Cyber Security Specialist - Scenario Questions

Cyber Security Specialist, 10 questions, 06.04.2026
These questions and answers are intended for general information and interview preparation. They do not reflect actual interview questions.
1

Scenario: A ransomware attack has been detected and production systems have been encrypted. Incident response?

Immediate: 1) Isolate affected systems (network segmentation), 2) Incident declaration (war room), 3) Communication (stakeholders, legal, PR). Containment: Shut down file sharing, disable accounts. Eradication: Malware removal, vulnerability patching. Recovery: Restoration from clean backups (verify integrity), business continuity testing. Post-incident: Ransom payment decision (last resort), lessons learned.
2

Scenario: An attacker is running a credential phishing campaign over email, and 10% of users clicked. Response?

Immediate: 1) Phishing campaign shutdown (block sender, URLs), 2) Password reset (compromised accounts), 3) MFA enforcement (if not already enabled). Investigation: Email headers, attachment analysis, indicators of compromise. Remediation: User training, phishing simulation improvements, email filtering enhancement. Metrics: Reporting rate, click rate.
3

Scenario: A security audit found 500+ vulnerabilities, and the engineering team is overwhelmed. Prioritization?

Prioritization framework: 1) CVSS score (Critical/High first), 2) Exploitability (public exploits), 3) Asset criticality (production systems), 4) Business impact. Quick wins: Low-hanging fruit. Long-term: Root cause analysis, secure SDLC. Communication: Risk-based remediation plan, executive sponsorship.
4

Scenario: Insider threat: customer data has been exported. Investigation?

Investigation: 1) User activity logs (login, access, downloads), 2) DLP alerts, 3) Network traffic analysis. Interviews: Manager, HR, legal. Response: Account suspension, evidence collection, forensic analysis. Legal: Employee termination, legal action. Prevention: DLP enhancement, behavior analytics, least privilege enforcement.
5

Scenario: A third-party vendor suffered a security breach and your data was exposed. Actions?

Response: 1) Vendor communication (breach details), 2) Internal assessment (what data exposed?), 3) Legal/PR (regulatory notification). Investigation: Vendor's security practices, contract compliance. Remediation: Vendor relationship review, additional security requirements, data isolation. Prevention: Vendor risk management enhancement.
6

Scenario: A zero-day vulnerability was detected in production software. Mitigation?

Immediate: 1) Vulnerability assessment (exploitability, impact), 2) Vulnerable system isolation, 3) Compensating controls (WAF rules, network segmentation). Coordination: Vendor communication, security community. Patch: Emergency patching plan, testing deployment. Monitoring: Exploit detection, anomaly monitoring.
7

Scenario: A C-level executive's email account was compromised, BEC (Business Email Compromise). Response?

Immediate: 1) Account lockdown (password reset, MFA reset), 2) Investigation (email rules, forwarding, sent items), 3) Communication (affected parties, financial team). Investigation: logs analysis, attacker actions, data exposure. Prevention: Executive protection program, advanced email filtering, transaction verification.
8

Scenario: DDoS attack, website down. Mitigation strategies?

Immediate: 1) DDoS detection (traffic spike analysis), 2) Mitigation service activation (Cloudflare, AWS Shield), 3) Traffic filtering (rate limiting, geo-blocking). Long-term: DDoS protection service, CDN, traffic analysis. Post-incident: Attack analysis, source identification, prevention improvements.
9

Scenario: The security team's budget is cut by 30%. Priority adjustment?

Prioritization: 1) Critical systems protection, 2) Compliance requirements, 3) High-risk vulnerabilities. Cost optimization: Automation (reduce manual effort), open-source tools, managed services. Communication: Risk exposure to leadership, business impact. Strategy: Risk-based approach, quick wins.
10

Scenario: A new regulation requires data localization. Migration plan?

Assessment: 1) Data inventory (location, type), 2) Regulatory requirements (which data?), 3) Impact analysis (systems, processes). Migration: Data classification, localization architecture, compliance controls. Implementation: Phased migration, validation, testing. Ongoing: Monitoring, audit preparation.