Ch. 8

Question 1

What are the three tiers a log management infrastructure typically comprises?

Answer 1

• Log monitoring
• Log analysis and storage
• Log generation

Question 2

What are types of network-based attack?

Answer 2

• Eavesdropping
• Data Modification
• IP Address Spoofing
• Denial-of-Service Attack
• Man-in-the-Middle Attack
• Packet Sniffing
• Enumeration
• Session Hijacking
• Buffer Overflow
• Email Infection
• Malware attack
• Password-based attack
• Router Attacks

Question 3

What attack floods the target with large amounts of invalid traffic exhausting resources available on the target?

Answer 3

Denial-of-service

Question 4

How can an attacker exploit a network?

Answer 4

Through wired or wireless connections.

Question 5

What is the primary reason for forensic investigators to examine logs?

Answer 5

To correlate the information across multiple log files to understand how an attack was conducted.

Question 6

What is true about the transport layer in the TCP/IP model?

Answer 6

It is the backbone for data flow between two devices in a network.

Question 7

What is an ongoing process that returns results simultaneously so that the system or operators can respond to attacks immediately?

Answer 7

Real-time analysis

Question 8

What attack is specific to wireless networks?

Answer 8

Jamming signal attack

Question 9

In what type of forensic examination do investigators perform an examination of logs to detect something that has already occurred in a network/device and determine what it is?

Answer 9

Postmortem

Question 10

What is the most common MAC spoofing detection method in which investigators analyze the sequence number field in the MAC-layer frame header?

Answer 10

Sequence number-based detection

Question 11

In Event Correlation Approaches, which approach is used to monitor the computers’ and computer users’ behavior and provide an alert if something anomalous is found?

Answer 11

Role-based approach

Question 12

Investigators use what command to view the ARP table in Windows?

Answer 12

arp -a

Question 13

What describes the implementation of sniffing, capturing, and analyzing network traffic and event logs to investigate a network security incident?

Answer 13

Network forensics

Question 14

Network Indicators of Compromise (IOCs)

Answer 14

• Unusual outbound network traffic
• Uniform Resource Locators or URLs
• User agent strings
• Log-in anomalies
• Increased number of requests for same file
• Network traffic traversing on unusual ports

Question 15

What layer of the TCP/IP Model do the application layer, presentation layer, and session layer of the OSI model together form?

Answer 15

Application layer

Question 16

What layer of the TCP/IP model do the data link layer and the physical layer of the OSI model together form?

Answer 16

Network access layer

Question 17

What type of network-based evidence provides a summary of a conversation between two network devices and includes an aggregation of metadata from network traffic, such as the destination IP and destination port, source IP and source port, start time of the session, and information exchanged during that session?

Answer 17

Session data

Question 18

What type of network-based evidence is gathered by capturing and storing all the packets following through a network without any filtration using a tool like tcpdump or wireshark and can assist investigators perform post-mortem analysis of a security incident?

Answer 18

Full Content Data

Question 19

What type of tool addresses the concern of managing increasing volumes of log data from multiple sources over a centralized platform to mitigate the chances of cyberattacks with real-time incident monitoring analysis?

Answer 19

Security information and event management (SIEM)

Question 20

A SIEM is composed of two layers, a base layer for log management and an additional layer for security analytics. The activities in both of these layers are distributed between the security information management (SIM) and the ______________.

Answer 20

security event management (SEM)

Question 21

What technique is used to assign a new meaning for relating a set of events that occur in a fixed amount of time where few important events are identified among a large number of events?

Answer 21

Event correlation

Question 22

What event correlation step compiles repeated events into a single event and avoids the duplication of the same event?

Answer 22

Event aggregation

Question 23

What event correlation step is the most complex and identifies all devices that became inaccessible due to network failures?

Answer 23

Root cause analysis

Question 24

What type of event correlation method is used when different operating systems (OS) and network hardware platforms are used in the network of an organization?

Answer 24

Cross-platform correlation

Question 25

What type of event correlation approach is an advanced correlation method based on statistics and probability theory that uses prior probabilities of conditions to predict what a hacker might do next after an attack?

Answer 25

Bayesian correlation

Question 26

A wireless access point can be termed rogue when it is installed within a trusted network without appropriate _____________.

Answer 26

authorization