Understanding Monitoring and Auditing Flashcards
Which of the following can stop in-progress attacks on your network?
NIDS
NIPS
Proxy server
NIPS
A network-based intrusion prevention system (NIPS) analyzes network traffic patterns, generates event logs and alerts system administrators to events, and sometimes stops potential intrusions. Some implementations have a database of known attack patterns, while others can take notice of abnormal traffic for a specific network. The administrator can then take measures to stop the attack, such as dropping offending packets
Which of the following could an administrator use to determine whether there has been unauthorized use of a wireless LAN?
Proxy server
Performance Monitor
Wireless access point log
Wireless access point log
A wireless access point log can reveal all wireless LAN activity. Some access points may require you to enable logging
You are responsible for managing an internal FTP server. A user reports that files available on the server yesterday are no longer available. Where can you look to determine what happened to the missing files?
Firewall log
FTP access log
FTP download log
FTP access log
File Transfer Protocol (FTP) access logs list file activity on FTP servers, including file deletions or renames
As a Windows server administrator for server ALPHA, you configure auditing so that you can track who deletes files on the file share SALES. Where will you view the audit results?
Security log
Audit log
Application log
Security log
Windows machines write audit data to the Event Viewer security log. A centralized SIEM system can store audit log data from many devices in a single repository where the data is written once but can be read many times—write once read many (WORM). WORM functionality is sometimes required for regulatory compliance. An additional benefit is deduplication of similar events, which results in less storage space consumed and quicker searching
Your manager asks you to configure a honeypot to track malicious user activity. You install the host in the DMZ without any patches and configure a web site and an SMTP server on it. You have configured nothing else on the host. Identify a problem with this configuration.
The honeypot needs to be patched.
Honeypots should not run a web site.
Honeypot logs are not forwarded to another secured host.
Honeypot logs are not forwarded to another secured host.
The honeypot host is unpatched and is therefore vulnerable, so storing the only copy of log files on a honeypot means attackers could delete the contents of logs to remove all traces of their malicious activity
Which of the following are true regarding behavior-based network monitoring? (Choose two.)
A baseline of normal behavior must be established.
Deviations from acceptable activity cannot be monitored.
New threats can be blocked.
A database of known attack patterns is consulted.
A baseline of normal behavior must be established.
New threats can be blocked.
Behavior-based monitoring detects activity that deviates from the norm. A baseline is required to establish what normal is. Because of this, new attacks could potentially be stopped if they do not conform to normal network usage patterns
You have configured a NIPS appliance to prevent web server directory traversal attacks. What type of configuration is this?
Behavior-based
Signature-based
Anomaly-based
Signature-based
Comparing known attacks against current activity is called signature-based detection
An administrator reports that a Windows file server is performing much slower than it normally does. The server is fully patched and has an up-to-date virus scanner. You open an RDP connection to the server to investigate the problem. Which of the following should you first use?
Port scanner
System restore point
Performance Monitor
Performance Monitor
Windows machines include Performance Monitor to measure which aspect of the software or hardware is not performing as well as it should
You have inherited the responsibility of managing an office network for which there is no documentation. As you perform desktop support duties over time, you notice many users seem to have more privileges on the network than they need. What should you do?
Delete and re-create all user accounts.
Conduct a user access and rights review.
Check server audit logs.
Conduct a user access and rights review.
A user access and rights review identifies the rights and permissions users must have compared to what they have been given. In this case, the review would reveal what needs to be changed so users have only the rights needed to do their jobs
To adhere to new corporate security guidelines, your branch offices must track details regarding visited web sites. What should you install?
VPN
Proxy server
Packet-filtering firewall
Proxy server
Proxy servers can track detailed web-surfing activity including site visited, time of day, user account name, and so on. The reliability of this data relies heavily upon time synchronization of all network devices
You would like to know when user accounts are modified in any way. What should you configure?
Keyloggers on all user stations
Firewall auditing
User account auditing
User account auditing
Enabling auditing of user account administrative activities will log any modifications made to user accounts
Which of the following are true regarding NIDS? (Choose two.)
Network traffic is analyzed for malicious packets.
Alerts and notifications can be configured.
Malicious packets are dropped.
Laptops are protected when disconnected from the LAN.
Network traffic is analyzed for malicious packets.
Alerts and notifications can be configured.
A NIDS does analyze network traffic for malicious packets; if it finds any, it then triggers an alert or notification
Which of the following is true regarding HIDS?
Suspicious traffic entering the network can be blocked.
Encrypted transmissions cannot be monitored.
It must be installed on each system where needed.
It must be installed on each system where needed.
A HIDS is a host-based solution and thus must be installed on individual hosts. A HIDS has the benefit of being very application specific
Your company would like to standardize how long various types of documents are kept and deleted. What is needed to do this?
Storage retention policy
RAID 0
Disaster recovery policy
Storage retention policy
Storage retention policies are sometimes mandated by government regulation. Even if they are not, this type of policy states how and where data is stored, how it is backed up, how long it must be kept, and how it is to be disposed of
You are asked to analyze events in a firewall log that occurred six months ago. When you analyze the log file, you notice events go back only two months. What is the problem?
You must have administrative access to the logs.
The log file size is too small.
Firewalls cannot keep logs for more than two months.
The log file size is too small.
The firewall is probably configured to overwrite the oldest log entries after the maximum log size has been reached. Even in this case, however, there are normally log archival options available for configuration