Alerting and Monitoring

Question 1

What is the importance of alerting and monitoring?

Answer 1

Crucial for maintaining integrity, confidentiality, and availability of information systems

Question 2

What are the two main components of alerting and monitoring?

Answer 2

• Alerting
• Monitoring

Question 3

What is a True Positive in alerting?

Answer 3

Correctly identifies a legitimate issue

Question 4

What is a False Positive in alerting?

Answer 4

Incorrectly indicates an issue when there isn’t one

Question 5

What is a True Negative in alerting?

Answer 5

Correctly recognizes the absence of an issue

Question 6

What is a False Negative in alerting?

Answer 6

Fails to alert about a real issue

Question 7

What are the goals of an alerting system?

Answer 7

• Maximize true positives
• Minimize false positives to avoid alert fatigue

Question 8

What are the types of monitoring?

Answer 8

• Automated Monitoring
• Manual Monitoring

Question 9

What is log aggregation?

Answer 9

Collecting and centralizing log data

Question 10

What is the purpose of alerting?

Answer 10

Notification of potential security incidents

Question 11

What does scanning involve in monitoring?

Answer 11

Continuous examination for anomalies

Question 12

What is the purpose of reporting in monitoring?

Answer 12

Generating reports on system and network status

Question 13

What is archiving in the context of monitoring?

Answer 13

Storing historical data

Question 14

What is SNMP and its primary use?

Answer 14

Widely used in network management systems to monitor and manage network devices

Question 15

What is the function of a Security Information and Event Management (SIEM) system?

Answer 15

Integrated management technologies for holistic security views

Question 16

What does SIEM collect and aggregate?

Answer 16

Log data

Question 17

What is the Security Content Automation Protocol (SCAP)?

Answer 17

Enables automated vulnerability management, measurement, and policy compliance evaluation

Question 18

What are network traffic flows?

Answer 18

A sequence of packets from source to destination identifiable by a unique set of identifiers

Question 19

What does a ‘Single Pane of Glass’ refer to?

Answer 19

Consolidates data from different sources into a unified display

Question 20

What is a baseline in monitoring?

Answer 20

A reference point representing normal system behavior under typical operating conditions

Question 21

What does application monitoring focus on?

Answer 21

Managing and monitoring software application performance and availability

Question 22

What tools are used for application monitoring?

Answer 22

• New Relic
• AppDynamics

Question 23

What does infrastructure monitoring observe?

Answer 23

Physical and virtual infrastructure, including servers and networks

Question 24

What types of scanning are included in alerting and monitoring activities?

Answer 24

• Vulnerability scanning
• Configuration scanning
• Code scanning

Question 25

What are the data sources for SIEM?

Answer 25

* Antivirus * DLP systems * NIDS * NIPS * Firewalls * Vulnerability scanners

Question 26

What is the function of alert response and remediation/validation?

Answer 26

Managing and resolving identified issues based on alerts or scans

Question 27

What does alert tuning involve?

Answer 27

Adjusts alert parameters to reduce errors and improve alert relevance

Question 28

What does SNMP stand for?

Answer 28

Simple Network Management Protocol

Question 29

What is the role of an SNMP manager?

Answer 29

Collects and processes information from managed devices

Question 30

What are the types of SNMP messages?

Answer 30

* SET * GET * TRAP

Question 31

What is the purpose of the Management Information Base (MIB)?

Answer 31

A hierarchical namespace containing OIDs and their descriptions

Question 32

What security enhancements does SNMP version 3 offer?

Answer 32

* Integrity * Authentication * Confidentiality

Question 33

What is the primary function of a SIEM?

Answer 33

Real-time or near-real-time analysis of security alerts generated by network hardware and applications

Question 34

What are common SIEM solutions?

Answer 34

* Splunk * ELK (Elastic Stack) * ArcSight * QRadar

Question 35

What does a firewall do?

Answer 35

Acts as a barrier between trusted internal networks and untrusted external networks

Question 36

What is the purpose of vulnerability scanners?

Answer 36

Identify security weaknesses, including missing patches and incorrect configurations

Question 37

What does SCAP stand for?

Answer 37

Security Content Automation Protocol

Question 38

Fill in the blank: The SCAP suite includes the OVAL, XCCDF, and _______.

Answer 38

ARF

Question 39

What is OVAL?

Answer 39

Open Vulnerability and Assessment Language, an XML schema for describing system security states and querying vulnerability reports ## Footnote OVAL helps in automating vulnerability assessment.

Question 40

What does XCCDF stand for?

Answer 40

Extensible Configuration Checklist Description Format, an XML schema for developing and auditing best-practice configuration checklists and rules ## Footnote XCCDF allows improved automation in compliance assessments.

Question 41

What is ARF?

Answer 41

Asset Reporting Format, an XML schema for expressing information about assets and their relationships ## Footnote ARF is vendor and technology neutral and flexible for various reporting applications.

Question 42

What is the purpose of CCE?

Answer 42

Common Configuration Enumeration, a scheme for provisioning secure configuration checks across multiple sources ## Footnote CCE provides unique identifiers for different system configuration issues.

Question 43

What does CPE stand for?

Answer 43

Common Platform Enumeration, which identifies hardware devices, operating systems, and applications ## Footnote Standard format: cpe:/part:vendor:product:version:update:edition:language.

Question 44

What is CVE?

Answer 44

Common Vulnerabilities and Exposures, describes publicly known vulnerabilities with unique identifiers ## Footnote Standard format: CVE-Year first documented-Number (e.g., CVE-2017-0144).

Question 45

What is CVSS used for?

Answer 45

Common Vulnerability Scoring System, provides a numerical score reflecting the severity of a vulnerability (0 to 10) ## Footnote Scores categorize vulnerabilities as none, low, medium, high, or critical.

Question 46

What are SCAP Benchmarks?

Answer 46

Sets of security configuration rules for specific products to establish security baselines ## Footnote They provide detailed checklists for securing systems and are expressed in the XCCDF format.

Question 47

Name two examples of SCAP Benchmarks.

Answer 47

* Red Hat Enterprise Linux Benchmark * CIS Microsoft Windows 10 Enterprise Benchmark

Question 48

What is Full Packet Capture (FPC)?

Answer 48

Captures entire packets, including headers and payloads

Question 49

What is Flow Analysis?

Answer 49

Focuses on recording metadata and statistics about network traffic, saving storage space ## Footnote It does not include actual content, just metadata.

Question 50

What is a Flow Collector?

Answer 50

Records metadata and statistics about network traffic ## Footnote It collects information about type of traffic, protocol used, and data volume.

Question 51

What does flow analysis provide?

Answer 51

Metadata about data, not the actual content ## Footnote Metadata includes details about traffic types and volumes.

Question 52

What is NetFlow?

Answer 52

Cisco-developed protocol for reporting network flow information ## Footnote Also known as IPFIX (IP Flow Information Export).

Question 53

What data does NetFlow collect?

Answer 53

* Network protocol interface * IP version and type * Source and destination IP addresses * Source and destination ports * Type of service used

Question 54

What is Zeek?

Answer 54

Hybrid tool for network monitoring that logs full packet captures based on interest ## Footnote It normalizes data for easy import into other tools for visualization and analysis.

Question 55

What does MRTG stand for?

Answer 55

Multi Router Traffic Grapher, creates graphs displaying network traffic flows through routers and switches

Question 56

What might traffic spikes indicate?

Answer 56

Anomalies that may require investigation ## Footnote They could reveal issues like malware infection or unauthorized data transfer.

Question 57

What is a Single Pane of Glass (SPOG)?

Answer 57

Central point of access for security teams to monitor, manage, and secure an organization's IT environment

Question 58

What are the benefits of a SPOG?

Answer 58

* Simplifies security operations management * Improves collaboration and communication * Aids compliance with regulatory requirements

Question 59

What is the first step in implementing a SPOG?

Answer 59

Defining Requirements, identifying the information, tools, and systems required for effective security management

Question 60

What is the role of APIs in SPOG implementation?

Answer 60

Used to collect and analyze data from various sources ## Footnote They help integrate data sources like log servers and intrusion detection systems.

Question 61

Fill in the blank: Flow analysis information is stored in a _______.

Answer 61

database

Question 62

True or False: Flow analysis includes the actual content of network traffic.

Answer 62

False