Information Security Continuous Monitoring Quiz
48 Questions

Questions and Answers

What is the main challenge of traditional approaches to security process data collection?

  • They are only effective for IT infrastructure.
  • They are too costly to implement.
  • They are not specific to any solution.
  • They do not handle complexity well. (correct)

What is the primary goal of information security continuous monitoring (ISCM)?

  • To implement a piecemeal approach to data collection.
  • To focus solely on endpoint protection.
  • To align security with organizational needs. (correct)
  • To reduce overall IT budget.

What factor is essential for the success of a security program?

  • A focus on end-user training.
  • Continuous updates of technology.
  • A complex set of tools.
  • Support from upper management. (correct)

Which of the following is NOT a capability of implementing continuous information security monitoring?

  • Manage budget allocations. (D) (correct)

What does the Appendix provide information about regarding ISCM?

  • Challenges of integrating OT systems. (B) (correct)

What does ISCM help organizations to actively manage?

  • Risk. (B) (correct)

Which of the following NIST publications is related to ISCM?

  • NIST SP800-137. (A) (correct)

In the context of ISCM, what is meant by 'monitor all systems'?

  • To include all components of IT infrastructure. (C) (correct)

What is the primary focus of the Continuous Monitoring Strategy Guide?

  • Planning and implementing the ISCM strategy. (A) (correct)

Which of the following best describes the role of ISCM within an organization?

  • To define and measure the organization’s risk tolerance. (D) (correct)

What should be the first step when implementing an ISCM program?

  • Select metrics to formally establish the program. (A) (correct)

What action should not be taken after analyzing and reporting findings in an ISCM program?

  • Ignoring the findings. (B) (correct)

Which is a common misconception about security incident and event management (SIEM)?

  • SIEM tools can replace an ISCM strategy. (C) (correct)

What is the purpose of key performance indicators (KPIs) and key risk indicators (KRIs) in an ISCM strategy?

  • To manage, schedule, and coordinate security tasks. (A) (correct)

What should organizations focus on before selecting security information management tools?

  • Understanding what tasks need to be accomplished. (D) (correct)

What is the recommended approach when starting an ISCM project?

  • Adopting a step-by-step fashion. (C) (correct)

What best describes an indicator in the context of information security?

  • A signal or characteristic of a possible security incident. (A) (correct)

Which of the following is an example of an indicator of compromise (IOC)?

  • A signature of malware recognized by security software. (B) (correct)

Which scenario would most likely indicate a security breach?

  • An endpoint device experiences an unplanned restart. (A) (correct)

What could be a potential sign of malware infection on a device?

  • Unusual file names containing unexpected characters. (D) (correct)

What action might an access control system take that could signal a compromise?

  • Noticing a device trying to connect without required updates. (D) (correct)

Which statement is true about indicators of an information security incident?

  • They can include unusual deviations in network traffic. (D) (correct)

What is a common misconception about monitoring for security incidents?

  • Indicators are always clear and easy to identify. (A) (correct)

What role does the information security community play in relation to indicators of compromise?

  • They standardize the format of IOC information for better communication. (C) (correct)

Which services are recommended to log Single Sign-On (SSO) activities as a quality data source?

  • Directory services. (A) (correct)

What type of servers provides extensive logs of all attempts to resolve names and IP addresses?

  • DNS servers. (D) (correct)

Which type of directory services is specifically mentioned as a logging source for internal activities?

  • X.500 directory services. (A) (correct)

Which information should be logged by DHCP services?

  • Device connection and disconnection events. (B) (correct)

What is one reason that logging is emphasized for file replication services and subsystems?

  • To enhance the survivability of data. (B) (correct)

Which of the following services is mentioned as still being used in business for traffic logging?

  • Fax servers. (C) (correct)

What should email servers log to enhance security and filter spam effectively?

  • Connection requests and email body contents. (D) (correct)

Which of the following logging actions is essential for virtual machine managers?

  • Logging VM creation and termination. (C) (correct)

What is the primary purpose of logging within an organization's infrastructure?

  • To track changes and actions taken by users. (C) (correct)

Which of the following is a main benefit of using a security information and event management (SIEM) system?

  • It allows for centralized collection and automated analysis of logs. (D) (correct)

What can overwhelming log volumes lead to in an organization?

  • Challenges in log management. (C) (correct)

Why is log integrity critical for an organization's logging practice?

  • It impacts auditing and incident response. (B) (correct)

What should organizations consider when configuring logging systems?

  • Implementing industry best practices. (B) (correct)

Which of the following is NOT a use of log data in an organization?

  • Assisting in decision-making for personnel hires. (B) (correct)

What advantage do distinct log aggregation systems provide?

  • They help verify and centralize log data securely. (A) (correct)

What is a major risk of logs that are not properly managed?

  • Potential for misconfigurations and abuse. (B) (correct)

What role does UEBA play in anomaly detection?

  • It examines the behavior of multiple entities over time. (D) (correct)

What is necessary for identifying desired baseline behavior sets?

  • Effective configuration management and control. (A) (correct)

How are behavioral abnormalities detected in complex systems according to the concepts discussed?

  • Using machine learning and AI techniques. (D) (correct)

In the context of a natural gas-fired electric power generation system, what critical subsystem is highlighted?

  • The real-time pricing system. (B) (correct)

What is the main purpose of establishing baseline behavior in IT systems?

  • To gather data for anomaly detection. (B) (correct)

What aspect of modern security involves helping managers understand machine decisions?

  • Behavioral Analytics Integration. (B) (correct)

What is the significance of detecting complex behavioral patterns in security monitoring?

  • It enables the recognition of sophisticated attacks. (A) (correct)

Which domain is highlighted for anomaly detection and response in the discussed security strategies?

  • Behavioral modeling in various architectures. (A) (correct)

Flashcards

Information Security Continuous Monitoring (ISCM)

A holistic strategy that improves and addresses security by aligning people, processes, and technologies within an organization's IT infrastructure.

Traditional Security Monitoring

A method using solution-specific logging and data capture, possibly with a central SIEM.

Challenges of OT Monitoring

Extending security monitoring to Operational Technology (OT) systems (e.g., smart buildings, ICS, SCADA, IoT) presents unique difficulties.

NIST SP 800-137

A NIST publication that provides guidance and recommendations (especially within federal systems) to aid in planning and enacting ISCM.

Benefits of ISCM

Implementing ISCM improves the ability to monitor all systems, understand threats, assess security controls, collect/analyze security data, communicate status, and actively manage risks.

Log Management

The process of collecting, storing, analyzing, and managing log data generated by different systems.

Log Integrity

Ensuring the accuracy and trustworthiness of log data.

Centralized Logging

Collecting logs from multiple sources into a single location for easier management and analysis.

Log Volume

The amount of log data generated by systems.

SIEM System

Security Information and Event Management system, used for centralizing and analyzing security logs.

Log Analysis

Examining log data to identify patterns, security issues, and performance problems.

Security Control Testing

Using log entries to understand the effectiveness of, and gaps in, security controls.

ISCM Strategy

A plan to manage and protect information systems from threats by identifying risks, monitoring for events, and analyzing findings to determine appropriate responses.

Risk Tolerance

The level of risk an organization is willing to accept in its operations.

Metrics (ISCM)

Quantifiable measures used to track and evaluate performance of the ISCM program, based on the organization's specific needs.

Security Information and Event Management (SIEM)

A tool, not a strategy, used to collect and analyze security events from various sources.

Key Performance Indicators (KPIs)

Metrics used to measure the success of a given process or activity.

Key Risk Indicators (KRIs)

Indicators used to identify and measure potential risks within an organization’s security systems.

Risk Mitigation

Actions to lessen the impact of a risk, reducing its effects.

Risk Transference

Shifting risk from one entity to another, like through insurance.

Risk Avoidance

Eliminating a risk by halting the activity or process that poses the risk.

Risk Acceptance

Acknowledging the risk and deciding to not take any action to minimize it.

Continuous Monitoring

Constantly observing and evaluating information systems for security threats.

FedRAMP

A security framework for government cloud services.

Cloud Security Alliance STAR Level 3

A continuous monitoring-based certification program for cloud security.

Anomaly Detection

Identifying unusual or unexpected behavior in systems or data, often using machine learning and AI.

UEBA (User and Entity Behavior Analytics)

A security technology that analyzes user and entity (like devices) behavior to detect complex threats.

Security Baselines

Established norms for acceptable IT system and infrastructure behavior.

Behavioral Modeling

Predicting and understanding behavior using techniques like machine learning, applied to systems.

Industrial Process Control

A system controlling industrial processes (like power generation or manufacturing).

Real-Time Pricing System

A system that determines prices for electricity based on supply and demand.

Indicator

A sign, signal, or observable characteristic suggesting an information security incident may be occurring.

Indicator of Compromise (IOC)

An observable artifact strongly suggesting a system has been or is being compromised.

Network intrusion detector alert

A warning generated when unusual network activity (like SQL injection attempts) is detected.

Antivirus software detection

An alert from antivirus software when a device shows signs of malware infection.

Unusual filenames

Files with unusual or unprintable characters, potentially indicating malicious intent.

Unauthorized device connection

A device trying to connect without proper software updates or malware definitions.

Unplanned system restart

A system restarting unexpectedly, which might be a sign of malware activity.

New/Unmanaged host

A new or unmanaged device attempting to connect to the network, which is itself suspicious.

Configuration changes

Unexpected modifications to a system's baseline configuration.

Failed login attempts

Multiple failed login attempts from unfamiliar systems/IP addresses.

Unusual email activity

Increased bounced, refused, or quarantined emails with suspicious content or unknown senders.

Network traffic anomalies

Unusual or unexpected patterns in network traffic or system load.

Malware signatures

Recognizable patterns of malicious software.

Hostile IP addresses/URLs

Known or suspected IP addresses/URLs associated with malicious intent.

Botnet control servers

Domain names linked to malicious botnet control servers.

Directory Services Logging

Directory services (like Active Directory) log attempts by entities to access other entities.

Single Sign-On (SSO) Logging

All Single Sign-On (SSO) activities should be logged for quality data.

File Replication Logging

File replication, journaling, and storage services log information for data survivability in case of problems.

DNS Logging

DNS servers log name resolution attempts, IP address lookups, and cache changes.

VM Management Logging

Virtual Machine (VM) managers log VM creation, modification, activation, and termination.

DHCP Logging

DHCP services log new IP address assignments (leases), device connections, and disconnections.

Print Server Logging

Print servers log print jobs, including source, destination, and status.

Fax Server Logging

Fax servers log all incoming and outgoing fax traffic.

Smart Copier/Scanner Logging

Smart copiers and scanners log user activity, user IDs, and file destinations.

Email Server Logging

Email servers log connections, spoofing attempts, spam, security violations, and keyword-triggered services.

Study Notes

Incident Response and Recovery

  • Incident response is a process for responding to security incidents.
  • Incidents can be hostile, accidental, or natural.
  • The first priority is the safety of people.
  • No matter how the organization divides the incident response process into steps, it must prioritize the safety of people.
  • Precursors are indicators that something might happen.
  • An indicator is something that signals a security incident.
  • An indicator of compromise (IOC) is a sign that a system has been compromised.
  • The incident response lifecycle consists of preparation, detection, containment, eradication, recovery, and post-incident analysis.

Description

Test your knowledge on the concepts and practices surrounding Information Security Continuous Monitoring (ISCM). This quiz covers the challenges of traditional security approaches, the goals of ISCM, and essential factors for a successful security program. Enhance your understanding of how ISCM helps manage organizational security.
