4.4 Flashcards
Security monitoring, security tools
3 main resources that you want to monitor
Systems
Applications
Infrastructure
What do you want to monitor systems for? (4)
Logins from strange places
Service activity
Backups
Software versions
What do you want to monitor applications for? (3)
Availability (uptime and response times)
Data transfers (sudden increases in activity can indicate malicious acts)
Security notifications from the dev/manufacturer
What do you want to monitor infrastructure for? (2)
Firewall and IPS reports
Remote access systems - who is connecting when?
The act of consolidating logs into a central database
Log aggregation
The act of using an automated service to actively check systems and devices for:
OS types and versions
Device driver versions
Installed applications
Potential anomalies
It saves all of this information into a database of valuable information that is useful to create detailed reports
Scanning
True/False
It is difficult to keep track of what type of vulnerabilities exist in each system because most of them are constantly moving and changing
True
The act of analyzing collected network data in order to:
Create documents regarding the status of the network
Determine next steps to remediate any vulnerabilities
Perform “what if” analysis and ad hoc reporting to preemptively secure the network against future attacks
Reporting
A type of report that helps authorized individuals implement changes in the network to provide better security
Actionable report
The act of keeping an extensive amount of backups over a long period of time
Archiving
The act of real-time notification of security events
Alerting
The act of authorized individuals taking action to stop an active security breach, and solve the problem that enabled it.
Alert response and remediation
Data that enables the quick response of security professionals during an attack
Actionable data
The most common first response to a cyber attack
Quarantine
The practice of teaching the machine what security alerts are false positives/negatives, or which alerts are not necessary, so that the machine can give the most accurate security alerts.
The end result is that the machine can automatically resolve low-level alerts, and that only high-priority alerts are forwarded to security personnel.
Alert tuning
SCAP stands for
Security Content Automation Protocol
A method for using specific standards to help organizations automate vulnerability management and policy compliance evaluation.
It consolidates vulnerability information into a single language that all devices can understand. Then, because all the devices are on the same page, they can work together to automate the removal and detection of vulnerabilities in the network.
SCAP
2 methods of compliance checks
Install a software agent onto the device
On-demand agentless check
True/False
An agentless compliance check usually provides more detail
False
Agent-based compliance checks provide more detail since they’re installed as software directly onto the device.
True/False
Agent-based compliance checks require more maintenance than agentless.
True
You need to keep your agents updated
SIEM stands for
Security Information and Event Management
A centralized collector of security events and information. Also has a powerful reporting engine.
Because this device/service stores information for a very long time, it can help in forensic analysis.
SIEM
Tools used to identify and remove malicious software
Antivirus/antimalware
DLP stands for
Data Loss Prevention
Software that looks for and blocks the transferring and exfiltration of sensitive data on your network
DLP
SNMP stands for
Simple Network Management Protocol
OID stands for
Object Identifier
A group of decimal numbers that identify an object
Object Identifier
A protocol used to transfer network information
SNMP
How does SNMP work?
A network management workstation will poll a device, meaning it asks for an update on any relevant statistics such as storage, integrity, how much information has been transferred in bytes, etc.
Then, the management station will wait a certain amount of time, and poll again.
These statistics are gathered in a database.
What problem do SNMP traps solve?
With SNMP, the network is dependent on the centralized management station to poll each device. As a result, the monitoring station cannot react immediately when a problem occurs.
SNMP traps are messages that send network event information when a certain event triggers, according to how it was configured. That way, the monitoring station can react immediately when a problem is detected.
Unrequested notifications of an SNMP agent to a centralized management station, containing information about events or status updates when a certain event triggers according to its configuration.
SNMP trap
SNMP trap port number/protocol
UDP 162
How do SNMP traps come to be?
An administrator configures the settings on the SNMP agent on a device that, whenever a certain event occurs or a threshold is reached (ex. the number of CRC errors increases by 5), an SNMP trap is sent to the management station.
Difference between NetFlow and SNMP
SNMP focuses on low-level metrics like utilization, the amount of packets passing through an interface, response time information, etc.
NetFlow has more detailed, higher-level metrics like traffic flows, application use, what device communicates to what other device, top 10 endpoints, traffic analyzer events, etc.
How does NetFlow work?
A probe is inserted into the network as either software installed on a network device or a separate system (SPAN, TAP) in order to watch traffic going past.
The probes collect information, and then send copies to a collector which will compile the info and create reports - usually through a separate reporting app.
How does SNMP work?
Agents are installed on network devices that periodically send information to a centralized management station.
Many vulnerability scanners will also provide a ____ scan to see what services are installed on a particular device.
Port
True/False
You can provide a vulnerability scanner with a list of IP addresses or a range and see which devices are active in that range.
True
True/False
It is helpful to perform a vulnerability scan from the outside of your network to see what an attacker might see.
True