Alerting and Monitoring Flashcards
Objective 4.4: Explain security alerting and monitoring concepts and tools
- What is the primary purpose of system monitoring?
A) To track and manage the financial expenses of an organization
B) To observe and measure a computer system’s performance and resource utilization
C) To restrict access to applications and services
D) To ensure that all software updates are installed on time
Answer: B) To observe and measure a computer system’s performance and resource utilization
Explanation:
(A) Incorrect – Financial expenses are managed through accounting and financial systems, not system monitoring.
(B) Correct – System monitoring involves tracking CPU usage, memory consumption, disk activity, and network performance to ensure optimal system functionality.
(C) Incorrect – While access control is important, it falls under cybersecurity and identity management rather than system monitoring.
(D) Incorrect – Software updates are part of patch management, which is different from system monitoring.
- What does a baseline represent in system monitoring?
A) The slowest performance of a system recorded in the past year
B) A set of performance metrics representing normal system behavior
C) The total downtime of a system within a given period
D) A random set of values collected from various system logs
Answer: B) A set of performance metrics representing normal system behavior
Explanation:
(A) Incorrect – A baseline is not about the slowest performance but rather what is considered normal for a system.
(B) Correct – A baseline is a reference point used to compare against real-time performance, helping detect deviations that might indicate issues.
(C) Incorrect – Total downtime refers to system availability, which is a separate metric from baseline performance.
(D) Incorrect – A baseline is not random; it is carefully established using systematic data collection over time.
- What could a consistent deviation from a baseline indicate?
A) The system is performing within normal expectations
B) The system is experiencing potential issues or performance degradation
C) The network connection is secure and functioning properly
D) The system has been successfully optimized for better performance
Answer: B) The system is experiencing potential issues or performance degradation
Explanation:
(A) Incorrect – A deviation means the system is not behaving as expected, indicating potential issues.
(B) Correct – Deviations from a baseline suggest abnormalities, which could be performance problems, security threats, or hardware failures.
(C) Incorrect – A secure network connection does not necessarily mean a system is operating normally.
(D) Incorrect – While optimization can improve performance, deviations often signal problems rather than improvements.
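The two questions above (what a baseline is, and what a consistent deviation from it means) are easier to hold onto with a concrete check. The following Python script is an added example, not part of the original flashcards: it learns a baseline (mean and standard deviation) from a window of constructed "normal" CPU samples, scores later samples against it, and distinguishes a one-off spike from a consistent deviation. The sample values, the 3-standard-deviation rule and the "4 of the last 5 samples" rule are all assumptions chosen for illustration; real tooling tunes these per metric.

```python
"""Baseline and deviation detection over a constructed CPU-utilisation series."""
from statistics import mean, pstdev

# Constructed: 24 samples of normal behaviour (percent CPU) used to learn the baseline.
TRAINING = [21, 24, 19, 23, 22, 25, 20, 24, 23, 21, 22, 26,
            24, 20, 23, 22, 25, 21, 23, 24, 22, 20, 23, 22]

# Constructed: live samples containing one isolated spike and then a sustained climb.
LIVE = [22, 24, 61, 23, 22, 21, 55, 58, 62, 60, 64, 63]


def build_baseline(samples):
    """Return (mean, stdev): the reference point that defines 'normal' for the metric."""
    return mean(samples), pstdev(samples)


def z_score(value, baseline):
    """How many standard deviations a sample sits from the baseline mean."""
    mu, sigma = baseline
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def find_deviations(samples, baseline, k=3.0, window=5, min_hits=4):
    """Classify each sample as 'normal', 'spike' or 'consistent'.

    A single sample more than k standard deviations from the mean is a spike.
    A consistent deviation is reported once at least min_hits of the last
    `window` samples are spikes: that is the pattern worth alerting on
    (runaway process, saturation, cryptominer), whereas an isolated spike is
    usually noise.  Both rules are illustrative assumptions.
    """
    flags, recent = [], []
    for value in samples:
        spike = abs(z_score(value, baseline)) > k
        recent.append(spike)
        recent = recent[-window:]
        if spike and sum(recent) >= min_hits:
            flags.append("consistent")
        elif spike:
            flags.append("spike")
        else:
            flags.append("normal")
    return flags


if __name__ == "__main__":
    baseline = build_baseline(TRAINING)
    print("baseline mean=%.1f stdev=%.2f" % baseline)
    for value, flag in zip(LIVE, find_deviations(LIVE, baseline)):
        print(f"{value:3d}%  {flag}")
```

Run as a script it prints the baseline and one line per live sample; the isolated 61% reads as "spike", while the run from 55% upwards becomes "consistent" only after enough of the recent window is out of bounds. Comparing the training data against its own baseline yields no flags at all, which is the sanity check to run before putting a baseline into service.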
- Which of the following tools can be used for infrastructure monitoring?
A) New Relic
B) SolarWinds
C) AppDynamics
D) Visual Studio
Answer: B) SolarWinds
Explanation:
(A) Incorrect – New Relic is best known as an application performance monitoring (APM) platform; it does offer infrastructure monitoring as well, but the exam classes it as an application monitoring tool.
(B) Correct – SolarWinds is a network and infrastructure monitoring tool used to observe servers, networking devices, and other IT resources.
(C) Incorrect – AppDynamics is likewise classed as an application performance monitoring tool rather than an infrastructure monitoring tool.
(D) Incorrect – Visual Studio is an integrated development environment (IDE) for coding, not a monitoring tool.
- What is the primary goal of application monitoring?
A) To ensure that application performance meets expected standards
B) To prevent unauthorized access to an application
C) To track financial transactions within an application
D) To schedule regular system updates
Answer: A) To ensure that application performance meets expected standards
Explanation:
(A) Correct – Application monitoring focuses on tracking performance metrics such as response times, error rates, and user experience.
(B) Incorrect – Preventing unauthorized access is related to security, not application monitoring.
(C) Incorrect – Tracking financial transactions falls under accounting and business intelligence, not monitoring.
(D) Incorrect – System updates are part of maintenance but are not the main focus of application monitoring.
- Which scenario best describes a situation requiring application monitoring?
A) A company wants to check if a network switch is being overloaded
B) A system administrator is analyzing CPU usage on a data center server
C) A web application is experiencing slow response times, affecting user experience
D) A company needs to replace aging hardware in its data center
Answer: C) A web application is experiencing slow response times, affecting user experience
Explanation:
(A) Incorrect – Monitoring network switches falls under infrastructure monitoring, not application monitoring.
(B) Incorrect – Analyzing CPU usage is part of system monitoring, not application monitoring.
(C) Correct – Application monitoring helps track response times, error rates, and other performance indicators to ensure a good user experience.
(D) Incorrect – Replacing hardware is part of IT asset management, not monitoring.
- What tool is commonly used for application performance monitoring (APM)?
A) PRTG Network Monitor
B) SolarWinds
C) New Relic
D) Wireshark
Answer: C) New Relic
Explanation:
(A) Incorrect – PRTG is primarily used for network monitoring, not application monitoring.
(B) Incorrect – SolarWinds focuses more on infrastructure monitoring.
(C) Correct – New Relic is specifically designed for monitoring application performance, tracking response times, error rates, and other key performance indicators.
(D) Incorrect – Wireshark is used for network packet analysis, not application performance monitoring.
- A network engineer notices that a network switch is constantly overloaded. What is the most likely solution?
A) Decreasing network bandwidth
B) Adding more network capacity or fixing configuration issues
C) Replacing all network switches in the company
D) Disabling all non-essential network traffic
Answer: B) Adding more network capacity or fixing configuration issues
Explanation:
(A) Incorrect – Decreasing bandwidth would worsen the problem, not fix it.
(B) Correct – An overloaded network switch often indicates a need for more capacity or a configuration issue.
(C) Incorrect – Replacing all network switches is unnecessary unless there is a widespread hardware failure.
(D) Incorrect – Disabling traffic without analyzing its impact could disrupt business operations.
- Which type of monitoring focuses on tracking system resources like CPU utilization and memory consumption?
A) Infrastructure monitoring
B) Application monitoring
C) System monitoring
D) Network monitoring
Answer: C) System monitoring
Explanation:
(A) Incorrect – Infrastructure monitoring looks at physical and virtual components like servers and networking devices.
(B) Incorrect – Application monitoring tracks performance and errors in software applications.
(C) Correct – System monitoring focuses on resources like CPU, memory, disk usage, and network performance.
(D) Incorrect – Network monitoring is a subset of infrastructure monitoring, focusing specifically on network traffic and device health.
- What is the primary purpose of log aggregation?
A) To notify administrators about failed login attempts
B) To collect and consolidate log data from various sources
C) To automatically block unauthorized access to a system
D) To replace manual security monitoring
Answer: B) To collect and consolidate log data from various sources
Explanation:
(A) Incorrect – While log aggregation helps in analyzing failed login attempts, its main function is broader.
(B) Correct – Log aggregation gathers logs from multiple sources into a centralized location, aiding in troubleshooting, security analysis, and compliance.
(C) Incorrect – Blocking unauthorized access is part of intrusion prevention systems (IPS), not log aggregation.
(D) Incorrect – Log aggregation supports monitoring but does not replace manual oversight.
- Which of the following is NOT a benefit of log aggregation?
A) Identifying system performance trends
B) Detecting security incidents
C) Automatically fixing system vulnerabilities
D) Meeting compliance requirements
Answer: C) Automatically fixing system vulnerabilities
Explanation:
(A) A benefit – Log aggregation lets an organization analyze historical data and spot performance trends.
(B) A benefit – Centralized security logs help identify potential threats, such as failed login attempts or suspicious network activity.
(C) Not a benefit (the correct answer) – Log aggregation does not fix vulnerabilities; it surfaces issues that still have to be remediated.
(D) A benefit – Regulations and standards such as HIPAA, PCI DSS and GDPR expect organizations to retain and be able to review logs (PCI DSS states an explicit retention period), which aggregation makes practical.
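The two log aggregation questions above make the point that consolidation is what turns scattered records into something analyzable. The Python script below is an added example, not part of the original flashcards: it parses three constructed log sources (an OpenSSH auth log, Windows Security events exported as JSON lines, and an Nginx access log) into one normalized event shape, then counts failed logins per source IP across all of them. The log lines, host names and IP addresses are constructed for the example; the regular expressions match the common formats of those sources but are assumptions about the exact layout.

```python
"""Log aggregation: normalise events from three constructed sources and
correlate failed logins per source IP across all of them."""
import json
import re
from collections import Counter, defaultdict

# Constructed sample logs.  One address (203.0.113.5) fails against SSH, a
# Windows host and a web login form, but never more than twice per source.
SSH_LOG = """\
Jan 12 10:15:01 bastion sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 12 10:15:04 bastion sshd[1234]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 12 10:16:10 bastion sshd[1301]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
"""

# Windows Security events as JSON lines (4625 = failed logon, 4624 = successful logon).
WINDOWS_LOG = """\
{"EventID": 4625, "TargetUserName": "administrator", "IpAddress": "203.0.113.5", "TimeCreated": "2024-01-12T10:15:20Z"}
{"EventID": 4624, "TargetUserName": "jsmith", "IpAddress": "10.0.0.41", "TimeCreated": "2024-01-12T10:15:25Z"}
"""

# Nginx combined-format access log for the login endpoint.
WEB_LOG = """\
203.0.113.5 - - [12/Jan/2024:10:15:40 +0000] "POST /login HTTP/1.1" 401 120
203.0.113.5 - - [12/Jan/2024:10:15:42 +0000] "POST /login HTTP/1.1" 401 120
192.0.2.9 - - [12/Jan/2024:10:15:50 +0000] "POST /login HTTP/1.1" 200 512
"""

SSH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
WEB_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def parse_ssh(text):
    """Normalise sshd lines: source, ip, user, outcome."""
    for line in text.splitlines():
        m = SSH_RE.search(line)
        if m:
            yield {"source": "ssh", "ip": m["ip"], "user": m["user"],
                   "outcome": "fail" if m["result"] == "Failed" else "success"}


def parse_windows(text):
    """Normalise Windows logon events from JSON lines."""
    for line in text.splitlines():
        ev = json.loads(line)
        yield {"source": "windows", "ip": ev["IpAddress"], "user": ev["TargetUserName"],
               "outcome": "fail" if ev["EventID"] == 4625 else "success"}


def parse_web(text):
    """Normalise POSTs to /login; HTTP 401 is treated as a failed login."""
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if m and m["path"] == "/login":
            yield {"source": "web", "ip": m["ip"], "user": None,
                   "outcome": "fail" if m["status"] == "401" else "success"}


def aggregate(*streams):
    """The aggregation step: one consolidated list of same-shaped events."""
    return [event for stream in streams for event in stream]


def failed_logins_by_ip(events):
    """Failure count per IP, plus the set of sources each IP was seen in."""
    counts, sources = Counter(), defaultdict(set)
    for ev in events:
        if ev["outcome"] == "fail":
            counts[ev["ip"]] += 1
            sources[ev["ip"]].add(ev["source"])
    return counts, sources


def suspicious_ips(events, threshold=3):
    """IPs whose failures across ALL sources reach the threshold (an assumed value)."""
    counts, sources = failed_logins_by_ip(events)
    return {ip: sorted(sources[ip]) for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    events = aggregate(parse_ssh(SSH_LOG), parse_windows(WINDOWS_LOG), parse_web(WEB_LOG))
    for ip, seen_in in suspicious_ips(events).items():
        print(f"{ip}: failed logins across {', '.join(seen_in)}")
```

The design point is in the last function: with a threshold of three failures, no single source ever crosses it (two SSH failures, one Windows failure, two web failures), so per-source monitoring stays silent. Only the aggregated view shows one address working through every login surface it can reach.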
- What is the role of alerting in system monitoring?
A) To shut down the system in case of an error
B) To notify stakeholders about specific events or conditions
C) To automatically patch system vulnerabilities
D) To replace real-time monitoring
Answer: B) To notify stakeholders about specific events or conditions
Explanation:
(A) Incorrect – Alerting notifies relevant stakeholders but does not shut down systems automatically.
(B) Correct – Alerts inform IT teams, security analysts, or administrators about unusual activities or threshold breaches.
(C) Incorrect – Patching is part of remediation, not alerting.
(D) Incorrect – Alerting complements real-time monitoring but does not replace it.
How can alerts be triggered?
A) Manually by administrators only
B) Only when a critical failure occurs
C) Based on predefined thresholds or anomalies
D) When a system is rebooted
Answer: C) Based on predefined thresholds or anomalies
Explanation:
(A) Incorrect – Alerts are mostly automated, though manual alerts can also be set up.
(B) Incorrect – Alerts can be triggered before a failure occurs, not just after.
(C) Correct – Alerts can be set to trigger when a metric exceeds a certain threshold or when an anomaly is detected.
(D) Incorrect – System reboots may be logged, but they are not the main trigger for alerts.
- Which tool can be used for vulnerability scanning?
A) Nessus
B) Splunk
C) Amazon S3
D) CIS-CAT
Answer: A) Nessus
Explanation:
(A) Correct – Nessus is widely used for vulnerability scanning to detect security weaknesses in systems and applications.
(B) Incorrect – Splunk is a log aggregation and monitoring tool, not a vulnerability scanner.
(C) Incorrect – Amazon S3 is a cloud storage service, not a scanning tool.
(D) Incorrect – CIS-CAT assesses a system's configuration against CIS Benchmarks; it is a configuration scanner, not a vulnerability scanner.
- What is the purpose of configuration scanning?
A) To detect misconfigurations affecting security or performance
B) To automatically update system software
C) To analyze malware in real time
D) To store system logs in cloud environments
Answer: A) To detect misconfigurations affecting security or performance
Explanation:
(A) Correct – Configuration scanning compares a system's settings with a hardening baseline or benchmark (for example a CIS Benchmark) and reports every deviation.
(B) Incorrect – Configuration scanning identifies issues but does not update software automatically.
(C) Incorrect – Malware analysis is different from configuration scanning.
(D) Incorrect – Configuration scanning does not handle log storage.
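To make the configuration scanning question concrete, the following Python script is an added example, not part of the original flashcards: it parses a constructed sshd_config and checks it against a short list of expected settings, reporting each keyword that is missing or set to the wrong value. The expectations are illustrative assumptions modelled on common SSH hardening guidance rather than a copy of any published benchmark, and the config file is constructed for the example.

```python
"""Configuration scanning: check a constructed sshd_config against an
expected-settings list and report every deviation."""
import re

# Constructed sshd_config.  Two keywords deviate from the expectations below,
# and one expected keyword appears only as a comment, so it is not set at all.
SSHD_CONFIG = """\
# sshd_config (constructed for this example)
Port 22
PermitRootLogin yes
PasswordAuthentication no
#MaxAuthTries 6
X11Forwarding yes
LogLevel VERBOSE
"""

# Illustrative expectations (assumed values); a real scan loads the benchmark
# the organisation has adopted.
BENCHMARK = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "MaxAuthTries": "4",
    "X11Forwarding": "no",
    "LogLevel": "VERBOSE",
}


def parse_sshd_config(text):
    """Effective keyword -> value (keywords lower-cased).

    Comments and blank lines are skipped.  sshd uses the FIRST value it sees
    for a repeated keyword, so later duplicates are deliberately ignored.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(parts[0].lower(), value)
    return settings


def scan(settings, benchmark):
    """Return (keyword, actual, expected) for every setting that is missing or wrong."""
    findings = []
    for key, expected in benchmark.items():
        actual = settings.get(key.lower())
        if actual is None:
            findings.append((key, "not set", expected))
        elif actual.lower() != expected.lower():
            findings.append((key, actual, expected))
    return findings


if __name__ == "__main__":
    for key, actual, expected in scan(parse_sshd_config(SSHD_CONFIG), BENCHMARK):
        print(f"FAIL {key}: is {actual!r}, expected {expected!r}")
```

Two practical caveats: a keyword reported as "not set" is not automatically a pass or a fail, because sshd applies a compiled-in default for it, so the scanner should know (or be told) that default before deciding; and this parser does not model Match blocks, inside which settings apply only to particular users or addresses.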
- What is the purpose of alert tuning?
A) To increase the number of alerts generated
B) To adjust alert parameters to reduce false positives
C) To disable alerts in a monitoring system
D) To quarantine malicious files automatically
Answer: B) To adjust alert parameters to reduce false positives
Explanation:
(A) Incorrect – The goal is to reduce unnecessary alerts, not increase them.
(B) Correct – Alert tuning ensures that alerts are more relevant by adjusting thresholds and conditions.
(C) Incorrect – Disabling alerts entirely can lead to missing critical issues.
(D) Incorrect – Quarantining is a separate remediation step, not part of alert tuning.
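The alert-triggering question (thresholds and anomalies) and the alert-tuning question above describe two halves of the same mechanism, so one added example serves both; it is not part of the original flashcards. The Python script below runs a constructed memory-utilisation series through a naive threshold alert and then through a tuned version that adds hysteresis (fire at one level, clear at a lower one) and a sustain requirement (the breach must persist for several samples). The series and the thresholds are assumptions chosen for illustration.

```python
"""Threshold alerting, before and after tuning, on a constructed memory series."""

# Constructed samples (percent memory used, one per minute): brief flapping
# around the 90% line, then a real sustained exhaustion starting at minute 10.
SAMPLES = [70, 88, 91, 89, 92, 88, 93, 87, 78, 80,
           94, 95, 97, 96, 98, 97, 99, 96, 82, 75]


def naive_alerts(samples, threshold=90):
    """Untuned: notify on every single sample above the threshold."""
    return [i for i, v in enumerate(samples) if v > threshold]


def tuned_alerts(samples, fire_at=90, clear_at=85, sustain=3):
    """Tuned: emit (index, 'fired') / (index, 'cleared') state transitions only.

    fire_at / clear_at give hysteresis: once fired, the alert clears only when
    the metric drops below clear_at, so values wobbling around fire_at do not
    flap.  sustain requires the breach to persist for that many consecutive
    samples before the alert fires at all.  Both values are assumed settings.
    """
    events, active, breach_run = [], False, 0
    for i, v in enumerate(samples):
        if not active:
            breach_run = breach_run + 1 if v > fire_at else 0
            if breach_run >= sustain:
                active, breach_run = True, 0
                events.append((i, "fired"))
        elif v < clear_at:
            active = False
            events.append((i, "cleared"))
    return events


def fired_count(events):
    """Number of notifications a human would actually receive."""
    return sum(1 for _, kind in events if kind == "fired")


if __name__ == "__main__":
    print("naive alerts at minutes:", naive_alerts(SAMPLES))
    print("tuned transitions:      ", tuned_alerts(SAMPLES))
    print("flapping reproduced:    ", tuned_alerts(SAMPLES, clear_at=90, sustain=1))
```

On this series the naive rule pages eleven times, eight of them for the same incident and three for noise. The tuned rule produces one "fired" at minute 12 and one "cleared" at minute 18, which is the whole story an on-call engineer needs. Setting clear_at equal to fire_at and sustain to 1 reproduces the flapping (four separate firings), which is a useful regression check when someone proposes "simplifying" the tuning.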
- Why is remediation important in alerting and monitoring?
A) It provides insight into system performance trends
B) It helps resolve detected vulnerabilities and issues
C) It archives log data for future reference
D) It generates alerts for security teams
Answer: B) It helps resolve detected vulnerabilities and issues
Explanation:
(A) Incorrect – Performance trends are part of monitoring, but remediation focuses on fixing issues.
(B) Correct – Remediation involves actions like patching software, reconfiguring settings, or modifying code to fix vulnerabilities.
(C) Incorrect – Archiving refers to storing data, not remediation.
(D) Incorrect – Alert generation is a separate process from remediation.
- How does quarantining help in incident response?
A) It blocks all network activity
B) It isolates a potentially compromised system to prevent further spread
C) It automatically fixes all security vulnerabilities
D) It disables all user accounts on a system
Answer: B) It isolates a potentially compromised system to prevent further spread
Explanation:
(A) Incorrect – Quarantining restricts the network access of the affected host, file, or application; it does not block network activity for everyone.
(B) Correct – Quarantining isolates a compromised system, network, or application to prevent malware or threats from spreading.
(C) Incorrect – Quarantining stops the spread but does not fix the issue.
(D) Incorrect – It does not disable all accounts; it isolates a specific system or file.
- Which of the following is an example of a regulatory compliance requirement for log retention?
A) Storing logs for at least six years under HIPAA regulations
B) Deleting logs after 30 days to improve system performance
C) Encrypting all log files before storing them
D) Only storing security logs and deleting performance logs
Answer: A) Storing logs for at least six years under HIPAA regulations
Explanation:
(A) Correct – The HIPAA Security Rule requires covered entities to retain required documentation, generally interpreted to include audit logs, for six years.
(B) Incorrect – Regulations often require long-term storage, not deletion after 30 days.
(C) Incorrect – While encryption is recommended, it is not a log retention requirement under HIPAA.
(D) Incorrect – Regulatory compliance often requires storing all relevant logs, not just security logs.
- What is the primary purpose of SNMP?
A) To send and receive emails securely
B) To monitor and manage network devices
C) To encrypt network communications
D) To prevent unauthorized access to a network
Answer: B) To monitor and manage network devices
Explanation:
(A) Incorrect – SNMP is used for network monitoring, not email communication.
(B) Correct – SNMP is a protocol used to collect and modify information on managed network devices (e.g., routers, switches, and servers).
(C) Incorrect – SNMP v3 adds authentication and encryption (the authPriv security level), but securing traffic is not the protocol's purpose.
(D) Incorrect – While SNMP supports authentication, its primary role is device monitoring and management.
- What type of devices can SNMP manage?
A) Only routers and switches
B) Only client computers and mobile devices
C) Any device that supports SNMP, such as routers, switches, firewalls, and servers
D) Only enterprise-level hardware
Answer: C) Any device that supports SNMP, such as routers, switches, firewalls, and servers
Explanation:
(A) Incorrect – SNMP is used for more than just routers and switches.
(B) Incorrect – While client devices can be managed, SNMP is primarily used for network infrastructure devices.
(C) Correct – SNMP supports a wide range of network devices, including routers, switches, firewalls, printers, and servers.
(D) Incorrect – SNMP is used in both small and large networks, not just enterprise environments.
- What is the role of the SNMP Manager?
A) To store SNMP messages permanently
B) To collect, process, and manage SNMP data from network devices
C) To act as a firewall and block suspicious network activity
D) To serve as a backup for SNMP logs
Answer: B) To collect, process, and manage SNMP data from network devices
Explanation:
(A) Incorrect – Retaining data is incidental; a manager may keep historical data in its database, but that is not its defining role.
(B) Correct – The SNMP Manager (the network management station) polls SNMP Agents with Get and Set requests, receives their Traps, and presents the collected data for monitoring and management.
(C) Incorrect – Firewalls protect networks; SNMP is used for monitoring and management.
(D) Incorrect – While logs can be stored, the primary role of the SNMP Manager is device monitoring and management.
- What is an SNMP Agent responsible for?
A) Collecting and transmitting data to the SNMP Manager
B) Blocking unauthorized SNMP traffic
C) Encrypting SNMP communications
D) Automatically fixing configuration errors
Answer: A) Collecting and transmitting data to the SNMP Manager
Explanation:
(A) Correct – SNMP Agents run on network devices and collect system data (e.g., CPU usage, network activity) before sending it to the SNMP Manager.
(B) Incorrect – Agents answer requests and send traps; restricting who may speak SNMP to a device is done with access control lists, firewalls and, under SNMP v3, the configured users and views.
(C) Incorrect – Encryption is a feature of SNMP v3 applied by both manager and agent, not what an agent is for; under SNMP v1 and v2c the community string travels in cleartext.
(D) Incorrect – The SNMP Agent only reports issues; it does not automatically fix them.
- What is the purpose of SNMP Trap messages?
A) To request data from an SNMP Agent
B) To modify a device’s settings
C) To send alerts from an SNMP Agent to an SNMP Manager without a request
D) To encrypt SNMP traffic
Answer: C) To send alerts from an SNMP Agent to an SNMP Manager without a request
Explanation:
(A) Incorrect – This describes SNMP Get messages.
(B) Incorrect – This describes SNMP Set messages.
(C) Correct – SNMP Traps are unsolicited notifications an agent sends when an event occurs, such as a link going down or a threshold being crossed.
(D) Incorrect – A Trap is a notification; encryption is a property of the SNMP v3 transport (a trap can be sent under SNMP v3 authPriv), not of the Trap message itself.
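The five SNMP questions above describe the manager, the agent, the Get/Set/Trap message types and the v3 security additions; one added example covers them together. The Python script below is not part of the original flashcards: it hand-encodes, with BER, a manager's SNMPv2c GetRequest for sysDescr.0, the agent's Response, and an unsolicited SNMPv2-Trap for linkDown, then decodes the bytes the way a passive observer on the segment would, reading the community string straight back out. The community string, request IDs, sysDescr text and uptime value are constructed; the OIDs and PDU tags are the standard ones. Nothing is sent on the network.

```python
"""SNMPv2c on the wire, built by hand with BER: a manager's GetRequest,
the agent's Response, and an unsolicited SNMPv2-Trap, plus a decoder that
reads the community string straight back out of the bytes.  Constructed
example; nothing is transmitted."""
import struct

SYS_DESCR = "1.3.6.1.2.1.1.1.0"          # sysDescr.0
SYS_UPTIME = "1.3.6.1.2.1.1.3.0"         # sysUpTime.0
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"  # snmpTrapOID.0
LINK_DOWN = "1.3.6.1.6.3.1.1.5.3"        # linkDown notification
GET_REQUEST, RESPONSE, TRAP_V2 = 0xA0, 0xA2, 0xA7   # PDU tags
NULL = b"\x05\x00"


def tlv(tag, body):
    """BER Tag-Length-Value with definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = b"\x82" + struct.pack(">H", n)
    return bytes([tag]) + length + body


def ber_int(value, tag=0x02):
    """INTEGER (or TimeTicks etc. via tag) in minimal two's-complement bytes."""
    return tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def ber_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])   # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                     # base-128, high bit = "more follows"
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))


def ber_str(text):
    return tlv(0x04, text.encode())


def varbind(oid, value=NULL):
    return tlv(0x30, ber_oid(oid) + value)


def snmp_message(pdu_type, community, request_id, varbinds):
    pdu = tlv(pdu_type, ber_int(request_id) + ber_int(0) + ber_int(0)   # error-status, error-index
              + tlv(0x30, b"".join(varbinds)))
    return tlv(0x30, ber_int(1) + ber_str(community) + pdu)            # version 1 == SNMPv2c


def exchange():
    """Manager polls sysDescr.0; the agent answers; later the agent sends a linkDown trap."""
    request = snmp_message(GET_REQUEST, "public", 42, [varbind(SYS_DESCR)])
    response = snmp_message(RESPONSE, "public", 42,
                            [varbind(SYS_DESCR, ber_str("Linux core-sw1 6.1.0"))])
    # RFC 3416: an SNMPv2-Trap carries sysUpTime.0 and snmpTrapOID.0 as its first two varbinds.
    trap = snmp_message(TRAP_V2, "public", 7, [
        varbind(SYS_UPTIME, ber_int(123456, tag=0x43)),   # TimeTicks (constructed uptime)
        varbind(SNMP_TRAP_OID, ber_oid(LINK_DOWN)),
    ])
    return request, response, trap


def parse_tlvs(data):
    """Split one BER layer into (tag, body) pairs."""
    items, i = [], 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:                        # long form: low bits = number of length bytes
            count = length & 0x7F
            length = int.from_bytes(data[i:i + count], "big")
            i += count
        items.append((tag, data[i:i + length]))
        i += length
    return items


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_message(msg):
    """What a passive observer on the segment can read from one v1/v2c message."""
    [(_, top)] = parse_tlvs(msg)
    (_, version), (_, community), (pdu_type, pdu) = parse_tlvs(top)
    (_, req_id), _, _, (_, vbl) = parse_tlvs(pdu)
    varbinds = []
    for _, vb in parse_tlvs(vbl):
        (_, oid_body), (vtag, vbody) = parse_tlvs(vb)
        varbinds.append((decode_oid(oid_body), vtag, vbody))
    return {"version": int.from_bytes(version, "big"),
            "community": community.decode(),           # cleartext: no v3 privacy here
            "pdu_type": pdu_type,
            "request_id": int.from_bytes(req_id, "big", signed=True),
            "varbinds": varbinds}


if __name__ == "__main__":
    for name, msg in zip(("GetRequest", "Response", "Trap"), exchange()):
        print(name, msg.hex(), decode_message(msg))
```

The decoder is the security point of the example: with v1 or v2c, anyone who can capture the packet recovers the community string, which is both the read credential and, if a read-write community is in use, the ability to Set. That is why SNMPv3 with authPriv (or at least restricting SNMP sources with ACLs and using read-only communities) belongs in the remediation list whenever a scan finds "public" or "private" answering on UDP 161.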