
Question 1

What are the advantages of using NTFS over FAT file systems in Windows?

Describe at least three key features that make NTFS a preferred choice.

Answer text Question 1

NTFS provides features and security controls that FAT file systems do not offer:

  • Access control: permissions can be set on files and folders to restrict which users may access them.
  • Encryption: files can be encrypted so that only authorized users can read them.
  • Large volumes and files: it supports partition sizes up to 256 TB and file sizes up to 16 TB.
  • Compression: files can be compressed to save space.
  • Disk quotas: a storage quota can be allocated to each user, limiting how much space that user can consume.

Question 2

Describe the Encrypting File System (EFS) feature in NTFS.

What advantages does it offer for protecting sensitive data on Windows systems?

Answer text Question 2

The Encrypting File System (EFS) is a feature integrated into the NTFS file system. It protects individual files or folders so that only authorized users can access the encrypted content. EFS is useful for securing sensitive data on computers that might be lost, stolen, or accessed by unauthorized users.
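The following PowerShell is an added example, not code from the original post: it applies two of the NTFS features just described (permissions and EFS encryption) to one folder. It replaces inherited permissions with a short least-privilege ACL, optionally turns on EFS for the folder, and reports the result. The folder path and the group name `ACME\Finance` are placeholders chosen for the example; run it in an elevated PowerShell session on Windows.

```powershell
# Added example: least-privilege NTFS ACL plus EFS encryption on one folder.
# Windows only, elevated session. Paths and the group name are placeholders.

function Protect-SensitiveFolder {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Group,      # e.g. 'ACME\Finance' (placeholder)
        [switch]$Encrypt
    )
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

    $acl = Get-Acl -Path $Path
    # Stop inheriting permissions from the parent and drop the inherited entries,
    # so that only the rules set below apply to this folder.
    $acl.SetAccessRuleProtection($true, $false)

    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None

    # Administrators and SYSTEM keep full control; the business group gets Modify only
    # (no permission or ownership changes); nobody else is listed at all.
    $rules = @(
        New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', $inherit, $propagate, 'Allow')
        New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM',    'FullControl', $inherit, $propagate, 'Allow')
        New-Object System.Security.AccessControl.FileSystemAccessRule($Group,                   'Modify',      $inherit, $propagate, 'Allow')
    )
    foreach ($r in $rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path $Path -AclObject $acl

    if ($Encrypt) {
        # EFS: cipher.exe /e marks the folder encrypted so files created inside are
        # encrypted with the current user's EFS certificate; /s applies to subfolders too.
        & cipher.exe /e "/s:$Path" | Out-Null
    }
}

function Get-FolderProtectionReport {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    [pscustomobject]@{
        Path               = $Path
        InheritanceBlocked = $acl.AreAccessRulesProtected
        AccessRules        = $acl.Access | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }
        Encrypted          = [bool]((Get-Item $Path).Attributes -band [System.IO.FileAttributes]::Encrypted)
    }
}

# Usage (placeholder path and group):
Protect-SensitiveFolder -Path 'D:\Finance\Reports' -Group 'ACME\Finance' -Encrypt
Get-FolderProtectionReport -Path 'D:\Finance\Reports'
```

The report shows whether inheritance is blocked, which identities remain on the ACL, and whether the Encrypted attribute is set, which is the quickest way to confirm both controls actually took effect.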

 

Question 3

Explain the purpose of the Windows registry.

Answer text Question 3

The Windows Registry is a critical component of the Windows operating system.

Centralized Configuration:

The Registry provides a central place for storing the configuration settings used by the operating system and by all applications that run on Windows.

System and Application Settings:

It stores preferences and settings for both the operating system and third-party applications, including system policies, file associations, system service settings, user preferences, and much more.

User Profiles Management:

Each user on a Windows system can have their own set of registry settings that define their desktop environment.

Question 4

How does the registry support configuration management in Windows operating systems?

Answer text Question 4

The Registry serves as a centralized repository where all configuration settings are stored. This includes information about the system setup, installed applications, attached devices, and user-specific settings.

The Registry is organized in a hierarchical structure of keys and subkeys under five root keys:

HKEY_CLASSES_ROOT: Deals with file type associations.

HKEY_CURRENT_USER: Stores settings that are specific to the currently logged-in user.

HKEY_LOCAL_MACHINE: Contains settings that apply to all users on the machine.

HKEY_USERS: Contains settings for all user profiles on the computer.

HKEY_CURRENT_CONFIG: Stores information about the hardware profile used by the local machine at system startup.

Question 5

What are the main root keys in the Windows registry, and what type of information is stored in each?

Answer text Question 5

HKEY_CLASSES_ROOT: Deals with file type associations.

HKEY_CURRENT_USER: Stores settings that are specific to the currently logged-in user.

HKEY_LOCAL_MACHINE: Contains settings that apply to all users on the machine.

HKEY_USERS: Contains settings for all user profiles on the computer.

HKEY_CURRENT_CONFIG: Stores information about the hardware profile that is used by the local machine at system startup.
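As an added example (not part of the original post), the following PowerShell reads settings through the registry provider to show the hierarchy and root keys described in Questions 3 to 5: the same value name can exist under HKLM (all users) and HKCU (current user), HKEY_USERS has to be mounted as a drive before it can be browsed, and keys contain subkeys and typed values. The value names used (`EnableScriptBlockLogging`, `LmCompatibilityLevel`) are real Windows settings; the report function and its output shape are the example's own.

```powershell
# Added example: reading security-relevant settings through the registry provider.
# The value names are real Windows settings; the report function is the example's own.

# HKLM: and HKCU: are mounted as drives by default; HKEY_USERS is not, so mount it.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

function Get-RegistryValueReport {
    param([Parameter(Mandatory)][string[]]$Path, [Parameter(Mandatory)][string]$Name)
    foreach ($p in $Path) {
        $key = Get-Item -Path $p -ErrorAction SilentlyContinue     # a Microsoft.Win32.RegistryKey
        if (-not $key) {
            [pscustomobject]@{ Path = $p; KeyExists = $false; Name = $Name; Value = $null; Kind = $null }
            continue
        }
        $value = $key.GetValue($Name)                 # $null when the value is absent
        [pscustomobject]@{
            Path      = $p
            KeyExists = $true
            Name      = $Name
            Value     = $value
            Kind      = if ($null -ne $value) { $key.GetValueKind($Name) } else { $null }   # DWord, String, ...
        }
    }
}

# 1. Machine-wide policy vs. per-user policy: the same value name can live under
#    HKLM (applies to all users) and HKCU (the logged-in user only).
Get-RegistryValueReport -Name 'EnableScriptBlockLogging' -Path @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
) | Format-Table -AutoSize

# 2. LSA hardening settings live under HKLM only.
Get-RegistryValueReport -Name 'LmCompatibilityLevel' -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# 3. HKEY_USERS holds one subkey per loaded profile (named by SID);
#    HKEY_CURRENT_USER is a view of the current user's entry here.
Get-ChildItem -Path HKU:\ | Select-Object -ExpandProperty PSChildName

# 4. One level of the hierarchy: subkeys of a key, then its value names.
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -Name
(Get-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager').GetValueNames()
```

A missing key and a missing value are reported separately (`KeyExists` vs. a null `Value`); that distinction matters when auditing policy, because an absent policy value usually means "default behaviour", not "disabled".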

 

Question 6

Explain the concept of a process.

Include the steps involved in process creation and termination.

Answer text Question 6

Every time you launch a program, Windows creates a new process for it, executes it, and then tears it down:

It creates a process ID (PID) and allocates a virtual address space for the process, which holds the code, data, and resources required by that program.

It then loads the program's files into memory for execution.

It sets up the program environment and starts execution.

After the process has finished:

Execution is complete, and the process calls the exit routine to terminate.

If there is an error:

The process encounters an error and terminates itself early.
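The lifecycle above, observed from PowerShell, as an added example that is not part of the original post: a process is created, its PID, thread count and memory footprint are read while it runs, and it either exits normally with an exit code or, if it overruns a time limit, is terminated by the caller. The commands run (`cmd.exe /c exit 3` and a `ping` used as a sleep) and the timeouts are the example's own choices; Windows only.

```powershell
# Added example: observing process creation and termination from PowerShell (Windows only).
# The commands and timeouts below are chosen for the example.

function Invoke-TrackedProcess {
    param(
        [string]$FilePath = 'cmd.exe',
        [string]$Arguments = '/c exit 3',
        [int]$TimeoutSeconds = 10
    )
    # Creation: the kernel assigns a PID and a fresh virtual address space, maps the
    # image and its DLLs, and starts the initial thread.
    $proc = Start-Process -FilePath $FilePath -ArgumentList $Arguments -PassThru -WindowStyle Hidden
    $null = $proc.Handle        # cache the handle so ExitCode stays readable after the process exits

    $snapshot     = Get-Process -Id $proc.Id
    $threadCount  = $snapshot.Threads.Count
    $workingSetMB = [math]::Round($snapshot.WorkingSet64 / 1MB, 1)

    # Normal termination: the process calls its exit routine and returns an exit code.
    # Forced termination: if it overruns the time limit, the caller terminates it.
    if ($proc.WaitForExit($TimeoutSeconds * 1000)) {
        $outcome = 'exited'
    } else {
        Stop-Process -Id $proc.Id -Force
        $proc.WaitForExit()
        $outcome = 'killed'
    }
    [pscustomobject]@{
        Pid          = $proc.Id
        StartTime    = $proc.StartTime
        Threads      = $threadCount
        WorkingSetMB = $workingSetMB
        Outcome      = $outcome
        ExitCode     = $proc.ExitCode     # the program's own code when it exits; non-zero after Stop-Process
    }
}

# Normal exit with an explicit exit code
Invoke-TrackedProcess -Arguments '/c exit 3'
# Overrun: a process that would sleep for about a minute is terminated after 5 seconds
Invoke-TrackedProcess -Arguments '/c ping -n 61 127.0.0.1 >nul' -TimeoutSeconds 5
```

Caching `$proc.Handle` is the usual workaround for `Start-Process -PassThru` objects whose `ExitCode` otherwise reads as null once the process has gone; the exit code is what a scheduled task or monitoring script would use to decide whether the run succeeded.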

 

 

Question 7

Describe the role of threads in program execution.

Discuss thread creation, termination, and synchronization within a process.

Answer text Question 7

A thread is a unit of execution nested within a process.

Threads are important because they provide a process with its functionality and are the basic units to which an operating system allocates processor time.

Thread creation process:

The thread is created and assigned a unique thread identifier (TID).

The thread is allocated a stack that stores local variables and function call information.

The thread is associated with its parent process, which establishes a hierarchical relationship.

The initial execution context, which includes the program counter, registers, and stack pointer, is set up for the thread.

A thread control block (TCB) is created to store information about the thread.

Thread execution:

Once the thread has been created, it is executed.

Multiple threads can execute at the same time while sharing the same memory space.

Termination:

The thread completes its task and terminates naturally.

The thread explicitly calls an exit routine to terminate itself.

If there is an error:

The thread encounters an error and terminates itself early.

The parent process terminates, destroying all the threads it contains.

Thread Synchronization

Thread synchronization is crucial to ensure that threads coordinate correctly and avoid issues such as deadlocks and inconsistent data states. Some examples of synchronization mechanisms are:

Mutexes (Mutual Exclusion Locks): Mutexes ensure that only one thread can access a critical section of code or data at a time.

Semaphores: Semaphores control how many threads may access a resource at the same time.

Condition Variables: Used to block a thread until a particular condition is met, allowing threads to wait for certain events.

Barriers: Synchronization points where threads wait until all threads have reached a certain point in execution before proceeding.
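As an added example, not part of the original post, the following PowerShell demonstrates the shared-memory race that mutexes exist to prevent. PowerShell runspaces (each `[powershell]` instance runs its script on a separate thread) increment one shared counter; with the mutex, the read-modify-write becomes a critical section and the total is exact, without it updates are lost. Thread counts and iteration counts are arbitrary choices for the example, and a lost update is not guaranteed to appear on every unlocked run, which is exactly what makes such bugs hard to find.

```powershell
# Added example: runspaces racing on a shared counter with and without a mutex.
# Thread and iteration counts are arbitrary.

$shared = [hashtable]::Synchronized(@{ Total = 0 })   # individual reads/writes are thread-safe
$mutex  = New-Object System.Threading.Mutex            # unnamed; shared inside this process

$worker = {
    param([hashtable]$Shared, [System.Threading.Mutex]$Lock, [int]$Iterations, [bool]$UseLock)
    for ($i = 0; $i -lt $Iterations; $i++) {
        if ($UseLock) { [void]$Lock.WaitOne() }      # enter the critical section
        # Read-modify-write is NOT atomic: two threads can read the same old value,
        # both add one, and both write back the same result (one update is lost).
        $Shared['Total'] = $Shared['Total'] + 1
        if ($UseLock) { $Lock.ReleaseMutex() }       # leave the critical section
    }
}

function Invoke-CounterRace {
    param([bool]$UseLock, [int]$Threads = 4, [int]$Iterations = 20000)
    $shared['Total'] = 0
    # Thread creation: each PowerShell instance runs the worker on a thread-pool thread
    $workers = foreach ($n in 1..$Threads) {
        $ps = [powershell]::Create()
        [void]$ps.AddScript($worker.ToString()).
            AddArgument($shared).AddArgument($mutex).AddArgument($Iterations).AddArgument($UseLock)
        @{ Shell = $ps; Handle = $ps.BeginInvoke() }   # started; all workers now run concurrently
    }
    # Thread termination: wait for each worker to finish, then release its resources
    foreach ($w in $workers) { [void]$w.Shell.EndInvoke($w.Handle); $w.Shell.Dispose() }
    [pscustomobject]@{
        UseLock     = $UseLock
        Expected    = $Threads * $Iterations
        Observed    = $shared['Total']
        LostUpdates = ($Threads * $Iterations) - $shared['Total']
    }
}

Invoke-CounterRace -UseLock $false   # LostUpdates is usually greater than 0
Invoke-CounterRace -UseLock $true    # LostUpdates is always 0
```

The synchronized hashtable makes each individual read and write safe, yet the counter still loses updates without the mutex: thread safety of the container is not the same as atomicity of the operation, which is the point the mutex paragraph above is making.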

 

Question 8

Explain the concept of dynamic linking and how DLLs contribute to code reusability in Windows applications.

Discuss the security implications associated with using DLLs.

Answer text Question 8

DLLs are shared libraries containing code and data that can be used by multiple programs simultaneously. They enable applications to be split into modules so that they can be updated and reused easily. By separating application code into DLLs, you can create libraries that are shared by multiple applications.

Advantages of DLLs:

Reduces code duplication. Functions related to specific functionality can be compiled into a DLL and used by any application that requires them.

Simplifies maintenance. Only the DLL needs to be updated rather than every application that uses it.

Saves disk space. Since DLLs are shared among various applications, the same code base serves multiple applications.

Improves development efficiency. Applications can load DLLs when needed at runtime, which can be more efficient in terms of resource utilization. An application can load a library as needed, perform the required tasks, and unload the DLL to free resources.

DLLs can be vulnerable to cyberattacks if you do not work to secure them.

Some vulnerabilities and security implications of using DLLs:

DLL Backdooring:

This involves modifying a legitimate DLL to include malicious code. When the application loads the backdoored DLL, the malicious code is executed. Attackers can use this to gain unauthorized access.

DLL Injection:

This technique involves injecting a malicious DLL into the address space of another process. It is a common method used by malware to run malicious code within the context of another application, bypassing security measures that protect the system from running unauthorized executables.

DLL Hijacking:

This occurs when an attacker places a malicious DLL with the same name as a legitimate DLL in a path that the application searches before the legitimate library's location. If the application loads the malicious DLL, the attacker's code is executed.

DLL Sideloading:

This exploits the legitimate loading process of an application to load an unauthorized DLL. It typically involves tricking an application into loading a malicious DLL disguised as a legitimate one.

Question 9

Define DLL hijacking and explain the risks associated with this technique.

Describe the security mechanisms implemented by Windows to prevent DLL hijacking and protect applications from loading malicious DLLs.

Answer text Question 9

DLL hijacking is a security vulnerability that occurs when an application loads a malicious Dynamic Link Library (DLL) in place of a legitimate one.

Risks Associated with DLL Hijacking

Unauthorized Code Execution:

The primary risk is that the hijacked DLL allows execution of unauthorized code.

Data Theft and Corruption:

Malicious DLLs can be used to intercept and manipulate data, leading to information theft, data corruption, or data loss.

System Compromise:

Once a malicious DLL is loaded, it can act as a gateway for further exploitation, such as installing additional malware or creating backdoors.

Windows Security Mechanisms to Prevent DLL Hijacking

Microsoft has implemented several security mechanisms within Windows to mitigate the risks of DLL hijacking.

Safe DLL Search Mode:

When enabled, the system directories are searched before the application directory. This makes it harder for an attacker to trick an application into loading a malicious DLL.

Windows Code Integrity:

This feature is designed to ensure that only trusted, digitally signed DLLs are loaded into critical system processes. It checks the integrity and digital signature of DLLs before they are loaded, to verify that they have not been tampered with.

User Account Control (UAC):

UAC can mitigate the impact of DLL hijacking by preventing unauthorized changes to the system unless elevated privileges are granted.

Question 10

Discuss the role of digital signatures in DLL loading.

Explain how digital signatures are used to verify the authenticity and integrity of DLLs.

Highlight the importance of using trusted sources for DLL updates and patches.

Answer text Question 10

Digital signatures are used to verify that a DLL has not been tampered with and that it originates from a trusted source.

Authenticity:

A digital signature confirms that the DLL comes from the entity that signed it, which is typically the software developer or vendor.

Integrity:

When a DLL is signed, the digital signature is generated based on the DLL's contents. This signature includes a cryptographic hash of the DLL, which is a unique representation of its data. When a DLL is loaded, Windows recalculates the hash and compares it with the hash stored in the signature. If the hashes match, it confirms that the DLL has not been altered since it was signed.

Importance of Using Trusted Sources for DLL Updates and Patches:

By ensuring that DLLs come from a trusted source and are digitally signed, users and administrators can prevent malicious code from being introduced into the system.

Trusted sources are likely to provide DLLs that are compatible with existing systems and software. This reduces the risk of system instability or crashes that can occur when using DLLs from unverified or unknown sources.

Trusted sources provide regular updates and patches for their DLLs, which are crucial for closing security vulnerabilities and enhancing functionality.
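The checks described in Questions 8 to 10 (which DLLs a process has loaded, where they were loaded from, whether each one carries a valid signature and by whom, and whether Safe DLL Search Mode is on) can be scripted; the following PowerShell is an added example and is not code from the original post. The `SafeDllSearchMode` value name and the signature status values are real; the list of "trusted" directories and the choice of `explorer` as the process to inspect are the example's own.

```powershell
# Added example: audit the DLLs loaded by a process (what Process Explorer shows, scripted).
# Registry value name and signature statuses are real; trusted-directory list is the example's choice.

function Get-SafeDllSearchModeState {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).SafeDllSearchMode
    if ($null -eq $v) { 'Enabled (default; value not present)' }
    elseif ($v -eq 1)  { 'Enabled' }
    else               { 'DISABLED - review: the current directory is searched earlier' }
}

function Get-ProcessModuleAudit {
    param([Parameter(Mandatory)][string]$ProcessName)
    $trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
        Where-Object { $_ -ne '\' }                                  # drop the empty one on 32-bit hosts
    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction Stop) {
        # Module lists may be inaccessible (protected process, or 32/64-bit mismatch)
        $modules = try { $proc.Modules } catch { @() }
        foreach ($m in $modules) {
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            $inTrusted = $false
            foreach ($root in $trustedRoots) {
                if ($m.FileName.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
            }
            [pscustomobject]@{
                Pid                = $proc.Id
                Module             = $m.ModuleName
                Path               = $m.FileName
                Status             = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
                SigType            = $sig.SignatureType   # Authenticode (embedded) or Catalog; most Windows DLLs are catalog-signed
                Signer             = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                Sha256             = (Get-FileHash -Path $m.FileName -Algorithm SHA256).Hash
                OutsideTrustedDirs = -not $inTrusted
            }
        }
    }
}

# Anything unsigned, failing its hash check, or loaded from an unexpected directory deserves a look.
Get-SafeDllSearchModeState
Get-ProcessModuleAudit -ProcessName 'explorer' |
    Where-Object { $_.Status -ne 'Valid' -or $_.OutsideTrustedDirs } |
    Format-Table Pid, Module, Status, SigType, Signer, Path -AutoSize
```

`HashMismatch` is the status that corresponds to the integrity check in the answer above: the file carries a signature, but the hash Windows recomputes no longer matches the signed one. The SHA-256 column is there so a suspicious module can be compared against a vendor's published hash without re-running the audit.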

Question 11

Explain the role of the Task Scheduler in enhancing Windows security.

Provide at least two (2) examples of security-related tasks that can be scheduled using the Task Scheduler.

Answer text Question 11

Task Scheduler is an automated tool for executing scripts and programs at specified times or under specific conditions.

Examples:

Automated Security Updates and Patch Management:

Task Scheduler can be configured to automatically run security updates or patch management tools at regular intervals. This ensures that the system remains up to date with the latest security patches.

Regular System Scans and Monitoring:

Task Scheduler can automate the process of running antivirus or anti-malware scans at regular intervals.

Question 12

Explain how the Task Scheduler can be utilised to automate security scans and enhance system security.

Answer text Question 12

Task Scheduler is a powerful tool in Windows that allows users to automate various tasks, which can significantly enhance system security. Here are some ways:

  1. Automatic Regular Scans of Antivirus Software:
  • Setup: Configure Task Scheduler to run antivirus scans at regular intervals (e.g., daily or weekly).
  • Enhancement to Security: Regularly scheduled scans help in the early detection and removal of malware, preventing potential breaches and maintaining the integrity of the system. This proactive approach ensures that any malicious software is identified and dealt with promptly.

  2. Automatic Windows and Software Updates:
  • Setup: Schedule tasks to automatically check for and install Windows updates and updates for other critical software.
  • Enhancement to Security: Keeping the operating system and software up to date is crucial for security. Regular updates patch vulnerabilities that could be exploited by attackers.

  3. Execution of Security Scripts (e.g., PowerShell Scripts):
  • Setup: Use Task Scheduler to run custom PowerShell scripts at specified times to perform various security-related tasks, such as checking for unusual activity, configuring security settings, or backing up important data.
  • Enhancement to Security: Automated scripts can enforce security policies consistently and regularly. They can also be used to perform complex security checks and actions that would be time-consuming or prone to human error if done manually.

By implementing these automated tasks, organizations can ensure that security measures are consistently applied, reducing the risk of vulnerabilities and improving overall system security.

Question 13

Describe the role of the Task Scheduler in automating system updates and patches.

Explain how scheduled updates contribute to the overall security of a Windows system.

Answer text Question 13

Role of Task Scheduler in Automating Updates and Patches

By setting up scheduled tasks to automatically check for and install updates, administrators can ensure that every system is consistently updated.

Updates can be scheduled during off-peak hours, such as late at night or on weekends, to minimize the impact on system performance and user productivity.

Updates can also be configured to start at system startup.

Contribution to Overall Security

Regular and automatic updating ensures that discovered vulnerabilities are patched as soon as fixes are available, significantly reducing the risk of exploitation.

By keeping the system updated, Task Scheduler helps prevent infections that exploit old vulnerabilities.
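One way to put Questions 11 to 13 into practice, as an added example that is not code from the original post: a scheduled task that updates Defender signatures and runs a quick scan nightly in an off-peak window and again at startup, plus an audit that lists every enabled task with its command line and last result. The `ScheduledTasks` and `Defender` cmdlets used are built into Windows; the task name, the 03:00 window and the two-hour time limit are the example's own choices.

```powershell
# Added example: a nightly + at-startup Defender scan task, and an audit of existing tasks.
# Task name and schedule are example choices; run from an elevated PowerShell session.

function Register-DefenderScanTask {
    param([string]$TaskName = 'Security-DefenderQuickScan', [string]$At = '03:00')
    $command = 'Update-MpSignature; Start-MpScan -ScanType QuickScan'
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -NonInteractive -Command `"$command`""
    $triggers = @(
        (New-ScheduledTaskTrigger -Daily -At $At),   # off-peak window
        (New-ScheduledTaskTrigger -AtStartup)        # also at boot, for machines that were off overnight
    )
    # Run as SYSTEM without a stored password; highest run level so the scan has full access
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    $settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable `
        -ExecutionTimeLimit (New-TimeSpan -Hours 2) -MultipleInstances IgnoreNew
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $triggers `
        -Principal $principal -Settings $settings -Force
}

function Get-ScheduledTaskAudit {
    # Every enabled task: who it runs as, what it runs, and whether the last run succeeded
    Get-ScheduledTask | Where-Object State -ne 'Disabled' | ForEach-Object {
        $info = $_ | Get-ScheduledTaskInfo
        [pscustomobject]@{
            Task       = $_.TaskName
            Folder     = $_.TaskPath
            State      = $_.State
            RunAs      = $_.Principal.UserId
            Command    = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            LastRun    = $info.LastRunTime
            LastResult = ('0x{0:X8}' -f $info.LastTaskResult)   # 0x00000000 = success
            NextRun    = $info.NextRunTime
        }
    }
}

Register-DefenderScanTask
Get-ScheduledTaskAudit | Format-Table Task, RunAs, LastRun, LastResult, NextRun -AutoSize
```

The `-StartWhenAvailable` setting is what makes an off-peak schedule safe on laptops: a run missed because the machine was asleep at 03:00 starts as soon as it is back, instead of being skipped until the next night. Checking `LastResult` is how the "every system is consistently updated" claim above gets verified rather than assumed.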

 

Question 14

What are the three primary event logs in Windows Event Logging?
Describe the purpose and types of events stored in each log.

Answer text Question 14

Application, Security, and System.

Application Log:

Purpose: This log records events related to software and applications running on the system.

Types of Events Stored: errors, warnings, and informational messages from applications, such as crashes.

Security Log:

Purpose: monitoring and identifying security-related activities specified by the system's audit policy.

Types of Events Stored: successful and failed login attempts, resource access, account management events (for example, user creation, deletion, or modification), and policy changes.

System Log:

Purpose: events logged by operating system components. These events are often essential for diagnosing hardware and software problems.

Types of Events Stored: system errors, warnings, and informational messages related to system operations, driver failures, hardware issues, and other system-level notifications.

Question 15

What is the purpose of Event IDs in Windows Event Logging?

Explain their significance in event log analysis.

Answer text Question 15

Purpose of Event IDs

Each Event ID is unique to a particular event message or type. This allows precise identification and categorization of events, making logs easier to understand.

Administrators can quickly filter and search for specific events within the event logs.

Significance in Event Log Analysis

Troubleshooting: by referring to a specific ID, administrators can quickly find detailed descriptions and common resolutions related to the event.
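Filtering by Event ID, as discussed in Questions 14 and 15, is how the Security log is actually worked: the following PowerShell is an added example (not code from the original post) that pulls failed-logon events (Event ID 4625), reads their fields by name from the event XML rather than by position, and summarises repeated failures per source address and account. Reading the Security log needs an elevated session and an audit policy that records logon failures; the 24-hour window and the threshold of ten failures are the example's own choices.

```powershell
# Added example: summarise failed logons (Event ID 4625) per source and account.
# Needs an elevated session; window and threshold are example choices.

function ConvertFrom-EventData {
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    # Read EventData fields by name from the XML instead of by positional index
    $data = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}

function Get-FailedLogonSummary {
    param([int]$Hours = 24, [int]$Threshold = 10)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue   # no matches -> empty
    $rows = foreach ($e in $events) {
        $f = ConvertFrom-EventData -Record $e
        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = $f['TargetUserName']
            Source    = $f['IpAddress']
            LogonType = $f['LogonType']      # 3 = network, 10 = remote interactive (RDP), ...
            Status    = $f['Status']         # NTSTATUS, e.g. 0xC000006D = bad user name or password
        }
    }
    $rows | Group-Object Source, User | Where-Object Count -ge $Threshold | ForEach-Object {
        $times = @($_.Group.Time | Sort-Object)
        [pscustomobject]@{
            Source     = $_.Group[0].Source
            User       = $_.Group[0].User
            Failures   = $_.Count
            First      = $times[0]
            Last       = $times[-1]
            LogonTypes = ($_.Group.LogonType | Sort-Object -Unique) -join ','
        }
    } | Sort-Object Failures -Descending
}

Get-FailedLogonSummary -Hours 24 -Threshold 10 | Format-Table -AutoSize
```

Selecting the field by name (`TargetUserName`, `IpAddress`) rather than by index is deliberate: the positional layout of 4625's data differs between Windows versions, and a detection that silently reads the wrong column is worse than one that fails loudly.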

Question 16

What is the purpose of the Windows Management Interface (WMI)?

Answer text Question 16

WMI allows administrators to manage local and remote systems by providing access to information about system status, configuration, hardware, installed software, and the operating system.

WMI supports automation and scripting, enabling system administrators to automate tasks across systems using PowerShell, VBScript, or other scripting languages.

Question 17

Name at least two scripting languages that can be used to interact with WMI and perform management tasks.

Answer text Question 17

PowerShell

VBScript
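The management use of WMI described in Questions 16 and 17, shown in PowerShell as an added example that is not code from the original post: one function gathers an inventory (OS build, last boot, installed hotfixes, running services) from the local machine or, over a CIM session, from a remote one. `Win32_OperatingSystem`, `Win32_QuickFixEngineering` and `Win32_Service` are standard WMI classes; the "services running from outside the standard directories" heuristic and the computer name `SRV01` are the example's own.

```powershell
# Added example: WMI/CIM inventory of a local or remote host with PowerShell.
# Standard WMI classes; the out-of-place-service heuristic is the example's own.

function Get-HostInventory {
    param([string]$ComputerName, [pscredential]$Credential)
    $cim = @{}
    if ($ComputerName) {
        # Remote query: a CIM session over WinRM (the modern replacement for Get-WmiObject -ComputerName)
        $sessionAr = @{ ComputerName = $ComputerName }
        if ($Credential) { $sessionAr.Credential = $Credential }
        $cim.CimSession = New-CimSession @sessionAr
    }
    try {
        $os   = Get-CimInstance @cim -ClassName Win32_OperatingSystem
        $qfe  = Get-CimInstance @cim -ClassName Win32_QuickFixEngineering
        $svcs = Get-CimInstance @cim -ClassName Win32_Service -Filter "State='Running'"
        # Services whose binary lives outside \Windows or \Program Files are worth a second look
        $odd  = $svcs | Where-Object {
            $_.PathName -and $_.PathName -notmatch '^"?[A-Za-z]:\\(Windows|Program Files)'
        }
        [pscustomobject]@{
            Computer        = $os.CSName
            OS              = $os.Caption
            Build           = $os.BuildNumber
            LastBoot        = $os.LastBootUpTime
            HotfixCount     = @($qfe).Count
            NewestHotfix    = ($qfe | Sort-Object InstalledOn -Descending | Select-Object -First 1).HotFixID
            RunningServices = @($svcs).Count
            ServicesOutsideStandardDirs = @($odd | ForEach-Object { "$($_.Name) -> $($_.PathName)" })
        }
    } finally {
        if ($cim.CimSession) { Remove-CimSession -CimSession $cim.CimSession }
    }
}

Get-HostInventory                                                        # local machine
# Get-HostInventory -ComputerName 'SRV01' -Credential (Get-Credential)   # remote host (placeholder name)
```

Because the only difference between the local and remote paths is the splatted `CimSession`, the same inventory can be run across a fleet in a loop, which is the automation the answer above refers to.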

Question 18

What is fileless malware, and how does it operate?

Answer text Question 18

Fileless malware is a type of malicious software that uses legitimate programs to infect a computer.

Fileless malware does not rely on files and does not write any content to the disk, making it difficult to detect with standard anti-virus software.

How Fileless Malware Operates

Fileless malware uses software that is already installed on the victim's computer, such as PowerShell, WMI, or other scripting environments. These tools are generally trusted components of the operating system, which allows the malware to operate without being detected.

Instead of dropping files on the disk, fileless malware executes directly in the system's memory (RAM).

Fileless malware might manipulate registry keys or scheduled tasks. By setting itself up as a task that executes every time the system boots, the malware can reload into memory without ever storing its components on the disk.

Question 19

What is DLL injection, and how does it allow malware to hide?

Answer text Question 19

What is DLL Injection?

DLL injection is the loading of a dynamic link library (DLL) into the address space of a running process. Once injected, the DLL code becomes part of the targeted process and can execute with the same privileges as that process.

How DLL Injection Allows Malware to Hide

By injecting into a legitimate process, malware can hide its presence.

The process appears normal and legitimate to the system and the user, making the malware less likely to be found.

Question 20

Explain the concept of steganography in the context of malware hiding techniques.

Answer text Question 20

Steganography is a technique used to hide information within another file or message, such as hiding a secret note inside a drawing.

Attackers can use steganography to hide malicious code or data within digital content such as images, audio files, or videos.

Question 21

How do malicious macros contribute to malware hiding and distribution?

Answer text Question 21

Macros are embedded within standard document files such as Word and Excel documents. These documents appear harmless and legitimate, which hides the malicious code.

The document might claim that enabling macros is necessary to view its content correctly. Once enabled, the macro executes its hidden code.

When macros are enabled, they can automatically execute the embedded script as soon as the document is opened. This script can install malware, create backdoors, or connect to a remote server to download further malicious payloads.

Documents with macros can be easily distributed through email attachments, downloads from the internet, or even shared via cloud storage.

Question 22

What is Windows Defender, and how does it contribute to Windows security?

Answer text Question 22

Originally launched as a standalone anti-spyware program, Windows Defender has evolved into an antivirus product included by default in Windows 8, Windows 10, and Windows 11.

It provides real-time protection: a monitoring system that acts to prevent infection by automatically scanning applications and files as they are accessed, just like any other antivirus solution.

Windows Defender monitors behavior on the machine to detect and respond to unusual behavior that might signal the presence of a new or unidentified threat.

Question 23

Name a third-party tool commonly used for detecting and removing malware on Windows systems, and briefly describe its features.

Answer text Question 23

Malwarebytes.

It specializes in detecting and removing malware that many traditional antivirus products may miss.

It offers real-time protection such as web protection, malware protection, ransomware protection, and exploit protection.

Question 24

How can the Sysinternals Process Explorer tool aid in identifying and isolating malware?

Answer text Question 24

Sysinternals Process Explorer is a powerful tool from Microsoft that provides detailed information about the processes running on a computer and the resources they use.

How Process Explorer Aids in Identifying and Isolating Malware

By examining the details of resource consumption, network activity, and loaded modules (DLLs), analysts can spot unusual processes that may be malicious.

It watches the behavior of a process over time to detect potentially harmful activities.

It can terminate any suspicious process and stop its associated services.

Question 25

What is the significance of the Sysinternals Autoruns tool in malware detection and mitigation?

Answer text Question 25

It provides an extremely detailed view of all programs, services, and components configured to run automatically at system startup or login.

Many types of malware, including viruses, worms, and spyware, attempt to configure themselves to start automatically to ensure they remain active or can re-infect the system after a reboot. Autoruns can spot these entries.

The detailed output from Autoruns can help analysts perform a comprehensive analysis of all executables and scripts configured to run at system start.
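An Autoruns-style sweep, as an added example that is not code from the original post, covering the persistence locations named in Question 18 and Question 25: the Run and RunOnce registry keys, scheduled task actions, and WMI permanent event subscriptions. Each entry's command line is matched against a short pattern list for in-memory script loaders (encoded commands, `Invoke-Expression`, download-and-run helpers, hidden windows), which is where fileless persistence tends to show up. The pattern list is the example's own and deliberately short; run it in an elevated session so that all tasks and the `root\subscription` namespace are readable.

```powershell
# Added example: sweep Run keys, scheduled tasks and WMI subscriptions for suspicious autostarts.
# The pattern list is the example's own; run elevated.

$SuspiciousPattern = '(?i)(-enc(odedcommand)?\s|invoke-expression|\biex\b|downloadstring|frombase64string|-windowstyle\s+hidden)'

function New-AutostartFinding {
    param([string]$Source, [string]$Name, [string]$Command)
    [pscustomobject]@{
        Source     = $Source
        Name       = $Name
        Command    = $Command
        Suspicious = [bool]($Command -match $SuspiciousPattern)
    }
}

function Get-AutostartAudit {
    # 1. Registry Run/RunOnce keys, machine-wide (HKLM) and for the current user (HKCU)
    $runKeys = foreach ($hive in 'HKLM', 'HKCU') {
        "$($hive):\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        "$($hive):\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
    }
    foreach ($k in $runKeys) {
        $key = Get-Item -Path $k -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            New-AutostartFinding -Source "Registry $k" -Name $name -Command ([string]$key.GetValue($name))
        }
    }
    # 2. Scheduled tasks: every action of every enabled task
    foreach ($task in (Get-ScheduledTask | Where-Object State -ne 'Disabled')) {
        foreach ($a in $task.Actions) {
            if ($a.Execute) {
                New-AutostartFinding -Source "Task $($task.TaskPath)" -Name $task.TaskName `
                    -Command "$($a.Execute) $($a.Arguments)"
            }
        }
    }
    # 3. WMI permanent event consumers: run a command or script whenever a filter fires (e.g. at boot)
    $cmdConsumers = Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue
    foreach ($c in $cmdConsumers) {
        New-AutostartFinding -Source 'WMI CommandLineEventConsumer' -Name $c.Name -Command $c.CommandLineTemplate
    }
    $scriptConsumers = Get-CimInstance -Namespace root\subscription -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue
    foreach ($c in $scriptConsumers) {
        New-AutostartFinding -Source 'WMI ActiveScriptEventConsumer' -Name $c.Name -Command $c.ScriptText
    }
}

$findings = Get-AutostartAudit
$findings | Where-Object Suspicious | Format-Table Source, Name, Command -Wrap
"Autostart entries: $(@($findings).Count); flagged: $(@($findings | Where-Object Suspicious).Count)"
```

The WMI subscription check is the part most often skipped by hand: a `CommandLineEventConsumer` bound to a boot-time filter reloads a payload into memory at every start without any file on disk, which is exactly the mechanism the fileless-malware answer above describes. Saving the full (unfiltered) output gives a baseline to diff against later.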

Question 26

How does the Sysinternals Process Monitor tool contribute to the identification of malware activities?

Answer text Question 26

Malware often modifies system files and Registry settings to execute malicious payloads. Process Monitor can capture these modifications, which might include changes to auto-run Registry keys or unusual files being written to sensitive directories.

It can log the loading of network-related DLLs and other system components used by malware.

It can help trace the origin of suspicious processes. This includes identifying potentially malicious processes that were hidden by other applications — a common technique used by malware to hide its presence.

Question 27

What is the principle of least privilege (PoLP) and how does it contribute to Windows security?

Answer text Question 27

The Principle of Least Privilege (PoLP) is a security concept that involves restricting the access rights of users, accounts, and processes to only those resources absolutely necessary for them to function.

By operating under least privilege, the ability of malware to spread within a system or network is significantly reduced.

If a compromised user account or process has restricted permissions, the impact of the attack can be contained more quickly.

By limiting the privileges of applications and system processes, it reduces the number of ways an attacker can gain unauthorized access within the system.

Question 28

How can application whitelisting enhance Windows security?

Answer text Question 28

Whitelisting limits the number of programs that can run, thus reducing the exposure of the system to vulnerable software.

Since only pre-approved applications are allowed to run, the chances of malware executing on the system are greatly reduced.

In enterprise environments, whitelisting helps ensure that only licensed and approved software is used.
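Application whitelisting on Windows is most commonly done with AppLocker; the following PowerShell is an added example, not code from the original post, showing the safe way to introduce it: build an allow-list from the software already installed in trusted directories (publisher rules where files are signed, hash rules otherwise), deploy it in audit mode so nothing is blocked yet, and read the "would have been blocked" events before switching to enforcement. The AppLocker cmdlets, the `AppIDSvc` service and event ID 8003 are real; the directory list and output path are the example's own choices, and the inventory step over the Windows directory takes a while.

```powershell
# Added example: build an AppLocker allow-list from installed software, deploy it in audit mode,
# and review what it would have blocked. Directory list and output path are example choices.

function New-AuditModeAppLockerPolicy {
    param(
        [string[]]$TrustedDirectory = @($env:ProgramFiles, $env:SystemRoot),
        [string]$OutFile = "$env:ProgramData\applocker-audit.xml"
    )
    # Inventory publisher (signature) and hash information for executables, DLLs, scripts and MSIs
    $files = foreach ($d in $TrustedDirectory) {
        Get-AppLockerFileInformation -Directory $d -Recurse `
            -FileType Exe, Dll, Script, WindowsInstaller -ErrorAction SilentlyContinue
    }
    # Prefer publisher rules (they survive vendor updates); fall back to hash rules for unsigned files
    [xml]$policy = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml
    # Audit mode first: log what would be blocked, block nothing yet
    foreach ($rc in $policy.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
    $policy.Save($OutFile)
    $OutFile
}

function Enable-AppLockerPolicy {
    param([Parameter(Mandatory)][string]$PolicyFile)
    # The Application Identity service must be running for AppLocker rules to be evaluated
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service -Name AppIDSvc
    Set-AppLockerPolicy -XmlPolicy $PolicyFile
}

function Get-AppLockerAuditEvents {
    param([int]$Hours = 24)
    # 8003: allowed only because the policy is in audit mode (would be blocked once enforced)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

$file = New-AuditModeAppLockerPolicy
# Dry-run one binary against the policy file before deploying it
Test-AppLockerPolicy -XmlPolicy $file -Path "$env:SystemRoot\System32\notepad.exe" -User Everyone
Enable-AppLockerPolicy -PolicyFile $file
Get-AppLockerAuditEvents | Format-Table -AutoSize
```

Running in audit mode for a period and reviewing the 8003 events is what turns a whitelist from a help-desk incident into a control: every legitimate program the inventory missed shows up there first, gets a rule, and only then is `EnforcementMode` changed to `Enabled`.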

Question 29

Why is it advisable to disable unnecessary services and protocols in Windows, and how does this enhance security?

Answer text Question 29

Disabling unnecessary services and protocols in Windows is a recommended security practice because it reduces the system's potential attack surface.

Each service and protocol running on a Windows system can introduce potential vulnerabilities or entry points for malicious code.

By limiting the number of active services and protocols, you minimize the chances of exploitation and enhance the overall security of the system.

Question 30

What is the purpose of a firewall in Windows?

Answer text Question 30

The purpose of a firewall in Windows is to provide a layer of security that allows or blocks specific traffic into and out of a computer or network based on a defined set of security rules.
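Questions 29 and 30 together describe attack-surface reduction; the following PowerShell is an added example (not code from the original post) that applies both: it disables a list of services and the SMBv1 protocol, sets the Windows Firewall to default-deny inbound on all profiles with one explicit allow rule, and then lists what is still listening so the result can be checked. The service names, the management subnet `10.0.0.0/24` and the RDP rule are placeholders to be reviewed against your own environment; run it elevated.

```powershell
# Added example: disable unneeded services and SMBv1, set default-deny inbound firewall,
# then report what still listens. Service names, subnet and rule are placeholders; run elevated.

function Disable-UnneededServices {
    param([string[]]$Name = @('RemoteRegistry', 'SSDPSRV', 'upnphost'))   # placeholders
    foreach ($n in $Name) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if (-not $svc) { continue }
        $before = $svc.Status
        if ($svc.Status -eq 'Running') { Stop-Service -Name $n -Force }
        Set-Service -Name $n -StartupType Disabled           # stays off across reboots
        [pscustomobject]@{ Service = $n; Was = $before; StartType = (Get-Service -Name $n).StartType }
    }
}

function Disable-Smb1 {
    $f = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    if ($f.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        'SMB1Protocol disabled (restart required)'
    } else {
        "SMB1Protocol already $($f.State)"
    }
}

function Set-DefaultDenyFirewall {
    param([string]$ManagementSubnet = '10.0.0.0/24')    # placeholder
    # All profiles on; inbound denied unless a rule allows it; blocked packets logged for review
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow -LogBlocked True
    # One explicit allow: RDP, only from the management subnet, only on the domain profile
    $ruleName = 'Allow RDP from management subnet'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP -LocalPort 3389 `
            -RemoteAddress $ManagementSubnet -Profile Domain -Action Allow | Out-Null
    }
}

function Get-ListeningPortReport {
    # What is still exposed after the changes: listening TCP ports mapped to their processes
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Port = $_.LocalPort; Address = $_.LocalAddress; Pid = $_.OwningProcess; Process = $p.ProcessName }
    } | Sort-Object Port, Address -Unique
}

Disable-UnneededServices
Disable-Smb1
Set-DefaultDenyFirewall
Get-ListeningPortReport | Format-Table -AutoSize
```

The listening-port report is the feedback loop: each line in it is a service that the firewall rules and the service list must justify. Disabling the service is still preferable to merely filtering it, since a firewall rule protects only against network reachability, not against a local process that exploits the service.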

Question 31

Describe in detail the different types of SOC (Security Operations Centre) models.

Describe at least three (3).

Answer text Question 31

  1. Dedicated SOC

A dedicated SOC operates within the organization with a team of security experts who focus on the company's cybersecurity needs.

Allows for security practices specific to the organization's environment.

Provides continuous surveillance and rapid incident response.

The in-house team has the knowledge of the internal systems to identify and react to threats, giving faster and more effective incident response.

  2. Virtual SOC

A virtual SOC does not have a physical presence within the organization but operates remotely, utilizing cloud technologies and remote monitoring tools.

Team members work remotely, coordinating via cloud-based solutions.

Easily scales up or down based on the organization's needs and threat levels.

Uses cloud computing for enhanced data analysis and storage capabilities.

Reduces the overhead costs associated with a physical SOC, such as office space and related utilities, which offers flexibility.

Provides the ability to monitor systems across multiple locations easily.

  3. Co-managed SOC

A co-managed SOC is a hybrid approach where internal IT staff collaborate with external service providers. This model combines the expertise of third-party security professionals with the internal team.

Security responsibilities are shared between the organization and a third-party provider.

Helps organizations that have limited security expertise or need additional support during high-demand periods.

More budget-friendly than a fully dedicated SOC, as costs are shared with the service provider.

Question 32

What is the role of the Windows Kernel in the Windows operating system?

Provide a brief explanation.

Answer text Question 32

The Windows kernel is a crucial core component of the Windows operating system.

Its primary roles involve memory management, process and task management, and handling system resources and security.

The kernel is responsible for managing both physical and virtual memory in the system. It allocates memory to processes, ensuring that applications have the necessary memory resources to operate efficiently.

It prevents processes from interfering with each other's memory, enhancing system stability and security.

It schedules which processes and threads should run on the processor, managing CPU resources to ensure that system performance is maintained.

Question 33

What is the role of device drivers in the Windows operating system?

Explain with examples.

Answer text Question 33

A device driver is a type of software that allows computer programs to interact with a hardware device.

Drivers translate system commands into specific commands that the hardware device understands.

Examples of Device Drivers in Windows

  1. Printer Driver

A printer driver in Windows translates print commands into specific instructions that a printer model understands.

When you hit "print" in a Word document, the operating system uses the printer driver to send a page description in a language that the printer can understand.

  2. Graphics Card Driver

A graphics card driver translates graphics commands from the operating system or an application into specific instructions that the graphics card can execute.

This driver ensures that all visual elements displayed by the operating system or applications are rendered correctly and efficiently on your screen.

Question 34

Briefly explain the purpose of the Local Security Authority Subsystem Service (LSASS) in Windows.

Answer text Question 34

The Local Security Authority Subsystem Service (LSASS) in Windows is a component responsible for enforcing the security policy on the system. Its primary functions are authentication and authorization, managing passwords, and creating access tokens.

Question 35

Describe the function of the Memory Manager in the Windows operating system.

Answer text Question 35

The Memory Manager in the Windows operating system is a system component responsible for handling the system’s memory resources.

Its main functions include managing physical and virtual memory, handling memory allocation and deallocation, and optimizing the performance and efficiency of the computer’s RAM.

Question 36

Describe the role of the Windows Shell in the Windows operating system.

Answer text Question 36

The Windows Shell in the Windows operating system acts as the graphical user interface (GUI) that users interact with.

It provides a way to access and manage the operating system’s features and services as the bridge between users and the system’s functionalities.

Question 37

Describe the function of the Security Account Manager (SAM) in the Windows operating system.

Answer text Question 37

The Security Account Manager (SAM) is a component of the Windows operating system that manages user and group security information.

It functions as a database that stores security-related information regarding user accounts on a local computer.

SAM is critical for handling user authentication and enforcing security policies.

Question 38

Explain the purpose of the Windows Sockets (Winsock) in the Windows operating system.

Answer text Question 38

Windows Sockets (Winsock) is an essential part of the Windows operating system that manages how programs access network services, particularly over the Internet or local networks.

It acts as a translator between the network software on your computer and the programs that use network services.

Winsock enables network communication using standard socket APIs.

Question 39

Describe the key features of a Security Information Event Management (SIEM) system and explain how they contribute to enhancing an organisation’s cybersecurity infrastructure.

Answer text Question 39

Key Features of a SIEM System

SIEM systems collect and aggregate logs from various sources within an organization, including network devices, servers, databases, and applications.

A SIEM automatically investigates collected events and logs to identify anomalies or patterns associated with malicious activities.

It provides real-time analysis of events to detect abnormal activities as they occur.

Contribution to Cybersecurity Infrastructure

By collecting data from multiple sources, a SIEM improves the detection of cyber threats that might not trigger alarms on their own.

Real-time alerting and automated response capabilities enable organizations to respond to threats immediately.

Automated reporting reduces the time and effort needed to prepare for audits and ensures that compliance standards are met continuously.

Question 40

Explain the importance of real-time monitoring in a SIEM system and how it contributes to effective cybersecurity.

Answer text Question 40

Real-time monitoring ensures that any unusual or suspicious activity is detected as it happens.

The faster a threat can be identified and assessed, the quicker an organization can respond.

Early detection and response reduce the potential damage caused by security incidents. For example, detecting a ransomware attack as it starts can allow an organization to shut down affected systems and prevent the encryption of critical data.

Contribution to Effective Cybersecurity

Real-time monitoring allows organizations to anticipate and mitigate threats before they become critical, rather than simply responding to incidents after they have occurred.

Many frameworks require continuous monitoring and immediate incident reporting. Real-time monitoring in a SIEM helps ensure compliance with these regulations by providing the tools needed to track and report incidents as they occur.
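The two SIEM functions described in Questions 39 and 40, aggregation across sources and time-windowed correlation, reduced to a runnable miniature as an added example that is not code from the original post. The log lines are constructed for this example (they are not real data) in three made-up formats: Windows Security events, a firewall and a VPN gateway; each is normalised into one schema and a sliding-window rule then counts authentication failures per source address across all three feeds. The sample is built to contain one burst of failures from a single address spread over two feeds, which no single feed would flag at the chosen threshold. Field formats, the threshold of three and the five-minute window are the example's own choices; it runs under Windows PowerShell or PowerShell 7 on any OS.

```powershell
# Added example: a miniature SIEM pipeline. Log lines are CONSTRUCTED for this example.
# Normalise three formats into one schema, then correlate with a sliding time window.

$SampleLogs = @'
2024-05-01T09:00:01Z winsec host=WS01 id=4625 user=jdoe src=203.0.113.7
2024-05-01T09:00:03Z winsec host=WS01 id=4625 user=jdoe src=203.0.113.7
2024-05-01T09:00:04Z fw action=deny src=203.0.113.7 dst=10.0.0.5 dport=445
2024-05-01T09:00:06Z vpn result=failure user=jdoe src=203.0.113.7
2024-05-01T09:00:08Z winsec host=WS02 id=4625 user=admin src=203.0.113.7
2024-05-01T09:00:09Z winsec host=WS02 id=4624 user=svc_backup src=10.0.0.9
2024-05-01T09:30:00Z vpn result=failure user=asmith src=198.51.100.4
'@

function ConvertTo-NormalizedEvent {
    # Parse "timestamp source k=v k=v ..." into a common schema: Time, Source, Category, User, Src
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        if ([string]::IsNullOrWhiteSpace($Line)) { return }
        $ts, $source, $rest = $Line -split ' ', 3
        $f = @{}
        foreach ($kv in ($rest -split ' ')) { $k, $v = $kv -split '=', 2; $f[$k] = $v }
        $category = switch ($source) {
            'winsec' { if ($f['id'] -eq '4625') { 'auth_failure' } elseif ($f['id'] -eq '4624') { 'auth_success' } else { 'other' } }
            'vpn'    { if ($f['result'] -eq 'failure') { 'auth_failure' } else { 'auth_success' } }
            'fw'     { if ($f['action'] -eq 'deny') { 'fw_deny' } else { 'fw_allow' } }
            default  { 'other' }
        }
        [pscustomobject]@{
            Time     = [datetime]::Parse($ts, [cultureinfo]::InvariantCulture, 'AdjustToUniversal')
            Source   = $source
            Category = $category
            User     = $f['user']
            Src      = $f['src']
        }
    }
}

function Find-BruteForceAlerts {
    # Rule: at least $Threshold auth failures from one source address within $WindowMinutes,
    # counted across ALL feeds; no single feed sees enough on its own.
    param([Parameter(ValueFromPipeline)]$Record, [int]$Threshold = 3, [int]$WindowMinutes = 5)
    begin   { $failures = @() }
    process { if ($Record.Category -eq 'auth_failure') { $failures += $Record } }
    end {
        foreach ($group in ($failures | Group-Object Src)) {
            $sorted = @($group.Group | Sort-Object Time)
            for ($i = 0; $i -lt $sorted.Count; $i++) {
                $windowEnd = $sorted[$i].Time.AddMinutes($WindowMinutes)
                $hits = @($sorted | Where-Object { $_.Time -ge $sorted[$i].Time -and $_.Time -le $windowEnd })
                if ($hits.Count -ge $Threshold) {
                    [pscustomobject]@{
                        Rule    = 'auth-failure-burst'
                        Src     = $group.Name
                        Count   = $hits.Count
                        Users   = ($hits.User | Sort-Object -Unique) -join ','
                        Feeds   = ($hits.Source | Sort-Object -Unique) -join ','
                        First   = $hits[0].Time
                        Last    = $hits[-1].Time
                    }
                    break   # one alert per source per burst
                }
            }
        }
    }
}

$events = $SampleLogs -split '\r?\n' | ConvertTo-NormalizedEvent
$events | Group-Object Source, Category | Select-Object Name, Count      # what aggregation collected
$events | Find-BruteForceAlerts | Format-List                            # what correlation raised
```

The `Feeds` column is the point of the exercise: an alert that names both the Windows Security log and the VPN gateway is one that neither system could have produced alone, which is the "detection of threats that might not trigger alarms on their own" claim in Question 39 made concrete. In a real deployment the same rule runs on a stream rather than a batch, which is the real-time monitoring Question 40 describes.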
