Unit 1
Unit 2
Unit 3
Unit 4
Ethics & Law
100

Describe the difference between active and passive digital footprints.

An active digital footprint is created by things you do deliberately, like posting on social media, while a passive digital footprint is created without you knowing, like a website logging your IP address.

100

Describe data classification.

What is the process of organizing data into categories (Public, Internal, Confidential, Restricted) based on the potential impact of unauthorized access.

100

Describe five important command-line tools for network investigation.

netstat (shows active connections and ports), ipconfig (shows IP/MAC addresses), ping (tests connectivity/latency), traceroute (shows the path/hops to a destination), and nslookup (queries DNS for IP addresses).

100

Describe the difference between symmetric and asymmetric encryption.

Symmetric uses one shared key (e.g., AES for full disk encryption), while asymmetric uses a public key to encrypt and a private key to decrypt (e.g., RSA for securing an HTTPS session key exchange).

100

Describe the Computer Fraud and Abuse Act (CFAA).

This U.S. law prohibits intentionally accessing a computer without authorization to obtain information or transmitting malware, with penalties ranging from $250,000 fines to 20 years in prison.

200

Describe a passphrase.

What is a long string of random, unrelated words (like "Correct-Horse-Battery-Staple") that provides more security than a short, complex character combination.

200

Describe the three cloud service models and one risk for each.

IaaS (Infrastructure as a Service) gives you the hardware but you manage the OS (risk: misconfiguration); PaaS (Platform as a Service) gives you the development tools but not the underlying OS (risk: API vulnerabilities); SaaS (Software as a Service) gives you the full application (risk: data sharing misconfigurations).

200

Describe the difference between DAC, MAC, and RBAC access control models.

Discretionary (DAC) lets owners set permissions (risky if a malicious user owns the file); Mandatory (MAC) uses system-enforced labels; Role-Based (RBAC) assigns permissions based on job function, making it scalable and harder for malicious lateral movement.

200

Describe how hashing differs from encryption.

Hashing is a one-way function (cannot be reversed) used for integrity checks and password storage, while encryption is two-way (can be decrypted with a key) used for confidentiality.

200

Describe what must be in place before a penetration tester begins their work.

Pen testing is legal only with explicit written authorization (a signed Rules of Engagement) from the system owner and a clearly defined scope outlining exactly what systems can be tested and when.

300

Describe three red flags of a phishing email.

What is a suspicious sender address, urgent or threatening language demanding immediate action, and links that lead to unexpected websites when hovered over.

300

Describe how a simple SQL injection exploits a vulnerable login query.

The malicious input ' OR '1'='1 entered into a username field tricks the database query SELECT * FROM users WHERE username = '[INPUT]' AND password = '[INPUT]' into returning all rows because '1'='1' is always true.

300

Describe the five core functions of the NIST Cybersecurity Framework.

Identify (understand risk to assets), Protect (implement safeguards), Detect (discover events promptly), Respond (take action on incidents), Recover (restore capabilities/services).

300

Describe the four general phases of digital forensics.

Collection (forensic image), Examination (recover deleted files), Analysis (piece together what happened), Reporting (document findings for court).

300

Describe 'Responsible Disclosure' and why it matters.

Privately reporting a discovered vulnerability to the software vendor or organization and giving them a reasonable amount of time (e.g., 90 days) to patch the flaw before publicly disclosing it. This prevents malicious actors from exploiting the weakness before a fix is available.

400

Describe five types of malware.

What is a virus (needs user interaction, e.g., Elk Cloner), worm (self-replicates across networks), trojan (disguises as legit software, e.g., Zeus), ransomware (encrypts files for ransom, e.g., CryptoLocker), and spyware (monitors user activity, e.g., CoolWebSearch).

400

Describe the Principle of Least Privilege and how it is applied to a web server.

This principle states users should have only the bare minimum access necessary to perform their job functions. On a web server, you would apply it by ensuring content editors cannot install plugins, and developers cannot directly access the live database unless explicitly approved with an admin password.

400

Describe how ARP poisoning allows an attacker to intercept network traffic.

ARP maps IP addresses to MAC addresses. In a poisoning attack, a malicious actor sends forged ARP replies claiming their MAC address belongs to the gateway IP. The victim updates their cache, sending all traffic to the attacker, enabling a Man-in-the-Middle attack to steal credentials or inject malware.

400

Describe how Public Key Infrastructure (PKI) and a Certificate Authority work to establish trust online.

PKI is a framework that manages digital certificates, which act as digital passports linking a public key to an identity. We trust Certificate Authorities (CAs) because they are trusted third parties that sign these certificates, verifying the entity's identity and creating a chain of trust rooted in well-established organizations.

400

Describe three distinct cybersecurity career paths and one relevant certification for each.

Answers may vary; examples: 1. Security Analyst (SOC Analyst) - CompTIA CySA+. 2. Penetration Tester - OSCP. 3. Cloud Security Engineer - CCSP. 4. GRC Analyst - CISA.

500

Describe the safe procedure to evaluate a suspicious text message link.

You receive a text from an unknown number with a link promising free concert tickets. You cannot hover over the link on your phone to check the URL. You should copy the link, paste it into a plaintext notes app to see the full destination, and use an online link scanner service to determine if it is malicious before even considering clicking it. You should also verify the sender's identity through a separate channel if they claim to be someone you know.

500

Describe six specific security controls you would implement to secure an eCommerce website.

1. Use HTTPS to encrypt traffic and prevent MitM attacks. 2. Implement MFA so stolen passwords are insufficient for malicious access. 3. Deploy a Web Application Firewall to block XSS and SQLi. 4. Use DDoS protection to filter malicious flood traffic. 5. Perform regular patching to close backdoors. 6. Hire penetration testers bi-annually to proactively find and fix weaknesses.

500

Describe the specific steps to identify the exploit, secure the system, and prevent future attacks on a compromised school network.

Identify: Check SIEM/Firewall logs for spikes in outbound traffic to unknown IPs or lateral movement (e.g., SMB connections at 2 AM). Secure: Immediately isolate the affected machine segment from the rest of the network, force password resets for all staff/students, and patch the entry point vulnerability (e.g., phishing link). Prevent: Implement MFA for staff, remove local admin rights from users, and schedule regular vulnerability scans and security awareness training with phishing simulations.

500

Describe how an investigator can recover files a suspect thought they deleted, and what specific types of evidence might still be found.

Even if a suspect deletes files, documents, images, and chat logs, they are recoverable because deletion only removes the file pointer, not the actual data. The data remains in unallocated space on the drive until it is overwritten. Investigators can create a forensic image of the drive and use software to carve out this residual data, revealing evidence of malicious activity the user tried to hide. Additionally, metadata from these recovered files can reveal the original creation date, author, and GPS location.

500

You are a pen tester with a signed scope for a web server. During the test, you find a vulnerability that gives you access to an unrelated internal database server containing customer data. Describe the ethical and legal next step.

If an ethical hacker discovers a secondary, unrelated system containing customer data while testing a web server (within the authorized scope), they should immediately stop any further interaction with the newly discovered system. They must not exploit or probe the new system. Instead, they must report the finding to the primary contact listed in the Rules of Engagement. Accessing or testing that system would be illegal under the CFAA because it was not explicitly authorized in the signed scope of work.