A company's SIEM is continuously reporting false positives and false negatives. The security operations team has implemented configuration changes to troubleshoot possible reporting errors. Which of the following sources of information best supports the required analysis process? (Select two).
Correct Answer:
AB
When dealing with false positives and false negatives reported by a Security Information and Event Management (SIEM) system, the goal is to enhance the accuracy of the alerts and ensure that actual threats are identified correctly. The following sources of information best support the analysis process:
* A. Third-party reports and logs: Utilizing external sources of information such as threat intelligence reports, vendor logs, and other third-party data can provide a broader perspective on potential threats. These sources often contain valuable insights and context that can help correlate events more accurately, reducing the likelihood of false positives and false negatives.
* B. Trends: Analyzing trends over time can help in understanding patterns and anomalies in the data. By observing trends, the security team can distinguish between normal and abnormal behavior, which aids in fine-tuning the SIEM configurations to better detect true positives and reduce false alerts.
Other options such as dashboards, alert failures, network traffic summaries, and manual review processes are also useful, but they are more operational than foundational for understanding the root causes of reporting errors in SIEM configurations.
References:
✑ CompTIA SecurityX Study Guide: Emphasizes the importance of leveraging external threat intelligence and historical trends for accurate threat detection.
✑ NIST Special Publication 800-92, "Guide to Computer Security Log Management": Highlights best practices for log management, including the use of third-party sources and trend analysis to improve incident detection.
✑ "Security Information and Event Management (SIEM) Implementation" by David Miller: Discusses the use of external intelligence and trends to enhance SIEM accuracy.
An organization wants to manage specialized endpoints and needs a solution that provides the ability to:
• Centrally manage configurations
• Push policies
• Remotely wipe devices
• Maintain asset inventory
Which of the following should the organization do to best meet these requirements?
Correct Answer:
B
To meet the requirements of centrally managing configurations, pushing policies, remotely wiping devices, and maintaining an asset inventory, the best solution is to implement a Mobile Device Management (MDM) solution.
MDM Capabilities:
✑ Central Management: MDM allows administrators to manage the configurations of all devices from a central console.
✑ Policy Enforcement: MDM solutions enable the push of security policies and updates to ensure compliance across all managed devices.
✑ Remote Wipe: In case a device is lost or stolen, MDM provides the capability to remotely wipe the device to protect sensitive data.
✑ Asset Inventory: MDM maintains an up-to-date inventory of all managed devices, including their configurations and installed applications.
Other options do not provide the same comprehensive capabilities required for managing specialized endpoints.
References:
✑ CompTIA SecurityX Study Guide
✑ NIST Special Publication 800-124 Revision 1, "Guidelines for Managing the Security of Mobile Devices in the Enterprise"
✑ "Mobile Device Management Overview," Gartner Research
An organization wants to create a threat model to identify vulnerabilities in its infrastructure. Which of the following should be prioritized first?
Correct Answer:
A
When creating a threat model to identify vulnerabilities in an organization's infrastructure, prioritizing external-facing infrastructure with known exploited vulnerabilities is critical. Here's why:
✑ Exposure to Attack: External-facing infrastructure is directly exposed to the internet, making it a primary target for attackers. Any vulnerabilities in this layer pose an immediate risk to the organization's security.
✑ Known Exploited Vulnerabilities: Vulnerabilities that are already known and exploited in the wild are of higher concern because they are actively being used by attackers. Addressing these vulnerabilities reduces the risk of exploitation significantly.
✑ Risk Mitigation: By prioritizing external-facing infrastructure with known exploited vulnerabilities, the organization can mitigate the most immediate and impactful threats, thereby improving overall security posture.
References:
A software company deployed a new application based on its internal code repository. Several customers are reporting anti-malware alerts on workstations used to test the application. Which of the following is the most likely cause of the alerts?
Correct Answer:
B
The most likely cause of the anti-malware alerts on customer workstations is unsecure bundled libraries. When developing and deploying new applications, it is common for developers to use third-party libraries. If these libraries are not properly vetted for security, they can introduce vulnerabilities or malicious code.
Why Unsecure Bundled Libraries?
✑ Third-Party Risks: Using libraries that are not secure can lead to malware infections if the libraries contain malicious code or vulnerabilities.
✑ Code Dependencies: Libraries may have dependencies that are not secure, leading to potential security risks.
✑ Common Issue: This is a frequent issue in software development where libraries are used for convenience but not properly vetted for security.
Other options, while relevant, are less likely to cause widespread anti-malware alerts:
✑ A. Misconfigured code commit: Could lead to issues but is less likely to trigger anti-malware alerts.
✑ C. Invalid code signing certificate: Would lead to trust issues but not typically anti-malware alerts.
✑ D. Data leakage: Relevant for privacy concerns but not directly related to anti-malware alerts.
References:
✑ CompTIA SecurityX Study Guide
✑ "Securing Open Source Libraries," OWASP
✑ "Managing Third-Party Software Security Risks," Gartner Research
A company receives reports about misconfigurations and vulnerabilities in a third-party hardware device that is part of its released products. Which of the following solutions is the best way for the company to identify possible issues at an earlier stage?
Correct Answer:
D
Addressing misconfigurations and vulnerabilities in third-party hardware requires a comprehensive approach to manage risks throughout the supply chain. Implementing a proper supply chain risk management (SCRM) program is the most effective solution as it encompasses the following:
✑ Holistic Approach: SCRM considers the entire lifecycle of the product, from initial design through to delivery and deployment. This ensures that risks are identified and managed at every stage.
✑ Vendor Management: It includes thorough vetting of suppliers and ongoing assessments of their security practices, which can identify and mitigate vulnerabilities early.
✑ Regular Audits and Assessments: A robust SCRM program involves regular audits and assessments, both internally and with suppliers, to ensure compliance with security standards and best practices.
✑ Collaboration and Communication: Ensures that there is effective communication and collaboration between the company and its suppliers, leading to faster identification and resolution of issues.
Other options, while beneficial, do not provide the same comprehensive risk management:
✑ A. Performing vulnerability tests on each device delivered by the providers: While useful, this is reactive and only addresses issues after the devices have been delivered.
✑ B. Performing regular red-team exercises on the vendor production line: This can identify vulnerabilities but is not as comprehensive as a full SCRM program.
✑ C. Implementing a monitoring process for the integration between the application and the vendor appliance: This is important but only covers the integration phase, not the entire supply chain.
References:
✑ CompTIA SecurityX Study Guide
✑ NIST Special Publication 800-161, "Supply Chain Risk Management Practices for Federal Information Systems and Organizations"
✑ ISO/IEC 27036-1:2014, "Information technology — Security techniques — Information security for supplier relationships"