Ch. 8 Flashcards
What are the three tiers a log management infrastructure typically comprises?
- Log monitoring
- Log analysis and storage
- Log generation
What are the types of network-based attacks?
- Eavesdropping
- Data Modification
- IP Address Spoofing
- Denial-of-Service Attack
- Man-in-the-Middle Attack
- Packet Sniffing
- Enumeration
- Session Hijacking
- Buffer Overflow
- Email Infection
- Malware attack
- Password-based attack
- Router Attacks
What attack floods the target with large amounts of invalid traffic, exhausting the resources available on the target?
Denial-of-service
How can an attacker exploit a network?
Through wired or wireless connections.
What is the primary reason for forensic investigators to examine logs?
To correlate the information across multiple log files to understand how an attack was conducted.
What is true about the transport layer in the TCP/IP model?
It is the backbone for data flow between two devices in a network.
What is an ongoing process that returns results simultaneously so that the system or operators can respond to attacks immediately?
Real-time analysis
What attack is specific to wireless networks?
Jamming signal attack
In what type of forensic examination do investigators perform an examination of logs to detect something that has already occurred in a network/device and determine what it is?
Postmortem
What is the most common MAC spoofing detection method in which investigators analyze the sequence number field in the MAC-layer frame header?
Sequence number-based detection
In Event Correlation Approaches, which approach is used to monitor the computers’ and computer users’ behavior and provide an alert if something anomalous is found?
Role-based approach
Investigators use what command to view the ARP table in Windows?
arp -a
What describes the implementation of sniffing, capturing, and analyzing network traffic and event logs to investigate a network security incident?
Network forensics
Network Indicators of Compromise (IOCs)
- Unusual outbound network traffic
- Uniform Resource Locators or URLs
- User agent strings
- Log-in anomalies
- Increased number of requests for the same file
- Network traffic traversing on unusual ports
What layer of the TCP/IP Model do the application layer, presentation layer, and session layer of the OSI model together form?
Application layer
What layer of the TCP/IP model do the data link layer and the physical layer of the OSI model together form?
Network access layer
What type of network-based evidence provides a summary of a conversation between two network devices and includes an aggregation of metadata from network traffic, such as the destination IP and destination port, source IP and source port, start time of the session, and information exchanged during that session?
Session data
What type of network-based evidence is gathered by capturing and storing all the packets flowing through a network, without any filtering, using a tool like tcpdump or Wireshark, and can assist investigators in performing post-mortem analysis of a security incident?
Full Content Data
What type of tool addresses the concern of managing increasing volumes of log data from multiple sources on a centralized platform, reducing the chances of cyberattacks through real-time incident monitoring and analysis?
Security information and event management (SIEM)
A SIEM is composed of two layers, a base layer for log management and an additional layer for security analytics. The activities in both of these layers are distributed between the security information management (SIM) and the ______________.
security event management (SEM)
What technique assigns a new meaning to a set of related events that occur within a fixed period of time, identifying the few important events among a large number of events?
Event correlation
What event correlation step compiles repeated events into a single event and avoids the duplication of the same event?
Event aggregation
What event correlation step is the most complex and identifies all devices that became inaccessible due to network failures?
Root cause analysis
What type of event correlation method is used when different operating systems (OS) and network hardware platforms are used in the network of an organization?
Cross-platform correlation
What type of event correlation approach is an advanced correlation method based on statistics and probability theory that uses prior probabilities of conditions to predict what a hacker might do next after an attack?
Bayesian correlation
A wireless access point can be termed rogue when it is installed within a trusted network without appropriate _____________.
authorization