4.4 Flashcards
Security monitoring, security tools
3 main resources that you want to monitor
Systems
Applications
Infrastructure
What do you want to monitor systems for? (4)
Logins from strange places
Service activity
Backups
Software versions
What do you want to monitor applications for? (3)
Availability (uptime and response times)
Data transfers (sudden increases in activity can indicate malicious acts)
Security notifications from the application's developer/vendor
What do you want to monitor infrastructure for? (2)
Firewall and IPS reports
Remote access systems - who is connecting when?
The act of consolidating logs into a central database
Log aggregation
The act of using an automated service to actively check systems and devices for:
OS types and versions
Device driver versions
Installed applications
Potential anomalies
It saves all of this information into a database that can be used to produce detailed reports
Scanning
True/False
It is difficult to keep track of which vulnerabilities exist in each system because systems are constantly changing (new software, patches, configuration changes)
True
The act of analyzing collected network data in order to:
Create documents regarding the status of the network
Determine next steps to remediate any vulnerabilities
Perform “what if” analysis and ad hoc reporting to preemptively secure the network against future attacks
Reporting
A type of report that helps authorized individuals implement changes in the network to provide better security
Actionable report
The act of retaining a large volume of logs and backups over a long period of time (for later investigation and compliance)
Archiving
The act of real-time notification of security events
Alerting
The act of authorized individuals taking action to stop an active security breach, and solve the problem that enabled it.
Alert response and remediation
Data that enables security professionals to respond quickly during an attack
Actionable data
The most common first response to a cyber attack
Quarantine (isolating the affected system or network segment)
The practice of adjusting the monitoring system so it learns which alerts are false positives (or which real events it is missing as false negatives) and which alerts are unnecessary, so that it produces the most accurate alerts possible.
The end result is that the system can resolve low-level alerts automatically and only high-priority alerts are forwarded to security personnel.
Alert tuning
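Worked example, added here and not part of the original flashcards: a small monitoring pipeline that ties several cards together. It aggregates constructed log lines from two hosts into one normalized list (log aggregation), runs detections for two of the things the cards say to watch for (logins from strange places, a sudden increase in data transfers), and then applies alert tuning so a known-good case is suppressed and only the remaining high-priority alerts are forwarded. The log format, field names, hosts, users, thresholds and the known-good list are all assumptions made for illustration.

```python
"""Added example: aggregate -> detect -> tune. Not from any product or the original page."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample logs from two systems. Assumed format:
#   "<ISO time> <host> <event> user=<u> src=<ip> geo=<CC> [bytes=<n>]"
RAW_LOGS = {
    "web01": [
        "2024-05-01T09:00:00 web01 login user=alice src=10.0.0.5 geo=US",
        "2024-05-01T09:05:00 web01 transfer user=alice src=10.0.0.5 geo=US bytes=120000",
        "2024-05-01T09:10:00 web01 transfer user=alice src=10.0.0.5 geo=US bytes=130000",
        "2024-05-01T09:15:00 web01 transfer user=alice src=10.0.0.5 geo=US bytes=9800000",
    ],
    "vpn01": [
        "2024-05-01T03:12:00 vpn01 login user=bob src=203.0.113.9 geo=RO",
        "2024-05-01T08:00:00 vpn01 login user=carol src=198.51.100.4 geo=DE",
    ],
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) geo=(?P<geo>\S+)(?: bytes=(?P<bytes>\d+))?$"
)

# Tuning knobs (assumed values for this example).
EXPECTED_GEOS = {"US"}          # countries logins normally come from
SPIKE_FACTOR = 5                # transfer > factor * user's running average => alert
KNOWN_GOOD = {("carol", "DE")}  # tuned-out false positive: carol is known to work from DE


def aggregate(raw_logs):
    """Log aggregation: parse every source into one time-ordered list of events."""
    events = []
    for lines in raw_logs.values():
        for line in lines:
            m = LINE_RE.match(line)
            if not m:
                continue  # skip lines that do not match the expected format
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            ev["bytes"] = int(ev["bytes"]) if ev["bytes"] else 0
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_strange_logins(events, expected_geos=EXPECTED_GEOS):
    """Systems card: logins from strange places (geo outside the expected set)."""
    return [
        {"type": "strange_login", "severity": "high", "ts": ev["ts"],
         "host": ev["host"], "user": ev["user"], "geo": ev["geo"]}
        for ev in events
        if ev["event"] == "login" and ev["geo"] not in expected_geos
    ]


def detect_transfer_spikes(events, factor=SPIKE_FACTOR):
    """Applications card: a transfer far above the user's running average so far."""
    alerts = []
    history = defaultdict(list)  # user -> sizes of earlier transfers
    for ev in events:
        if ev["event"] != "transfer":
            continue
        prior = history[ev["user"]]
        if prior and ev["bytes"] > factor * (sum(prior) / len(prior)):
            alerts.append({"type": "transfer_spike", "severity": "high", "ts": ev["ts"],
                           "host": ev["host"], "user": ev["user"], "bytes": ev["bytes"]})
        prior.append(ev["bytes"])
    return alerts


def tune(alerts, known_good=KNOWN_GOOD):
    """Alert tuning: drop alerts that match a known-good (user, geo) pair."""
    return [a for a in alerts
            if not (a["type"] == "strange_login" and (a["user"], a["geo"]) in known_good)]


def run_pipeline(raw_logs=RAW_LOGS):
    """Return the tuned, time-ordered alerts that would be forwarded to personnel."""
    events = aggregate(raw_logs)
    alerts = detect_strange_logins(events) + detect_transfer_spikes(events)
    return sorted(tune(alerts), key=lambda a: a["ts"])


if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert["ts"], alert["type"], alert["user"], alert.get("geo", alert.get("bytes")))
```

On the constructed input, the untuned detections are three (bob from RO, carol from DE, alice's 9.8 MB transfer); tuning removes carol's known-good login, so two alerts are forwarded. The running-average spike check only fires once a user has prior history, which is why alice's first transfer cannot trigger it; a real deployment would baseline per user over days, not per session.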
SCAP stands for
Security Content Automation Protocol