Security Operations

The document serves as a comprehensive study guide for Security Operations, detailing critical areas such as system hardening, vulnerability management, incident response, and identity access management. It emphasizes the importance of securing systems through various techniques and tools to mitigate cybersecurity threats. Additionally, it provides insights into security monitoring, automation, and key acronyms relevant to the Security+ exam.

Uploaded by Bharath Venkat
Copyright © All Rights Reserved

Security Operations – Comprehensive Study Guide (28%)

Security Operations is the largest domain in the Security+ exam. This section covers incident
response, vulnerability management, security automation, forensic investigation, identity
access management, and risk mitigation techniques. Mastering these concepts is crucial for
preventing, detecting, and responding to cybersecurity threats.

1. Security Hardening & Baseline Configurations

1.1 System Hardening (Reducing the Attack Surface)

System hardening means securing hardware, software, networks, and applications to reduce
vulnerabilities.

Hardening Steps for Different Environments

Operating Systems:

• Apply patches and updates regularly.

• Remove bloatware and unnecessary services.

• Implement least privilege access (remove admin rights for users).

• Enable firewall rules (restrict inbound/outbound traffic).

• Use secure boot and BIOS/UEFI password protection.

Network Hardening:

• Disable unused ports and protocols (e.g., Telnet, SMBv1).

• Enable Access Control Lists (ACLs).

• Use intrusion detection and prevention systems (IDS/IPS).

• Implement 802.1X authentication (network access control).

• Use VPNs for secure remote access.

Database Hardening:

• Change default database accounts/passwords.

• Enable database encryption (TDE – Transparent Data Encryption).

• Monitor SQL injection attempts.

• Restrict direct database access.

Cloud & Virtualization Hardening:

• Use IAM policies to restrict access.


• Implement Security Groups & Network ACLs in cloud environments.

• Apply role-based access control (RBAC).

1.2 Secure Configuration Baselines

A secure baseline is a predefined security configuration that helps maintain consistency and
compliance.

• Use CIS Benchmarks for baseline recommendations.

• Regularly audit system configurations.

• Implement configuration management tools (Ansible, SCCM, Chef).
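
A worked example of the baseline audit described above, added here and not taken from the study guide: it parses an sshd_config and reports every directive that drifts from a CIS-style baseline. The baseline values, the sample configuration (constructed) and the simple "Key value" line format are this example's own assumptions.

```python
"""Added example (not from the study guide): audit an sshd_config against a
CIS-style secure baseline and report configuration drift.

Assumptions: the baseline values, the sample sshd_config below (constructed)
and the simple 'Key value' line format are this example's own."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Baseline: directive -> required value (assumed for illustration).
BASELINE: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "Protocol": "2",
}

# Constructed sample of a drifted configuration, not a real host's file.
SAMPLE_SSHD_CONFIG = """\
# OpenSSH server configuration (sample)
Protocol 2
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
MaxAuthTries 6
"""


@dataclass(frozen=True)
class Finding:
    setting: str
    expected: str
    actual: Optional[str]  # None: directive absent, so sshd's default applies


def parse_config(text: str) -> Dict[str, str]:
    """Effective directives; comments and blank lines are ignored. sshd honours
    the first occurrence of a directive, so later duplicates are dropped."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        effective.setdefault(key, value)
    return effective


def audit(config_text: str, baseline: Dict[str, str] = BASELINE) -> List[Finding]:
    """Return one Finding per baseline directive that is missing or wrong.
    A commented-out directive counts as missing: the daemon falls back to its
    default (for PasswordAuthentication that is 'yes'), so it must be flagged."""
    effective = parse_config(config_text)
    findings: List[Finding] = []
    for setting, expected in baseline.items():
        actual = effective.get(setting)
        if actual is None or actual.lower() != expected.lower():
            findings.append(Finding(setting, expected, actual))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SSHD_CONFIG):
        print(f"DRIFT {f.setting}: expected {f.expected!r}, found {f.actual!r}")
```

The check that matters most is the commented-out directive: a scanner that only greps for "PasswordAuthentication no" would report the sample as compliant, while the effective setting is the daemon default.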

2. Vulnerability Management & Threat Intelligence

Vulnerability management ensures that organizations detect, analyze, and mitigate security
flaws.

2.1 Vulnerability Scanning

Automated scans detect software and network weaknesses.

Common tools:

• Nessus – Network vulnerability scanner.

• OpenVAS – Open-source vulnerability scanner.

• Qualys – Cloud-based security scanner.

Scan Types:

• Credentialed scans (authenticated) – Deeper system inspection.

• Non-credentialed scans – External vulnerability discovery.

• External vs. Internal scans – Detect threats inside/outside the network.

• Compliance scans – Ensure adherence to industry standards (PCI-DSS, NIST).

2.2 Threat Intelligence

Threat intelligence helps predict cyberattacks using real-time data and research.

Threat Intelligence Sources

• OSINT (Open-source intelligence): Blogs, research papers, forums.

• Dark Web monitoring: Identifies leaked credentials and threats.

• MITRE ATT&CK Framework: Catalogs real-world attack techniques.


• Threat Feeds & SIEM Logs: Provide real-time alerts on attacks.

Types of Threat Actors

• Hacktivists – Attack organizations for political reasons.

• Insiders – Employees or contractors misusing access.

• Nation-state actors (APTs) – Government-sponsored cyber espionage.

• Script kiddies – Inexperienced attackers using pre-built tools.

3. Incident Response & Digital Forensics

Incident response is the structured process for detecting, analyzing, and mitigating security
incidents.

3.1 Incident Response Lifecycle (NIST SP 800-61)

NIST SP 800-61 groups the lifecycle into four phases (Preparation; Detection & Analysis;
Containment, Eradication & Recovery; Post-Incident Activity). The exam breaks them out as:

1. Preparation: Create policies, train employees, deploy security tools.

2. Detection & Analysis: Use SIEM, log monitoring, IDS/IPS, and honeypots.

3. Containment: Isolate infected systems (short-term/long-term containment).

4. Eradication: Remove malware, close exploited vulnerabilities.

5. Recovery: Restore systems, validate security controls.

6. Lessons Learned: Review root causes, improve policies.

Key Terms to Know

• Indicators of Compromise (IoCs): Evidence of a security breach (e.g., unusual login activity,
privilege escalation).

• SIEM (Security Information and Event Management): Centralized logging and correlation
tool.

• Playbooks: Step-by-step guides for responding to different attack types.

3.2 Digital Forensics

Forensic investigations collect and analyze digital evidence after an incident.

Forensic Principles

• Chain of Custody: Documents handling of evidence.

• Order of Volatility: Capture the most volatile data first (CPU registers and cache, RAM and
running processes, network connections, then disk, then backups and archives).

• Write Blockers: Prevent modification of forensic evidence.


Forensic Data Acquisition

• Live Forensics: Examining running system memory.

• Dead Forensics: Analyzing disk images and logs.

Forensic Tools:

• FTK Imager: Forensic disk and memory imaging with hash verification; Autopsy: Disk image
analysis and file recovery.

• Volatility Framework: Memory forensics.

• Wireshark: Packet capture and analysis.
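
A worked example of the chain-of-custody and integrity principles from 3.2, added here and not taken from the study guide: the acquired image is hashed once at acquisition, every later custody entry commits to the hash of the entry before it, and verification fails if the image or any entry is altered or removed. The evidence bytes and the log format are this example's own (a real image would be read from the write-blocked device and hashed in chunks).

```python
"""Added example (not from the study guide): tamper-evident chain-of-custody
record for an acquired evidence image.

Assumptions: EVIDENCE_IMAGE is a constructed stand-in for a disk or memory
image, and the custody-log layout (a hash chain of JSON entries) is this
example's own design."""
import hashlib
import json
from typing import Dict, List, Optional

# Constructed stand-in for an acquired image.
EVIDENCE_IMAGE = b"\x00" * 4096 + b"CONSTRUCTED-SAMPLE-IMAGE" + b"\xff" * 4096


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash(entry: Dict) -> str:
    """Canonical hash of one custody entry (sorted keys, so field order cannot matter)."""
    return sha256_hex(json.dumps(entry, sort_keys=True).encode())


def acquisition_record(image: bytes, case_id: str, collected_by: str, source: str) -> Dict:
    """First custody entry: ties the image hash to who acquired it and from where."""
    return {"seq": 0, "case_id": case_id, "action": "acquired", "by": collected_by,
            "source": source, "image_sha256": sha256_hex(image), "prev": None}


def append_entry(log: List[Dict], action: str, by: str) -> List[Dict]:
    """Add a transfer/analysis entry whose 'prev' field commits to the prior entry."""
    entry = {"seq": len(log), "case_id": log[0]["case_id"], "action": action, "by": by,
             "image_sha256": log[0]["image_sha256"], "prev": entry_hash(log[-1])}
    return log + [entry]


def verify(log: List[Dict], image: bytes) -> bool:
    """True only if the image still matches the acquisition hash and every
    entry's 'prev' matches the entry before it (no edits, no gaps, no reordering)."""
    if not log or log[0]["prev"] is not None or log[0]["image_sha256"] != sha256_hex(image):
        return False
    for i in range(1, len(log)):
        if log[i]["seq"] != i or log[i]["prev"] != entry_hash(log[i - 1]):
            return False
    return True


if __name__ == "__main__":
    log = [acquisition_record(EVIDENCE_IMAGE, "IR-2024-001", "analyst1", "laptop /dev/sda (sample)")]
    log = append_entry(log, "transferred to evidence locker", "analyst1")
    log = append_entry(log, "checked out for analysis", "analyst2")
    print("custody chain intact:", verify(log, EVIDENCE_IMAGE))
```

Hashing proves the image was not modified; the hash chain proves the paperwork was not modified either, which is what a court or auditor asks about when the chain of custody is challenged.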

4. Security Monitoring & SIEM

Security monitoring ensures continuous observation of systems for suspicious activity.

4.1 SIEM (Security Information and Event Management)

SIEM solutions aggregate, analyze, and correlate logs for threat detection.

• Examples: Splunk, IBM QRadar, ArcSight, ELK Stack

• Uses: Detecting anomalies, compliance reporting, log management.

4.2 Endpoint Detection & Response (EDR)

EDR solutions actively monitor endpoints (workstations, servers) for real-time attack detection.

• CrowdStrike Falcon, SentinelOne, Carbon Black

4.3 Network Security Monitoring

• Intrusion Detection Systems (IDS): Alerts on suspicious traffic.

• Intrusion Prevention Systems (IPS): Blocks detected threats.

• Honeypots: Decoy systems used to detect attacks.

5. Identity & Access Management (IAM)

IAM ensures only authorized users have access to resources.

5.1 Authentication Methods

• Single Sign-On (SSO) – One login for multiple systems.

• Multifactor Authentication (MFA) – Combines at least two authentication factors.

• Biometric Authentication – Fingerprint, facial recognition.

5.2 Privileged Access Management (PAM)


• Just-in-Time (JIT) Access – Grants temporary elevated permissions.

• Session Monitoring – Tracks administrative activity.

6. Security Automation & Orchestration

Automation reduces human effort and enhances security efficiency.

SOAR (Security Orchestration, Automation, and Response)

• Automates security workflows (threat detection, response).

• Integrates with SIEM, EDR, and firewalls.

Use Cases

• Automated phishing email analysis.

• Automatic firewall rule updates.

• Real-time threat intelligence integration.

Conclusion

Security Operations is a broad domain covering hardening, vulnerability management, threat
intelligence, incident response, digital forensics, monitoring, IAM, and automation.

1. Security Techniques for Computing Resources

Understanding how to secure different types of computing resources is crucial for passing the
Security+ exam.

1.1 Secure Baselines

• Definition: A secure baseline is a pre-configured security setting for systems, ensuring they
operate securely.

• Steps:

1. Establish a security baseline by configuring recommended settings.

2. Deploy these settings across systems.

3. Maintain and update baselines as threats evolve.

1.2 Hardening Techniques

Hardening refers to reducing a system's attack surface by disabling unnecessary services,
restricting access, and improving system configurations.

• Targets of Hardening:

o Mobile Devices – Enforce MDM (Mobile Device Management), disable unnecessary apps.

o Workstations & Servers – Apply patches, disable unnecessary ports/services.

o Switches & Routers – Enable access control lists (ACLs), secure remote access.

o Cloud Infrastructure – Implement IAM (Identity and Access Management) controls.

o IoT & Embedded Systems – Use network segmentation and device authentication.

1.3 Wireless Security Best Practices

• Wi-Fi Security Protocols: WPA3 > WPA2 > WPA > WEP (WEP and WPA are broken and should not be used)

• Authentication Mechanisms:

o RADIUS (Remote Authentication Dial-In User Service) – AAA server used with 802.1X / WPA-Enterprise

o AAA (Authentication, Authorization, and Accounting) – the framework that RADIUS and TACACS+ implement

o EAP (Extensible Authentication Protocol) – carries the credential exchange (EAP-TLS uses certificates)

• Securing Wireless Devices: Use site surveys and heat maps for optimized placement.

2. Vulnerability Management

Vulnerability management is a proactive approach to identifying, evaluating, and mitigating security
risks.

2.1 Identification Methods

• Vulnerability Scanning – Uses automated tools to detect weaknesses.

• Penetration Testing – Simulates cyberattacks to identify security gaps.

• Threat Intelligence Feeds:

o Open-source intelligence (OSINT)

o Dark Web monitoring

o Common Vulnerabilities and Exposures (CVE) Database

2.2 Analysis & Prioritization

• False Positives vs. False Negatives: Ensure that detected threats are valid.

• Risk Scoring: Uses the Common Vulnerability Scoring System (CVSS).

• Environmental Impact: Consider organizational risk tolerance.

2.3 Response & Remediation


• Patching: Keep software up-to-date to fix vulnerabilities.

• Compensating Controls: Implement alternative security measures.

• Validation: Perform rescanning, auditing, and verification.

3. Security Alerting and Monitoring

Real-time monitoring of security events is essential for preventing and mitigating cyberattacks.

3.1 Log Management & Security Monitoring

• Security Information and Event Management (SIEM) – Aggregates and analyzes logs.

• Antivirus & Endpoint Detection and Response (EDR) – Detects and mitigates malware.

• Data Loss Prevention (DLP) – Prevents unauthorized data exfiltration.

3.2 Alert Response & Remediation

• Quarantine infected systems to prevent spread.

• Alert Tuning: Reduce false positives while improving detection accuracy.

• Network Traffic Analysis: Tools like NetFlow monitor traffic patterns.
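
A worked example of the detection and alert-tuning steps above, added here and not taken from the study guide: it parses constructed SSH authentication log lines, raises a brute-force alert when one source hammers one account and a password-spraying alert when one source tries many accounts, and exposes the thresholds and time window that tuning adjusts. The log lines (addresses from the RFC 5737 documentation ranges), the assumed log year and the thresholds are this example's own.

```python
"""Added example (not from the study guide): brute-force and password-spraying
detection over SSH auth-log lines, with the thresholds that alert tuning adjusts.

Assumptions: the log lines below are constructed; syslog lines carry no year,
so one is assumed; the thresholds and window are illustrative."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed /var/log/auth.log style sample (RFC 5737 addresses, no real hosts).
SAMPLE_AUTH_LOG = """\
Jan 10 09:00:01 web01 sshd[1201]: Failed password for admin from 203.0.113.7 port 50122 ssh2
Jan 10 09:00:04 web01 sshd[1201]: Failed password for admin from 203.0.113.7 port 50123 ssh2
Jan 10 09:00:07 web01 sshd[1203]: Failed password for admin from 203.0.113.7 port 50124 ssh2
Jan 10 09:00:11 web01 sshd[1205]: Failed password for admin from 203.0.113.7 port 50125 ssh2
Jan 10 09:00:15 web01 sshd[1207]: Failed password for admin from 203.0.113.7 port 50126 ssh2
Jan 10 09:00:19 web01 sshd[1209]: Failed password for admin from 203.0.113.7 port 50127 ssh2
Jan 10 09:02:30 web01 sshd[1301]: Failed password for alice from 203.0.113.9 port 40001 ssh2
Jan 10 09:02:33 web01 sshd[1302]: Failed password for bob from 203.0.113.9 port 40002 ssh2
Jan 10 09:02:36 web01 sshd[1303]: Failed password for invalid user carol from 203.0.113.9 port 40003 ssh2
Jan 10 09:02:39 web01 sshd[1304]: Failed password for dave from 203.0.113.9 port 40004 ssh2
Jan 10 09:02:42 web01 sshd[1305]: Failed password for erin from 203.0.113.9 port 40005 ssh2
Jan 10 09:05:00 web01 sshd[1401]: Failed password for alice from 198.51.100.5 port 51000 ssh2
Jan 10 09:05:09 web01 sshd[1401]: Accepted password for alice from 198.51.100.5 port 51000 ssh2
"""

LOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


@dataclass(frozen=True)
class Alert:
    kind: str            # "brute_force" or "password_spraying"
    ip: str
    user: Optional[str]  # set for brute force, None for spraying
    count: int


def parse_failures(text: str, year: int = 2024) -> List[Tuple[datetime, str, str]]:
    """(timestamp, ip, user) for each failed login, time-ordered; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m and m.group("result") == "Failed":
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group("ip"), m.group("user")))
    return sorted(events)


def detect(text: str, brute_force_failures: int = 5, spray_distinct_users: int = 4,
           window_seconds: int = 300) -> List[Alert]:
    """Brute force: one source, one account, >= N failures inside the window.
    Spraying: one source, >= M distinct accounts inside the window.
    Raising N or M, or shrinking the window, is the alert-tuning knob."""
    by_ip: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, ip, user in parse_failures(text):
        by_ip[ip].append((ts, user))

    alerts: List[Alert] = []
    for ip, hits in by_ip.items():
        per_user: Dict[str, int] = defaultdict(int)
        best_distinct = 0
        # Sliding window anchored at each failure (hits are already time-ordered).
        for i, (start, _) in enumerate(hits):
            window = [u for ts, u in hits[i:] if (ts - start).total_seconds() <= window_seconds]
            best_distinct = max(best_distinct, len(set(window)))
            for u in set(window):
                per_user[u] = max(per_user[u], window.count(u))
        for user, n in per_user.items():
            if n >= brute_force_failures:
                alerts.append(Alert("brute_force", ip, user, n))
        if best_distinct >= spray_distinct_users:
            alerts.append(Alert("password_spraying", ip, None, best_distinct))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_AUTH_LOG):
        print(a)
```

The single failure from 198.51.100.5 followed by a success is the everyday noise a tuned rule must ignore; the two attack patterns differ in shape (depth on one account versus breadth across accounts), which is why a count-per-IP rule alone misses spraying.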

4. Identity & Access Management (IAM)

Proper IAM implementation ensures secure access control within an organization.

4.1 Authentication & Access Controls

• Multifactor Authentication (MFA) – Combines two or more authentication factors:

o Something you know (password)

o Something you have (smart card)

o Something you are (biometrics)

• Access Control Models:

o Role-Based Access Control (RBAC) – Based on job roles.

o Discretionary Access Control (DAC) – Owner controls access.

o Mandatory Access Control (MAC) – Access is enforced based on classification.

4.2 Privileged Access Management (PAM)

• Just-in-Time (JIT) Access – Temporarily grants admin rights.

• Password Vaulting – Secures privileged credentials.


• Identity Federation – Extends single sign-on across organizations or security domains through
trust relationships (SAML, OpenID Connect).
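
A worked example of the PAM controls in this section and in 5.2 above (just-in-time access that expires on its own, with an audit trail of every decision), added here and not taken from the study guide. The role catalogue, the eligibility table, the two-hour cap and the in-memory store are this example's own assumptions; a real PAM platform backs them with a credential vault, an approval workflow and session recording.

```python
"""Added example (not from the study guide): just-in-time (JIT) privileged
access with capped, self-expiring grants and an audit trail.

Assumptions: the role catalogue, eligibility table, MAX_GRANT cap and the
in-memory store are constructed for this example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Standing roles every user always holds, and the privileged roles each user
# may hold only through a time-boxed grant (constructed for illustration).
STANDING_ROLES: Dict[str, Set[str]] = {"alice": {"developer"}, "bob": {"sre"}}
JIT_ELIGIBLE: Dict[str, Set[str]] = {"alice": {"db-admin"}, "bob": {"db-admin", "domain-admin"}}
MAX_GRANT = timedelta(hours=2)


@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    expires_at: datetime
    justification: str


@dataclass
class PamStore:
    grants: List[Grant] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)

    def request(self, user: str, role: str, minutes: int, justification: str, now: datetime) -> Grant:
        """Grant only to eligible users, cap the duration, and log every decision."""
        if role not in JIT_ELIGIBLE.get(user, set()):
            self.audit.append(f"{now.isoformat()} DENY {user} {role}: not eligible")
            raise PermissionError(f"{user} is not eligible for {role}")
        ttl = min(timedelta(minutes=minutes), MAX_GRANT)
        grant = Grant(user, role, now + ttl, justification)
        self.grants.append(grant)
        self.audit.append(f"{now.isoformat()} GRANT {user} {role} until "
                          f"{grant.expires_at.isoformat()}: {justification}")
        return grant

    def effective_roles(self, user: str, now: datetime) -> Set[str]:
        """Standing roles plus unexpired grants; expiry needs no separate revoke step."""
        live = {g.role for g in self.grants if g.user == user and g.expires_at > now}
        return STANDING_ROLES.get(user, set()) | live

    def authorize(self, user: str, role: str, now: datetime) -> bool:
        allowed = role in self.effective_roles(user, now)
        self.audit.append(f"{now.isoformat()} {'ALLOW' if allowed else 'DENY'} {user} for {role}")
        return allowed


def run_scenario() -> Dict[str, object]:
    """Walk one elevation through its lifetime; the returned values are what the audit trail shows."""
    store = PamStore()
    t0 = datetime(2024, 1, 10, 9, 0, 0)
    before = store.authorize("alice", "db-admin", t0)
    grant = store.request("alice", "db-admin", 30, "INC-1234 hotfix", t0)
    during = store.authorize("alice", "db-admin", t0 + timedelta(minutes=29))
    after = store.authorize("alice", "db-admin", t0 + timedelta(minutes=31))
    capped = store.request("bob", "domain-admin", 600, "CHG-77 schema migration", t0)
    try:
        store.request("alice", "domain-admin", 10, "no business need", t0)
        denied = False
    except PermissionError:
        denied = True
    return {"before": before, "during": during, "after": after,
            "capped_minutes": int((capped.expires_at - t0).total_seconds() // 60),
            "ineligible_denied": denied, "audit_lines": len(store.audit),
            "grant_expires": grant.expires_at.isoformat()}


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

Two design points carry the security value: the grant is checked against the clock at authorization time, so nothing has to remember to revoke it, and a request for a role the user is not eligible for is refused and logged rather than silently ignored.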

5. Incident Response & Forensics

Incident response is the structured approach to managing security breaches.

5.1 Incident Response Process

1. Preparation: Develop policies and playbooks.

2. Detection: Identify security incidents using SIEM tools.

3. Analysis: Investigate logs and indicators of compromise (IoCs).

4. Containment: Isolate affected systems.

5. Eradication: Remove malware and eliminate the root cause.

6. Recovery: Restore normal operations.

7. Lessons Learned: Conduct a post-incident review.

5.2 Digital Forensics

• Chain of Custody: Maintain integrity of digital evidence.

• Legal Hold: Preserve evidence for litigation.

• Data Acquisition: Use write blockers to prevent data alteration.

6. Automation & Orchestration in Security

Security automation reduces response times and eliminates human errors.

6.1 Use Cases for Security Automation

• User & Resource Provisioning – Automatically assign security permissions.

• Security Orchestration, Automation, and Response (SOAR) – Automates incident
response.

• Threat Hunting & Response – Analyst-led, hypothesis-driven searches for intrusions that
raised no alert; ML-assisted analytics help surface the anomalies worth investigating.

6.2 Benefits of Automation

• Time-saving – Reduces manual effort.

• Consistency – Enforces security baselines.

• Scalability – Secures large environments efficiently.
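
A worked example of the SOAR use cases listed here and in section 6 of the first guide (automated phishing analysis, integration with mail gateway and firewall, threat-intelligence lookup), added here and not taken from the study guide. It parses a constructed message, reads the SPF/DKIM/DMARC verdicts from its Authentication-Results header, checks the linked domains against a constructed indicator list and allow list, and maps the score to a verdict and response actions. The message, the indicators, the thresholds and the action names are this example's own; the actions stand in for calls to a mail gateway, proxy or EDR API.

```python
"""Added example (not from the study guide): a SOAR-style phishing triage
playbook expressed as code.

Assumptions: the message, indicator list, allow list and scoring thresholds
are constructed; the returned 'actions' stand in for API calls to a mail
gateway, proxy or EDR."""
import re
from email import message_from_string
from email.message import Message
from typing import Dict, List, Set
from urllib.parse import urlparse

# Constructed threat-intel indicators and the organisation's own domains.
KNOWN_BAD_DOMAINS: Set[str] = {"login-verify.example.net", "invoice-portal.example.org"}
ALLOWED_DOMAINS: Set[str] = {"example.com"}

# Constructed sample: spoofed internal sender, failed SPF/DMARC, credential lure.
SAMPLE_EMAIL = """\
From: "IT Helpdesk" <helpdesk@example.com>
To: alice@example.com
Subject: Urgent: password expires today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com
Content-Type: text/plain; charset=utf-8

Your password expires in 2 hours. Re-validate here:
https://login-verify.example.net/account/verify?u=alice
or read the policy at https://example.com/security/policy
"""

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def auth_results(msg: Message) -> Dict[str, str]:
    """Pull the spf/dkim/dmarc verdicts out of the Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    verdicts = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", header)
        verdicts[mech] = m.group(1).lower() if m else "none"
    return verdicts


def link_domains(msg: Message) -> Set[str]:
    """Hostnames of every URL in a single-part text body."""
    body = "" if msg.is_multipart() else msg.get_payload()
    hosts = {urlparse(u).hostname for u in URL_RE.findall(body)}
    return {h for h in hosts if h}


def triage(raw_message: str) -> Dict:
    """Score the message, then map the score to a verdict and response actions."""
    msg = message_from_string(raw_message)
    auth = auth_results(msg)
    domains = link_domains(msg)
    score, reasons = 0, []
    if auth["dmarc"] == "fail":
        score += 40
        reasons.append("DMARC failed for the claimed sender domain")
    if auth["spf"] == "fail":
        score += 20
        reasons.append("SPF failed")
    bad = sorted(domains & KNOWN_BAD_DOMAINS)
    if bad:
        score += 50
        reasons.append("links to known-bad domain(s): " + ", ".join(bad))
    unknown = sorted(domains - KNOWN_BAD_DOMAINS - ALLOWED_DOMAINS)
    if unknown:
        score += 10
        reasons.append("links to unvetted domain(s): " + ", ".join(unknown))

    actions: List[str] = []
    if score >= 70:
        verdict = "malicious"
        actions.append("quarantine_message_for_all_recipients")
        actions += [f"block_domain:{d}" for d in bad]   # never the allow-listed ones
        actions.append("notify_analyst")
    elif score >= 30:
        verdict = "suspicious"
        actions.append("hold_for_analyst_review")
    else:
        verdict = "benign"
    return {"verdict": verdict, "score": score, "reasons": reasons,
            "actions": actions, "auth": auth, "domains": sorted(domains)}


if __name__ == "__main__":
    result = triage(SAMPLE_EMAIL)
    print(result["verdict"], result["score"], result["actions"])
```

Blocking is driven only by the indicator match, never by the full link set, so a message that also links to the company's own site cannot trick the playbook into blocking example.com; that is the "false positives triggering unintended actions" risk the question sets below mention.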

Conclusion
Security Operations is a critical domain in the Security+ exam. It involves hardening systems,
managing vulnerabilities, implementing identity controls, responding to incidents, and
automating security tasks.

Security Operations Acronyms List

1. Security Hardening & Baseline Configurations

Acronym Meaning

ACL Access Control List

CIS Center for Internet Security

MDM Mobile Device Management

RBAC Role-Based Access Control

MAC Mandatory Access Control

DAC Discretionary Access Control

NGFW Next-Generation Firewall

UTM Unified Threat Management

EAP Extensible Authentication Protocol

WPA3 Wi-Fi Protected Access 3

IDS Intrusion Detection System

IPS Intrusion Prevention System

NAC Network Access Control

VLAN Virtual Local Area Network

VPN Virtual Private Network

MFA Multi-Factor Authentication

SSO Single Sign-On

2. Vulnerability Management & Threat Intelligence


Acronym Meaning

OSINT Open-Source Intelligence

CVE Common Vulnerabilities and Exposures

CVSS Common Vulnerability Scoring System

NVD National Vulnerability Database

IOC Indicator of Compromise

SIEM Security Information and Event Management

APT Advanced Persistent Threat

MITRE ATT&CK Adversarial Tactics, Techniques, and Common Knowledge

SOC Security Operations Center

SOAR Security Orchestration, Automation, and Response

HIDS Host-based Intrusion Detection System

NIDS Network-based Intrusion Detection System

EDR Endpoint Detection and Response

XDR Extended Detection and Response

3. Incident Response & Digital Forensics

Acronym Meaning

NIST National Institute of Standards and Technology

IR Incident Response

DFIR Digital Forensics and Incident Response

RCA Root Cause Analysis

BIA Business Impact Analysis

SLA Service Level Agreement


Acronym Meaning

RPO Recovery Point Objective

RTO Recovery Time Objective

MTTR Mean Time to Repair

MTBF Mean Time Between Failures

FIM File Integrity Monitoring

TPM Trusted Platform Module

HSM Hardware Security Module

4. Security Monitoring & SIEM

Acronym Meaning

SIEM Security Information and Event Management

DLP Data Loss Prevention

SNMP Simple Network Management Protocol

NTP Network Time Protocol

Syslog System Logging Protocol

NetFlow Network flow records (a Cisco flow-export protocol, not an acronym)

SCAP Security Content Automation Protocol

IDS Intrusion Detection System

IPS Intrusion Prevention System

HIDS Host-based Intrusion Detection System

NIDS Network-based Intrusion Detection System

5. Identity & Access Management (IAM)


Acronym Meaning

IAM Identity and Access Management

SSO Single Sign-On

MFA Multi-Factor Authentication

LDAP Lightweight Directory Access Protocol

OAuth Open Authorization

SAML Security Assertion Markup Language

ABAC Attribute-Based Access Control

RBAC Role-Based Access Control

PAM Privileged Access Management

JIT Just-In-Time Access

6. Security Automation & Orchestration

Acronym Meaning

SOAR Security Orchestration, Automation, and Response

API Application Programming Interface

AI Artificial Intelligence

ML Machine Learning

CTI Cyber Threat Intelligence

TTP Tactics, Techniques, and Procedures

Key Acronyms for Quick Memorization

1. SIEM, IDS, IPS – Security Monitoring

2. CVE, CVSS, IOC – Vulnerability & Threat Intelligence

3. IR, DFIR, RCA – Incident Response & Forensics


4. IAM, SSO, MFA, RBAC – Identity & Access Management

5. SOAR, AI, ML – Security Automation

Below is a list of 100 quick one-liner preparation bits covering key Security Operations
concepts for fast revision. The answer follows the arrow in each line.

1 System Hardening & Secure Configurations

1. What does system hardening aim to achieve? → Reduce the attack surface

2. What is the best way to protect unused services and ports? → Disable them

3. What is the purpose of a secure baseline? → Ensures consistent security settings

4. What tool is used for configuration management and automation? → Ansible / SCCM /
Chef

5. Which environments typically enforce mandatory access control (MAC) using classification
labels? → Government and military

6. What is the most secure wireless authentication method? → WPA3-Enterprise with EAP-TLS
(certificate-based)

7. What network security measure filters traffic between VLANs? → Access Control Lists (ACLs)
on the Layer 3 device that routes between them

8. What do routers and switches do with traffic when no ACL is applied? → Forward it all
(implicit allow), which is why explicit deny rules are needed

9. Which protocol encrypts remote administrative access? → SSH

10. What security measure prevents unauthorized devices from connecting to a network? →
Network Access Control (NAC)

2 Vulnerability Management & Threat Intelligence

11. What is a vulnerability scan used for? → Detect security weaknesses

12. What is a credentialed vulnerability scan? → Uses admin privileges for deeper scanning

13. What database tracks publicly disclosed security vulnerabilities? → Common
Vulnerabilities and Exposures (CVE)

14. What scoring system ranks vulnerability severity? → Common Vulnerability Scoring
System (CVSS)

15. What is the purpose of penetration testing? → Simulate real-world cyberattacks


16. What type of scan identifies missing security patches? → Credentialed (authenticated)
vulnerability scan; a compliance scan checks configuration against a standard

17. What is an indicator of compromise (IoC)? → A sign of malicious activity

18. What is an APT (Advanced Persistent Threat)? → A state-sponsored or highly skilled
attacker

19. What tool is used to monitor network traffic anomalies? → NetFlow analysis or an IDS,
with the alerts correlated in a SIEM (Security Information and Event Management)

20. What attack uses previous breach credentials to gain unauthorized access? → Credential
stuffing

3 Incident Response & Digital Forensics

21. What is the first step in the Incident Response Lifecycle? → Preparation

22. What phase of Incident Response contains the damage? → Containment

23. What forensic principle ensures evidence integrity? → Chain of Custody

24. What should be collected first in forensic investigations? → RAM (volatile memory)

25. What is the purpose of a honeypot? → Lure attackers for analysis

26. What tool is used to capture network packets? → Wireshark

27. What is a root cause analysis (RCA)? → Identifies why an incident occurred

28. What is the final phase of incident response? → Lessons learned

29. What is an on-path attack (Man-in-the-Middle - MitM)? → Intercepts network
communication

30. What is data exfiltration? → Unauthorized transfer of sensitive data

4 Security Monitoring & SIEM

31. What does SIEM (Security Information and Event Management) do? → Aggregates and
analyzes security logs

32. What does EDR (Endpoint Detection and Response) monitor? → Endpoints like servers
and workstations

33. What system detects unauthorized USB drive usage? → DLP (Data Loss Prevention)

34. What network security tool alerts on suspicious traffic but doesn’t block it? → IDS
(Intrusion Detection System)

35. What is the difference between IDS and IPS? → IPS (Intrusion Prevention System) actively
blocks threats

36. What tool monitors network device logs and alerts on suspicious behavior? → SIEM

37. What security monitoring tool uses statistical models to detect anomalies? → UEBA (User
and Entity Behavior Analytics)

38. What is the most common way attackers cover their tracks? → Log tampering

39. What security feature prevents malware from running on a system? → Application Allow
Listing

40. What type of logging records failed authentication attempts? → Security logs

5 Identity & Access Management (IAM)

41. What authentication method requires two or more factors? → Multi-Factor Authentication
(MFA)

42. What is an SSO (Single Sign-On)? → Allows one login for multiple services

43. What access control method assigns roles based on job responsibilities? → RBAC (Role-
Based Access Control)

44. What is the least privilege principle? → Users get the minimum permissions needed

45. What prevents privileged account abuse? → Privileged Access Management (PAM)

46. What is the strongest form of authentication? → Phishing-resistant MFA (e.g., a hardware
security key or smart card combined with a biometric or PIN)

47. What authentication protocol is commonly used for network logins in Active Directory? →
Kerberos (LDAP, the Lightweight Directory Access Protocol, is used for directory lookups)

48. What security mechanism limits access based on attributes like location and device
type? → ABAC (Attribute-Based Access Control)

49. What method prevents reusing old passwords? → Password history enforcement

50. What protocol allows third-party login (e.g., signing in via Google/Facebook)? → OpenID
Connect, built on OAuth 2.0 (OAuth itself handles authorization, not authentication)

6 Security Automation & Orchestration

51. What is the purpose of SOAR (Security Orchestration, Automation, and Response)? →
Automates security incident handling

52. What tool is used for automated threat detection and response? → EDR (Endpoint
Detection and Response)

53. What type of scripting helps automate security tasks? → Python or PowerShell

54. What is a benefit of security automation? → Reduces human errors


55. What standard lets tools automatically check configurations and vulnerabilities against
a baseline? → SCAP (Security Content Automation Protocol); patch deployment itself is done
by patch/configuration management tools

56. What does machine learning (ML) do in security monitoring? → Detects anomalies in real-
time

57. What is the main benefit of security automation for incident response? → Faster threat
containment

58. What is a common risk of automation? → False positives triggering unintended actions

59. What is the primary advantage of SOAR over SIEM? → SOAR automates responses

60. What is an automated security response to phishing emails? → Quarantining or deleting
malicious emails

7 Security Hardening & System Configurations

61. What is the primary goal of security hardening? → Reduce attack surface

62. What security principle ensures only necessary services run on a system? → Least
functionality

63. What is the best way to secure admin accounts on a system? → Use separate privileged
accounts

64. What should be done before deploying a new server? → Apply security patches &
configure baseline

65. What protocol is used to encrypt web traffic? → TLS (Transport Layer Security)

66. What does a host-based firewall do? → Filters traffic at the endpoint level

67. What is the best way to secure IoT devices? → Network segmentation & strong
authentication

68. What tool hardens Windows systems automatically? → Group Policy (GPO)

69. What security feature prevents execution of unauthorized scripts? → Application Control
(Allow List)

70. What is the purpose of a jump server? → Provides a secure gateway for admin access

8 Threat Intelligence & Vulnerability Management

71. What is a zero-day vulnerability? → A flaw known to or exploited by attackers before the
vendor has a patch (the vendor has had "zero days" to fix it)

72. What does a SOC (Security Operations Center) do? → Monitors and responds to security
threats

73. What does MITRE ATT&CK provide? → Tactics & techniques of real-world attackers

74. What tool scans enterprise networks for security weaknesses? → Nessus / Qualys

75. What does a SIEM solution analyze? → Logs and security events

76. What type of scan simulates real-world cyberattacks? → Penetration testing

77. What is the purpose of a dark web monitoring service? → Detect stolen credentials &
threats

78. What kind of scan is performed without credentials? → Unauthenticated scan

79. What is a risk register? → A documented list of security risks

80. What security concept identifies threats before they occur? → Threat intelligence

9 Incident Response & Forensics

81. What is the first step in an incident response plan? → Preparation

82. What forensic principle ensures evidence is not tampered with? → Chain of Custody

83. What type of malware encrypts files and demands payment? → Ransomware

84. What is the final phase in incident response? → Lessons learned

85. What tool is used for capturing and analyzing network packets? → Wireshark

86. What is an on-path attack (MitM - Man-in-the-Middle)? → Intercepting network
communication

87. What is the purpose of a sandbox in security? → Isolate and analyze malware safely

88. What type of evidence should be collected first in a forensic investigation? → Volatile data
(RAM, processes)

89. What does an incident response playbook contain? → Step-by-step response procedures

90. What is the best way to detect data exfiltration attempts? → DLP plus monitoring of
outbound traffic (NetFlow, proxy logs), correlated in a SIEM

10 Security Monitoring & SIEM

91. What security tool correlates logs for threat detection? → SIEM

92. What tool detects unauthorized file access? → File Integrity Monitoring (FIM)

93. What does EDR (Endpoint Detection & Response) monitor? → End-user devices like PCs &
servers

94. What is the purpose of User Behavior Analytics (UEBA)? → Detects abnormal activity
based on user behavior

95. What kind of IDS requires updates for new attack signatures? → Signature-based IDS

96. What is the advantage of a behavior-based IDS? → Detects new & unknown threats

97. What does NetFlow analysis help with? → Detects suspicious network traffic patterns

98. What security tool tracks user logins and failed authentication attempts? → Audit logs

99. What type of monitoring is used for detecting malicious insider threats? → User Behavior
Analytics (UBA/UEBA)

100. What security tool automates data collection from multiple logs? → SIEM (Security
Information & Event Management)

Identity & Access Management (IAM)

1. What IAM concept grants only necessary permissions? → Principle of Least Privilege
(PoLP)

2. What protocol is used for centralized authentication in Active Directory? → Kerberos
(LDAP, the Lightweight Directory Access Protocol, is used for directory lookups and can also
authenticate through a simple bind)

3. What authentication method uses biometrics, passwords, and security tokens? → Multi-
Factor Authentication (MFA)

4. What prevents multiple failed logins from a single IP? → Account lockout policy

5. What type of access control assigns permissions based on job roles? → RBAC (Role-Based
Access Control)

6. What authentication technology is used in federated identity management? → SAML
(Security Assertion Markup Language)

7. What prevents users from reusing old passwords? → Password history policy

8. What is Just-in-Time (JIT) Access? → Temporary privilege escalation

9. What prevents privileged account abuse? → Privileged Access Management (PAM)

10. What type of authentication requires a user to scan their fingerprint? → Biometric
authentication

Security Automation & Orchestration

11. What is SOAR (Security Orchestration, Automation, and Response) used for? →
Automating security workflows

12. What does machine learning (ML) help with in security monitoring? → Detects patterns in
threat behaviors

13. What is the advantage of security automation? → Reduces human errors & speeds up
response

14. What does threat intelligence automation do? → Identifies & responds to attacks in real-
time

15. What scripting language is commonly used for security automation? → Python / PowerShell

16. What does automated phishing email analysis help prevent? → Business Email
Compromise (BEC) scams

17. What is the risk of excessive automation in security? → False positives triggering
unintended actions

18. What tool automates system patching & updates? → Configuration Management Tools
(e.g., Ansible, SCCM)

19. What type of log analysis uses AI to detect anomalies? → Behavioral analytics

20. What system automatically blocks IPs associated with attacks? → Intrusion Prevention
System (IPS)

Here are 100 more one-liner practice questions specifically designed to help you quickly recognize
and answer questions easily in the Security+ certification exam.

100 Quick One-Liner Practice Questions & Answers

(The answer follows the arrow in each line.)

1 Security Hardening & System Configurations

1. Best way to reduce the attack surface on a system? → Disable unnecessary services

2. What ensures secure software installation? → Code signing

3. What security model enforces strict access based on labels? → Mandatory Access
Control (MAC)

4. Which firewall type filters packets using only header rules (addresses, ports)? →
Packet-filtering (stateless) firewall; a stateful firewall also tracks connection state

5. Which feature blocks code execution from memory pages marked non-executable (stack,
heap)? → Data Execution Prevention (DEP)

6. What is a secure way to authenticate SSH logins? → Key-based authentication

7. Which system ensures only allowed applications run on a host? → Application Allow List

8. Best practice for securing IoT devices? → Change default credentials & segment network

9. What prevents brute-force login attempts? → Account lockout policy

10. What security feature verifies if software is tampered with? → Checksums & hashes

2 Vulnerability Management & Threat Intelligence

11. What type of vulnerability scan uses administrator privileges? → Credentialed scan

12. What vulnerability scoring system helps assess risk? → CVSS (Common Vulnerability
Scoring System)

13. Which database tracks publicly disclosed vulnerabilities? → CVE (Common
Vulnerabilities and Exposures)

14. What is an indicator of a possible security breach? → Indicators of Compromise (IoC)

15. What is the most common remediation for software vulnerabilities? → Patching

16. What does OSINT stand for in threat intelligence? → Open-Source Intelligence

17. What is an example of an APT (Advanced Persistent Threat)? → State-sponsored
cyberattacks

18. What is the first step in vulnerability management? → Asset inventory

19. Which tool is used for automated network scanning? → Nmap

20. What ensures vulnerabilities are prioritized based on risk? → Risk-based vulnerability
management

3 Incident Response & Digital Forensics

21. What is the first phase of incident response? → Preparation

22. Which forensic principle ensures evidence is handled properly? → Chain of Custody

23. What forensic tool captures and analyzes RAM memory? → Volatility

24. What attack involves unauthorized encryption of user files? → Ransomware

25. Which attack involves an attacker intercepting network traffic? → On-path attack (MitM)

26. What is the final phase of incident response? → Lessons learned

27. Which forensic tool captures network traffic? → Wireshark

28. What type of malware is activated on a specific event or date? → Logic bomb

29. What is the best way to detect insider threats? → User Behavior Analytics (UEBA)

30. What does an attacker achieve in privilege escalation? → Gains higher system access

4 Security Monitoring & SIEM

31. Which tool aggregates and analyzes security logs? → SIEM (Security Information and
Event Management)

32. What system detects security incidents on endpoints? → EDR (Endpoint Detection &
Response)

33. Which security system monitors failed logins? → Audit logs

34. Which security tool alerts on suspicious network activity? → IDS (Intrusion Detection
System)

35. Which IDS method requires frequent updates? → Signature-based IDS

36. Which security tool tracks unauthorized USB usage? → DLP (Data Loss Prevention)

37. What does NetFlow analysis help with? → Detecting unusual network traffic patterns

38. What is the main difference between IDS and IPS? → IPS actively blocks threats

39. What security measure prevents tampering with logs? → Immutable logging

40. Which security tool detects unauthorized file modifications? → File Integrity Monitoring
(FIM)

5 Identity & Access Management (IAM)

41. What is the principle of least privilege (PoLP)? → Users get only the access they need

42. Which authentication method requires two or more factors? → MFA (Multi-Factor
Authentication)

43. What is an advantage of Single Sign-On (SSO)? → Reduces password fatigue

44. Which protocol is used for centralized authentication in AD? → Kerberos (LDAP, the
Lightweight Directory Access Protocol, is used for directory lookups)

45. Which attack attempts commonly used passwords across many accounts? → Password
spraying

46. Which access control model assigns roles based on jobs? → RBAC (Role-Based Access
Control)

47. What prevents users from reusing old passwords? → Password history policy

48. Which protocol allows federated authentication across organizations? → SAML (Security
Assertion Markup Language)

49. Which tool manages privileged accounts securely? → Privileged Access Management
(PAM)

50. What type of authentication uses fingerprint or face recognition? → Biometric
authentication

6 Security Automation & Orchestration

51. What does SOAR stand for? → Security Orchestration, Automation, and Response

52. Which tool is used to automate security workflows? → SOAR platform

53. Which security automation reduces phishing threats? → Automated email analysis &
quarantine

54. Which scripting language is common in security automation? → Python

55. What is a major benefit of security automation? → Faster response time

56. What type of analytics uses AI for security monitoring? → Behavioral analytics

57. Which process grants elevated rights that expire automatically instead of standing admin
access? → Just-in-Time (JIT) Access

58. What type of firewall adds application awareness, deep packet inspection and integrated
threat intelligence (often marketed as AI-driven detection)? → Next-Generation Firewall (NGFW)

59. What does automatic sandboxing help with? → Isolating and analyzing malware

60. Which security tool correlates threat intelligence with real-time data? → SIEM

7 Additional Security Concepts

61. Which policy ensures security updates are applied on time? → Patch management policy

62. What is the purpose of a business impact analysis (BIA)? → Identify critical business
functions

63. Which attack targets CEOs or executives with phishing emails? → Whaling

64. What prevents malware from modifying boot files? → Secure Boot

65. Which cloud service model leaves the most security responsibility with the customer? →
IaaS (Infrastructure as a Service)

66. What security measure helps detect unauthorized database access? → Database
Activity Monitoring (DAM)

67. Which cryptographic algorithm is asymmetric? → RSA

68. Which security measure prevents phishing attacks? → Email security gateway

69. What helps prevent unauthorized app installation on mobile devices? → Mobile Device
Management (MDM)

70. What is the best way to secure remote access for employees? → VPN + MFA
