4.4 Flashcards

Security monitoring, security tools

1
Q

3 main resources that you want to monitor

A

Systems
Applications
Infrastructure

2
Q

What do you want to monitor systems for? (4)

A

Logins from strange places

Service activity

Backups

Software versions

3
Q

What do you want to monitor applications for? (3)

A

Availability (uptime and response times)

Data transfers (sudden increases in activity can indicate malicious acts)

Security notifications from the dev/manufacturer

4
Q

What do you want to monitor infrastructure for? (2)

A

Firewall and IPS reports

Remote access systems - who is connecting when?

5
Q

The act of consolidating logs into a central database

A

Log aggregation

6
Q

The act of using an automated service to actively check systems and devices for:

OS types and versions
Device driver versions
Installed applications
Potential anomalies

It saves all of this information into a database that is useful for creating detailed reports

A

Scanning

7
Q

True/False

It is difficult to keep track of what type of vulnerabilities exist in each system because most of them are constantly moving and changing

A

True

8
Q

The act of analyzing collected network data in order to:

Create documents regarding the status of the network

Determine next steps to remediate any vulnerabilities

Perform “what if” analysis and ad hoc reporting to preemptively secure the network against future attacks

A

Reporting

9
Q

A type of report that helps authorized individuals implement changes in the network to provide better security

A

Actionable report

10
Q

The act of keeping an extensive amount of backups over a long period of time

A

Archiving

11
Q

The act of real-time notification of security events

A

Alerting

12
Q

The act of authorized individuals taking action to stop an active security breach, and solve the problem that enabled it.

A

Alert response and remediation

13
Q

Data that enables the quick response of security professionals during an attack

A

Actionable data

14
Q

The most common first response to a cyber attack

A

Quarantine

15
Q

The practice of teaching the machine what security alerts are false positives/negatives, or which alerts are not necessary, so that the machine can give the most accurate security alerts.

The end result is that the machine can automatically resolve low-level alerts, and that only high-priority alerts are forwarded to security personnel.

A

Alert tuning

16
Q

SCAP stands for

A

Security Content Automation Protocol

17
Q

A method for using specific standards to help organizations automate vulnerability management and policy compliance evaluation.

It consolidates vulnerability information into a single language that all devices can understand. Then, because all the devices are on the same page, they can work together to automate the removal and detection of vulnerabilities in the network.

A

SCAP

18
Q

2 methods of compliance checks

A

Install a software agent onto the device

On-demand agentless check

19
Q

True/False

An agentless compliance check usually provides more detail

A

False

Agent-based compliance checks provide more detail since they’re installed as software directly onto the device.

20
Q

True/False

Agent-based compliance checks require more maintenance than agentless.

A

True

You need to keep your agents updated

21
Q

SIEM stands for

A

Security Information and Event Management

22
Q

A centralized collector of security events and information. Also has a powerful reporting engine.

Because this device/service stores information for a very long time, it can help in forensic analysis.

A

SIEM

23
Q

Tools used to identify and remove malicious software

A

Antivirus/antimalware

24
Q

DLP stands for

A

Data Loss Prevention

25
Q

Software that looks for and blocks the transferring and exfiltration of sensitive data on your network

A

DLP

26
Q

SNMP stands for

A

Simple Network Management Protocol

27
Q

OID stands for

A

Object Identifier

28
Q

A group of decimal numbers that identify an object

A

Object Identifier

29
Q

A protocol used to transfer network information

A

SNMP

30
Q

How does SNMP work?

A

A network management workstation will poll a device, meaning it asks for an update on any relevant statistics such as storage, integrity, how much information has been transferred in bytes, etc.

Then, the management station will wait a certain amount of time, and poll again.

These statistics are gathered in a database.

31
Q

What problem do SNMP traps solve?

A

With SNMP polling, the network is dependent on the centralized management station to poll each device. As a result, the monitoring station cannot react immediately when a problem occurs; it only learns about it at the next poll.

SNMP traps are messages that send network event information when a certain event triggers, according to how it was configured. That way, the monitoring station can react immediately when a problem is detected.

32
Q

Unrequested notifications of an SNMP agent to a centralized management station, containing information about events or status updates when a certain event triggers according to its configuration.

A

SNMP trap

33
Q

SNMP trap port number/protocol

A

UDP 162

34
Q

How do SNMP traps come to be?

A

An administrator configures the SNMP agent on a device so that, whenever a certain event occurs or a threshold is reached (e.g. the number of CRC errors increases by 5), an SNMP trap is sent to the management station.

35
Q

Difference between NetFlow and SNMP

A

SNMP focuses on low-level metrics like utilization, the number of packets passing through an interface, response time information, etc.

NetFlow has more detailed, higher-level metrics like traffic flows, application use, what device communicates to what other device, top 10 endpoints, traffic analyzer events, etc.

36
Q

How does NetFlow work?

A

A probe is inserted into the network, either as software installed on a network device or as a separate system fed by a SPAN port or TAP, in order to watch traffic going past.

The probes collect information, and then send copies to a collector which will compile the info and create reports - usually through a separate reporting app.

37
Q

How does SNMP work?

A

Agents are installed on network devices that periodically send information to a centralized management station.

38
Q

Many vulnerability scanners will also provide a ____ scan to see what services are installed on a particular device.

A

Port

39
Q

True/False

You can provide a vulnerability scanner with a list of IP addresses or a range and see which devices are active in that range.

A

True

40
Q

True/False

It is helpful to perform a vulnerability scan from the outside of your network to see what an attacker might see.

A

True