Chapter 11 - Monitoring and Auditing

Question 1

Which of the following is a record of the tracked actions of users?
A. Performance Monitor
B. Audit trails
C. Permissions
D. System and event logs

Answer 1

B. Audit trails are records showing the tracked actions of users. The Performance Monitor is a tool in Windows that enables you to track the performance of objects such as CPU, RAM, network adapter, physical disk, and so on. Permissions grant or deny access to resources. To see whether permissions were granted, auditing must be enabled. The system and other logs record events that happened in other areas of the system, for example, events concerning the operating system, drivers, applications, and so on.

Question 2

What tool enables you to be alerted if a server’s processor trips a certain threshold?
A. TDR
B. Password cracker
C. Event Viewer
D. Performance Monitor

Answer 2

D. The Performance Monitor can be configured in such a way where alerts can be set for any of the objects (processor, RAM, paging file) in a computer. For example, if the processor were to go beyond 90% usage for more than 1 minute, an alert would be created and could be sent automatically to an administrator. A TDR is a time-domain reflectometer, an electronic instrument used to test cables for faults. A password cracker is a software program used to recover or crack passwords; an example would be Cain & Abel. The Event Viewer is a built-in application in Windows that enables a user to view events on the computer such as warnings, errors, and other information events. It does not measure the objects in a server in the way that Performance Monitor does.

Question 3

The IT director has asked you to install agents on several client computers and monitor them from a program at a server.  What is this known as?
A. SNMP
B. SMTP
C. SMP
D. Performance Monitor

Answer 3

A. The Simple Network Management Protocol (SNMP) is used when a person installs agents on client computers to monitor those systems from a single remote location. SMTP is used by e-mail clients and servers. SMP is Symmetric Multi-Processing, which is not covered in the Security+ exam objectives. Performance Monitor enables a person to monitor a computer and create performance baselines.

Question 4

One of your coworkers complains to you that he cannot see any security events in the Event Viewer. What are three possible reasons for this? (Select the three best answers.)
A. Auditing has not been turned on.
B. The log file is only 512 KB.
C. The coworker is not an administrator.
D. Auditing for an individual object has not been turned on.

Answer 4

A, C, and D. To audit events on a computer, an administrator would need to enable auditing within the computer’s policy, then turn on auditing for an individual object (folder, file, and so on), and then view the events within the Security log of the Event Viewer. 512 KB is big enough for many events to be written to it.

Question 5

Which tool can be instrumental in capturing FTP GET requests?
A. Vulnerability scanner
B. Port scanner
C. Performance Monitor
D. Protocol analyzer

Answer 5

D. A protocol analyzer captures data including things such as GET requests that were initiated from an FTP client. Vulnerability scanners and port scanners look for open ports and other vulnerabilities of a host. Performance Monitor
is a Windows program that reports on the performance of the computer system and any of its parts.

Question 6

Your manager wants you to implement a type of intrusion detection system (IDS) that can be matched to certain types of traffic patterns. What kind of IDS is this?
A. Anomaly-based IDS
B. Signature-based IDS
C. Behavior-based IDS
D. Heuristic-based IDS

Answer 6

B. When using an IDS, particular types of traffic patterns refer to signaturebased IDS. Heuristic signatures are a subset of signature-based monitoring systems, so signature-based IDS is the best answer. Anomaly-based and behavior-
based systems use different methodologies.

Question 7

You are setting up auditing on a Windows XP Professional computer.  If set up properly, which log should have entries?
A. Application log
B. System log
C. Security log
D. Maintenance log

Answer 7

C. After Auditing is turned on and specific resources are configured for auditing, you need to check the Event Viewer’s Security log for the entries. These could be successful logons or misfired attempts at deleting files; there are literally hundreds of options. The Application log contains errors, warnings, and informational entries about applications. The System log deals with drivers and system files and so on. A System Maintenance log can be used to record routine maintenance procedures.

Question 8

You have established a baseline for your server. Which of the following is the best tool to use to monitor any changes to that baseline?
A. Performance Monitor
B. Antispyware
C. Antivirus software
D. Vulnerability assessments software

Answer 8

A. Performance monitoring software can be used to create a baseline and monitor for any changes to that baseline. An example of this would be the Performance console window within Windows Server 2003. (It is commonly referred to as the Performance Monitor.) Antivirus and antispyware applications
usually go hand-in-hand and are not used to monitor server baselines. Vulnerability assessing software such as Nessus or Nmap are used to see whether open ports and other vulnerabilities are on a server.

Question 9

In what way can you gather information from a remote printer?
A. HTTP
B. SNMP
C. CA
D. SMTP

Answer 9

B. SNMP (Simple Network Management Protocol) enables you to gather information from a remote printer. HTTP is the hypertext transfer protocol that deals with the transfer of web pages. A CA is a certificate authority, and
SMTP is the Simple Mail Transfer Protocol.

Question 10

Which of the following can determine which flags are set in a TCP/IP handshake?
A. Protocol analyzer
B. Port scanner
C. SYN/ACK
D. Performance Monitor

Answer 10

A. A protocol analyzer can look inside the packets that make up a TCP/IP handshake. Information that can be viewed includes SYN, which is synchronize sequence numbers, and ACK, which is acknowledgment field-significant. Port scanners and performance monitor do not have the capability to view
flags set in a TCP/IP handshake, nor can they look inside packets in general.

Question 11

Which of following is the most basic form of IDS?
A. Anomaly based
B. Behavioral-based
C. Signature-based
D. Statistical-based

Answer 11

C. Signature-based IDS is the most basic form of intrusion detection systems, or IDS. This monitors packets on the network and compares them against a database of signatures. Anomaly-based, behavioral-based, and statistical-based are all more complex forms of IDS. Anomaly and statistical are often considered to be the same type of monitoring methodology.

Question 12

Which of the following deals with the standard load for a server?
A. Patch management
B. Group policy
C. Port scanning
D. Configuration baseline

Answer 12

D. A configuration baseline deals with the standard load of a server. By measuring the traffic that passes through the server’s network adapter, you can create a configuration baseline over time.

Question 13

Your boss wants you to properly log what happens on a database server. What are the most important concepts to think about while you do so? (Select the two best answers.)
A. The amount of virtual memory that you will allocate for this task
B. The amount of disk space you will require
C. The information that will be needed to reconstruct events later
D. Group policy information

Answer 13

B and C. It is important to calculate how much disk space you will require for the logs of your database server and verify that you have that much disk space available on the hard drive. It is also important to plan what information will be needed in the case that you need to reconstruct events later. Group policy information and virtual memory are not important for this particular task.

Question 14

Which of the following is the best practice to implement when securing logs files?
A. Log all failed and successful login attempts.
B. Deny administrators access to log files.
C. Copy the logs to a remote log server.
D. Increase security settings for administrators.

Answer 14

C. It is important to copy the logs to a secondary server in case something happens to the primary log server; this way you have another copy of any possible security breaches. Logging all failed and successful login attempts might not be wise, because it will create many entries. The rest of the answers are not necessarily good ideas when working with log files.

Question 15

What is the main reason to frequently view the logs of a DNS server?
A. To create aliases
B. To watch for unauthorized zone transfers
C. To defend against denial of service attacks
D. To prevent domain name kiting

Answer 15

B. Security administrators should frequently view the logs of a DNS server to monitor any unauthorized zone transfers. Aliases are DNS names that redirect to a hostname or FQDN. Simply viewing the logs of a DNS server will not defend against denial-of-service attacks. Domain name kiting is the process of floating a domain name for up to five names without paying for the domain
name.

Question 16

As you review your firewall log, you see the following information.  What type of attack is this?
S=207.50.135.54:53 - D=10.1.1.80:0
S=207.50.135.54:53 - D=10.1.1.80:1
S=207.50.135.54:53 - D=10.1.1.80:2
S=207.50.135.54:53 - D=10.1.1.80:3
S=207.50.135.54:53 - D=10.1.1.80:4
S=207.50.135.54:53 - D=10.1.1.80:5
A. Denial of service
B. Port scanning
C. Ping scanning
D. DNS spoofing

Answer 16

B. Information listed is an example of a port scan. The source IP address perpetuating the port scan should be banned or blocked on the firewall. The fact that the source computer is using port 53 is of no consequence during the port scan and does not imply DNS spoofing. It is not a denial-of-service attack; note that the destination IP address ends in 80, but the number 80 is part of the IP and is not the port.

Question 17

Of the following, which two security measures should be implemented when logging a server? (Select the two best answers.)
A. Cyclic redundancy checks
B. The application of retention policies on log files
C. Hashing of log files
D. Storing of temporary files

Answer 17

B and C. The log files should be retained in some manner either on this computer or on another computer. By hashing the log files, the integrity of the files can be checked even after they are moved. Cyclic redundancy checks or CRCs have to deal with the transmission of Ethernet frames over the network. Temporary files are normally not necessary when dealing with log files.

Question 18

You suspect a broadcast storm on the LAN. Which tool should you use to diagnose which network adapter is causing the storm?
A. Protocol analyzer
B. Firewall
C. Port scanner
D. Network intrusion detection system

Answer 18

A. A protocol analyzer should be used to diagnose which network adapter on the LAN is causing the broadcast storm. A firewall cannot diagnose attacks perpetuated on a network. Port scanner is used to find open ports on one or more computers. A network intrusion detection system is implemented to locate and possibly quarantine some types of attacks but will not be effective
when it comes to broadcast storms.

Question 19

Which of the following should be done if an audit recording fails?
A. Stop generating audit records.
B. Overwrite the oldest audit records.
C. Send an alert to the administrator.
D. Shut down the server.

Answer 19

C. If an audit recording fails, there should be sufficient safeguards employed that can automatically send an alert to the administrator, among other things. Audit records should not be overwritten and in general should not be stopped.

Question 20

Which of the following log files should show attempts at unauthorized access?
A. DNS
B. System
C. Application
D. Security

Answer 20

D. The security log file should show attempts at unauthorized access to a Windows computer. The application log file must deal with events concerning applications within the operating system and some third-party applications. The system log file deals with drivers, system files, and so on. A DNS log will log information concerning the domain name system.

Question 21

To find out when a computer was shutdown, which log file would an administrator use?
A. Security log
B. System log
C. Application log
D. DNS log

Answer 21

B. The system log will show when a computer was shut down (and turned on for that matter or restarted). The security log shows any audited information on a computer system. The application log deals with OS apps and third-party apps. The DNS log shows events that have transpired on a DNS server.

Question 22

Which of the following requires a baseline? (Select the two best answers.)
A. Behavior-based monitoring
B. Performance Monitor
C. Anomaly based monitoring
D. Signature-based monitoring

Answer 22

A and C. Behavior-based monitoring and anomaly-based monitoring require creating a baseline. Many host-based IDS systems will monitor parts of the dynamic behavior and the state of the computer system. An anomaly-based IDS will classify activities as either normal or anomalous; this will be based on rules instead of signatures. Both behavior-based and anomaly-based monitoring require a baseline to make a comparative analysis. Signature-based monitoring systems do not require this baseline because they are looking for specific patterns or signatures and are comparing them to a database of signatures. The performance monitor program can be used to create a baseline on Windows computers, but it does not necessarily require a baseline.

Question 23

Jason is a security administrator for a company of 4,000 users. He wants to store 6 months of logs to a logging server for analysis. The reports are required by upper management due to legal obligations but are not time-critical. When planning for the requirements of the logging server, which of the following should not be implemented?
A. Performance baseline and audit trails
B. Time stamping and integrity of the logs
C. Log details and level of verbose logging
D. Log storage and backup requirements

Answer 23

A. A performance baseline and audit trails are not necessarily needed. Because the reports are not time-critical, a performance baseline should not be implemented. Auditing this much information could be unfeasible for one person. However, it is important to implement time stamping of the logs and store log details. Before implementing the logging server, Jason should check whether he has enough storage and backup space to meet his requirements.

Question 24

Your manager wants you to implement a type of intrusion detection system (IDS) that can be matched to certain types of traffic patterns. What kind of IDS is this?
A. Anomaly based IDS
B. Signature-based IDS
C. Behavior-based IDS
D. Heuristic-based IDS

Answer 24

B. When using an IDS, particular types of traffic patterns refers to signature based IDS.

Question 25

Michael has just completed monitoring and analyzing a web server. Which of the following indicates that the server might have been compromised?
A. The web server is sending hundreds of UDP packets.
B. The web server has a dozen connections to inbound port 80.
C. The web server has a dozen connections to inbound port 443.
D. The web server is showing a drop in CPU speed and hard disk speed.

Answer 25

D. If the Web server is showing a drop in processor and hard disk speed, it might have been compromised. Further analysis and comparison to a preexisting baseline would be necessary. All the other answers are common for a web server.

Question 26

What kind of security control do computer security audits fall under?
A. Detective
B. Preventive
C. Corrective
D. Protective

Answer 26

A. A computer security audit is an example of a detective security control. If a security administrator found that a firewall was letting unauthorized ICMP echoes into the network the administrator might close the port on the firewall— a corrective control, and for the future, a preventive control. The term
protective control is not generally used in security circles as it is a somewhat ambiguous term.