SEC+ Revision Questions Understanding Monitoring and Auditing Flashcards
Which of the following can stop in-progress attacks to your network?
A. NIDS
B. NIPS
C. Proxy server
D. Packet filtering firewall
B. NIPS (Network Intrusion Prevention System). A NIDS only detects and alerts; an inline NIPS can drop the offending traffic.
Which of the following could an administrator use to determine whether there has been unauthorized use of a wireless LAN?
A. Protocol analyzer
B. Proxy server
C. Performance Monitor
D. Wireless access point log
D. Wireless access point log
You are responsible for managing an internal FTP server. A user reports that files available on the server yesterday are no longer available. Where can you look to determine what happened to the missing files?
A. Firewall log
B. FTP access log
C. FTP download log
D. FTP upload log
B. FTP access log
As a Windows server administrator for server ALPHA, you configure auditing so that you can track who deletes files on file share SALES. Where will you view the audit results?
A. Security log
B. Audit log
C. Application log
D. Deletion log
A. Security log
Your manager asks you to configure a honeypot to track malicious user activity. You install the host in the DMZ without any patches and configure a web site and an SMTP server on it. You have configured nothing else on the host. Identify a problem with this configuration.
A. The honeypot needs to be patched.
B. Honeypots should not run a web site.
C. Forward honeypot logs to another secured host.
D. Honeypots should not run SMTP services.
C. Forward honeypot logs to another secured host.
Which of the following are true regarding behavior-based network monitoring? (Choose two.)
A. A baseline of normal behavior must be established.
B. Deviations from acceptable activity cannot be monitored.
C. New threats can be blocked.
D. A database of known attack patterns is consulted.
A. A baseline of normal behavior must be established.
&
C. New threats can be blocked.
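A worked illustration of the two correct answers, added here and not part of the original flashcards: a behaviour-based monitor learns a per-host baseline first, then flags deviations from it, which is why it can catch a burst it has never seen a signature for. The flow records, hosts and thresholds below are constructed for the example and stand in for what a NetFlow collector or firewall would log.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (minute, source_ip) pairs standing in for the
# per-connection entries a NetFlow collector or firewall would log.
def training_window(minutes=60):
    records = []
    for minute in range(minutes):
        # 10.0.0.5 normally opens 2-4 connections a minute, 10.0.0.7 opens 1-3.
        records += [(minute, "10.0.0.5")] * (2 + minute % 3)
        records += [(minute, "10.0.0.7")] * (1 + minute % 3)
    return records

def build_baseline(records):
    """Learn, per source, the mean and standard deviation of connections per minute.
    This learning phase is what a behaviour-based sensor needs before it can alert."""
    per_source = defaultdict(lambda: defaultdict(int))
    minutes = set()
    for minute, src in records:
        per_source[src][minute] += 1
        minutes.add(minute)
    baseline = {}
    for src, counts in per_source.items():
        series = [counts.get(m, 0) for m in sorted(minutes)]  # silent minutes count as 0
        baseline[src] = (mean(series), pstdev(series))
    return baseline

def detect_anomalies(baseline, window, sigma=3.0, min_rate=5):
    """Flag sources whose count in the observed minute sits above mean + sigma*sd.
    min_rate is a floor so a host with a near-zero, near-constant baseline does not
    alert on two connections; sources with no baseline at all are flagged too."""
    counts = defaultdict(int)
    for _minute, src in window:
        counts[src] += 1
    alerts = []
    for src, n in sorted(counts.items()):
        if src not in baseline:
            alerts.append((src, n, "no baseline for this source"))
            continue
        mu, sd = baseline[src]
        threshold = max(mu + sigma * sd, min_rate)
        if n > threshold:
            alerts.append((src, n, f"{n}/min exceeds {mu:.1f} + {sigma}sd = {threshold:.1f}"))
    return alerts

# Observed minute (constructed): a normal host, a known host suddenly bursting (a scan
# with no signature yet, but it deviates from its baseline), and a never-seen host.
OBSERVED_MINUTE = (
    [(60, "10.0.0.5")] * 5
    + [(60, "10.0.0.7")] * 40
    + [(60, "10.0.0.99")] * 3
)

def flagged_sources():
    baseline = build_baseline(training_window())
    return [src for src, _n, _why in detect_anomalies(baseline, OBSERVED_MINUTE)]

if __name__ == "__main__":
    for alert in detect_anomalies(build_baseline(training_window()), OBSERVED_MINUTE):
        print(alert)
```

Two practical points the cards gloss over: the baseline must be taken from a period believed to be clean (a baseline learned while an attacker is already active will treat the attack as normal), and the floor in detect_anomalies is what keeps a quiet host from paging you every time it does something slightly unusual.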
You have configured a NIPS appliance to prevent web server directory traversal attacks. What type of configuration is this?
A. Behaviour-based
B. Signature-based
C. Anomaly-based
D. Web-based
B. Signature-based
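To show what "signature-based" means in practice, here is an added example (not from the original flashcards) of a directory-traversal rule set applied to HTTP request lines. The signatures and request lines are constructed for the example; real Snort/Suricata rules express the same patterns in their own syntax. The point a practitioner should take away is that a signature engine must canonicalise the request (percent-decode, fold backslashes) before matching, or trivially encoded variants walk straight past it.

```python
import re
from urllib.parse import unquote

# Signatures of the kind a NIPS rule for directory traversal carries. Constructed for
# the example; Snort/Suricata rules express the same patterns in their own syntax.
TRAVERSAL_SIGNATURES = [
    re.compile(r"(?:^|[/=&?])\.\.(?:/|$)"),  # a ".." path segment
    re.compile(r"/etc/passwd"),
    re.compile(r"/windows/win\.ini", re.IGNORECASE),
]

def normalise(target):
    """Canonicalise the request target the way a NIPS HTTP pre-processor must before
    matching: percent-decode twice (so %252e%252e becomes ..) and fold backslashes."""
    return unquote(unquote(target)).replace("\\", "/")

def match_raw(target):
    """Signature match against the bytes on the wire, with no normalisation."""
    return [s.pattern for s in TRAVERSAL_SIGNATURES if s.search(target)]

def match_normalised(target):
    """Signature match after canonicalisation."""
    return [s.pattern for s in TRAVERSAL_SIGNATURES if s.search(normalise(target))]

def inspect(request_line, normalise_first=True):
    """Return 'drop' or 'allow' for one HTTP request line (the NIPS action)."""
    _method, target, _version = request_line.split(" ", 2)
    hits = match_normalised(target) if normalise_first else match_raw(target)
    return "drop" if hits else "allow"

# Constructed request lines: benign, plain traversal, URL-encoded, backslash,
# double-encoded, and a benign file name containing ".." that must not trip the rule.
REQUESTS = [
    "GET /images/logo.png HTTP/1.1",
    "GET /download?file=../../etc/passwd HTTP/1.1",
    "GET /download?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1",
    "GET /download?file=..%5c..%5cwindows%5cwin.ini HTTP/1.1",
    "GET /download?file=%252e%252e%252fetc%252fpasswd HTTP/1.1",
    "GET /files/report..2024.pdf HTTP/1.1",
]

def verdicts(normalise_first=True):
    return [inspect(r, normalise_first) for r in REQUESTS]

if __name__ == "__main__":
    for req, raw, norm in zip(REQUESTS, verdicts(False), verdicts(True)):
        print(f"{raw:5} {norm:5}  {req}")
```

Run it and the raw matcher drops only the second request, while the normalised matcher drops requests two to five and still allows the benign "report..2024.pdf". That gap is exactly the evasion space a signature-based NIPS lives in: the rule is only as good as the pre-processing in front of it, and every new encoding trick needs a rule or decoder update, which is the limitation the behaviour-based question above is getting at.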
An administrator reports that a Windows file server is performing much slower than it normally does. The server is fully patched and has an up-to-date virus scanner. You open an RDP connection to the server to investigate the problem. Which of the following should you first use?
A. Virus scanner
B. Port scanner
C. System restore point
D. Performance Monitor
D. Performance Monitor
You have inherited the responsibility of managing an office network for which there is no documentation. As you perform desktop support duties over time, you notice many users seem to have more privileges on the network than they need. What should you do?
A. Delete and re-create all user accounts.
B. Conduct a user access and rights review.
C. Check server audit logs.
D. Enforce stronger user passwords.
B. Conduct a user access and rights review.
To adhere to new corporate security guidelines, your branch offices must track details regarding visited web sites. What should you install?
A. VPN
B. Proxy server
C. Packet filtering firewall
D. NIDS
B. Proxy server
Which of the following is true regarding HIDS?
A. Suspicious traffic entering the network can be blocked.
B. Encrypted transmissions cannot be monitored.
C. It must be installed on each system where needed.
D. Log files are not analysed.
C. It must be installed on each system where needed.
You would like to know when user accounts are modified in any way. What should you configure?
A. Keyloggers on all user stations
B. Firewall auditing
C. User account auditing
D. Personal firewall on all user stations
C. User account auditing
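The two Windows auditing cards above (who deleted files on share SALES, and when user accounts are modified) both come down to reading the Security log, so one added example serves both. It is not from the original flashcards. It assumes the audit policy is already in place: "Audit File System" / "Audit object access" plus a SACL on the SALES folder for the deletion case, and "Audit User Account Management" for the account case. The records are constructed, using the EventData field names Windows puts in these events; the users, paths and handle values are made up. The detail worth knowing is that event 4660 ("An object was deleted") carries the handle but not the file name, so it has to be correlated with the earlier 4663 that opened that handle with DELETE access.

```python
# Constructed Security-log records for the example. Field names follow the EventData
# names Windows uses in these events; the users, paths and handle values are made up.
EVENTS = [
    {"EventID": 4663, "SubjectUserName": "jsmith", "ObjectName": r"D:\Shares\SALES\q3.xlsx",
     "HandleId": "0x1a4", "ProcessId": "0x4", "AccessMask": "0x10000"},
    {"EventID": 4660, "SubjectUserName": "jsmith", "HandleId": "0x1a4", "ProcessId": "0x4"},
    {"EventID": 4663, "SubjectUserName": "mlee", "ObjectName": r"D:\Shares\SALES\forecast.docx",
     "HandleId": "0x2b0", "ProcessId": "0x4", "AccessMask": "0x1"},      # ReadData only
    {"EventID": 4663, "SubjectUserName": "mlee", "ObjectName": r"D:\Shares\SALES\old.txt",
     "HandleId": "0x2c8", "ProcessId": "0x4", "AccessMask": "0x10000"},  # DELETE requested, no 4660
    {"EventID": 4720, "SubjectUserName": "admin", "TargetUserName": "svc_backup"},
    {"EventID": 4738, "SubjectUserName": "admin", "TargetUserName": "jsmith"},
    {"EventID": 4726, "SubjectUserName": "admin", "TargetUserName": "tempuser"},
]

DELETE = 0x10000  # the DELETE bit in the access mask reported by event 4663

def file_deletions(events):
    """Who deleted which file. 4660 ("An object was deleted") names the handle but not
    the file, so it is correlated with the earlier 4663 that opened that handle with
    DELETE access. A 4663 with DELETE but no following 4660 is not a deletion."""
    pending = {}   # (HandleId, ProcessId) -> (user, path) for handles opened with DELETE
    deletions = []
    for ev in events:
        key = (ev.get("HandleId"), ev.get("ProcessId"))
        if ev["EventID"] == 4663 and int(ev["AccessMask"], 16) & DELETE:
            pending[key] = (ev["SubjectUserName"], ev["ObjectName"])
        elif ev["EventID"] == 4660 and key in pending:
            deletions.append(pending.pop(key))   # pop: handle values are reused later
    return deletions

# Account-management event IDs logged under "Audit User Account Management".
ACCOUNT_EVENTS = {
    4720: "account created", 4722: "account enabled", 4724: "password reset attempted",
    4725: "account disabled", 4726: "account deleted", 4738: "account changed",
    4740: "account locked out",
}

def account_changes(events):
    """User-account auditing: every account-management event with actor and target."""
    return [(ev["EventID"], ACCOUNT_EVENTS[ev["EventID"]],
             ev["SubjectUserName"], ev["TargetUserName"])
            for ev in events if ev["EventID"] in ACCOUNT_EVENTS]

if __name__ == "__main__":
    for user, path in file_deletions(EVENTS):
        print(f"{user} deleted {path}")
    for event_id, what, actor, target in account_changes(EVENTS):
        print(f"{event_id} {what}: {actor} -> {target}")
```

The deletion routine reports jsmith and q3.xlsx only: mlee opened forecast.docx for reading, and opened old.txt with DELETE access but the matching 4660 never arrived, so nothing was actually removed. Records in real use come from the Security log itself (Event Viewer, Get-WinEvent, or a SIEM export), and the handle-reuse comment is why the correlation pops the pending entry rather than leaving it in place.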
Which of the following are true regarding NIDS? (Choose two.)
A. Network traffic is analysed for malicious packets.
B. Alerts and notifications can be configured.
C. Malicious packets are dropped.
D. Laptops are protected when disconnected from the LAN.
A. Network traffic is analysed for malicious packets.
&
B. Alerts and notifications can be configured.
You are asked to analyse events in a firewall log that occurred six months ago. When you analyse the log file, you notice events go back only two months. What is the problem?
A. You must have administrative access to the logs.
B. The log file size is too small.
C. Firewalls cannot keep logs for more than two months.
D. The firewall is not patched.
B. The log file size is too small.
Your company would like to standardize how long various types of documents are kept and deleted. What is needed to do this?
A. Storage retention policy
B. RAID 0
C. Disaster recovery policy
D. RAID 1
A. Storage retention policy