4.4 Flashcards

1
Q

DLP

A

Data loss prevention
A strategy to prevent sensitive data from leaving an org
Aims to monitor data in use, in transit or at rest to detect and prevent data theft

2
Q

Types of DLP Systems

A

Endpoint DLP
Network DLP
Storage DLP
Cloud Based DLP

3
Q

Endpoint DLP

A

Installed as software on workstations or laptops
Monitors data in use on individual computers
Can prevent or alert on file transfers based on predefined rules

4
Q

Network DLP

A

Software or hardware placed at the network perimeter
● Focuses on monitoring data entering and leaving the network
● Detects unauthorized data leaving the network

5
Q

Storage DLP

A

Installed on a server in the data center
Inspects data at rest

6
Q

Cloud based DLP

A

Offered as a SaaS solution
Protects data in the cloud

7
Q

Monitoring systems

A

Involves observing CPU, memory, disk usage, and network performance

8
Q

Baseline

A

A reference point representing normal system behavior under typical operating conditions
■ Baseline metrics can include CPU usage, memory utilization, disk activity, and network traffic

9
Q

Alerting

A

Involves setting up notifications for specific events or conditions
● Alerts can be triggered based on thresholds or anomalies

10
Q

Scanning

A

Regularly examines systems, networks, or applications to identify vulnerabilities, misconfigurations, and issues
Includes vulnerability scanning, configuration scanning, and code scanning

11
Q

Archiving

A

Involves long-term storage of data, including
○ Log data
○ Performance data
○ Incident data

12
Q

Quarantining

A

Isolates a system, network, or application suspected of being compromised
■ Prevents the spread of threats and limits potential impact
■ Commonly used when dealing with malware infections

13
Q

Alert Tuning

A

Adjusts alert parameters to reduce errors and false positives and to improve alert relevance

14
Q

SNMP

A

Simple Network Management Protocol (SNMP)
An Internet protocol used for collecting information from managed devices on IP networks and modifying device behavior
Managed devices include the following:
● Routers
● Switches
● Firewalls
● Printers
● Servers
● Client devices

15
Q

SNMP Manager

A

A central system that collects and processes information from managed devices
■ Often set up as a server, especially in large enterprise environments
■ Sends and receives SNMP messages to and from agents

16
Q

SNMP Agents

A

Networked devices that send information about themselves to the manager
■ Run background services to collect data and send it to the manager
■ Transmit data at regular intervals or when requested by the manager

17
Q

SNMP Message Types

A

SET
GET
TRAP

18
Q

SET

A

Manager-to-agent request to change variable values

19
Q

GET

A

Manager-to-agent request to retrieve variable values

20
Q

TRAP

A

Asynchronous notifications from agents to the manager to report significant events
● Notify the manager of events such as uptime, configuration changes, and network downtime
● May be granular or verbose

21
Q

TRAP Granular

A

Sent TRAP messages get a unique object identifier (OID) to distinguish each message as a unique message being received

22
Q

OID

A

Unique object identifier used to identify variables for reading or setting via SNMP
● Allows the manager to distinguish individual SNMP trap messages

23
Q

MIB

A

Management Information Base
A hierarchical namespace containing OIDs and their descriptions
● Describes the structure of device subsystem management data
● Stores consolidated information received through SNMP traps

24
Q

Verbose TRAP

A

SNMP traps may be configured to contain all of the information about a given alert or event as a payload

25
Q

SNMP V3

A

SNMP version 3 offers enhanced security features
○ Integrity
■ Hashing messages before transmission to prevent data alteration
○ Authentication
■ Validating the source of messages
○ Confidentiality
■ Adding encryption using DES, 3DES, or AES
○ Dividing SNMP components into entities with different access privileges for improved security

26
Q

SIEM

A

SIEM (Security Information and Event Management)
■ A solution for real-time or near-real-time analysis of security alerts generated by network hardware and applications
■ SIEM helps correlate various events and incidents from system logs
SIEM Functionality
■ Correlates and analyzes log data
■ Consolidates data from various systems into a centralized database or repository
■ Detects patterns indicating security threats
■ Generates alerts for security teams to investigate

27
Q

Agent-based SIEM

A

Software agents are installed on each system to collect and send log data
● Provides real-time data and detailed information

28
Q

Agentless SIEM

A

Log data is collected directly from systems using standard protocols
● Reduces maintenance but may not collect real-time or detailed data

29
Q

ELK

A

Elastic Stack
● A collection of free and open-source SIEM tools, including the following:
○ Elasticsearch
○ Logstash
○ Kibana
○ Beats
Components work together for log collection, storage, analysis, and visualization

30
Q

ArcSight

A

SIEM log management and analytics software
● Suitable for compliance reporting for regulations like HIPAA, SOX, and PCI DSS

31
Q

QRadar

A

A SIEM log management, analytics, and compliance reporting platform created by IBM

32
Q

Firewalls

A

Act as a barrier between trusted internal networks and untrusted external networks
■ Filter incoming and outgoing traffic based on security rules (ACLs)

33
Q

Vulnerability Scanners

A

Identify security weaknesses, including missing patches, incorrect configurations, and known vulnerabilities

34
Q

SCAP

A

Security Content Automation Protocol (SCAP)
Suite of open standards that enhances the automation of vulnerability management, measurement, and policy compliance evaluation of systems deployed in an organization
■ Developed by the National Institute of Standards and Technology (NIST)
■ Enhances the automation of security tasks, including the following:
● Vulnerability scanning
● Configuration checking
● Software inventory

35
Q

OVAL

A

Open Vulnerability and Assessment Language
An SCAP language

36
Q

XCCDF

A

Extensible Configuration Checklist Description Format
An SCAP language
XML schema for developing and auditing best-practice configuration checklists and rules
● Allows improved automation

37
Q

ARF

A

Asset Reporting Format
An SCAP language
XML schema for expressing information about assets and their relationships
● Vendor and technology neutral
● Flexible
● Suited for a wide variety of reporting applications

38
Q

CCE

A

Common Configuration Enumeration, an enumeration method for SCAP
Scheme for provisioning secure configuration checks across multiple sources
● Provides unique identifiers for different system configuration issues

39
Q

CPE

A

Common Platform Enumeration
● Identifies hardware devices, operating systems, and applications
● Standard formatting

40
Q

CVSS

A

Common Vulnerability Scoring System (CVSS)
Used to provide a numerical score reflecting the severity of a vulnerability (0 to 10)
■ Scores are used to categorize vulnerabilities as none, low, medium, high, or critical
■ Scores assist in prioritizing remediation efforts but do not account for existing mitigations

41
Q

Benchmarks

A

Sets of security configuration rules for specific products to establish security baselines
● Provide a detailed checklist that can be used to secure systems to a specific baseline

42
Q

Red Hat Enterprise Linux Benchmark

A

An example of an SCAP benchmark
Provides security configuration rules for Red Hat Enterprise Linux

43
Q

FPC

A

Full packet capture
Captures entire packets, including headers and payloads

44
Q

Flow Analysis

A

Focuses on recording metadata and statistics about network traffic, saving storage space
■ Doesn't include the actual content, just the metadata
■ Rapidly generates visualizations to map network connections, traffic types and session volumes

45
Q

Flow Collector

A

Records metadata and statistics about network traffic
■ Collects information about the following:
● Type of traffic
● Protocol used
● Data volume
■ Allows for efficient data storage and reduces processing overhead

46
Q

NetFlow

A

Cisco-developed protocol for reporting network flow information
■ Also known as IPFIX (IP Flow Information Export)
■ Defines traffic flows based on shared characteristics (e.g., source and destination IP)
■ Data collected by NetFlow:
● Network protocol interface
● IP version and type
● Source and destination IP addresses
● Source and destination ports
● Type of service used

47
Q

Zeek

A

Hybrid tool for network monitoring
■ Monitors traffic like NetFlow but logs full packet captures based on interest
■ Filters or signatures trigger full packet capture to analyze specific data
■ Normalizes data for easy import into other tools for visualization and analysis

48
Q

MRTG

A

Multi Router Traffic Grapher
Creates graphs displaying network traffic flows through routers and switches
■ Uses SNMP (Simple Network Management Protocol) to gather data
■ Helps identify traffic patterns and anomalies by visualizing data transfer volumes

49
Q

SPOG

A

Single Pane of Glass
Central point of access for security teams
■ Provides access to information, tools, and systems for monitoring, managing, and securing an organization's IT environment
■ Offers a unified view of the security posture and facilitates informed decision-making
● Teams can quickly and easily access critical information, aiding informed decision-making