Understanding Monitoring and Auditing

Question 1

Which of the following can stop in-progress attacks on your network?

NIDS

NIPS

Proxy server

Answer 1

NIPS

A network-based intrusion prevention system (NIPS) analyzes network traffic patterns, generates event logs and alerts system administrators to events, and sometimes stops potential intrusions. Some implementations have a database of known attack patterns, while others can take notice of abnormal traffic for a specific network. The administrator can then take measures to stop the attack, such as dropping offending packets

Question 2

Which of the following could an administrator use to determine whether there has been unauthorized use of a wireless LAN?

Proxy server

Performance Monitor

Wireless access point log

Answer 2

Wireless access point log

A wireless access point log can reveal all wireless LAN activity. Some access points may require you to enable logging

Question 3

You are responsible for managing an internal FTP server. A user reports that files available on the server yesterday are no longer available. Where can you look to determine what happened to the missing files?

Firewall log

FTP access log

FTP download log

Answer 3

FTP access log

File Transfer Protocol (FTP) access logs list file activity on FTP servers, including file deletions or renames

Question 4

As a Windows server administrator for server ALPHA, you configure auditing so that you can track who deletes files on the file share SALES. Where will you view the audit results?

Security log

Audit log

Application log

Answer 4

Security log

Windows machines write audit data to the Event Viewer security log. A centralized SIEM system can store audit log data from many devices in a single repository where the data is written once but can be read many times—write once read many (WORM). WORM functionality is sometimes required for regulatory compliance. An additional benefit is deduplication of similar events, which results in less storage space consumed and quicker searching

Question 5

Your manager asks you to configure a honeypot to track malicious user activity. You install the host in the DMZ without any patches and configure a web site and an SMTP server on it. You have configured nothing else on the host. Identify a problem with this configuration.

The honeypot needs to be patched.

Honeypots should not run a web site.

Honeypot logs are not forwarded to another secured host.

Answer 5

Honeypot logs are not forwarded to another secured host.

The honeypot host is unpatched and is therefore vulnerable, so storing the only copy of log files on a honeypot means attackers could delete the contents of logs to remove all traces of their malicious activity

Question 6

Which of the following are true regarding behavior-based network monitoring? (Choose two.)

A baseline of normal behavior must be established.

Deviations from acceptable activity cannot be monitored.

New threats can be blocked.

A database of known attack patterns is consulted.

Answer 6

A baseline of normal behavior must be established.

New threats can be blocked.

Behavior-based monitoring detects activity that deviates from the norm. A baseline is required to establish what normal is. Because of this, new attacks could potentially be stopped if they do not conform to normal network usage patterns

Question 7

You have configured a NIPS appliance to prevent web server directory traversal attacks. What type of configuration is this?

Behavior-based

Signature-based

Anomaly-based

Answer 7

Signature-based

Comparing known attacks against current activity is called signature-based detection

Question 8

An administrator reports that a Windows file server is performing much slower than it normally does. The server is fully patched and has an up-to-date virus scanner. You open an RDP connection to the server to investigate the problem. Which of the following should you first use?

Port scanner

System restore point

Performance Monitor

Answer 8

Performance Monitor

Windows machines include Performance Monitor to measure which aspect of the software or hardware is not performing as well as it should

Question 9

You have inherited the responsibility of managing an office network for which there is no documentation. As you perform desktop support duties over time, you notice many users seem to have more privileges on the network than they need. What should you do?

Delete and re-create all user accounts.

Conduct a user access and rights review.

Check server audit logs.

Answer 9

Conduct a user access and rights review.

A user access and rights review identifies the rights and permissions users must have compared to what they have been given. In this case, the review would reveal what needs to be changed so users have only the rights needed to do their jobs

Question 10

To adhere to new corporate security guidelines, your branch offices must track details regarding visited web sites. What should you install?

VPN

Proxy server

Packet-filtering firewall

Answer 10

Proxy server

Proxy servers can track detailed web-surfing activity including site visited, time of day, user account name, and so on. The reliability of this data relies heavily upon time synchronization of all network devices

Question 11

You would like to know when user accounts are modified in any way. What should you configure?

Keyloggers on all user stations

Firewall auditing

User account auditing

Answer 11

User account auditing

Enabling auditing of user account administrative activities will log any modifications made to user accounts

Question 12

Which of the following are true regarding NIDS? (Choose two.)

Network traffic is analyzed for malicious packets.

Alerts and notifications can be configured.

Malicious packets are dropped.

Laptops are protected when disconnected from the LAN.

Answer 12

Network traffic is analyzed for malicious packets.

Alerts and notifications can be configured.

A NIDS does analyze network traffic for malicious packets; if it finds any, it then triggers an alert or notification

Question 13

Which of the following is true regarding HIDS?

Suspicious traffic entering the network can be blocked.

Encrypted transmissions cannot be monitored.

It must be installed on each system where needed.

Answer 13

It must be installed on each system where needed.

A HIDS is a host-based solution and thus must be installed on individual hosts. A HIDS has the benefit of being very application specific

Question 14

Your company would like to standardize how long various types of documents are kept and deleted. What is needed to do this?

Storage retention policy

RAID 0

Disaster recovery policy

Answer 14

Storage retention policy

Storage retention policies are sometimes mandated by government regulation. Even if they are not, this type of policy states how and where data is stored, how it is backed up, how long it must be kept, and how it is to be disposed of

Question 15

You are asked to analyze events in a firewall log that occurred six months ago. When you analyze the log file, you notice events go back only two months. What is the problem?

You must have administrative access to the logs.

The log file size is too small.

Firewalls cannot keep logs for more than two months.

Answer 15

The log file size is too small.

The firewall is probably configured to overwrite the oldest log entries after the maximum log size has been reached. Even in this case, however, there are normally log archival options available for configuration

Question 16

A Windows administrator must track key performance metrics for a group of seven Windows servers. What should she do?

Run Performance Monitor on each host.

RDP into each host and check Event Viewer logs.

Run Performance Monitor on her machine and add counters from the other seven servers.

Answer 16

Run Performance Monitor on her machine and add counters from the other seven servers.

Like many Microsoft administrative tools, Performance Monitor can run locally but can display data (performance counters) added from remote hosts

Question 17

You are a firewall appliance administrator for your company. Previously restricted outbound RDP packets are now successfully reaching external hosts, and you did not configure this firewall allowance. Where should you look to see who made the firewall change and when?

Security log

Firewall log

Audit log

Answer 17

Audit log

Audit logs differ from regular activity logs because they record administrative configuration activities, such as modifying firewall rules

Question 18

A corporate network baseline has been established over the course of two weeks. Using this baseline data, you configure your intrusion prevention systems to notify you of abnormal network activity. A new sales initiative requires sales employees to run high-bandwidth applications across the Internet. As a result, you begin receiving security alerts regarding abnormal network activity. Which of the following types of alerts do you receive?

False positives

False negatives

True positives

Answer 18

False positives

False positives report there is a problem when in fact there is none, such as in this case. The alert should still be checked to ensure that an attack is not coinciding with this new network activity

Question 19

What can be done to prevent malicious users from tampering with log files? (Choose three.)

Store log files on a secured centralized logging host.

Encrypt archived log files.

Run Windows Update.

Generate file hashes for log files.

Answer 19

Store log files on a secured centralized logging host.

Encrypt archived log files.

Generate file hashes for log files.

Log files should be encrypted and stored on secured centralized hosts, so if a machine is compromised, there is still a copy of the log. File hashes ensure that files have not been tampered with in any way; a modified file generates a different hash

Question 20

You are the Windows server administrator for a clothing outlet in Manhattan, New York. Six Windows Server 2008 Active Directory computers are used regularly. Files are being modified on servers during nonbusiness hours. You want to audit the system to determine who made the changes and when. What is the quickest method of deploying your audit settings?

Configure audit settings using Group Policy.

Configure each server with the appropriate audit settings.

Configure one server appropriately, export the settings, and import them to the other five.

Answer 20

Configure audit settings using Group Policy.

In an Active Directory environment, Group Policy can be used to deliver settings to domain computers, such as audit settings for servers

Question 21

What is the difference between a packet sniffer and a NIDS?

Packet sniffers put the network card in promiscuous mode.

NIDS puts the network card in promiscuous mode.

Packet sniffers do not analyze captured traffic.

Answer 21

Packet sniffers do not analyze captured traffic.

Packet sniffers (protocol analyzers) capture network traffic, but they do not analyze it in any way

Question 22

Your manager has asked you to identify which internal client computers have been controlled using RDP from the Internet. What should you do?

Check the logs on each computer.

Check the logs on your RDP servers.

Check your firewall log.

Answer 22

Check your firewall log.

Since RDP connections from the Internet would go through the firewall, it would be quickest and easiest to consult your firewall log

Question 23

What is a potential problem with enabling detailed verbose logging on hosts for long periods of time?

There is no problem.

It causes performance degradation.

Network bandwidth is consumed.

Answer 23

It causes performance degradation.

Detailed verbose logging presents much more log data than normal logging; therefore, performance is affected. Depending on what is being logged and how much activity there is will determine how much performance degradation will occur

Question 24

A user, Jeff, reports his client Windows 8 station has been slow and unstable since last Tuesday. What should you first do?

Use System Restore to revert the computer state to last Monday.

Check log entries for Monday and Tuesday on Jeff’s computer.

Run Windows Update.

Answer 24

Check log entries for Monday and Tuesday on Jeff’s computer.

Before jumping the gun and reimaging or applying a restore point, first check the log files for any indication of changes before the machine became slow and unstable

Question 25

User workstations on your network connect through NAT to a DMZ where your Internet perimeter firewall exists. On Friday night, a user connects to an inappropriate web site. You happened to have been capturing all network traffic on the DMZ at the time. How can you track which user workstation visited the web site? (Choose two.)

View logs on the NAT router.

View logs on the perimeter firewall.

View your packet capture.

View all workstation web browser histories.

Answer 25

View logs on the NAT router.

View your packet capture.

NAT router logs will list which internal addresses were translated and at what time. This could be used in correlation with captured packet time stamps to establish who visited the web site

Question 26

An administrator is scheduling backup for Windows servers. She chooses to back up system state as well as user data folders on drive D:. What else should she have included in the backup?

Drive C:

Log files

Wallpaper images

Answer 26

Log files

Log files must be backed up along with user data and system configuration data

Question 27

You are monitoring the performance on a UNIX server called Alpha. Alpha is used to host concurrent remote sessions for users. You notice that long periods of intense server disk activity on Alpha coincide with remote users working with large documents stored on a separate UNIX server called Bravo. What might be causing the degraded performance on Alpha?

There is too much network traffic.

The CPU is too slow.

There is not enough RAM.

Answer 27

There is not enough RAM.

Lack of RAM causes the oldest used data in RAM to be swapped to disk to make room for what must now be placed in RAM (many large documents). This sometimes makes it appear as if the disk is the problem

Question 28

A server, Charlie, runs a mission-critical database application. The application encrypts all data from connected client workstations. You would like to monitor Charlie for suspicious activity and prevent any potential attacks. What should you deploy?

Honeypot

HIPS

NIDS

Answer 28

HIPS

To monitor specific apps running on host computers and prevent potential attacks, you should deploy a HIPS

Question 29

You are reviewing forwarded log entries for your Internet-facing firewall appliance. Last year, your company did some IP restructuring and began using the 172.16.0.0/16 address space internally. You notice abnormally large amounts of traffic within a short time frame coming from the firewall appliance’s public interface, 172.16.29.97, destined for UDP port 53. Which of the following might you conclude from this information?

172. 16.29.97 is an invalid IP address.
173. 16.29.97 is a spoofed IP address.

The logs on the firewall appliance have been tampered with.

Answer 29

172.16.29.97 is a spoofed IP address.

From the list of choices, the most likely answer is that 172.16.29.97 was a spoofed IP address. IP addresses used on the internal network should not be coming into the network from the outside

Question 30

How do logging and auditing differ?

Logging tracks more than just security events; auditing tracks specifically configured security events.

Auditing tracks more than just security events; logging tracks specifically configured security events.

Logging can track hardware events; auditing cannot.

Answer 30

Logging tracks more than just security events; auditing tracks specifically configured security events.

Logging tracks many different types of events related to hardware and software, but auditing specifically tracks security-related events that have been preconfigured

Question 31

Your network consists of PLCs that control robotic machinery as well as Linux servers and Windows desktops. Administrators complain that there are too many similar log events in reports and notifications via e-mail. A solution that can aggregate similar events is needed. What should you suggest?

PowerShell

SIEM

SCCM

Answer 31

SIEM

Security information and event management (SIEM) tools provide a centralized way to monitor and manage security incidents. SIEM solutions also combine, or aggregate, like events to reduce duplicate event notifications and provide reports that correlate data