Section 4.3 Appropriate data sources to support an investigation

Question 1

What can identify an report various vulnerabilities before they are exploited, such as software flaws, missing patches, open ports, services that should not be running, and weak passwords?

Answer 1

Vulnerability scanners

Question 2

Dashboards are very useful to the security operations centers as they provide?

Answer 2

centralized visibility and information on threats in real time

Question 3

What kind of log file can identify the IP and MAC addresses of devices that are attached to your network? NIDS/NIPS can be important in identifying threats and anomalies from these.

Answer 3

Network log files

Question 4

What kind of log file contains many types of information about web requests so evidence of potential threats and attacks will be visible here?

Answer 4

Web log files

Question 5

400 series HTTP response codes are what kind of errors?

Answer 5

client-side errors

Question 6

500 series HTTP response codes are what kind of errors?

Answer 6

server-side errors

Question 7

Sending log files that exist on client and server systems can help establish what?

Answer 7

a central audit trail and visibility into the scope of an attack

Question 8

What kind of log files contain information about hardware changes, updates to devices, and time synchronization, group policy application, etc…?

Answer 8

System log files

Question 9

What kind of log files contain information about software applications when launched, success or failure, and warnings about potential problems or errors?

Answer 9

Application log files

Question 10

What kind of log files contain information about a successful login as well as unauthorized attempts to access the system and resources? Captures information on file access and can determine who has downloaded certain data and can identify attackers trying to log into your computer systems.

Answer 10

Security log files

Question 11

What kind of log files contain virtually all DNS server-level activity such as zone transfer, DNS server errors, DNS caching, and DNSSEC?

Answer 11

DNS log files

Question 12

What kind of log files contain information about login events, logging success or failure?

Answer 12

Authentication log files

Question 13

What kind of log files are generated when a computer crashes with contents in the memory saved in a dump file (.dmp)?

Answer 13

Dump files

Question 14

What is known as a log collector as it collects event logs from various devices and often sent to a central server?

Answer 14

Syslog

Question 15

What logging solution is a utility for querying and displaying logs from a journald, which is systemd’s logging service?

Answer 15

journalctl

Question 16

What logging solution collects and stores log data in binary format?

Answer 16

journald

Question 17

What logging solution is used to query and display journald logs in a readable format?

Answer 17

journalctl

Question 18

What logging solution is an open-source log management tool that helps identify security risks in a Linux/Unix environment? It’s a multi-platform log collection and centralization tool that offers log processing features, including log enrichment and log forwarding.

Answer 18

NXLog

Question 19

What monitor changes in traffic patterns and identify devices on the network that are causing bottlenecks? They can be used to understand you network traffic flow and can detect broadcast storms and potential denial-of-service attacks.

Answer 19

Bandwidth Monitors

Question 20

What do you call data that provides information about other data?

Answer 20

Metadata

Question 21

What kind of metadata is headers that contain detailed information, including source, destination, and route through the email providers to the recipient? Can be used when phishing emails are received to identify the bad actor.

Answer 21

Email Metadata

Question 22

What kind of metadata provides information about every page created on a website, including author, date created, images, and other files (videos, pdfs, etc..)?

Answer 22

Web Metadata

Question 23

What kind of metadata can be used to track information such as the author, date created, date modified, and file size?

Answer 23

File Metadata

Question 24

What kind of metadata might include geotagging that documents the location in which a photograph was taken?

Answer 24

Photograph metadata

Question 25

What kind of network monitoring solution is a CISCO product that monitors network traffic and can identify the load on the network? In an investigation, it can help identify patterns in network traffic.

Answer 25

Netflow

Question 26

What kind of network monitoring solution is a multi-vendor product that provides visibility into network traffic patterns? Can help identify malicious traffic to help in securing the network.

Answer 26

Sflow

Question 27

What kind of network monitoring solution can be used to capture traffic from the node itself and data can then be exported to a collector within the node? Can be used to identify data traveling through a switch to facilitate billing and format IP flow data and forward it to a collector.

Answer 27

IP Flow Information Export (IPFIX)