Chapter 2 - Monitoring & Diagnosing Networks Flashcards
Network monitors are also called what?
What do they do to your NIC?
2-46
sniffers
put it in promiscuous mode
Tell me the 2 most important logs for security purposes
2-47
application log
security log
Linux has 2 logs that are important to security. What are their names and how do they help you?
2-47
faillog - records failed user logins; use this when you’re looking for attempts to crack into the system.
apport.log - records application crashes, which can reveal attempts to compromise the system, or the presence of a virus or spyware
Where do you view the event logs?
2-48
go to the Event Viewer
Your event viewer is recording logs and the maximum has been reached for space allotted for those logs. It still needs more space for the new logs. What will happen?
2-51
Older log files will be overwritten.
Explain the basic concept of “hardening”.
2-52
It means you’re doing everything you can to make your system secure. Don’t have unnecessary applications running, keep things updated, keep your user accounts secure, etc.
Why is it important to turn off the unnecessary services?
2-53
Because services can provide an attack vector.
File and Print Servers are vulnerable to what kind of attack?
What can you do to defend against this?
2-53
Denial of Service and access attacks
Only run the necessary protocols on your servers.
For a PC-based system, some attacks are targeted at NetBIOS servers. What ports will these attacks happen on?
What 2 things can you do to combat this?
If you’re on a Unix system, what port should you close?
2-53
135, 137, 138, and 139
You can disable the NetBIOS services on servers OR put a robust firewall between the server and the Internet.
111, the RPC (remote procedure call)
What is a good practice for hardening the root directories?
2-53
Keep them hidden from browsing.
Tell me 3 things you can configure from the System and Security applet in Control Panel.
2-55
Windows Firewall
automatic scans
Windows Defender
If you suspect that your workstation has been compromised, what is something in Performance Monitor that might tip you off?
2-55
look at the CPU usage
True or False: According to the book, it is better to have one role per server instead of multiple roles on one server.
2-55
True
Tell me the appropriate way to deal with patches on your machines.
2-56
Test it on one to make sure everything is okay instead of just blindly applying across the whole network at once.
There are 3 kinds of patches. Explain what they are and tell me which ones don’t need to be installed immediately.
2-57
service pack - provides new tools and extends functionality
updates - code fixes when there’s no available workaround
security updates - mandatory addressing of security vulnerability
Security updates must be installed immediately; the others don’t need to be.
Tell me 3 types of accounts you should disable.
2-59
employees who left the company
temporary employees
default guest accounts
Going chronologically, tell me 4 file system types.
2-58,59
FAT - File Allocation Table
FAT16 - first upgrade to FAT
FAT32 - designed for large disk systems
NTFS - New Technology File System, handles larger disk sizes, more security, added file stability
Which file system should you use to establish your network shares?
2-59
NTFS
Tell me the command to see the NTFS version on your workstation.
2-59
From an administrative command prompt, type
fsutil fsinfo ntfsinfo C:
You have a wireless network and need port based security. Which wireless standard defines this?
2-60
802.1X
Tell me 4 things you can do to heighten the security of your network.
2-60
MAC filtering
802.1X
Disable unused ports
scan for rogue machines
What is a security audit?
2-62
a thorough evaluation of your security
When you perform a security audit, what 4 things should you be searching through?
2-62
security logs
policies and compliance with policies
security device configuration
incident response reports
You are looking at discrepancies between the current security state of your system and where it should be. What are the 3 categories for the discrepancies?
2-62
minor - no immediate threat
serious - nasty threat, but highly unlikely
critical - you need to deal with this ASAP
System events are classified as one of three things in the Event Viewer. What are they?
2-63
information
warning
error
What is the value of observing trends?
2-64
It can help you take action to avoid a major catastrophe.
Honeypot systems are used to draw attackers away from your true system and to learn their methods for their attacks. What is the process of luring someone into your trap called?
2-65
enticement
What do you call it when the government encourages someone to commit a crime?
2-65
entrapment
And no, “politics” is NOT the correct answer here.