SEC+ Revision Questions Understanding Monitoring and Auditing Flashcards

1
Q

Which of the following can stop in-progress attacks to your network?
A. NIDS
B. NIPS
C. Proxy server
D. Packet filtering firewall

A

A. (NIDS) Network Intrusion Detection System

2
Q

Which of the following could an administrator use to determine whether there has been unauthorized use of a wireless LAN?
A. Protocol analyzer
B. Proxy server
C. Performance Monitor
D. Wireless access point log

A

D. Wireless access point log

3
Q

You are responsible for managing an internal FTP server. A user reports that files available on the server yesterday are no longer available. Where can you look to determine what happened to the missing files?
A. Firewall log
B. FTP access log
C. FTP download log
D. FTP upload log

A

B. FTP access log

4
Q

As a Windows server administrator for server ALPHA, you configure auditing so that you can track who deletes files on file share SALES. Where will you view the audit results?
A. Security log
B. Audit log
C. Application log
D. Deletion log

A

A. Security log

5
Q

Your manager asks you to configure a honeypot to track malicious user activity. You install the host in the DMZ without any patches and configure a web site and an SMTP server on it. You have configured nothing else on the host. Identify a problem with this configuration.
A. The honeypot needs to be patched.
B. Honeypots should not run a web site.
C. Forward honeypot logs to another secured host.
D. Honeypots should not run SMTP services.

A

C. Forward honeypot logs to another secured host.

6
Q

Which of the following are true regarding behavior-based network monitoring? (Choose two.)
A. A baseline of normal behavior must be established.
B. Deviations from acceptable activity cannot be monitored.
C. New threats can be blocked.
D. A database of known attack patterns is consulted.

A

A. A baseline of normal behavior must be established.
&
C. New threats can be blocked.

7
Q

You have configured a NIPS appliance to prevent web server directory traversal attacks. What type of configuration is this?
A. Behaviour-based
B. Signature-based
C. Anomaly-based
D. Web-based

A

B. Signature-based

8
Q

An administrator reports that a Windows file server is performing much slower than it normally does. The server is fully patched and has an up-to-date virus scanner. You open an RDP connection to the server to investigate the problem. Which of the following should you first use?
A. Virus scanner
B. Port scanner
C. System restore point
D. Performance Monitor

A

D. Performance Monitor

9
Q

You have inherited the responsibility of managing an office network for which there is no documentation. As you perform desktop support duties over time, you notice many users seem to have more privileges on the network than they need. What should you do?
A. Delete and re-create all user accounts.
B. Conduct a user access and rights review.
C. Check server audit logs.
D. Enforce stronger user passwords.

A

B. Conduct a user access and rights review.

10
Q

To adhere to new corporate security guidelines, your branch offices must track details regarding visited web sites. What should you install?
A. VPN
B. Proxy server
C. Packet filtering firewall
D. NIDS

A

B. Proxy server

11
Q

Which of the following is true regarding HIDS?
A. Suspicious traffic entering the network can be blocked.
B. Encrypted transmissions cannot be monitored.
C. It must be installed on each system where needed.
D. Log files are not analysed.

A

C. It must be installed on each system where needed.

11
Q

You would like to know when user accounts are modified in any way. What should you configure?
A. Keyloggers on all user stations
B. Firewall auditing
C. User account auditing
D. Personal firewall on all user stations

A

C. User account auditing

12
Q

Which of the following are true regarding NIDS? (Choose two.)
A. Network traffic is analysed for malicious packets.
B. Alerts and notifications can be configured.
C. Malicious packets are dropped.
D. Laptops are protected when disconnected from the LAN.

A

A. Network traffic is analysed for malicious packets.
&
B. Alerts and notifications can be configured.

13
Q

You are asked to analyse events in a firewall log that occurred six months ago. When you analyse the log file, you notice events go back only two months. What is the problem?
A. You must have administrative access to the logs.
B. The log file size is too small.
C. Firewalls cannot keep logs for more than two months.
D. The firewall is not patched.

A

B. The log file size is too small.

13
Q

Your company would like to standardize how long various types of documents are kept and deleted. What is needed to do this?
A. Storage retention policy
B. RAID 0
C. Disaster recovery policy
D. RAID 1

A

A. Storage retention policy

14
Q

A Windows administrator must track key performance metrics for a group of seven Windows servers. What should she do?
A. Run Performance Monitor on each host.
B. RDP into each host and run Performance Monitor.
C. RDP into each host and check Event Viewer logs.
D. Run Performance Monitor on her machine and add counters from the other seven servers.

A

D. Run Performance Monitor on her machine and add counters from the other seven servers.

14
Q

You are a firewall appliance administrator for your company. Previously restricted outbound RDP packets are now successfully reaching external hosts, and you did not configure this firewall allowance. Where should you look to see who made the firewall change and when?
A. Security log
B. Firewall log
C. Audit log
D. Event Viewer log

A

C. Audit log

15
Q

In reviewing your firewall log, you notice a large number of your stations connecting to www.freetripsforyou.com and downloading an EXE file, sometimes in the middle of the night. Your users state they did not visit the web site. Your firewall does not allow any inbound packets initiated from the Internet. What does this indicate?
A. User stations are connecting to Windows Update to apply patches.
B. User stations have been hijacked and are downloading malware.
C. User stations are infected with a password-cracking program.
D. User stations are being controlled from the Internet through RDP.

A

B. User stations have been hijacked and are downloading malware.

16
Q

A corporate network baseline has been established over the course of two weeks. Using this baseline data, you configure your intrusion prevention systems to notify you of abnormal network activity. A new sales initiative requires sales employees to run high-bandwidth applications across the Internet. As a result, you begin receiving security alerts regarding abnormal network activity. What are these types of alerts referred to as?
A. False positives
B. False negatives
C. True positives
D. True negatives

A

A. False positives

16
Q

What can be done to prevent malicious users from tampering with log files? (Choose three.)
A. Store log files on a secured centralized logging host.
B. Encrypt archived log files.
C. Run Windows Update.
D. Generate file hashes for log files.

A

A. Store log files on a secured centralized logging host.
&
B. Encrypt archived log files.
&
D. Generate file hashes for log files.

17
Q

You have been asked to identify any irregularities from the following web server log excerpt:
199.0.14.202, -, 03/15/09, 8:33:12, W3SVC2, SERVER, 192.168.1.1, 4502
12.168.12.79, -, 03/15/09, 8:34:09, W3SVC2, SERVER, 192.168.1.1, 3455
12.168.12.79, -, 03/15/09, 17:02:26, W3SVC2, SERVER, 192.168.1.1, 4302
192.16.255.202, -, 03/15/09, 17:03:11, W3SVC2, SERVER, 192.168.1.1, 4111
A. 199.0.14.202 is not a valid IP address.
B. 192.16.255.202 is not a valid IP address.
C. Web servers cannot use 192.168.1.1.
D. The log is missing entries for a long period of time.

A

D. The log is missing entries for a long period of time.

18
Q

You are the Windows server administrator for a clothing outlet in Manhattan, New York. There are six Windows Server 2008 Active Directory computers used regularly. Files are being modified on servers during nonbusiness hours. You would like to audit who makes the changes and when. What is the quickest method of deploying your audit settings?
A. Configure audit settings using Group Policy.
B. Configure each server with the appropriate audit settings.
C. Configure one server appropriately, export the settings, and import them to the other five.
D. Delegate the audit configuration task to six other administrators.

A

A. Configure audit settings using Group Policy.

19
Q

What is the difference between a packet sniffer and a NIDS?
A. There is no difference.
B. Packet sniffers put the network card in promiscuous mode.
C. NIDS puts the network card in promiscuous mode.
D. Packet sniffers do not analyze captured traffic.

A

D. Packet sniffers do not analyze captured traffic.

20
Q

Your manager has asked you to identify which internal client computers have been controlled using RDP from the Internet. What should you do?
A. Check the logs on each computer.
B. Check the logs on your RDP servers.
C. Check your firewall log.
D. Contact your ISP and have them check their logs.

A

C. Check your firewall log.

21
Q

What is a potential problem with enabling detailed verbose logging on hosts for long periods of time?
A. There is no problem.
B. Performance degradation.
C. Network bandwidth is consumed.
D. Verbose logging consumes a user license.

A

B. Performance degradation.

22
Q

A user, Jeff, reports his client Windows 8 station has been slow and unstable since last Tuesday. What should you first do?
A. Use System Restore to revert the computer state to last Monday.
B. Check log entries for Monday and Tuesday on Jeff’s computer.
C. Run Windows Update.
D. Re-image Jeff’s computer.

A

B. Check log entries for Monday and Tuesday on Jeff’s computer.

23
Q

User workstations on your network connect through NAT to a DMZ where your Internet perimeter firewall exists. On Friday night a user connects to an inappropriate web site. You happened to have been capturing all network traffic on the DMZ at the time. How can you track which user workstation visited the web site? (Choose two.)
A. View logs on the NAT router.
B. View logs on the perimeter firewall.
C. View your packet capture.
D. View all workstation web browser histories.

A

A. View logs on the NAT router.
&
C. View your packet capture.

24
Q

An administrator is scheduling backup for Windows servers. She chooses to back up system state as well as user data folders on drive D:. What else should she have included in the backup?
A. Drive C:
B. Log files
C. Wallpaper images
D. Registry

A

B. Log files

25
Q

You are monitoring the performance on a Unix server called Alpha. Alpha is used to host concurrent remote sessions for users. You notice that long periods of intense server disk activity on Alpha coincide with remote users working with large documents stored on a separate Unix server called Bravo. What might be causing the degraded performance on Alpha?
A. There is too much network traffic.
B. The CPU is too slow.
C. The disks are too slow.
D. There is not enough RAM.

A

D. There is not enough RAM.

26
Q

A server, Charlie, runs a mission-critical database application. The application encrypts all data from connected client workstations. You would like to monitor Charlie for suspicious activity and prevent any potential attacks. What should you deploy?
A. Honeypot
B. HIPS
C. NIDS
D. PKI

A

B. HIPS

27
Q

You are reviewing forwarded log entries for your Internet-facing firewall appliance. Last year, your company did some IP restructuring and began using the 172.16.0.0/16 address space internally. You notice abnormally large amounts of traffic on the firewall appliance’s public interface within a short time frame coming from 172.16.29.97 destined for UDP port 53. Which of the following might you conclude from this information?
A. 172.16.29.97 is an invalid IP address.
B. 172.16.29.97 is a spoofed IP address.
C. The logs on the firewall appliance have been tampered with.
D. An HTTP denial-of-service attack was in progress.

A

B. 172.16.29.97 is a spoofed IP address.

28
Q

A user complains that their machine performance has degraded ever since they downloaded a free file recovery utility. You would like to rule out the possibility of any malicious network services running in the background by viewing active port numbers on the machine. Which Windows command should you use to do this?

A

netstat

29
Q

How do logging and auditing differ?
A. Logging tracks more than just security events; auditing tracks specifically configured security events.
B. Auditing tracks more than just security events; logging tracks specifically configured security events.
C. Logging can track hardware events; auditing cannot.
D. Auditing can track hardware events; logging cannot.

A

A. Logging tracks more than just security events; auditing tracks specifically configured security events.