Monitoring and Auditing Flashcards

1
Q

What is signature-based monitoring?

A

Where network traffic is analyzed for predetermined attack patterns or “signatures”

This method has the least false positives

2
Q

What type of monitoring has the least false positives?

A

Signature-based

3
Q

What is anomaly-based monitoring?

A

Where a baseline is established and any network traffic that deviates from the baseline is evaluated

4
Q

What is behavior-based monitoring?

A

When current activity is evaluated against the previous behavior of applications, files and the OS.

Most false positives

5
Q

What type of monitoring has the most false positives?

A

Behavior-based

6
Q

What is baselining?

A

Process of measuring changes in the system based on deviations from a “baseline”

7
Q

What is baseline reporting?

A

Documenting and reporting changes in a baseline

8
Q

What is security posture?

A

Risk level to which a system element is exposed

9
Q

What is an example of a common performance monitoring tool?

A

Windows Performance Monitor (perfmon.exe)

10
Q

What is a protocol analyzer?

A

A tool used to capture and analyze network traffic

11
Q

Give an example of a protocol analyzer

A

Wireshark

12
Q

What is promiscuous mode?

A

Where the network adapter captures all packets on the network

13
Q

What is non-promiscuous mode?

A

Where the network adapter only captures packets addressed directly to itself

14
Q

What is port mirroring?

A

Where one or more switch ports are configured to forward all packets to another port on the switch

15
Q

What is a SPAN port?

A

The port used in port mirroring

16
Q

What is a network tap?

A

Physical device that allows you to intercept network traffic

17
Q

What is SNMP?

A

Simple Network Management Protocol - aids in monitoring network attached devices and computers

18
Q

What are managed devices in SNMP?

A

Computers and other devices that are monitored through the use of agents by a network management system

19
Q

What is an agent in SNMP?

A

Software loaded on a managed device to send information to the network management system

20
Q

What is a network management system?

A

Software run on one or more servers to control monitoring of all network attached devices

21
Q

What is the issue with versions 1 and 2 of SNMP?

A

Lack of security due to the use of community strings - public (read-only) or private (allows read/write access)

22
Q

What makes SNMP version 3 better?

A

Version 3 provides integrity, authentication and encryption of the messages being sent over the network

23
Q

How does SNMP v3 provide integrity, authentication and encryption?

A
• Messages are hashed before transmission
• Message source is validated
• DES encryption
24
Q

What is in-band communication?

A

In SNMP, when data is sent over the network you are using

Cheaper, easier, less secure

25
Q

What is out-of-band communication?

A

In SNMP, a secondary network is created where all management occurs

Most secure since the management data is separated from the general network traffic

26
Q

What is auditing?

A

Technical assessment conducted on applications, systems and networks

27
Q

What is one of the main aspects of auditing?

A

Reviewing security logs

28
Q

What are log files?

A

Data files that contain the accounting and audit trail for actions performed by a user on a network

29
Q

What types of logs should be audited?

A

Security, system and application logs

30
Q

What is an example of security logs?

A

Logging events such as successful and unsuccessful user logons

31
Q

What is an example of system logs?

A

Logging events such as system shutdown or driver failure

32
Q

What is an example of application logs?

A

Logging events for the OS and third party applications

33
Q

What can be used to consolidate all logs into a single repository?

A

SYSLOG

34
Q

What is SYSLOG?

A

Protocol enabling the transmission of logs or event records to a central server

35
Q

What is a SYSLOG server?

A

Centralized monitoring server

36
Q

What port does SYSLOG use?

A

514 over UDP

37
Q

Where should log files save to? Why?

A

A different partition or an external server. If the system is attacked, the log files will still be safe

38
Q

Why are log files important?

A

They allow us to reconstruct an event after it occurs

39
Q

How would overwriting log files work?

A

When the max log size is reached, the system can begin overwriting the oldest events in the log files to make room

40
Q

What is WORM?

A

Write Once Read Many - data is written only once but can be read an unlimited number of times (think DVD-R)

41
Q

What is the advantage of WORM?

A

If someone hacks your server and you’ve written to something like a DVD-R, they cannot modify or delete your log files

42
Q

Where should you save log files to?

A

Encrypted folder on the server

43
Q

What is SIEM?

A

Solution that provides real-time analysis of security alerts generated by network hardware and applications

44
Q

What are the 3 components of SYSLOG message architecture?

A

PRI code, Header, Message

45
Q

What is SOAR?

A

Security Orchestration, Automation and Response - class of security tools that facilitate incident response, threat hunting and security configuration through automation of runbooks - basically SIEM 2.0

46
Q

What is SOAR primarily used for?

A

Incident response, since it can automate response tasks

47
Q

What is a playbook?

A

Checklist of actions to perform to detect and respond to a specific incident