Unit3 - Subjective Questions
INT242 • Practice Questions with Detailed Answers
Explain the concept of Zero Trust Architecture (ZTA) and list its core guiding principles.
Zero Trust Architecture (ZTA) is a strategic cybersecurity model that eliminates the concept of trust from an organization's network architecture. Unlike traditional models that assume everything inside the network perimeter is safe, Zero Trust operates on the philosophy of "Never Trust, Always Verify."
Core Guiding Principles:
- Verify Explicitly: Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
- Use Least Privilege Access: Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection to secure both data and productivity.
- Assume Breach: Minimize the blast radius for breaches and prevent lateral movement by segmenting access by network, user, devices, and application awareness. Verify all sessions end-to-end.
Compare and contrast Full Backup, Incremental Backup, and Differential Backup in the context of redundancy strategies.
These are three primary strategies for data redundancy:
-
Full Backup:
- Definition: A complete copy of all data selected is made.
- Pros: Fastest recovery time (requires only the last full backup).
- Cons: Slowest backup time; consumes the most storage space.
-
Incremental Backup:
- Definition: Copies only the data that has changed since the last backup of any type (Full or Incremental).
- Pros: Fastest backup time; uses the least storage space.
- Cons: Slowest recovery time (requires the last full backup + all subsequent incremental backups).
-
Differential Backup:
- Definition: Copies data that has changed since the last Full backup.
- Pros: Faster recovery than incremental (requires last full + last differential).
- Cons: Uses more storage than incremental; backup time increases as time passes since the last full backup.
Discuss the Shared Responsibility Model in cloud computing. How do responsibilities shift between IaaS, PaaS, and SaaS?
The Shared Responsibility Model defines the security obligations of the Cloud Service Provider (CSP) versus the Customer. Security is not solely the provider's job.
Responsibilities by Service Model:
-
Infrastructure as a Service (IaaS):
- CSP: Physical security, power, cooling, network hardware, and hypervisor.
- Customer: Guest OS (patching), applications, data, Identity and Access Management (IAM), and network configuration (firewalls).
-
Platform as a Service (PaaS):
- CSP: Physical infrastructure, OS patching, and middleware/runtime environment.
- Customer: Applications deployed on the platform and data security.
-
Software as a Service (SaaS):
- CSP: Manages almost everything: Application code, database, OS, and infrastructure.
- Customer: Responsible primarily for User Identity/Access Management and Data Governance.
What are Embedded Systems, and why do they pose unique security challenges compared to traditional IT assets?
Embedded Systems are computing systems with a dedicated function within a larger mechanical or electrical system (e.g., medical devices, automotive control units, industrial controllers).
Unique Security Challenges:
- Resource Constraints: Limited processing power and memory make it difficult to run standard security software (antivirus, encryption).
- Long Lifecycle: Devices are often deployed for 10-20 years, outlasting vendor support periods.
- Patching Difficulty: Firmware updates are often difficult to apply, risk 'bricking' the device, or are physically inaccessible.
- Proprietary Protocols: Many use specialized communication protocols that standard security tools cannot monitor effectively.
- Hardcoded Credentials: Many embedded systems ship with default passwords that cannot be changed.
Explain the concept of Micro-segmentation and its role in a Secure Cloud Network Architecture.
Micro-segmentation is a network security technique that divides a network into distinct security zones down to the individual workload level. It decouples security from underlying hardware and applies policies based on logic rather than physical subnets.
Role in Secure Cloud Architecture:
- Lateral Movement Prevention: If an attacker compromises one workload, micro-segmentation prevents them from jumping to other servers or databases.
- Granular Policy Enforcement: Security policies move with the virtual machine or container. If a VM migrates to a different host, the firewall rules go with it.
- Zero Trust Enabler: It is a foundational technology for Zero Trust, ensuring that no traffic flows between applications unless explicitly allowed.
Differentiate between Vulnerability Scanning and Penetration Testing.
| Feature | Vulnerability Scanning | Penetration Testing |
|---|---|---|
| Nature | Automated process. | Manual and automated (human-driven). |
| Goal | To identify and list known vulnerabilities (width). | To exploit vulnerabilities to prove business risk (depth). |
| Frequency | Run frequently (weekly/monthly) or continuously. | Run periodically (annually/bi-annually). |
| Cost | Generally lower cost. | Higher cost (requires skilled labor). |
| Output | A list of potential vulnerabilities with severity scores. | A narrative report of how defenses were breached and data exfiltrated. |
| False Positives | High rate of false positives. | False positives are eliminated by the tester. |
Why is Asset Management considered the prerequisite for effective Vulnerability Management?
"You cannot protect what you do not know you have."
Asset Management is the foundation of vulnerability management for the following reasons:
- Scope Definition: Vulnerability scanners need an inventory list (IP addresses, domains) to know what to scan. Unmanaged assets (Shadow IT) will remain un-scanned and vulnerable.
- Context and Prioritization: Knowing the business value of an asset helps prioritize remediation. A critical database server requires faster patching than a print server.
- License and EOL Management: Asset management tracks software versions. Using End-of-Life (EOL) software is a major vulnerability that scanners might miss if the asset isn't tracked.
- Incident Response: In the event of a breach, responders need to know the asset's owner, location, and function immediately.
Describe the CVSS (Common Vulnerability Scoring System) and its three metric groups.
CVSS is an open industry standard for assessing the severity of computer system security vulnerabilities. It assigns a score from $0.0$ to $10.0$.
The Three Metric Groups:
- Base Metrics: Represents the intrinsic qualities of a vulnerability that are constant over time and across user environments. (e.g., Attack Vector, Attack Complexity, Privileges Required, CIA Impact).
- Temporal Metrics: Represents characteristics that change over time. (e.g., Is there exploit code available? Is there a patch available?)
- Environmental Metrics: Represents characteristics that are unique to a specific user's environment. (e.g., Is the vulnerable system isolated? Is the data on it critical to this specific organization?).
Explain the four primary strategies for Vulnerability Remediation/Risk Treatment.
Once vulnerabilities are identified and analyzed, organizations must decide how to treat the risk:
- Remediation (Mitigation): Fixing the vulnerability completely. This usually involves applying a software patch, updating firmware, or changing a configuration to eliminate the flaw.
- Mitigation (Workaround): Reducing the likelihood or impact of the vulnerability without fully fixing the root cause. Example: A patch isn't available, so the firewall is configured to block the specific port used by the exploit.
- Acceptance: The organization acknowledges the risk but decides the cost of fixing it outweighs the potential loss, or it is a false positive. This must be formally documented.
- Transference: Shifting the risk to a third party, typically through cyber insurance or by outsourcing the service to a vendor who assumes the liability.
Describe SQL Injection (SQLi) and how it can be prevented in application development.
SQL Injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries an application makes to its database. It occurs when untrusted user input is directly concatenated into a SQL command.
Mechanism:
An attacker might input ' OR '1'='1 into a login field. If the code is vulnerable (e.g., SELECT * FROM users WHERE user = 'input'), the query becomes SELECT * FROM users WHERE user = '' OR '1'='1', which is always true, potentially bypassing authentication.
Prevention:
- Prepared Statements (Parameterized Queries): This is the most effective defense. It forces the database to treat user input as data, not executable code.
- Input Validation: Ensure input conforms to expected formats (e.g., email addresses).
- Least Privilege: Ensure the database user account used by the web app has only the minimum necessary permissions.
Compare Credentialed vs. Non-Credentialed vulnerability scans.
Non-Credentialed Scans:
- Perspective: Simulates an external attacker with no special access.
- Visibility: Limited to external-facing services, open ports, and banner grabbing.
- Findings: Can find missing firewalls, weak SSL/TLS, and exposed services but misses internal OS flaws.
Credentialed (Authenticated) Scans:
- Perspective: Simulates an insider or an attacker who has stolen credentials.
- Visibility: The scanner logs into the device. It can inspect the registry, file system, installed software versions, and configuration settings.
- Findings: Detects missing patches, insecure configurations, and client-side software vulnerabilities (e.g., an outdated PDF reader). It is far more comprehensive.
What is Physical Security in the context of Defense in Depth, and what are the layers of physical protection?
Physical Security protects the tangible assets (hardware, facilities, personnel) from physical actions and events that could cause serious loss or damage. In Defense in Depth, physical security is the outermost layer protecting the data center.
Layers of Physical Protection:
- Perimeter: Fencing, bollards, external lighting, motion sensors, and security guards to prevent entry onto the property.
- Facility/Building Entry: Biometric scanners, smart card access, mantraps (access control vestibules), and reception desks to control entry into the building.
- Computer Room/Data Center Floor: specific authorization to enter the server room, video surveillance (CCTV), and intrusion detection systems.
- Rack Level: Locked server cabinets that require keys or electronic badges to open, protecting individual servers from tampering.
Explain the risks associated with Cloud Misconfigurations and provide two examples.
Cloud Misconfiguration occurs when cloud resources are set up with insecure default settings or errors that expose them to the public internet or unauthorized users. It is one of the leading causes of cloud data breaches.
Risks:
- Unauthorized data access/exfiltration.
- Service disruption.
- Account hijacking.
Examples:
- Unsecured Storage Buckets: Leaving an AWS S3 bucket or Azure Blob storage set to "Public" access, allowing anyone with the URL to download sensitive customer data.
- Over-permissive IAM Roles: Assigning "Admin" or "Full Access" privileges to a temporary user or a service account instead of following the principle of Least Privilege.
What is a Buffer Overflow vulnerability, and why is it dangerous?
Buffer Overflow is a software vulnerability that occurs when a program tries to write more data to a fixed-length block of memory (a buffer) than the buffer is allocated to hold.
Mechanism:
Since buffers are created to contain a finite amount of data, the extra information has to go somewhere—it overflows into adjacent memory space.
Danger:
- System Crash: It can corrupt data structures, causing the program or OS to crash (Denial of Service).
- Code Execution: Skilled attackers can overwrite the "Return Address" pointer in the memory stack. They replace it with a pointer to their own malicious code (shellcode). When the function finishes, the CPU jumps to the malicious code, giving the attacker control over the system.
Define High Availability (HA) vs. Fault Tolerance (FT).
-
High Availability (HA):
- Goal: To minimize downtime.
- Concept: If a primary system fails, a secondary system takes over after a brief moment. There might be a slight interruption (seconds or minutes), but the service resumes quickly. It usually involves clustering and load balancing.
- Cost: Moderate.
-
Fault Tolerance (FT):
- Goal: To achieve zero downtime.
- Concept: The system continues to operate without any interruption even if a component fails. This often requires mirrored hardware running in lockstep. If one fails, the other processes the instruction instantly.
- Cost: Very high (often requires 2x hardware).
Describe the differences between Hot, Warm, and Cold disaster recovery sites.
These terms describe remote facilities used for business continuity:
-
Hot Site:
- Status: Fully operational data center with all hardware, software, and up-to-date data (real-time replication).
- Recovery Time (RTO): Minutes to hours.
- Cost: Most expensive.
-
Warm Site:
- Status: Has hardware and connectivity, but data is not real-time (data must be restored from backups). Software may need to be installed or patched.
- Recovery Time (RTO): Hours to days.
- Cost: Moderate.
-
Cold Site:
- Status: An empty facility with power and cooling. No IT hardware or data is present. Equipment must be procured and configured.
- Recovery Time (RTO): Days to weeks.
- Cost: Least expensive.
What is Containerization, and how does it differ from traditional Virtualization?
Containerization (e.g., Docker, Kubernetes) involves packaging an application and its dependencies (libraries, binaries) into a single lightweight unit called a container.
Difference from Virtualization:
-
Architecture:
- Virtual Machines (VMs): Each VM includes a full Guest Operating System running on top of a Hypervisor. This is resource-heavy.
- Containers: Share the Host Operating System's kernel but isolate the application processes. They do not need a full OS for each app.
-
Efficiency: Containers are much smaller (Megabytes vs. Gigabytes) and start up in seconds, whereas VMs take minutes to boot.
-
Portability: Containers ensure the app runs exactly the same in development, testing, and production, solving the "it works on my machine" problem.
Explain the Vulnerability Management Lifecycle.
Vulnerability Management is not a one-time event but a continuous cycle consisting of the following phases:
- Discovery (Identify): Asset inventory and vulnerability scanning to find known flaws.
- Prioritization: Ranking vulnerabilities based on severity (CVSS), asset criticality, and active threats.
- Assessment: Analyzing the root cause and determining if the vulnerability is a true positive.
- Reporting: Communicating findings to system owners and management with clear remediation instructions.
- Remediation: Patching, configuring, or mitigating the vulnerability.
- Verification: Rescanning to ensure the fix was successful and didn't break anything else.
What are Cross-Site Scripting (XSS) vulnerabilities?
Cross-Site Scripting (XSS) is a web vulnerability where an attacker injects malicious scripts into content trusted by a user.
- How it works: The application accepts untrusted input (like a comment on a blog) and displays it to other users without proper escaping or validation.
- The Impact: When a victim views the page, their browser executes the malicious script (usually JavaScript).
- Consequences: Attackers can steal session cookies (session hijacking), redirect users to phishing sites, or deface websites.
Discuss the importance of Redundancy in Network Architecture.
Redundancy is the inclusion of extra components (hardware, lines of communication, software) that are not strictly necessary to functioning, in case of failure in other components.
Importance:
- Business Continuity: Ensures operations continue during hardware failures.
- Single Point of Failure (SPOF) Removal: Eliminates choke points where one failure crashes the whole system.
- Data Integrity: RAID (Redundant Array of Independent Disks) protects against hard drive failure.
- Network Resilience: Redundant paths (e.g., Spanning Tree Protocol, multiple ISPs) ensure that if one cable is cut, traffic can reroute automatically.