Monitoring and Auditing Flashcards
What is signature based monitoring?
Where network traffic (or host activity) is compared against a database of predetermined attack patterns, or “signatures”
This method has the fewest false positives, but it can only detect attacks whose signature is already known (novel or zero-day attacks are missed)
What type of monitoring has the least false positives?
Signature-based
What is anomaly based monitoring?
Where a baseline of normal network traffic is established and any traffic that deviates from that baseline is flagged for evaluation
What is behavior based monitoring?
When current activity is evaluated against the previously observed behavior of applications, files and the OS, and anything that departs from that history is flagged
Most false positives, since legitimate but unusual activity (a new application, a mass password reset) also looks like a deviation
What type of monitoring has the most false positives?
Behavior based
What is baselining?
Process of recording a reference measurement of a system’s normal state (the “baseline”) and then measuring changes in the system as deviations from it
What is baseline reporting?
Documenting and reporting changes relative to the established baseline
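The cards on signature-based, anomaly-based and behavior-based monitoring and on baselining describe the two detection approaches in the abstract. The block below is an added example, not part of the original flashcard deck, that runs both over a few constructed log lines: a signature matcher that looks for predetermined attack patterns, and a baseline detector that learns mean and standard deviation of failed logons per hour and flags hours that deviate from it. The log format, the signature regexes, the sample lines and the baseline counts are all assumptions made for the example.

```python
import re
import statistics

# Constructed sample events for this example (not from the original page).
# Layout is assumed: "<host> <facility> <detail...>".
SAMPLE_LOGS = [
    "web01 http GET /index.html 200",
    "web01 http GET /images/logo.png 200",
    "web01 http GET /../../etc/passwd 404",
    "web01 http GET /login?user=admin' OR '1'='1 200",
    "db01 auth failed user=app src=10.0.0.5",
]

# --- Signature-based: predetermined patterns, one match = one alert ---------
# The patterns are illustrative; a real IDS ships thousands of these.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
}


def signature_matches(lines):
    """Return (signature_name, line) for every line matching a known pattern."""
    hits = []
    for line in lines:
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.append((name, line))
    return hits


# --- Anomaly-based: learn a baseline, then flag deviations from it ---------
# Constructed baseline: failed-logon counts per hour on db01 over a quiet
# period. The detector never sees an attack pattern, only what "normal" is.
BASELINE_FAILED_LOGONS = [2, 3, 1, 4, 2, 3, 2, 3, 1, 2, 3, 2]


def build_baseline(samples):
    """Baseline = mean and population standard deviation of the samples."""
    return statistics.mean(samples), statistics.pstdev(samples)


def is_anomalous(value, baseline, threshold=3.0):
    """True when value lies more than `threshold` standard deviations
    from the baseline mean (a simple z-score rule)."""
    mean, stdev = baseline
    if stdev == 0:
        return value != mean
    return abs(value - mean) / stdev > threshold


if __name__ == "__main__":
    for name, line in signature_matches(SAMPLE_LOGS):
        print(f"SIGNATURE {name}: {line}")
    baseline = build_baseline(BASELINE_FAILED_LOGONS)
    for hourly_count in (4, 12, 40):
        flagged = is_anomalous(hourly_count, baseline)
        print(f"{hourly_count} failed logons/hour anomalous? {flagged}")
```

Note the trade-off the cards describe: the signature matcher is silent on the fifth line even though it is a failed logon, because no pattern covers it, while the baseline detector flags 12 failures in an hour just as readily as 40. Twelve failures could be a help-desk password reset rather than an attack, which is exactly the kind of false positive a baseline approach produces and a signature approach does not.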
What is security posture?
Risk level to which a system element is exposed
What is an example of a common performance monitoring tool?
Windows Performance Monitor (perfmon.exe)
What is a protocol analyzer?
A tool used to capture and analyze network traffic
Give an example of a protocol analyzer
Wireshark
What is promiscuous mode?
Where the network adapter passes every frame it receives up to the host, not just those addressed to its own MAC address. On a switched network it still only sees what the switch sends to that port, so a SPAN port or tap is needed to see other hosts’ traffic
What is non promiscuous mode?
Where the network adapter only passes up frames addressed to its own MAC address (plus broadcasts and subscribed multicasts); this is the default mode
What is port mirroring?
Where one or more switch ports (or VLANs) are configured so that a copy of every packet passing through them is forwarded to another port on the switch, where the monitoring tool listens
What is a SPAN port?
The destination port used in port mirroring; SPAN stands for Switched Port Analyzer, Cisco’s name for the feature
What is a network tap?
Physical device inserted inline on a link that copies the traffic passing through it to a monitoring port, without depending on the switch
What is SNMP?
Simple Network Management Protocol - used to monitor and manage network-attached devices and computers (agents listen on UDP port 161; traps are sent to the manager on UDP port 162)
What are managed devices in SNMP?
Computers and other devices that are monitored through the use of agents by a network management system
What is an agent in SNMP?
Software running on a managed device that answers the network management system’s queries and sends it traps (unsolicited alerts)
What is a network management system?
Software run on one or more servers that polls the agents and collects traps from all managed devices, controlling the monitoring of the whole network
What is the issue with versions 1 and 2c of SNMP?
Lack of security: access is controlled only by community strings, which are sent in cleartext with every message, and the defaults “public” (read-only) and “private” (read-write) are widely known
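To make the cleartext community-string problem concrete, the block below is an added example (not from the original deck) that builds a real SNMPv1/v2c GetRequest for sysDescr.0 byte by byte using the BER encoding from RFC 1157, then reads the version and community string straight back out of the wire bytes, as anyone capturing the UDP packet could. The encoder is deliberately minimal (short-form lengths, small integers, OID arcs below 128) and the `send_get` helper and its agent address are assumptions; nothing is sent on the network when the example runs.

```python
import socket


def ber(tag, payload):
    """Minimal BER TLV encoder; short-form length only (payload < 128 bytes)."""
    if len(payload) >= 128:
        raise ValueError("example encoder supports short-form lengths only")
    return bytes([tag, len(payload)]) + payload


def ber_int(value):
    """Small non-negative INTEGER (enough for version, request-id, error fields)."""
    if not 0 <= value < 128:
        raise ValueError("example encoder supports 0..127 only")
    return ber(0x02, bytes([value]))


def ber_oid(oid):
    """OBJECT IDENTIFIER; first two arcs are packed into one byte, the rest
    are assumed below 128 so each fits in a single base-128 byte."""
    arcs = [int(a) for a in oid.split(".")]
    body = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        if arc >= 128:
            raise ValueError("example encoder supports arcs < 128 only")
        body.append(arc)
    return ber(0x06, bytes(body))


def snmp_get_request(community, oid, request_id=1, version=0):
    """Build a GetRequest for one OID. version 0 = SNMPv1, 1 = SNMPv2c;
    both carry the community string as a plain OCTET STRING."""
    varbind = ber(0x30, ber_oid(oid) + ber(0x05, b""))          # OID + NULL
    varbind_list = ber(0x30, varbind)
    pdu = ber(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + varbind_list)
    # Message ::= SEQUENCE { version INTEGER, community OCTET STRING, data PDU }
    return ber(0x30, ber_int(version) + ber(0x04, community.encode()) + pdu)


def sniff_community(packet):
    """What anyone on the path sees: walk the outer SEQUENCE and read the
    version and community string directly out of the bytes, no key needed."""
    if packet[0] != 0x30:
        raise ValueError("not an SNMP message")
    pos = 2                                   # skip SEQUENCE tag + length
    if packet[pos] != 0x02:
        raise ValueError("expected version INTEGER")
    version = packet[pos + 2]
    pos += 2 + packet[pos + 1]
    if packet[pos] != 0x04:
        raise ValueError("expected community OCTET STRING")
    length = packet[pos + 1]
    community = packet[pos + 2 : pos + 2 + length].decode()
    return version, community


def send_get(packet, host, port=161, timeout=2.0):
    """Send the request to an agent and return its raw reply. Not called by
    the offline demo below; the agent address is an assumption."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        return sock.recv(4096)


if __name__ == "__main__":
    pkt = snmp_get_request("public", "1.3.6.1.2.1.1.1.0")      # sysDescr.0
    print(pkt.hex())
    print("on the wire: version=%d community=%r" % sniff_community(pkt))
```

The hex dump shows `7075626c6963` (“public”) sitting in the clear right after the version byte; with the “private” string the same packet type becomes a write request that can change device configuration. SNMPv3 replaces this field with the User-based Security Model, where the message carries a username, an HMAC and (optionally) an encrypted payload instead of a shared secret in cleartext.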
What makes SNMP version 3 better?
Version 3 provides message integrity, authentication of the sender and encryption (privacy) of the messages sent over the network, replacing community strings with per-user credentials
How does SNMP v3 provide integrity, authentication and encryption?
- Integrity: each message carries an HMAC (HMAC-MD5 or HMAC-SHA in the original User-based Security Model), so tampering in transit is detected
- Authentication: the HMAC is keyed with a secret derived from the user’s password, so the message source is validated
- Encryption: the payload is encrypted with DES in the original specification; AES was added later and should be used instead of DES
What is in-band communication?
In SNMP, management traffic is sent over the same production network that carries user data
Cheaper and easier, but less secure: management traffic can be sniffed or attacked from the production network
What is out-of-band communication?
In SNMP, a separate, dedicated management network (or console path) carries all management traffic
Most secure, since management traffic is isolated from general network traffic
What is auditing?
Technical assessment conducted on applications, systems and networks
What is one of the main aspects of auditing?
Viewing of security logs
What are log files?
Data files that contain the accounting record and audit trail of actions performed by users and systems on a network
What types of logs should be audited?
security, system and application logs
What is an example of security logs?
Logging events such as successful and unsuccessful user logons
What is an example of system logs?
Logging events such as system shutdown or driver failure
What is an example of application logs?
Logging events written by installed applications and services, whether shipped with the OS or third-party (e.g. an application crash or a database failing to start)
What can be used to consolidate all logs into a single repo?
SYSLOG
What is SYSLOG?
Protocol enabling the transmission of logs or event records to a central server
What is a SYSLOG server?
Centralized monitoring server that receives and stores log messages from many hosts, typically running a collector such as rsyslog or syslog-ng
What port does SYSLOG use?
514 over UDP by default, which is unreliable and unencrypted; syslog over TCP (RFC 6587) conventionally also uses 514, and syslog over TLS (RFC 5425) uses 6514
Where should log files save to? Why?
A different partition or, better, a remote log server. If the system is compromised or its disk fills, the log files are still available and harder for the attacker to tamper with
Why are log files important?
They allow us to reconstruct an event after it occurs
How would overwriting log files work?
When the maximum log size is reached, the system begins overwriting the oldest events in the log file to make room. An attacker can abuse this by generating noise so that the events revealing the intrusion are overwritten, which is one reason to forward logs to a central server
What is WORM?
Write Once Read Many - data can be written only once but read an unlimited number of times (think DVD-R)
What is the advantage of WORM?
If someone compromises your server and the logs were written to WORM media such as a DVD-R, they cannot modify or delete them
Where should you save log files to?
An encrypted folder, to protect confidentiality of the log contents, ideally on a separate partition or remote server
What is SIEM?
Security Information and Event Management - solution that collects logs from network hardware, hosts and applications into one place and provides real-time correlation and analysis of the security alerts they generate
What are the 3 components of SYSLOG message architecture?
PRI code (the priority, computed as facility × 8 + severity, enclosed in angle brackets), Header (timestamp and hostname), Message (originating process tag and content)
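The cards on syslog, the syslog server, port 514 and the three-part message layout are easiest to see with a message in hand. The block below is an added example, not from the original deck, that encodes and decodes the RFC 3164 format: it computes PRI from facility and severity, splits a received line into PRI, header and message, and includes a sender for the default UDP 514 transport. The parsed sample line is the example message from RFC 3164 itself; the `send_udp` helper and its collector address are assumptions and are not called when the example runs.

```python
import re
import socket

# RFC 3164 facility codes (subset, with the names Linux syslog daemons use)
# and the eight severity levels, 0 = most urgent.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              16: "local0", 17: "local1", 18: "local2", 19: "local3",
              20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def build_pri(facility, severity):
    """PRI = facility * 8 + severity, so the three low bits are the severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility 0..23 and severity 0..7 only")
    return facility * 8 + severity


def split_pri(pri):
    """Inverse of build_pri: returns (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range")
    return divmod(pri, 8)


def format_rfc3164(facility, severity, timestamp, hostname, tag, content):
    """<PRI>HEADER MSG, with HEADER = timestamp + hostname and MSG = tag: content."""
    return f"<{build_pri(facility, severity)}>{timestamp} {hostname} {tag}: {content}"


_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                  # PRI part
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "     # HEADER: timestamp
    r"(?P<host>\S+) "                                       # HEADER: hostname
    r"(?P<msg>.*)$"                                         # MSG part
)


def parse_rfc3164(line):
    """Split a BSD-syslog line into its PRI, header and message fields."""
    m = _RFC3164.match(line)
    if m is None:
        raise ValueError("not an RFC 3164 syslog line")
    pri = int(m["pri"])
    facility, severity = split_pri(pri)
    return {
        "pri": pri,
        "facility": facility,
        "facility_name": FACILITIES.get(facility, f"facility{facility}"),
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "timestamp": m["ts"],
        "hostname": m["host"],
        "message": m["msg"],
    }


def send_udp(line, collector, port=514):
    """Ship one message to a syslog server over the classic UDP transport.
    Fire-and-forget: no delivery guarantee and no encryption on this path."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode(), (collector, port))


if __name__ == "__main__":
    # Example message from RFC 3164, section 5.4.
    sample = "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"
    print(parse_rfc3164(sample))
    print(format_rfc3164(10, 6, "Mar  1 10:00:30", "db01", "sshd[4242]",
                         "Accepted password for alice from 10.0.0.9 port 51234"))
```

PRI 34 decodes to facility 4 (auth) and severity 2 (critical), which is how a collector such as rsyslog routes a line to the right file or forwards it on. Because the UDP transport above carries all of this in cleartext with no acknowledgement, production forwarding to a SIEM should use the TLS transport on port 6514 instead.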
What is SOAR?
Security Orchestration, Automation and Response - class of security tools that facilitate incident response, threat hunting and security configuration by automating runbooks; it consumes the alerts a SIEM produces and acts on them, hence “basically SIEM 2.0”
What is SOAR primarily used for?
Incident response, since it can automate the response steps (enrich an alert, block an address at the firewall, isolate a host) that a SIEM can only report
What is a playbook?
Checklist of actions to perform to detect and respond to a specific type of incident; a runbook is the step-by-step, automatable version of those actions that a SOAR platform executes