Monitoring & Auditing Flashcards

1
Q

Monitoring Types

A

Signature-based
Network traffic is analyzed for predetermined attack patterns

Anomaly-based
A baseline is established and any network traffic that is outside of the baseline is evaluated

Behavior-based
Activity is evaluated based on the previous behavior of applications, executables, and the operating system in comparison to the current activity of the system

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Baselining

A

Process of measuring changes in networking, hardware, software, and applications

Perfmon.exe = Windows Performance Monitor

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Security Posture

A

Risk level to which a system or other technology element is exposed

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Protocol Analyzers: Promiscuous Mode

A

Network adapter is able to capture all of the packets on the network, regardless of the destination MAC address of the frames carrying them

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Protocol Analyzers: Non-promiscuous Mode

A

Network adapter can only capture the packets directly addressed to itself

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

SNMP: Agents

A

Software that is loaded on a managed device to redirect information to the network management system

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

NMS

A

Network Management System:
Software running on one or more servers to control the monitoring of network-attached devices and computers

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

SNMP Versions

A

SNMP v1/v2 are insecure due to the use of community strings to access a device

SNMP v3:
Version of SNMP that provides integrity, authentication, and encryption of the messages being sent over the network

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Auditing

A

A technical assessment conducted on applications, systems, or networks

Auditing is a detective control
• Security logs
• ACLs
• User rights/permissions
• Group policies (GPOs)
• Vulnerability scans
• Written organizational policies
• Interviewing personnel

Software tools are also used to help conduct audits

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Syslog

A

A standardized format used for computer message logging that allows for the separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them

SYSLOG uses port 514 over UDP

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Log File Maintenance

A

Actions taken to ensure the proper creation and storage of a log file, such as the proper configuration, saving, back up, security, and encryption of the log files

Log files should be saved to a different partition or an external server

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Overwrite Events

A

When a maximum log size is reached, the system can begin overwriting the oldest events in the log files to make room

Logs should be archived and backed up to ensure they are available when required

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

WORM

A

Write Once, Read Many:
Technology like a DVD-R that allows data to be written only once but read unlimited times

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

SIEM

A

Security Information & Events Management:
A solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

SIEM Tools

A

Splunk
ArcSight
ELK/Elastic Stack
QRadar
Graylog
AlienVault/OSSIM

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Syslog Drawbacks

A

Since syslog relied on UDP, there can be delivery issues within congested networks

Basic security controls like encryption and authentication are not included by default within syslog

17
Q

Newer Syslog Features

A

Due to security issues, newer syslog implementations added new features and capabilities
▪ Newer implementations can use port 1468 (TCP) for consistent delivery
▪ Newer implementations can use TLS to encrypt messages sent to servers
▪ Newer implementations can use MD-5 or SHA-1 for authentication and integrity
▪ Some newer implementations can use message filtering, automated log analysis, event response scripting, and alternate message formats

The newer version of the server is called syslog-ng or rsyslog

Syslog can refer to the protocol, the server, or the log entries themselves

18
Q

SOAR

A

Security Orchestration, Automation, & Response:
A class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment

Primarily used for incident response

19
Q

Next-Gen SIEM

A

A security information and event monitoring system with an integrated SOAR

Scans security/threat data
Analyze it with ML
Automate data enrichment
Provision new resources

20
Q

SOAR: Playbook & Runbook

A

Playbook:
A checklist of actions to perform to detect and respond to a specific type of incident

Runbook:
An automated version of a playbook that leaves clearly defined interaction points for human analysis