SOC Cybersecurity Analyst Build Book
Nov 2022
Contents
1. Security Overview ... 4
2. About the Program ... 6
   2.1 Lab Design ... 6
   2.2 Hardware requirements for host ... 6
3. Virtualization ... 7
   3.1 Oracle’s VM Virtual Box ... 9
   3.2 Installing Oracle VM VirtualBox ... 10
4. Installing Windows 2016 Server on VirtualBox ... 13
   4.1 Download ISO Windows 2016 ... 13
   4.2 Download ISO Windows 10 Pro ... 14
   4.3 Windows 2016 Server Installation ... 21
5. Installing Windows Client (Windows 10 Pro) ... 29
   5.1 Virtual machine configuration ... 29
   5.2 Windows 10 Pro Installation ... 31
6. Active Directory (AD) ... 37
   6.1 Why do we need AD? ... 37
   6.2 Active Directory setup ... 39
   6.3 Creating a new user in Active Directory ... 42
7. Event Viewer ... 47
8. Security Information & Event Management (SIEM) ... 53
   8.1 SIM vs SEM vs SIEM ... 53
   8.2 Setting up Sumo Logic ... 55
   8.3 Downloading and Installing Sumo Logic Collector ... 57
   8.4 Collect Windows Logs ... 59
   8.5 Searching Event Logs ... 61
   8.6 Parse the Event Code ... 62
   8.7 Creating Alert for Windows Event ... 63
9. Firewalls ... 65
   9.1 What is a firewall? ... 65
       Advantages of Firewall ... 65
       Disadvantages of Firewall ... 65
   9.2 Installing pfSense on VirtualBox ... 66
   9.3 Installing Snort Package ... 81
10. Endpoint Security ... 85
   Why Is Endpoint Security Important? ... 86
   10.1 SOPHOS installation ... 87
11. Incident Response ... 95
12. Importance of Vulnerability scan ... 100
   Vulnerability Examples ... 100
       1. Hardware ... 100
       2. Software ... 100
       3. Network ... 101
       4. Personnel ... 101
       5. Physical site ... 101
       6. Organizational ... 101
   12.1 NESSUS Installation ... 101
   12.2 Deploying a dummy web server (BadStore) ... 108
13. CIS Critical Security Controls ... 115
   CIS Control 1 - Inventory and Control of Enterprise Assets ... 115
   CIS Control 2 - Inventory and Control of Software Assets ... 115
   CIS Control 3 - Data Protection ... 115
   CIS Control 4 - Secure Configuration of Enterprise Assets and Software ... 115
   CIS Control 5 - Account Management ... 116
   CIS Control 6 - Access Control Management ... 116
   CIS Control 7 - Continuous Vulnerability Management ... 116
   CIS Control 8 - Audit Log Management ... 116
   CIS Control 9 - Email and Web Browser Protections ... 116
   CIS Control 10 - Malware Defenses ... 116
   CIS Control 11 - Data Recovery ... 116
   CIS Control 12 - Network Infrastructure Management ... 116
   CIS Control 13 - Network Monitoring and Defense ... 117
   CIS Control 14 - Security Awareness and Skills Training ... 117
   CIS Control 15 - Service Provider Management ... 117
   CIS Control 16 - Application Software Security ... 117
   CIS Control 17 - Incident Response Management ... 117
   CIS Control 18 - Penetration Testing ... 117
14. Cyber Security Questions & Answers ... 118
1. Security Overview
Cyber Security is a process that’s designed to protect networks and devices from external
threats. Businesses typically employ cyber security professionals to protect their
confidential information, maintain employee productivity, and enhance customer confidence
in products and services.
The world of cyber security revolves around the industry standard of confidentiality,
integrity, and availability, or CIA. Confidentiality means data can be accessed only by authorized
parties; integrity means information can be added, altered, or removed only by authorized
users; and availability means systems, functions, and data must be available on demand
according to agreed-upon parameters.
Cyber security is the practice of defending computers, servers, mobile devices, electronic
systems, networks, and data from malicious attacks. It's also known as information
technology security or electronic information security. The term applies in a variety of
contexts, from business to mobile computing, and can be divided into a few common
categories.
Network security is the practice of securing a computer network from intruders, whether
targeted attackers or opportunistic malware.
Application security focuses on keeping software and devices free of threats. A
compromised application could provide access to the data it’s designed to protect.
Successful security begins in the design stage, well before a program or device is deployed.
Information security protects the integrity and privacy of data, both in storage and in
transit.
Operational security includes the processes and decisions for handling and protecting
data assets. The permissions users have when accessing a network and the procedures
that determine how and where data may be stored or shared all fall under this umbrella.
2. About the Program
Cybersecurity is one of the fastest-growing segments in IT. Through practical training, skill
development and employment support, this program will prepare you for a career as a SOC
Cybersecurity Analyst in this high-demand field. Professional training is provided by Cyberwall,
and a SOC Cybersecurity Analyst Certificate is awarded upon successful completion.
3. Virtualization
What is Virtualization?
Put simply, we can build a virtual computer out of software, and use that to run a different
operating system on top of our main operating system. Imagine running Windows at the
same time as running Mac OS X for example. Or even running Windows while running
Linux. All this and more are possible with virtualization.
Here we have a Linux system running VMware (a popular virtualization software); the
operating system inside the virtual machine is Windows 10.
We call the operating system that runs the virtualization software the host operating
system. It is the master, the operating system that loads when you first turn on your
physical computer.
We call the operating system that runs inside the virtual machine the guest operating system.
The guest operating system is separate from the host operating system and cannot directly access the
resources on the host. For example, if you were running Windows as the host operating system and
Linux as the guest, the Linux guest is not able to access files on your Windows desktop directly.
This separation is a key use case for virtualization. If you are analysing a computer virus, you will
want to be doing it in a virtual machine to prevent it from spreading to your host operating system
and potentially escaping out onto the internet from there.
Before we talk about the different types of virtualization, we have to talk about the
hypervisor. The hypervisor is the layer of code that allows multiple operating systems to
share the same hardware resources. Essentially, it's the bit of code that directs traffic,
deciding which bits of memory are used for which virtual machines, where the hard disk
for that virtual machine is kept in storage, and so on.
Type 2 Hypervisor
The first type of virtualization we'll talk about is the type 2 hypervisor. This type of
virtualization is where the virtualization is done by a software program that runs on an
operating system. This is the kind of virtualization we'll be using throughout this course.
Several software programs can be used to perform this; the most popular ones are
VMware Workstation and VirtualBox.
Type 1 Hypervisor
The second type of virtualization is the type 1 hypervisor. This type of virtualization is
where the virtualization occurs at the firmware level. This is still software, but there is
no host operating system: the virtualization software in effect is the host operating
system. This is commonly used in server environments such as data centers,
particularly ones that form 'the cloud'. It is a more efficient setup than a type 2
hypervisor, but it isn't convenient for people to use on their personal computers.
Some examples are VMware vSphere and Proxy.
Uses of Virtualization
Virtualization sounds pretty niche, so why is it so important? Well, you might be surprised
to learn that a large proportion of the internet runs on virtualised servers. Ever heard of
the cloud? Well, most of that is run off of Type 1 hypervisors. The fact of the matter is
virtualization offers huge efficiency improvements for large-scale applications.
Imagine if you have a website which is usually quiet, but often it will suddenly get a huge
deluge of users accessing it all at once. You need a server that can handle the maximum
number of users, but that will leave your server doing nothing most of the time when it's
quiet. With virtualization, you can run the site off one small virtual machine, and have
new virtual machines come online during peak times to load balance your traffic across
the multiple servers. When it becomes quiet again, you can delete some of the virtual
machines and go back to having only one serving the website. Cloud hosting providers
such as Amazon AWS offer this functionality using virtualization.
3.1 Oracle’s VM Virtual Box
Oracle VM VirtualBox (formerly Sun VirtualBox, Sun xVM VirtualBox and Innotek VirtualBox)
is a type-2 hypervisor for x86 virtualization developed by Oracle Corporation.
VirtualBox was originally created by Innotek GmbH, which was acquired by Sun
Microsystems in 2008, which was in turn acquired by Oracle in 2010.
VirtualBox may be installed on Microsoft Windows, macOS, Linux, Solaris and OpenSolaris;
there are also ports to FreeBSD and Genode. It supports the creation and management of
guest virtual machines running Windows, Linux, BSD, OS/2, Solaris, Haiku, and OSx86, as
well as limited virtualization of macOS guests on Apple hardware.
Version 6.1
• Added nested virtualization support for Intel CPUs (it was already available
for AMD CPUs) starting with Intel Core i5 Broadwell
• Experimental support for file transfers via drag-n-drop only for Windows
host and guests (disabled by default, must be enabled using VBoxManage)
• Support for virtio-scsi for hard disks and optical drives, including boot support
• NVRAM support for EFI which improves compatibility with many guest OSes
Hypervisor
A hypervisor is computer software, firmware or hardware that creates and runs virtual
machines. A computer on which a hypervisor runs one or more virtual machines is called
a host machine, and each virtual machine is called a guest machine.
3.2 Installing Oracle VM VirtualBox
Select “Windows hosts”. It’ll give you the option to Run or Save. Click Run.
The installation window will appear. Click “Next”.
Select the options you want and then click “Next”.
It’ll warn you about the temporary network disconnection. Click “Yes”.
Click “Install” on the next screen.
4. Installing Windows 2016 Server on VirtualBox
4.1 Download ISO Windows 2016
Go to https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2016 in your
computer’s internet browser. Select ISO and click “Continue”.
It’ll ask for your details. Fill in all the required information and click “Continue”.
Next, select the language from the drop-down and click “Download”. Save the file on your hard drive.
4.2 Download ISO Windows 10 Pro
In our lab, we are going to use Windows 10 as the client machine. Download the Windows 10 image from
https://www.microsoft.com/en-ca/software-download/windows10
The installation window will appear. Click “Accept”.
The custom setup screen will come up. Click “Create installation media…” and then click “Next”.
Finally, we have two optical disc image (ISO) files that we use to install the OS.
Check the available resources to set up the virtual machine with the optimal parameters for good
performance.
Start VirtualBox from the Start menu. Click on “New”.
Put in the desired name. We’ll use “Windows 2016 Server”. It’ll change the version automatically; if
not, select Windows 2016 (64-bit). Click “Next”.
Next, it’ll ask for memory size allocation; leave it at the default and click “Next”.
The next option is about storage on the physical drive. Select the “Dynamically allocated” option and then
click “Next”. File location and size is next. The default is 50.00 GB. We’ll use the default option. Click
“Create”.
Windows 2016 Server will appear under Tools. Click the “Settings” button.
The Windows 2016 Server settings will pop up.
Go to General > Advanced. Change the “Shared Clipboard” and “Drag’n’Drop” options from Disabled to
Bidirectional.
Select Network. Under Adapter 1, go to the “Attached to” option and from the drop-down box
select “Host-only Adapter”.
Now go to the Storage option. Under Controller: SATA, select Empty. Then click on the CD icon on the far
right side. Select the “Choose a disk file…” option.
Select the folder where you have downloaded the Windows 2016 Server ISO file. Select the file and
click “Open”.
4.3 Windows 2016 Server Installation
If an error occurs at startup, shut down the computer, enter the BIOS menu and enable
virtualization.
Click “Start” on the next screen. If it doesn’t show the Windows Server 2016 option, click the drop-down menu
and select it.
Select the language, time & currency, and input method from the drop-downs. Click “Next”. Click “Install Now”.
Select “Windows Server 2016 Standard Evaluation (Desktop Experience)”. Click “Next”.
Select the “I accept the license terms” check box and click “Next”.
Click “New”. Click “Apply”.
Once done, it’ll reboot.
Create the Administrator password and click “Finish”.
After logging in, it’ll open Server Manager. This screen means the server is installed.
We do not allow other PCs to find this one. Right-click on the small monitor icon on the right bottom side
of the screen, beside the clock. Select “Open Network and Sharing Center”.
Select the “Use the following IP address:” radio button and fill in the required information. We used
the following information. Click “OK”.
Select “Close” on the next 2 screens.
Through the command line we check that the network settings have been applied using the
"IPCONFIG" command.
We apply the "ping" command to the google.ca site to check internet access.
The settings for the top network adapter are used to connect to the firewall. For now, we temporarily
activate the second adapter with NAT (Network Address Translation) settings for temporary
internet access. We shut down the operating system, change the system settings and activate
the 2nd adapter.
Install Google Chrome browser
We open the Internet Explorer browser and enter the site
https://www.google.com/intl/en_us/chrome/ . Then, in the Internet settings, allow it to download
the files.
Finally, the browser is installed. We use this browser because it is faster and has the necessary
extensions to open most sites.
5. Installing Windows Client (Windows 10 Pro)
5.1 Virtual machine configuration
Put in the desired name. We’ll use “Windows 10”. It’ll change the version automatically; if not, select
Windows 10 (64-bit). Click “Next”.
Next, it’ll ask for memory size allocation; leave it at the default and click “Next”.
The VHD and VMDK options are there if you want to use this disk with other virtualization software.
We are not going to use other software, so we’ll select the “VDI (VirtualBox Disk Image)” option.
Click “Next”.
The next option is about storage on the physical drive. Select the “Dynamically allocated” option and
then click “Next”.
File location and size is next. The default is 50.00 GB. We’ll use the default option. Click “Create”.
Now go to the Storage option. Under Controller: SATA, select Empty. Then click on the CD icon on the
far-right side. Select the “Choose a disk file…” option.
Select the folder where you have downloaded the Windows 10 ISO file.
Select the file and click “Open”. Press “OK” on the main settings window.
5.2 Windows 10 Pro Installation
Click “Install now”.
Select “I don’t have a product key” and click “Next”.
Click on “Custom: Install Windows only (advanced)”. Click “New”. Click “Apply”.
A Windows popup will appear. Click “OK”.
Complete the optional items on the next screens.
Select "Domain join instead" for an offline account. Enter the default username.
Decline all optional features for optimal OS performance.
Once completed it’ll show you the Welcome screen. The Windows 10 installation is complete.
Windows 10 will appear under Machine. Click the “Settings” button. Select Network.
Under Adapter 1, go to the “Attached to” option and from the drop-down box select “Host-only Adapter”.
Right-click on the small monitor icon on the right bottom side of the screen, beside the clock. Select “Open
Network and Sharing Center”.
The Network and Sharing Center screen will appear. Click “Change adapter options”. Click “Ethernet”.
The Ethernet Status screen will pop up. Click the “Properties” button.
Select “Internet Protocol Version 4 (TCP/IPv4)” and click “Properties”.
Select the “Use the following IP address:” radio button and fill in the required information.
We used the following information. Click “OK”.
Select “Close” on the next 2 screens.
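As an added example (not part of the build book), the static IPv4 configuration that the TCP/IPv4 dialog sets by hand, both for the server in section 4.3 and for the client here, can be applied and verified from an elevated PowerShell prompt. It assumes the adapter is called "Ethernet", a 192.168.1.0/24 host-only network with the server at 192.168.1.2 and the client at 192.168.1.3 (the addresses pinged in section 6), and the server as DNS server because it will host AD DS and DNS.

```powershell
# Added example, not from the build book. Sets the static IPv4 address the
# GUI dialog above configures, then verifies it the way section 4.3 does with
# "ipconfig" and "ping". Run in an elevated PowerShell on the VM in question.
# Assumptions: adapter alias "Ethernet", lab network 192.168.1.0/24, server
# 192.168.1.2, client 192.168.1.3, and the server acting as DNS server.
param(
    [ValidateSet('Server', 'Client')]
    [string]$Role = 'Client'
)

$Alias  = 'Ethernet'
$Config = @{
    Server = @{ IP = '192.168.1.2'; Dns = '192.168.1.2' }  # the DC points at its own DNS service
    Client = @{ IP = '192.168.1.3'; Dns = '192.168.1.2' }  # the client must use the DC to find the domain
}
$Me   = $Config[$Role]
$Peer = if ($Role -eq 'Server') { $Config.Client.IP } else { $Config.Server.IP }

# Clear any DHCP or previously typed IPv4 address so the static one is the only one on the adapter.
# No default gateway is set: the host-only network has none until the firewall is added in section 9.
Remove-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $Alias -IPAddress $Me.IP -PrefixLength 24 | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses $Me.Dns

# Equivalent of "ipconfig": show what the adapter now has
Get-NetIPConfiguration -InterfaceAlias $Alias | Format-List InterfaceAlias, IPv4Address, DNSServer

# Equivalent of "ping <peer>": True when the other VM answers.
# From the server this stays False until the client firewall is handled in section 6.
$reachable = Test-NetConnection -ComputerName $Peer -InformationLevel Quiet
"Ping to $Peer from the $Role succeeded: $reachable"
```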
6. Active Directory (AD)
A directory is a hierarchical structure that stores information about objects on the network. A
directory service, such as Active Directory Domain Services (AD DS), provides the methods for
storing directory data and making this data available to network users and administrators. For
example, AD DS stores information about user accounts, such as names, passwords, phone
numbers, and so on, and enables other authorized users on the same network to access this
information.
Active Directory stores information about objects on the network and makes this information
easy for administrators and users to find and use. Active Directory uses a structured data store
as the basis for a logical, hierarchical organization of directory information.
This data store, also known as the directory, contains information about Active Directory objects.
These objects typically include shared resources such as servers, volumes, printers, and the
network user and computer accounts. For more information about the Active Directory data
store, see Directory data store.
Security is integrated with Active Directory through logon authentication and access control to
objects in the directory. With a single network logon, administrators can manage directory data
and organization throughout their network, and authorized network users can access resources
anywhere on the network. Policy-based administration eases the management of even the most
complex network. For more information about Active Directory security, see Security overview.
There are several benefits to using AD DS for your basic network user and computer
management:
• You can customize how your data is organized to meet your company’s needs.
• You can manage AD DS from any computer on the network, if necessary.
• AD DS provides built-in replication and redundancy: if one Domain Controller (DC) fails,
another DC picks up the load.
• All access to network resources goes through AD DS, which keeps network access rights
management centralized.
6.1 Why do we need AD?
Even if you don’t know what Active Directory (“AD”) is, you’ve probably seen it in action at some
point in your career. You’ve also, perhaps, wondered how specific tasks occur. There are many
benefits to implementing Active Directory in your office, even if you don’t think you are big enough to
utilize it.
For example, with Active Directory, employees must adhere to password security protocols. These
include the complexity, length, and how often they must update their password within the system.
By setting this at a system-wide level, you can be sure that it is happening, not just being an
overlooked policy.
Ever wondered how users can log in to any computer at an organization? Active Directory. When
all the users are loaded, they have access to the network. Meaning, they can log into the conference
room computer and find all their information without having to use USB drives to transport data.
All the data is stored in one location and allows all devices registered to the network access to the
files, based on the permission level you set.
Security Controls
If you’re tired of manually setting up files that some people have access to and others don’t, “AD”
is the solution for you! It allows you to stick people in groups and then apply the security access
to the entire team, rather than just a single person at a time.
Protection
When configured correctly, users only have access to data that is pertinent to them. What this
means is your company files are more protected. People without access can’t accidentally delete
data they shouldn’t. If a virus gets into a network, that virus (typically) won’t be able to infect a file
that it can’t access.
Instead of installing antivirus one-by-one on each computer, you can send that installation out via
Active Directory. “AD” will keep your equipment protected without having to remember which
machines got what programs.
Smart all-in-one printers are great, except when you have to set them up. Active Directory speaks
LDAP (Lightweight Directory Access Protocol), allowing your users’ email addresses to be
synced with your new printer so users can quickly scan to themselves.
6.2 Active Directory setup
The following article describes creating an Active Directory domain on Windows Server 2016:
https://support.cloudshare.com/hc/en-us/articles/360035332172-Active-Directory-Domain-Creation-in-Windows-Server-2016-Standard-#:~:text=Create%20an%20Active%20Directory%20Domain%20on%20Windows%20Server%202016&text=Navigate%20to%20the%20Local%20Server,to%20the%20Installation%20Type%20option.
Select the “Role-based or feature-based installation” radio button and click “Next”.
Select the server you installed in the previous slides. Click “Next”.
Select “Active Directory Domain Services” and “DNS Server” from the list. Click “Add Features”.
Click “Next” to confirm DNS Server. Click “Install” to begin the AD installation.
Once completed, it’ll show “Installation succeeded”. Click “Promote this server to a domain controller”.
A new Deployment Configuration window will open. Select the “Add a new forest” radio button and
put in the root domain name. It could be any name you like to use. Click “Next”.
Leave all default options. Type in a new DSRM password. Remember this is not the administrator
password; it is used to recover Directory Services. Click “Next”.
Leave the default values on DNS Options and click “Next”. Click “Next” on the next 3 screens, leaving the default
values.
6.3 Creating a new user in Active Directory
Let’s create a new user in AD. Open the Server Manager Dashboard. Click “Tools” in the top right corner
and select “Active Directory Users and Computers”.
In the left panel, select your newly created domain.
Under the domain, click “Users”. In the right panel, right-click, go to “New” and then select “User”.
A new popup will appear. Fill in the details and click “Next”.
Create a new password for that user. Select the desired boxes as per your policies.
Just for the sake of the lab, we didn’t select any option. Click “Next”.
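The same user can be created with the ActiveDirectory PowerShell module on the domain controller; this is an added example, not a step from the build book. The four check boxes of the password dialog map onto the parameters shown, and the domain name lab.local, the user Jane Doe and the logon name jdoe are assumed placeholders for the forest name and user details you chose.

```powershell
# Added example, not from the build book: create the lab user from PowerShell
# instead of the "Active Directory Users and Computers" dialog. Run on the DC.
# Assumed placeholders: domain lab.local, user "Jane Doe", logon name jdoe.
Import-Module ActiveDirectory

$Domain   = 'lab.local'
$DomainDn = ($Domain.Split('.') | ForEach-Object { "DC=$_" }) -join ','   # lab.local -> DC=lab,DC=local

# Prompt for the initial password so it never sits in the script or the console history
$Password = Read-Host -AsSecureString -Prompt 'Initial password for the new user'

# The dialog's four check boxes, as parameters. The lab left them all clear;
# outside a lab you would normally set ChangePasswordAtLogon to $true.
$PasswordOptions = @{
    ChangePasswordAtLogon = $false   # "User must change password at next logon"
    CannotChangePassword  = $false   # "User cannot change password"
    PasswordNeverExpires  = $false   # "Password never expires"
    Enabled               = $true    # inverse of "Account is disabled"
}

# Same container the GUI steps use: the default "Users" container of the domain
New-ADUser -Name 'Jane Doe' -GivenName 'Jane' -Surname 'Doe' `
    -SamAccountName 'jdoe' -UserPrincipalName "jdoe@$Domain" `
    -Path "CN=Users,$DomainDn" `
    -AccountPassword $Password @PasswordOptions

# Confirm what was created and that the logon name resolves
Get-ADUser -Identity 'jdoe' -Properties Enabled, PasswordLastSet |
    Format-List Name, SamAccountName, UserPrincipalName, Enabled, PasswordLastSet, DistinguishedName
```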
Then start both virtual machines and open the command line. Enter the "ping" command from the
server to the client at 192.168.1.3, then from the client to the server at 192.168.1.2. We notice that
we get no replies from the client: the firewall built into the client blocks access from foreign
sources. For this lab it must be disabled.
Search for Firewall on the client (in our case Windows 10) and turn the firewall off.
Check the transmission and reception between the server and the client again. You notice
that the packets are now sent and received successfully. The result is that the connection works.
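The build book turns the client firewall off to make the ping work. As an added example (not from the build book), a narrower alternative leaves Windows Defender Firewall enabled and permits only ICMPv4 echo requests from the server; it assumes the server is at 192.168.1.2 and is run elevated on the Windows 10 client.

```powershell
# Added example, not from the build book: keep the Windows Defender Firewall
# on and allow only ICMPv4 echo requests (ping) from the lab server instead of
# disabling the firewall. Run in an elevated PowerShell on the Windows 10 client.
# Assumption: the server is 192.168.1.2 as in the ping test above.
$Server   = '192.168.1.2'
$RuleName = 'Lab: ICMPv4 echo request from server'

# All three profiles stay enabled; nothing here turns the firewall off
Get-NetFirewallProfile | Select-Object Name, Enabled

# One inbound rule: protocol ICMPv4, type 8 (echo request), remote address limited to the server
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $Server -Profile Any | Out-Null
}

# Show the scope of the rule, then repeat the ping from this side;
# re-run "ping 192.168.1.3" on the server to confirm the other direction
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
$reachable = Test-NetConnection -ComputerName $Server -InformationLevel Quiet
"Server $Server answers ping: $reachable"

# To undo the lab rule later: Remove-NetFirewallRule -DisplayName $RuleName
```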
We place the "This PC" icon on the desktop for quick access to the system properties.
In the command line we send the "ping" command to the domain name.
The domain is not recognized because we do not have access to the Domain Name System (DNS).
The Ethernet Status screen will pop up. Click the “Properties” button.
Select “Internet Protocol Version 4 (TCP/IPv4)” and click “Properties”.
Select the “Use the following IP address:” radio button and fill in the required information.
We used the following information. Click “OK”. Select “Close” on the next 2 screens.
The welcome-to-domain popup will appear. You might need to reboot the PC. Log on to the client.
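As an added example (not from the build book), the DNS check and the domain join that the dialogs above perform can be done from an elevated PowerShell on the client. It assumes the domain is called lab.local, the adapter is "Ethernet", and the domain controller, which also runs DNS, is 192.168.1.2; substitute the forest name you chose in section 6.2.

```powershell
# Added example, not from the build book: point the client at the DC for DNS,
# confirm the domain now resolves (the failed "ping <domain>" above was a DNS
# problem), then join the domain. Run in an elevated PowerShell on the client.
# Assumptions: domain lab.local, DC and DNS server at 192.168.1.2, adapter "Ethernet".
$Domain = 'lab.local'
$Dc     = '192.168.1.2'

Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $Dc

# A domain is "recognized" once its LDAP service record resolves through the DC's DNS
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $Dc -ErrorAction Stop |
    Where-Object Type -eq 'SRV'
"Domain controllers advertised for ${Domain}: $($srv.NameTarget -join ', ')"

# Join with an account that is allowed to add computers. The machine reboots, as the
# build book notes, and the "Welcome to the domain" message is the same one the GUI shows.
$cred = Get-Credential -Message "Account permitted to join computers to $Domain"
Add-Computer -DomainName $Domain -Credential $cred -Force -Restart

# After the reboot, verify from a domain logon that the join and the secure channel are good:
#   (Get-CimInstance Win32_ComputerSystem).PartOfDomain
#   Test-ComputerSecureChannel
```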
7. Event Viewer
The Windows Event Viewer shows a log of application and system messages, including errors,
information messages, and warnings. It’s a useful tool for troubleshooting all kinds of different
Windows problems.
Note that even a properly functioning system will show various warnings and errors in the logs
you can comb through with Event Viewer. Scammers even use this fact on occasion to deceive
people into believing their system has a problem only the scammer can fix. In one infamous scam,
a person claiming to be from Microsoft phones someone up and instructs them to open the Event
Viewer. The person is sure to see error messages here, and the scammer will ask for the person’s
credit card number to fix them.
As a rule of thumb, assuming your PC is working properly, you can pretty much ignore the errors
and warnings that appear in the Event Viewer. That said, it’s worth having a basic working
knowledge of the tool and knowing when it can be useful to you.
Open Control Panel and search for Windows Tools, then open Event Viewer. Or search for "Event
Viewer" directly.
Access Windows Logs and look at the Security log.
Next identify the Event IDs and their meaning. Depending on the ID, the user's activity can be seen
in the description.
Delete the created user
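As an added illustration of the "identify the Event IDs" step (example code written for this edit, not part of the build book): the Python below parses Security events in the XML form that Event Viewer shows under Details > XML View and maps each Event ID to its meaning. The two records are constructed to match the lab's create-then-delete of a test user; 4720 and 4726 are the standard Windows audit IDs for those two actions, and the computer name and user names are made up.

```python
"""Classify Windows Security events exported from Event Viewer (XML view).

Added example for this build book. The two records below are constructed to
mimic the XML that Event Viewer shows under Details > XML View; the event-ID
meanings are the standard Windows Security audit IDs.
"""
import xml.etree.ElementTree as ET

# Standard Windows Security audit event IDs relevant to the user create/delete lab step.
EVENT_MEANINGS = {
    4720: "A user account was created",
    4722: "A user account was enabled",
    4726: "A user account was deleted",
    4727: "A security-enabled global group was created",
    4624: "An account was successfully logged on",
    4625: "An account failed to log on",
}

# Event Viewer's XML namespace (seen on every <Event> element in the XML view).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: two records as the XML view would show them (host and user names made up).
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4720</EventID>
    <TimeCreated SystemTime="2022-11-14T10:02:11.000Z"/>
    <Channel>Security</Channel>
    <Computer>WIN2016-DC.lab.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">test</Data>
    <Data Name="SubjectUserName">Administrator</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4726</EventID>
    <TimeCreated SystemTime="2022-11-14T10:05:47.000Z"/>
    <Channel>Security</Channel>
    <Computer>WIN2016-DC.lab.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">test</Data>
    <Data Name="SubjectUserName">Administrator</Data>
  </EventData>
</Event>
</Events>"""


def parse_events(xml_text):
    """Turn exported Event Viewer XML into flat records with the ID's meaning attached."""
    root = ET.fromstring(xml_text)
    records = []
    for ev in root.findall("e:Event", NS):
        event_id = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        # EventData holds the fields the description pane is built from (target user, actor, ...).
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        records.append({
            "event_id": event_id,
            "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "computer": ev.findtext("e:System/e:Computer", namespaces=NS),
            "meaning": EVENT_MEANINGS.get(event_id, "Unknown event ID"),
            "target_user": data.get("TargetUserName"),
            "actor": data.get("SubjectUserName"),
        })
    return records


def describe(record):
    """One-line summary similar to what the Event Viewer description pane tells you."""
    return (f"{record['time']} {record['computer']} EventID {record['event_id']}: "
            f"{record['meaning']} (target={record['target_user']}, by={record['actor']})")


def account_lifecycle(records):
    """Accounts that were both created (4720) and deleted (4726) in the same log extract."""
    created = {r["target_user"] for r in records if r["event_id"] == 4720}
    deleted = {r["target_user"] for r in records if r["event_id"] == 4726}
    return sorted(created & deleted)


if __name__ == "__main__":
    recs = parse_events(SAMPLE_XML)
    for rec in recs:
        print(describe(rec))
    print("created and then deleted:", account_lifecycle(recs))
```

Run it against a real export by saving the Security log from Event Viewer as XML and passing the file contents to parse_events; unknown IDs are reported as such rather than guessed.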
8. Security Information & Event Management (SIEM)
Simply put, SIM, SEM and SIEM refer to types of tool that store and process logs or event data. The quick
difference is that SIM deals with storing log data for long-term analysis, whereas SEM is
concerned with live-action processing. Combine the two and you get one neat tool that deals with both:
SIEM.
SIM
SIMs are tools or platforms used to collect and store all the security data that is logged within an
organization. There is a considerable amount of data ranging across the entire IT platform.
Depending on your technology choices and how well configured the collection process is, they
would collect data from things such as:
Basically, all the information from any software and how it's being used, including changes to
the operating system. This could get very big very quickly! It is therefore not uncommon for
collection to be a little more selective. All of these stored logs amount to far too much data for
any human to process. Enter SEM.
SEM
These tools provide real-time analysis of all the SIM data with the added benefit of sending alerts
about any security anomalies. Imagine combing and sorting through all the data listed above and
then parsing it. The result is output to a console so that a human gets an alert to be investigated.
This can be used to trip alerts, but also to provide bigger-picture insights into the network and trends.
The console tends to have displays such as charts and pictorial representations of the data to make
it easy for the network administrators to see what is happening. Log data can provide an invaluable
insight into what attackers are doing on the network. The ability to analyse this data quickly, as
opposed to in 30 days, could make the difference between stopping an attacker quickly or giving them
significant dwell time in your network!
SIEM
Rather than having two separate tools that do practically the same thing, why not combine them
into one platform? This is precisely what a SIEM does, and it has become quite the default. These
SIEM systems automate much of this process and come pre-packaged with rules and how-tos
designed to make processing data and reacting to it much easier.
This integrated platform is useful to security but can also be very beneficial when auditors come
and check how compliant the company has been. This is for things like Information Security
management systems and ISO 27000 certificates. Demonstrating control over your logs and
understanding of events in your network is key to such processes.
As mentioned before, you can process a huge volume of data with these systems. Simply
imagine every endpoint streaming continuous log data about a given software update or
configuration change! Retention policies that limit what matters and filtering rules that focus on
the data of consequence are key, or the data can become a gigantic monolith.
In most businesses there are typical things you want to log, so there are default setups to arrange
collection for common technology or platforms. However, some configuration is often needed.
SIEM tools do often come with a set of rules or triggers, but customizing them for your environment
is typically required. SIEM platforms are not just installed in the network; they can be cloud based
too! In this setup you can benefit from management by a vendor and continual software updates
or features, but there can be a tradeoff in handing your event data to a third party.
These platforms include more and more clever techniques to react to data, and baselining with
machine learning or heuristic mechanisms is finding more suspicious entries than ever before.
In short, this means that if a hacker wants to get through the network, they will have to look like
regular traffic.
A great SIEM setup will help organizations react to breaches, but also understand what happened
and investigate retrospectively.
8.2 Setting up Sumo Logic
For this lab, first we need to register for the free trial. On your Windows server 2016, go to
https://www.sumologic.com/ and click on Start free trial.
Put in your business email, select the region, select “I agree to the Service License
Agreement”, and click Sign Up.
It’ll ask you for some details. Put in all the required details and click “Activate”.
8.3 Downloading and Installing Sumo Logic Collector
Select "Windows Events". Download and install the application following the
steps below. Copy the token key.
Select “I accept the agreement” and click “Next”. Leave the default values on the next two
screens and select “Next >”.
Select the token option and paste the token in the next window. Then click "Next".
It’ll initialize the collector. Once completed, click “Finish”.
Check in Task Manager that the sumo-collector process is running.
Under Collection, go to the right-hand side of the screen and click “Edit” in front of your server
and change the collector’s name so it can be easily identified.
Under Collection, go to the right-hand side of the screen and click “Add” in front of your
server. Select “Add Source”.
It’ll give you some options. Click on the “Windows Event Log” icon.
Put in a Name. We used “Server2016”. In Description write “Windows Event Logs from Server
2016” or use your own. Assign a Source Category; in our case we used Windows.
Under Types we selected only “Security” so we won’t run out of free trial space. Select “All time”
from the “Collection should begin” drop down. Leave the other options as default. Click “Save”.
8.5 Searching Event Logs
Now go back to Server Manager, create a new user and then delete it. You can follow the
procedure for creating a user described before. Go to the Sumo Logic portal. Under Collection, hover the
mouse over your server’s name. A blue icon will appear (pointed to by the red arrow); click
that icon.
It’ll open the Collector window. In the search bar, in front of the existing query, select the
length of time (“Use Receipt Time”) to display the logs. Press the search magnifier button.
In the search bar, in front of the existing query, type keywords such as “user test and deleted”.
Select “Use Receipt Time” and click the “Magnifier” button.
In the Active Directory application, in the left panel, select your newly created domain. Under the
domain click “Users”. In the right panel, right click, go to “New” and then select User.
8.6 Parse the Event Code
We are going to parse a field such as the Event Code. Select the field value, right click and
click “Parse selected text”.
Double click the value and select “Click to extract this value”; it’ll replace the value with a star (the wildcard).
Give that field a name. We are going to use “Event Code”. Click Submit. Start the query again.
You’ll see a new field “EventCode”, and at the same time we can add “Msg”.
We’ll create a search for “A security-enabled global group was created”. We’ll create the same
search script for Event ID 7036. After that click Save As.
We’ll create an email alert to be sent whenever a user is deleted. Assign a Name and Description to
this alert. Change the Time range to 15 minutes. We’ll save this to the Personal folder. Click on
“Schedule this search >”.
Select “All time” from the drop down box. This is a lab so we can select this option; otherwise
it would slow down the whole process. Change the Time range for the scheduled search to “Last 5
minutes”. Change “Alert condition” to “Greater than or equal to >=” and Number of results to
“1”. Alert Type should be Email; put your email address in Recipients. Click “Update”. If the
user has been deleted, within 15 minutes we will receive a corresponding email alert.
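The "Parse the Event Code" step and the scheduled alert above, written out as plain Python (an added example for this edit, not Sumo Logic's code or query language): parse_field extracts the text at the '*' position of an anchor template, the way the "Click to extract this value" star works, and scheduled_search keeps the rows whose EventCode matches inside a 5-minute window and raises an alert when the count is greater than or equal to 1. The log lines, the fixed "now" timestamp and the key = value message layout are constructed for the example; the rule that a trailing wildcard takes one whitespace-delimited token is this example's own simplification.

```python
"""Anchor-template field extraction and a scheduled-search alert.

Added example for this build book, not Sumo Logic's code. It reproduces in plain
Python two things the lab does in the Sumo Logic UI: pulling a field out of a
message with an anchor template in which '*' is the wildcard, and a scheduled
search over the last 5 minutes that alerts when the number of results is >= 1.
The log lines and the "now" timestamp are constructed so the run is
deterministic; the key = value layout imitates the message text shown for the
Windows Event Log source.
"""
import re
from datetime import datetime, timedelta, timezone


def parse_field(message, template):
    """Return the text in the '*' position of the template, or None if no match.

    Text around the wildcard is matched literally. The capture stops at whatever
    follows the '*' in the template; when nothing follows, it takes one
    whitespace-delimited token (this example's own simplification).
    """
    if template.count("*") != 1:
        raise ValueError("template needs exactly one '*' wildcard")
    before, after = template.split("*")
    tail = re.escape(after) if after else r"(?=\s|$)"
    match = re.search(re.escape(before) + r"(.+?)" + tail, message)
    return match.group(1) if match else None


# Constructed "now" so the time window is reproducible.
NOW = datetime(2022, 11, 14, 10, 10, 0, tzinfo=timezone.utc)

# Constructed (receipt time, message) pairs; the lab searches by "Use Receipt Time".
SAMPLE_LOGS = [
    (NOW - timedelta(minutes=12), "EventCode = 4720 Msg = A user account was created. TargetUserName = test"),
    (NOW - timedelta(minutes=3), "EventCode = 4726 Msg = A user account was deleted. TargetUserName = test"),
    (NOW - timedelta(minutes=2), "EventCode = 7036 Msg = The Windows Update service entered the running state."),
    (NOW - timedelta(minutes=1), "EventCode = 4624 Msg = An account was successfully logged on. TargetUserName = Administrator"),
]


def scheduled_search(logs, event_code, now=NOW, window=timedelta(minutes=5), min_results=1):
    """Emulate the scheduled search: rows whose EventCode matches and whose receipt
    time falls inside (now - window, now]; alert when results >= min_results."""
    start = now - window
    results = []
    for received, message in logs:
        if not (start < received <= now):
            continue
        if parse_field(message, "EventCode = *") != event_code:
            continue
        results.append({
            "receipt_time": received.isoformat(),
            "EventCode": event_code,
            "Msg": parse_field(message, "Msg = *."),            # anchor on the sentence's full stop
            "TargetUserName": parse_field(message, "TargetUserName = *"),
        })
    return {"results": results, "alert": len(results) >= min_results}


if __name__ == "__main__":
    outcome = scheduled_search(SAMPLE_LOGS, "4726")  # the lab's "user deleted" alert
    for row in outcome["results"]:
        print(row)
    print("alert:", outcome["alert"])
```

With the constructed data the 4726 (user deleted) search fires because the deletion is 3 minutes old, while a 4720 (user created) search over the same 5-minute window finds nothing and stays quiet; widening the window to 15 minutes picks the creation up.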
9. Firewalls
9.1 What is a firewall?
A firewall is a network security device that monitors and filters incoming and outgoing
network traffic based on an organization's previously established security policies. At its
most basic, a firewall is essentially the barrier that sits between a private internal network
and the public Internet.
Firewalls provide protection against outside cyber attackers by shielding your computer or
network from malicious or unnecessary network traffic. Firewalls can also prevent
malicious software from accessing a computer or network via the internet. Firewalls can
be configured to block data from certain locations (i.e., computer network addresses),
applications, or ports while allowing relevant and necessary data through.
Advantages of Firewall
A Firewall prevents hackers and remote access.
It protects data.
It ensures better privacy and security.
It protects from Trojans.
A network-based Firewall, like a router, can offer protection to multiple systems,
while an OS-based Firewall can protect individual systems.
Disadvantages of Firewall
Cost: Installation of a Firewall can be costly depending on the sophistication
required.
Performance: This is affected as each packet has to be verified for authenticity
before it is allowed into the network.
Virus and Malware: There are a few limitations in a Firewall like its inability to
prevent virus and malware attacks for which separate applications would be
required, at the individual system level.
A network-level Firewall might bring in a false sense of security in employees and
make them slacken on securing individual systems. Companies need to make all
employees understand the concept of a Firewall and the importance of a Firewall
for information security and their responsibility.
Firewall maintenance and upgrades require extra manpower and resources.
9.2 Installing pfSense on VirtualBox
pfSense is a free and open-source operating system for routers and firewalls. pfSense can
be installed on most commodity hardware, including old computers and embedded systems.
pfSense is typically configured and operated through a user-friendly web interface, making
administration easy even for users with limited networking knowledge. Generally,
one never needs to use the terminal or edit config files to configure the router. Even software
updates can be run from the web UI.
First off, download the pfSense ISO image file. Once downloaded, make sure you have 7-Zip
installed. Head to your Downloads folder and right-click the pfSense-amd64.iso.gz file.
Now choose 7-Zip (if you are on Windows 11, you must select Show More Options first!) and
select Extract Here.
The hardware settings are your personal preference. Just make sure to adhere to
pfSense’s minimum hardware requirements. You should assign at least 1024 MB of
memory and 1 CPU. We will assign a little bit more:
Next, we need to set up the Virtual Hard Disk. 10 GB is sufficient for pfSense. If you plan to
install a lot of packages, choose more:
In the final screen, make sure everything is according to your preferences and click
on Finish.
Leave the default values for File location and size. You can change to a different folder. Click
“Create”. Select pfSense from the left panel and click “Settings”.
Select Storage, then select “Empty” under Controller: IDE. Click on the “CD” icon in the right corner.
Select “Choose a disk file”. Select the pfSense ISO file which we extracted earlier.
Select “Network” from left panel. Under Adapter 1, select NAT from drop down box. Click
on “Adapter 2”. Select “Enable Network Adapter”. Click on “Host-only Adapter” from drop
down. Click “OK”.
Click “Start” from the VirtualBox main screen. It’ll start the pfSense VM. Press Enter on
“Accept” on the first screen. Using the arrow keys, select “Install pfSense” and press Enter.
Press “Enter” on the next screen. Using the arrow keys, select “Auto (UFS) BIOS” and press
Enter.
It’ll start the installation. Press “No” on the next screen to exit the installer.
Press “Reboot” on the next screen to restart the system.
Next, we need to remove the disk from the virtual optical drive so that the VM boots the installed
operating system from the virtual hard disk.
The VM boots the operating system and the pfSense application. Once done it’ll be at the
following menu:
Enter 2 to assign IP.
Again enter 2 to change LAN IP.
We used 192.168.1.10, you can use any private IP.
Enter 24 for subnet:
Then press “n” for DHCP option. Then press “n” for HTTP option.
Press Enter to continue.
Open a browser on the Server or Windows 10 client and enter 192.168.1.10 (or the pfSense IP which you
have assigned). To allow unsafe access to this page press “Proceed to 192.168.1.10 (unsafe)”.
Enter “admin” as username and “pfSense” as password (default values).
It’ll take you to the home screen. It shows a warning to change the default admin password.
Select System ---- > User Manager. Under it select Users. Change the password and
press Save.
Next, in the setup wizard we do the basic configuration of the firewall.
We complete all the configuration steps and then check for the latest updates of the pfSense
application.
Now let’s create the rule. Click “Firewall” and select “Rules” from the drop down.
There’ll be three options: Floating, WAN, LAN. Click on WAN and then click the “Add”
button with the arrow pointing upwards. We create a new rule for the WAN and save. We
open the client and check if we have internet access. We notice that we do not have
access to the internet. Something is wrong…
destination outside the current network. So, the IP address of the firewall must be set as
the default gateway in the client's network settings.
After checking the browser again, we delete the default rules from the LAN section.
After deleting the rules, we usually no longer have access to the internet, because these
default rules allow full internet access.
Firewall rules are one of the fundamentals of networking. They are a set of rules
that a firewall follows when data flows through it. The firewall can reject,
block, or accept data according to the rules. To add a firewall rule, go to the interface
that you want to add the rule to and select the Add button. The left Add button
will create the rule at the top of the rule list and the right Add button will
create it at the bottom of the list.
The Action field has the options Pass, Block, or Reject. Pass allows traffic to pass
through the firewall interface. The Interface field shows all the possible interfaces that
the rule can be placed on. The Address Family may be IPv4, IPv6 or IPv4+IPv6.
Currently, most networks out there are still on IPv4, so this will be more applicable in
most cases. You can always default to IPv4+IPv6 to cover both IPv4 and IPv6 traffic.
The Protocol is the kind of protocol of the traffic you want to Pass/Block/Reject.
Typically, the most used options will be TCP or UDP.
The Source section is where the traffic is coming from.
The Destination section is where the traffic is heading toward to.
Firewall rule ordering is very important in pfSense. pfSense follows first-match
behavior when determining which firewall rule to enforce. It processes
rules from top to bottom and stops processing once the first matching rule is
found.
We add the typical rules for accessing web pages. These rules are for HTTP and HTTPS
protocols.
We still don't have internet access… We check the firewall logs to identify the problem.
Note that the blocked traffic is to destination port 53. Port 53 is the port number
assigned to the Domain Name System. DNS uses UDP port 53 and TCP port 53. DNS queries
use UDP port 53, which is lightweight and faster than TCP and reduces performance
overhead on DNS servers. DNS zone transfers rely on TCP port 53 because TCP is more
reliable.
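The rule walkthrough above, first-match ordering and the port 53 problem are easy to see in code. The Python below is an added example for this edit, not pfSense code: it models rules with the fields the text discusses (action, protocol, source, destination, destination port) and evaluates a packet against a rule list top to bottom, stopping at the first match, with no match falling through to the default block. It then compares the lab's web-only rule set with one that also passes DNS, and shows a block rule placed above the pass rules winning for the host it names. The LAN, resolver and web server addresses are constructed lab values.

```python
"""First-match firewall rule evaluation in the style of pfSense LAN rules.

Added example for this build book, not pfSense code. It models the lab's rule
sets: after the default LAN rules were deleted, pass rules for HTTP and HTTPS
were added, yet the clients still had no internet access because DNS on port 53
(UDP for queries, TCP for zone transfers) had no pass rule and fell through to
the default block. Addresses are constructed lab values.
"""
from ipaddress import ip_address, ip_network

LAN_NET = "192.168.1.0/24"     # constructed lab LAN
RESOLVER = "203.0.113.53"      # constructed upstream DNS server (TEST-NET-3 range)
WEB_SERVER = "203.0.113.80"    # constructed public web server


def make_rule(action, proto="any", src="any", dst="any", dport="any", descr=""):
    """A rule as it appears under Firewall > Rules: Pass/Block/Reject plus match fields.
    'block' drops silently; 'reject' also sends a TCP RST or ICMP unreachable back."""
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport, "descr": descr}


def _net_matches(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _rule_matches(rule, pkt):
    return (rule["proto"] in ("any", pkt["proto"])
            and _net_matches(rule["src"], pkt["src"])
            and _net_matches(rule["dst"], pkt["dst"])
            and rule["dport"] in ("any", pkt["dport"]))


def evaluate(rules, pkt):
    """Walk the rules top to bottom and stop at the first match (pfSense behaviour).
    Returns (action, index of the matching rule); no match is the implicit default block."""
    for index, rule in enumerate(rules):
        if _rule_matches(rule, pkt):
            return rule["action"], index
    return "block", None


def packet(proto, src, dst, dport):
    return {"proto": proto, "src": src, "dst": dst, "dport": dport}


# Rules as first entered in the lab: only web traffic passes.
WEB_ONLY = [
    make_rule("pass", "tcp", LAN_NET, "any", 80, "Allow HTTP"),
    make_rule("pass", "tcp", LAN_NET, "any", 443, "Allow HTTPS"),
]

# Corrected rule set: DNS must pass too, or names never resolve and browsing still fails.
WEB_AND_DNS = [
    make_rule("pass", "udp", LAN_NET, "any", 53, "Allow DNS queries"),
    make_rule("pass", "tcp", LAN_NET, "any", 53, "Allow DNS over TCP"),
] + WEB_ONLY

# Ordering matters: a block placed above the pass rules wins for the host it names.
BLOCK_ONE_HOST_FIRST = [
    make_rule("block", "tcp", "192.168.1.20/32", "any", 443, "Block HTTPS for one client"),
] + WEB_AND_DNS

DNS_QUERY = packet("udp", "192.168.1.20", RESOLVER, 53)
HTTPS_FROM_20 = packet("tcp", "192.168.1.20", WEB_SERVER, 443)
HTTPS_FROM_21 = packet("tcp", "192.168.1.21", WEB_SERVER, 443)


if __name__ == "__main__":
    print("DNS with web-only rules:   ", evaluate(WEB_ONLY, DNS_QUERY))
    print("DNS with web+DNS rules:    ", evaluate(WEB_AND_DNS, DNS_QUERY))
    print("HTTPS .20, block-first set:", evaluate(BLOCK_ONE_HOST_FIRST, HTTPS_FROM_20))
    print("HTTPS .21, block-first set:", evaluate(BLOCK_ONE_HOST_FIRST, HTTPS_FROM_21))
```

The returned index tells you which line in the rule list matched, which is the same question you answer when reading the pfSense firewall log for a blocked packet: either a block rule matched explicitly, or nothing matched and the default deny applied.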
9.3 Installing Snort Package
Snort is the foremost Open-Source Intrusion Prevention System (IPS) in the world. Snort
IPS uses a series of rules that help define malicious network activity and uses those
rules to find packets that match against them and generates alerts for users.
Snort can be deployed inline to stop these packets, as well. Snort has three primary
uses: As a packet sniffer like tcpdump, as a packet logger — which is useful for network
traffic debugging, or it can be used as a full-blown network intrusion prevention system.
Snort can be downloaded and configured for personal and business use alike.
Select System ---- > Package Manager. Under Package Manager select Available
Packages:
You can search for “snort” in search term or can scroll down to select snort. Press
Install.
It’ll ask for confirmation. Press Confirm. Once completed it’ll show the completion
message.
Next, we register a new Snort account and get a key for new free protection rules.
Copy the obtained key and apply the new settings.
We test the installed rules. For safe tests we use the EICAR test file.
The EICAR Anti-Virus Test File or EICAR test file is a computer file that was developed by
the European Institute for Computer Antivirus Research (EICAR) and Computer Antivirus
Research Organization (CARO), to test the response of computer antivirus (AV) programs.
Instead of using real malware, which could cause real damage, this test file allows people
to test anti-virus software without having to use a real computer virus.
10. Endpoint Security
Endpoint security is the process of protecting devices like desktops, laptops, mobile
phones, and tablets from malicious threats and cyberattacks. Endpoint security
software enables businesses to protect devices that employees use for work purposes
either on a network or in the cloud from cyber threats.
In the face of this, it is imperative for businesses to deploy solutions that can analyze,
detect, then block and contain cyber attacks as they happen. Organizations also need to
collaborate with one another and utilize technologies that provide their IT and security
teams with visibility into advanced threats, enabling them to quickly detect security risks
for swift remediation of potential issues.
Why Is Endpoint Security Important?
Endpoint security technology plays a vital role in protecting organizations from the
increasingly dangerous threat landscape. Some of the key benefits of an endpoint
security approach include:
1. Protecting all endpoints: As employees now connect via not only a growing
number of endpoints but also different types of devices, it is vital for organizations
to ensure they do so securely. They also need to ensure that the data on those
devices is secure and cannot be lost or stolen.
2. Securing remote working: The rise in device usage is linked to new ways of
getting work done, such as bring your own device (BYOD) and remote working
policies. These policies enable employees to be as effective as possible wherever
they are and on any device. However, they also make it more difficult to ensure
users are working securely, thus creating vulnerabilities for hackers to exploit.
Protecting the device with an endpoint security platform is crucial.
3. Sophisticated threat protection: Hackers are deploying more sophisticated attack
methods that see them come up with new ways of gaining access to corporate
networks, stealing data, and manipulating employees into giving up sensitive
information. Endpoint protection is critical to securing the modern enterprise and
preventing cyber criminals from gaining access to their networks.
4. Protecting identity: As employees connect to business systems via various
devices and from different networks and locations, the traditional process of
protecting the business perimeter is no longer viable. Endpoint security ensures
that the business puts security on employees’ devices, enabling them to work
safely regardless of how and where they connect to corporate data and
resources.
10.1 SOPHOS installation
Sophos Intercept X Endpoint is a cloud-based solution that builds on top of the Sophos
Endpoint Protection features and offers additional capabilities. Notable features include
deep learning analysis, advanced ransomware protection, EDR, XDR, and MTR.
We enter the security key obtained through the Google Authenticator application
installed on the smartphone.
Select “Protected Devices” from the menu on the left. We’ll download “Endpoint Protection”.
You can install “Server Protection” too. Click on “Download Complete Windows Installer”
under Endpoint Protection.
It’ll start downloading the client on local machine. Once completed, go to the directory
where client is downloaded and double click “SophosSetup.exe”. Click “Run” on first
screen.
Click “Install”
After the application is installed, run it and check that the program is active and
functional. For our server to be easily identified in the device list, the
computer name must be changed.
Access the system properties and change the settings. We change the name of the computer for
the Windows Server.
After login, click “Endpoint Protection” from the menu on the left. Click “Policies”, then click
“Add Policy”.
To create or edit a Threat Protection policy:
Open Sophos Central and go to Server Protection > Policies.
Click on a Threat Protection policy or click Add Policy to create a new one.
On the Servers tab, select the Security VMs you want to apply the policy to.
On the Settings tab, enter the settings you want.
Go to Server Protection > Policies to apply web control.
To set up a policy, do as follows:
Create a Web Control policy. See Create or Edit a Policy.
Open the policy's Settings tab and configure it as described below. Make sure the
policy is turned on. For more information on how we assess threats see Sophos
Web Security and Control Test Site. Additional security options
You can manually set up sites that are at risk and are not noticed by the Sophos
system.
You can check logs from Sophos client. Open Sophos client and click “Events”.
11. Incident Response
12. Importance of Vulnerability scan
A vulnerability is a weakness that can be exploited by cybercriminals to gain
unauthorized access to a computer system. After exploiting a vulnerability,
an attacker can run malicious code, install malware, and even steal sensitive data.
Many vulnerabilities impact popular software, placing the many customers using the
software at a heightened risk of a data breach or supply chain attack. Such
vulnerabilities are registered by MITRE as Common Vulnerabilities and Exposures (CVE) entries.
Vulnerability Examples
1. Hardware
2. Software
Insufficient testing, lack of audit trail, design flaws, memory safety violations (buffer
overflows, over-reads, dangling pointers), input validation errors (code injection, cross-site
scripting (XSS), directory traversal, email injection, format string attacks, HTTP
header injection, HTTP response splitting, SQL injection), privilege-confusion bugs
(clickjacking, cross-site request forgery, FTP bounce attack), race conditions (symlink
races, time-of-check-to-time-of-use bugs), side channel attacks, timing attacks and
user interface failures (blaming the victim, race conditions, warning fatigue).
3. Network
4. Personnel
Poor recruiting policy, lack of security awareness and training, poor adherence to
security training, poor password management, or downloading malware via email
attachments.
5. Physical site
Area subject to natural disaster, unreliable power source, or no key card access.
6. Organizational
Improper internal controls, lack of audit, continuity plan, security, or incident response
plan.
• Denial-of-service vulnerabilities
Nessus scans cover a wide range of technologies including operating systems,
network devices, hypervisors, databases, web servers, and critical infrastructure.
The results of the scan can be reported in various formats, such as plain text, XML, HTML
and LaTeX. The results can also be saved in a knowledge base for debugging. On UNIX,
scanning can be automated using a command-line client. There exist many different
commercial, free, and open-source tools for both UNIX and Windows to manage
individual or distributed Nessus scanners.
We access the Tenable.com site and register to be able to use the application, as a demo
free version. We follow the following steps to register and obtain the access key to the
application.
Go to https://www.tenable.com/downloads/nessus Search for the file ending with
x64.msi and click it. It’ll start downloading the file.
Once it’s done downloading the file, double click on file name at bottom left corner. It’ll
start the installation. Click next. Read the License agreement and select “I accept the
terms in the license agreement”. Click Next.
Next, it’ll ask for the destination folder to install Nessus. If you like to change the
destination, click Change or continue with default path. Click Next. Click “Install” on next
screen.
Select Nessus Professional and click Continue.
Type your activation code
Once completed, it’ll take you to the login screen. Enter Username and Password
which was created earlier.
We note the IP address in use by running ipconfig at the command line. After logging in, it’ll
show you a welcome screen. Open New Scan and choose Advanced Scan.
Put in the IP address of the targeted PC/Server and press Submit. You can scan using the
xxx.xxx.xxx.xxx format or a range (192.168.1.0-192.168.1.10). Click “Save”.
Go to My Scans to see the scanning progress. Click “run” Click on “My Basic Network
Scan”. It’ll show the status on right hand side of the screen.
It’ll show all the vulnerabilities of that host. Click each one to see the details.
12.2 Deploying a dummy web server (BadStore)
Type in the name “Web Application” and select a folder. It’ll automatically assign Type and
Version. Click “Next”. Set the memory size, e.g. 512 MB.
Select “Create a virtual hard disk now” and click “Create”.
Leave default value for next 2 screens and click “Next” on each option.
Leave default value for File location and size. You can change to different folder. Click
“Create”.
Press “Enter”
We change the type of interface. Select “Network” from the left panel. Under Adapter 1,
select NAT from the drop down box. Then run the ifconfig command and set the local IP
and subnet mask.
From the command line on the server and on the client we ping the web application
at the address 192.168.1.4, and vice versa from the web application to the server and
client, to check the access.
In Windows Server we open a browser and access the BadStore page at 192.168.1.4.
We can view the full functionality of this page.
Access Nessus application. Open New Scan and choose Web application Tests.
Put in IP address of targeted Web Application and press Save. Then run the scan
process.
Once done, it’ll show Status “Completed”. Under Host you’ll see the scanned hosts and
their vulnerabilities.
Click on host IP address.
In the next step we export the report in one of the HTML or CSV formats which is
opened with the help of Microsoft Excel.
These report files can be saved and sent for detailed study of site vulnerabilities.
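The exported CSV is where the "detailed study" usually starts, so here is an added example (written for this edit, not Tenable code) of reading a Nessus CSV export and triaging it: findings are counted per host and Risk level, hosts with anything at or above a chosen severity are listed worst first, and the remediation text for a host's Critical and High items is pulled out. The CSV content is constructed; its column names follow the Nessus CSV export layout, the plugin IDs, ports and finding names are made-up lab values, and the CVE column is deliberately left empty rather than inventing identifiers.

```python
"""Summarise a Nessus scan exported to CSV, grouped by host and severity.

Added example for this build book, not Tenable code. The CSV below is
constructed: the column names follow the Nessus CSV export layout the lab opens
in Excel, while plugin IDs, ports and finding names are made-up lab values and
the CVE column is left empty on purpose.
"""
import csv
import io
from collections import Counter, defaultdict

# Nessus "Risk" values, worst first; used to rank and filter findings.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "None"]

# Constructed export: the BadStore VM (192.168.1.4), the server (192.168.1.2) and a client (192.168.1.3).
SAMPLE_CSV = """Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name,Synopsis,Solution
900001,,10.0,Critical,192.168.1.4,tcp,80,Default credentials accepted by web application (constructed),The shop login accepts a well-known default account.,Change or remove the default account.
900002,,7.5,High,192.168.1.4,tcp,80,SQL injection in search parameter (constructed),User input reaches a database query without sanitisation.,Use parameterised queries and input validation.
900003,,5.0,Medium,192.168.1.4,tcp,80,Missing HTTP security headers (constructed),Response headers that harden browsers are absent.,Configure the recommended headers on the web server.
900004,,4.3,Medium,192.168.1.2,tcp,3389,Remote Desktop encryption level set to Medium (constructed),The RDP service negotiates a weak encryption level.,Set the encryption level to High.
900005,,0.0,None,192.168.1.2,tcp,445,SMB service detected (constructed),Informational finding only.,No action required.
900006,,0.0,None,192.168.1.3,udp,137,NetBIOS name service information (constructed),Informational finding only.,No action required.
"""


def load_findings(csv_text):
    """Parse the export into dicts keyed by column name; CVSS becomes a float."""
    findings = list(csv.DictReader(io.StringIO(csv_text)))
    for row in findings:
        row["CVSS"] = float(row["CVSS"]) if row["CVSS"] else 0.0
    return findings


def summarize_by_host(findings):
    """Count findings per host and Risk level, e.g. {'192.168.1.4': {'Critical': 1, ...}}."""
    summary = defaultdict(Counter)
    for f in findings:
        summary[f["Host"]][f["Risk"]] += 1
    return {host: dict(counts) for host, counts in summary.items()}


def hosts_needing_attention(findings, minimum="High"):
    """Hosts with at least one finding at or above the given Risk level, worst first."""
    threshold = SEVERITY_ORDER.index(minimum)
    worst_rank = {}
    for f in findings:
        rank = SEVERITY_ORDER.index(f["Risk"])
        if rank <= threshold:
            worst_rank[f["Host"]] = min(rank, worst_rank.get(f["Host"], rank))
    return sorted(worst_rank, key=lambda host: worst_rank[host])


def remediation_list(findings, host):
    """(Name, Solution) pairs for a host's Critical and High findings."""
    return [(f["Name"], f["Solution"]) for f in findings
            if f["Host"] == host and f["Risk"] in ("Critical", "High")]


if __name__ == "__main__":
    data = load_findings(SAMPLE_CSV)
    for host, counts in summarize_by_host(data).items():
        print(host, counts)
    for host in hosts_needing_attention(data):
        print("fix first:", host)
        for name, solution in remediation_list(data, host):
            print("   ", name, "->", solution)
```

To use it on a real export, pass the contents of the downloaded CSV to load_findings instead of SAMPLE_CSV; the same functions then give the per-host picture the web UI shows under Hosts, but in a form that can be pasted into a ticket or tracked between scans.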
Credentialed scans are scans in which the scanning computer has an account on the
computer being scanned that allows the scanner to do a more thorough check looking
for problems that cannot be seen from the network. Examples of the sorts of checks
that a credentialed scan can do include checks to see if the system is running insecure
versions of Adobe Acrobat or Java or if there are poor security permissions governing
a service. Information Security Office (ISO) runs Nessus scanners that can run these
credentialed scans; however, without accounts on the local machines, we are unable to
use this functionality. ISO will create accounts on one of the Nessus scanners for
departmental security administrators to do their own credentialed scans.
Configure a Domain Account for Authenticated Scanning
To create a domain account for remote host-based auditing of a Windows server, the
server must first be a supported version of Windows and be part of a domain.
Create a Security Group called Nessus Local Access
Log in to a Domain Controller and open Active Directory Users and Computers.
To create a security group, select Action > New > User.
Name the User Scanner. Set Member Of to add Select Groups and type Domain
Admins.
Add the account you will use to perform Nessus Windows Authenticated Scans to the
Nessus Local Access group.
In the Nessus application, go to the server address, 192.168.1.2, and click Configure.
Initialize the credentials in the required fields and click Save.
13. CIS Critical Security Controls
The CIS Critical Security Controls (CIS Controls) are a prioritized set of Safeguards to
mitigate the most prevalent cyber-attacks against systems and networks. They are
mapped to and referenced by multiple legal, regulatory, and policy frameworks. CIS
Controls v8 has been enhanced to keep up with modern systems and software.
Movement to cloud-based computing, virtualization, mobility, outsourcing, work-from-home,
and changing attacker tactics prompted the update, which supports an enterprise’s
security as it moves to both fully cloud and hybrid environments.
CIS Control 5 - Account Management
Use processes and tools to assign and manage authorization to credentials for user
accounts, including administrator accounts and service accounts, to enterprise assets
and software.
CIS Control 13 - Network Monitoring and Defense
Operate processes and tooling to establish and maintain comprehensive network
monitoring and defense against security threats across the enterprise's network
infrastructure and user base.
14. Cyber Security Questions & Answers
2. What is the difference between Asymmetric and Symmetric encryption, and which one is
better?
TIP: Keep the answer simple as this is a vast topic. Symmetric encryption uses the same key
for both encryption and decryption, while Asymmetric encryption uses different keys for
encryption and decryption. Symmetric is usually much faster but the key needs to be
transferred over an unencrypted channel. Asymmetric on the other hand is more secure
but slow. Hence, a hybrid approach should be preferred. Setting up a channel using
asymmetric encryption and then sending the data using a symmetric process.
automate tasks, exploit development etc. A little knowledge of the three can be of great
advantage – both in the interview and on the floor.
7. What is CSRF?
Cross-Site Request Forgery is a web application vulnerability in which the server does
not check whether the request came from a trusted client or not. The request is just
processed directly. It can be further followed by the ways to detect this, examples, and
countermeasures.
9. What is a Black hat, white hat, and grey hat hacker? Black hat hackers are those who
hack without authority. White hat hackers are authorized to perform a hacking attempt
under a signed NDA. Grey hat hackers are white hat hackers who sometimes perform
unauthorized activities.
10. What is a firewall? A firewall is a device that allows/blocks traffic as per the defined
set of rules. These are placed on the boundary of trusted and untrusted networks.
11. How do you keep yourself updated with the information security news?
Be sure to check and follow a few security forums and news sources so that you get regular
updates on what is happening in the market, the latest trends, and recent incidents.
12. The world has recently been hit by ……. attack/virus etc. What have you done to protect
your organization as a security professional?
Different organizations work in different ways, and the way an incident is handled differs
for each; some take it seriously and some do not. The answer should describe the process
for handling such an incident. Align this with what you actually did and go on… just don't
exaggerate.
15. What is port scanning?
Port scanning is the process of sending probe packets to a range of ports on a host or
network and analyzing the responses received to learn which ports are open and which
services are listening.
17. What are the items that should be included in a good penetration testing report?
A VAPT (vulnerability assessment and penetration testing) report should have an executive
summary explaining the observations at a high level along with the scope, period of testing,
etc. This can be followed by the number of observations, split category-wise into high,
medium, and low severity. Also include each detailed observation along with replication
steps and screenshots of the proof of concept, together with the remediation.
centralized data cleansing stations wherein the traffic to a website is analyzed and the
malicious traffic is removed.
26. What is a false positive and false negative in the case of IDS?
When the device generates an alert for an intrusion that has not actually happened, this is
a false positive; when an intrusion has happened but the device generated no alert, this is
a false negative.
29. What are your thoughts about the blue team and the red team?
A red team plays the attacker and a blue team the defender. Being on the red team seems
fun, but being on the blue team is harder because you need to understand the attacks and
methodologies the red team may follow.
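An added example (not part of the build book) that serves both the port-scanning question (15) and the false positive / false negative question above: a small Go detector reads constructed firewall-style deny lines, flags any source that reaches ten distinct destination ports within 60 seconds, and then scores itself against labelled ground truth so that all four IDS outcomes appear, including a slow scan the window misses (false negative) and a legitimate admin host that looks like a scanner (false positive). The log format, the addresses and the thresholds are constructed for the demo.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Event is one parsed line of the constructed firewall log format
// "2022-11-03T10:00:00Z src=10.0.0.5 dst=10.0.0.20 dport=22 action=deny".
type Event struct {
	Time  time.Time
	Src   string
	DPort int
}

// ParseLine returns ok=false for a line that does not fit the format.
func ParseLine(line string) (ev Event, ok bool) {
	fields := append(strings.Fields(line), "") // pad so fields[0] exists even for an empty line
	var err error
	if ev.Time, err = time.Parse(time.RFC3339, fields[0]); err != nil {
		return ev, false
	}
	for _, f := range fields[1:] {
		k, v, _ := strings.Cut(f, "=")
		if k == "src" {
			ev.Src = v
		} else if k == "dport" {
			ev.DPort, err = strconv.Atoi(v)
		}
	}
	return ev, err == nil && ev.Src != ""
}

// DetectScanners flags every source that reaches at least threshold distinct destination
// ports inside a window of the given length (lines are assumed to be in time order).
func DetectScanners(lines []string, threshold int, window time.Duration) map[string]bool {
	bySrc := map[string][]Event{}
	for _, l := range lines {
		if ev, ok := ParseLine(l); ok {
			bySrc[ev.Src] = append(bySrc[ev.Src], ev)
		}
	}
	flagged := map[string]bool{}
	for src, evs := range bySrc {
		ports := map[int]int{} // distinct ports inside the current window
		for i, j := 0, 0; i < len(evs); i++ {
			ports[evs[i].DPort]++
			for ; evs[i].Time.Sub(evs[j].Time) > window; j++ { // evict events older than the window
				if ports[evs[j].DPort]--; ports[evs[j].DPort] == 0 {
					delete(ports, evs[j].DPort)
				}
			}
			if len(ports) >= threshold {
				flagged[src] = true
			}
		}
	}
	return flagged
}

// Evaluate compares verdicts with labelled ground truth and returns the four IDS
// outcomes: true positives, false positives, false negatives, true negatives.
func Evaluate(flagged, truth map[string]bool) (tp, fp, fn, tn int) {
	for src, isScanner := range truth {
		if flagged[src] && isScanner {
			tp++
		} else if flagged[src] {
			fp++
		} else if isScanner {
			fn++
		} else {
			tn++
		}
	}
	return
}

// SampleLog builds constructed traffic for four hosts (not real data) together with
// the labels saying which of them are really scanning.
func SampleLog() (lines []string, truth map[string]bool) {
	base := time.Date(2022, 11, 3, 10, 0, 0, 0, time.UTC)
	hosts := []struct{ src string; n, stepSec, port, distinct int; scanner bool }{
		{"10.0.0.5", 12, 1, 20, 12, true},     // fast scan: 12 ports in 11 s
		{"10.0.0.7", 20, 60, 80, 2, false},    // normal client alternating two ports
		{"10.0.0.9", 12, 100, 3300, 12, true}, // slow scan: one new port every 100 s
		{"10.0.0.11", 10, 3, 5900, 10, false}, // admin host probing 10 ports in 27 s
	}
	truth = map[string]bool{}
	for _, h := range hosts {
		truth[h.src] = h.scanner
		for i := 0; i < h.n; i++ {
			t := base.Add(time.Duration(i*h.stepSec) * time.Second)
			lines = append(lines, fmt.Sprintf("%s src=%s dst=10.0.0.20 dport=%d action=deny",
				t.Format(time.RFC3339), h.src, h.port+i%h.distinct))
		}
	}
	return lines, truth
}
```

Running `DetectScanners(lines, 10, 60*time.Second)` on `SampleLog()` flags 10.0.0.5 and 10.0.0.11 and passes `Evaluate` one of each outcome: the fast scan is a true positive, the admin host a false positive, the slow scan a false negative, and the ordinary client a true negative. Widening the window or lowering the threshold trades one error type for the other, which is the tuning decision behind every IDS rule.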
32. Two quick points on web server hardening?
Web server hardening includes disabling unnecessary services running on various ports
and removing default test scripts from the servers. Web server hardening is a lot more
than this, and organizations usually have a customized checklist for hardening their
servers. Any server that gets created must be hardened, and the hardening must be
re-confirmed on a yearly basis. Even the hardening checklist must be reviewed yearly for
new add-ons.
33. What is data leakage? How will you detect and prevent it?
Data leakage is when data gets out of the organization in an unauthorized way. Data can
leak through various channels: emails, printouts, lost laptops, unauthorized upload of
data to public portals, removable drives, photographs, etc. Various controls can be put in
place to ensure that data does not leak; a few are restricting uploads to internet websites,
deploying an internal encryption solution, restricting mail to the internal network, and
restricting the printing of confidential data.
34. What are the different levels of data classification and why are they required?
Data needs to be segregated into various categories so that its severity can be defined;
without this segregation, a piece of information can be critical for one person but not so
critical for others. The levels of data classification vary from organization to
organization, but in broad terms data can be classified into:
Top secret – its leakage can have a drastic effect on the organization, e.g., trade secrets.
Confidential – internal to the company, e.g., policies and processes.
Public – publicly available, like newsletters.
35. In a situation where a user needs admin rights on his system to do daily tasks, what should
be done – should admin access be granted or restricted?
Users are usually not given admin access, to reduce risk, but in certain cases they can be
granted it. Just ensure that the users understand their responsibility. Where such access is
granted, it should be for a limited time only, after senior management approval and with a
valid business justification.
36. What are your views on the usage of social media in the office?
Social media is acceptable; just ensure content filtering is enabled and upload features are
restricted. Read-only mode is acceptable as long as it does not interfere with work.
37. What are the various ways by which employees are made aware of information
security policies and procedures?
There are various ways in which this can be done:
Employees should undergo mandatory information security training after joining the
organisation. This should also be repeated on a yearly basis, either as a classroom
session followed by a quiz or as online training.
Notifications should be sent out on a regular basis in the form of slides, one-pagers, etc.
to ensure that employees stay aware.
38. In a situation where both open-source software and licensed software are available to
get the job done, what should be preferred and why?
For an enterprise, it is better to go for the licensed version of the software, as much
software comes with an agreement clause that it is for individual use and not for
commercial purposes. Plus, the licensed version is kept updated and is easy to track in an
organization. It also helps clients develop confidence in the organization's software and
practices.
40. What should be included in a CEO-level report from a security standpoint?
A CEO-level report should be no more than two pages and contain:
A summarized picture of the state of the organization's security structure.
Quantified risk and ALE (Annual Loss Expectancy) results along with countermeasures.
44. Chain of custody?
For legal cases the data or device (the evidence) must keep its integrity, so every access
to it needs to be documented: who, what, when, and why. A break in this process can
cause legal issues for the parties involved.
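An added example (not from the build book) of the documentation the answer above calls for, in Go: each handling of the evidence is recorded with who, what, when and why plus the SHA-256 of the evidence at that moment, and each entry is hashed together with the previous entry's hash, so Verify can show that neither the evidence nor the log itself was changed afterwards. The analyst names, the incident reference and the evidence bytes are constructed placeholders.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Entry records one handling of the evidence: who did what, when and why, the
// evidence hash observed at that moment, and the hash of the previous entry so
// the log cannot be edited without breaking the chain.
type Entry struct {
	Who, What, Why string
	When           time.Time
	EvidenceHash   string
	PrevHash       string
	EntryHash      string
}

// HashEvidence returns the hex SHA-256 of an evidence image or file.
func HashEvidence(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// computeHash covers every field of the entry plus the previous entry's hash.
func (e Entry) computeHash() string {
	sum := sha256.Sum256([]byte(e.Who + "|" + e.What + "|" + e.Why + "|" +
		e.When.UTC().Format(time.RFC3339Nano) + "|" + e.EvidenceHash + "|" + e.PrevHash))
	return hex.EncodeToString(sum[:])
}

// Log is the chain of custody for one piece of evidence.
type Log struct {
	Entries []Entry
}

// Record appends a custody entry, hashing the evidence as it is right now.
func (l *Log) Record(who, what, why string, when time.Time, evidence []byte) Entry {
	e := Entry{Who: who, What: what, Why: why, When: when, EvidenceHash: HashEvidence(evidence)}
	if n := len(l.Entries); n > 0 {
		e.PrevHash = l.Entries[n-1].EntryHash
	}
	e.EntryHash = e.computeHash()
	l.Entries = append(l.Entries, e)
	return e
}

// Verify checks that every entry still hashes to its recorded value, that the
// entries chain together, that the evidence hash never changed between two
// entries, and that the evidence presented now matches the last entry.
func (l *Log) Verify(evidence []byte) error {
	if len(l.Entries) == 0 {
		return fmt.Errorf("empty custody log")
	}
	prev := ""
	for i, e := range l.Entries {
		if e.PrevHash != prev {
			return fmt.Errorf("entry %d: chain broken", i)
		}
		if e.computeHash() != e.EntryHash {
			return fmt.Errorf("entry %d: entry was altered after it was written", i)
		}
		if i > 0 && e.EvidenceHash != l.Entries[i-1].EvidenceHash {
			return fmt.Errorf("entry %d: evidence changed while in the custody of %s", i, l.Entries[i-1].Who)
		}
		prev = e.EntryHash
	}
	if got := HashEvidence(evidence); got != l.Entries[len(l.Entries)-1].EvidenceHash {
		return fmt.Errorf("evidence presented now (%s...) does not match the custody record", got[:12])
	}
	return nil
}

func main() {
	// Constructed example: a disk image stands in as a short byte string.
	image := []byte("constructed disk image bytes")
	t0 := time.Date(2022, 11, 3, 9, 0, 0, 0, time.UTC)
	var custody Log
	custody.Record("analyst-a", "acquired image from laptop", "incident IR-0001 (constructed)", t0, image)
	custody.Record("analyst-b", "received image for analysis", "malware triage", t0.Add(2*time.Hour), image)
	fmt.Println("verify original:", custody.Verify(image))
	altered := append([]byte(nil), image...)
	altered[0] ^= 1
	fmt.Println("verify altered: ", custody.Verify(altered))
}
```

The first hash is the one to record the moment evidence is acquired; every later hand-over re-hashes the evidence, so Verify can point at exactly which custodian held it when a change occurred.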