Monitoring and Auditing Flashcards
What is signature-based monitoring?
Where network traffic is analyzed for predetermined attack patterns or “signatures”
This method has the least false positives
What type of monitoring has the least false positives?
Signature-based
What is anomaly-based monitoring?
Where a baseline is established and any network traffic that deviates from the baseline is evaluated
What is behavior-based monitoring?
When activity is evaluated by comparing the previous behavior of applications, files and the OS against the current activity.
Most false positives
What type of monitoring has the most false positives?
Behavior-based
What is baselining?
Process of measuring changes in the system based on deviations from a “baseline”
What is baseline reporting?
Documenting and reporting changes in a baseline
What is security posture?
Risk level to which a system element is exposed
What is an example of a common performance monitoring tool?
Windows Performance Monitor (perfmon.exe)
What is a protocol analyzer?
A tool used to capture and analyze network traffic
Give an example of a protocol analyzer
Wireshark
What is promiscuous mode?
Where the network adapter captures all packets on the network
What is non-promiscuous mode?
Where the network adapter captures only packets addressed directly to it
What is port mirroring?
Where one or more switch ports are configured to forward all packets to another port on the switch
What is a SPAN port?
The port used in port mirroring
What is a network tap?
Physical device that allows you to intercept network traffic
What is SNMP?
Simple Network Management Protocol - aids in monitoring network attached devices and computers
What are managed devices in SNMP?
Computers and other devices that are monitored through the use of agents by a network management system