Monitoring and Auditing Flashcards by Zack Robin

What is signature based monitoring?

Where network traffic is analyzed for predetermined attack patterns or “signatures”

This method has the least false positives

How well did you know this?

Not at all

Perfectly

What type of monitoring has the least false positives?

Signature-based

How well did you know this?

Not at all

Perfectly

What is anomaly based monitoring?

Where a baseline is established and any network traffic that deviates from the baseline is evaluated

How well did you know this?

Not at all

Perfectly

What is behavior based monitoring?

When activity is evaluated based on the previous behavior of applications, files and OS in comparison to the current activity.

Most false positives

How well did you know this?

Not at all

Perfectly

What type of monitoring has the most false positives?

Behavior based

How well did you know this?

Not at all

Perfectly

What is baselining?

Process of measuring changes in the system based on deviations from a “baseline”

How well did you know this?

Not at all

Perfectly

What is baseline reporting?

Documenting and reporting changes in a baseline

How well did you know this?

Not at all

Perfectly

What is security posture?

Risk level to which a system element is exposed

How well did you know this?

Not at all

Perfectly

What is an example of a common performance monitoring tool?

Windows Performance Monitor (perfmon.exe)

How well did you know this?

Not at all

Perfectly

What is a protocol analyzer ?

A tool used to capture and analyze network traffic

How well did you know this?

Not at all

Perfectly

Give an example of a protocol analyzer

Wireshark

How well did you know this?

Not at all

Perfectly

What is promiscuous mode?

Where the network adapter captures all packets on the network

How well did you know this?

Not at all

Perfectly

What is non promiscuous mode?

Where the network adapter only captures packets to itself directly

How well did you know this?

Not at all

Perfectly

What is port mirroring?

Where one or more switch ports are configured to forward all packets to another port on the switch

How well did you know this?

Not at all

Perfectly

What is a SPAN port?

The port used in port mirroring

How well did you know this?

Not at all

Perfectly

What is a network tap?

Physical device that allows you to intercept network traffic

How well did you know this?

Not at all

Perfectly

What is SNMP?

Simple Network Management Protocol - aids in monitoring network attached devices and computers

How well did you know this?

Not at all

Perfectly

What are managed devices in SNMP?

Computers and other devices that are monitored through the use of agents by a network management system

How well did you know this?

Not at all

Perfectly

What is an agent in SNMP ?

Software that is loaded on a managed device to redirect info to the network management system

What is a network management system ?

Software run on one or more servers to control monitoring of all network attached devices

What is the issue with versions 1 and 2 of SNMP

Lack of security due to the use of community strings - public (read only) or private (allows read write access)

What makes SNMP version 3 better?

Version 3 provides integrity, authentication and encryption of the messages being sent over the network

How does SNMP V3 provide integrity, authentication and encryption?

Messages are hashed before transmission
Message source is validated
DES encryption

What is in band communication

In SNMP, when data is sent over the network you are using

Cheaper, easier, less secure

What is out of band communication

In SNMP, a secondary network is created where all management occurs Most secure since the management data is separated from the general network traffic

What is auditing

Technical assessment conducted on applications, systems and networks

What is one of the main aspects of auditing?

Viewing of security logs

What are log files?

Data files that contain the accounting and audit trail for actions performed by a user on a network

What types of logs should be audited?

security, system and application logs

What is an example of security logs?

Logging events such as successful and unsuccessful user logons

What is an example of system logs?

Logging events such as system shutdown or driver failure

What is an example of application logs?

Logging events for the OS and third party applications

What can be used to consolidate all logs into a single repo?

SYSLOG

What is SYSLOG?

Protocol enabling the transmission of logs or event records to a central server

What is a SYSLOG server?

centralized monitoring server

What port does SYSLOG use?

514 over UDP

Where should log files save to? Why?

A different partition or external server. If the system gets attacked the log files will still be safe

Why are log files important?

They allow us to reconstruct an event after it occurs

How would overwriting log files work?

When the max log size is reached, the system can begin overwriting the oldest events in the log files to make room

What is WORM?

Write Once Read Many - data is written only once but read an unlimited times (Think DVD-R)

What is the advantage of WORM?

If someone hacks your server and you've written to something like a DVD-R, they cannot modify/delete your log files

Where should you save log files to?

Encrypted folder on the server

What is SIEM?

Solution that provides real time analysis of security alerts generated by network hardware and applications

What are the 3 components of SYSLOG message architecture?

PRI code, Header, Message

What is SOAR?

Security Orchestration Automation and Response - class of security tools that facilitate incident response, threat hunting and security configs through automation of runbooks - Basically SIEM 2.0

What is SOAR primarily used for?

Incident response since it can automate abilities

What is a playbook?

Checklist of actions to perform to detect and respond to a specific incident