Domain 2.4 Given a scenario, analyze and interpret output from security technologies. Flashcards
HIDS/HIPS
installed on one host and only protects that single host
File Integrity Verifier
File integrity products are configured to check whether certain files have been changed and to record such activity (e.g. Tripwire).
Application Whitelist
A list of applications explicitly allowed to be installed or used on a computer.
Application Blacklist
Software specifically not allowed to be used.
Removable media control
A Group Policy stating that no removable media (CD, USB, floppy) can be used.
Patch Management Tool for Microsoft
WSUS (Windows Server Update Services) pushes patches to your network hosts.
Single point of failure (SPOF)
If a single item fails, your entire network goes down.
Data Loss Prevention (DLP)
Software that attempts to detect exfiltration of data.
Microsoft's version of Data Execution Prevention (DEP)
For Microsoft, this is called UAC (User Account Control). It requires admin credentials in order to run a program; for instance, if something is not on the whitelist it may need escalated privileges to install.
Web Application Firewall (WAF)
A WAF is the best mitigation for a SQL injection or an XSS attack.
Look at the following output from a file integrity application and determine when the system was compromised.
/etc/password
- 1/1/2018-14:30-e0d123e5f316bef78bfdf5a008837577
- 1/1/2018-14:45-e0d123e5f316bef78bfdf5a00883757
- 1/1/2018-15:00-d86c4246f3c0eb516628bf324d6b9a3
- 1/1/2018-15:15-66bd00e43ff8b932c14140472c4b8cc6
/boot/initrd.img
- 1/1/2018-14:00-ff6626c69507a6f511cc398998905670
- 1/1/2018-14:30-ff6626c69507a6f511cc398998905670
- 1/1/2018-15:00-cc273fe9d442850fa18c31c88c823e07
- 1/1/2018-15:30-cc273fe9d442850fa18c31c88c823e07
The hash has changed, so that means the file was changed here.
You are analyzing a packet capture file and notice that a host made a connection with another host using a nonstandard port. Which line would make a connection with the other host?
- mkdir /local/user/bin/tempdirectory
- ping -c 15 8.8.4.4 - 1500
- traceroute 8.8.4.4
- nc -l 192.168.27.41 -p 1337
- pskill pid 4723
- dig 8.8.8.8
nc -l 192.168.27.41 -p 1337