IBM Cybersecurity Analyst Professional Certificate

Coursera Courses | Note: These courses have a lot of spelling errors.

Introduction to Cybersecurity Tools & Cyber Attacks

  • Which of the following statements is True?

    • Passive attacks are easy to detect because of the latency created by the interception and second forwarding.

      Passive attacks are hard to detect because the original message is never delivered so the receiving does not know they missed anything.

      Passive attacks are hard to detect because the original message is delivered unchanged and can pass an integrity check.

      Passive attacks are easy to detect because the original message wrapper must be modified by the attacker before it is forwarded on to the intended recipient.

  • The purpose of security services includes which three (3) of the following?

    • Are intended to counter security attacks.

      Enhance security of data processing systems and information transfer.

      Often replicate functions found in physical documents

      Includes any component of your security infrastructure that has been outsourced to a third-party

  • Which statement best describes access control?

    • Protection against denial by one of the parties in communication

      Protection against the unauthorized disclosure of data

      Assurance that the communicating entity is the one claimed

      Prevention of unauthorized use of a resource

  • The International Telecommunication Union (ITU) X.800 standard addresses which three (3) of the following topics?

    • Transmission cost sharing between member countries

      Data transmission speeds

      Authentication

      Access Control

      Data Confidentiality

  • Protocol suppression, ID and authentication are examples of which?

    • Security Architecture

      Security Mechanism

      Business Policy

      Security Policy

  • The motivation for more security in open systems is driven by which three (3) of the following factors?

    • New requirements from the WTO, World Trade Organization

      The appearence[sic] of data protection legislation in several countries.

      The desire by a number of organizations to use OSI recommendations.

      Society's increasing dependance[sic] on computers.

  • True or False: The accidental disclosure of confidential data by an employee is considered a legitimate organizational threat.

    • True

  • True or False: The accidental disclosure of confidential information by an employee is considered an attack.

    • True

  • A replay attack and a denial of service attack are examples of which?

    • Security architecture attack

      Passive attack

      Masquerade attack

      Origin attack

  • True or False: An application that runs on your computer without your authorization but does no damage to the system is not considered malware.

    • False

  • How would you classify a piece of malicious code designed to cause damage, can self-replicate and spreads from one computer to another by attaching itself to files?

    • Worm

  • How would you classify a piece of malicious code designed to cause damage and spreads from one computer to another by attaching itself to files but requires human actions in order to replicate?

    • Virus

  • How would you classify a piece of malicious code designed collect data about a computer and its users and then report that back to a malicious actor?

    • Spyware

  • A large scale Denial of Service attack usually relies upon which of the following?

    • A botnet

  • Antivirus software can be classified as which form of threat control?

    • Technical controls

  • Which of the following measures can be used to counter a mapping attack?

    • Record traffic entering the network

      Look for suspicious activity like IP addresses or ports being scanned sequentially.

      Use a host scanner and keep an inventory of hosts on your network.

      All of the above.

  • In order for a network card (NIC) to engage in packet sniffing, it must be running in which mode?

    • Promiscuous mode

  • Which countermeasure can be helpful in combating an IP Spoofing attack?

    • Ingress filtering

      Enable IP Packet Authentication filtering

      Keep your certificates up-to-date

      Enable the IP Spoofing feature available in most commercial antivirus software.

      All of the above.

  • Which two (2) measures can be used to counter a Denial of Service (DOS) attack?

    • Enable the DOS Filtering option now available on most routers and switches.

      Implement a filter to remove flooded packets before they reach the host.

      Use traceback to identify the source of the flooded packets.

      Enable packet filtering on your firewall.

  • Which countermeasure should be used against a host insertion attack?

    • Maintain an accurate inventory of of computer hosts by MAC address.

      Use a host scanning tool to match a list of discovered hosts against known hosts.

      Investigate newly discovered hosts.

      All of the above.

  • Which is not one of the phases of the intrusion kill chain?

    • Installation

      Activation

      Command and Control

      Delivery

  • Which social engineering attack involves a person instead of a system such as an email server?

    • Vishing

      Spectra

      Phishing

      Cyberwarfare

  • Which of the following is an example of a social engineering attack?

    • Logging in to the Army's missle[sic] command computer and launching a nuclear weapon.

      Calling an employee and telling him you are from IT support and must observe him logging into his corporate account.

      Setting up a web site offering free games, but infecting the downloads with malware.

      Sending someone an email with a Trojan Horse attachment.

  • True or False: While many countries are preparing their military for a future cyberwar, there have been no "cyber battles" to-date.

    • False

  • Which tool did Javier say was crucial to his work as a SOC analyst?

    • SIEM (Security Information and Event Management): Tools like QRadar SIEM are crucial to Javier since he can use it to perform advanced corrolations and threat intelligence integration.

  • Which hacker organization hacked into the Democratic National Convension[sic] and released Hillery[sic] Clinton's emails?

    • Fancy Bears[sic]

  • What challenges are expected in the future?

    • Enhanced espionage from more countries

      Far more advanced malware

      New consumer technology to exploit

  • Why are cyber attacks using SWIFT so dangerous?

    • Cyber attacks using SWIFT are so dangerous as the protocol used by all banks to transfer money which risks confidential customer data

      Explanation:

      • SWIFT used by banking institutions, where the entire banking operation is connected to a messaging network with the help of data which originally aimed at making communications between banks easier.

      • Although the Government had taken various measures to prevent Cyber attacks are common occurrences that steal customer data and fetch money from their account.

      • Hence, SWIFT, which relies on the internet and networking might backfire and be a major threat to the people.

  • Which statement best describes Authentication?

    • Assurance that a resource can be accessed and used

    • Assurance that the communicating entity is the one claimed

    • Protection against denial by one of the parties in communication

    • Prevention of unauthorized use of a resource

  • Trusted functionality, security labels, event detection, security audit trails and security recovery are all examples of which type of security mechanism?

    • Contingent security mechanism

      Active security mechanism

      External security mechanism

      Passive security mechanism

  • If an organization responds to an intentional threat, that threat is now classified as what?

    • An attack

      -An active threat

      A malicious threat

      An open case

  • An attack that is developed particularly for a specific customer and occurs over a long period of time is a form of what type of attack?

    • -Water Hole

      Advanced Persistent Threat

      Spectra

      Denial of Service (DOS)

  • Which of three (3) these approaches could be used by hackers as part of a Business Email Compromise attack?

    • Account compromise

      Attorney impersonation

      Request to make a payment

      CEO Fraud, where CEO sends email to an employee

  • Which type of actor was not one of the four types of actors mentioned in the video A brief overview of types of actors and their motives?

    • Black Hats

  • A political motivation is often attributed to which type of actor?

    • Hacktivist

  • Which type of actor hacked the 2016 US Presidential Elections?

    • Government

  • True or False: Passive attacks are easy to detect because the original messages are usually alterned or undelivered.

  • Cryptography, digital signatures, access controls and routing controls considered which?

    • -Pervasive security mechanisms

    • security policy

  • Which type of attack can be addressed using a switched Ethernet gateway and software on every host on your network that makes sure their NICs is not running in promiscuous mode.

    • Packet Sniffing

  • True or False: An individual hacks into a military computer and uses it to launch an attack on a target he personally dislikes. This is considered an act of cyberwarfare.

  • True or False: A tornado threatening a data center can be classified as an attack.

  • Traffic flow analysis is classified as which?

    • Passive attack

  • Botnets can be used to orchestrate which form of attack?

    • Distribution of Spam

      -DDoS attacks

      Phishing attacks

      Distribution of Spyware

      As a Malware launchpad

      All of the above

  • Policies and training can be classified as which form of threat control?

    • -Administrative controls

    • Passive Controls

  • Encrypting your email is an example of addressing which aspect of the CIA Triad?

    • Confidentiality

      Integrity

      Availability

  • Trudy changes the meeting time in a message she intercepts from Alice before she forwards it on to Bob. This is a violation of which aspect of the CIA Triad?

    • Confidentiality

      Integrity

      Availability

  • You fail to backup your files and then drop your laptop breaking it into many small pieces. You have just failed to address which aspect of the CIA Triad?

    • Confidentiality

      Integrity

      Availability

  • The use of digital signatures is an example of which concept?

    • Non-repudiation

      Confidentiality

      Integrity

      Availability

  • Managers in the Singapore office at your company can access documents that managers in other offices cannot access, nor can nonmanager employees in the Singapore office. Which 2 access criterial types were likely involved in setting this up?

    • Groups: Managers would be in a managers group.

      Timeframe

      Transaction type

      Physical location: Location is used as an access control factor.

  • In incident management, an event that has a negative impact on some aspect of the network or data is called what?

    • Event

      Attack

      Incident: an event with impact

      Threat

  • In incident management, a data inventory, data classification and data management process are part of which key concept?

    • Automated system

      Business Continuity Plan & Disaster Recovery

      E-Discovery: It is crucial to have an automated inventory of systems and data so you can know if anything changes or does not belong.

      Post-Incident Activities

  • Which of the phase of the Incident Response Process do steps like Identify cyber security incident, Define objectives and investigate situation and Take appropriate action fall into?

    • Phase 1: Prepare

      Phase 2: Respond

      Phase 3: Follow Up]

  • In the context of security standards and compliance, which two (2) of these items are goals of frameworks and best practices?

    • They seek to improve performance, controls and metrics.

      They are rules to follow for a specific industry.

      They serve as an enforcement mechanism for government, industry or clients.

      They help translate the business needs into technical or operational needs.

  • A company document that says employees may not do online shopping while at work would be which of the following?

    • Strategic Plan

      Tactical Plan

      Procedure

      Policy

  • Which three (3) of these are compliance standards that must be adhered to by companies is some industries / countries?

    • HIPAA

      PCI/DSS

      OCTAVE

      SOX

  • A method of evaluating computer and network security by simulating an attack on a computer system or network from external or internal threats is know as which of the following?

    • A threat

      A white hat

      A hack

      A pentest

  • The OWASP “Top 10” provides guidance on what?

    • The top 10 malware exploits reported each year.

      The top 10 network vulnerabilities reported each year.

      The top 10 cybercrimes reported each year.

      The top 10 application vulnerabilities reported each year.

  • Which two (2) key components are part of incident response? (Select 2)

    • Response team

      Threat

      Investigation

      Attack

  • Which is not part of the Sans Institutes Audit process?

    • Deliver a report.

      Define the audit scope and limitations.

      Help to translate the business needs into technical or operational needs.

      Feedback based on the findings.

  • Which key concept to understand incident response is defined as "data inventory, helps to understand the current tech status, data classification, data management, we could use automated systems. Understand how you control data retention and backup."

    • E-Discovery

  • Which is not included as part of the IT Governance process?

    • Tactical Plans

      Procedures

      Audits

      Policies

  • A hash is a mathematical algorithm that helps assure which aspect of the CIA Triad?

    • Integrity

  • A successful DOS attack against your company’s servers is a violation of which aspect of the CIA Triad?

    • Availability

  • Which of these is an example of the concept of non-repudiation?

    • Alice sends a message to Bob with certainty that it was not altered while in route by Trudy.

      Alice sends a message to Bob with certainty that it will be delivered.

      Alice sends a message to Bob and Bob knows for a certainty that it came from Alice and no one else.

      Alice sends a message to Bob and Alice is certain that it was not read by Trudy.

  • You have been asked to establish access to corporate documents in such a way that they can be read from anywhere, but only modified while the employees are in the office. Which 2 access criteria types were likely involved in setting this up?

    • Groups

      Physical location

      Transaction type

      Timeframe

  • In incident management, an observed change to the normal behavior of a system, environment or process is called what?

    • Event

  • In incident management, tools like SIEM, SOA and UBA are part of which key concept?

    • Automated system

      BCP & Disaster Recovery

      Post-Incident Activities

      E-Discovery

  • Which phase of the Incident Response Process do steps like Carry out a post incident review and Communicate and build on lessons learned fall into?

    • Respond

      Follow Up

      Prepare

  • In the context of security standards and compliance, which two (2) of these are considered normative and compliance items?

    • They seek to improve performance, controls and metrics.

      They are rules to follow for a specific industry.

      They help translate the business needs into technical or operational needs.

      They serve as an enforcement mechanism for government, industry or clients.

  • A company document that details how an employee should request Internet access for her computer would be which of the following?

    • Procedure

      Strategic Plan

      Policy

      Tactical Plan

  • Which of these is a methodology by which to conduct audits?

    • SOX

      HIPAA

      PCI/DSS

      OCTAVE

  • Mile 2 CPTE Training teaches you how to do what?

    • Conduct a pentest.

      Advanced network management tasks

      Conduct a Ransomware attack

      Construct a botnet

  • Which three (3) statements about OWASP are True?

    • OWASP stands for Open Web Application Security Project

      OWASP provides tools and guidance for mobile applications.

      OWASP Top 10 only lists the top 10 web application vulnerabilities but you must engage an OWASP certified partner to learn how to fix them.

      OWASP provides guidance and tools to help you address web application vulnerabilities on their Top 10 list.

  • Firewalls contribute to the security of your network in which three (3) ways?

    • Prevent unauthorized modifications to internal data from an outside actor.

      Allow only authorized access to inside the network.

      Prevent an internal user from downloading data she is not authorized to access.

      Prevent Denial of Service (DOS) attacks.

  • Which packets are selected for inspection by a packet filtering firewall?

    • Every packet entering or leaving a network.

      The first packet of every transmission but only subsequent packets when “high risk” protocols are used.

      Every packet entering the network but no packets leaving the network.

      The first packet in any transmission, whether entering or leaving.

  • True or False: Application Gateways are an effective way to control which individuals can establish telnet connections through the gateway.

  • Why are XML gateways used?

    • XML packet headers are different from that of other protocols and often “confuse” conventional firewalls.

      Conventional firewalls attempt to execute XML code as instructions to the firewall.

      XML traffic cannot pass through a conventional firewall.

      XML traffic passes through conventional firewalls without inspection.

  • Which three (3) things are True about Stateless firewalls?

    • They filter packets based upon Layer 3 and 4 information only (IP address and Port number)

      They are faster than Stateful firewalls.

      They maintain tables that allow them to compare current packets with previous packets.

      They are also known as packet-filtering firewalls.

  • True or False: Most Antivirus/Antimalware software works by comparing each file encountered on your system against a compressed (zipped) version of known malware maintained by the vendor on the local host.

  • How many unique encryption keys are required for 2 people to exchange a series of messages using asymmetric public key cryptography?

    • 4

  • What is Cryptographic Strength?

    • Relies on math, not secrecy

      Ciphers that have stood the test of time are public algorithms.

      Exclusive Or (XOR) is the “secret sauce” behind modern encryption.

      All of the above.

  • What is the primary difference between Symmetric and Asymmetric encryption?

    • The same key is used to both encrypt and decrypt the message.

  • Which type of cryptographic attack is characterized by an attack based upon trial an error where many millions of keys may be attempted in order to break the encrypted message?

    • brute-force

  • What is the correct sequence of steps required for Alice to send a message to Bob using asymmetric encryption?

    • Alice requests Bob’s public key and uses it to encrypt her message. Alice then sends the encrypted message to Bob who decrypts it using his private key.

  • A skilled penetration tester wants to show her employer how smart she is in hopes of getting a promotion. Without obtaining permission, she hacks into the company’s new online store to see if there are any weaknesses that can be hardened before the system goes live. She does not do any damage and writes a useful report which she sends over her boss’s head to the CISO. What color hat was she wearing?

    • A White Hat

      A Gray Hat

      A Black Hat

      A Pink Hat

      A Rainbow Hat

  • Which three (3) are resources that are available to help guide penetration testing efforts by cybersecurity specialists?

    • General Data Protection Regulation (GDPR)

      Open Source Security Testing Methodology Manual (OSSTMM).

      NIST SP 800-42 Guidelines on Network Security Testing.

      Information Systems Security Assessment Framework (ISSAF)

  • According to the Vulnerability Assessment Methodology, Potential Impacts are determined by which 2 factors?

    • Identify Indicators and Exposure

      Exposure and Sensitivity

      Potential Impacts and Adaptive Capacity

      Sensitivity and Adaptive Capacity

  • In digital forensics, the term Chain of Custody refers to what?

    • This is a digital “chain” that isolated digital evidence from being disturbed until it can be analyzed by the police or other authorities.

      This is a physical chain that is place around a crime scene to protect the evidence from being disturbed.

      The record that documents the sequence of custody, control, transfer, analysis, and disposition of physical or electronic evidence.

      This chain of custody is simply a written record of who possessed the evidence as it moves from collection to analysis to presentation in a court of law.

  • What is the primary function of a firewall?

    • Scans the system and search for matches against the malware definitions.

      Secures communication that may be understood by the intended recipient only.

      Filter traffic between networks.

      Uses malware definitions.

  • What is Locard's exchange principle?

    • The perpetrator of a crime will bring something into the crime scene and leave with something from it, and that both can be used as forensic evidence.

  • Which two (2) are types of firewall?

    • Protocol-filtering

      Packet-filtering

      Statutory

      Application-level

  • Which type of data does a packet-filtering firewall inspect when it decides whether to forward or drop a packet?

    • Source and destination IP addresses.

      TCP/UDP source and destination port numbers.

      ICMP message type.

      TCP SYN and ACK bits.

      All of the above.

  • Which three (3) of the following are limitations of Application gateways?

    • Application gateways are susceptible to IP spoofing.

      Each application to be managed needs its own gateway.

      Client software must be “smart” and know to contact the gateway.

      Application gateways are not good and understanding protocols such as telnet.

  • Which type of firewall inspects XML packet payloads for things like executable code, a target IP address that make sense, and a known source IP address?

    • An XML Gateway.

      An application-level firewall.

      A packet-filtering firewall.

      All of the above.

  • Which statement about Stateful firewalls is True?

    • They have state tables that allow them to compare current packets with previous packets.

      They are less secure in general than Stateless firewalls.

      They are faster than Stateless firewalls.

      All of the above.

  • True or False: Most Antivirus/Antimalware software works by comparing a hash of every file encountered on your system against a table of hashes of known virus and malware previously made by the antivirus/antimalware vendor.

  • Which type of cryptographic attack is characterized by comparing a captured hashed password against a table of many millions of previously hashed words or strings?

    • Social Engineering

      Brute force

      Rainbow Tables

      Known Plaintext

      Known Ciphertext

  • What are two (2) drawbacks to using symmetric key encryption?

    • A modern supercomputer can break even the most advanced symmetric key in a matter of minutes.

      The sender and recipient must find a secure way to share the key itself.

      Symmetric key encryption is slower than asymmetric key encryption.

      You need to use a different encryption key with everyone you communicate with, otherwise anyone who has ever received an encrypted message from you could open any message you sent to anyone else using that key.

Cybersecurity Roles, Processes & Operating System Security

  • The statement: “The protection of computer systems from theft or damage to the hardware, software or information on them, as well as from disruption or misdirection of the services they provide.” Is a good definition for what?

    • IT Security

  • When looking at security standard and compliance, which three (3) are characteristics of best practices, baselines and frameworks?

    • They are rules to follow for a specific industry.

      They seek to improve performance, controls and metrics.

      They enforce government, industry or client regulations.

      They are used to improved controls, methodologies and governance for the IT department.

      They help translate the business needs into technical or operational needs.

  • Which three (3) of these roles would likely exist in an Information Security organization?

    • Regional Sales Executive

      Product Development Manager

      CISO, Chief Information Security Officer

      Vulnerability Assessor

      Director of Human Resources

      Information Security Architect

  • In the video Introduction to Process, which three (3) items were called out as critical to the success of a Security Operations Center (SOC)?

    • People

      Process

      Tools

      Uninterruptible Power Supplies for all critical systems.

      Bandwidth

      Faraday Cages

  • Process performance metrics typically measure items in which four (4) categories?

    • Rework

      Parts Inventory on hand

      Backlog of pending orders

      Quality (defect rate)

      Injuries

      Cost

      Cycle time

  • Service Portfolio Management, Financial Management, Demand Management and Business Relationship Management belong to which ITIL Service Lifecycle Phase?

    • Service Design

      Service Improvement

      Service Operations

      Service Strategy

      Service Transition

  • Log, Assign, Track, Categorize, Prioritize, Resolve and Close are all steps in which ITIL process?

    • Change Management

      Problem Management

      Incident Management

      Event Management

  • What critical item is noted when discussing process roles?

    • Separation of duties is critical; the approver should not be the requester.

  • Service Operations: Event Management, Incident Management, Problem Management

  • Service Design: Service Catalogue Management, Service Level Management, InfoSec Management, Supplier Management

  • The process in ITIL where changes are released to an IT environment is called what?

    • Release Management

  • Which two (2) processes are operational processes? (Select 2)

    • Change Management

      Incident Management

      Availability Management

      Financial Management

  • Which two (2) of these are considered best practices? (Select 2)

    • ITIL

      Project Manager methodologies

      HIPAA

      SOX

  • Which service management process has the responsibility of understanding the root cause of a problem?

    • Problem Management

      Change Management

      Incident Management

      Configuration Management

  • In the video What is IT Security, Elio Sanabria Echeverria put forth a definition that included which factors?

    • The protection of computer hardware.

      The protection of computer software.

      The protection of data.

      The disruption or misdirection of services provided by your systems.

      All of the above.

  • This description belongs to which information security role? “This position is in charge of testing the effectiveness of computer information systems, including the security of the systems and reports their findings.”

    • Information Security Auditor

  • Which of these statements more accurately conveys what was stated in the video Introduction to Process?

    • As volumes of security alerts and false positives grow, more burden is placed upon Security Analysts & Incident Response teams.

      Solid and well documented security processes are making the role of the security analyst increasingly obsolete.

      As security monitoring and analysis tools advance and incorporate artificial intelligence, Information Security organizations are challenged to find new work for underutilized security analysts.

  • Continual Process Improvement consists of which four (4) items? (Select 4)

    • Financial performance

      Maturity Assessments

      Customer Feedback

      Process Metrics

      Focus Group studies

      Market Research

      Legal Review

  • Event Management, Incident Management, and Problem Management belong to which ITIL Service Lifecycle Phase?

    • Service Transition

      Service Improvement

      Service Design

      Service Strategy

      Service Operations

  • Maintaining Information Security Policy (ISP) and specific security policies that address each aspect of strategy, objectives and regulations is the part of which ITIL process?

    • Problem Management

      Change Management

      Service Level Management

      Information Security Management

  • Which aspect of the CIA Triad would cover preserving authorized restrictions on information access and disclosure?

    • Confidentiality

  • A message that Bob receives from Alice is genuine and can be verified as such demonstrates which key property?

    • Authenticity

  • Which is the correct order for gaining access to a resource?

    • Authentication Identification, Authorization, Accountability

      Identification, Authentication, Authorization, Accountability

      Identification, Authorization, Authentication, Accountability

      Accountability, Identification, Authentication, Authorization

  • Which type of method would include something you know, such as a password?

    • Accountability

      Authentication: something you know, something you have, something you are

      Identification

      Authorization

  • Which three (3) are common methods of access control?

    • Role Based Access Control (RBAC): assigns access based upon the roles assigned to an individual

      Perimeter Access Control (PAC)

      Mandatory Access Control (MAC): common form that uses labels to restrict access

      CIA Triad Access Control (CTAC)

      Discretionary Access Control (DAC): requires the creator of any object to assign access controls to that object

  • Which three (3) items would be considered Physical Access Control methods?

    • Perimetral

      Access Control Lists (ACL) - logical control

      Work areas

      Password policies - logical control

      Building

  • Which is an example of technical uses of physcial[sic] security controls?

    • Tokens

      Tramps

      Lists and logs

      All of the above.

  • Hamid has access to certain resources because he is a Quality Control Inspector and he has access to other resources because he is the manager of that team. Which form of access control is his company most likely using?

    • RBAC

  • Which type of method would include something you are, such as a fingerprint?

    • Authentication

  • How many unique address spaces are used by applications running in kernel mode?

    • 1: All applications run in the same shared address space in Kernel mode

  • Which two (2) of these file systems could you use to format a 64 GB USB drive?

    • FAT32 && NTFS

  • Where does Windows 10 store 64-bit applications?

    • \Program Files

  • Where does Windows 10 store 32-bit applications?

    • \Program Files (x86)

  • Which three (3) groups can "own" a file in Linux?

    • user, group, everybody

  • What application can you use to see all the active running applications and processes on macOS?

    • Activity Monitor

  • What feature in macOS prevents unauthorized applications from being installed?

    • Gatekeeper

  • Which three (3) utilities are found when booting macOS to the recovery partition? (Select 3)

    • Safari

    • Disk Utility

    • Time Machine

Cybersecurity Compliance Framework & System Administration

  • A security attack is defined as which of the following?

    • An event that has been reviewed by analysts and deemed worthy of deeper investigation.

      All cybersecurity events.

      An event on a system or network detected by a device.

      An event that has been identified by correlation and analytics tools as a malicious activity.

  • Which order does a typical compliance process follow?

    • Establish scope, readiness assessment, gap remediation, testing/auditing, management reporting

  • Under GDPR who determines the purpose and means of processing of personal data?

    • Controller

  • Under the International Organization for Standardization (ISO) which standard focuses on Privacy?

    • ISO 27018

  • What is an auditor looking for when they test control the control for implementation over an entire offering with no gaps?

    • Completeness

  • The HIPAA Security Rule requires covered entities to maintain which three (3) reasonable safeguards for protecting e-PHI?

    • administrative

      physical

      technical

  • HIPAA Administrative safeguards include which two (2) of the following?

    • Workforce training and management

      Security Personnel

  • Who is the governing entity for HIPAA?

    • US Department of Health and Human Services Office of Civil Rights

  • HIPAA Physical safeguards include which two (2) of the following?

    • Facility Access and Control

      Workstation and Device Security

  • PCI uses which three (3) of the following Card Holder Data Environment categories to determine scope?

    • Processes

      Technology

      People

  • One PCI Requirement is using an approved scanning vendor to scan at what frequency?

    • Quarterly

  • In which CIS control category will you find Incident Response and Management?

    • Organizational

  • Which is NOT an example of a client?

    • e-mail Server

  • Which three (3) threat key factors should be considered when looking at an Endpoint Security Solution?

    • detection response, user education, threat hunting

  • Which two types of updates do most organizations patch as soon as possible after testing?

    • Security and Critical

  • A patch is a set of changes to a computer program or its data designed for which three (3) functions?

    • improve, fix, update

  • Which three (3) are common Endpoint attack types?

    • Spear Phishing

      Whale hunting

      Ad Network

  • Which three (3) of the following steps can be taken to help protect sensitive Windows domain accounts? (Select 3)

    • Disable the account delegation rights for administrator accounts.

      Grant user logon access to servers and workstations.

      Create dedicated workstation hosts without Internet and email access.

      Separate administrator accounts from user accounts.

Network Security & Database Vulnerabilities

  • Which network layer do IP addresses belong to?

    • The Network Layer

  • Which address assures a packet is delivered to a computer on a different network segment from the sender?

    • The IP Address

  • A network device that is capable of sending and receiving data at the same time is referred to as which of the following?

    • Full duplex

  • True or False: Collision avoidance protocols are critical to the smooth operation of modern networks.

  • Comparing bridges with switches, which are three (3) characteristics specific to a bridge?

    • End-user devices share bandwidth on each port.

    • Virtual LANs are not possible.

    • Half-duplex transmission.

  • ARP tables only keep track of addresses within the node's broadcast domain

  • If a network server has four (4) network interface cards, how many MAC addresses will be associated with that server?

    • 4

  • True or False: When you connect your laptop to a new network, a new IP address will be assigned.

  • What does the Address Resolution Protocol (ARP) do when it needs to send a message to a location that is outside its broadcast domain?

    • ARP sends the message to the MAC address of the default gateway.

  • Routing tables are maintained by which of the following devices?

    • On any network connected device.

  • What is the purpose of a default gateway?

    • It forwards messages coming from, or going to, external networks.

  • If a message is being sent to a computer that is identified in the computer's routing table, what type of connection would be established?

    • Direct

  • What is meant by "stateless" packet inspection?

    • It is a packet-by-packet inspection with no awareness of previous packets.

  • True or False: An Intrusion Detection System (IDS) is generally a passive device that listens to network traffic and alerts an administrator when a potential problem is detected?

  • True or False: The primary difference between an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) is that an IDS is designed as a passive system that listens and alerts while an IPS is an active system that is designed to take action when a problem is detected?

  • Which intrusion system does not add any delay to network traffic?

    • IDS

  • How does using Network Address Translation (NAT) provide an additional layer of security to your network?

    • By hiding the real IP addresses of all the devices on your private network and exposing only a single public IP address.

  • Which type of NAT routing maps unregistered IP addresses to a single registered IP address allowing thousands of users to be connected to the Internet using only a single global IP address?

    • Overload

  • Which network layer do MAC addresses belong to?

    • Data Link

  • Which address assures a packet is delivered to a computer on the same network segment as the sender?

    • The MAC address.

  • A network device that cannot send and receive data at the same time is referred to as which of the following?

    • Half duplex

  • When a NIC reads a packet header and sees the destination address is not its own address, what does it do with the packet?

    • It discards the packet.

  • Comparing bridges with switches, which are three (3) characteristics specific to a switch?

    • Virtual LANs are possible.

      Each port is dedicated to a single device; bandwidth is not shared.

      Full-duplex transmission.

  • True or False: Switches can connect two geographically dispersed networks.

  • A network interface card's MAC address is also known by which two (2) of the following?

    • The physical address.

      The burn address.

  • What is the main function of the Address Resolution Protocol (ARP)?

    • To translate a MAC address to an IP address and vice versa.

  • What does a router do when it needs to send a packet to an address that is not in its routing table?

    • It forwards the packet to the default gateway.

  • What happens to messages sent from a computer that has no gateway address specified?

    • Messages sent to other computers on the same subnet will be delivered but those destined to computers on other networks will not be delivered.

  • Which three (3) are types of routes found in a routing table?

    • Direct

      Dynamic

      Default

  • The IP address range goes from 0.0.0.0 to 255.255.255.255 and is known as the "four octets". Why are these 4 numbers called octets?

    • The number 255 in decimal takes up 8 digits in binary.

  • How many octets are used to define the network portion of the IP address in a Class C network?

    • 3

  • True or False: A routable protocol is a protocol whose packets may leave your network, pass through your router, and be delivered to a remote network.

  • True or False: The destination address is defined in the packet header but the source address is in the packet footer.

  • Which network mask belongs to a Class A network?

    • 255.0.0.0

  • What is the primary function of DNS?

    • To translate domain names to IP addresses and vice versa.

  • How does a new endpoint know the address of the DHCP server?

    • The endpoint sends a DHCP Discover broadcast request to all endpoints on the local network.

  • Which Syslog layer contains the actual message contents?

    • Syslog Content

  • True or False: Setting the correct Syslog Severity Level on systems helps keep the Syslog server from being flooded by the millions of messages that could be generated by these systems.

  • True or False: The Syslog message typically includes the severity level, facility code, originator process ID, a time stamp, and the hostname or IP address of the originator device.

  • Why is port mirroring used?

    • To provide a stream of all data entering or leaving a specific port for debugging or analysis work.

  • What is the main difference between a Next Generation Firewall (NGFW) and a traditional firewall?

    • NGFW use sessions.

  • True or False: Unlike traditional stateful firewalls, next-generation firewalls drill into traffic to identify the applications traversing the network.

  • What are the two (2) primary methods used by Intrusion Prevention Systems (IPS) to discover an exploit?

    • Statistical anomaly-based detection.

    • Signature-based detection.

  • If your nontechnical manager told you that you must configure your traditional second-generation firewalls to block all users on your network from posting messages on Facebook from their office computers, how would you carry out this request?

    • You would have to block any IP addresses used by Facebook.

  • How does an endpoint know the address of the DNS server?

    • It is manually configured in the network settings by the administrator or obtained from the DHCP server.

  • What is the primary function of DHCP?

    • To automatically assign IP addresses to systems.

  • Which Syslog layer would handles the routing and storage of a Syslog message?

    • Syslog Application

  • Which of the following flow data are gathered by utilities such as NetFlow?

    • Packet count and byte count.

      Source and destination TCP/UDP ports.

      Source and destination IP addresses.

      Routing and peering data such as TCP flags and protocol.

      All of the above.

  • When a network interface card in operating in promiscuous mode, what action does it take?

    • The NIC sends all packets to the CPU for processing instead of only those packets indicated for its MAC address.

  • If a packet is allowed to pass through a NGFW based upon the established firewall rules and a new session is established, how does the NGFW treat the next packet it encounters from the same session?

    • Subsequent packets of the same session are automatically allowed.

  • If your nontechnical manager told you that you must configure your next generation firewalls (NGFW) to block all users on your network from posting messages on Facebook from their office computers, what would be the consequence of carrying out his order?

    • No serious consequence, application-level inspection and blocking can be configured.

  • Monitoring network traffic and comparing it against an established baseline for normal use is an example of which form of intrusion detection?

    • Statistical anomaly-based detection

  • Which are three (3) characteristics of a highly available system?

    • Redundancy

      Failover

      Monitoring

  • True or False: If all of your organization's data is centralized in a small number of data centers, than focusing security on perimiter defense is adequate to assure your data is safe.

  • Which two (2) of the following data source types are considered structured data?

    • Data warehouses

    • Distributed databases

  • Data that has not been organized into a specialized repository, but does have associated information, such as metadata that makes it more amenable to processing than raw data, is an example of which data model type?

    • Semi-structured data

  • How are the tables in a relational database linked together?

    • Through the use of primary and foreign keys.

  • In the video Securing the Crown Jewels, the "Identification and Baseline" phase contains which three (3) of the following items?

    • Vulnerability Assessment

      Blocking & Quarantine

      Activity Monitoring

      Discovery & Classification

      Entitlements Reporting

  • In the video Securing the Crown Jewels, the "Real-Time Monitor & Protection" phase contains which three (3) of the following items?

    • Activity Monitoring

      Blocking & Quarantine

      Dynamic Data Masking

  • In the video Securing the Crown Jewels, the "Raise Bar" phase contains:

    • Reconfigure, Mask & Encrypt

  • In the video Leveraging Security Industry Best Practices, which US Government agency is a co-publisher of the Database Security Requirements Guide (SRG)?

    • Department of Defense (DoD)

  • For added security, a firewall is often placed between which of these?

    • The database and the hardened data repository.

  • True or False: In a vulnerability assessment test, a new commercial database installed on a new instance of a major operating system should pass 80-90% of the vulnerability tests out-of-the-box unless there is a major flaw or breach.

  • Which of these hosting environments requires the enterprise to manage the largest number of different data sources?

    • on prem

  • While data security is an ongoing process, what is the correct order to consider these steps?

    • Discover, Harden, Monitor & Protect, Repeat

  • In setting up policy rules for data monitoring, what is the purpose of "exclude" rules?

    • To exclude certain applications or safe activities from being logged.

  • True or False: Data monitoring products such as IBM Guardium can send access alerts to syslog for manual intervention by a security analyst but must be connected to addition applications if automated interventions are desired.

  • To created auditable reports of data access using the IBM Guardium product, the administrator would do which of the following?

    • Use the Audit Process Builder feature to automate the reporting process.

  • True or False: The IBM Guardium monitoring applications is capable of monitoring activities in non-relational databases such as Hadoop, Cognos, and Spark.

  • At a minimum, which 3 entities should be captured in any event log?

    • When the activity took place.

    • What activity took place.

    • Who or what committed the activity.

  • True of False: In the IBM Guardium data monitoring tool, the number of failed login attempts that would trigger an alert are always counted since the last successful login.

  • Which activity should be considered suspicious and might indicate inappropriate activity is being attempted?

    • Attempts are made to access data using nonstandard tools, such as MS Excel or MS Access, rather than through the application the data belongs to.

  • Which two (2) activities should be considered suspicious and warrant further investigation?

    • Use of an Application ID from an IP that is different from what has been specified by the application owner.

    • Use of an Application ID from a hostname that is different from what has been specified by the application owner.

  • Distributed databases, data warehouses, big data, and File shares are all classified as what?

    • Data source types

  • Hadoop, MongoDB, and BigTable are all examples of which data source type?

    • Big data databases

  • Data that has been organized into a formatted repository, typically a database, so its elements can be made addressable, is an example of which data model type?

    • Structured data

  • Which of the following is the primary difference between a flat file database and a relational database?

    • All the data in a flat file database is stored in a single table.

  • In the video Leveraging Security Industry Best Practices, where would you turn to look for help on establishing security benchmarks for your database?

    • not Department of Defense/Defence Information Systems Agency (DoD/DISA).

    • Center for Internet Security (CIS).

  • Most of the time, how do users access data?

    • Through an application.

  • True or False: In a vulnerability assessment test, it is not uncommon to fail more than 50% of the tests before the operating system and database are hardened.

  • Which of these hosting environments requires the service provider to manage the largest number of different data sources?

    • SaaS

  • While data security is an ongoing process, what is the correct order to consider these steps?

    • Identification & Baseline, Raise the Bar, Real-time Monitor & Protection

  • To automatically terminate a session if an attempt is made to access data in a sensitive table, such as Social Security (SSN) ID numbers, you would set up which type of rule?

    • not terminate

    • An Access rule.

  • True or False: Data monitoring products such as IBM Guarduim are fully capable of blocking access to sensitive data based upon access parameters configured in policy rules.

  • In which two (2) ways can security events collected by a data monitoring tool be logged to a security incident and event management (SIEM) system?'

    • Configure the monitoring system to write to the SIEM systems syslog file.

      Configure bidirectional communication between the monitoring and SIEM systems, if available.

      Export security events from your monitoring tool and import them into your SIEM tool.

      Configure your SIEM system to read the monitoring systems local syslog file.

  • True or False: Data monitoring tools such as IBM Guardium are designed to monitor activities within a database, but external products, such as a privileged identity management (PIM) tool would be required to monitor changes to the data monitoring tool itself, such as the addition of new users or the alteration of existing user accounts.

  • True or False: In the IBM Guardium data monitoring tool, it is possible to create a report that shows not only how many SQL unauthorized access attempts were made by an individual, but also exactly which SQL statements were disallowed.

  • Which activity should be considered suspicious and might indicate inappropriate activity is being attempted?

    • Attempts are made to SELECT lists of usernames and passwords by a non-administrator account.

  • Which two (2) activities should be considered suspicious and warrant further investigation?

    • The data monitoring logging system was manually shut down.

      There were attempts to purge event logs.

      It takes an authorized user 3 attempts to enter the correct password.

      An authorized user attempts to run SQL statements with invalid syntax.

  • Which operating system is susceptible to OS Command Injection attacks?

    • All

  • What is a possible impact of running commands thought OS shell interpreters such as sh, bash, cmd.exe and powershell.exe?

    • It makes it easier for a hacker to inject additional commands or arguments.

  • True or False: Safe coding practice avoids using OS commands when it can be avoided.

  • True or False: Safe coding practice always runs commands through a shell interpreter.

  • True or False: Safe coding practice uses library functions when running OS commands.

  • True or False: Safe coding practice uses blacklists and avoids the use of whitelists.

  • A hacker tailoring his actions based on the database errors the application displays is an example of which type of SQL Injection attack?

  • True or False: Use of prepared statements is an effective mitigation against SQL Injection attacks because it seperates the query structure from the query parameters.

  • True or False: Native database errors should be hidden from the user to prevent hackers from gaining insight into the internal structure of your application.

  • True or False: The use of object-relational mapping (ORM) libraries is a dangerous practice that can help hackers conduct successful SQL Injection attacks.

  • Which of the following statements is True?

    • Injection attacks were ranked #1 on the OWASP Top 10 list in 2013 and again in 2017.

  • Which vulnerability is being exploited in an OS Command Injection attack?

    • Poor user input sanitation and unsafe execution of OS commands.

  • What is a simple but effective way to protect against DLL hijacking?

    • use absolute paths

  • True or False: Safe coding practice runs code with the least possible privilege.

  • True or False: Safe coding practice always specifies relative paths when running applications or using shared libraries.

  • True or False: Safe coding practice does not let user input reach an OS command unchanged.

  • A hacker exfiltrating data by injecting an HTTPrequest command is an example of which type of SQL Injection attack?

    • Out of Band

  • Protecting against SQL Injection attacks by sanitizing user input can be accomplished by which two (2) of the following techniques?

    • Use of whitelists.

      Use of mapping tables.

  • True or False: Limiting database user permissions is an ineffective strategy in preventing SQL Injection attacks since the injected code will run directly against the database regardless of the permission levels that have been set.

  • Which of the following will help reduce the SQL Injection attack surface?

    • Use of stored procedures.

  • When developing an application, using NoSQL instead of MySQL will have what effect on the applications susceptibility to SQL Injection attacks?

    • Reduce the attack surface, but not eliminate it

Penetration Testing, Incident Response and Forensics

  • General Methodology

    • Planning

      • Setting Objectives

      • Establishing Boundaries (Source)

      • Informing Need-to-know employees

    • Discovery

      • Vulnerability scanning

      • Google Dorks (Source)

      • Passive-Online

        • Wire sniffing

        • MitM

        • Replay attack

      • Active-Online

        • password brute-forcing

        • Network mapping

        • port scanning

        • trojan/spyware/keyloggers

        • hash injection (NTLM, LanMan)

        • Phishing

      • Offline Attacks

        • Pre-Computed hashes

        • Distributed Network Attack (DNA), password cracker

        • Rainbow

      • Tech-less

        • Social engineering

        • Shoulder surfing

        • Dumpster diving

    • Attack

      • Exploited vulnerabilities

        • misconfigurations

        • kernel flaws

        • insufficient input validation

        • symbolic links

        • file descriptor attacks

        • race conditions

        • buffer overflows

        • incorrect file and directory permissions

    • Report

      • Executive Summary

        • Background

        • Overall posture

        • risk ranking

        • general findings

        • recommendations

        • roadmap

          • 30,60,90 day plan

  • Incident Response

    • General

      • Event -> Incident

      • Team Models: Central, Distributed, Coordinating

      • Common Attack Vectors

        • External/Removable Media

        • Attrition

        • Web

        • Email

        • Impersonation

        • Loss or Theft of Equipment

      • Baseline Questions; help coordinate with other teams and the media

        • Who attacked you? Why?

        • When and how did it happen?

        • Did this happen because you have poor security processes?

        • How widespread is the incident?

        • What steps are you taking to determine what happened and prevent future occurrences?

        • What is the impact? Any PII exposed? Estimated cost of incident?

  • Incident Response Continued

    • Phases

      • Preparation

        • Policy (Source)

          • IR Team, roles, means, tools, resources, policy testing, action plan

          • Risk assessment, network security, user awareness, host security, malware prevention

          • What types of events should trigger investigation?

          • What assets do we have?

      • Detection & Analysis

        • Precursor: sign incident may occur in future

          • e.g. log shows vulnerability scanning going on

        • Indicator: a sign that an incident may have occurred or may be occurring now

          • e.g. unusual deviation from typical network flow

        • Monitoring Systems

          • IDS vs IPS

          • DLP

          • SIEM

        • Documentation

          • current status, summary, indicators, related incidents, actions taken, chain of custody if applicable, impact assessments, contact info, evidence gathered, comments from incident handlers, next steps to be taken

          • Functional Impact Categories

            • None, Low, Medium, High: effect on ability to provide services to users

          • Information Impact Categories

            • None, Privacy Breach, Proprietary Breach, Integrity loss

          • Recoverability Effort Categories

            • Regular, Supplemented, Extended, Not Recoverable

          • Notifications

            • CIO, Local and Head of InfoSec, other incident response teams in or out of the org, system owner, HR, Public Affairs, legal department, law enforcement if appropriate

      • Containment, Eradication & Recovery

        • Containment: decision making is easier with predetermined procedures

          • Potential damage to and theft of resources

          • need for evidence preservation

          • service availability

          • time and resources needed to implement the strategy

          • effectiveness of the strategy

          • duration of the solution

        • Forensics in IR

          • Capture a backup image of the system as-is

          • Gather evidence

          • Follow chain of custody protocols

        • Eradication & Recovery

          • Deleting malware, disabling breached accounts, identifying and mitigating all vulnerabilities

          • Restoring systems from clean backups, rebuilding systems from scratch, replacing compromised files with clean versions, patching, changing passwords, tightening network perimeter security

          • high level of testing and monitoring are often deployed to ensure restored systems are no longer impacted by the incident. This could take weeks or months depending on how long it takes to bring back compromised systems into production.

          • Checklist

            • Can problem be isolated? Are all affected systems isolated from non-affected systems? Have forensic copies of affected systems been created for further analysis?

            • If possible can the system be reimaged and then hardened with patches and/or other countermeasures to prevent or reduce the risk of attacks? Have all malware and other artifacts been removed, and systems hardened?

            • What tools are you goin got use to test, monitor, and verify that the systems being restored to productions are not compromised by the same methods that caused the original incident?

      • Post-incident Activity

        • Retrospective: what happened at what times? What info was needed sooner? Were procedures adequate? What could be done differently? Could communication be improved?

        • Utilizing data collected

        • Evidence retention

        • Documentation

    • Incident Response Demo

      • Common Threats

        • Software Attacks

        • Data exfiltration

        • Information Sabotage

        • Theft of equipment

      • Attack Vectors

        • Website hosting malicious content, countered by:

          • Qradar

          • McAfee ePolicy Orchestrator

          • Next generation firewalls

  • Questions

    • Which three (3) of the following are phases of an incident response?

      • Containment, Eradication & Recovery

      • Preparation

      • Detection & Analysis

    • Which statement is true about an event?

      • An event may be totally benign, like receiving an email.

    • True or False: A robust automated incident response system should be able to detect and prevent loss from all incidents.

    • A good automated Incident Response system should be able to detect which three (3) of these common attack vectors?

      • An email phishing attack.

      • An unauthorized removable drive being attached to the network.

      • A brute force hacking attack.

      • A former employee using his knowledge at a competitor company.

    • Which three (3) of the following are components of an Incident Response Policy?

      • IR Awareness training.

      • Means, tools and resources available.

      • Identity of IR team members.

      • IR Policy testing responsibility.

    • Contact information, Smart phones, and Secure storage facilities all belong to which Incident Response resource category?

      • Incident Handler Communications and Facilities.

    • Which three (3) of the following would be considered an incident detection precursor?

      • Detecting the use of a vulnerability scanner

      • An application log showing numerous failed login attempts from an unknown remote system.

      • A vendor notice of a vulnerability to a product you own.

      • An announced threat against your organization from an activist group.

    • True or False: The Incident Response team should keep their documentation as concise as possible so only the most important facts take up the attention of the team leadership.

    • What is the proper classification for a data breach that resulted in the exposure of sensitive personally identifiable information (PII)?

      • Privacy Breach

    • What is the proper classification for the recovery effort from a breach if you can estimate the total effort required but it will require bringing in additional resources?

      • Supplemented

    • During which stage of a comprehensive Containment, Eradication & Recovery strategy does NIST recommend considering the following: Potential damange to and theft of resources, Need for evidence preservation, and Service availability?

      • Containment

    • Which Post Incident activity would include ascertaining exactly what happened and at what times?

      • Lessons learned meeting

    • Which statement is true about an incident?

      • An incident is an event that negatively affects IT systems.

    • True or False: A Coordinating Incidents Response Team provides advice and guidance to the Distributed IR teams in each department, but generally does not have specific authority over those teams.

    • Which Incident Response Team model describes a team that has authority over all aspects of IR within the entire organization?

      • Central

    • In what way will having a set of predefined baseline questions will help you in the event of an incident?

      • Coordinate with other teams and the media.

    • Incident Response team resources can be divided into which three (3) of the following categories?

      • Incident Analysis Hardware and Software

        Incident Analysis Resources

        Incident Handler Communications and Facilities

    • Port lists, Documentation, and Cryptographic hashes all belong to which Incident Response resource category?

      • Incident Analysis Hardware and Software

        Incident Handler Communications and Facilities

        Incident Analysis Resources

        Incident Post-Analysis Resources

    • Which three (3) of the following would be considered an incident detection indicator?

      • The discovery of a file containing unusual characters by a system administrator.

        Detecting the use of a vulnerability scanner.

        A significant deviation from typical network traffic flow patterns.

        An application log showing numerous failed login attempts from an unknown remote system.

    • Which type of monitoring system analyzes logs and events in real time?

      • SIEM

    • True or False: Highly detailed and thorough documentation is needed to support the analysis of current and future incidents.

    • What is the proper classification for a breach that results in sensitive or proprietary information being changed or deleted.

      • Integrity loss

    • What is the proper classification for the recovery effort from a breach if sensitive data was stolen and posted on a public web site?

      • Not Recoverable

    • During which stage of a comprehensive Containment, Eradication & Recovery strategy does NIST recommend considering the following: Eliminate components of the incident, Disable compromised accounts, and Identify and mitigate vulnerabilities?

      • Eradication

    • Which Post Incident activity would include reviewing response times, which systems were impacted and other metrics associated with the incident?

      • Utilizing collected data

  • Digital Forensics

    • Types of Data

      • CDs/DVDs

      • Internal/External drives

      • Volatile data

      • Network activity

      • Application usage

      • Portable digital devices

      • externally owned property

      • computer at home office

      • alternate sources of data

      • logs

      • keystroke monitoring

    • Objectives

      • Recover, analyze, preserve materials; in format useful as evidence in court of law

      • design procedures to ensure evidence is not corrupted

      • data acquisition and duplication

      • identify quickly, estimate potential impact

      • produce forensic report

      • preserve evidence by following chain of custody

    • Process

      • Collection

        • Develop plan

        • acquire

        • verify integrity; hashes

    • Examination

      • Bypassing controls: data compression, encryption, ACLs

      • Sea of Data: hundreds of thousands of files, not all relevant

      • Tools: filter and exclude data from searches

    • Analysis

      • putting the pieces together

        • IDS log, link event to host, host audit logs linking event to user account, host IDS log indicating what actions user performed

    • Reporting

      • If it's not in the report, you cannot testify about it.

      • Must detail the basis for your conclusions

      • Detail every test conducted, the methods and tools used, and results

      • Report Composition

        • Overview/Case Summary

        • Forensic Acquisition & Examination Preparations

        • Findings and Report (analysis)

        • Conclusion

      • SANS Institute Best Practices

        • screenshots

        • bookmark evidence via forensic app

        • built-in logging options within forensic tool

        • highlight and export data items into CSV or TXT files

        • digital audio recorder vs handwritten notes

    • Forensic Data

      • What's not there

        • Deleted files: pointer deleted, file might still exist

        • Slack space: if a file requires less space than the file allocation unit size, an entire file allocation unit is still reserved for the file

        • Free space: area on media that is not allocated to any partition may still contain pieces of data

      • MAC data

        • modification time, access time, creation time

      • Logical Backup vs Imaging

        • Logical: copies the directories and files of a logical volume, no deleted files or residual data stored in slack space

        • Imaging: bit-for-bit copy of original media

          • disk-to-disk or disk-to-file

          • should not be used on a live system since data is always changing

      • Tools for Techniques

        • File viewers

        • uncompressing files

        • GUI for data structures

        • identifying known files

        • string searches and pattern matches

        • metadata

      • Operating System Data

        • Collection & Prioritization of Volatile Data

          • slack space, free space, network config/connections, running processes, open files, login sessions, operating system time

        • Collecting non-volatile data

          • types: config files, logs, app files, data files, swap files, dump files, hibernation files, temp files

          • Power-Down options, File system data collected, users and groups, passwords, network shares, logs

        • Logs

          • network hack: collect logs of all network devices in route

          • unauthorized access: save web server logs, app server logs, app logs, router or switch logs, firewall logs, database logs, IDS logs, etc

          • trojan/worm/virus: save antivirus logs apart from the event logs (pertaining to the antivirus)

        • Windows

          • Recycle Bin, Registry, Thumbs.db, Files, Browser History, Print Spooling

        • MacOS

          • has forensic duplicate technique: Target Disk Mode

        • Linux

          • /etc/config

          • /etc/passwd

          • /var/log

          • /home/$USER

      • Application Data

        • Application Components

          • Config Settings

            • Config File

            • Runtime Options

            • Added to Source Code

          • Authentication

            • External

            • Proprietary

            • Pass-through

            • Host/user Environment

          • Logs

            • Event

            • Audit

            • Error

            • Installation

            • Debugging

          • Data

            • can live in memory or permanent files

            • file format can be generic or proprietary

            • may be in databases

            • some apps create temp files during session or improper shutdown

          • Supporting Files

            • Docs

            • Links

            • Graphics

          • App Architecture

            • Local

            • Client/Server

            • Peer-to-Peer

        • Types of Apps

          • Email

          • Web Usage

            • Web Data from Host

              • Favorite sites

              • History w/ timestamps of sites visited

              • cached web data files

              • cookies

            • Web Data from Server

              • Timestamps

              • IP addresses

              • Web Browser version

              • Type of request

              • Resource requested

          • Interactive messaging

            • IRC, IM, VoIP

          • File Sharing

          • Document usage

          • Security apps

          • Data Concealment tools

      • Network Data

        • Sources

          • Firewalls and Routers

          • Packet Sniffers and Protocol Analyzers

          • Intrusion Detection System

          • Security Event Management Software

          • Network Forensic Analysis Tools

          • Remote Access

        • Data Value

          • IDS: starting point for finding malicious activity

          • SEM: automatically bringing together multiple sources of information and presenting useful info

          • NFAT - Network Forensic Analysis Tool

          • Firewalls, Routers, Proxy Servers, & RAS

          • DHCP Servers: timestamps, who was using what IP when

          • Packet Sniffers: huge sea of info

          • Network Monitoring: finding variations from normal traffic flows

          • ISP records: useful to determine attacker

        • Attacker Identification

          • Contact IP Address Owner

          • Send Network Traffic - not recommended for orgs

          • Application Content - data packets could contain info of attacker's identity

          • Seek ISP assistance - requires court order and is done only to assist in the most serious of attacks

          • History of IP address - look for trends of suspicious activity

    • Questions

      • Digital forensics can be defined as the application of science to the identification, collection, examination, and analysis of data.

      • According to NIST, a forensic analysis should include four elements, Places, Items, Events and what?

        • People

      • True or False. Digital forensics report must contain details of every test conducted, the methods and tools used, and the results.

      • Which section of a digital forensics report would contain a list of the steps you have taken to insure the integrity of the evidence?

        • Forensic Acquisition & Examination Preparation

      • Network activity, Application usage, Logs and Keystroke monitoring are all sources of what?

        • Data

      • What are the three (3) main hurdles that must be overcome when examining data? (Select 3)

        • Dealing with a sea of data. A single hard drive will contains many thousands of files that are not relevant to our investigation.

        • Selecting the most effective tools to help with the searching and filtering of data.

        • Bypassing controls such as operating system and encryption passwords.

      • True of False. Only data files can be effectively analyzed during a forensic analysis.

      • Most data files are smaller than the number of blocks allocated to their storage by the file system, the unused spaces is known as what?

        • Slack space

      • True or False. When collecting forensic data from a running system, you should always attempt to collect volatile data first.

      • Which of these applications would likely be of the most interest in a forensic analysis?

        • Patch files

          Operating system DLLs

          Email

          OSI Application Layer protocols

      • Digital forensics is commonly applied to which of the following activities?

        • Criminal investigation

          Incident handling

          Data recovery

          All of the above

      • NIST includes which three (3) as steps in collecting data? (Select 3)

        • Acquire the data

          Develop a plan to acquire the data

          Verify the integrity of the data

          Normalize the data

      • What is the primary purpose of maintaining a chain of custody?

        • To avoid allegations of mishandling or tampering of evidence.

      • True or False. Digital forensics had been used to solve a number of high-profile violent crimes.

      • True or False. Digital forensics report is a summary of your findings. If your case goes to trial, your testimony can, and usually does, involve far more detail than is in the report.

      • Which section of a digital forensics report would include using the best practices of taking lots of screenshots, use built-in logging options of your digital forensics tools, and exporting key data items into a .csv or .txt file?

        • Findings & Analysis

      • Which types of files are appropriate subjects for forensic analysis?

        • Data files

          Image and video files

          Application files

          All of the above

      • Deleting a file results in what action by most operating systems?

        • The memory registers used by the file are marked as available for new storage but are otherwise not changed.

      • Forensic analysis should always be conducted on a copy of the original data. What type of copying is appropriate for getting data from a live system that cannot be taken offline?

        • A logical backup

      • How does a forensic analysis use hash sets acquired from NIST's Software Reference Library project?

        • They can quickly eliminate known good operating system and application files from consideration.

      • Which three (3) of the following data types are considered non-volatile? (Select 3)

        • Dump files

          Free space

          Swap files

          Logs

      • Configuration files are considered which data type?

        • Non-volatile

      • Which three (3) of the following are application components? (Select 3)

        • Application architecture

          Authentication mechanisms

          OSI Application Layer protocols

          Data files

      • Which of these applications would likely be of the least interest in a forensic analysis?

        • Patch files

      • The Internet layer of the TCP/IP stack, also known as the Network layer in the OSI model, contains which two (2) protocols that are very useful to a forensic investigation? (Select 2)

        • UDP

        • ICMP

        • IPv4 / IPv6

        • LDAP

      • Which device would you inspect if you were looking event data correlated across a number of different network devices?

        • Firewall

      • Which of these sources might require a court order in order to obtain the data for forensic analysis?

        • ISP records

  • Scripting

    • How many spaces must be used to indent a block of code in Python?

      • Any number 1 or more as long as the same indentation is used within a code block.

Cyber Threat Intelligence

Threat Intelligence

  • Security Drivers

    • breached records

    • human error

    • iot innovation

    • breach cost amplifiers (3rd parties, cloud migration, system complexity)

    • skills gap

  • $3.92M total cost of a data breach

  • Insider Threats

  • Questions

    • Which three (3) of these were among the top 5 security drivers in 2019? (Select 3)

      • New security and privacy laws that went into effect in 2019

        Human error accounting for the majority of security breaches

        The number of breached records in 2019 more than 3 times that of 2018

        IOT device attacks moving from targeting consumer electronics to targeting enterprise devices

    • What was the average cost of a data breach in 2019 in US dollars?

      • $3.92M

    • What was the average size of a data breach in 2019?

      • 25575 records

    • According to the Threat Intelligence Strategy Map, The threat intelligence process can be broken down into 4 steps: Collect, Process, Analyze, and Share. Which step would contain activities such as gathering data from internal, external, technical and human sources?

      • Collect

    • Crowdstrike organizes threat intelligence into which three (3) areas? (Select 3)

      • Operational

      • Strategic

      • Tactical

    • According to the Crowdstrike model, Endpoints, SIEMs and Firewalls belong in which intelligence area?

      • Tactical

    • Which three (3) sources are recommended reading for any cybersecurity professional? (Select 3)

      • DarkReading

      • Trend Micro

      • BleepingComputer

    • Which two (2) of these were among the 4 threat intelligence platforms covered in the Threat Intelligence Platforms video? (Select 2)

      • FireEye

      • Recorded Future

    • True or False. The average enterprise has 85 different security tools from 45 vendors.

    • Which threat intelligence framework can be described as a system that is effective if there are only 2 players and the adversary is motivated by socioeconomic or sociopolitical payoffs?

      • Diamond Model of Intrusion Analysis

    • True or False. An organization's security immune system should not be considered fully integrated until it is integrated with the extended partner ecosystem.

    • Which term can be defined as "The real-time collection, normalization, and analysis of the data generated by users, applications, and infrastructure that impacts the IT security and risk posture of an enterprise"?

      • Security Intelligence

    • What are the three (3) pillars of effective threat detection? (Select 3)

      • See everything

      • Become proactive

      • Automate intelligence

    • True or False. According to the FireEye Mandiant's Security Effectiveness Report 2020, organizations have an average of 50-70 security tools in their IT environments.

    • What was the average time to identify and contain a breach in 2019?

      • 279 days

    • Which industry had the highest average cost per breach in 2019 at $6.45M

      • Healthcare

    • Breaches caused by which source resulted in the highest cost per incident in 2019?

      • Credentials theft

    • According to the Threat Intelligence Strategy Map, The threat intelligence process can be broken down into 4 steps: Collect, Process, Analyze, and Share. Which step would contain activities such as normalize, correlate, confirm and enrich the data?

      • Process

    • According to the Threat Intelligence Strategy Map, The threat intelligence process can be broken down into 4 steps: Collect, Process, Analyze, and Share. Which step would contain activities such as investigate, contain, remediate and prioritize?

      • Analyze

    • According to the Crowdstrike model, threat hunters, vulnerability management and incident response belong in which intelligence area?

      • Operational

    • Which three (3) sources are recommended reading for any cybersecurity professional? (Select 3)

      • X-Force Exchange

        InfoSecurity Magazine

        Krebs on Security

    • Which two (2) of these were among the 4 threat intelligence platforms covered in the Threat Intelligence Platforms video? (Select 2)

      • TruSTAR

        IBM X-Force Exchange

    • Which threat intelligence framework is divided into 3 levels. Level one is getting to know your adversaries. Level 2 involves mapping intelligence yourself and level 3 where you map more information and used that to plan your defense?

      • Mitre Att&ck Knowledgebase

    • True or False. An organization's security immune system should be isolated from outside organizations, including vendors and other third-parties to keep it from being compromised.

    • Activities performed as a part of security intelligence can be divided into pre-exploit and post-exploit activities. Which two (2) of these are pre-exploit activities? (Select 2)

      • Prioritize vulnerabilities to optimize remediation processes and close critical exposures

        Detect deviations from the norm that indicate early warnings of APTs

        Gather full situational awareness through advanced security analytics

        Perform forensic investigation

    • True or False. According to the FireEye Mandiant's Security Effectiveness Report 2020, more that 50% of successful attacks are able to infiltrate without detection.

Data Loss Prevention and Mobile Endpoint Protection

  • A student's grades should be visible to that student when she logs in to her university account. Her ability to see her grades is an example of which aspect of the CIA Triad?

    • Availability

  • A university has implemented practices that ensures all student data is encrypted while stored on university servers. Which aspect of the CIA Triad does this practice support?

    • Confidentiality

  • The Student Portal of a university issues a confirmation code with a hash value each time a student submits an assignment using the portal. This is an example of which aspect of the CIA Triad?

    • Integrity

  • True or False. An organization has "air gapped" its small network of critical data servers so they are accessible internally but not to any external system. These systems are now safe from a deliberate attack.

  • C-level executives face 4 challenges when assuring their organizations maintain a comprehensive, workable data security solution. The proliferation of smartphones used for work would impact which two (2) of these concerns the most? (Select 2)

    • New privacy regulations

    • Explosive data growth

  • True or False. An organization is subject to both GDPR and PCI-DSS data security regulations and has dedicated all of its efforts in remaining in compliance with these 2 sets of regulations. They are correct in believing that their data is safe.

  • True or False. A newly hired CISO made the right choice when he moved the Known Vulnerabilities list to a high priority for his team to resolve even though none of these had ever been exploited on the company's network to-date.

  • All industries have their own unique data security challenges. Which of these industries has a particular concern with HIPAA compliance and the highest cost per breached record?

    • Healthcare

  • All industries have their own unique data security challenges. Which of these industries has a particular concern with being targeted more than any other by cybercriminals "because that is where the money is"?

    • Financial

  • Which three (3) of these are among the top 12 capabilities that a good data security and protection solution should provide? (Select 3)

    • Data discovery

    • Blocking, masking and quarantining

    • Data risk analysis

  • Parsing discovered data against known patterns or key words is a process known as what?

    • Data classification

  • Which data protection process takes data activity monitoring output and uses it to generate insights about threats?

    • Active analytics

  • True or False. The Guardium administrator needs to be someone with the highest level of access to the data being protected?

  • Which mobile operating system runs the majority of smartphones today?

    • Android

  • Which mobile operating system runs approximately 60% of tablet computers worldwide?

    • iOS

  • True or False. Security is enhanced on iOS mobile devices because users typically cannot interact directly with the operating system.

  • Which statement best describes the use of anti-virus software on mobile devices?

    • Antivirus software can "see" the apps that are running on a mobile device but cannot see the data that is associated with each app.

  • Which type of threat is Jailbreaking?

    • System based

  • On a mobile device, which type of threat is a phishing scam?

    • App based

  • True or False. An operator who corrupts data by mistake is considered an "inadvertent attack" that should be considered when developing data protection plans.

  • C-level executives face 4 challenges when assuring their organizations maintain a comprehensive and workable data security solution. GDPR, CCPA, and PCC-DSS are concerned with which one of these challenges?

    • New privacy regulations

  • True of False. A biotech research company with a very profitable product line has grown so rapidly it has acquired a marketing company, a small IT services company and a company that specializes in pharmaceutical manufacturing and distribution. The CEO of the parent company made a good decision when he decided not to consolidate all data security under a single CISO, believing that each of the new divisions understands its own data security needs better than the parent company possibly could.

  • What are the 5 common pitfalls of data security?

    • Failure to move beyond compliance

    • Failure to recognize the need for centralized data security

    • Failure to define who owns responsibility for the data itself

    • Failure to address known vulnerabilities

    • Failure to prioritize and leverage data activity monitoring

  • All industries have their own unique data security challenges. Which of these industries has a particular concern with a widely distributed IT infrastructure that must provide services across a multiple government jurisdictions while not violating the privacy concerns of its users?

    • Transportation

  • Which three (3) of these are among the top 12 capabilities that a good data security and protection solution should provide? (Select 3)

    • Data classification

      Encryption

      Data and file monitoring

  • Which is the data protection process that addresses inappropriate privileges, insecure authentication methods, account sharing, configuration files and missing security patches?

    • Vulnerability assessment

  • Which data protection process substitutes key data with a token that is issued by a trusted third-party where the token can be accessed but not redeemed by an untrusted party?

    • Tokenization

Scanning

  • Which component of a vulnerability scanner would perform security checks according to its installed plug-ins?

    • Engine Scanner

  • Which component of a vulnerability scanner stores vulnerability information and scan results?

    • Database

  • How does a vulnerability scanner detect internal threats?

    • By scanning hosts

  • In which component of a Common Vulnerability Score (CVSS) would the attack vector be reflected?

    • Base-Exploitability Subscore

  • In which component of a Common Vulnerability Score (CVSS) would confidentiality be reflected?

    • Base-Impact Subscore

  • In which component of a Common Vulnerability Score (CVSS) would exploit code maturity be reflected?

    • Temporal Score

  • True or False. The US Dept of Defense has produced a number of Security Technical Implementation Guides to show the most secure ways to deploy common software packages such as operation systems, open source software, and network devices. These guides are available to the public and can be freely downloaded.

  • The Center for Internet Security (CIS) has implementation groups that rank from the least secure to the most secure. Which of these has the least stringent security requirements?

    • a) CIS Sub-Controls for small, commercial off-the-shelf or home office software environments.

      b) CIS Sub-Controls focused on helping security teams manage sensitive client or company information.

      c) CIS Sub-Controls that reduce the impact of zero-day and targeted attacks from sophisticated adversaries.

  • Which three (3) of these is identified by a basic port scanner? (Select 3)

    • Available services provided by the target system

    • A list of Open ports on a target system

    • Active hosts using TCP

  • Port numbers 49152 through 65535 are known as what?

    • Dynamic and Private Ports

  • What are the three (3) responses a port scanner might receive when it is scanning a system for open ports? (Select 3)

    • Open

    • Filtered (or blocked)

    • Closed

  • Which type of scan is commonly used to check if a working system is at the address indicated and that it is responding?

    • Ping (ICMP Echo Request)

  • Which type of scan sends an empty packet or packet with a different payload for each port scanned. A response is received only for closed ports?

    • UDP port scan

  • Which two (2) of these are other names for a protocol analyzer? (Select 2)

    • Packet analyzer

    • Network analyzer

  • Which is the most popular packet sniffer used?

    • WireShark

  • Ports 0–1023 – system or well-known ports

  • Ports 1024–49151 – user or registered ports

  • Ports 49152–65535 – dynamic / private / ephemeral ports

  • Which type of scan notes the connection but leaves the target hanging, i.e. does not reveal any information to the target about the host that initiated the scan?

    • TCP/Half Open Scan (aka a SYN scan)

  • Which two (2) of these are other names for a protocol analyzer? (Select 2)

    • Traffic analyzer

      Sniffer

  • True or False. Packet sniffers are used by hackers but have no legitimate place in legitimate network management.

  • Which component of a vulnerability scanner provides high-level graphs and trend reports for executive leadership?

    • Report Module

  • How does a vulnerability scanner detect external threats?

    • By scanning internet facing hosts from the Internet

  • If a port is blocked, what response will be sent to the port scanner?

    • There will be no response

Application and Security Testing

  • Enterprise Architecture

    • considers the needs of the whole enterprise within scope (org or department)

    • maps the main components of the problem space at a very high level

  • Solution Architecture

    • describes the main elements, showing internal architecture, stored data, and the use of components/patterns

  • Architectural Building Blocks (ABBs) and Solution Building Blocks (SBBs)

    • ABB

      • Data Sec, AppSec, IAM, Infrastructure and Endpoint Sec, Detect and Respond

    • SBB

      • Key Security Manager, Certificate Authority, HSM, WAF, SAST, Directory, Privilege Access Manager, Hardware Token, Virus protection, App firewall, SPAM filter, Network intrusion prevention system, incident workflow manager'

  • True or False. A security architect's job is to make sure that security considerations dominate other design aspects such as usability, resilience and cost.

  • Which of these is an aspect of an Enterprise Architecture?

    • Considers the needs of the entire organization

  • Which of these is an aspect of a Solution Architecture?

    • Describes how specific products or technologies are used

  • Which three (3) of these are general features of Building Blocks? (Select 3)

    • May be product or vendor aware

      Defined boundary, but can work with other building blocks

      Could be an actor, business service, application or data

      Package of function defined to meet a business need

  • In security architecture, a reusable solution to a commonly recurring problem is known as what?

    • a pattern

  • What is lacking in a security architecture pattern that prevents it from being used as a finished design?

    • context

  • What are the possible consequences if a bug in your application becomes known?

    • It is embarrassing to your company

      Financial losses via lawsuits and fines can be very significant

      Government agencies can impose fines and other sanctions against your company

      All of the above

  • Failure to use input validation in your application introduces what?

    • A vulnerability

  • Which software development lifecycle is characterized as a top-down approach where one stage of the project is completed before the next stage begins?

    • Waterfall

  • Which form of penetration testing allows the testers complete knowledge of the systems they are trying to penetrate in advance of their attack to simulate an internal attack from a knowledgeable insider?

    • White Box testing

  • Which application testing method requires access to the original application source code?

    • SAST: Static Application Security Testing

  • Which three (3) steps are part of a Supplier Risk Assessment? (Select 3)

    • Identify mitigations that would minimize or eliminate the risk

      Identify how the risk would impact the business

      Identify how any risks would impact your organization's business

      Determine the likelihood the risk would interrupt the business

  • What type of firewall should you install to protect applications used by your organization from hacking?

    • WAF

  • Which of these threat modeling methodologies was introduced in 1999 at Microsoft to provide their developer’s a mnemonic that would help them find security vulnerabilities in their products?

    • STRIDE

  • What was the ultimate consequence to Target Stores in the United States from their 2013 data breach in which over 100M records were stolen?

    • Costs of $10M and reputational damage only.

  • Select the two (2) top vulnerabilities found in common security products. (Select 2)

    • Cross-site request forgery

      Cross-site scripting

  • True or False. If you can isolate your product from the Internet, it is safe from being hacked.

  • Which three (3) things can Cross-site scripting be used for?

    • Take over sessions

      Steal cookies

      Break encryption

      Harvest credentials

  • True or False. Commonly a Reflect XSS attack is sent as part of an Email or a malicious link and affects only the the user who receives the Email or link.

  • Cross-site scripting attacks can be minimized by using HTML and URL Encoding. How would a browser display this string?: <b>Password</b>

    • <b>Password</b>

  • Which three (3) statements about whitelisting user input are true?

    • Special characters should only be allowed on an exception basis

    • Whitelisting reduces the attack surface to a known quantity

    • Whenever possible, input should be whitelisted to alphanumeric values to prevent XSS

  • Which two (2) statements are considered good practice for avoiding XSS attacks?

    • Use strict whitelists on accepting input

    • Encode all data output as part of HTML and JavaScript

  • How would you classify a hactivist group who thinks that your company's stance on climate change threatens the survival of the planet?

    • a threat

  • Which software development lifecycle is characterized by short bursts of analysis, design, coding and testing during a series of 1 to 4 week sprints?

    • Agile and Scrum

  • Which software development lifecycle is characterized by a series of cycles and an emphasis on security?

    • Spiral

  • Which application testing method requires a URL to the application, is quick and cheap but also produces the most false-positive results?

    • DAST: Dynamic Security Application Testing

  • Which type of application attack would include buffer overflow, cross-site scripting, and SQL injection?

    • input validation

  • Which type of application attack would include unauthorized access to configuration stores, unauthorized access to administration interfaces and over-privileged process and service accounts?

    • Configuration management

  • Which one of the OWASP Top 10 Application Security Risks would be occur when authentication and session management functions are implemented incorrectly allowing attackers to compromise passwords, keys or session tokens.

    • Broken authentication

  • Which one of the OWASP Top 10 Application Security Risks would be occur when restrictions on what a user is allowed to do is not properly enforced?

    • Broken access control

  • Which of these threat modeling methodologies is integrated seamlessly into an Agile development methodology?

    • VAST

  • Which phase of DevSecOps would contain the activities Secure application code, Secure infrastructure configuration, and OSS/COTS validation?

    • Code & build

  • Which phase of DevSecOps would contain the activities Detect & Visualize, Respond, and Recover?

    • Operate & monitor

  • The Deploy step in the DevSecOps Release, Deploy & Decommission phase contains which of these activities?

    • Versioning of infrastructure

      Creation of Immutable images

      Data backup cleansing

      IAM controles to regulate authorization

  • The Respond step in the DevSecOps Operate & Monitor phase contains which of these activities?

    • Root Cause Analysis

      Inventory

      Chaos engineering

      Virtual Patching

SIEM Platforms

  • Core Duties

    • Log Collection

    • Normalization

    • Correlation

    • Aggregation

    • Reporting

  1. A SIEM system collects logs and other security documentation for analysis

  2. The core function is to manage network security by monitoring flows and events

  3. It consolidates log events and network flow data from thousands of devices, endpoints and applications distributed throughout a network

  4. A SIEM system can be rules-based or employ a statistical correlation engine to establish relationships between event log entries

  5. Captures log event and network flow data in near real time and apply advanced analytics to reveal security offenses

  6. It can be available on prem and in a cloud environment