Monitoring and Auditing Flashcards

1
Q

What is SYSLOG

A

Standardized format used for computer message logging that allows for the separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them

2
Q

Log File Maintenance

A

Actions taken to ensure the proper creation and storage of a log file, such as the proper configuration, saving, backup, securing, and encryption of the log files

3
Q

What is ELK/Elastic Stack

A

Collection of free and open-source SIEM tools that provides storage, search, and analysis functions

4
Q

What does ELK/Elastic Stack consist of?

A

Elasticsearch (query/analytics),
Logstash (log collection/normalization),
Kibana (visualization),
Beats (endpoint collection agents)

5
Q

What is syslog?

A

A protocol enabling different appliances and software applications to transmit logs or event records to a central server.

It is the de facto standard for logging of events from distributed systems.

6
Q

What are the contents of a syslog message?

A

PRI Code (priority code)
A header
A message portion

7
Q

How is the PRI code in a syslog message determined?

A

A PRI code is calculated from the facility and severity level of the data

8
Q

What is contained in the header of a syslog message?

A

A header contains the timestamp of the event and the hostname

9
Q

What does the message portion of a syslog message contain?

A

The source process of the event and related content.

10
Q

What was the original drawback to syslog?

A

Since syslog relied on UDP, there could be delivery issues within congested networks.

There were also no security controls, such as authentication and encryption, included by default.

This can be problematic because UDP packets are fire-and-forget and may be lost.

11
Q

What are the improvements to newer syslog messaging?

A

The ability to use port 1468 for TCP connections, ensuring consistent delivery.

The ability to use TLS to encrypt messages sent to servers.

The ability to use MD5 or SHA-1 for authentication and integrity.

Message filtering, automated log analysis, event response scripting, and alternate message formats.

12
Q

What is the newer version of syslog server called?

A

Syslog-NG or Rsyslog

13
Q

Syslog can be referred to as what three things?

A

The network protocol, the server, or the log entries themselves

14
Q

What is SOAR? And what is it primarily used for?

A

Security orchestration, automation, and response (SIEM 2.0) is used for incident response.

A class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment.

15
Q

What can you use a SOAR for?

A

Scan security/threat data
Analyze data with machine learning
Automate data enrichment
Provision new resources using automated playbooks
(new accounts, VMs, deleting infected virtual machines)

16
Q

What is a playbook?

A

A checklist of actions to perform to detect and respond to a specific type of incident.

17
Q

What is a runbook?

A

An automated version of a playbook that leaves clearly defined interaction points for human analysis.

It assists analysts by performing tasks before flagging for human involvement; humans make a decision, then the runbook performs actions based on the choices made.

18
Q

What is SNMP and what does it provide?

A

Simple Network Management Protocol (SNMP) is commonly used to gather information from routers, switches, and other network devices. It provides information about a device’s status, including CPU and memory utilization, as well as many other useful details about the device. NetFlow provides information about network traffic. A management information base (MIB) is a database used for managing the entities in a communication network. The Simple Mail Transfer Protocol (SMTP) is a communication protocol for electronic mail transmission.

19
Q

What are the 3 main forms of automated monitoring and their characteristics?

A

Signature - Network traffic is analyzed for predetermined attack patterns.

Anomaly - A baseline is established; anything outside the baseline is evaluated.

Behavior - Activity is judged against the previous behavior of applications, executables, and the OS in comparison to the current activity of the system.

20
Q

What automated monitoring form causes the most and least number of false positives?

A

Behavior-based creates the largest number of false positives.
Signature-based produces the fewest number of false positives.

21
Q

Can you combine monitoring methods?

A

Yes, hybrid approaches can be used with some IDS/IPS systems.

22
Q

What is baseline reporting?

A

Documenting and reporting on the changes in a baseline, which is used to inform the organization's security posture.

Example: CPU utilization that was 60% is now running at 80%; a PC that had 5 apps installed now has 30.

23
Q

How is security posturing measured?

A

High Risk = Less configuration management
Low Risk = more configuration management

24
Q

What is performance baselining used for?

A

Used to investigate anomalies and track operations and functions to their root.

More useful for operations and functionality than for security.

I/O usage, CPU usage, memory
Can use Resource Monitor to track and create alerts

25
Q

What are protocol analyzers used for?

A

Capturing and analyzing network traffic

26
Q

What are the two modes that protocol analyzers can run in?

A

Promiscuous mode - The network adapter captures all of the packets on the network regardless of the destination MAC address of the frames

Non-promiscuous mode - The network adapter only captures the packets addressed to the protocol analyzer itself

27
Q

What are some things to know about promiscuous mode?

A

You need promiscuous mode enabled to capture the most traffic.

Not all network adapters allow this

The port on the switch must also support this.

28
Q

What is port mirroring?

A

One or more switch ports are configured to forward all of their traffic to another port on the switch known as a "SPAN port"

29
Q

What can you do if a SPAN port is not an option, but you need to analyze all traffic coming across a port or device link?

A

SPAN ports put strain on the CPU of switches, so a network tap can come in handy. You break the line between the switches or routers and insert a physical device between the two links.
Network taps add no strain on networking devices.

30
Q

What is SNMP?

A

Simple Network Management Protocol aids in the monitoring of network-attached devices.

SNMP is typically incorporated into a network management and monitoring system, but it can also send data in-band, although this is much less secure.

31
Q

What are the three components of SNMP?

A

Managed devices - Computers and other network-attached devices monitored through the use of agents by an NMS

Agent - Software that is loaded onto a managed device to redirect information to the NMS

Network Management System (NMS) - Software running on one or more servers to control the monitoring of network-attached devices and PCs

32
Q

What is an SNMP trap used for?

A

It is a connection whereby unsolicited traffic can be sent from the agent to the NMS

33
Q

What versions of SNMP are there, and are there any concerns?

A

SNMP v1 and v2 are insecure due to the risk of community strings used to access devices.

SNMP V. provides integrity, authentication, and encryption of the message over the network

34
Q

How should management traffic be transmitted on a network?

A

Management traffic should be conducted out of band to increase security.

35
Q

What is openfiles and what does it do?

A

It is a CMD command that lets you see what files are open on the system, what process is calling the file, and the PID of the process

36
Q

What does netstat -ano do?

A

It shows all connections in the established, listening, and closed states. It also shows the source and destination IP along with the PID

37
Q

What is auditing in IT?

A

Technical assessment conducted on applications, systems, or networks

38
Q

What are some manual auditing items?

A

Reviewing of:
Security logs
ACLs
User rights and permissions
GPOs
Performing vulnerability scans
Written organizational policy
Interviewing personnel

39
Q

What are some automatic auditing tools?

A

The Windows Local Group Policy Editor can be used to establish audit policies based on computer events.

You can also use the Security tab in NTFS settings to configure file access auditing.

40
Q

What is a log?

A

Data file that contains the accounting and audit trail for actions performed by a user on a computer or network.

41
Q

Where are logs located in Linux?

A

/var/log

42
Q

Which Windows logs should always be audited, and where do you find them?

A

Security, System, and Application logs

Windows Event Viewer

43
Q

Explain what the Security, System, and Application logs record.

A

Security logs - events such as successful and unsuccessful user logons to the system.

System logs - events such as a system shutdown or driver failures.

Application logs - events for the OS and third-party apps.

44
Q

What is the importance of log files? What are some considerations with log files?

A

They allow for the reconstruction of events once they occur.

What the scope of the audit should be, and how long you should keep them.

45
Q

How should log files be stored at rest?

A

Log files should not be stored on the same device that is generating them.
They should be stored on an external server.

Logs should be archived and backed up to ensure availability

46
Q

What is a SIEM?

A

Security Information and Event Management

A solution that provides real-time or near real-time analysis of security events generated by network hardware and applications.

The main function of a SIEM is log review and event correlation.

47
Q

How can SIEMs be implemented?

A

They can be implemented as both software and hardware appliances. SIEMs can also be outsourced as managed services.

48
Q

What are the first 3 steps to implementing a SIEM?

A

1. Log all relevant events and filter irrelevant data
2. Establish and document scope of events
3. Develop use cases to define a threat

49
Q

What are the last 4 steps to implementing a SIEM?

A

1. Plan incident response for an event
2. Establish a ticketing process to track events
3. Schedule threat hunting
4. Provide evidence trail for analysts and auditors

50
Q

What is Splunk?

A

Big data information gathering and analytics tool that can import machine-generated data using a connector visibility add-on. Can be installed locally or cloud-based.

51
Q

What are some other SIEMs?

A

ArcSight
QRadar - log management - created by IBM
AlienVault - owned by AT&T, AKA AT&T Cybersecurity
OSSIM - open source
Graylog - focused on DevOps and IT operations