1. Each day, a security analyst spends time examining logs and events from different systems and applications to quickly detect security threats. What function of the Security Information Event Management (SIEM) technology does this action represent?
- aggregation
- correlation
- retention
- forensic analysis
Explanation: The four essential functions of SIEM are:
- Forensic analysis – search logs and event records from sources throughout the organization for information for forensic analysis.
- Correlation – Examines logs and events from disparate systems or applications, speeding detection of and reaction to security threats.
- Aggregation – Aggregation reduces the volume of event data by consolidating duplicate event records.
- Retention – Reporting presents the correlated and aggregated event data in real-time monitoring and long-term summaries.
2. Which network security tool can detect open TCP and UDP ports on most versions of Microsoft Windows?
- Nmap
- L0phtcrack
- SuperScan
- Zenmap
Explanation: There are various network security tools available for network security testing and evaluation. L0phtcrack can be used to perform password auditing and recovery. SuperScan is a Microsoft port scanning software that detects open TCP and UDP ports on systems. Nmap and Zenmap are low-level network scanners available to the public.
3. A security technician is evaluating a new operations security proposal designed to limit access to all servers. What is an advantage of using network security testing to evaluate the new proposal?
- Network security testing is most effective when deploying new security proposals.
- Network security testing is simple because it requires just one test to evaluate the new proposal.
- Network security testing proactively evaluates the effectiveness of the proposal before any real threat occurs.
- Network security testing is specifically designed to evaluate administrative tasks involving server and workstation access.
Explanation: Network security testing can evaluate the effectiveness of an operations security solution without having to wait for a real threat to take place. However, this type of testing should be conducted periodically, versus just once. It is effective to evaluate many different tasks when it is conducted during both the implementation and operational stages.
4. What information does the SIEM network security management tool provide to network administrators?
- detection of open TCP and UDP ports
- real time reporting and analysis of security events
- assessment of system security configurations
- a map of network systems and services
Explanation: SIEM, which is a combination of Security Information Management and Security Event Management products, is used for forensic analysis and provides real-time reporting of security events.
5. What network scanning tool has advanced features that allows it to use decoy hosts to mask the source of the scan?
- Nessus
- Nmap
- Tripwire
- Metasploit
Explanation: There are various network security tools available for network security testing and evaluation. Nessus can scan systems for software vulnerabilities. Metasploit is used for penetration testing and IDS signature development. Tripwire is used to assess if network devices are compliant with network security policies. Nmap is a low-level network scanner available to the public that an administrator can use to identify network layer protocol support on hosts. Nnmap can use decoy hosts to mask the source of the scan.
6. A new person has joined the security operations team for a manufacturing plant. What is a common scope of responsibility for this person?
- managing redundancy operations for all systems
- data security on host devices
- physical and logical security of all business personnel
- day-to-day maintenance of network security
Explanation: The operations team is responsible for keeping the network up and running in a secure and protected manner. They prevent reoccurring problems when possible, implement designs that reduce hardware failures to an acceptable level for critical systems, and reduce the impact of hardware failure.
7. Which security test is appropriate for detecting system weaknesses such as misconfiguration, default passwords, and potential DoS targets?
- penetration testing
- vulnerability scanning
- integrity checkers
- network scanning
Explanation: There are many tests used to assess the operational status of networks and systems. Weaknesses in systems such as blank or default passwords, or misconfigurations that would make a system a target of a DoS attack can be detected through vulnerability scanning.
8. What type of network security test would be used by network administrators for detection and reporting of changes to network systems?
- penetration testing
- network scanning
- integrity checking
- vulnerability scanning
Explanation: There are many security tests that can be used to assess a network. Penetration testing is used to determine the possible consequences of successful attacks on the network. Integrity checking is used to detect and report changes made to systems. Vulnerability scanning is used to find weaknesses and misconfigurations on network systems. Network scanning is used to discover available resources on the network.
9. Which network security tool allows an administrator to test and detect weak passwords?
- Metasploit
- L0phtcrack
- Tripwire
- Nessus
Explanation: L0phtcrack can be used to perform password auditing and recovery. Nessus can scan systems for software vulnerabilities. Metasploit is used for penetration testing and IDS signature development. Tripwire is used to assess if network devices are compliant with network security policies.
10. What are two tasks that can be accomplished with the Nmap and Zenmap network tools? (Choose two.)
- identification of Layer 3 protocol support on hosts
- validation of IT system configuration
- password auditing
- TCP and UDP port scanning
- password recovery
Explanation: Nmap is a low-level network scanner that is available to the public and which has the ability to perform port scanning, to identify open TCP and UDP ports, and perform system identification. It can also be used to identify Layer 3 protocols that are running on a system.
11. What type of security test uses simulated attacks to determine possible consequences of a real threat?
- penetration testing
- vulnerability scanning
- network scanning
- integrity checking
Explanation: There are many security tests that can be used to assess a network. Penetration testing is used to determine the possible consequences of successful attacks on the network. Integrity checking is used to detect and report changes made to systems. Vulnerability scanning is used to find weaknesses and misconfigurations on network systems. Network scanning is used to discover available resources on the network.
12. What function is provided by the Tripwire network security tool?
- password recovery
- IDS signature development
- logging of security events
- security policy compliance
Explanation: Tripwire is a network security testing tool that can be used by administrators to assess if network devices are compliant with company network security policies.