ISC2 - Study Notes 16 Flashcards
is an extension of both SPF and DKIM. It allows the owner of a domain to publish a policy (a DNS TXT record at _dmarc.<domain>) stating whether the domain uses SPF, DKIM, or both, how receivers should treat mail that fails those checks (none, quarantine, or reject), and where to send reports. Administrators of receiving e-mail servers use this policy to validate incoming e-mail that claims to come from the domain.
DMARC
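As an added example (not part of the original study notes), the following Python code parses a DMARC record and applies it the way a receiving server would: it checks whether a passing SPF or DKIM identifier aligns with the From domain, and otherwise returns the published p= (or sp= for subdomains) disposition. The record text, host names and AuthResult values are constructed for illustration; the organizational-domain check is a simplification (real receivers use the Public Suffix List), and pct= is parsed but not applied.

```python
"""Parse a DMARC TXT record and decide how a receiver should treat a message.

Added example, not from the ISC2 notes. The record and the authentication
results below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed sample record, as it would be published at _dmarc.example.com
SAMPLE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=s; "
                 "pct=100; rua=mailto:dmarc@example.com")


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, applying DMARC defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (needs v=DMARC1 and p=)")
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified: last two labels. Assumption; real code uses the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


@dataclass
class AuthResult:
    from_domain: str   # domain in the RFC5322.From header
    spf_pass: bool
    spf_domain: str    # envelope MAIL FROM domain that SPF was evaluated on
    dkim_pass: bool
    dkim_domain: str   # d= tag of the DKIM signature that verified


def dmarc_disposition(record: str, r: AuthResult, policy_domain: str) -> str:
    """Return 'pass', 'none', 'quarantine' or 'reject' for one message."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_pass and aligned(r.spf_domain, r.from_domain, tags["aspf"])
    dkim_ok = r.dkim_pass and aligned(r.dkim_domain, r.from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # sp= applies when the From domain is a subdomain of the policy domain
    is_subdomain = r.from_domain.lower() != policy_domain.lower()
    return tags.get("sp", tags["p"]) if is_subdomain else tags["p"]


if __name__ == "__main__":
    spoofed = AuthResult("example.com", False, "attacker.net", False, "")
    print(dmarc_disposition(SAMPLE_RECORD, spoofed, "example.com"))  # reject
```

Note that with aspf=s an SPF pass on bounce.example.com does not rescue a From: example.com message; only the relaxed-mode DKIM signature on example.com does. That is exactly the alignment detail attackers exploit when a domain publishes p=none or relaxed settings without a matching DKIM d= domain.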
is a device that filters traffic entering and leaving a network. It actively monitors data streams by inspecting the content of the packets (datagrams), searching for malicious code or malicious behavior rather than just checking addresses and ports.
content-filtering appliance
helps reduce malware infections because criminals typically won't sign their malware with a code-signing certificate that can be traced back to them. It also helps identify modified code: the digital signature no longer verifies if the code has been modified after signing, and the system displays a warning.
Code signing
is a standardized list of publicly known security vulnerabilities, each with a unique identifier (CVE-YYYY-NNNN), maintained by MITRE.
Common Vulnerabilities and Exposures (CVE) list
are observable occurrences in a system or network and typically recorded in a log. Events of interest are known events that an organization wants to monitor.
Events
Attackers often capture data within a network and send it out of the network so that they can harvest it. This can include files, e-mail from e-mail servers, databases, and any other data stored within the network. Attackers typically encrypt this data before exfiltrating it, so a jump in encrypted data leaving the network is very likely an item of interest that needs to be investigated.
Data Exfiltration
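The following Python code is an added example (not from the study notes) of the detection the card describes: it builds a per-host baseline of hourly encrypted outbound volume from flow summaries, then flags hours where a host's encrypted egress jumps far above its own baseline. The flow records, host names and the set of ports treated as "encrypted" are constructed assumptions for illustration.

```python
"""Flag hosts whose encrypted outbound volume jumps far above their baseline.

Added example, not from the ISC2 notes. Flow summaries are constructed;
ports 443/22/853 are treated as 'encrypted egress' purely as an assumption.
"""
import statistics
from collections import defaultdict

ENCRYPTED_PORTS = {443, 22, 853}   # assumption: TLS, SSH, DNS-over-TLS

# Constructed flow summaries: (hour, src_host, dst_port, bytes_out)
BASELINE_FLOWS = (
    [(h, "ws-01", 443, 4_000_000 + (h % 3) * 500_000) for h in range(24)]
    + [(h, "ws-02", 443, 1_000_000 + (h % 2) * 200_000) for h in range(24)]
    + [(h, "ws-02", 80, 3_000_000) for h in range(24)]
)

CURRENT_FLOWS = [
    (25, "ws-01", 443, 4_500_000),     # normal for ws-01
    (25, "ws-02", 443, 1_200_000),     # normal for ws-02
    (25, "ws-02", 80, 20_000_000),     # large, but cleartext: not this rule's target
    (26, "ws-02", 443, 90_000_000),    # 90 MB of TLS egress in one hour: investigate
]


def hourly_encrypted_egress(flows):
    """Sum encrypted outbound bytes per (host, hour)."""
    totals = defaultdict(int)
    for hour, host, port, nbytes in flows:
        if port in ENCRYPTED_PORTS:
            totals[(host, hour)] += nbytes
    return totals


def build_baseline(flows):
    """Per-host (mean, population stdev) of hourly encrypted egress bytes.

    Rebuild this whenever the environment changes (new backup job, new SaaS
    tool), otherwise the legitimate change shows up as an anomaly.
    """
    per_host = defaultdict(list)
    for (host, _hour), total in hourly_encrypted_egress(flows).items():
        per_host[host].append(total)
    return {host: (statistics.mean(v), statistics.pstdev(v))
            for host, v in per_host.items()}


def find_exfil_candidates(baseline, flows, k=4.0, floor_ratio=5.0):
    """Return (host, hour, bytes, ratio_to_mean) for hours exceeding BOTH
    mean + k*stdev and floor_ratio*mean. The ratio floor stops very steady
    hosts (stdev near zero) from alerting on tiny fluctuations.
    Hosts with no baseline are skipped here; many analysts would flag them.
    """
    hits = []
    for (host, hour), total in sorted(hourly_encrypted_egress(flows).items()):
        mean, sd = baseline.get(host, (0.0, 0.0))
        threshold = max(mean + k * sd, floor_ratio * mean)
        if mean and total > threshold:
            hits.append((host, hour, total, round(total / mean, 1)))
    return hits


if __name__ == "__main__":
    for hit in find_exfil_candidates(build_baseline(BASELINE_FLOWS), CURRENT_FLOWS):
        print("encrypted egress spike:", hit)
```

Only ws-02 at hour 26 is reported (about 82 times its hourly mean); the 20 MB of port-80 traffic is ignored by this rule because the card's point is specifically the jump in encrypted traffic. A real deployment would take the volumes from NetFlow/IPFIX or firewall logs and would also watch unusual destinations, not just volume.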
Compliance monitoring: many organizations need to monitor systems and networks to ensure they are in compliance with various laws and regulations.
Compliance monitoring
A network-based IDS (NIDS) monitors traffic going through a network. It uses sensors placed at network chokepoints (for example on a switch mirror/SPAN port or a network tap) to inspect traffic, and the sensors forward alerts to a central management console.
Info
If the monitored environment is modified (new systems, applications, or traffic patterns), it's critical to update the baseline in an anomaly-based system. Otherwise, the legitimate modification will be detected as an anomaly, resulting in a higher rate of false positives.
After an attack, remote logs (logs forwarded to a central log server) are the most valuable for re-creating the events that occurred during and prior to the attack. Any logs stored on the compromised system itself should be treated with suspicion because the attacker may have modified or deleted them.
Info
calculates hashes on critical system files to establish a baseline. It then periodically recalculates the hashes of these files and compares the two hashes. If the hashes are different, it detects the change and sends an alert.
A file integrity checker
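The following Python code is an added example (not from the study notes) of the file integrity checker just described: it hashes every regular file under a directory to build a baseline, later rehashes them, and reports files that were added, removed, or modified. It runs against a temporary directory it creates itself; the file names and contents (a fake sshd binary, a fake passwd file) are constructed for illustration.

```python
"""Minimal file integrity checker: hash files, store a baseline, report drift.

Added example, not from the ISC2 notes. Uses a temporary directory with
constructed files so it runs anywhere; in practice the root would be
/etc, /usr/bin, or similar, and the baseline would be kept off-host.
"""
import hashlib
import json
import os
import tempfile


def file_hash(path, algo="sha256", chunk=65536):
    """Stream the file through the hash so large binaries need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> hash for every regular (non-symlink) file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root)] = file_hash(full)
    return baseline


def compare(baseline, current):
    """Return sorted lists of added, removed and modified relative paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo():
    """Create files, baseline them, simulate tampering, return the drift report."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "sshd"), "wb") as f:
            f.write(b"original sshd binary\n")
        with open(os.path.join(root, "passwd"), "wb") as f:
            f.write(b"root:x:0:0\n")

        baseline = build_baseline(root)
        # The baseline itself must be protected (stored off-host or signed);
        # here it is serialized to JSON in memory only.
        stored = json.dumps(baseline)

        # Simulated attacker activity: trojan sshd, delete passwd, drop a tool
        with open(os.path.join(root, "bin", "sshd"), "wb") as f:
            f.write(b"trojaned sshd binary\n")
        os.remove(os.path.join(root, "passwd"))
        with open(os.path.join(root, "bin", "nc"), "wb") as f:
            f.write(b"dropped tool\n")

        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The report lists bin/nc as added, passwd as removed and bin/sshd as modified. Hashing on a schedule catches changes between runs; production tools (AIDE, Tripwire, OSSEC) add metadata checks (permissions, owner, mtime) and keep the baseline where an attacker who owns the host cannot quietly rewrite it, for the same reason local logs are suspect after a compromise.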
Many laws mandate the protection of personally identifiable information (PII). Vulnerability scanners such as Nessus, which include compliance-audit checks, can be used by organizations as part of a compliance check to verify that systems meet the configuration requirements of those laws.
Info
Gain permission from management.
Discovery: perform scans to identify weaknesses. A credentialed scan checks for weaknesses using a privileged account on the target, so it sees missing patches and misconfigurations an outsider cannot; a noncredentialed scan checks for weaknesses without logging on, showing what an external attacker would see.
Analyze results.
Document vulnerabilities.
Identify and recommend methods to reduce the vulnerabilities.
Present recommendations to management.
Remediate: fix the vulnerabilities and run the scan again to verify that the fixes have been implemented.
Steps for Vulnerability Assessments :