Monitoring and Auditing

Question 1

What is signature based monitoring?

Answer 1

Where network traffic is analyzed for predetermined attack patterns or “signatures”

This method has the least false positives

Question 2

What type of monitoring has the least false positives?

Answer 2

Signature-based

Question 3

What is anomaly based monitoring?

Answer 3

Where a baseline is established and any network traffic that deviates from the baseline is evaluated

Question 4

What is behavior based monitoring?

Answer 4

When activity is evaluated based on the previous behavior of applications, files and OS in comparison to the current activity.

Most false positives

Question 5

What type of monitoring has the most false positives?

Answer 5

Behavior based

Question 6

What is baselining?

Answer 6

Process of measuring changes in the system based on deviations from a “baseline”

Question 7

What is baseline reporting?

Answer 7

Documenting and reporting changes in a baseline

Question 8

What is security posture?

Answer 8

Risk level to which a system element is exposed

Question 9

What is an example of a common performance monitoring tool?

Answer 9

Windows Performance Monitor (perfmon.exe)

Question 10

What is a protocol analyzer ?

Answer 10

A tool used to capture and analyze network traffic

Question 11

Give an example of a protocol analyzer

Answer 11

Wireshark

Question 12

What is promiscuous mode?

Answer 12

Where the network adapter captures all packets on the network

Question 13

What is non promiscuous mode?

Answer 13

Where the network adapter only captures packets to itself directly

Question 14

What is port mirroring?

Answer 14

Where one or more switch ports are configured to forward all packets to another port on the switch

Question 15

What is a SPAN port?

Answer 15

The port used in port mirroring

Question 16

What is a network tap?

Answer 16

Physical device that allows you to intercept network traffic

Question 17

What is SNMP?

Answer 17

Simple Network Management Protocol - aids in monitoring network attached devices and computers

Question 18

What are managed devices in SNMP?

Answer 18

Computers and other devices that are monitored through the use of agents by a network management system

Question 19

What is an agent in SNMP ?

Answer 19

Software that is loaded on a managed device to redirect info to the network management system

Question 20

What is a network management system ?

Answer 20

Software run on one or more servers to control monitoring of all network attached devices

Question 21

What is the issue with versions 1 and 2 of SNMP

Answer 21

Lack of security due to the use of community strings - public (read only) or private (allows read write access)

Question 22

What makes SNMP version 3 better?

Answer 22

Version 3 provides integrity, authentication and encryption of the messages being sent over the network

Question 23

How does SNMP V3 provide integrity, authentication and encryption?

Answer 23

• Messages are hashed before transmission
• Message source is validated
• DES encryption

Question 24

What is in band communication

Answer 24

In SNMP, when data is sent over the network you are using

Cheaper, easier, less secure

Question 25

What is out of band communication

Answer 25

In SNMP, a secondary network is created where all management occurs

Most secure since the management data is separated from the general network traffic

Question 26

What is auditing

Answer 26

Technical assessment conducted on applications, systems and networks

Question 27

What is one of the main aspects of auditing?

Answer 27

Viewing of security logs

Question 28

What are log files?

Answer 28

Data files that contain the accounting and audit trail for actions performed by a user on a network

Question 29

What types of logs should be audited?

Answer 29

security, system and application logs

Question 30

What is an example of security logs?

Answer 30

Logging events such as successful and unsuccessful user logons

Question 31

What is an example of system logs?

Answer 31

Logging events such as system shutdown or driver failure

Question 32

What is an example of application logs?

Answer 32

Logging events for the OS and third party applications

Question 33

What can be used to consolidate all logs into a single repo?

Answer 33

SYSLOG

Question 34

What is SYSLOG?

Answer 34

Protocol enabling the transmission of logs or event records to a central server

Question 35

What is a SYSLOG server?

Answer 35

centralized monitoring server

Question 36

What port does SYSLOG use?

Answer 36

514 over UDP

Question 37

Where should log files save to? Why?

Answer 37

A different partition or external server. If the system gets attacked the log files will still be safe

Question 38

Why are log files important?

Answer 38

They allow us to reconstruct an event after it occurs

Question 39

How would overwriting log files work?

Answer 39

When the max log size is reached, the system can begin overwriting the oldest events in the log files to make room

Question 40

What is WORM?

Answer 40

Write Once Read Many - data is written only once but read an unlimited times (Think DVD-R)

Question 41

What is the advantage of WORM?

Answer 41

If someone hacks your server and you’ve written to something like a DVD-R, they cannot modify/delete your log files

Question 42

Where should you save log files to?

Answer 42

Encrypted folder on the server

Question 43

What is SIEM?

Answer 43

Solution that provides real time analysis of security alerts generated by network hardware and applications

Question 44

What are the 3 components of SYSLOG message architecture?

Answer 44

PRI code, Header, Message

Question 45

What is SOAR?

Answer 45

Security Orchestration Automation and Response - class of security tools that facilitate incident response, threat hunting and security configs through automation of runbooks - Basically SIEM 2.0

Question 46

What is SOAR primarily used for?

Answer 46

Incident response since it can automate abilities

Question 47

What is a playbook?

Answer 47

Checklist of actions to perform to detect and respond to a specific incident