Checkpoint Exam: Evaluating Security Alerts Flashcards

1
Q

Which two technologies are primarily used on peer-to-peer networks? (Choose two.)

Darknet

Snort

BitTorrent

Bitcoin

Wireshark

A

BitTorrent

Bitcoin

2
Q

Which technique would a threat actor use to disguise traces of an ongoing exploit?

Use SSL to encapsulate malware.

Create an invisible iFrame on a web page.

Corrupt time information by attacking the NTP infrastructure.

Encapsulate other protocols within DNS to evade security measures.

A

Corrupt time information by attacking the NTP infrastructure.

3
Q

Which type of attack is carried out by threat actors against a network to determine which IP addresses, protocols, and ports are allowed by ACLs?

reconnaissance

phishing

social engineering

denial of service

A

reconnaissance

4
Q

What is the purpose of Tor?

to allow users to browse the Internet anonymously

to securely connect to a remote network over an unsecure link such as an Internet connection

to inspect incoming traffic and look for any that violates a rule or matches the signature of a known exploit

to donate processor cycles to distributed computational tasks in a processor sharing P2P network

A

to allow users to browse the Internet anonymously

5
Q

Which protocol is exploited by cybercriminals who create malicious iFrames?

DHCP

DNS

ARP

HTTP

A

HTTP

6
Q

After a security monitoring tool identifies a malware attachment entering the network, what is the benefit of performing a retrospective analysis?

It can determine which network host was first affected.

It can identify how the malware originally entered the network.

A retrospective analysis can help in tracking the behavior of the malware from the identification point forward.

It can calculate the probability of a future incident.

A

A retrospective analysis can help in tracking the behavior of the malware from the identification point forward.

7
Q

Which technique is necessary to ensure a private transfer of data using a VPN?

encryption

scalability

authorization

virtualization

A

encryption

8
Q

Which method is used by some malware to transfer files from infected hosts to a threat actor host?

UDP infiltration

ICMP tunneling

iFrame injection

HTTPS traffic encryption

A

ICMP tunneling
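ICMP tunneling works because most networks allow echo request/reply through and few people inspect the payload. The check below is an added example (not part of the original flashcards): it compares each echo-request payload against the filler patterns Linux and Windows ping actually emit, and flags anything else that is oversized or high-entropy, which is what a chunk of a compressed or encrypted file looks like. The payloads and the size/entropy thresholds are constructed for this example.

```python
import math
import struct

# Constructed ICMP echo-request payloads (not captured traffic).
# Linux ping: 8-byte timestamp followed by the byte sequence 0x10, 0x11, 0x12, ...
# Windows ping: the alphabet "a".."w" repeated to fill the payload (32 bytes by default).
LINUX_PING = struct.pack("!Q", 1700000000) + bytes(range(0x10, 0x40))
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"
# Stand-in for an encrypted chunk of an exfiltrated file: every byte value twice,
# so its entropy is exactly 8 bits/byte.
TUNNELLED_CHUNK = bytes(range(256)) * 2
# A short cleartext exfil chunk that happens to match the Windows default size.
CLEARTEXT_CHUNK = b"user=admin;pass=hunter2;host=db1"

WINDOWS_ALPHABET = b"abcdefghijklmnopqrstuvw"


def shannon_entropy(data: bytes) -> float:
    """Entropy of the byte distribution in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_windows_ping_payload(payload: bytes) -> bool:
    """True if the payload is the repeating a..w pattern Windows ping uses."""
    return bool(payload) and payload == bytes(WINDOWS_ALPHABET[i % 23] for i in range(len(payload)))


def is_linux_ping_payload(payload: bytes) -> bool:
    """True if the bytes after the 8-byte timestamp are the 0x10, 0x11, ... sequence."""
    if len(payload) < 8:
        return False
    body = payload[8:]
    return body == bytes((0x10 + i) & 0xFF for i in range(len(body)))


def classify_icmp_payload(payload: bytes, max_benign_len: int = 64, entropy_threshold: float = 6.0) -> str:
    """Classify one echo-request payload.

    Thresholds are assumptions for this example: 64 bytes covers the Linux and
    Windows defaults, and 6 bits/byte is well above what plain text or ping
    filler reaches, while compressed or encrypted data sits near 8.
    """
    if is_windows_ping_payload(payload) or is_linux_ping_payload(payload):
        return "benign"
    reasons = []
    if len(payload) > max_benign_len:
        reasons.append(f"payload {len(payload)} bytes")
    entropy = shannon_entropy(payload)
    if entropy > entropy_threshold:
        reasons.append(f"entropy {entropy:.2f} bits/byte")
    if reasons:
        return "suspected tunnel: " + ", ".join(reasons)
    # Not a known ping filler, but small and low-entropy: worth a look, not an alert on its own.
    return "unknown pattern"


# Constructed sample of (src, dst, payload) tuples as a collector might hand them over.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.1", LINUX_PING),
    ("10.0.0.7", "10.0.0.1", WINDOWS_PING),
    ("10.0.0.9", "203.0.113.10", TUNNELLED_CHUNK),
    ("10.0.0.9", "203.0.113.10", CLEARTEXT_CHUNK),
]


def triage(packets) -> list:
    """Return (src, dst, verdict) for every packet that is not a known ping pattern."""
    return [(src, dst, classify_icmp_payload(p)) for src, dst, p in packets
            if classify_icmp_payload(p) != "benign"]


if __name__ == "__main__":
    for src, dst, verdict in triage(SAMPLE_PACKETS):
        print(f"{src} -> {dst}: {verdict}")
```

Note the fourth sample: a tool that pads cleartext to the default ping size slips past the size and entropy checks and only surfaces as "unknown pattern", so in practice the per-packet verdict is combined with volume (echo requests per host per minute) and destination reputation before it becomes an alert.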

9
Q

Match the Windows host log to the messages contained in it.

events logged by various applications -

events related to logon attempts and operations related to file or object management and access -

information about the installation of software, including Windows Updates -

events related to the operation of drivers, processes, and hardware -

piece them together

application logs

setup logs

security logs

system logs

A

events logged by various applications
(application logs)

events related to logon attempts and operations related to file or object management and access
(security logs)

information about the installation of software, including Windows Updates
(setup logs)

events related to the operation of drivers, processes, and hardware
(system logs)

10
Q

What is a key difference between the data captured by NetFlow and data captured by Wireshark?

NetFlow collects metadata from a network flow whereas Wireshark captures full data packets.

NetFlow data is analyzed by tcpdump whereas Wireshark data is analyzed by nfdump.

NetFlow data shows network flow contents whereas Wireshark data shows network flow statistics.

NetFlow provides transaction data whereas Wireshark provides session data.

A

NetFlow collects metadata from a network flow whereas Wireshark captures full data packets.

11
Q

Which type of data is used by Cisco Cognitive Intelligence to find malicious activity that has bypassed security controls, or entered through unmonitored channels, and is operating inside an enterprise network?

statistical

session

alert

transaction

A

statistical

12
Q

Match the network monitoring data type with the description.

includes device-specific server and host logs

generated by IPS or IDS devices when suspicious traffic is detected

used to describe and analyze network flow or performance data

contains details of network flows including the 5-tuple, the amount of data transmitted, and the duration of data transmission

piece them together

statistical data

transaction data

alert data

session data

A

includes device-specific server and host logs
(transaction data)

generated by IPS or IDS devices when suspicious traffic is detected
(alert data)

used to describe and analyze network flow or performance data
(statistical data)

contains details of network flows including the 5-tuple, the amount of data transmitted, and the duration of data transmission
(session data)
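Session data is what a NetFlow exporter produces when it collapses packets sharing one 5-tuple (source address, destination address, protocol, source port, destination port) into a record with packet and byte counts and first/last-seen timestamps; statistical data is what you get by summarising those records. The following is an added example, not code from the flashcards or from any NetFlow implementation: it builds unidirectional flow records from constructed packet metadata, pairs them into bidirectional sessions, and derives one statistic from them. The packet list and the "lower port is the server" heuristic are assumptions of the example.

```python
import math
from dataclasses import dataclass

# Constructed packet metadata as a capture tool would expose it, with payloads dropped:
# (timestamp, src, dst, proto, sport, dport, frame length in bytes)
PACKETS = [
    (0.000, "10.0.0.5", "93.184.216.34", "TCP", 51000, 443, 74),
    (0.012, "93.184.216.34", "10.0.0.5", "TCP", 443, 51000, 74),
    (0.013, "10.0.0.5", "93.184.216.34", "TCP", 51000, 443, 66),
    (0.250, "10.0.0.5", "93.184.216.34", "TCP", 51000, 443, 583),
    (0.480, "93.184.216.34", "10.0.0.5", "TCP", 443, 51000, 1514),
    (1.200, "10.0.0.5", "10.0.0.53", "UDP", 40001, 53, 78),
    (1.215, "10.0.0.53", "10.0.0.5", "UDP", 53, 40001, 143),
]


@dataclass
class FlowRecord:
    """One unidirectional flow keyed by the 5-tuple, the shape NetFlow v5 exports."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    packets: int = 0
    octets: int = 0
    first_seen: float = math.inf
    last_seen: float = -math.inf

    @property
    def duration(self) -> float:
        return self.last_seen - self.first_seen


@dataclass
class Session:
    """Both directions of a conversation merged into one record."""
    proto: str
    client: str
    client_port: int
    server: str
    server_port: int
    packets: int = 0
    octets: int = 0
    first_seen: float = math.inf
    last_seen: float = -math.inf

    @property
    def duration(self) -> float:
        return self.last_seen - self.first_seen


def build_flows(packets) -> list:
    """Aggregate packet metadata into unidirectional flow records (session data)."""
    flows = {}
    for ts, src, dst, proto, sport, dport, length in packets:
        key = (src, dst, proto, sport, dport)
        rec = flows.setdefault(key, FlowRecord(src, dst, proto, sport, dport))
        rec.packets += 1
        rec.octets += length
        rec.first_seen = min(rec.first_seen, ts)
        rec.last_seen = max(rec.last_seen, ts)
    return list(flows.values())


def build_sessions(flows) -> list:
    """Pair the two directions of each flow into one bidirectional session record."""
    sessions = {}
    for rec in flows:
        if rec.dport < rec.sport:   # heuristic: the lower (well-known) port is the service side
            client, cport, server, svc_port = rec.src, rec.sport, rec.dst, rec.dport
        else:
            client, cport, server, svc_port = rec.dst, rec.dport, rec.src, rec.sport
        key = (rec.proto, client, cport, server, svc_port)
        s = sessions.setdefault(key, Session(rec.proto, client, cport, server, svc_port))
        s.packets += rec.packets
        s.octets += rec.octets
        s.first_seen = min(s.first_seen, rec.first_seen)
        s.last_seen = max(s.last_seen, rec.last_seen)
    return list(sessions.values())


def octets_by_server_port(sessions) -> dict:
    """A statistical view derived from session records: bytes per service port."""
    totals = {}
    for s in sessions:
        totals[s.server_port] = totals.get(s.server_port, 0) + s.octets
    return totals


if __name__ == "__main__":
    flows = build_flows(PACKETS)
    for f in flows:
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport} {f.proto} "
              f"pkts={f.packets} bytes={f.octets} dur={f.duration:.3f}s")
    print(octets_by_server_port(build_sessions(flows)))
```

Nothing in a FlowRecord tells you what was inside the 583-byte request or the 1514-byte reply; that is the practical difference from a Wireshark capture of the same packets, and it is why session data scales to a whole network while full packet capture is kept for the segments and time windows that matter.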

13
Q

Which Cisco appliance can be used to filter network traffic contents to report and deny traffic based on the web server reputation?

WSA

ESA

ASA

AVC

A

WSA

14
Q

A system administrator runs a file scan utility on a Windows PC and notices a file lsass.exe in the Program Files directory. What should the administrator do?

Move it to Program Files (x86) because it is a 32bit application.

Open the Task Manager, right-click on the lsass process and choose End Task.

Delete the file because it is probably malware.

Uninstall the lsass application because it is a legacy application and no longer required by Windows.

A

Delete the file because it is probably malware.
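The reason the answer is "malware" is that the real Local Security Authority binary lives only in %SystemRoot%\System32; a file with that name anywhere else is masquerading as it. Before deleting, a practitioner would also hash the file, check its Authenticode signature, and confirm the image path of the running lsass process, so that a real incident is not trimmed down to a file deletion. The check below is an added example (not from the flashcards or from any Windows tool) that applies the same location test to a handful of core Windows process names and, going one step beyond the question, also catches look-alike names such as Isass.exe. The scan results and the hard-coded system root are constructed for the example; real code would read %SystemRoot% from the environment.

```python
import ntpath

# Assumed system root; production code reads it from %SystemRoot% rather than hard-coding it.
SYSTEM_ROOT = r"C:\Windows"
SYSTEM32 = ntpath.join(SYSTEM_ROOT, "System32")
SYSWOW64 = ntpath.join(SYSTEM_ROOT, "SysWOW64")
COMPONENT_STORE = ntpath.join(SYSTEM_ROOT, "WinSxS")

# Core Windows processes and the only directories their binaries legitimately live in.
EXPECTED_DIRS = {
    "lsass.exe": {SYSTEM32},
    "csrss.exe": {SYSTEM32},
    "smss.exe": {SYSTEM32},
    "winlogon.exe": {SYSTEM32},
    "services.exe": {SYSTEM32},
    "svchost.exe": {SYSTEM32, SYSWOW64},
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike names such as Isass.exe or lsas.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_path(path: str) -> str:
    """Verdict for one file path from a scan listing (Windows paths, compared case-insensitively)."""
    name = ntpath.basename(path).lower()
    directory = ntpath.normcase(ntpath.dirname(path))  # lower-cases and normalises separators
    if name in EXPECTED_DIRS:
        if directory in {ntpath.normcase(d) for d in EXPECTED_DIRS[name]}:
            return "expected location"
        if directory.startswith(ntpath.normcase(COMPONENT_STORE) + "\\"):
            # The servicing store keeps copies of system binaries; compare hashes, do not alert.
            return "component store copy (verify against the System32 copy)"
        return "suspicious: system binary outside its expected directory"
    for protected in EXPECTED_DIRS:
        if edit_distance(name, protected) == 1:
            return f"suspicious: name resembles {protected}"
    return "not a protected name"


def find_masquerades(paths) -> list:
    """Return (path, verdict) for every path whose verdict starts with 'suspicious'."""
    return [(p, check_path(p)) for p in paths if check_path(p).startswith("suspicious")]


# Constructed output of a file scan (not from a real host).
SCAN_RESULTS = [
    r"C:\Windows\System32\lsass.exe",
    r"C:\Windows\SysWOW64\svchost.exe",
    r"C:\Windows\WinSxS\amd64_lsass_component\lsass.exe",
    r"C:\Program Files\Updater\lsass.exe",
    r"C:\Users\Public\Isass.exe",
    r"C:\Program Files\App\app.exe",
]

if __name__ == "__main__":
    for path, verdict in find_masquerades(SCAN_RESULTS):
        print(f"{verdict}: {path}")
```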

15
Q

How does a web proxy device provide data loss prevention (DLP) for an enterprise?

by functioning as a firewall

by inspecting incoming traffic for potential exploits

by checking the reputation of external web servers

by scanning and logging outgoing traffic

A

by scanning and logging outgoing traffic

16
Q

Which two services are provided by the NetFlow tool? (Choose two.)

network monitoring

log analysis

access list monitoring

QoS configuration

usage-based network billing

A

network monitoring

usage-based network billing

17
Q

What information is contained in the options section of a Snort rule?

source and destination address

action to be taken

text describing the event

direction of traffic flow

A

text describing the event
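A Snort rule has two parts: the header (action, protocol, source address and port, direction operator, destination address and port) and, in parentheses, the option section, whose msg keyword carries the text describing the event alongside sid, rev, content and the rest. The parser below is an added example, not code from the flashcards or from Snort itself; it splits the two parts, respects quoting inside options (a msg may legitimately contain a semicolon), and runs the sanity checks a reviewer applies before a local rule is loaded. The two rules are constructed for the example and are not from any published ruleset.

```python
import re
from dataclasses import dataclass

# Constructed local rules (not from any published ruleset). The second msg contains a
# semicolon inside quotes so the option splitter has to respect quoting.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force attempt"; '
    'flow:to_server,established; content:"SSH-"; nocase; '
    'threshold:type threshold, track by_src, count 5, seconds 60; '
    'classtype:attempted-admin; sid:1000001; rev:2;)',
    'drop udp any any -> $HOME_NET 53 (msg:"Suspicious DNS TXT query; possible tunnel"; '
    'content:"|00 10 00 01|"; sid:1000002; rev:1;)',
]


@dataclass
class SnortRule:
    action: str       # header: what to do (alert, log, pass, drop, ...)
    proto: str        # header: protocol
    src: str          # header: source address
    sport: str        # header: source port
    direction: str    # header: -> or <>
    dst: str          # header: destination address
    dport: str        # header: destination port
    options: list     # option section: (keyword, value or None) in rule order

    def option(self, keyword: str):
        for key, value in self.options:
            if key == keyword:
                return value
        return None


def split_options(body: str) -> list:
    """Split the option body on ';' outside double quotes, honouring backslash escapes."""
    parts, current, in_quotes, escaped = [], [], False, False
    for ch in body:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
            current.append(ch)
        elif ch == ";" and not in_quotes:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return [p for p in parts if p]


def parse_rule(text: str) -> SnortRule:
    """Split a rule into its seven header fields and its keyword/value options."""
    m = re.fullmatch(r"(.*?)\s*\((.*)\)", text.strip(), re.S)
    if not m:
        raise ValueError("rule has no option section")
    fields = m.group(1).split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 header fields, got {len(fields)}: {m.group(1)!r}")
    if fields[4] not in ("->", "<>"):
        raise ValueError(f"bad direction operator {fields[4]!r}")
    options = []
    for item in split_options(m.group(2)):
        keyword, sep, value = item.partition(":")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        options.append((keyword.strip(), value if sep else None))
    return SnortRule(*fields, options)


def validate(rule: SnortRule) -> list:
    """Problems a reviewer would raise before loading the rule."""
    problems = []
    for required in ("msg", "sid", "rev"):
        if rule.option(required) is None:
            problems.append(f"missing {required}")
    sid = rule.option("sid")
    if sid is not None and sid.isdigit() and int(sid) < 1_000_000:
        problems.append("sid below 1000000 is reserved for distributed rules")
    return problems


if __name__ == "__main__":
    for text in RULES:
        rule = parse_rule(text)
        print(f"[{rule.option('sid')}:{rule.option('rev')}] {rule.action} {rule.proto} "
              f"{rule.src}:{rule.sport} {rule.direction} {rule.dst}:{rule.dport} "
              f"-- {rule.option('msg')}")
        print("  problems:", validate(rule) or "none")
```

The msg text is what lands in the Sguil event list and what an analyst reads first, so a rule without one (or with a vague one) produces alerts nobody can triage; the sid/rev pair is what lets you tell an updated rule from a new one when counting events.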

18
Q

Which classification indicates that an alert is verified as an actual security incident?

true negative

false negative

false positive

true positive

A

true positive

19
Q

Match the characteristic to the method of security analysis.

each event is the inevitable result of antecedent causes

precise method that yields the same result every time by relying on predefined conditions

analysis of applications that conform to application/networking standards

random variables create difficulty in knowing the outcome of any given event with certainty

preferred method for analyzing applications designed to circumvent firewalls

answer them with deterministic or probabilistic

A

each event is the inevitable result of antecedent causes
(Deterministic)

precise method that yields the same result every time by relying on predefined conditions
(Deterministic)

analysis of applications that conform to application/networking standards
(Deterministic)

random variables create difficulty in knowing the outcome of any given event with certainty
(Probabilistic)

preferred method for analyzing applications designed to circumvent firewalls
(Probabilistic)

20
Q

A threat actor has successfully breached the network firewall without being detected by the IDS system. What condition describes the lack of alert?

false negative

true positive

true negative

false positive

A

false negative

21
Q

What are two scenarios where probabilistic security analysis is best suited? (Choose two.)

when applications that conform to application/networking standards are analyzed

when random variables create difficulty in knowing with certainty the outcome of any given event

when each event is the inevitable result of antecedent causes

when analyzing applications designed to circumvent firewalls

when analyzing events with the assumption that they follow predefined steps

A

when random variables create difficulty in knowing with certainty the outcome of any given event

when analyzing applications designed to circumvent firewalls

22
Q

What are the three core functions provided by the Security Onion? (Choose three.)

security device management

full packet capture

alert analysis

intrusion detection

business continuity planning

threat containment

A

full packet capture

alert analysis

intrusion detection

23
Q

Refer to the exhibit. Which field in the Sguil event window indicates the number of times an event is detected for the same source and destination IP address?

CNT

Pr

AlertID

ST

A

CNT

24
Q

Match the Snort rule source to the description.

older rules created by Sourcefire

open source rules under BSD license

rules created and maintained by Cisco Talos

piece them together

GPL

ET

VRT

A

older rules created by Sourcefire
(GPL)

open source rules under BSD license
(ET)

rules created and maintained by Cisco Talos
(VRT)