Monitoring & Auditing Flashcards
Monitoring Types
Signature-based
Network traffic is analyzed for predetermined attack patterns
Anomaly-based
A baseline is established and any network traffic that is outside of the baseline is evaluated
Behavior-based
Activity is evaluated based on the previous behavior of applications, executables, and the operating system in comparison to the current activity of the system
Baselining
Process of measuring changes in networking, hardware, software, and applications
Perfmon.exe = Windows Performance Monitor
Security Posture
Risk level to which a system or other technology element is exposed
Protocol Analyzers: Promiscuous Mode
Network adapter is able to capture all of the packets on the network, regardless of the destination MAC address of the frames carrying them
Protocol Analyzers: Non-promiscuous Mode
Network adapter can only capture the packets directly addressed to itself
SNMP: Agents
Software that is loaded on a managed device to redirect information to the network management system
NMS
Network Management System:
Software running on one or more servers to control the monitoring of network-attached devices and computers
SNMP Versions
SNMP v1/v2 are insecure due to the use of community strings to access a device
SNMP v3:
Version of SNMP that provides integrity, authentication, and encryption of the messages being sent over the network
Auditing
A technical assessment conducted on applications, systems, or networks
Auditing is a detective control
• Security logs
• ACLs
• User rights/permissions
• Group policies (GPOs)
• Vulnerability scans
• Written organizational policies
• Interviewing personnel
Software tools are also used to help conduct audits
Syslog
A standardized format used for computer message logging that allows for the separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them
SYSLOG uses port 514 over UDP
Log File Maintenance
Actions taken to ensure the proper creation and storage of a log file, such as the proper configuration, saving, back up, security, and encryption of the log files
Log files should be saved to a different partition or an external server
Overwrite Events
When a maximum log size is reached, the system can begin overwriting the oldest events in the log files to make room
Logs should be archived and backed up to ensure they are available when required
WORM
Write Once, Read Many:
Technology like a DVD-R that allows data to be written only once but read unlimited times
SIEM
Security Information & Events Management:
A solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications
SIEM Tools
Splunk
ArcSight
ELK/Elastic Stack
QRadar
Graylog
AlienVault/OSSIM