Monitoring for Security Threats Flashcards
You are setting initial performance baselines for an important database server. Which of the following collected data is considered a good indication of a system performance baseline?
Network bandwidth usage per hour for a 24-hour period
CPU processing trends measured during typical working hours
CPU, memory, and network usage data collected for an entire week
CPU, memory, and network usage data collected for an entire week
To establish a performance baseline, you must measure your system activity for 24 hours per day for at least seven continuous days. This ensures that you have data for an entire week's worth of activity, including working hours, nonworking hours, and weekends. Simply sampling performance data for a few hours during the day will not provide a sufficient indication of performance trends.
A signature-based monitoring system has failed to detect an attack on one of your web servers. Which of the following is the most likely cause?
Signature-based systems scan only outbound traffic.
You did not properly implement an access rule for that type of attack.
This is a new type of attack that has no signature available yet.
This is a new type of attack that has no signature available yet.
Signature-based systems are powerful and efficient because they rely on the collective knowledge of security vendors, who analyze and collect information on Internet security threats and trends and can update their databases very quickly when new threats arise. However, they are unable to detect very new attacks that do not yet have signatures available.
Which of the following types of scanning methodologies checks for anomalous behavior on a system that differs from its routine baseline performance?
Behavioral-based
Rule-based
Signature-based
Behavioral-based
Behavior-based monitoring systems start from a baseline of normal system behavior and then learn from these system performance profiles to recognize behavioral anomalies that exceed the thresholds of the system's normal baseline.
Your building’s physical security is very critical, and you need to implement procedures to deal with security issues in the event of a malfunction with the security card access control system or a power outage. For maximum security, which of the following concepts should you use in your implementation?
Surveillance video
Fail-open security
Fail-secure security
Fail-secure security
Fail-secure means that you implement maximum security in the event of a failure or malfunction. In this example, making sure doors stay locked during an access card reader malfunction or power outage applies the fail-secure concept.
Due to downsizing, your department of IT administrators has been drastically reduced, and the time available to monitor your security applications and logs is at a minimum. Which of the following logging procedures would reduce the amount of time needed to examine and analyze several different logs?
Disabling logging
Logging only minor errors
Logging only warning and critical errors
Logging only warning and critical errors
To reduce the number of minor and informational messages in the logs, administrators should configure their logging systems to log only warning and critical error messages. This reduces the resources required to store logs and the time required to analyze them, because only the most important data is logged.
You are auditing a performance log for your web server. Which of the following performance statistics may indicate a security issue?
Disk space free at 70 percent
Memory usage at 45 percent on average
CPU usage at 99 percent 75 percent of the time
CPU usage at 99 percent 75 percent of the time
A system running with its CPU usage at 99 percent for a long time can indicate that some anomalous process (such as a virus, Trojan horse, or worm) is causing CPU processing to spike beyond the normal system operating baseline.
During routine examination of the firewall logs, you notice that a specific host is attempting to connect to the same internal IP address starting at port 1 and continuing to port 65525. Which of the following issues could this be evidence of?
A ping sweep of a server on your network
Port scanning of a server on your network
Normal behavior for network diagnostics
Port scanning of a server on your network
A host system that is scanning a server for any open ports across the entire port range indicates that a port-scanning program is being used to determine which services are running and which ports are open and available. A malicious hacker might be trying to find vulnerabilities and attack your system.
After a security audit, which of the following items would not be considered anomalous behavior?
Several unsuccessful attempts to log in as the administrator
Error messages in the system’s log that indicate excessive disk usage
A member of the sales group accessing the sales group’s shared file directory
A member of the sales group accessing the sales group’s shared file directory
A member of a group accessing the shared files for the group to which she belongs does not constitute anomalous behavior; however, ping sweeps against the firewall, disk error messages in the system's log, and several attempts to access the administrator account are all security issues that should be carefully examined.
You are developing a security policy for a SCADA system. Which of the following should be the first consideration?
Extra firewalls
More IDS coverage within the network
Internet connectivity
Internet connectivity
The first thing to consider for SCADA systems is their Internet connectivity. SCADA systems should never be connected to the Internet, and only rarely to other networked systems.