Security and Network Monitoring Flashcards
Which role does machine learning play in cyber security?
A. Conditional Authentication
B. Denial of service attack mitigation
C. Permissions restrictions
D. Threat hunting
D. Threat hunting.
Machine learning excels at analyzing vast amounts of data to identify patterns and anomalies. This makes it an ideal tool for threat hunting, where security analysts actively search for potential threats that may have evaded traditional security measures. By continuously monitoring network traffic, log files, and other data sources, machine learning algorithms can detect unusual behavior, potential vulnerabilities, and early indicators of compromise.
Which description defines a false positive?
A. Current configuration does not detect malicious item or activity
B. No alerts because problematic conditions are absent
C. Correctly identified malicious item or activity truly exists
D. Benign item or activity is incorrectly identified as being malicious
D. Benign item or activity is incorrectly identified as being malicious.
A false positive occurs when a security system mistakenly flags a harmless activity or file as a threat. This can lead to unnecessary alerts, investigations, and potential disruptions to normal operations.
What is the name of the default Splunk index?
A. main
B. default
C. first
D. Initial
A. main.
The “main” index is the default index in Splunk.
It stores all events that are not explicitly directed to another index.
Which network protocol is common in industrial control environments?
A. PLC
B. HTTP
C. NFS
D. Modbus
D. Modbus.
Modbus is a widely used industrial communication protocol that enables communication between devices like PLCs, HMIs, and other industrial equipment. It is known for its simplicity, reliability, and wide vendor support.
You are managing a Linux system and need to capture SSH traffic regardless of the packet size. Which command should you use?
A. tcpdump -i ens33 -v -tcpport 22 -A -s0
B. tcpdump -i ens33 -v -port 22 -A -s0
C. tcpdump -i ens33 -v -tcp 22 -A
D. tcpdump -i ens33 -v -port 22 -A
B. tcpdump -i ens33 -v -port 22 -A -s0
Let’s break down each part of the command:
tcpdump: This is the main command used to capture network packets.
-i ens33: This specifies the network interface to capture packets from. Replace ens33 with the actual name of your network interface.
-v: This option enables verbose output, providing more detailed information about each captured packet.
-port 22: This filter specifically targets packets on port 22, which is the standard port for SSH.
-A: This option ensures that the packets are printed in ASCII format, making them human-readable.
-s0: This sets the snapshot length to 0 bytes, capturing the entire packet without truncation, regardless of its size.
By combining these options, the command will capture all SSH traffic on the specified network interface and display the contents of each packet in a human-readable format.
You are viewing a WireShark packet capture. To which OSI model layer does the IP header correspond to?
A. 1
B. 2
C. 3
D. 4
C. 3.
The IP header corresponds to the Network Layer of the OSI model, which is layer 3. This layer is responsible for routing packets across networks. The IP header contains information such as the source and destination IP addresses, which are crucial for routing packets to their intended recipients.
Which splunk command determines which local host items are tracked and sent to the Splunk server?
A. splunk set
B. splunk add
C. splunk monitor
D. splunk enable
C. splunk monitor.
The splunk monitor command is used to display real-time logs and events being received by the Splunk server. It provides a way to see which hosts are sending data, the types of data being sent, and any errors or issues that may be occurring.
Here’s a breakdown of the other options:
A. splunk set: This command is used to set global configuration settings for Splunk.
B. splunk add: This command is used to add new configuration settings or data sources to Splunk.
D. splunk enable: This command is used to enable or disable specific features or components within Splunk.
You need to restrict access to specific Splunk indexes for searching purposes. What should you create in Splunk?
A. Role
B. User
C. Policy initiative
D. Group
A. Role
In Splunk, roles are used to define permissions for users, including which indexes they can access for searching. By creating and assigning roles, you can control which data a user can search, ensuring that only authorized users can access specific indexes.
Which is a core function of a SIEM system?
A. Threat hunting
B. Project management
C. Applying patches
D. CI/CD
A. Threat hunting
SIEM systems are designed to collect, analyze, and correlate security event data from various sources to detect and respond to potential security threats in real time. While SIEM can support threat hunting activities by providing the data and insights needed to actively search for threats within an organization’s network, its primary function is centered around threat detection, event correlation, and security monitoring.
Which phrase defines a situation where activity is determined to be acceptable, and it truly is?
A. True negative
B. False negative
C. False positive
D. True positive
A. True negative
A true negative occurs when a system correctly identifies an event as normal or acceptable, and in reality, it is indeed normal or acceptable.
Here’s a quick breakdown of the other options:
B. False negative: When something harmful is not detected (i.e., a threat is missed).
C. False positive: When a harmless activity is incorrectly identified as a threat.
D. True positive: When a threat is correctly identified as a threat.
