Episode 71: Data Encryption Methods and Controls
Welcome to The Bare Metal Cyber CISA Prepcast. This series helps you prepare for the exam with focused explanations and practical context.
Network security is one of the most critical areas in enterprise cybersecurity. Networks connect users, systems, data, and external resources, making them a primary target for attackers. If a network is compromised, it can serve as a pathway into every connected device, database, and application. Weaknesses in network design or control can bypass otherwise effective application or endpoint defenses. That is why network security plays such an important role in defense-in-depth strategies. It protects data as it moves between systems, enforces policies at defined boundaries, and controls how different segments of the infrastructure interact. Firewalls, intrusion detection systems, secure protocols, and network segmentation are just a few of the tools involved. The CISA exam often includes questions about these topics, especially in scenarios that require evaluating whether configurations are correct, traffic is properly restricted, or threats are detected in time. As a candidate, understanding the fundamentals and best practices of network security is essential.
Perimeter security is the first defensive layer for most networked environments. Firewalls are commonly used to enforce rules at the network boundary, controlling which types of traffic can enter or leave based on protocol, port, source, and destination. These firewalls may use simple packet filtering or more advanced stateful inspection to evaluate the context of each connection. Proxy servers sit between users and external resources, filtering outbound requests and helping anonymize internal systems. Virtual private networks, or VPNs, provide encrypted tunnels for remote users to connect to internal systems securely. Secure gateways also protect email, web traffic, and cloud application access by filtering content and blocking known threats. Auditors review whether perimeter defenses are active, updated, and monitored. Misconfigured or outdated perimeter tools can expose the organization to unnecessary risk. On the exam, be ready to identify gaps in firewall configurations or assess the placement and effectiveness of perimeter controls.
Network segmentation is another core practice in managing risk and reducing the impact of potential intrusions. By dividing the network into logical or physical zones, organizations can control how traffic flows between systems. For example, internal corporate systems can be separated from public-facing services such as web servers or external email gateways. A demilitarized zone, or DMZ, is a common structure that isolates internet-exposed resources from the internal network. Within the internal environment, networks can be further segmented by business unit, data sensitivity, or function. This limits lateral movement—meaning that if one system is compromised, the attacker cannot easily reach others. Virtual local area networks, access control lists, and subnet design are common segmentation tools. Highly sensitive systems, such as those supporting finance, payroll, or industrial operations, should have stricter segmentation rules. CISA scenarios often ask you to evaluate whether segmentation is appropriate, whether traffic restrictions are in place, or whether sensitive zones are adequately protected.
Intrusion detection and prevention systems play a central role in identifying and stopping malicious activity. An intrusion detection system, or IDS, monitors network traffic for signs of suspicious behavior and generates alerts when certain thresholds or patterns are detected. An intrusion prevention system, or IPS, goes a step further by actively blocking threats based on rules or behavior signatures. These tools must be kept up to date with the latest threat indicators, whether based on known attack signatures or heuristic models. Placement is a key design consideration. IDS and IPS tools may be deployed at the network perimeter, internally between segments, or on host systems. The goal is to monitor both inbound and internal traffic to catch threats early. Auditors review the configuration of these systems, including how they are tuned, how alerts are reviewed, and how incident response workflows are triggered. On the CISA exam, expect to evaluate IDS or IPS effectiveness, and determine whether alerts are being acted upon.
Secure communication protocols are essential for protecting data in transit. When data moves between systems or across the internet, it can be intercepted unless it is encrypted. Common secure protocols include Transport Layer Security, HTTPS for web traffic, Secure FTP for file transfers, and IPsec for secure tunneling at the network layer. These protocols ensure that data cannot be read or altered during transmission. Legacy protocols such as Telnet, FTP, or older versions of SNMP should be disabled unless there is a compelling business need and appropriate compensating controls are in place. Organizations must enforce the use of strong encryption algorithms and cipher suites. Weak or outdated encryption can still be broken by attackers even if a secure protocol is in place. Auditors examine configuration files, protocol usage, and encryption settings to ensure that data in transit is properly protected. On the CISA exam, expect questions about encryption requirements and how to detect insecure network protocols in use.
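To make the "detect insecure network protocols in use" point concrete, here is an added example (not part of the episode) that audits a constructed service inventory for legacy cleartext protocols, SNMP below v3, TLS versions older than 1.2, and cipher suites with known-weak components; the host names, ports and thresholds are all assumptions.

```python
"""Added example (not from the podcast): an auditor-style check over a
constructed service inventory, flagging legacy cleartext protocols and
weak TLS settings when reviewing data-in-transit controls."""

# Constructed inventory: one dict per listening service on a host (assumed values).
INVENTORY = [
    {"host": "core-sw1", "port": 23, "proto": "telnet"},
    {"host": "file01", "port": 21, "proto": "ftp"},
    {"host": "core-sw1", "port": 161, "proto": "snmp", "version": "v2c"},
    {"host": "web01", "port": 443, "proto": "https",
     "tls_versions": ["TLSv1.0", "TLSv1.2"],
     "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA"]},
    {"host": "vpn01", "port": 500, "proto": "ipsec"},
]

LEGACY_CLEARTEXT = {"telnet", "ftp", "http", "rsh", "rlogin", "tftp"}
MIN_TLS = "TLSv1.2"                                    # assumed policy minimum
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ANON")

def audit(inventory):
    """Return a list of (host:port, finding) tuples for each weakness found."""
    findings = []
    for svc in inventory:
        where = f"{svc['host']}:{svc['port']}"
        proto = svc["proto"].lower()
        if proto in LEGACY_CLEARTEXT:
            findings.append((where, f"legacy cleartext protocol {proto}"))
        # SNMP v1/v2c use community strings in the clear; only v3 offers auth/privacy.
        if proto == "snmp" and svc.get("version", "v1") in ("v1", "v2c"):
            findings.append((where, "SNMP without v3 authentication/privacy"))
        for ver in svc.get("tls_versions", []):
            # Plain string comparison orders SSLv3 < TLSv1 < TLSv1.0 < TLSv1.2 < TLSv1.3.
            if ver < MIN_TLS:
                findings.append((where, f"weak protocol version {ver}"))
        for cipher in svc.get("ciphers", []):
            # Substring match on components that are considered broken or export-grade.
            if any(m in cipher.upper() for m in WEAK_CIPHER_MARKERS):
                findings.append((where, f"weak cipher suite {cipher}"))
    return findings

if __name__ == "__main__":
    for where, finding in audit(INVENTORY):
        print(f"{where}: {finding}")
```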
Wireless networks introduce unique risks and therefore require specific security measures. Wireless traffic should always be encrypted using WPA3, or at minimum WPA2, to prevent interception. Broadcasting the network name, or SSID, should be disabled on internal or private networks to reduce visibility to outsiders. MAC address filtering can be used to limit device access, though it is not sufficient on its own. Organizations should implement controls that detect rogue access points—unauthorized devices broadcasting signals that could be used to lure users or bypass protections. Guest networks should be completely separated from internal business traffic. Wireless segmentation can help isolate sensitive systems from general access. When combined with VPN enforcement and multi-factor authentication, wireless networks can support secure mobility. CISA questions may involve the evaluation of wireless policies, especially in scenarios involving mobile workforces, remote access, or unmanaged devices connecting to sensitive systems.
Logging and network monitoring are essential for visibility and response. Network devices such as routers, switches, and firewalls must be configured to generate and store logs about activity, changes, and errors. These logs are often collected in centralized logging platforms or security information and event management tools for analysis. NetFlow data and packet captures provide deeper insights into traffic patterns, including bandwidth usage, protocol activity, and potential anomalies. Security teams use this information to detect indicators such as port scanning, data exfiltration, or command-and-control communications. Alerts should be configured to detect suspicious behavior in near real time. For example, repeated access attempts from unusual locations or large transfers of data outside of business hours may indicate compromise. Auditors evaluate whether monitoring thresholds are set appropriately, whether alerts are followed up on, and whether logs are retained according to policy. CISA candidates should understand how logging contributes to auditability and incident response.
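The two indicators named above, repeated access attempts from unusual locations and large transfers outside business hours, can be expressed as simple rules. The following is an added example, not from the episode, that runs such rules over constructed log records; the expected countries, failure threshold, business hours and transfer size are assumptions a real deployment would tune.

```python
"""Added example (not from the podcast): rule-based alerting over
constructed network log records for the two indicators the episode names."""
from collections import Counter
from datetime import datetime

# Constructed sample records: (timestamp, source_ip, country, action, bytes_out).
SAMPLE_LOGS = [
    ("2024-03-04T09:12:01", "203.0.113.7", "RU", "auth_fail", 0),
    ("2024-03-04T09:12:09", "203.0.113.7", "RU", "auth_fail", 0),
    ("2024-03-04T09:12:15", "203.0.113.7", "RU", "auth_fail", 0),
    ("2024-03-04T10:05:44", "10.0.4.21", "US", "auth_ok", 0),
    ("2024-03-04T02:30:00", "10.0.4.21", "US", "transfer", 750_000_000),
    ("2024-03-04T14:00:00", "10.0.4.21", "US", "transfer", 750_000_000),
]

EXPECTED_COUNTRIES = {"US"}         # assumption: where staff normally connect from
FAIL_THRESHOLD = 3                  # assumption: alert on the third failure
BUSINESS_HOURS = range(8, 18)       # assumption: 08:00 to 17:59 local time
LARGE_TRANSFER_BYTES = 500_000_000  # assumption: 500 MB

def detect(records):
    """Return a list of (alert_name, source_ip) in the order they fire."""
    alerts = []
    failures = Counter()
    for ts, src, country, action, nbytes in records:
        hour = datetime.fromisoformat(ts).hour
        # Rule 1: repeated authentication failures from an unexpected location.
        if action == "auth_fail" and country not in EXPECTED_COUNTRIES:
            failures[src] += 1
            if failures[src] == FAIL_THRESHOLD:   # fire once, at the threshold
                alerts.append(("repeated_foreign_auth_failures", src))
        # Rule 2: large outbound transfer outside business hours.
        if (action == "transfer" and nbytes >= LARGE_TRANSFER_BYTES
                and hour not in BUSINESS_HOURS):
            alerts.append(("large_transfer_after_hours", src))
    return alerts

if __name__ == "__main__":
    for name, src in detect(SAMPLE_LOGS):
        print(f"ALERT {name} from {src}")
```

The same-size transfer at 14:00 produces no alert, which is the kind of threshold tuning auditors check when evaluating whether monitoring catches anomalies without flooding analysts.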
Patch and configuration management is just as important for network devices as it is for servers and applications. Network equipment such as switches, routers, and wireless controllers often run firmware that may have known vulnerabilities if not updated. Regular patching is required to address those weaknesses. Equally important is configuration management. Network settings must be backed up and aligned to security baselines. Unused services and ports should be disabled to reduce the attack surface. Default credentials must be changed, and access to administrative interfaces must be restricted. All changes should go through formal change control processes, including testing and documentation. Configuration errors can create exposure even if the device is fully patched. Auditors review patch management reports, change logs, and configuration backups to ensure that network devices are maintained securely. On the exam, you may be asked to assess the completeness of a patching program or identify weaknesses in device configuration.
Third-party and remote access must be managed carefully to avoid introducing risk. Vendors, contractors, and other external users often require access to internal systems, but that access must be tightly controlled. Virtual private networks and multi-factor authentication should be standard requirements. Jump servers, which serve as controlled access points, can restrict external users from reaching the broader network. Access control lists can further restrict what remote users are able to see or do. Every session must be logged and subject to review. If vendors are providing managed services, service level agreements and contracts must specify security expectations, monitoring obligations, and response times. CISA scenarios may test whether vendor access is segmented properly, whether logs are retained, and whether contracts address cybersecurity responsibilities. For auditors, it is important to evaluate both the technical and procedural controls surrounding third-party access.
For the CISA candidate, the key takeaway is that network security involves a layered and coordinated approach. You must be able to evaluate controls at the perimeter, inside the network, and at remote entry points. This includes understanding how firewalls, proxies, and gateways operate; how segmentation reduces risk; and how encryption protects data in transit. Logging, monitoring, configuration, and patching must also be evaluated to confirm that defenses remain effective over time. On the exam, expect to assess the placement and effectiveness of security controls, interpret log or alert data, and identify misconfigurations or policy gaps. Network security is not only technical—it is strategic. Auditors help confirm that network protections are aligned with business objectives, properly maintained, and actively monitored. Strong network controls protect the organization’s digital backbone and ensure that systems, data, and services remain secure in a connected world.
Thanks for joining us for this episode of The Bare Metal Cyber CISA Prepcast. For more episodes, tools, and study support, visit us at Baremetalcyber.com.
