Answer Strategy: Define each pillar clearly and provide a real-world example.

• Confidentiality: Only authorized users can access data (e.g., Encryption, MFA).
• Integrity: Data hasn't been tampered with (e.g., Hashing, Digital Signatures).
• Availability: Systems are up and running when needed (e.g., Backups, Redundancy).

Pro Tip: Mention how a DDoS attack targets Availability.

• Threat: A potential danger (e.g., Hacker, Hurricane).
• Vulnerability: A weakness an attacker can exploit (e.g., Unpatched software, unlocked door).
• Risk: The likelihood of a threat exploiting a vulnerability (Risk = Threat × Vulnerability).

It segregates network functions into 7 layers (Physical to Application). In security, it helps isolate issues (e.g., is this a Layer 3 firewall issue or a Layer 7 script injection?).

Tip: Network+ students should mention "Please Do Not Throw Sausage Pizza Away" mnemonic.

• Authentication: Proving who you are (e.g., entering a password).
• Authorization: Determining what you are allowed to do (e.g., permissions to read a file).
• Accounting: Tracking what you did (e.g., logs showing you accessed the file at 2:00 PM).

MFA requires two or more types of evidence to verify identity. The types are: Something you Know (Password), Something you Have (Phone/Token), and Something you Are (Biometric). It drastically reduces the risk of compromised credentials because a hacker usually can't steal the physical token.

It means giving a user or process only the permissions necessary to do their job and nothing more. If a user account is compromised, the damage is limited to just that user's scope.

• RBAC (Role-Based): Access based on job title (e.g., "HR Manager" gets access to HR files). Simplest for corporate environments.
• ABAC (Attribute-Based): Access based on complex rules (e.g., "HR Manager" can access files only during work hours). More flexible but complex.
• DAC (Discretionary): The file owner decides who gets access (standard Windows/Linux file permissions).

SSO allows users to log in once and access multiple related systems without re-entering credentials. Pro: Better user experience and fewer passwords to manage (less writing them on sticky notes!). Con: A single point of failure; if the main account is breached, all systems are at risk (hence why MFA is mandatory with SSO).

A Firewall filters traffic based on rules (IP/Port), acting like a gatekeeper. An IDS (Intrusion Detection System) monitors for malicious patterns/signatures inside the network (like a security camera) and alerts. An IPS (Intrusion Prevention System) does the same but actively blocks the traffic.

A VPN creates an encrypted tunnel over a public network (internet) between a client and a server. It ensures confidentiality and integrity. Common protocols include IPsec (Site-to-Site), SSL/TLS (Client-to-Site, minimal client config), and WireGuard (modern, fast).

Segmentation divides a network into smaller subnets (VLANs). It prevents "lateral movement." If a hacker compromises the Guest Wi-Fi, segmentation ensures they cannot jump over to the Corporate Finance server.

• SSH: 22 (Secure Remote Access)
• HTTPS: 443 (Secure Web)
• RDP: 3389 (Remote Desktop - Monitor closely!)
• DNS: 53 (Name Resolution)
• LDAPS: 636 (Secure Directory)

A Stateless firewall (ACL) looks at each packet in isolation (e.g., "Block port 80"). A Stateful firewall remembers the connection state. If you request a website (outbound), it automatically allows the reply (inbound) because it knows it's part of an established conversation.

1. Preparation: Training, policies, tools.
2. Detection & Analysis: Monitoring logs, IDS alerts, confirming it's a real incident.
3. Containment, Eradication, & Recovery: Stopping the bleeding (disconnect cable), removing malware, restoring from backups.
4. Post-Incident Activity: The "Lessons Learned" meeting to prevent recurrence.

Immediate Action: Isolation. Disconnect it from the network to prevent data exfiltration. Then, capture volatile memory (RAM) for forensic analysis *before* turning it off (if you even turn it off).

Check the "From" header (spoofing?), hover over links (do they go to paypal-secure-login.xyz?), look for urgency/grammar errors. Check the hash of any attachments on VirusTotal.

Running a scan is easy. The hard part is prioritization (using CISA KEV or CVSS scores) and remediation (patching without breaking production). It's a continuous lifecycle, not a one-time event.

It's a knowledge base of adversary tactics and techniques. It helps us move from "blocking IP addresses" (easy for attackers to change) to "detecting behaviors" (hard for attackers to change).

1. Planning/Reconnaissance: Gathering OSINT, defining scope.
2. Scanning: Port scans, vuln scans (Nmap, Nessus).
3. Gaining Access: Exploiting vulnerabilities (Metasploit).
4. Maintaining Access: Installing persistence/backdoors.
5. Covering Tracks: Deleting logs.
6. Reporting: The most important part—documenting findings for the client.

• Black Box: Tester has zero knowledge of the system (simulates an external hacker).
• White Box: Tester has full knowledge (source code, diagrams) (simulates malicious insider or thorough audit).
• Gray Box: Partial knowledge (e.g., user credentials but no admin access).

For Network Scanning: Nmap (standard for discovery). For Vulnerability Assessment: Nessus or OpenVAS. For Web Apps: Burp Suite.

• Injection (SQLi): Sending malicious code to the database via input fields.
• Broken Access Control: Users accessing admin pages they shouldn't.
• Cryptographic Failures: Storing passwords as plain text.

Misconfiguration (S3 buckets left open) is the #1 threat. Others include IAM management, API security, and lack of visibility (logging).

The Cloud Provider (AWS/Azure) is responsible for Security OF the Cloud (Hardware, Data Centers). The Customer (You) is responsible for Security IN the Cloud (Data, IAM, Patching OS). It varies by service model.

• IaaS (Infra): You manage almost everything (OS, Apps, Data) except hardware. High responsibility.
• PaaS (Platform): Provider manages OS/Runtime. You manage App & Data.
• SaaS (Software): Provider manages everything. You just manage Access and Data config.

Example Answer Structure: "I had to explain Multi-Factor Authentication to the Finance team (Situation). My goal was to get them to adopt the new app (Task). I used the analogy of 'Two keys to open a safe' – one key is your password, the other is the code on your phone (Action). Adoption rates went up 90% in one week (Result)."