Section 23 Monitoring and Auditing Flashcards
Network traffic is analyzed for predetermined attack patterns.
Signature Based
A baseline is established and any network traffic that is outside of the baseline is evaluated.
Anomaly Based
Activity is evaluated based on the previous behavior of applications, executables, and the operating system in comparison to the current activity of the system.
Behavior Based
Process of measuring changes in networking, hardware, software, and appliances.
Baselining
Documenting and reporting on the changes in a baseline.
Baseline Reporting
Risk level to which a system or other technology element is exposed.
Security Posture
Network adapter is able to capture all of the packets on the network regardless of the destination MAC address of the frames carrying them.
Promiscuous Mode
Network adapter can only capture the packets addressed to itself directly.
Non-Promiscuous Mode
One or more switch ports are configured to forward all of their packets to another port on the switch.
Port Mirroring
A physical device that allows you to intercept the traffic between two points on the network.
Network Tap
A TCP/IP protocol that aids in monitoring network attached devices and computers.
Simple Network Management Protocol (SNMP)
Computers and other network attached devices monitored through the use of agents by a network management system.
Managed Devices
Software that is loaded on a managed device to redirect information to the network management system.
Agents
Software run on one or more servers to control the monitoring of network attached devices and computers.
Network Management System (NMS)
Version of SNMP that provides integrity, authentication, and encryption of the messages being sent over the network.
SNMPv3
Data files that contain the accounting and audit trail for actions performed by a user on the computer or network.
Logs
Logs the events such as successful and unsuccessful user logons to the system.
Security Logs
Logs the events for the operating system and third-party applications; to consolidate all the logs into a single repository, you can use SYSLOG.
Application Logs
A standardized format used for computer message logging that allows for the separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them.
SYSLOG
Actions taken to ensure the proper creation and storage of a log file, such as the proper configuration, saving, backing up, securing, and encrypting of the log files.
Log File Maintenance
When a maximum log size is reached, the system can begin overwriting the oldest events in the log files to make room.
Overwrite Events
Technology like a DVD-R that allows data to be written only once but read unlimited times.
Write Once Read Many (WORM)
A solution that provides real time or near real time analysis of security alerts generated by network hardware and applications.
SIEM
A market leading big data information gathering and analysis tool that can import machine generated data via a connector or visibility add on.
Splunk
Collection of free and open source SIEM tools that provides storage, search, and analysis functions.
ELK/Elastic Stack
A SIEM log management and analytics software that can be used for compliance reporting for legislation and regulations like HIPAA, SOX, and PCI DSS.
ArcSight
A SIEM log management, analytics, and compliance reporting platform created by IBM.
QRadar
A SIEM solution originally developed by AlienVault, now owned by AT&T, and rebranded as AT&T Cybersecurity.
AlienVault and OSSIM (Open Source Security Information Management)
An open source SIEM with an enterprise version focused on compliance and supporting IT operations and DevOps.
Graylog
A class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment.
Security Orchestration, Automation, and Response (SOAR)
A security information and event monitoring system with an integrated SOAR.
Nextgen SIEM
A checklist of actions to perform to detect and respond to a specific type of incident.
Playbook
An automated version of a playbook that leaves clearly defined interaction points for human analysis.
Runbook