- Ethical Hacking Statement
- The Modern Security Operations Center
- The Windows Operating System
- Linux Basics
- Network Protocols
- Ethernet and IP Protocol
- Connectivity Verification
- Address Resolution Protocol
- The Transport Layer
- Network Services
- Network Communication Devices
- Network Security Infrastructure
- Attackers and Their Tools
- Common Threats and Attacks
- Network Monitoring and Tools
- Attacking the Foundation
- Attacking What We Do
- Understanding Defense
- Access Control
- Threat Intelligence
- Public Key Cryptography
- Endpoint Protection
- Endpoint Vulnerability
- Technologies and Protocols
- Network Security Data
- Evaluating Alerts
- Working with Network Security Data
- Digital Forensics and Incident Analysis and Response
1. When real-time reporting of security events from multiple sources is being received, which function in SIEM provides capturing and processing of data in a common format?
- A. Normalization
- B. Aggregation
- C. Compliance
- D. Log collection
A SIEM combines security event management (SEM) and security information management (SIM) functions. One of them is normalization: mapping log messages from different systems onto a common data model (common field names, timestamp format, outcome values) so that related security events can be analyzed and correlated together even though they were originally logged in different source formats. Aggregation, by contrast, combines duplicate or related events after they have been normalized.
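As an added illustration of the normalization step (this is example code, not part of the quiz page or of any SIEM product), the script below maps two constructed log lines in different formats, a syslog-style sshd message and a JSON record from a hypothetical web proxy, onto one common model with a shared `src_ip` field. The field names of the common model and both sample lines are assumptions for this demonstration.

```python
"""Added example: SIEM-style normalization of two log formats into one data model.
Sample log lines and the common-model field names are constructed for this demo."""
import json
import re
from datetime import datetime, timezone

# Constructed sample events (not real logs): one syslog-style sshd line and one
# JSON event from a hypothetical proxy, both referring to the same client IP.
SYSLOG_LINE = ("Mar 12 10:15:32 bastion sshd[2201]: Failed password for invalid "
               "user admin from 203.0.113.45 port 51022 ssh2")
PROXY_JSON = ('{"ts": "2024-03-12T10:15:40Z", "client": "203.0.113.45", '
              '"action": "denied", "url": "http://example.test/login", "device": "proxy01"}')

SYSLOG_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def normalize_syslog(line: str, year: int = 2024) -> dict:
    """Map a BSD-syslog sshd line onto the common model. Syslog lines carry no
    year, so the caller supplies one (assumed 2024 for the constructed sample)."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised syslog line")
    ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    event = {
        "timestamp": ts.isoformat(),
        "source_type": "syslog",
        "reporting_host": m["host"],
        "src_ip": None,
        "user": None,
        "outcome": "unknown",
        "raw": line,
    }
    f = SSH_FAIL_RE.search(m["msg"])
    if f:  # enrich only the event types this parser understands
        event.update(src_ip=f["src"], user=f["user"], outcome="failure")
    return event


def normalize_proxy(line: str) -> dict:
    """Map a JSON proxy record onto the same common model."""
    rec = json.loads(line)
    ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "timestamp": ts.isoformat(),
        "source_type": "proxy",
        "reporting_host": rec["device"],
        "src_ip": rec["client"],
        "user": None,
        "outcome": "failure" if rec["action"] == "denied" else "success",
        "raw": line,
    }


def normalize(line: str) -> dict:
    """Dispatch on the raw format; a real SIEM keys this on the input source."""
    if line.lstrip().startswith("{"):
        return normalize_proxy(line)
    return normalize_syslog(line)


def events_by_src_ip(lines) -> dict:
    """Once both sources share src_ip, correlating them is a single grouping."""
    grouped = {}
    for ln in lines:
        ev = normalize(ln)
        grouped.setdefault(ev["src_ip"], []).append(ev)
    return grouped


if __name__ == "__main__":
    for ip, evs in events_by_src_ip([SYSLOG_LINE, PROXY_JSON]).items():
        print(ip, [(e["source_type"], e["outcome"]) for e in evs])
```

The point of the exercise is the last function: an SSH brute-force attempt and a proxy denial from the same address become comparable only after both have been mapped onto the same `src_ip`, `timestamp` and `outcome` fields.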
2. What is the value of file hashes to network security investigations?
- A. They ensure data availability.
- B. They can serve as malware signatures.
- C. They offer confidentiality.
- D. They assure nonrepudiation.
Data confidentiality, integrity, availability and nonrepudiation are all crucial components of data security. Encryption provides confidentiality by keeping information from being disclosed to unauthorized people, processes, or devices. Integrity uses hashes (message digests) to detect alteration of data. Availability ensures timely and reliable access to data for authorized users, and nonrepudiation is the ability to prove that an operation or event occurred so that it cannot be denied later. In an investigation, the hash of a known-malicious file serves as a malware signature: the same digest appearing on an endpoint identifies the same file, and hashes are routinely shared as indicators of compromise. The limitation is that any change to the file, even a single byte, produces a completely different hash, so hash signatures do not catch modified or polymorphic variants.
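To make the "hash as signature" idea and its limitation concrete, here is an added example (not the quiz page's code) that hashes files in chunks, matches the digests against a constructed known-bad list, and shows that a one-byte change defeats the match. The sample file contents, the "Constructed.Dropper.A" label and the file names are all made up for this demonstration and are not real indicators.

```python
"""Added example: file hashes used as malware signatures, plus the one-byte
evasion caveat. All sample data and labels below are constructed, not real IOCs."""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # 64 KiB reads keep memory flat on large binaries


def hash_file(path, algorithms=("md5", "sha1", "sha256")) -> dict:
    """Compute several digests of a file in one pass; returns {algo: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_signatures(path, known_bad: dict) -> list:
    """known_bad maps lowercase hex digest -> malware label; returns the labels
    whose digest equals any digest of the file (feeds lists may use md5, sha1 or sha256)."""
    return [known_bad[d] for d in hash_file(path).values() if d in known_bad]


# Constructed sample contents (not malware): a fake PE-ish blob and a harmless script.
SAMPLE_BAD = b"MZ\x90\x00constructed-sample-not-real-malware"
SAMPLE_GOOD = b"#!/bin/sh\necho hello\n"


def known_bad_list() -> dict:
    """A constructed signature list keyed by SHA-256, as a feed would be after parsing."""
    return {hashlib.sha256(SAMPLE_BAD).hexdigest(): "Constructed.Dropper.A"}


def demo() -> tuple:
    """Write both samples to disk and scan them; returns (hits_bad, hits_good)."""
    with tempfile.TemporaryDirectory() as d:
        bad = Path(d, "dropper.exe")
        bad.write_bytes(SAMPLE_BAD)
        good = Path(d, "hello.sh")
        good.write_bytes(SAMPLE_GOOD)
        sigs = known_bad_list()
        return match_signatures(bad, sigs), match_signatures(good, sigs)


def evasion_demo() -> bool:
    """Append one byte to the flagged sample: the signature no longer matches.
    Returns True when the variant evades the hash list."""
    variant = SAMPLE_BAD + b"\x00"
    with tempfile.TemporaryDirectory() as d:
        p = Path(d, "dropper2.exe")
        p.write_bytes(variant)
        return match_signatures(p, known_bad_list()) == []


if __name__ == "__main__":
    print("scan results:", demo())
    print("one-byte variant evades hash signature:", evasion_demo())
```

In practice the hash list is the part you import from a threat-intelligence feed; the scanning loop is the same whether you are sweeping a file share or checking a single quarantined attachment, and `evasion_demo` is the reason hash matches are paired with behavioural or content-based detections rather than relied on alone.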
3. Which technology is an open source SIEM system?
- A. StealthWatch
- B. Wireshark
- C. ELK
- D. Splunk
There are many SIEM systems available to network administrators. The ELK suite is an open source option.
4. A network administrator is working with ELK. The amount of network traffic to be collected by packet captures and the number of log file entries and alerts that will be generated by network and security devices can be enormous. What is the default time configured in Kibana to show the log entries?
- A. 36 hours
- B. 12 hours
- C. 48 hours
- D. 24 hours
Logstash and Beats handle ingestion in the ELK stack and can bring in very large numbers of log entries. Because the volume of entries that could be displayed is so large, Kibana, the visual interface to the logs, shows only the last 24 hours by default; the analyst widens or narrows that window with the time picker when an investigation needs a different range.
5. In which programming language is Elasticsearch written?
- A. C++
- B. C
- C. Python
- D. Java
Elasticsearch is a cross platform enterprise search engine written in Java.
6. For how long does the Payment Card Industry Data Security Standard (PCI DSS) require that an audit trail of user activities related to protected information be retained?
- A. 12 months
- B. 24 months
- C. 6 months
- D. 18 months
Collecting and keeping everything would be ideal for investigations, but storage and access costs make indefinite retention of NSM data infeasible. Retention periods for certain types of network security data may instead be dictated by compliance frameworks. The Payment Card Industry Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council, requires that the audit trail of user activity involving cardholder data be retained for at least one year, with a minimum of three months immediately available for analysis.
7. What is the host-based intrusion detection tool that is integrated into Security Onion?
- A. Snort
- B. OSSEC
- C. Sguil
- D. Wireshark
Integrated into Security Onion, OSSEC is a host-based intrusion detection system (HIDS) that performs file integrity monitoring, local log monitoring, system process monitoring, and rootkit detection. Snort is a network IDS, Sguil is the analyst console, and Wireshark is a packet analyzer, so none of them fits the host-based role. Security Onion 2 releases up to 2.3 shipped Wazuh, an OSSEC fork, in this role.
8. Which core open source component of the Elastic-stack is responsible for accessing, visualizing, and investigating data?
- A. Logstash
- B. Kibana
- C. Beats
- D. Elasticsearch
The core open source components of the Elastic-stack are Logstash, Beats, Elasticsearch, and Kibana. Kibana is responsible for accessing, visualizing, and investigating data. Elasticsearch is responsible for storing, indexing, and analyzing data. Logstash and Beats are responsible for acquiring network data.
9. What is the default time set in the securityonion.conf file for Sguil alert data retention?
- A. 45 days
- B. 15 days
- C. 30 days
- D. 60 days
Sguil alert data is retained for 30 days by default. On Security Onion this is the DAYSTOKEEP value in /etc/nsm/securityonion.conf; raising it increases the database retention window at the cost of disk space.
10. Which tool would an analyst use to start a workflow investigation?
- A. ELK
- B. Zeek
- C. Snort
- D. Sguil
Sguil is the GUI-based console that security analysts use to analyze network security events. An investigation workflow typically starts from an alert in Sguil: the analyst reviews the alert, then pivots from it to the session transcript, the packet capture, or other tools, and finally categorizes or escalates the event. ELK, Zeek and Snort produce or store the underlying data but are not where the analyst begins the workflow.
11. Which core open source component of the Elastic-stack is responsible for storing, indexing, and analyzing data?
- A. Elasticsearch
- B. Logstash
- C. Beats
- D. Kibana
The core open source components of the Elastic-stack are Logstash, Beats, Elasticsearch, and Kibana. Kibana is responsible for accessing, visualizing, and investigating data. Elasticsearch is responsible for storing, indexing, and analyzing data. Logstash and Beats are responsible for acquiring network data.
12. Which tool concentrates security events from multiple sources and can interact with other tools such as Wireshark?
- A. Sguil
- B. Kibana
- C. Bro
- D. Curator
Sguil is a GUI-based application that security analysts use to analyze session data and packet captures. It concentrates alerts from Snort or Suricata and other sensors into one console, and from any alert the analyst can pivot to a transcript or open the associated capture in Wireshark or NetworkMiner. (Bro in option C is the former name of Zeek.)