quiz 11 Flashcards
In a signature-based monitoring environment, network traffic is analyzed for predetermined attack patterns.
True—Signature-based monitoring analyzes network traffic for predetermined attack patterns known as signatures stored in a database.
Behavior-based monitoring establishes a performance baseline based on a set of normal network traffic evaluations.
False—Behavioral-based monitoring looks at previous behavior of applications and compares that to current activity on the system.
Anomaly-based monitoring uses predetermined attack patterns.
False—Anomaly-based monitoring establishes a performance baseline based on a set of normal network traffic evaluations. Signature-based monitoring uses predetermined attack patterns.
Baselining is the process of measuring changes in networking.
True—Creating a baseline consists of selecting something to measure and measuring it consistently for a period of time; baselining is the process of measuring changes.
A broadcast storm is when the TCP/IP handshake has been compromised.
False—A broadcast storm is when there is an accumulation of broadcast and multicast packet traffic on the LAN.
By default, Wireshark is nonpromiscuous.
False—By default, Wireshark is promiscuous, which means it can delve into packets even if the packets were addressed to a different computer.
Network Monitor requires Windows server to run.
True—Windows Server 2003 and 2008 come with built-in versions of Network Monitor; the program does not run on Windows client operating systems.
An SNMP agent is software run on a server to monitor the network.
False—SNMP agents are software deployed by an NMS and loaded on monitored devices.
An NMS is the software run on one or more servers that control the monitoring of network attached devices and computers.
True—An NMS (network management system) controls the monitoring of SNMP-enabled devices.
SNMP uses port 143.
False—SNMP uses ports 161 and 162. IMAP uses 143.
When conducting an audit, what should be done after risk has been scanned for, analyzed, and calculated?
A. Define exactly what should be audited.
B. Create backups.
C. Create a list of vulnerabilities.
D. Develop a plan to mitigate risk.
D. After risk has been scanned for, analyzed, and calculated, a plan should be developed to mitigate those risks.
Which of the following is not part of the three-step auditing process?
A. Enabling auditing for files.
B. Turning on and auditing policy.
C. Evaluating the system log.
D. Reviewing the security log.
C. The system log doesn’t play into the auditing process; it deals with drivers, operating system files, and so on.
A person complains that he cannot see any events in the Event Viewer. Which of the following questions should you not ask the person?
A. Did you reboot your computer?
B. Has auditing been turned on in a policy?
C. Was auditing enabled for the individual objects?
D. Do you have administrative capabilities?
A. It is not necessary to ask the users whether they rebooted the computer. This will not affect whether they can see events in the Event Viewer.
Which of the following questions should you take into account when securing log files? (Select the two best answers.)
A. Were the log files encrypted and hashed?
B. Are the logs stored in multiple locations?
C. Were the log files encrypted in a Kerberos system?
D. How big are the log files?
A and B. It is important to find out whether log files have been encrypted and hashed, and where they are stored. Log files would not be stored in a Kerberos system. The size of log files deals more with log file maintenance than it does with security.
Which file would you set permissions on to protect the security log on Windows Server 2003?
A. config
B. system.log1
C. SecEvent.evt
D. Security.log
C. SecEvent.evt is the file you would set permissions on to protect the security log on Windows Server 2003. This file may have a different name depending on which Windows operating system you are working in.