Checkpoint Exam: Evaluating Security Alerts Flashcards
Which two technologies are primarily used on peer-to-peer networks? (Choose two.)
Darknet
Snort
BitTorrent
Bitcoin
Wireshark
BitTorrent
Bitcoin
Which technique would a threat actor use to disguise traces of an ongoing exploit?
Use SSL to encapsulate malware.
Create an invisible iFrame on a web page.
Corrupt time information by attacking the NTP infrastructure.
Encapsulate other protocols within DNS to evade security measures.
Corrupt time information by attacking the NTP infrastructure.
Which type of attack is carried out by threat actors against a network to determine which IP addresses, protocols, and ports are allowed by ACLs?
reconnaissance
phishing
social engineering
denial of service
reconnaissance
What is the purpose of Tor?
to allow users to browse the Internet anonymously
to securely connect to a remote network over an unsecure link such as an Internet connection
to inspect incoming traffic and look for any that violates a rule or matches the signature of a known exploit
to donate processor cycles to distributed computational tasks in a processor sharing P2P network
to allow users to browse the Internet anonymously
Which protocol is exploited by cybercriminals who create malicious iFrames?
DHCP
DNS
ARP
HTTP
HTTP
After a security monitoring tool identifies a malware attachment entering the network, what is the benefit of performing a retrospective analysis?
It can determine which network host was first affected.
It can identify how the malware originally entered the network.
A retrospective analysis can help in tracking the behavior of the malware from the identification point forward.
It can calculate the probability of a future incident.
A retrospective analysis can help in tracking the behavior of the malware from the identification point forward.
Which technique is necessary to ensure a private transfer of data using a VPN?
encryption
scalability
authorization
virtualization
encryption
Which method is used by some malware to transfer files from infected hosts to a threat actor host?
UDP infiltration
ICMP tunneling
iFrame injection
HTTPS traffic encryption
ICMP tunneling
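Added example, not part of the original flashcard set: a small detector for the ICMP tunneling method named in the card above. It runs over a constructed list of ICMP packets (not a real capture) and flags hosts whose echo requests carry payloads that do not look like an ordinary ping. The whitelist of ping payloads, the 64-byte size threshold and the 6.0 bits/byte entropy floor are assumptions chosen for the example, not values from the page.

```python
import math
from collections import defaultdict

ICMP_ECHO_REQUEST = 8

# Payloads emitted by ordinary ping tools; anything else is treated as non-standard.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"   # 32 bytes
LINUX_PING_PATTERN = bytes(range(0x10, 0x38))                 # 40-byte pattern after an 8-byte timestamp


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted or compressed data, lower for text or fixed patterns."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_standard_ping_payload(payload: bytes) -> bool:
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    return len(payload) == 56 and payload[8:] == LINUX_PING_PATTERN


def payload_is_suspicious(payload: bytes, max_len: int = 64, entropy_floor: float = 6.0) -> bool:
    """Assumed thresholds: a normal ping payload is <= 64 bytes and is not high-entropy."""
    if is_standard_ping_payload(payload):
        return False
    return len(payload) > max_len or shannon_entropy(payload) > entropy_floor


def find_icmp_tunnels(packets, min_suspicious: int = 3) -> dict:
    """packets: iterable of (src, dst, icmp_type, payload).
    Returns {src: stats} for hosts that sent >= min_suspicious non-standard echo requests."""
    stats = defaultdict(lambda: {"requests": 0, "suspicious": 0, "bytes_out": 0, "dsts": set()})
    for src, dst, icmp_type, payload in packets:
        if icmp_type != ICMP_ECHO_REQUEST:      # only outbound requests carry the exfiltrated data here
            continue
        s = stats[src]
        s["requests"] += 1
        s["dsts"].add(dst)
        if payload_is_suspicious(payload):
            s["suspicious"] += 1
            s["bytes_out"] += len(payload)
    return {src: s for src, s in stats.items() if s["suspicious"] >= min_suspicious}


# Constructed sample traffic (not a real capture).
NORMAL_LINUX_PING = b"\x00" * 8 + LINUX_PING_PATTERN          # timestamp zeroed for the sample
EXFIL_CHUNK = bytes((i * 7919) % 256 for i in range(512))      # stands in for a 512-byte file fragment
SAMPLE_PACKETS = [
    ("10.0.0.5", "8.8.8.8", ICMP_ECHO_REQUEST, NORMAL_LINUX_PING),
    ("8.8.8.8", "10.0.0.5", 0, NORMAL_LINUX_PING),              # echo reply, ignored
    ("10.0.0.5", "8.8.8.8", ICMP_ECHO_REQUEST, NORMAL_LINUX_PING),
    ("10.0.0.7", "10.0.0.1", ICMP_ECHO_REQUEST, WINDOWS_PING_PAYLOAD),
] + [("10.0.0.9", "203.0.113.10", ICMP_ECHO_REQUEST, EXFIL_CHUNK) for _ in range(5)]

if __name__ == "__main__":
    for host, s in find_icmp_tunnels(SAMPLE_PACKETS).items():
        print(f"{host}: {s['suspicious']}/{s['requests']} echo requests non-standard, "
              f"{s['bytes_out']} bytes to {sorted(s['dsts'])}")
```

The whitelist matters more than the entropy check: a zeroed-timestamp Linux ping already scores above 5 bits/byte, so entropy alone would produce false positives on ordinary traffic. Tunnels that chop data into ping-sized fragments and pad them to look like the standard pattern would evade this check, which is why the count of requests per host and the set of destinations are also kept.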
Match the Windows host log to the messages contained in it.
events logged by various applications -
events related to logon attempts and operations related to file or object management and access -
information about the installation of software, including Windows Updates -
events related to the operation of drivers, processes, and hardware -
piece them together
application logs
setup logs
security logs
system logs
events logged by various applications
(application logs)
events related to logon attempts and operations related to file or object management and access
(security logs)
information about the installation of software, including Windows Updates
(setup logs)
events related to the operation of drivers, processes, and hardware
(system logs)
What is a key difference between the data captured by NetFlow and data captured by Wireshark?
NetFlow collects metadata from a network flow whereas Wireshark captures full data packets.
NetFlow data is analyzed by tcpdump whereas Wireshark data is analyzed by nfdump.
NetFlow data shows network flow contents whereas Wireshark data shows network flow statistics.
NetFlow provides transaction data whereas Wireshark provides session data.
NetFlow collects metadata from a network flow whereas Wireshark captures full data packets.
Which type of data is used by Cisco Cognitive Intelligence to find malicious activity that has bypassed security controls, or entered through unmonitored channels, and is operating inside an enterprise network?
statistical
session
alert
transaction
statistical
Match the network monitoring data type with the description.
includes device-specific server and host logs
generated by IPS or IDS devices when suspicious traffic is detected
used to describe and analyze network flow or performance data
contains details of network flows including the 5-tuple, the amount of data transmitted, and the duration of data transmission
piece them together
statistical data
transaction data
alert data
session data
includes device-specific server and host logs
(transaction data)
generated by IPS or IDS devices when suspicious traffic is detected
(alert data)
used to describe and analyze network flow or performance data
(statistical data)
contains details of network flows including the 5-tuple, the amount of data transmitted, and the duration of data transmission
(session data)
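Added example, not part of the original flashcard set, serving both the NetFlow-versus-Wireshark card and the session-data definition above: it aggregates a constructed packet list (not a real capture) into NetFlow-style unidirectional flow records keyed by the 5-tuple, pairs both directions into session records, and contrasts that with a payload search that only a full packet capture can answer. The Packet and FlowRecord classes and the sample addresses are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float          # seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    length: int        # bytes on the wire
    payload: bytes     # only a full packet capture keeps this


@dataclass
class FlowRecord:
    """NetFlow-style unidirectional record: the 5-tuple plus counters, no payload."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    first_seen: float
    last_seen: float
    packets: int = 0
    bytes: int = 0

    @property
    def duration(self) -> float:
        return self.last_seen - self.first_seen


def build_flows(packets) -> dict:
    """Aggregate packets into unidirectional flows keyed by 5-tuple (one record per direction)."""
    flows = {}
    for p in packets:
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        rec = flows.get(key)
        if rec is None:
            rec = flows[key] = FlowRecord(p.src, p.sport, p.dst, p.dport, p.proto, p.ts, p.ts)
        rec.packets += 1
        rec.bytes += p.length
        rec.first_seen = min(rec.first_seen, p.ts)
        rec.last_seen = max(rec.last_seen, p.ts)
    return flows


def pair_sessions(flows: dict) -> list:
    """Join the two directions of a conversation into one session record.
    Assumes flows were inserted in packet order, so the first-seen direction is the initiator."""
    sessions, seen = [], set()
    for key, fwd in flows.items():
        if key in seen:
            continue
        src, sport, dst, dport, proto = key
        rev_key = (dst, dport, src, sport, proto)
        rev = flows.get(rev_key)
        seen.update({key, rev_key})
        starts = [fwd.first_seen] + ([rev.first_seen] if rev else [])
        ends = [fwd.last_seen] + ([rev.last_seen] if rev else [])
        sessions.append({
            "client": f"{src}:{sport}", "server": f"{dst}:{dport}", "proto": proto,
            "bytes_out": fwd.bytes, "bytes_in": rev.bytes if rev else 0,
            "duration": max(ends) - min(starts),
        })
    return sessions


def payload_search(packets, needle: bytes) -> list:
    """What only full packet capture can answer: which packets carried a given byte string."""
    return [p for p in packets if needle in p.payload]


# Constructed sample capture: one HTTP download plus one DNS query (not real traffic).
SAMPLE_PACKETS = [
    Packet(0.000, "10.0.0.5", 51000, "198.51.100.20", 80, "TCP", 60, b""),                  # SYN
    Packet(0.020, "198.51.100.20", 80, "10.0.0.5", 51000, "TCP", 60, b""),                  # SYN/ACK
    Packet(0.021, "10.0.0.5", 51000, "198.51.100.20", 80, "TCP", 52, b""),                  # ACK
    Packet(0.022, "10.0.0.5", 51000, "198.51.100.20", 80, "TCP", 140,
           b"GET /admin/backup.zip HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Packet(0.250, "198.51.100.20", 80, "10.0.0.5", 51000, "TCP", 1500, b"HTTP/1.1 200 OK\r\n"),
    Packet(0.251, "198.51.100.20", 80, "10.0.0.5", 51000, "TCP", 1500, b"PK\x03\x04"),
    Packet(0.300, "10.0.0.5", 51000, "198.51.100.20", 80, "TCP", 52, b""),                  # FIN/ACK
    Packet(1.000, "10.0.0.5", 41234, "10.0.0.53", 53, "UDP", 73, b"\x12\x34\x01\x00"),
]

if __name__ == "__main__":
    flows = build_flows(SAMPLE_PACKETS)
    for rec in flows.values():
        print(f"{rec.src}:{rec.sport} -> {rec.dst}:{rec.dport}/{rec.proto} "
              f"pkts={rec.packets} bytes={rec.bytes} dur={rec.duration:.3f}s")
    print("packets mentioning backup.zip:", len(payload_search(SAMPLE_PACKETS, b"backup.zip")))
```

The flow records tell you that 10.0.0.5 pulled about 3 KB from port 80 on 198.51.100.20 in 0.3 s; only the packet capture tells you the file was /admin/backup.zip. That is the practical trade-off behind the card: flow data scales to the whole network and is cheap to retain, full packet capture answers the content questions but costs storage.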
Which Cisco appliance can be used to filter network traffic contents to report and deny traffic based on the web server reputation?
WSA
ESA
ASA
AVC
WSA
A system administrator runs a file scan utility on a Windows PC and notices a file lsass.exe in the Program Files directory. What should the administrator do?
Move it to Program Files (x86) because it is a 32bit application.
Open the Task Manager, right-click on the lsass process and choose End Task.
Delete the file because it is probably malware.
Uninstall the lsass application because it is a legacy application and no longer required by Windows.
Delete the file because it is probably malware.
How does a web proxy device provide data loss prevention (DLP) for an enterprise?
by functioning as a firewall
by inspecting incoming traffic for potential exploits
by checking the reputation of external web servers
by scanning and logging outgoing traffic
by scanning and logging outgoing traffic
Which two services are provided by the NetFlow tool? (Choose two.)
network monitoring
log analysis
access list monitoring
QoS configuration
usage-based network billing
network monitoring
usage-based network billing
What information is contained in the options section of a Snort rule?
source and destination address
action to be taken
text describing the event
direction of traffic flow
text describing the event
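Added example, not part of the original flashcard set: a parser that separates a Snort rule into its header (action, protocol, addresses, ports, direction) and its options section, so the distinction the card tests is visible in code. The sample rule is constructed for this example; its sid is in the local-rule range (1,000,000 and above). The parser is a simplification: it assumes no whitespace inside bracketed address or port lists, and it splits options on semicolons only outside double quotes, honouring backslash escapes inside quoted values.

```python
import re
from dataclasses import dataclass


@dataclass
class SnortRule:
    action: str
    protocol: str
    src_ip: str
    src_port: str
    direction: str
    dst_ip: str
    dst_port: str
    options: list      # (keyword, value or None) pairs, in rule order; content may repeat

    def option(self, keyword: str) -> list:
        return [v for k, v in self.options if k == keyword]


HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S
)


def split_options(body: str) -> list:
    """Split the option body on ';' but not inside double quotes (msg/content/pcre values)."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:                       # keep the escaped character verbatim
            buf.append(ch)
            escaped = False
            continue
        if ch == "\\" and in_quote:
            buf.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(text: str) -> SnortRule:
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: " + text[:40])
    action, proto, sip, sport, direction, dip, dport, body = m.groups()
    options = []
    for part in split_options(body):
        if ":" in part:
            k, v = part.split(":", 1)     # keyword:value option such as msg:"..." or sid:1000001
            options.append((k.strip(), v.strip()))
        else:
            options.append((part, None))  # flag option such as nocase
    return SnortRule(action, proto, sip, sport, direction, dip, dport, options)


def rule_summary(rule: SnortRule) -> dict:
    """Header fields versus options section, the split the card asks about."""
    return {
        "header": {"action": rule.action, "protocol": rule.protocol,
                   "src": f"{rule.src_ip} {rule.src_port}", "direction": rule.direction,
                   "dst": f"{rule.dst_ip} {rule.dst_port}"},
        "options": {k: rule.option(k) for k, _ in rule.options},
    }


# Constructed sample rule (not from any published ruleset).
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS '
    '(msg:"WEB-ATTACK backup archive download attempt"; flow:to_server,established; '
    'content:"GET /admin/backup.zip"; nocase; pcre:"/backup\\.zip\\b/i"; '
    'classtype:web-application-attack; sid:1000001; rev:2;)'
)

if __name__ == "__main__":
    rule = parse_rule(SAMPLE_RULE)
    for section, fields in rule_summary(rule).items():
        print(section)
        for k, v in fields.items():
            print(f"  {k}: {v}")
```

Everything before the opening parenthesis is the header and decides which packets are examined; everything inside it is the options section, where msg supplies the text that appears in the alert, content and pcre supply the detection logic, and sid/rev identify the rule and its revision.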
Which classification indicates that an alert is verified as an actual security incident?
true negative
false negative
false positive
true positive
true positive
Match the characteristic to the method of security analysis.
each event is the inevitable result of antecedent causes
precise method that yields the same result every time by relying on predefined conditions
analysis of applications that conform to application/networking standards
random variables create difficulty in knowing the outcome of any given event with certainty
preferred method for analyzing applications designed to circumvent firewalls
answer them with deterministic or probabilistic
each event is the inevitable result of antecedent causes
(Deterministic)
precise method that yields the same result every time by relying on predefined conditions
(Deterministic)
analysis of applications that conform to application/networking standards
(Deterministic)
random variables create difficulty in knowing the outcome of any given event with certainty
(Probabilistic)
preferred method for analyzing applications designed to circumvent firewalls
(Probabilistic)
A threat actor has successfully breached the network firewall without being detected by the IDS system. What condition describes the lack of alert?
false negative
true positive
true negative
false positive
false negative
What are two scenarios where probabilistic security analysis is best suited? (Choose two.)
when applications that conform to application/networking standards are analyzed
when random variables create difficulty in knowing with certainty the outcome of any given event
when each event is the inevitable result of antecedent causes
when analyzing applications designed to circumvent firewalls
when analyzing events with the assumption that they follow predefined steps
when random variables create difficulty in knowing with certainty the outcome of any given event
when analyzing applications designed to circumvent firewalls
What are the three core functions provided by the Security Onion? (Choose three.)
security device management
full packet capture
alert analysis
intrusion detection
business continuity planning
threat containment
full packet capture
alert analysis
intrusion detection
Refer to the exhibit. Which field in the Sguil event window indicates the number of times an event is detected for the same source and destination IP address?
CNT
Pr
AlertID
ST
CNT
Match the Snort rule source to the description.
older rules created by Sourcefire
open source rules under BSD license
rules created and maintained by Cisco Talos
piece them together
GPL
ET
VRT
older rules created by Sourcefire
(GPL)
open source rules under BSD license
(ET)
rules created and maintained by Cisco Talos
(VRT)