4.2

Question 1

Monitoring and visibility is a critical aspect of

Answer 1

hardened security and zero trust initiatives

Question 2

All types of systems must be monitored including:

Answer 2

• Corporate LAN endpoint devices
• Web, email, productivity, and other application
  servers (i.e., SharePoint)
• Voice over Internet Protocol (VoIP), messaging, and
  conferencing services
• Databases and storage area networks
• Infrastructure devices
• Customer premises edge

Question 3

what do Network monitoring tools enhance?

Answer 3

enhance visibility into system health by offering real-time information about various wired, wireless, and
cloud-based components

Question 4

This suite of tools utilizes two techniques to capture performance
metrics from assorted infrastructure and security devices – both physical and virtual:

Answer 4

*Agent-based monitoring
* Agentless monitoring

Question 5

Agent-based monitoring

Answer 5

leverages lightweight software, known as a monitoring agent, on the devices or virtual machine to track the uptime and performance

Question 6

Agentless monitoring

Answer 6

uses special application programming interfaces
(APIs) or integrated code to track the health of the devices

a less intrusive way to
achieve visibility

Question 7

agent based monitoring example

Answer 7

*A prototypical example of agent-based monitoring is using Simple Network Management Protocol
version 2C and 3 agents on infrastructure devices to send traps and informs to SNMP management
stations
*In cloud computing environments, special agents can be embedded into virtual machine instances
or installed on instantiated virtual servers to perform various system management activities

*slowed system down

Question 8

Agentless monitoring (info)

Answer 8

*It typically utilizes application-specific APIs and different network protocols (such as SNMP and
Windows Management Interface -WMI) to discern the overall performance of on-site and cloud-based assets, such as servers and applications
* This monitoring method does not involve the overhead of installing, tuning, and updating dedicated or third-party monitoring agents on every component
* This may be considered easier than the traditional agent-based approach

less intrusive

Question 9

Log aggregation

Answer 9

the process of accumulating,
categorizing, standardizing, and consolidating log
data from across an IT infrastructure to enable and
enhance streamlined log analysis

Question 10

what happens without Log aggregation?

Answer 10

administrators and
engineers would have to manually organize, deduplicate, and search through log data from various sources to generate meaningful metrics and information

Question 11

Log aggregation goals

Answer 11

• Replicating log files to a centralized location
• Collecting Syslog, auditd, and other traps
• Supporting automated pipelines and workflows
• Parsing key-value pairs
• Performing more complex transformations such as
  multiline log aggregation, tokenization, scrubbing,
  or masking sensitive data

Question 12

alerting

Answer 12

m delivers metrics and alarms
from various tools and systems to admins and
security operators for informational/event
notifications, incident management, and optimization of the wider ecosystem

Question 13

what do alerting systems help ensure?

Answer 13

that event
responses are quick and efficient so that the odds of overlooked actions are reduced

Question 14

The Security Content Automation
Protocol (SCAP)

Answer 14

a synthesis of interoperable
specifications derived from community ideas.
Community participation is a great strength for SCAP,
because the security automation community ensures
the broadest possible range of use cases is reflected in
SCAP functionality

compliance more achievable

Question 15

importance of SCAP

Answer 15

Improves cybersecurity posture
Streamlines vulnerability evaluation
Simplifies compliance
Makes software deployments easy
Boosts cybersecurity collaboration

Question 16

SCAP specifications

Answer 16

Asset Identification
Asset Reporting Format (ARF)
Common Platform Enumeration (CPE)
Open Vulnerability Assessment Language (OVAL)
Open Checklist Interactive Language (OCIL)
Trust Model for Security Automation Data (TMSAD)
Extensible Configuration Checklist Description Format
(XCCDF)
Software Identification (SWID) Tagging

Question 17

Asset Identification

Answer 17

an important role in an
organization’s ability to quickly correlate different
sets of information about assets

Question 18

Asset Reporting Format (ARF)

Answer 18

a data model to express the transport format of
information about assets, and the relationships between assets and reports

Question 19

Common Platform Enumeration (CPE)

Answer 19

a standardized
method of describing and identifying classes of applications,
operating systems, and hardware devices present among an
enterprise’s computing assets

Question 20

Open Vulnerability Assessment Language (OVAL)

Answer 20

an information security community effort to standardize how to
assess and report upon the machine state of computer systems

Question 21

Open Checklist Interactive Language (OCIL)

Answer 21

a framework for expressing a set of questions to be presented to a
user and corresponding procedures to interpret responses to
these questions

Question 22

Trust Model for Security Automation Data (TMSAD)

Answer 22

describes
a common trust model that can be applied to specifications
within the security automation domain, such as SCAP

Question 23

Extensible Configuration Checklist Description Format
(XCCDF)

Answer 23

is a specification language for writing security
checklists, benchmarks, and related kinds of documents

Question 24

Software Identification (SWID) Tagging

Answer 24

allows for the proper
management of software inventories of managed devices in
support of higher-level business, information technology, and
cybersecurity functions

Question 25

Security information and event management (SIEM)

Answer 25

is a solution that helps enterprises detect, analyze, and respond to security threats before they affect business operations

Question 26

Security information and event management (SIEM) is a combination of?

Answer 26

security information management (SIM) and security event management (SEM) into a unified security management system

Question 27

SIEM technology gathers?

Answer 27

event log data from a range of sources and recognizes activity that diverges from the norm in real-time

Question 28

benefits of SIEM systems

Answer 28

*A centralized look at potential threats *Advanced threat intelligence *Regulatory compliance auditing and reporting *Enhancing transparency into users, applications, and devices

Question 29

Security orchestration, automation, and response (SOAR)

Answer 29

an assortment of software services and tools that allow organizations to simplify and aggregate security operations in three core areas

Question 30

Security orchestration, automation, and response (SOAR) 3 core areas:

Answer 30

* Threat and vulnerability management * Incident response * Security operations automation

Question 31

Security automation involves:

Answer 31

performing security related tasks without the need for human intervention * Can be defensive detection, response, and remediation, or offensive vulnerability assessment and penetration testing

Question 32

Antivirus software

Answer 32

intended to protect computers and mobile devices from exploits, malware, crackers, and cybercriminals

Question 33

antivirus systems examine:

Answer 33

data on hard drives, memory, and incoming packets from the Internet (websites, email messages, attachments, and applications) to recognize, block, and offer ongoing protection against malicious software, infected links, and other threats and suspicious activity

Question 34

Antivirus software functions by:

Answer 34

regularly scanning all devices to discover and block known worms and viruses as well as new and emerging malware variants

Question 35

heuristic rules

Answer 35

human driven but also a machine learning tool

Question 36

Antivirus forms of detection:

Answer 36

* Signature detection * Heuristic detection of files * Multicriteria analysis (MCA) – uses the data from other detection methods to flag a file as possibly dangerous * Sandbox and cloud analysis * Intrusion prevention via host intrusion prevention system (HIPS) * Anti-spam * Ransomware protection

Question 37

Data loss prevention (DLP)

Answer 37

a security initiative that recognizes and mitigates unsafe or unauthorized sharing, transfer, or use of sensitive data such as personally identifiable information (PII) and protected health information (PHI)

Question 38

DLP engines and services can help organizations with:

Answer 38

monitoring and protection of sensitive information across on-premises systems, cloud-based locations, and endpoint devices It also assists with compliance for regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and General Data Protection Regulation (GDPR)

Question 39

Simple Network Management Protocol (SNMP)

Answer 39

a powerful protocol and toolset that facilitates the sharing of information among various devices on a network, regardless of their hardware or software

Question 40

SNMP uses a basic client-server architecture using:

Answer 40

* Managers collect and process information about devices on the network * Clients, called agents, are any type of device or device component connected to the network

Question 41

netflow

Answer 41

a network monitoring protocol, developed by Cisco, invented to capture metrics about the volume and types of traffic traversing a network device

Question 42

Technically, a flow is defined by its 5-tuple, a collection of five data points:

Answer 42

* The source and destination IP addresses exchange information * The source and destination ports, if any (ICMP, for example, doesn't use ports) * The protocol