1
Reference answer
A cloud-based SIRT (Security Incident Response Team) is a team of security professionals that responds to security incidents in cloud environments in order to contain and mitigate their impact.
2
Reference answer
IoT devices often have limited built-in security features and may be vulnerable if not configured correctly. Securing these devices requires robust authentication, encryption, and monitoring to prevent unauthorized access and exploitation.
3
Reference answer
TCP uses a three-way handshake to establish reliable connections. The connection is full-duplex, so synchronization (SYN) and acknowledgment (ACK) take place in both directions. These four flag events are exchanged in three segments: SYN, SYN-ACK, and ACK.
4
Reference answer
- Verify the alert: is this a true positive? Check the SIEM for context. Is the user known to work late? Is the external IP on a threat intelligence list? What type of data is being transferred?
- Assess severity: if the destination is a known malicious IP or the data volume is far outside normal behavior, escalate immediately.
- Contain: disable the user account or block the external IP at the firewall. Do not shut down the machine yet; you may need forensic evidence.
- Investigate: check for signs of compromise such as unusual login locations, new processes on the endpoint, and credential theft indicators. Was the account phished? Is malware present?
- Communicate: notify the incident response lead and follow your organization's escalation procedures.
- Document: log every action and finding in your incident tracking system with timestamps.
5
Reference answer
I assess new risks associated with growth, such as increased attack surfaces, and implement scalable solutions like cloud-based security tools. I also hire additional staff and update policies.
6
Reference answer
A strong password is at least 12 characters long, includes a mix of uppercase and lowercase letters, numbers, and special characters, avoids common words or personal information, and is unique for each account.
7
Reference answer
Decrypting and scanning encrypted traffic for malware.
8
Reference answer
A traceroute (tracert on Windows) helps you see where a breakdown in communication occurred. It shows the routers your packets pass through on the way to the final destination, so if there is a point you cannot reach, you can see where along the path the failure happened.
9
Reference answer
A man-in-the-middle attack is an attack where the attacker secretly intercepts and relays messages between two parties, allowing them to eavesdrop, alter, or steal sensitive information. Common prevention methods include using encryption and secure communication protocols to protect data integrity and confidentiality.
10
Reference answer
Disaster recovery planning questions address business continuity, backup strategies, recovery time objectives (RTO), recovery point objectives (RPO), and testing plans to restore operations after a disaster.
11
Reference answer
Data leakage is the illegitimate transmission of data to an external destination or to an unauthorized person within an enterprise. Data can leak both physically and electronically; it most often happens through the internet, email, and mobile data storage devices.
Types of data leakage:
1) Accidental breach. Most data breaches are unintentional; for example, when sending confidential data, an employee may select the wrong recipient.
2) Malicious intent in electronic communications. Every electronic medium is capable of transmitting files and reaching outside sources across the internet.
3) Disgruntled employee. An authorized employee sends confidential data to an unauthorized entity.
12
Reference answer
The three-way handshake establishes a TCP connection: (1) the client sends a SYN with an initial sequence number; (2) the server responds with a SYN-ACK, acknowledging the client's sequence number and providing its own; (3) the client sends an ACK, completing the connection.
Exploitation (SYN flood attack): an attacker sends a massive volume of SYN packets with spoofed source IP addresses. The server allocates resources for each half-open connection and sends SYN-ACKs to the spoofed addresses, which never respond. The server's connection table fills up, denying service to legitimate users.
Mitigations: SYN cookies (the server does not allocate resources until the handshake completes), rate limiting, firewall rules to detect and block SYN floods, and upstream DDoS mitigation services.
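The following is an added example, not part of the original answer, that models the handshake described above in plain Python (no network traffic). It contrasts a classic listener, which stores a half-open entry per SYN and is exhausted by SYNs that never complete, with a SYN-cookie listener that keeps no state until a valid ACK arrives. The class and function names, the 16-byte HMAC key, and the cookie construction are my own simplified model; real kernel SYN cookies pack a timestamp and MSS hint into the sequence number rather than using a full HMAC.

```python
import hashlib
import hmac
import secrets

MASK32 = 0xFFFFFFFF  # TCP sequence numbers wrap at 32 bits


class StatefulListener:
    """Classic handshake: allocate a half-open entry for every SYN received."""

    def __init__(self, backlog):
        self.backlog = backlog      # maximum number of half-open connections
        self.half_open = {}         # (src_ip, src_port) -> server ISN
        self.established = set()
        self.refused = 0            # SYNs dropped because the table was full

    def on_syn(self, src, client_isn):
        if len(self.half_open) >= self.backlog:
            self.refused += 1       # table full: even legitimate SYNs are refused
            return None
        server_isn = secrets.randbits(32)
        self.half_open[src] = server_isn
        return ("SYN-ACK", server_isn, (client_isn + 1) & MASK32)

    def on_ack(self, src, seq, ack):
        server_isn = self.half_open.get(src)
        if server_isn is None or ack != (server_isn + 1) & MASK32:
            return False
        del self.half_open[src]
        self.established.add(src)
        return True


class SynCookieListener:
    """Simplified SYN cookies (assumed model): the server ISN is a MAC over the
    SYN's addressing, so no state is kept until a valid ACK proves the handshake."""

    def __init__(self, key=None):
        self.key = key if key is not None else secrets.token_bytes(16)
        self.established = set()

    def _cookie(self, src, client_isn):
        msg = f"{src[0]}:{src[1]}:{client_isn}".encode()
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, src, client_isn):
        # Nothing is stored; a flood of spoofed SYNs costs one MAC per packet.
        return ("SYN-ACK", self._cookie(src, client_isn), (client_isn + 1) & MASK32)

    def on_ack(self, src, seq, ack):
        # The final ACK carries seq = client_isn + 1, so the cookie can be
        # recomputed. Only a peer that received the SYN-ACK knows cookie + 1.
        client_isn = (seq - 1) & MASK32
        if ack != (self._cookie(src, client_isn) + 1) & MASK32:
            return False
        self.established.add(src)
        return True


def simulate_flood(listener, spoofed_syns, legit_src=("192.0.2.10", 40000)):
    """Constructed scenario: spoofed SYNs that never complete, then one
    legitimate client. Returns True if the legitimate client gets connected."""
    for i in range(spoofed_syns):
        spoofed = (f"203.0.113.{i % 254 + 1}", 1024 + i)   # documentation range
        listener.on_syn(spoofed, 1000 + i)                   # no ACK ever follows
    client_isn = 5555
    reply = listener.on_syn(legit_src, client_isn)
    if reply is None:
        return False                                          # service denied
    _, server_isn, _ = reply
    return listener.on_ack(legit_src, (client_isn + 1) & MASK32,
                           (server_isn + 1) & MASK32)


if __name__ == "__main__":
    print("stateful, 200 spoofed SYNs, backlog 128:",
          simulate_flood(StatefulListener(backlog=128), 200))   # False
    print("SYN cookies, 200 spoofed SYNs:",
          simulate_flood(SynCookieListener(), 200))            # True
```

With a backlog of 128 and 200 half-open SYNs the stateful listener refuses the legitimate client, while the cookie listener still completes its handshake because it allocated nothing for the spoofed SYNs; the trade-off is that a forged ACK is rejected by recomputing the MAC, and the server must be able to rebuild the connection state from the ACK alone.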
13
Reference answer
Cloud security analytics is a solution that provides real-time insight into cloud security threats and risks using advanced analytics and machine learning.
14
Reference answer
- SIEM systems collect and analyze log data from various sources within a network, offering a holistic view of security events.
- By correlating information and providing real-time alerts, SIEM systems help detect and respond to security incidents promptly, enhancing the overall network security posture.
15
Reference answer
Segmenting networks (VLANs, firewalls) reduces attack spread and improves control.
16
Reference answer
WANs (wide area networks) connect LANs over telephone lines and radio links to form computer networks that cover a large area, even if they are confined to a single country or state. Enterprises, government agencies, and other organizations may connect to WANs. WANs are fast and costly to operate, and they are difficult to design and maintain. There are two types: switched WANs and point-to-point WANs. A WAN is less fault-tolerant and suffers more network congestion than a MAN. Telephone lines or satellite links are used for communication, so WANs are prone to long-distance noise and errors. WAN data rates are lower than LAN data rates because of the greater distances and the larger number of servers and terminals involved: WAN speeds range from Kbps to Mbps, whereas LAN speeds typically range from Mbps to gigabits per second (Gbps). The biggest obstacle is propagation delay. WAN transmission uses optical fibre, microwave links, and satellites in addition to other network devices. Switched WANs include Asynchronous Transfer Mode (ATM) networks; a point-to-point WAN connects, for example, a home computer to the Internet via a telephone line.
17
Reference answer
A vulnerability assessment scans for known issues like outdated software or misconfigurations. It is broad but passive. Penetration testing is active – it simulates real attacks to find how deep someone could go. Both are useful but serve different purposes.
18
Reference answer
To check if a given IP address is reachable, you can use the subprocess module in Python to run the ping command and check whether it exits successfully. Here is a simple script to achieve this:

```python
import platform
import subprocess


def is_reachable(ip):
    # Windows ping takes the packet count as -n; Linux and macOS use -c
    count_flag = "-n" if platform.system() == "Windows" else "-c"
    try:
        # Arguments are passed as a list (no shell), so a hostile 'ip' string
        # cannot inject extra shell commands; the timeout avoids hanging forever.
        subprocess.check_output(["ping", count_flag, "1", ip], timeout=10)
        return True
    except (subprocess.CalledProcessError, subprocess.TimeoutExpired):
        return False
```
19
Reference answer
A vulnerability assessment is a systematic process of identifying and assessing potential vulnerabilities in a system or network. Its purpose is to proactively discover weaknesses and security flaws that could be exploited by attackers. By conducting regular vulnerability assessments, organizations can identify and prioritize security vulnerabilities, implement appropriate security controls, and reduce the risk of successful cyber attacks.
20
Reference answer
This question should inspire a short conversation about encryption, which gives you the chance to explain your knowledge of it. Though you're often going to be implementing and choosing between encryption systems rather than building them, it should be something that you know about in theory.
21
Reference answer
An Intrusion Detection System (IDS) monitors network traffic for suspicious activity and alerts administrators, while an Intrusion Prevention System (IPS) not only detects but also prevents and blocks potential threats in real-time. Both systems are crucial for maintaining network security by identifying and mitigating threats.