Chapter 88 · Flashcards

Security Tools — Flashcards

Ten cards covering SCAP, CIS benchmarks, agents vs. agentless, DLP, SNMP ports, SNMP traps, NetFlow architecture, and vulnerability scanning scope. Click any card to flip it.

What problem does SCAP solve, who maintains it, and where is it found?

SCAP (Security Content Automation Protocol) solves the problem of diverse security tools using different names for the same vulnerability. It provides a common language so NGFWs, IPS, and scanners all identify the same finding the same way. Maintained by NIST at scap.nist.gov. Enables automation: ongoing monitoring, alerting, and automated remediation of non-compliant systems.

What is a security benchmark, and which organization publishes the most widely used library?

A security benchmark is a curated set of recommended security configuration settings representing the minimum acceptable security posture for a specific technology. Defines what "secure" looks like for an OS, cloud platform, mobile device, etc. The most widely referenced source is the Center for Internet Security (CIS) at cisecurity.org, which publishes free, community-validated benchmarks for hundreds of platforms.

What is the key trade-off between agent-based and agentless monitoring?

Agent-based: software installed on device; continuous monitoring; real-time alerts; deeper visibility. Requires ongoing maintenance and updates. Agentless: no permanent install; runs on demand (login/VPN connect) then disappears; minimal maintenance. No continuous monitoring or real-time alerting between check windows. Trade-off: coverage depth vs. deployment overhead.

What is DLP, what data does it protect, and why does it require multiple deployment layers?

Data Loss Prevention (DLP) monitors and controls data in motion, at rest, and in use to prevent sensitive information leaving without authorization. Protects: SSNs, credit cards, medical records, confidential documents. Requires multiple layers — endpoint clients, network/perimeter, email gateway, cloud-based — because sensitive data has many exit paths and a single deployment covers only one channel.

What are the SNMP MIB and OID, and on which port does SNMP polling operate?

The MIB (Management Information Base) is the structured database of metrics on each SNMP-managed device. Each metric is identified by an OID (Object Identifier) — a numerical sequence uniquely naming that data point. A management station polls devices over UDP port 161, specifying an OID to retrieve its current value. Polling at regular intervals builds historical performance data for graphing and trend analysis.

How does an SNMP trap differ from polling, and on which port does it operate?

SNMP polling: management station requests data from device on a fixed schedule (UDP 161). SNMP trap: device proactively sends an unsolicited notification to the management station when a configured threshold is crossed (UDP 162). Traps are immediate — no waiting for the next poll interval. Used for real-time alerting (e.g., CRC errors increase by 5 → device sends trap immediately).

What is NetFlow, and what two components make up its architecture?

NetFlow collects flow-level traffic statistics — who talks to whom, over what protocols, in what volumes. Architecture: a probe (built into router/switch or external hardware via SPAN port or tap) observes traffic and compiles flow summaries; a collector receives those summaries and provides them to a reporting application. NetFlow captures metadata, not full packet contents — storage-efficient visibility into traffic patterns.

What is a SPAN port and how is it used with NetFlow?

A SPAN port (Switched Port Analyzer) is a switch feature that mirrors traffic from monitored ports to a designated monitoring port. A NetFlow probe or network sensor connected to the SPAN port receives a copy of all mirrored traffic without being inline — passive, non-disruptive observation. Enables the probe to observe all traffic through the switch without affecting normal network operations or requiring the probe to be in the traffic path.

Why must vulnerability scans be run both internally and externally?

An external scan shows what an attacker sees from the internet: services reachable through the perimeter firewall. An internal scan shows what an attacker can reach once inside the network: services protected by the firewall but reachable from an internal position. An attacker who gains access via phishing or a compromised endpoint operates from inside. External-only scanning leaves the internal attack surface — which may include critical servers — unmeasured.

How do anti-virus and anti-malware differ, and what is the practical answer for the exam?

Anti-virus originally targeted specific virus types: Trojans, worms, macro viruses. Anti-malware is broader: covers spyware, ransomware, fileless malware, keyloggers. Practical exam answer: the terms are effectively interchangeable today — modern anti-virus platforms have expanded to cover the full malware spectrum. The naming difference is historical/marketing. Use a comprehensive solution that covers both categories.