the scope and nature of the penetration test, but a good penetration testing report typically includes the following key objects:

Executive Summary: A high-level overview of the penetration test results, targeted at non-technical stakeholders. Summarizes the main findings, risks, and potential impact on the organization.

Introduction: Provides background information on the scope, objectives, and methodology of the penetration test. Clearly defines the rules of engagement and any limitations.

Scope and Approach: Details the specific systems, networks, and applications tested. Describes the testing methodologies and techniques used during the assessment.

Methodology: Provides a detailed account of the tools, techniques, and procedures used during the penetration test. May include information on the testing phases, such as reconnaissance, scanning, exploitation, and post-exploitation.

Findings: A comprehensive section that details all identified vulnerabilities and weaknesses. Classifies vulnerabilities by severity and provides a clear description of each, including proof of concept where applicable.

Risk Assessment: Analyzes the potential impact of the identified vulnerabilities on the organization. Provides a risk rating or severity level for each finding. Offers recommendations for risk mitigation.

Recommendations: Provides actionable recommendations for addressing and mitigating identified vulnerabilities. Prioritizes recommendations based on the severity and potential impact.

Technical Details: Includes in-depth technical information for each identified vulnerability. May include details on the exploit code, configuration settings, and steps to reproduce the vulnerability.

Screenshots and Evidence: Includes visual evidence, such as screenshots or logs, to support the identified vulnerabilities. Helps in providing a clear understanding of the issues to both technical and non-technical stakeholders.

Conclusion: Summarizes the overall findings and key takeaways from the penetration test. May reiterate the importance of addressing specific vulnerabilities.

Appendix: Additional technical details, supporting documentation, or supplementary information. May include raw output from scanning tools, network diagrams, or other relevant data.

Contact Information: Provides contact details for the penetration testing team in case there are questions or clarifications needed.

A well-structured and clear penetration testing report is essential for ensuring that the findings are understood by both technical and non-technical audiences and that the organization can take appropriate actions to improve its security posture.

9. How do you keep yourself updated with the information security news?

Staying updated on information security news is crucial for anyone working in the field. Here are several strategies you can use to keep yourself informed:

Follow Industry Blogs and Websites: Regularly read reputable security blogs and websites. Examples include Krebs on Security, The Hacker News, Threatpost, and security-focused sections of major news outlets.

Subscribe to Newsletters: Subscribe to newsletters from security organizations and experts. These newsletters often provide curated content, summaries of recent incidents, and insights into emerging threats.

Social Media: Follow security professionals, organizations, and news outlets on social media platforms like Twitter and LinkedIn. Many security experts share valuable insights and news updates through these channels.

Join Online Communities: Participate in online forums and communities dedicated to information security. Platforms like Reddit (e.g., r/netsec), Stack Exchange, and specialized security forums can be excellent sources of information and discussions.

Attend Conferences and Webinars: Attend security conferences and webinars, either in person or virtually. Events like DEF CON, Black Hat, and RSA Conference often feature presentations on the latest threats, vulnerabilities, and research.

Read Security Research Papers: Keep an eye on academic and industry research papers. Many security professionals and organizations publish their research findings, which can provide in-depth insights into new attack techniques and defensive strategies.

Podcasts: Listen to security-related podcasts. Podcasts are a convenient way to stay informed while commuting or doing other tasks. Examples include Security Now, Risky Business, and Darknet Diaries.

Online Courses and Training: Enroll in online courses and training programs related to information security. Platforms like Coursera, edX, and SANS offer courses covering a wide range of security topics.

Security Certifications: Pursue relevant security certifications. Many certifications require ongoing education and can keep you updated on the latest developments in the field.

RSS Feeds: Use RSS feeds to aggregate content from multiple security sources. This allows you to create a personalized news feed and receive updates in real time.

Threat Intelligence Feeds: Subscribe to threat intelligence feeds that provide information on the latest threats, vulnerabilities, and indicators of compromise. Many security companies and organizations offer such feeds.

Collaborate with Peers: Engage with your professional network and peers. Discussing security issues with colleagues and attending local or virtual meetups can provide valuable insights.

Remember that the information security landscape is dynamic, so staying informed requires continuous effort. By leveraging a combination of these strategies, you can stay up to date with the latest developments in information security.

10. The world has recently been hit by ……. attack/virus etc. What have you done to protect your organization as a security professional?

I don't have an organization, and I don't experience events or take actions in the real world. However, I can provide general advice on what security professionals might consider in response to a significant cyber attack or virus outbreak:

Assessment and Analysis: Quickly assess the nature and impact of the attack. Understand how it might affect your organization's systems, data, and operations.

Incident Response Plan: Activate your organization's incident response plan. Ensure that key stakeholders are informed, and roles and responsibilities are clear.

Communication: Establish clear communication channels internally and externally. Keep employees, customers, and relevant authorities informed about the situation, what is being done to address it, and any necessary precautions.

Isolation and Containment: Isolate affected systems to prevent the spread of the attack. Contain the incident to limit its impact on other parts of the organization.

Forensic Analysis: Conduct a forensic analysis to understand the attack's origin, method, and potential entry points. This information can help strengthen defenses against similar future attacks.

Patch and Update Systems: Ensure that all systems are patched and up to date. Apply security updates promptly to address vulnerabilities that might have been exploited.

Enhance Security Measures: Review and enhance security measures. This might include updating antivirus definitions, strengthening access controls, and implementing additional security layers.

User Awareness Training: Conduct or reinforce cybersecurity awareness training for employees. Remind them of best practices, such as avoiding suspicious emails and being cautious with external links.

Backup and Recovery: Validate and, if necessary, improve backup and recovery processes. Having recent, clean backups is essential for restoring systems after an attack.

Collaborate with Security Partners: Engage with relevant security partners, such as law enforcement agencies, cybersecurity firms, and industry-specific information-sharing organizations.

Regulatory Compliance: Ensure compliance with data protection and privacy regulations. Some incidents may require reporting to regulatory authorities and affected individuals.

Continuous Monitoring: Implement or enhance continuous monitoring to quickly detect and respond to any signs of further malicious activity.

Learn and Adapt: After the incident is resolved, conduct a thorough post-incident review. Identify lessons learned and areas for improvement in security policies, procedures, and technologies.

It's important to note that the specific actions taken would depend on the nature of the attack, the organization's existing security posture, and the industry in which it operates. Preparedness, a well-defined incident response plan, and continuous improvement are critical aspects of an effective response to a cyber incident.

11. HIDS vs NIDS: which one is better and why?

Host-based Intrusion Detection Systems (HIDS) and Network-based Intrusion Detection Systems (NIDS) serve different purposes within a cybersecurity strategy, and the choice between them depends on the specific needs and objectives of the organization. Here's a comparison:

HIDS (Host-based Intrusion Detection System):

Definition: HIDS is a security solution that monitors and analyzes the internals of a computing system (e.g., individual servers, workstations).

Key Characteristics:
• Focus: Primarily focuses on the security of a specific host or endpoint.
• Deployment: Installed on individual devices, such as servers or workstations.
• Data Sources: Monitors events and activities on the host, including log files, system calls, and file integrity.
• Granular Visibility: Provides detailed insights into activities on a specific host, making it easier to detect unusual behavior or anomalies.
• Host-specific Context: Understands the unique environment of each host, allowing for more accurate threat detection.
• Ideal for Endpoint Security: Well-suited for protecting individual devices and endpoints.

Considerations:
• Resource Intensive: Can be resource-intensive on individual hosts, affecting system performance.
• Limited to Monitored Hosts: Does not provide a holistic view of the network; the focus is on the monitored host.

NIDS (Network-based Intrusion Detection System):

Definition: NIDS is a security solution that monitors and analyzes network traffic for suspicious activity or potential security threats.

Key Characteristics:
• Focus: Primarily focuses on the security of the entire network.
• Deployment: Positioned strategically at key points within the network to monitor traffic.
• Data Sources: Analyzes packets and traffic patterns to identify potential threats.

Advantages:
• Network-wide Visibility: Provides a holistic view of network activity, helping to detect threats that span multiple hosts.
• Centralized Monitoring: Allows for centralized monitoring and analysis of network traffic.
• Ideal for Detecting Network-level Threats: Well-suited for detecting attacks that occur at the network level, such as scanning, port probing, or network-based attacks.

Considerations:
• May Miss Host-specific Anomalies: Some threats, especially those that occur entirely within a host, may not be detected by NIDS.
• Increased False Positives: Because NIDS monitors network traffic, it may generate false positives based on network patterns that do not necessarily indicate an attack on a specific host.

Choosing Between HIDS and NIDS:
• Hybrid Approach: In many organizations, a combination of HIDS and NIDS is used for a comprehensive security strategy. This allows for both host-specific and network-wide threat detection.
• Use Case Specific: The choice between HIDS and NIDS depends on the organization's specific security needs, infrastructure, and the types of threats they are most concerned about.

Ultimately, the effectiveness of either system depends on the organization's overall security strategy and the ability to integrate and correlate information from various sources for a more comprehensive threat detection and response capability.
