4.4

Question 1

3 main resources that you want to monitor

Answer 1

Systems
Applications
Infrastructure

Question 2

What do you want to monitor systems for? (4)

Answer 2

Logins from strange places

Service activity

Backups

Software versions

Question 3

What do you want to monitor applications for? (3)

Answer 3

Availability (uptime and response times)

Data transfers (sudden increases in activity can indicate malicious acts)

Security notifications from the dev/manufacturer

Question 4

What do you want to monitor infrastructure for? (2)

Answer 4

Firewall and IPS reports

Remote access systems - who is connecting when?

Question 5

The act of consolidating logs into a central database

Answer 5

Log aggregation

Question 6

The act of using an automated service to actively check systems and devices for:

OS types and versions
Device driver versions
Installed applications
Potential anomalies

It saves all of this information into a database of valuable information that is useful to create detailed reports

Answer 6

Scanning

Question 7

True/False

It is difficult to keep track of what type of vulnerabilities exist in each system because most of them are constantly moving and changing

Answer 7

True

Question 8

The act of analyzing collected network data in order to:

Create documents regarding the status of the network

Determine next steps to remediate any vulnerabilities

Perform “what if” analysis and ad hoc reporting to preemptively secure the network against future attacks

Answer 8

Reporting

Question 9

A type of report that helps authorized individuals implement changes in the network to provide better security

Answer 9

Actionable report

Question 10

The act of keeping an extensive amount of backups over a long period of time

Answer 10

Archiving

Question 11

The act of real-time notification of security events

Answer 11

Alerting

Question 12

The act of authorized individuals taking action to stop an active security breach, and solve the problem that enabled it.

Answer 12

Alert response and remediation

Question 13

Data that enables the quick response of security professionals during an attack

Answer 13

Actionable data

Question 14

The most common first response to a cyber attack

Answer 14

Quarantine

Question 15

The practice of teaching the machine what security alerts are false positives/negatives, or which alerts are not necessary, so that the machine can give the most accurate security alerts.

The end result is that the machine can automatically resolve low-level alerts, and that only high-priority alerts are forwarded to security personnel.

Answer 15

Alert tuning

Question 16

SCAP stands for

Answer 16

Security Content Automation Protocol

Question 17

A method for using specific standards to help organizations automate vulnerability management and policy compliance evaluation.

It consolidates vulnerability information into a single language that all devices can understand. Then, because all the devices are on the same page, they can work together to automate the removal and detection of vulnerabilities in the network.

Answer 17

SCAP

Question 18

2 methods of compliance checks

Answer 18

Install a software agent onto the device

On-demand agentless check

Question 19

True/False

An agentless compliance check usually provides more detail

Answer 19

False

Agent-based compliance checks provide more detail since they’re installed as software directly onto the device.

Question 20

True/False

Agent-based compliance checks require more maintenance than agentless.

Answer 20

True

You need to keep your agents updated

Question 21

SIEM stands for

Answer 21

Security Information and Event Management

Question 22

A centralized collector of security events and information. Also has a powerful reporting engine.

Because this device/service stores information for a very long time, it can help in forensic analysis.

Answer 22

SIEM

Question 23

Tools used to identify and remove malicious software

Answer 23

Antivirus/antimalware

Question 24

DLP stands for

Answer 24

Data Loss Prevention

Question 25

Software that looks for and blocks the transferring and exfiltration of sensitive data on your network

Answer 25

DLP

Question 26

SNMP stands for

Answer 26

Simple Network Management Protocol

Question 27

OID stands for

Answer 27

Object Identifier

Question 28

A group of decimal numbers that identify an object

Answer 28

Object Identifier

Question 29

A protocol used to transfer network information

Answer 29

SNMP

Question 30

How does SNMP work?

Answer 30

A network management workstation will poll a device, meaning it asks for an update on any relevant statistics such as storage, integrity, how much information has been transferred in bites, etc.

Then, the management station will wait a certain amount of time, and poll again.

These statistics are gathered in a database.

Question 31

What problem do SNMP traps solve?

Answer 31

With SNMP, the network is dependent on the centralized management station to poll each device. This way, the monitoring station cannot react immediately when a problem occurs.

SNMP traps are messages that send network event information when a certain event triggers, according to how it was configured. That way, the monitoring station can react immediately when a problem is detected.

Question 32

Unrequested notifications of an SNMP agent to a centralized management station, containing information about events or status updates when a certain event triggers according to its configuration.

Answer 32

SNMP trap

Question 33

SNMP trap port number/protocol

Answer 33

UDP 162

Question 34

How do SNMP traps come to be?

Answer 34

An administrator configures the settings on the SNMP agent on a device that, whenever a certain event occurs or a threshold is reached (ex. the number of CRC errors increases by 5), an SNMP trap is sent to the management station.

Question 35

Difference between NetFlow and SNMP

Answer 35

SNMP focuses on low-level metrics like utilization, the amount of packets passing through an interface, response time information, etc.

NetFlow has more detailed, higher-level metrics like traffic flows, application use, what device communicates to what other device, top 10 endpoints, traffic analyzer events, etc.

Question 36

How does NetFlow work?

Answer 36

A probe is inserted into the network as either software installed on a network device or a separate system (SPAN, TAP) in order to watch traffic going past.

The probes collect information, and then send copies to a collector which will compile the info and create reports - usually through a separate reporting app.

Question 37

How does SNMP work?

Answer 37

Agents are installed on network devices that periodically send information to a centralized management station.

Question 38

Many vulnerability scanners will also provide a ____ scan to see what services are installed on a particular device.

Answer 38

Port

Question 39

True/False

You can provide a vulnerability scanner with a list of IP addresses or range and see all devices are active on that range.

Answer 39

True

Question 40

True/False

It is helpful to perform a vulnerability scan from the outside of your network to see what an attacker might see.

Answer 40

True