Module 25 Network Security Data

Question 1

What are some network security monitoring tools?

Answer 1

Snort, Sguil

Question 2

What is an example of a network IDS?

Answer 2

Snort

Question 3

What is alert data?

Answer 3

Messages generated by intrusion prevention systems or intrusion detection systems in response to traffic that violates a rule or matches a signature of an exploit

Question 4

How are alerts generated?

Answer 4

Generated by Snort (NIDS), and made readable by Sguil and Squert applications.

Question 5

How is session data recorded?

Answer 5

Record of a conversation between two end points.

Question 6

Within this recorded data, what are the five tuples?

Answer 6

Source/Destination IP, Source/Destination port and the IP code for protocol in use

Question 7

Why are packet captures important?

Answer 7

Contains the actual content of conversations, text of email messages, the HTML in web pages and the files that enter or leave the network.

Question 8

How do we collect statistical data?

Answer 8

Cisco Cognitive Threat Analysis - finds malicious activity that has bypassed security controls by identifying traffic patterns.

Question 9

What are some types of host logs

Answer 9

HIDS - event viewer - application logs, system logs, setup logs, security logs and command-line logs.

Question 10

What is a system log?

Answer 10

These include events regarding the operation of drivers, processes and hardware

Question 11

What is a setup log?

Answer 11

Installation of software, including windows updates

Question 12

What is a security log?

Answer 12

These record events related to security, logon attempts and operations related to file or object management and access

Question 13

What are application logs?

Answer 13

These contain events logged by various applications

Question 14

What are command-line logs?

Answer 14

Attackers who have gained access, execute commands from the CLI rather than GUI.

Question 15

What are some type of host logs? Event types

Answer 15

Error, Warning, Information, Success Audit, Failure Audit

Question 16

What is a warning log?

Answer 16

Not necessarily significant but may indicate a future problem.

Question 17

What is an error log

Answer 17

Event that indicates a significant problem such as loss of data or functionality.

Question 18

What is an information log

Answer 18

Describes successful operation of an app, driver or service

Question 19

How many distinct parts of a syslog message

Answer 19

3 - priority, header and msg

Question 20

Describe the priority part of the syslog message

Answer 20

Two elements - Severity and Facility. Severity is a value (0-7), facility consists of sources that generated the message

Question 21

What are the Syslog severity values?

Answer 21

0 - 7 (Emergency, Alert, Critical, Error, Warning, Notice, Informational and Debug

Question 22

What is an emergency?

Answer 22

System is unusable

Question 23

What is alert

Answer 23

Action must be taken immediately

Question 24

What is critical?

Answer 24

critical conditions that should be corrected immediately and indicates failure in a system

Question 25

What is error?

Answer 25

A failure that is not urgent

Question 26

What is a warning?

Answer 26

An error that does not presently exist, but an error will occur in the future if IT IS NOT ADDRESSED

Question 27

What is notice?

Answer 27

An event that is not an error, but it is unusual

Question 28

What is informational

Answer 28

messages issued regarding normal operations

Question 29

What is debug

Answer 29

Message of interest

Question 30

How about server logs?

Answer 30

Server logs are an essential source of data for networking security monitoring.

Question 31

What are two important file logs?

Answer 31

Apache webserver and Microsoft Internet Information Server (IIS)

Question 32

All of these logs, server, network, etc - should be dumping into where? What type of central holding dump

Answer 32

SIEM - Security Information and Event Management. Provides real time reporting and long-term analysis of security events.

Question 33

What are the main points SIEM hits on - providing a view of the enterprise network using the following functiosn

Answer 33

Log collection, normalization, correlation, aggregation, report and compliance

Question 34

What is log collection

Answer 34

Events recorded from sources through the org

Question 35

What is normalizaiton

Answer 35

This maps log messages from diff systems into a common data model enabling the org to connect and analyze related vents

Question 36

What is correlation

Answer 36

Links logs from disparate systems or applicaitons

Question 37

What is aggregation

Answer 37

This reduces the volume of event data by consolidating duplicate records

Question 38

What is reporting

Answer 38

Presents the correlated, aggregated event data in real-time monitoring and long-time summaries.

Question 39

What is a popular SIEM

Answer 39

Splunk

Question 40

What is a popular packet analyzer?

Answer 40

Tcpdump

Question 41

What does NetFlow do?

Answer 41

Provides an important set of services for IP applications, including network traffic accounting, usage-based network billing, network planning, security, DoS monitoring capabilities and network monitoring

Question 42

What other things does netflow do

Answer 42

It provides information about network users, applications, peak usage times and traffic routing. Records info about packet flow including metadata

Question 43

What is AVC?

Answer 43

Cisco Application Visibility and Control system combines multiple technologies to recognize, analyze and control over 1000 applications.

Question 44

What would be a type of AVC or application recognition?

Answer 44

NBAR2 (L3-L7)

Question 45

What would be a metrics collection tool - bandwidth, usage, latency, etc/

Answer 45

Netflow

Question 46

How about, collecting data and reporting on application performance?

Answer 46

Cisco Prime

Question 47

How about. what control application can we use to maximize network performance?

Answer 47

QoS

Question 48

What is the diff between port monitoring and application monitoring/

Answer 48

Port looks at port number, applications look at applications DUH. Data and ports vs data and apps.

Question 49

What is the difference between cisco facility, severity and Mnemonic when it comes to a log

Answer 49

Cisco Facility would be like ASA or SYS, severity is like 5 or 4 or 3, etc. Mnemonic is config - text changed in the configuration

Question 50

What does Cisco Umbrella do?

Answer 50

Offers a hosted DNS service that extends the capability of DNS to include security enhancements