Section 23: Monitoring and Auditing

Question 1

Signature Based Monitoring

Answer 1

Network traffic is analyzed for predetermined attack patterns

Question 2

Anomaly-based Monitoring

Answer 2

A baseline is established and any network traffic that is outside of the baseline is evaluated

Question 3

Behavior-based Monitoring

Answer 3

Activity is evaluated based on the previous behavior of applications, executables, and the OS in comparison to the current activity of the system

Question 4

Baselining

Answer 4

Process of measuring changes in networking, hardware, software, and applications

Question 5

Security Posture

Answer 5

The amount of risk you want to take in; it’s like the target you want to reach in your security

Question 6

What is a protocol analyzer?

Answer 6

Captures and analyzes network traffic; can be connected in promiscuous mode (captures everything) or non-promiscuous mode (only capturing packets address to the specific machine)

Question 7

Port Mirroring

Answer 7

One more switch ports are configured to send their packets to another switch

Question 8

SNMP

Answer 8

Aids in monitoring network-attached devices and computers

Question 9

Agents

Answer 9

Software that is loaded onto the system so you can manage it

Question 10

SNMPv3

Answer 10

Version of SNMP that provides integrity, authentication, and encryption of the messages being sent over the network (don’t use 1 and 2)

Question 11

Logs are considered as being part of ______

Answer 11

Auditing

Question 12

Logs

Answer 12

Data files that contain the accounting an audit trail for actions performed by a user on the computer or network

Question 13

Security Logs

Answer 13

Logging on and off the system

Question 14

System Logs

Answer 14

crashing, etc.

Question 15

Application Logs

Answer 15

Logs the events for the OS and third party apps

Question 16

SYSLOG uses what port?

Answer 16

514 UDP

Question 17

Log File Maintenance

Answer 17

Actions taken to ensure the proper creation and storage of a log file, such as the proper configuration, saving, backing up, securing and encrypting of the log files

Question 18

Log files should not be saved on _________

Answer 18

the same device on which the logs are collected

Question 19

Protecting Logs. How do you do it?

Answer 19

Save your logs to an encrypted folder on the server and have good backup processes in place

Question 20

SIEM

Answer 20

A solution that provides real time or near real time analysis of security alerts generated by network hardware and applications

Question 21

Syslog

Answer 21

Allows you to collect your logs and send them to a central server

Question 22

SOAR

Answer 22

Security Orchestration, Automation, and Response - A class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment (think of it as SIEM 2.0)

Question 23

Playbook

Answer 23

A checklist of actions to perform to detect and respond to a specific type of incident

Question 24

Runbook

Answer 24

An automated version of a playbook that leaves clearly defined interaction points for human analysis