
DOMAIN 4 28%

๐Ÿ” 4.1 Security Administration on Computing Resources

🔹 Secure Baselines

  • A baseline is a predefined configuration for a system, meant to represent a “known good state”.

  • For the exam, understand that this is often created during system deployment and updated after major patches or config changes.

  • Example questions:
    May ask about what's considered a baseline or how it's used in hardening.

🔹 Hardening Systems

  • Key concept:
    Reduce attack surface.
    Disable anything not needed.
  • Common missed concept:
    Why we disable things like Telnet — because it's unencrypted and vulnerable.
  • MDM (Mobile Device Management) = Think of it as central control over mobile policy enforcement.

  • For IoT:
    Many devices are “set-and-forget”, so they’re often outdated and unmonitored — a soft target for attackers.

🧠 Tip:
Know the differences between hardening for workstations, mobile, network, and IoT devices — each has unique risks and controls.
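A baseline only helps if something actually compares hosts against it. As an added example (not from these notes), here is a small drift check that diffs a captured host snapshot against a "known good" baseline and flags hardening failures such as Telnet being enabled; the baseline values and the host snapshot are constructed for illustration.

```python
"""Baseline drift check: compare a host's captured settings against a
'known good' baseline and report every deviation. Added example; the
baseline and host snapshot below are constructed, not from any standard."""

# Constructed secure baseline: expected service states plus key settings.
BASELINE = {
    "services": {"telnet": "disabled", "ftp": "disabled", "sshd": "enabled"},
    "settings": {"password_min_length": 14, "auto_update": True,
                 "ssh_root_login": False},
}

# Constructed snapshot of a freshly deployed host that was never hardened.
HOST_SNAPSHOT = {
    "services": {"telnet": "enabled", "ftp": "disabled", "sshd": "enabled",
                 "tftp": "enabled"},
    "settings": {"password_min_length": 8, "auto_update": True,
                 "ssh_root_login": False},
}

def find_drift(baseline, snapshot):
    """Return (category, item, expected, actual) for every mismatch.
    Services running on the host that the baseline never mentions are
    reported too: 'disable anything not needed' means extras are drift."""
    drift = []
    for category, expected_items in baseline.items():
        actual_items = snapshot.get(category, {})
        for item, expected in expected_items.items():
            actual = actual_items.get(item, "missing")
            if actual != expected:
                drift.append((category, item, expected, actual))
    for svc, state in snapshot.get("services", {}).items():
        if svc not in baseline["services"] and state == "enabled":
            drift.append(("services", svc, "not present", state))
    return drift

def report(drift):
    """Human-readable lines, one per deviation."""
    return [f"{cat}/{item}: expected {exp!r}, found {act!r}"
            for cat, item, exp, act in drift]

if __name__ == "__main__":
    for line in report(find_drift(BASELINE, HOST_SNAPSHOT)):
        print("DRIFT", line)
```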


๐Ÿ–ฅ๏ธ 4.2 Asset Management and Lifecycle

🔹 Asset Inventory

  • You'll be expected to know that tracking what you own is the foundation of security — you can't protect what you don't know exists.

  • Tagging, logging, and software inventory tools (like SCCM) come into play.

🔹 Asset Lifecycle

  • Expect scenario-based questions like:
    “An organization disposes of laptops without wiping data. What's the risk?” ➜ Data exposure.

  • Key distinction:

    • Clearing = Single overwrite (still recoverable).

    • Purging = Multiple overwrites, or tools like degaussers.

    • Destroying = Physical methods (shred, incinerate).

🧠 Tip:
Know which method is appropriate based on sensitivity of data.



๐Ÿ›ก๏ธ 4.3 Vulnerability Management

🔹 Vulnerability Scanning

  • Authenticated vs Unauthenticated Scans

    • Authenticated = more accurate; sees inside the system.

    • Unauthenticated = sees what an outsider would.

🔹 Managing Vulnerabilities

  • Risk = Likelihood × Impact

  • Prioritization is based on CVSS scores, asset value, and exploit availability.

🔹 Penetration Testing vs Scanning

  • This is a frequently tested distinction.

  • Pen Test = Simulated attack; must have written permission (rules of engagement).

  • Vuln Scan = Passive; just lists issues.

🧠 Tip:
Always think about compliance/legal risks during testing — unauthorized testing = violation.
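To make the prioritization bullet concrete, here is an added example (not from these notes) that ranks constructed scan findings by Risk = Likelihood × Impact, with CVSS and exploit availability feeding likelihood and asset value feeding impact. The weights (exploit boost of 1.5, asset value on a 1 to 5 scale) are illustrative assumptions, not an official formula.

```python
"""Vulnerability prioritization: rank findings by the factors the notes
list (CVSS score, asset value, exploit availability) using
risk = likelihood x impact. Added example with constructed findings; the
weighting scheme is an illustrative assumption, not an official one."""

# Constructed scan findings. 'exploit_public' stands in for exploit availability.
FINDINGS = [
    {"id": "F-1", "host": "intranet-wiki", "cvss": 9.8, "asset_value": 2, "exploit_public": False},
    {"id": "F-2", "host": "payroll-db", "cvss": 7.5, "asset_value": 5, "exploit_public": True},
    {"id": "F-3", "host": "kiosk-01", "cvss": 4.3, "asset_value": 1, "exploit_public": True},
    {"id": "F-4", "host": "payroll-db", "cvss": 5.0, "asset_value": 5, "exploit_public": False},
]

def likelihood(finding):
    """0..1 scale: CVSS base score scaled down, then boosted (assumed factor
    1.5, capped at 1.0) when a public exploit exists."""
    base = finding["cvss"] / 10.0
    if finding["exploit_public"]:
        base = min(1.0, base * 1.5)
    return base

def impact(finding):
    """0..1 scale from the asset's business value (assumed 1..5 rating)."""
    return finding["asset_value"] / 5.0

def risk_score(finding):
    """Risk = Likelihood x Impact, reported on a 0..100 scale."""
    return round(100 * likelihood(finding) * impact(finding), 1)

def prioritize(findings):
    """Findings sorted highest risk first, each annotated with its score."""
    scored = [dict(f, risk=risk_score(f)) for f in findings]
    return sorted(scored, key=lambda f: f["risk"], reverse=True)

if __name__ == "__main__":
    # Note that the CVSS 9.8 on a low-value wiki ranks below a CVSS 5.0 on
    # the payroll database: the score alone does not decide the order.
    for f in prioritize(FINDINGS):
        print(f"{f['id']} {f['host']:14} cvss={f['cvss']} risk={f['risk']}")
```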


๐Ÿ›ฐ๏ธ 4.4 Security Monitoring, Alerting, and Analysis

🔹 SIEM

  • Focus on correlation and alerting.

  • SIEMs take logs from multiple sources and look for patterns.

🔹 IDS vs IPS

  • IDS = Detect only.

  • IPS = Detect + Block.

  • Network-based vs Host-based IDS/IPS may come up too.

🔹 Security Tools

  • EDR = Watches endpoints (e.g., laptops, servers).

  • UBA = Identifies unusual behavior (e.g., an employee accessing thousands of files at 3 a.m.).

  • DLP = Stops sensitive data from leaving (email, USB).

  • Honeytokens = Fake data to bait attackers (e.g., a fake password.txt file).

🧠 Tip:
Know where each tool works (endpoint, network, cloud) and what kind of threat it helps detect.
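The SIEM and UBA bullets above describe correlation in the abstract. As an added example (not from these notes), here is a miniature correlation engine that normalizes constructed log lines from two sources and applies two rules: repeated failed logins followed by a success, and the off-hours bulk file access the UBA bullet mentions. The log lines and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines from two sources (an auth server and a file server).
LOGS = """\
2024-05-02T02:58:10 auth FAIL user=jdoe src=203.0.113.7
2024-05-02T02:58:12 auth FAIL user=jdoe src=203.0.113.7
2024-05-02T02:58:14 auth FAIL user=jdoe src=203.0.113.7
2024-05-02T02:58:16 auth FAIL user=jdoe src=203.0.113.7
2024-05-02T02:58:20 auth OK user=jdoe src=203.0.113.7
2024-05-02T03:01:05 files READ user=jdoe path=/finance/q1.xlsx
2024-05-02T03:01:06 files READ user=jdoe path=/finance/q2.xlsx
2024-05-02T03:01:07 files READ user=jdoe path=/hr/salaries.csv
2024-05-02T09:15:00 auth OK user=asmith src=10.0.0.5
2024-05-02T09:16:00 files READ user=asmith path=/hr/handbook.pdf
"""
LINE = re.compile(r"(\S+) (\w+) (\w+) user=(\w+)(?: src=(\S+))?(?: path=(\S+))?")

def parse(text):
    """Normalize each raw line into one event dict (a SIEM's first job)."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts, source, action, user, src, path = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "source": source,
                           "action": action, "user": user, "src": src, "path": path})
    return events

def correlate(events, fail_threshold=4, off_hours=(0, 6), bulk_threshold=3):
    """Two rules across sources (thresholds are assumptions):
    (1) fail_threshold+ failed logins for a user from one source followed
        by a success looks like a brute force that worked;
    (2) bulk_threshold+ file reads by one user during off_hours is the
        UBA-style anomaly the notes describe."""
    alerts, fails, night_reads = [], defaultdict(int), defaultdict(int)
    for e in events:
        if e["source"] == "auth":
            key = (e["user"], e["src"])
            if e["action"] == "FAIL":
                fails[key] += 1
            elif e["action"] == "OK":
                if fails[key] >= fail_threshold:
                    alerts.append(f"brute-force success: {e['user']} from {e['src']}")
                fails[key] = 0  # a success resets the failure streak
        elif e["source"] == "files" and off_hours[0] <= e["ts"].hour < off_hours[1]:
            night_reads[e["user"]] += 1
            if night_reads[e["user"]] == bulk_threshold:
                alerts.append(f"off-hours bulk access: {e['user']} at {e['ts'].time()}")
    return alerts
```

Neither rule fires on asmith's daytime activity, which is the point of correlating on context rather than on single events.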



๐Ÿง‘โ€๐Ÿ’ผ 4.5 Identity and Access Management (IAM)

🔹 Authentication Methods

  • MFA = Something you know (password), have (token), are (biometrics).

  • Kerberos = Ticket-based, used in Windows domains.

  • LDAP/LDAPS = Used for directories (like Active Directory).

  • SAML, OAuth2, OIDC = Federation/SSO. Know which ones do authN vs authZ.

🔹 Access Control Models

  • DAC = File owner decides (most flexible, least secure).

  • MAC = Enforced by system (used in classified gov't systems).

  • RBAC = Based on roles (Finance, HR, Admin).

  • ABAC = Dynamic; looks at attributes like time of day, device type, job title.

🧠 Tip:
“Least privilege” shows up everywhere — make sure you know it's about giving only what's needed to do a job, nothing more.
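The RBAC and ABAC bullets are easiest to tell apart in code. As an added example (not from these notes), the block below decides the same kind of request both ways: RBAC through static role tables, ABAC through attributes of subject, resource and environment (time of day, device type), and finishes with a least-privilege check that lists what a role grants beyond the job's needs. The roles, departments, hours and policy are constructed assumptions.

```python
from datetime import time

# RBAC: permissions hang off roles and users are assigned roles. Constructed tables.
ROLE_PERMS = {
    "finance": {"read:ledger", "write:ledger"},
    "hr": {"read:personnel"},
    "admin": {"read:ledger", "read:personnel", "manage:users"},
}
USER_ROLES = {"alice": {"finance"}, "bob": {"hr"}, "carol": {"admin"}}

def rbac_allows(user, permission):
    """Static decision: does any role held by the user carry the permission?"""
    return any(permission in ROLE_PERMS.get(r, set())
               for r in USER_ROLES.get(user, set()))

def least_privilege_gap(user, needed):
    """Permissions the user's roles grant beyond what the job actually needs."""
    granted = set().union(*(ROLE_PERMS[r] for r in USER_ROLES[user]))
    return sorted(granted - set(needed))

# ABAC: the same request is judged on attributes of subject, resource and
# environment. Constructed policy: ledger writes require finance staff, a
# managed device and business hours (08:00-18:00); reads go by department.
READERS = {"ledger": {"finance", "admin"}, "personnel": {"hr", "admin"}}

def env_at(hour, device_managed=True):
    """Environment attributes for a request made at the given hour."""
    return {"now": time(hour, 0), "device_managed": device_managed}

def abac_allows(subject, action, resource, env):
    if action == "write" and resource == "ledger":
        return (subject["dept"] == "finance" and env["device_managed"]
                and time(8, 0) <= env["now"] < time(18, 0))
    if action == "read":
        return subject["dept"] in READERS.get(resource, set())
    return False  # default deny: anything not explicitly allowed is refused

if __name__ == "__main__":
    print("RBAC alice write:ledger ->", rbac_allows("alice", "write:ledger"))
    print("ABAC finance write at 23:00 ->",
          abac_allows({"dept": "finance"}, "write", "ledger", env_at(23)))
    print("carol's excess over 'manage:users':", least_privilege_gap("carol", ["manage:users"]))
```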


โš™๏ธ 4.6 Automation and Orchestration

🔹 Why Automate?

  • Speeds up response and reduces error (but needs oversight).

  • Example tools:

    SOAR (Security Orchestration Automation and Response)

  • DevSecOps = Security embedded into software development lifecycle.

    • Think: Code analysis tools, automated security tests.

🧠 Tip:
Know examples like:

  • Auto-disabling accounts after termination.

  • Auto-patching on schedule.

  • Auto-response to alerts (e.g., isolate infected machine).
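The first tip item, auto-disabling accounts after termination, is a typical automation with the oversight the "Why Automate?" bullet asks for. As an added example (not from these notes), the block below reconciles a constructed HR feed against a constructed directory, only disables accounts whose termination date has arrived, skips accounts with no HR record such as service accounts, and defaults to a dry run so a reviewer approves before anything changes.

```python
# Constructed HR feed and directory state. Dates are ISO strings, which
# compare correctly as plain strings, so no date parsing is needed.
HR_FEED = [
    {"employee_id": "e100", "status": "active", "term_date": None},
    {"employee_id": "e101", "status": "terminated", "term_date": "2024-05-01"},
    {"employee_id": "e102", "status": "terminated", "term_date": "2024-05-10"},
]
DIRECTORY = {
    "jdoe": {"employee_id": "e100", "enabled": True},
    "bkim": {"employee_id": "e101", "enabled": True},
    "cwu": {"employee_id": "e102", "enabled": True},
    "svc-backup": {"employee_id": None, "enabled": True},  # service account, not in HR
}

def accounts_to_disable(hr_feed, directory, today):
    """Usernames still enabled whose HR record is terminated on or before today.
    Future-dated terminations wait; accounts with no HR record are skipped."""
    terminated = {r["employee_id"] for r in hr_feed
                  if r["status"] == "terminated" and r["term_date"] <= today}
    return sorted(user for user, acct in directory.items()
                  if acct["enabled"] and acct["employee_id"] in terminated)

def run(hr_feed, directory, today, dry_run=True):
    """Dry run only reports what would change; the real run flips accounts
    after a reviewer approves, which is the oversight the notes call for."""
    actions = []
    for user in accounts_to_disable(hr_feed, directory, today):
        actions.append(f"disable {user}")
        if not dry_run:
            directory[user]["enabled"] = False
    return actions

if __name__ == "__main__":
    print("dry run:", run(HR_FEED, DIRECTORY, "2024-05-05"))
    print("applied:", run(HR_FEED, DIRECTORY, "2024-05-05", dry_run=False))
```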


🚨 4.7 Incident Response (IR)

🔹 IR Process

  1. Preparation – Have a plan, tools, and people in place.

  2. Detection & Analysis – Recognize and classify the incident.

  3. Containment – Short-term (isolate system) vs Long-term (segment network).

  4. Eradication – Remove malware, backdoors.

  5. Recovery – Restore systems to normal.

  6. Lessons Learned – Post-incident review and documentation.

🔹 Containment Tips

  • Don’t immediately wipe systems — first gather forensic data.

  • Common containment:
    Disable accounts, block IPs, disconnect systems.

🧠 Tip:
On the test, containment comes before eradication — control the damage first.


🔎 4.8 Digital Forensics and Investigations

🔹 Chain of Custody

  • Every handler and action must be documented to ensure evidence integrity.

🔹 Order of Volatility

  1. CPU/Cache

  2. RAM

  3. Network connections

  4. Disk

  5. Backups

  • You must collect data in this order during forensics.

🔹 Forensic Best Practices

  • Always use a bit-for-bit image — never work on the original drive.

  • Log timestamps and findings — may be used in legal proceedings.

🧠 Tip:
If you mess with evidence or don't follow procedure, it becomes inadmissible in court.
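Chain of custody and the bit-for-bit image come together in a custody log that hashes the image at acquisition and re-verifies that hash at every handoff. As an added example (not from these notes), the block below keeps such a log with handler, action and timestamp per entry and shows that a single altered byte in a working copy breaks the chain; the image bytes and handler names are constructed.

```python
"""Chain-of-custody log for a forensic image: hash the bit-for-bit image
on acquisition, record every handler and action with a timestamp, and
re-verify the hash at each handoff so any alteration is detectable.
Added example; the 'image' bytes and handlers are constructed."""
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for a disk image (in practice: the image file's bytes).
IMAGE = b"\x00" * 512 + b"constructed sample sector data" + b"\xff" * 512

def sha256(data):
    return hashlib.sha256(data).hexdigest()

class CustodyLog:
    def __init__(self, image, acquired_by, when=None):
        self.reference_hash = sha256(image)  # the hash taken at acquisition
        self.entries = []
        self.record("acquired bit-for-bit image", acquired_by, image, when)

    def record(self, action, handler, image, when=None):
        """Append an entry. 'verified' is False when the bytes presented at
        this handoff no longer match the acquisition hash."""
        current = sha256(image)
        entry = {
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "handler": handler, "action": action,
            "sha256": current, "verified": current == self.reference_hash,
        }
        self.entries.append(entry)
        return entry["verified"]

    def intact(self):
        """True only if every handoff re-verified the acquisition hash."""
        return all(e["verified"] for e in self.entries)

def demo(tampered=False):
    """Acquisition, transfer to the locker, then checkout for analysis.
    With tampered=True the analyst receives a copy with one byte changed."""
    log = CustodyLog(IMAGE, "analyst-1")
    log.record("transferred to evidence locker", "custodian-1", IMAGE)
    working_copy = IMAGE[:-1] + b"\x00" if tampered else IMAGE
    log.record("checked out for analysis", "analyst-2", working_copy)
    return log

if __name__ == "__main__":
    print("clean chain intact:", demo().intact())
    print("tampered chain intact:", demo(tampered=True).intact())
```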
