Module 27: Working with Network Security Data Quiz Answers

1. When real-time reporting of security events from multiple sources is being received, which function in SIEM provides capturing and processing of data in a common format?

  • normalization
  • compliance
  • log collection
  • aggregation

Explanation: SIEM combines SEM and SIM tools to provide some useful functions, one of which is data normalization. Data normalization is the process of mapping log messages from different systems into a common data model in order to analyze related security events, even if they are initially logged in different source formats.

2. What is the value of file hashes to network security investigations?

  • They can serve as malware signatures.
  • They ensure data availability.
  • They offer confidentiality.
  • They assure nonrepudiation.

Explanation: Data confidentiality, integrity, availability, and nonrepudiation are all crucial components of data security. The use of encryption algorithms ensures data confidentiality by safeguarding information from being disclosed to unauthorized people, processes, or devices. Data integrity uses hashes or a message digest to ensure data nonalteration. Data availability ensures timely and reliable access to data for authorized users, whereas nonrepudiation is the ability to prove that an operation or event has occurred and cannot be repudiated later on.

3. Which technology is an open source SIEM system?

  • Wireshark
  • Splunk
  • StealthWatch
  • ELK

Explanation: There are many SIEM systems available to network administrators. The ELK suite is an open source option.

4. A network administrator is working with ELK. The amount of network traffic to be collected by packet captures and the number of log file entries and alerts that will be generated by network and security devices can be enormous. What is the default time configured in Kibana to show the log entries?

  • 36 hours
  • 48 hours
  • 24 hours
  • 12 hours

Explanation: Logstash and Beats are used for ingestion in the ELK stack. They provide access to large numbers of log file entries. Because the number of logs that can be displayed is so large, Kibana, which is the visual interface into the logs, is configured to show the last 24 hours by default.

5. In which programming language is Elasticsearch written?

  • Python
  • C
  • C++
  • Java

Explanation: Elasticsearch is a cross-platform enterprise search engine written in Java.

6. For how long does the Payment Card Industry Security Standards Council (PCI DSS) require that an audit trail of user activities related to protected information be retained?

  • 24 months
  • 18 months
  • 6 months
  • 12 months

Explanation: Everyone would love the security of collecting and saving everything, but because of storage and access issues, retaining NSM data indefinitely is not feasible. The retention period for certain types of network security information may be specified by compliance frameworks. The Payment Card Industry Security Standards Council (PCI DSS) requires that an audit trail of user activities related to protected information be retained for one year.

7. What is the host-based intrusion detection tool that is integrated into Security Onion?

  • OSSEC
  • Sguil
  • Snort
  • Wireshark

Explanation: Integrated into Security Onion, OSSEC is a host-based intrusion detection system (HIDS) that can conduct file integrity monitoring, local log monitoring, system process monitoring, and rootkit detection.

8. Which core open source component of the Elastic-stack is responsible for accessing, visualizing, and investigating data?

  • Kibana
  • Elasticsearch
  • Logstash
  • Beats

Explanation: The core open source components of the Elastic-stack are Logstash, Beats, Elasticsearch, and Kibana. Kibana is responsible for accessing, visualizing, and investigating data. Elasticsearch is responsible for storing, indexing, and analyzing data. Logstash and Beats are responsible for acquiring network data.

9. What is the default time set in the securityonion.conf file for Sguil alert data retention?

  • 15 days
  • 45 days
  • 60 days
  • 30 days

Explanation: Sguil alert data is retained for 30 days by default. This value is set in the securityonion.conf file.

10. Which tool would an analyst use to start a workflow investigation?

  • ELK
  • Sguil
  • Snort
  • Zeek

Explanation: Sguil is a GUI-based application used by security analysts to analyze network security events.

11. Which core open source component of the Elastic-stack is responsible for storing, indexing, and analyzing data?

  • Kibana
  • Logstash
  • Beats
  • Elasticsearch

Explanation: The core open source components of the Elastic-stack are Logstash, Beats, Elasticsearch, and Kibana. Kibana is responsible for accessing, visualizing, and investigating data. Elasticsearch is responsible for storing, indexing, and analyzing data. Logstash and Beats are responsible for acquiring network data.

12. Which tool concentrates security events from multiple sources and can interact with other tools such as Wireshark?

  • Sguil
  • Curator
  • Bro
  • Kibana

Explanation: Sguil is a GUI-based application used by security analysts to analyze session data and packet captures.
