CBROPS Summary Challenges
session data
Which NSM data type can be consulted to determine if any internal systems have communicated with any of the suspicious external IP addresses? session data transaction data alert data statistical data extracted content
web application firewall
Which security device is best for defending web servers against the OWASP Top 10 web application security risks? load balancer intrusion prevention system web security appliance stateful firewall web application firewall
integrity
Which security property guarantees that sensitive information is changed only by an authorized party? accountability availability confidentiality integrity visibility
Discretionary Access Control (DAC)
Uses an ACL to decide which users or group of users have access to the information. The owner of information is able to change the ACL permissions at their discretion.
round robin fewest connections least time hash
What are four common algorithms that typical load balancers use to load balance the traffic? (Choose four.) round robin fewest connections least time weighted early random detection anomaly based hash
Non-discretionary access control
Access decisions are based on an individual's roles and responsibilities within the organization, also known as role-based access control (RBAC).
promiscuous
To capture traffic that is not destined for the local machine, in which mode must the network card must be placed? promiscuous transparent not attached managed bypass
Least connections
A new request is sent to the server with the fewest current connections to clients.
The source and destination IP addresses are private IP addresses. The attacker uses random source ports. The attack targets the same web server.
According to the following figure, which three statements are true? (Choose three.) The destination port is associated with the HTTPS protocol. The source and destination IP addresses are private IP addresses. The attacker uses random source ports. The attack targets the same web server. The alerts indicate an SQL injection attack.
open source code
Which option is not considered intellectual property? trademarks copyrighted material open source code patents
white hat hackers
Which option is not one of the four categories of attackers that threaten information assets? organized crime unscrupulous competitors white hat hackers state entities individuals
Telnet
Which protocol sends data in cleartext? Telnet HTTPS SSH SCP
They both refer to the same source IP address. The DNS query provided resolution supporting the HTTP query.
Consider the following two transaction events that are produced by Bro. Which two statements describe how these two events are correlated? (Choose two.) host=127.0.0.1 program=bro_dns class=BRO_DNS srcip=10.10.6.11 srcport=49585 dstip=10.10.4.20 dstport=53 proto=UDP hostname=www.services.public answer=sp-srv.services.public,209.165.200.235 query_class=C_INTERNET query_type=A return_code=NOERROR host=127.0.0.1 program=bro_http class=BRO_HTTP srcip=10.10.6.11 srcport=10103 dstip=209.165.200.235 dstport=80 status_code=200 content_length=1211 method=GET site=www.services.public uri=/home/index.php referer=- user_agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 mime_type=text/html They both refer to the same source IP address. They both refer to the same destination IP address. They both provide evidence of a SQL injection attempt. They both provide evidence of a DNS tunneling attempt. The DNS query provided resolution supporting the HTTP query. The DNS server returned an A record to the client.
HIPAA (Health Insurance Portability and Accountability Act)
Which regulation compliancy measure focuses on personal health care information? HIPAA PCI DSS GBLA PIPEDA
PCI DSS (Payment Card Industry Data Security Standard)
Which regulation specifically addresses credit card compliance? Sarbanes-Oxley PCI DSS Safe Harbor Act FISMA
to permit only the returning TCP packets from an already existing TCP connection, and deny the initial TCP packet of a new session from an untrusted network
How can the established keyword in an ACL entry be used? to permit only the returning TCP packets from an already existing TCP connection, and deny the initial TCP packet of a new session from an untrusted network to permit both the initial TCP packet of a new session and the returning TCP packets from an existing TCP connection to permit only the initial TCP packet of a new session to change a router into a true stateful firewall controlling the access on a session-by-session basis
Session data is summary data that is associated with network conversations. A SOC analyst examining session data is analogous to a detective examining a phone bill. Transaction data generally lies between session data and full packet capture.
In NSM data types, which three statements about session data and transaction data are true? (Choose three.) Session data is summary data that is associated with network conversations. Transaction data is summary data that is associated with network conversations. A SOC analyst examining transaction data is analogous to a detective examining a phone bill. A SOC analyst examining session data is analogous to a detective examining a phone bill. Session data captures the details that are associated with requests and responses. Transaction data generally lies between session data and full packet capture. Transaction data is based on the IP 5-tuple: source IP address, source port, destination IP address, destination port, and transport layer protocol.
Full packet capture records all the network traffic at some particular locations in the network. Most often, extracted content takes the form of files such as images retrieved by a web browser or attachments to email messages.
In NSM data types, which two statements describe full packet capture and extracted content? (Choose two.) Extracted content records all the network traffic at some particular locations in the network. Full packet capture records all the network traffic at some particular locations in the network. A SOC analyst examining extracted content is analogous to a detective reviewing a wiretap. Most often, extracted content takes the form of files such as images retrieved by a web browser or attachments to email messages. Most often, full packet capture takes the form of files such as images retrieved by a web browser or attachments to email messages.
Alert data is typically produced by IPS systems. Metadata can be used to augment the NSM data that is directly collected in the SOC.
In NSM data types, which two statements regarding alert data and metadata are true? (Choose two.) Metadata is typically produced by IPS systems. Alert data is typically produced by IPS systems. Alert data must also include the metadata associated with the IPS alert. Metadata can be used to augment the NSM data that is directly collected in the SOC. Alert data can be used to augment the NSM data that is directly collected in the SOC.
IP 5-tuple
In NSM, session data contains which element? HTTP URL full packet contents IPS alert data IP 5-tuple
The traffic will be implicitly denied.
In an ACL, if a traffic flow is not explicitly permitted, what will be the result of the traffic flow after it has finished testing all the user-configured control entries in the list? The traffic will be implicitly permitted. The traffic will be explicitly permitted. The traffic will be explicitly denied. The traffic will be implicitly denied.
extracted content ==> PDF File full packet capture ==> PCAP File metadata ==> reputation transaction data ==> DNS query and response statistical data ==> DNS query and response
Match the example NSM data to the associated NSM data type. ***NSM Data*** extracted content full packet capture metadata transaction data statistical data ***NSM Data Type*** HPPT throughput baseline PDF File DNS query and response PCAP File reputation
session
NetFlow records provide IP flow information that is based on the IP 5-tuple and can be considered which type of NSM data? full packet capture transaction alert session
network capacity planning analysis past and current events false positive events
Predictive analysis can use which three options to make predictions about future attacks or events? (Choose three.) data mining log mining network capacity planning analysis past and current events false positive events
Traffic can be captured using a network tap, which splits a duplex connection into two separate simplex connections. Storage requirements and policies must also be considered with full packet capture, because the full packet capture quickly consumes disk space.
Regarding full packet capture, which two statements are true? (Choose two.) Placement of sensing interfaces will not affect which conversations will be seen. Mirroring the traffic on the switch is the most reliable method of full packet capture. Traffic can be captured using a network tap, which splits a duplex connection into two separate simplex connections. TCP segmentation offload should be enabled to improve packet capture performance. Storage requirements and policies must also be considered with full packet capture, because the full packet capture quickly consumes disk space.
Log clustering can be used to mine through large amounts of data to build profiles and to identify anomalous behavior.
Regarding log mining, which statement about log clustering is true? Log clustering can be used to reconstruct network traffic or to follow it. Log clustering is an interpretation of a chain of consecutive events that occur during a set period. Log clustering can be used to make predictions about unknown future attacks or events. Log clustering can be used to mine through large amounts of data to build profiles and to identify anomalous behavior. Log clustering labels data packets, allowing them to traverse through the network on different paths but still remaining identifiable to the destination node when it is reconstructed.
Path analysis is an interpretation of a chain of consecutive events that occur during a set period.
Regarding log mining, which statement about path analysis is true? Path analysis can be used to reconstruct network traffic or to follow it. Path analysis is an interpretation of a chain of consecutive events that occur during a set period. Path analysis can be used to make predictions about unknown future attacks or events. Path analysis can be used to mine through large amounts of data to build profiles and to identify anomalous behavior. Path analysis labels data packets allowing them to traverse through the network on different paths but still remaining identifiable to the destination node when it is reconstructed.
Cisco SecureX includes many of the same elements as a SOAR. The expertise of Cisco Talos threat analysts is a benefit of Cisco SecureX. Pre-built playbooks are included in Cisco SecureX.
Regarding the Cisco SecureX platform, which three statements are true? (Choose three.) Cisco SecureX includes many of the same elements as a SOAR. Most parts of an organization's security portfolio are made visible, except third-party solutions. The expertise of Cisco Talos threat analysts is a benefit of Cisco SecureX. Pre-built playbooks are included in Cisco SecureX. Playbooks cannot be custom-tailored. Cisco SecureX replaces an organization's existing security portfolios.
The destination port is associated with the HTTP protocol. The protocol is identified as UDP. The destination IP address is a private IP address.
Regarding the following screenshot, which three statements are true? (Choose three.) The destination port is associated with the HTTP protocol. The destination port is associated with the SMTP protocol. The protocol is identified as TCP. The protocol is identified as UDP. The destination IP address is a public IP address. The destination IP address is a private IP address.
Round robin
Requests are distributed across the group of servers sequentially.
Hash
Requests are distributed based on a hash value, such as the source and destination IP address.
Least time
Requests are sent to the server according to a formula that combines the fastest response time and fewest active connections.
Mandatory Access Control (MAC)
Secures information by assigning sensitivity (security level) labels on information and comparing them to the level of sensitivity that a user is operating at. Usually appropriate for extremely secure systems, such as military applications or mission-critical applications.
Snort ELSA
Security Onion is composed of which two components? (Choose two.) Snort Netwitness Metasploit ELSA Nessus
Tcpdump Wireshark
Security Onion provides which two tools to analyze PCAP files? (Choose two.) Tcpdump netsed Wireshark OSSEC barnyard2
modems
The Cisco SecureX platform does not integrate with which part of an organization's network? endpoints network traffic modems data centers cloud-based applications
availability confidentiality integrity
What are the three basic security requirements of network security? (Choose three.) accountability availability confidentiality integrity visibility
Security Onion provides an entire suite of open source tools in a single distribution. Security Onion provides visibility and context into network events, traffic, and alerts. Security Onion provides tools for packet capture, threat detection, and packet analysis.
What are three benefits of deploying Security Onion for network security monitoring? (Choose three.) Security Onion provides an entire suite of open source tools in a single distribution. Security Onion automates security monitoring eliminating the need for security analyst intervention. Security Onion provides visibility and context into network events, traffic, and alerts. Security Onion can be installed on your mobile devices such as tablets to provide a portable security analysis tool. Security Onion provides tools for packet capture, threat detection, and packet analysis.
passport number place and date of birth fingerprints
What are three examples of PII? (Choose three.) type and model of personal vehicle office location passport number business email address place and date of birth fingerprints
Snort ELSA (Enterprise Log Search and Archive)
What are two tools that are provided by Security Onion? (Choose two.) Metasploit Stealthwatch Snort Nagios ELSA
same IP 5-tuple
What is a simple and effective way to correlate events? different TCP destination ports different TCP source ports same alert timestamp same alert severity level same IP 5-tuple
Apply confidentiality processes when handling PII.
What is the best way to manage PII data? Back up PII on a local hard drive. Apply confidentiality processes when handling PII. Use mandatory access control to secure PII. Sign PII using a digital signature.
Receive syslog messages from syslog clients that are distributed across the network and store those messages in a flat log file.
What is the first step in centralized syslog management? Receive syslog messages from syslog clients that are distributed across the network and store those messages in a flat log file. Present syslog data in the form of automated reports, dashboards, and real-time query responses. Move messages from the flat log file to a high-performance relational database. Process low-level data in the relational database to produce higher-level information constructs.
IP addresses of hosts that may have been affected the path that was used in the attack the timeline of the attack
When attempting to reconstruct an incident from a packet capture, an analyst should pay special attention to which three options? (Choose three.) IP addresses of hosts that may have been affected the path that was used in the attack the timeline of the attack the tool used to produce the packet capture the geo-location information in the IP header
ELSA (Enterprise Log Search and Archive)
Which Security Onion tool should the security analyst use as the centralized syslog collector? OSSEC ELSA Snort Bro
ACK or RST
Which TCP flag must be set in a packet in order for the packet to match an ACL entry that contains the establishedkeyword? SYN only ACK only RST only SYN or ACK ACK or RST
Mandatory Access Control (MAC)
Which access control model originates from the military and uses security labels? access control list discretionary access control mandatory access control role-based access control
protects web applications from common vulnerabilities and DDoS attacks
Which benefit does a web application firewall provide, in addition to the benefits provided by a traditional load balancer? protects any Layer 7 applications from malware protects web applications from common vulnerabilities and DDoS attacks protects the back-end database by acting as a reverse proxy between the web server and the back-end database protects the servers behind the WAF from attacks using Layer 3 and 4 firewall rules
ip access-group
Which command is required on an interface in order to apply an ACL as a packet filter? access-class ip access-group ip access-list <SGA group id>
policy NAT
Which form of NAT enables a firewall to selectively perform translations based on the destination address? static NAT dynamic PAT static PAT policy NAT dynamic NAT
dynamic PAT
Which form of NAT uses port addresses to distinguish between translated sessions? static NAT policy NAT dynamic PAT dynamic NAT
Full Packet Capture (FPC)
Which network security data type requires the largest amount of storage? session data full packet capture transaction data extracted content alert data
The three options above are all concerns.
Which of the following is a concern regarding full packet capture data? NIC performance features such as TCP segmentation offload can distort the collected full packet capture. Storage resources may limit the duration of full packet capture retention. The location of sensing interfaces affects the visibility that the data provides. The three options above are all concerns. Only the second and third options above are concerns.
Scalability issues force network administrators to enter username credentials into each network device.
Which one of the following best describes the limitations of local AAA databases? Usernames, passwords, and credentials must be synchronized with a TACACS+/RADIUS server. Scalability issues force network administrators to enter username credentials into each network device. While they support accounting, they do not meet the requirements for large persistent storage. Authorization policies that are created with local AAA databases cannot be synchronized and made available to all the devices across the network.
Metasploit
Which option is a penetration-testing tool? Wireshark Metasploit Snort Netwitness NetFlow
Snort
Which option is an intrusion detection system? Wireshark Metasploit Nessus NetFlow Snort
NetFlow analyzers allow you to pinpoint machines and devices that are hogging bandwidth, to find bottlenecks in your system, and, ultimately, to improve your network's overall efficiency.
Which statement about NetFlow analyzers is true? NetFlow analyzers allow you to pinpoint machines and devices that are hogging bandwidth, to find bottlenecks in your system, and, ultimately, to improve your network's overall efficiency. NetFlow analyzers are an interpretation of a chain of consecutive events that occur during a set period. NetFlow analyzers can be used to reconstruct network traffic or to follow it. NetFlow is a network utilization monitoring tool that is not applicable to use as a network security tool.
The firewall applies broad-based application and file control policies to detect malware.
Which statement best describes how a network-based malware protection feature detects a possible event? Using virus signature files locally on the firewall, it will detect incorrect MD5 file hashes. The firewall applies broad-based application and file control policies to detect malware. Malware can be detected correctly by using reputation databases on both the firewall and from the cloud. IDS signature files that are located on the firewall are used to detect the presence of malware. Malware can be detected and stopped by using ACLs and the modular policy framework within the firewall appliance.
Modern networks use a common set of widely known and open protocols. The global connectivity of the internet provides more opportunities for threat actors to connect to information systems. The increased complexity of operating systems and application software has made it more difficult to ensure security across all systems.
Which three changes have occurred in modern networks that require enhanced security? (Choose three.) Modern networks use a common set of widely known and open protocols. The use of common operating systems on smart phones such as Apple iOS and Android has provided attackers with simpler means to instigate targeted attacks. Fault tolerance and backup systems provide threat actors easy access to system resources and data. The global connectivity of the internet provides more opportunities for threat actors to connect to information systems. The increased complexity of operating systems and application software has made it more difficult to ensure security across all systems.
commonly used protocols SHA-256 hashes metadata stored that is within the files
Which three elements can be configured in firewall policies to detect network-based malware? (Choose three.) commonly used rainbow hash tables commonly used protocols SHA-256 hashes metadata stored that is within the files access control lists (ACLs)
Wireshark Tshark tcpdump
Which three options are tools that can perform packet captures? (Choose three.) Wireshark ELSA Sguil Squert Tshark tcpdump
anomaly detection data correlation automated reporting
Which three options best describe how a SIEM should be used? (Choose three.) anomaly detection data correlation automated reporting malware reverse engineering sandboxing
routers, Layer 3 switches, firewalls
Which three types of devices can do NAT? (Choose three.) routers Layer 3 switches bridges wireless access points firewalls
host=127.0.0.1 program=bro_http class=BRO_HTTP srcip=10.10.6.10 srcport=9892 dstip=23.209.176.129 dstport=80 status_code=200 content_length=4266 method=GET site=tile-service.weather.microsoft.com uri=/en-US/livetile/preinstall?region=US&appid=C98EA5B0842DBB9405BBF071E1DA76512D21FE36&FORM=Threshold referer=- user_agent=Microsoft-WNS/10.0 mime_type=application/xml host=127.0.0.1 program=bro_dns class=BRO_DNS srcip=10.10.6.10 srcport=52224 dstip=10.10.4.20 dstport=53 proto=UDP hostname=evan-pc.abc.private answer=- query_class=C_INTERNET query_type=SOA return_code=NOERROR
Which two logs are examples of transaction data? (Choose two.) host=127.0.0.1 program=bro_conn class=BRO_CONN srcip=10.10.6.10 srcport=9887 dstip=64.4.54.254 dstport=443 proto=TCP bytes_in=4556 service=ssl conn_duration=60.432303 bytes_out=3176 pkts_out=12 pkts_in=10 resp_country_code=US host=127.0.0.1 program=bro_http class=BRO_HTTP srcip=10.10.6.10 srcport=9892 dstip=23.209.176.129 dstport=80 status_code=200 content_length=4266 method=GET site=tile-service.weather.microsoft.com uri=/en-US/livetile/preinstall?region=US&appid=C98EA5B0842DBB9405BBF071E1DA76512D21FE36&FORM=Threshold referer=- user_agent=Microsoft-WNS/10.0 mime_type=application/xml host=127.0.0.1 program=bro_dns class=BRO_DNS srcip=10.10.6.10 srcport=52224 dstip=10.10.4.20 dstport=53 proto=UDP hostname=evan-pc.abc.private answer=- query_class=C_INTERNET query_type=SOA return_code=NOERROR host=127.0.0.1 program=bro_conn class=BRO_CONN srcip=10.10.4.20 srcport=55060 dstip=8.8.8.8 dstport=53 proto=UDP bytes_in=51 service=dns conn_duration=0.015342 bytes_out=51 pkts_out=1 pkts_in=1 resp_country_code=US
TACACS+ RADIUS
Which two protocols are most commonly found in AAA? (Choose two.) TCP/IP TACACS+ OSPF MD5 RADIUS IPSEC
Commercial tools tend to be polished and full-featured and come with vendor support, but they also tend to be expensive. Technical support is often considered to be an advantage of commercial tools.
Which two statements about commercial and open source SOC tools are true? (Choose two.) Commercial tools tend to be polished and full-featured and come with vendor support, but they also tend to be expensive. Open source tools tend to be polished and full-featured and come with vendor support, but they also tend to be expensive. Technical support is often considered to be an advantage of commercial tools. Technical support is often considered to be an advantage of open source tools. Commercial tools are freely distributable; open source tools are not.
Transaction data provides audit trails of client requests and server responses. Some NSM tools can decode application protocols, recognize transactions within the live traffic, and produce transaction logs.
Which two statements about transaction data are true? (Choose two.) Transaction data provides audit trails of client requests and server responses. The logs from the servers such as DHCP servers, DNS servers, mail servers, and proxies are not considered as a source of transaction data. Some NSM tools can decode application protocols, recognize transactions within the live traffic, and produce transaction logs. Bro cannot produce transaction logs for common application protocols.
SOAR automates information security event management processes and incident response procedures. A SOAR analyzes cyber threat intelligence from external threat feeds.
Which two statements are benefits of a SOAR platform? (Choose two.) SOAR automates information security event management processes and incident response procedures. Only one set of functions is used to automatically react to malicious elements from well-known attack vectors. A SOAR analyzes cyber threat intelligence from external threat feeds. A SOAR is less costly than a SIEM but shares many of the same capabilities. The SOAR platform does not use playbooks. Since the Gartner Group defined the term, the number of companies that use SOAR tools is not increasing.
If the system is deployed using port mirroring or network taps, then it is operating in IDS mode. If the system is deployed inline so that it can drop traffic that it classifies as malicious, then it is operating in IPS mode.
Which two statements are true regarding the deployment of IDS and IPS systems? (Choose two.) If the system is deployed using port mirroring or network taps, then it is operating in IPS mode. If the system is deployed using port mirroring or network taps, then it is operating in IDS mode. If the system is deployed inline so that it can drop traffic that it classifies as malicious, then it is operating in IPS mode. If the system is deployed inline so that can drop traffic that it classifies as malicious, then it is operating in IDS mode.
Accurate time stamping across the network is critical to forensic investigation after a compromise occurs. NTP can provide an authenticated time source from which security tools can operate.
Which two statements best describe why it is important to deploy an NTP solution in a network infrastructure? (Choose two.) NTP makes it impossible for time stamp information to be falsified. NTP is needed as a time source for network devices that do not have their own internal clocks. Accurate time stamping across the network is critical to forensic investigation after a compromise occurs. NTP can provide an authenticated time source from which security tools can operate.
Statistical data aggregates the individual events and provides summaries of the data. The summaries of statistical data can be used by the analyst to develop a clear and coherent picture that may not be discernable from examining individual events.
Which two statements regarding statistical data are true? (Choose two.) Statistical data aggregates the individual events and provides summaries of the data. Statistical data records all the network traffic at some particular locations in the network. The summaries of statistical data can be used by the analyst to develop a clear and coherent picture that may not be discernable from examining individual events. Statistical data is typically produced by IDS or IPS systems.
Wireshark Tcpdump
Which two tools can be used to perform raw network packet capture? (Choose two.) Wireshark Snort Metasploit Tcpdump Nessus Squert
alert data
Which type of NSM data is primarily associated with IDS and IPS systems? transaction data alert data metadata session data
everyone in the company
Who is required to protect the company's information assets? chief executive officer chief information officer chief financial officer chief technical officer everyone in the company