Cheat Sheet Overview

Core principles, frameworks, and control families that anchor every decision.

1. Map CIA, AAA, and control categories (preventive, detective, corrective) to scenarios.
2. Understand governance terms like due diligence, data classification, risk appetite.
3. Tie frameworks (NIST CSF, ISO 27001, CIS) to stakeholder requests and gap analyses.

Insight: Questions love phrasing like "best next step"—link the control objective to the action.

Adversary TTPs, malware, and intel handling from alert to containment.

1. Tell the story: recon → weaponize → deliver → execute (kill chain mentality).
2. Differentiate malware purpose (worm vs trojan vs fileless) and delivery method.
3. Prioritize vulnerability reports using CVSS, exploitability, and business impact.

Insight: Expect log snippets, packet captures, and threat actor profiles to analyze.

Secure network patterns, zero trust, cloud responsibilities, and hardening baselines.

1. Sketch DMZs, microsegmentation, NAC, and zero trust flows until second nature.
2. Compare on-prem vs cloud vs hybrid controls and who owns which responsibility.
3. Secure emerging tech: OT, IoT, virtualization, containers, and edge compute.

Insight: Diagram questions appear often—annotate every component during practice.

Monitoring, playbooks, automation, and forensic handling—the largest domain.

1. Memorize IR lifecycle (Preparation → Lessons Learned) plus order of volatility.
2. Decide when to contain vs eradicate vs recover in scenario prompts.
3. Understand SOAR, EDR, script automation, and evidence handling requirements.

Insight: Weighted heavily—daily reps here deliver the fastest score gains.

BIA outputs, testing methods, legal requirements, and program maturity.

1. Translate BIA findings into RTO, RPO, MTTR, and continuity strategies.
2. Know testing types (tabletop, walkthrough, parallel, full interruption).
3. Map privacy and regulatory requirements (PII, PCI-DSS, HIPAA, GDPR) to controls.

Insight: Look for keywords like "evidence", "attestation", or "stakeholder" in stems.

• Risk = Threat × Vulnerability × Impact
• SLE = Asset Value × Exposure Factor
• ALE = SLE × ARO
• ARO represents expected frequency per year

• MFA factors: know, have, are, do, where
• SSO protocols: SAML (XML), OIDC (JSON), Kerberos (tickets)
• Account policies: lockout threshold, password history, time-of-day
• Auth models: RBAC, ABAC, MAC, DAC

• Segment with VLANs, SDN microsegments, air gaps for OT
• Inline stack: NGFW, IPS, SWG, CASB, WAF
• NAC posture checks (agent/agentless) with 802.1X enforcement
• Preferred secure protocols: HTTPS, SFTP, SSH, LDAPS, IMAPS

• Service models: IaaS, PaaS, SaaS, FaaS—know who secures what
• CASB delivers visibility, policy enforcement, and SaaS DLP
• Container security: image signing, runtime profiles, orchestrator RBAC
• Object storage controls: versioning, immutability, lifecycle policies

• AES (symmetric) vs RSA/ECC (asymmetric) roles
• Cipher modes: CBC (legacy), GCM/CCM (authenticated), ECB (avoid)
• Hashing: SHA-256/3, HMAC = integrity + authenticity
• PKI chain: Root → Intermediate → Issued cert; validate via CRL/OCSP

• Preparation → Identification → Containment → Eradication → Recovery → Lessons
• Order of volatility: CPU/cache → memory → disk → logs → backups
• Containment options: isolate host, disable account, geo-fence, block IOC
• Chain of custody: hash evidence before/after transport, log handlers