4_3_3 Section 4 – Operations and Incident Response - 4.3 – Investigations- Log Management

Questions and Answers

What type of information can be obtained from a log file on a switch?

• Interface status and security information (correct)
• Application setup information
• File system details
• Router updates

What type of attack is being blocked by the switch for 60 seconds?

• Denial of Service (DoS)
• TCP SYN flood
• TCP SYN traffic (correct)
• Authentication attack

What type of devices can provide feedback about network activity?

• Switches, routers, firewalls, VPN concentrators, and other devices (correct)
• Only routers and switches
• Only firewalls and VPN concentrators
• Only operating systems

What type of information can be collected from Windows operating system logs?

Application, setup, system, forwarded events, and security events (C)

Why is it important to analyze log files from network devices?

To identify potential security threats and network issues (D)

What type of issues may occur with VPN concentrators?

Authentication issues (A)

Where can you find application log information in a Windows operating system?

Event Viewer under Application log (A)

What type of information can you gather from security devices connected to your network?

Information about network traffic flows (C)

What type of attacks can be identified from a web application firewall log?

Cross-site scripting attacks and SQL injections (D)

What is the primary emphasis of this course?

Security (B)

Where can you find log entries in a Linux operating system?

/var/log (A)

What can you do with log files from different security devices?

Correlate them with other log files (B)

What type of information can you gather from a web server log?

Information about website access and errors (D)

What is the purpose of a SIEM (Security Information and Event Manager)?

To consolidate log files from different security devices (A)

What type of information can you gather from a DNS server log?

Information about DNS queries (B)

What can you learn from a firewall log?

Information about traffic flows that have been allowed or blocked (A)

What can be viewed from the IP address of a request and many log files?

The fully-qualified domain name of the request (A)

What can be done if a device is attempting to resolve a known malicious site?

Block the attempt and identify the potentially infected device (C)

What information can be found in an authentication log file?

The account name, source IP address, and authentication method used (C)

What is the purpose of correlating authentication log files with other log files?

To identify the causes of authentication failures and potential security threats (B)

What is the purpose of a memory dump file?

To resolve application problems and locate issues (A)

How can a memory dump file be created in Windows?

Using the Task Manager to create a dump file (B)

What type of information can be viewed from Call Manager logs?

Inbound and outbound call information and endpoint details (A)

What can be created from multiple log files to show authentication attempts across the network?

A single report showing all authentication attempts (D)

What is a potential indicator of a brute force attack?

Multiple failed authentication attempts from the same IP address (D)

What is a benefit of consolidating log files into a single SIEM?

It allows for easier identification and analysis of security threats (B)