SEC+ Revision Questions Understanding Monitoring and Auditing

Question 1

Which of the following can stop in-progress attacks to your network?
A. NIDS
B. NIPS
C. Proxy server
D. Packet filtering firewall

Answer 1

A. (NIDS) Network Intrustion Detection System

Question 2

Which of the following could an administrator use to determine whether there has been unauthorized use of a wireless LAN?
A. Protocol analyzer
B. Proxy server
C. Performance Monitor
D. Wireless access point log

Answer 2

D. Wireless access point log

Question 3

You are responsible for managing an internal FTP server. A user reports that files available on the server yesterday are no longer available. Where can you look to determine what happened to the missing files?
A. Firewall log
B. FTP access log
C. FTP download log
D. FTP upload log

Answer 3

B. FTP access log

Question 4

As a Windows server administrator for server ALPHA, you configure auditing so that you can track who deletes files on file share SALES. Where will you view the audit results?
A. Security log
B. Audit log
C. Application log
D. Deletion log

Answer 4

A. Security log

Question 5

Your manager asks you to configure a honeypot to track malicious user activity. You install the host in the DMZ without any patches and configure a web site and an SMTP server on it. You have configured nothing else on the host. Identify a problem with this configuration.
A. The honeypot needs to be patched.
B. Honeypots should not run a web site.
C. Forward honeypot logs to another secured host.
D. Honeypots should not run SMTP services.

Answer 5

C. Forward honeypot logs to another secured host.

Question 6

Which of the following are true regarding behavior-based network monitoring? (Choose two.)
A. A baseline of normal behavior must be established.
B. Deviations from acceptable activity cannot be monitored.
C. New threats can be blocked.
D. A database of known attack patterns is consulted.

Answer 6

A. A baseline of normal behavior must be established.
&
C. New threats can be blocked.

Question 7

You have configured a NIPS appliance to prevent web server directory traversal attacks. What type of configuration is this?
A. Behaviour-based
B. Signature-based
C. Anomaly-based
D. Web-based

Answer 7

B. Signature-based

Question 8

An administrator reports that a Windows file server is performing much slower than it normally does. The server is fully patched and has an up-to-date virus scanner. You open an RDP connection to the server to investigate the problem. Which of the following should you first use?
A. Virus scanner
B. Port scanner
C. System restore point
D. Performance Monitor

Answer 8

D. Performance Monitor

Question 9

You have inherited the responsibility of managing an office network for which there is no documentation. As you perform desktop support duties over time, you notice many users seem to have more privileges on the network than they need. What should you do?
A. Delete and re-create all user accounts.
B. Conduct a user access and rights review.
C. Check server audit logs.
D. Enforce stronger user passwords.

Answer 9

B. Conduct a user access and rights review.

Question 10

To adhere to new corporate security guidelines, your branch offices must track details regarding visited web sites. What should you install?
A. VPN
B. Proxy server
C. Packet filtering firewall
D. NIDS

Answer 10

B. Proxy server

Question 11

Which of the following is true regarding HIDS?
A. Suspicious traffic entering the network can be blocked.
B. Encrypted transmissions cannot be monitored.
C. It must be installed on each system where needed.
D. Log files are not analysed.

Answer 11

C. It must be installed on each system where needed.

Question 11

You would like to know when user accounts are modified in any way. What should you configure?
A. Keyloggers on all user stations
B. Firewall auditing
C. User account auditing
D. Personal firewall on all user stations

Answer 11

C. User account auditing

Question 12

Which of the following are true regarding NIDS? (Choose two.)
A. Network traffic is analysed for malicious packets.
B. Alerts and notifications can be configured.
C. Malicious packets are dropped.
D. Laptops are protected when disconnected from the LAN.

Answer 12

A. Network traffic is analysed for malicious packets.
&
B. Alerts and notifications can be configured.

Question 13

You are asked to analyse events in a firewall log that occurred six months ago. When you analyse the log file, you notice events go back only two months. What is the problem?
A. You must have administrative access to the logs.
B. The log file size is too small.
C. Firewalls cannot keep logs for more than two months.
D. The firewall is not patched.

Answer 13

B. The log file size is too small.

Question 13

Your company would like to standardize how long various types of documents are kept and deleted. What is needed to do this?
A. Storage retention policy
B. RAID 0
C. Disaster recovery policy
D. RAID 1

Answer 13

A. Storage retention policy

Question 14

A Windows administrator must track key performance metrics for a group of seven Windows servers. What should she do?
A. Run Performance Monitor on each host.
B. RDP into each host and run Performance Monitor.
C. RDP into each host and check Event Viewer logs.
D. Run Performance Monitor on her machine and add counters from the other seven servers.

Answer 14

D. Run Performance Monitor on her machine and add counters from the other seven servers.

Question 14

You are a firewall appliance administrator for your company. Previously restricted outbound RDP packets are now successfully reaching external hosts, and you did not configure this firewall allowance. Where should you look to see who made the firewall change and when?
A. Security log
B. Firewall log
C. Audit log
D. Event Viewer log

Answer 14

C. Audit log

Question 15

In reviewing your firewall log, you notice a large number of your stations connecting to www.freetripsforyou.com and downloading an EXE file, sometimes in the middle of the night. Your users state they did not visit the web site. Your firewall does not allow any inbound packets initiated from the Internet. What does this indicate?
A. User stations are connecting to Windows Update to apply patches.
B. User stations have been hijacked and are downloading malware.
C. User stations are infected with a password-cracking program.
D. User stations are being controlled from the Internet through RDP.

Answer 15

B. User stations have been hijacked and are downloading malware.

Question 16

A corporate network baseline has been established over the course of two weeks. Using this baseline data, you configure your intrusion prevention systems to notify you of abnormal network activity. A new sales initiative requires sales employees to run high-bandwidth applications across the Internet. As a result, you begin receiving security alerts regarding abnormal network activity. What are these type of alerts referred to as?
A. False positives
B. False negatives
C. True positives
D. True negatives

Answer 16

A. False positives

Question 16

What can be done to prevent malicious users from tampering with log files? (Choose three.)
A. Store log files on a secured centralized logging host.
B. Encrypt archived log files.
C. Run Windows Update.
D. Generate file hashes for log files.

Answer 16

A. Store log files on a secured centralized logging host.
&
B. Encrypt archived log files.
&
D. Generate file hashes for log files.

Question 17

You have been asked to identify any irregularities from the following web server log excerpt:
199.0.14.202, -, 03/15/09, 8:33:12, W3SVC2, SERVER, 192.168.1.1, 4502
12.168.12.79, -, 03/15/09, 8:34:09, W3SVC2, SERVER, 192.168.1.1, 3455
12.168.12.79, -, 03/15/09, 17:02:26, W3SVC2, SERVER, 192.168.1.1, 4302
192.16.255.202, -, 03/15/09, 17:03:11, W3SVC2, SERVER, 192.168.1.1, 4111
A. 199.0.14.202 is not a valid IP address.
B. 192.16.255.202 is not a valid IP address.
C. Web servers cannot use 192.168.1.1.
D. The log is missing entries for a long period of time.

Answer 17

D. The log is missing entries for a long period of time.

Question 18

You are the Windows server administrator for a clothing outlet in Manhattan, New York. There are six Windows Server 2008 Active Directory computers used regularly. Files are being modified on servers during nonbusiness hours. You would like to audit who makes the changes and when. What is the quickest method of deploying your audit settings?
A. Configure audit settings using Group Policy.
B. Configure each server with the appropriate audit settings.
C. Configure one server appropriately, export the settings, and import them to the other five.
D. Delegate the audit configuration task to six other administrators.

Answer 18

A. Configure audit settings using Group Policy.

Question 19

What is the difference between a packet sniffer and a NIDS?
A. There is no difference.
B. Packet sniffers put the network card in promiscuous mode.
C. NIDS puts the network card in promiscuous mode.
D. Packet sniffers do not analyze captured traffic.

Answer 19

D. Packet sniffers do not analyze captured traffic.

Question 20

Your manager has asked you to identify which internal client computers have been controlled using RDP from the Internet. What should you do?
A. Check the logs on each computer.
B. Check the logs on your RDP servers.
C. Check your firewall log.
D. Contact your ISP and have them check their logs.

Answer 20

C. Check your firewall log.

Question 21

What is a potential problem with enabling detailed verbose logging on hosts for long periods of time?
A. There is no problem.
B. Performance degradation.
C. Network bandwidth is consumed.
D. Verbose logging consumes a user license.

Answer 21

B. Performance degradation.

Question 22

A user, Jeff, reports his client Windows 8 station has been slow and unstable since last Tuesday. What should you first do?
A. Use System Restore to revert the computer state to last Monday.
B. Check log entries for Monday and Tuesday on Jeff’s computer.
C. Run Windows Update.
D. Re-image Jeff’s computer.

Answer 22

B. Check log entries for Monday and Tuesday on Jeff’s computer.

Question 23

User workstations on your network connect through NAT to a DMZ where your Internet perimeter firewall exists. On Friday night a user connects to an inappropriate web site. You happened to have been capturing all network traffic on the DMZ at the time. How can you track which user workstation visited the web site? (Choose two.)
A. View logs on the NAT router.
B. View logs on the perimeter firewall.
C. View your packet capture.
D. View all workstation web browser histories.

Answer 23

A. View logs on the NAT router.
&
C. View your packet capture.

Question 24

An administrator is scheduling backup for Windows servers. She chooses to back up system state as well as user data folders on drive D:. What else should she have included in the backup?
A. Drive C:
B. Log files
C. Wallpaper images
D. Registry

Answer 24

B. Log files

Question 25

You are monitoring the performance on a Unix server called Alpha. Alpha is used to host concurrent remote sessions for users. You notice that long periods of intense server disk activity on Alpha coincide with remote users working with large documents stored on a separate Unix server called Bravo. What might be causing the degraded performance on Alpha?
A. There is too much network traffic.
B. The CPU is too slow.
C. The disks are too slow.
D. There is not enough RAM.

Answer 25

D. There is not enough RAM.

Question 26

A server, Charlie, runs a mission-critical database application. The application encrypts all data from connected client workstations. You would like to monitor Charlie for suspicious activity and prevent any potential attacks. What should you deploy?
A. Honeypot
B. HIPS
C. NIDS
D. PKI

Answer 26

B. HIPS

Question 27

You are reviewing forwarded log entries for your Internet-facing firewall appliance. Last year, your company did some IP restructuring and began using the 172.16.0.0/16 address space internally. You notice abnormally large amounts of traffic on the firewall appliance’s public interface within a short time frame coming from 172.16.29.97 destined for UDP port 53. Which of the following might you conclude from this information?
A. 172.16.29.97 is an invalid IP address.
B. 172.16.29.97 is a spoofed IP address.
C. The logs on the firewall appliance have been tampered with.
D. An HTTP denial-of-service attack was in progress.

Answer 27

B. 172.16.29.97 is a spoofed IP address.

Question 28

A user complains that their machine performance has degraded ever since they downloaded a free file recovery utility. You would like to rule out the possibility of any malicious network services running in the background by viewing active port numbers on the machine. Which Windows command should you use to do this?

Answer 28

netstat

Question 29

How do logging and auditing differ?
A. Logging tracks more than just security events; auditing tracks specifically configured security events.
B. Auditing tracks more than just security events; logging tracks specifically configured security events.
C. Logging can track hardware events; auditing cannot.
D. Auditing can track hardware events; logging cannot.

Answer 29

Logging tracks more than just security events; auditing tracks specifically configured security events.