CH23 Monitoring and Auditing Flashcards
What are the 3 automated methods of monitoring activity?
Signature-based, anomaly-based, and behavior-based
- Signature-based monitoring – network traffic is compared against predetermined attack patterns (signatures); it can only catch what a signature already exists for
- Anomaly-based monitoring – a baseline of normal traffic is established and anything that falls outside of the baseline is flagged for evaluation (looking for something out of the ordinary)
- Behavior-based monitoring – current activity is evaluated against the previous, known-good behavior of applications, executables, and the operating system
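The three methods above, side by side over constructed sample data. This is an added example, not code from the flashcard source: the signature set, the baseline request counts, the process-launch profile and the sample requests are all made up for illustration, and the k-standard-deviation threshold is one common choice for an anomaly baseline, not the only one.

```python
"""Signature-, anomaly- and behavior-based monitoring over constructed sample data."""
import re
import statistics

# Signature-based: a small constructed set of known attack patterns.
SIGNATURES = {
    "sqli": re.compile(r"(?i)union\s+select|'\s*or\s+1=1"),
    "traversal": re.compile(r"\.\./\.\./"),
    "xss": re.compile(r"(?i)<script"),
}

# Anomaly-based: requests per source host during a quiet baseline period versus now.
BASELINE_COUNTS = {"10.0.0.5": 20, "10.0.0.6": 22, "10.0.0.7": 18, "10.0.0.8": 21}
CURRENT_COUNTS = {"10.0.0.5": 19, "10.0.0.6": 23, "10.0.0.9": 400}

# Behavior-based: parent -> child process pairs previously seen on the host.
PROCESS_PROFILE = {
    "explorer.exe": {"winword.exe", "chrome.exe", "outlook.exe"},
    "winword.exe": {"splwow64.exe"},
}
OBSERVED_SPAWNS = [("explorer.exe", "chrome.exe"), ("winword.exe", "powershell.exe")]


def signature_match(url):
    """Return the names of every signature the request matches ([] if clean)."""
    return [name for name, rx in SIGNATURES.items() if rx.search(url)]


def anomaly_hosts(baseline, current, k=3.0):
    """Flag hosts whose current request count exceeds the baseline mean by
    more than k population standard deviations (the 'outside the baseline' test)."""
    values = list(baseline.values())
    threshold = statistics.fmean(values) + k * statistics.pstdev(values)
    return sorted(host for host, n in current.items() if n > threshold)


def behavior_violations(profile, spawns):
    """Report parent->child launches never seen in the learned behavior profile."""
    return [(p, c) for p, c in spawns if c not in profile.get(p, set())]


if __name__ == "__main__":
    for url in ["/index.html", "/search?q=1' OR 1=1--", "/../../etc/passwd"]:
        print(f"{url!r:32} signatures={signature_match(url)}")
    print("anomalous hosts:", anomaly_hosts(BASELINE_COUNTS, CURRENT_COUNTS))
    print("behavior violations:", behavior_violations(PROCESS_PROFILE, OBSERVED_SPAWNS))
```

Note what each method misses: the signature check says nothing about the 400-request host (no pattern matched), the anomaly check says nothing about a single injected request (volume is normal), and only the behavior profile notices Word launching PowerShell.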
What is Signature-based monitoring?
Network traffic is compared against predetermined attack patterns (signatures); it can only catch what a signature already exists for
What is Anomaly-based monitoring?
A baseline of normal traffic is established and anything that falls outside of the baseline is flagged for evaluation (looking for something out of the ordinary)
What is Behavior-based monitoring?
Current activity is evaluated against the previous, known-good behavior of applications, executables, and the operating system
What is Security Posture?
Risk level to which a system or other technology element is exposed.
What is Perfmon.exe?
The Windows Performance Monitor: it graphs and logs performance counters (CPU, memory, disk, network) and is used to record the baseline that anomaly-based monitoring compares against
What is a Protocol Analyzer?
Software or a hardware device (also called a packet sniffer) used to capture and analyze network traffic
What is Promiscuous mode in a Protocol Analyzer?
The network adapter captures every frame it sees on the wire, regardless of the destination MAC address of the frame
What is Non-promiscuous mode in a Protocol Analyzer?
The network adapter only passes up frames addressed to its own MAC address (plus broadcast and subscribed multicast), so the analyzer sees only the host's own traffic
What is Port mirroring?
One or more switch ports are configured to copy all of their traffic to another port on the switch, where the protocol analyzer listens. This port is normally called a SPAN port (Switched Port Analyzer)
Port mirroring adds load to the switch, and if the mirrored traffic exceeds what the SPAN port can carry, packets are dropped. If you cannot configure a SPAN port, or cannot tolerate the dropped packets, use a network tap instead
What is a Network Tap?
A physical device inserted between two points on the network that passes a copy of the traffic to a monitoring port; because it is passive it does not drop packets the way an overloaded SPAN port can
What is SNMP?
SNMP = Simple Network Management Protocol
An application-layer protocol in the TCP/IP suite, normally carried over UDP port 161 (queries) and UDP port 162 (traps), that aids in monitoring network-attached devices and computers
SNMP is incorporated into a network management and monitoring system
For the exam, know the function of SNMP
What are Managed Devices in regards to SNMP?
Computers and other network-attached devices that are monitored, through the use of agents, by a network management system
What is an Agent in regards to SNMP?
Software that runs on a managed device and reports information to the network management system (and sends traps when something noteworthy happens)
What is a Network Management System (NMS) in regards to SNMP?
Software run on one or more servers to control the monitoring of network-attached devices and computers
What are the 3 different versions of SNMP?
SNMP v1, SNMP v2 (v2c), SNMP v3
SNMP v1/v2c are insecure because access to a device is controlled only by a community string, which is sent in cleartext; anyone who can capture the traffic can read it (and, with the write community, change the device configuration)
SNMP v3 – provides integrity, authentication, and encryption of the messages being sent over the network
What is a Manual audit?
Reviewing security logs, ACLs, user rights and permissions, group policies, vulnerability scan results, and written organizational policies, and interviewing personnel
For the exam: logs are part of auditing
What are the three main logs in Windows Event Viewer?
Security log - records audited events such as successful and unsuccessful user logons, privilege use, and object access
System log - records operating system events such as a system shutdown or a driver failure
Application log - records events generated by installed applications and services, both Microsoft and third-party
On the exam, you might get a question like: "If you are trying to find when a user successfully logged onto a system, which log would you look at?" with the choices Security, Application, or System log. Know that it is the Security log (a successful logon is Event ID 4624; a failed logon is 4625)
What is SYSLOG?
A standardized message format and protocol for computer logging that separates the software that generates messages, the system that stores them, and the software that reports on and analyzes them
To consolidate all the logs into a single repository, you can use SYSLOG
What is a SYSLOG server?
A central logging host: many servers, possibly spread around the world, send their log messages to this single server for storage and analysis
SYSLOG uses port 514 over UDP
What is Write Once Read Many (WORM)?
Media or storage technology, like DVD-R, that allows data to be written only once but read an unlimited number of times. Storing logs on WORM media protects their integrity: an attacker who later compromises the system cannot alter or erase the record
On the exam: any time you are trying to protect something from prying eyes, that is, to keep people from seeing it, encryption is the right choice. WORM protects integrity; encryption protects confidentiality
What is SIEM?
SIEM = Security Information and Event Management system
A solution that collects logs and alerts from network hardware and applications into one place and provides real-time or near-real-time analysis and correlation of them
A SIEM solution can be implemented as software, a hardware appliance, or an outsourced managed service
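What "correlation" means in practice, as an added example that is not part of the flashcard source: events from two different log sources (Windows Security log records with Event IDs 4624/4625 and Linux sshd lines from the auth log) are normalized onto one schema, and a rule then alerts when a burst of failed logons from one address is followed by a success from that same address, even when the failures and the success landed on different hosts. The events, addresses, hostnames and thresholds are constructed for illustration.

```python
"""SIEM-style correlation: normalize events from two log sources, then alert on
a burst of failed logons from one source address followed by a success."""
import re
from collections import defaultdict, deque

SSH_RE = re.compile(r"^(Accepted|Failed) \w+ for (?:invalid user )?(\S+) from (\S+)")

# Constructed events as they might sit in a central log store (ts = epoch seconds).
RAW_EVENTS = [
    {"source": "windows_security", "ts": 1000 + 10 * i, "event_id": 4625,
     "user": "administrator", "ip": "203.0.113.7", "host": "dc01"} for i in range(5)
] + [
    {"source": "linux_auth", "ts": 1055, "host": "web01",
     "message": "Accepted password for ops from 203.0.113.7 port 40122 ssh2"},
    {"source": "linux_auth", "ts": 1100, "host": "web01",
     "message": "Failed password for invalid user admin from 198.51.100.4 port 40130 ssh2"},
    {"source": "linux_auth", "ts": 1105, "host": "web01",
     "message": "Failed password for ops from 198.51.100.4 port 40131 ssh2"},
    {"source": "windows_security", "ts": 1110, "event_id": 4624,
     "user": "ops", "ip": "198.51.100.4", "host": "dc01"},
]


def normalize(event):
    """Map source-specific records onto one schema: ts, host, src, user, outcome."""
    if event["source"] == "windows_security":
        outcome = {4624: "success", 4625: "failure"}.get(event["event_id"])
        return {"ts": event["ts"], "host": event["host"], "src": event["ip"],
                "user": event["user"], "outcome": outcome}
    if event["source"] == "linux_auth":
        m = SSH_RE.match(event["message"])
        if not m:
            return None
        return {"ts": event["ts"], "host": event["host"], "src": m[3], "user": m[2],
                "outcome": "success" if m[1] == "Accepted" else "failure"}
    return None


def brute_force_alerts(events, threshold=5, window=60):
    """Alert when >= threshold failures from one src within `window` seconds
    are followed by a success from that src, on any monitored host."""
    recent = defaultdict(deque)   # src -> recent failure events inside the window
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        q = recent[e["src"]]
        while q and e["ts"] - q[0]["ts"] > window:
            q.popleft()
        if e["outcome"] == "failure":
            q.append(e)
        elif e["outcome"] == "success" and len(q) >= threshold:
            alerts.append({"src": e["src"], "user": e["user"], "host": e["host"],
                           "failures": len(q),
                           "hosts_targeted": sorted({f["host"] for f in q})})
            q.clear()
    return alerts


def run(raw=RAW_EVENTS):
    return brute_force_alerts([n for n in map(normalize, raw) if n])


if __name__ == "__main__":
    for a in run():
        print("ALERT possible brute-force success:", a)
```

Neither host on its own would have fired: dc01 saw only failures and web01 saw only one success. The alert exists only because both logs were consolidated and normalized first, which is the case for a SIEM over per-host log review.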
What are some of the commercial and open-source SIEM applications?
Splunk - market-leading big data collection and analysis tool that can import machine-generated data via a connector or visibility add-on
ELK/Elastic Stack (Elasticsearch, Logstash, Kibana)
ArcSight
QRadar
AlienVault USM and OSSIM (Open Source Security Information Management)
Graylog
For the exam: if you see any of these names, know that they can act as a SIEM
What is Syslog?
A protocol enabling different appliances and software applications to transmit logs or event records to a central server
Syslog follows a client-server model and is the de facto standard for logging events from distributed systems
Port 514 UDP (the original, unreliable transport)
Port 1468 TCP is used by some implementations; newer implementations such as syslog-ng and rsyslog add reliable TCP transport and TLS (TCP port 6514 per RFC 5425)
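The syslog message format described above and the consolidation role of a syslog server, as an added example that is not part of the flashcard source. It parses RFC 3164-style lines (the first sample line is the example message from RFC 3164 itself; the rest are constructed), decodes the PRI field into facility and severity (PRI = facility * 8 + severity), groups the records by originating host the way a central server would, and includes the one-datagram-per-message UDP sender; the hostnames and messages are made up.

```python
"""Parse RFC 3164-style syslog lines and consolidate them into one repository."""
import re
import socket
from collections import defaultdict

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOSTNAME TAG[PID]: MESSAGE   (PRI = facility * 8 + severity)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)

# Sample lines: the first is the RFC 3164 example, the others are constructed.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<86>Mar  2 09:41:07 web01 sshd[1202]: Accepted publickey for ops from 10.0.0.9 port 51234 ssh2",
    "<13>Mar  2 09:41:09 db01 backup: nightly dump completed",
    "<3>Mar  2 09:42:30 web01 kernel: nfs: server nas01 not responding",
]


def parse_syslog(line):
    """Return a dict with facility/severity decoded from PRI, or None if malformed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:          # 23 * 8 + 7 is the largest legal PRI value
        return None
    rec = m.groupdict()
    rec["facility"] = FACILITIES[pri // 8]
    rec["severity"] = SEVERITIES[pri % 8]
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec


def consolidate(lines):
    """Group parsed records by originating host, as a central syslog server would."""
    repo = defaultdict(list)
    for line in lines:
        rec = parse_syslog(line)
        if rec:
            repo[rec["host"]].append(rec)
    return dict(repo)


def at_least(records, severity):
    """Records at the given severity or worse (lower number = more severe)."""
    limit = SEVERITIES.index(severity)
    return [r for r in records if SEVERITIES.index(r["severity"]) <= limit]


def send_udp(line, host="127.0.0.1", port=514):
    """Classic syslog transport: one UDP datagram per message, no delivery guarantee."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode(), (host, port))


if __name__ == "__main__":
    repo = consolidate(SAMPLE_LINES)
    for host, recs in repo.items():
        for r in recs:
            print(f"{host:10} {r['facility']:9} {r['severity']:8} {r['tag']}: {r['msg']}")
    all_recs = [r for recs in repo.values() for r in recs]
    print("err or worse:", [r["msg"] for r in at_least(all_recs, "err")])
```

Because the UDP transport has no acknowledgement, a message that is lost on the way to the server is simply gone; that is the reason newer implementations offer TCP and TLS, and why a SIEM should alert when a host goes quiet rather than assume silence means nothing happened.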
What is Security Orchestration, Automation, and Response (SOAR)?
A class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment
SOAR is primarily used for incident response
SOAR is often marketed as next-generation SIEM: a Security Information and Event Management system with integrated orchestration and response
SOAR gives you the ability to:
* Scan security and threat data
* Analyze it with Machine Learning (ML)
* Automate data enrichment
* Provision new resources
What is a Playbook in regards to monitoring?
A checklist of actions to perform to detect and respond to a specific type of incident
What is a Runbook in regards to monitoring?
An automated version of a playbook that leaves clearly defined interaction points for human analysis
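The playbook/runbook distinction in working form, as an added example that is not part of the flashcard source: the playbook is a fixed checklist of steps, and the runbook automates them (enrichment from threat intelligence and an asset inventory, then containment) but stops at a defined interaction point whenever the decision should belong to an analyst. The threat-intel entries, asset inventory, confidence threshold and "block" action are all constructed stand-ins for the real feeds and firewall API a SOAR platform would call.

```python
"""A minimal SOAR runbook: automate the playbook's enrichment and containment
steps, but stop at a defined interaction point when a human must decide."""

# Constructed threat intelligence and asset inventory used for enrichment.
THREAT_INTEL = {"203.0.113.7": {"confidence": 90, "tags": ["bruteforce", "scanner"]}}
ASSETS = {
    "db01": {"tier": "critical", "owner": "dba-team"},
    "web01": {"tier": "standard", "owner": "web-team"},
}
BLOCKLIST = set()   # stands in for a firewall or NAC API call

# The playbook is the checklist; the runbook below executes it step by step.
PLAYBOOK = ("enrich", "assess", "contain", "close")


def enrich(alert, intel=THREAT_INTEL, assets=ASSETS):
    """Add the context a human analyst would otherwise look up by hand."""
    return {
        **alert,
        "intel": intel.get(alert["src"], {"confidence": 0, "tags": []}),
        "asset": assets.get(alert["host"], {"tier": "unknown", "owner": None}),
    }


def block_ip(ip):
    BLOCKLIST.add(ip)
    return f"blocked {ip}"


def runbook(alert, auto_block_min=80):
    """Execute PLAYBOOK. Containment runs unattended only when the intel is
    confident and the target is a standard (non-critical) asset; otherwise the
    runbook pauses with status pending_analyst and records why."""
    log = []
    ctx = enrich(alert)
    log.append(("enrich", f"intel={ctx['intel']['confidence']} tier={ctx['asset']['tier']}"))

    confident = ctx["intel"]["confidence"] >= auto_block_min
    standard = ctx["asset"]["tier"] == "standard"
    log.append(("assess", "auto" if confident and standard else "needs analyst"))

    if confident and standard:
        log.append(("contain", block_ip(ctx["src"])))
        log.append(("close", "closed_auto"))
        status = "closed_auto"
    else:
        reason = "low-confidence intel" if not confident else f"asset tier {ctx['asset']['tier']}"
        log.append(("contain", f"PAUSED for analyst: {reason}"))   # interaction point
        status = "pending_analyst"
    return {"status": status, "steps": log, "context": ctx}


if __name__ == "__main__":
    for alert in [{"src": "203.0.113.7", "host": "web01", "rule": "bruteforce"},
                  {"src": "203.0.113.7", "host": "db01", "rule": "bruteforce"},
                  {"src": "198.51.100.4", "host": "web01", "rule": "bruteforce"}]:
        result = runbook(alert)
        print(alert["host"], alert["src"], "->", result["status"])
        for step, detail in result["steps"]:
            print("   ", step, ":", detail)
    print("blocklist:", BLOCKLIST)
```

The two pause conditions are the point: automation should block a known-bad scanner against a web tier without waking anyone, but an action against a critical database, or one based on weak intelligence, is exactly the case the runbook should hand to a person.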