Understanding Monitoring and Auditing Flashcards

1
Q

Which of the following can stop in-progress attacks on your network?

Network IDS

Network IPS

Proxy server

A

Network IPS

A network-based intrusion prevention system (NIPS) sits inline on the traffic path, so besides analyzing traffic patterns, generating event logs, and alerting administrators, it can stop an attack in progress by itself, for example by dropping the offending packets or resetting the connection. Some implementations match traffic against a database of known attack patterns (signatures), while others flag traffic that deviates from the network's normal baseline. A network IDS sees only a copy of the traffic (from a SPAN port or tap) and can alert but not block, and a proxy server mediates client requests rather than stopping attacks. IPS and other device logs and alerts can be centrally collected, aggregated, correlated, and reported on by a SIEM system.

2
Q

Which of the following would an administrator most likely use to determine whether there has been unauthorized use of a wireless LAN?

Protocol analyzer

Performance Monitor

Wireless access point logs

A

Wireless access point logs

Wireless access point and wireless router logs record wireless LAN activity such as client associations and authentication attempts, with client MAC addresses and time stamps, which is what reveals unauthorized use. Some access points require you to enable logging first. In an enterprise, log events should be forwarded to a central logging host to facilitate the detection of suspicious activity. A protocol analyzer shows traffic but not a history of who connected, and Performance Monitor measures host performance, not wireless access.

3
Q

You are responsible for managing an internal FTP server. A user reports that files available on the server yesterday are no longer available. Where can you look to determine what happened to the missing files?

Firewall log

FTP access log

FTP download log

A

FTP access log

File Transfer Protocol (FTP) access logs record file activity on the FTP server, including deletions and renames. A firewall log shows only that connections to the FTP port occurred, and a download log would record transfers, not the removal of files.

4
Q

As a Windows server administrator for server ALPHA, you configure auditing so that you can track who deletes files on the file share SALES. Where will you view the audit results?

Security log

Audit log

Application log

A

Security log

Windows records audit events in the Event Viewer Security log. A centralized SIEM can store audit data from many devices in a single repository on write once, read many (WORM) storage, where entries cannot be altered or deleted once written but can be read any number of times; WORM retention is sometimes required for regulatory compliance. An additional benefit of central collection is deduplication of similar events, which reduces the storage consumed and speeds up searching.

5
Q

Your manager asks you to configure a honeypot to track malicious user activity. You install the host in the screened subnet without any patches and configure a web site and an SMTP server on it. You have configured nothing else on the host. Identify a problem with this configuration.

The honeypot needs to be patched.

Honeypots should not run a web site.

Honeypot logs are not being forwarded to another secured host.

A

Honeypot logs are not being forwarded to another secured host.

Leaving the honeypot unpatched is intentional, since it is meant to attract attackers, but that also means the host should be assumed compromised. By default a host keeps the only copy of its log files locally, so an attacker who takes over the honeypot can delete the logs and remove all traces of the very activity you set it up to observe. Forward the logs as they are generated to a separate, hardened collector so a copy survives even if the honeypot is wiped.

6
Q

Which of the following are true regarding behavior-based network monitoring? (Choose two.)

A baseline of normal behavior must be established.

Deviations from acceptable activity cannot be monitored.

New threats can be blocked.

A database of known attack patterns is consulted.

A

A baseline of normal behavior must be established.

New threats can be blocked.

Behavior-based (anomaly-based) monitoring flags activity that deviates from an established norm, so a baseline of normal activity must be captured first; the baseline should come from a known-clean, representative period, or malicious activity already present is recorded as normal. Because detection does not depend on recognizing a specific attack, new threats can potentially be blocked when they do not conform to normal usage patterns. Consulting a database of known attack patterns is signature-based monitoring.

7
Q

You have configured a network-based IPS appliance to prevent web server directory traversal attacks. What type of configuration is this?

Behavior-based

Signature-based

Anomaly-based

A

Signature-based

Comparing current activity against patterns of known attacks is signature-based detection. Directory traversal is a well-known attack with a recognizable pattern (sequences such as ../ in a request path), so a rule describing that pattern is a signature; it needs no baseline of normal traffic, which is what behavior- or anomaly-based detection would rely on.
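
The following is an added example, not part of the flashcards, showing the logic behind a signature-based rule for directory traversal and the normalization step that decides whether the signature is any good. The sample request paths are constructed, and real IPS rules (Snort, Suricata) use their own syntax rather than this Python.

```python
"""Added example (not from the flashcards): the logic behind a signature-based rule
for web directory traversal.  A signature matches a known pattern, here ".." used as
a path component to climb out of the web root, so it needs no baseline.  It is,
however, only as good as its normalization: the same pattern can be hidden behind
URL encoding.  The sample requests are constructed, and real IPS rules (Snort,
Suricata) use their own syntax rather than this Python."""
import re
from urllib.parse import unquote

# ".." as a whole path component: preceded by start-of-path or "/", followed by "/" or end.
TRAVERSAL_SIG = re.compile(r"(^|/)\.\.(/|$)")


def naive_match(path):
    """Apply the signature to the raw request path, as a careless rule would."""
    return bool(TRAVERSAL_SIG.search(path))


def normalize(path, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), then fold
    backslashes to slashes so Windows-style traversal hits the same signature."""
    prev = None
    for _ in range(max_rounds):
        if path == prev:
            break
        prev, path = path, unquote(path)
    return path.replace("\\", "/")


def signature_match(path):
    """Apply the signature after normalization, as a hardened rule should."""
    return bool(TRAVERSAL_SIG.search(normalize(path)))


# Constructed request paths as they would appear in an HTTP request line.
SAMPLE_PATHS = [
    "/images/logo.png",                        # benign
    "/static/..hidden/file",                   # benign: ".." is not a whole component
    "/../../etc/passwd",                       # plain traversal
    "/%2e%2e/%2e%2e/etc/passwd",               # URL-encoded dots
    "/%252e%252e%252fetc%252fpasswd",          # double-encoded
    "/a/..\\..\\windows\\win.ini",             # backslash separators
]


def scan(paths=SAMPLE_PATHS):
    """Return {path: (naive_result, hardened_result)} for each request path."""
    return {p: (naive_match(p), signature_match(p)) for p in paths}
```

The naive rule catches only the plain form; after decoding and separator folding the same signature also catches the encoded, double-encoded and backslash variants while still ignoring a legitimate component such as "..hidden".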

8
Q

An administrator reports that a Windows file server is performing much slower than it normally does. The server is fully patched and has an up-to-date virus scanner. You open an RDP connection to the server to investigate the problem. Which of the following should you first use?

Port scanner

System restore point

Performance Monitor

A

Performance Monitor

Windows includes Performance Monitor, which measures which aspect of the hardware or software (CPU, memory, disk, network) is not performing as well as it should. A port scanner does not diagnose a performance problem, and reverting to a restore point before knowing what changed could discard the evidence.

9
Q

You have inherited the responsibility of managing an office network for which there is no documentation. As you perform desktop support duties over time, by viewing network and host configuration reports you notice many users seem to have more privileges on the network than they need. What should you do?

Delete and re-create all user accounts.

Conduct a user access and rights review.

Check server audit logs.

A

Conduct a user access and rights review.

A user access and rights review compares the rights and permissions users have been granted against what they need for their jobs. Here the review would reveal what must be changed so users have only the rights they need (least privilege). Deleting and re-creating accounts is disruptive and does not by itself establish the correct rights, and server audit logs show what users did, not what they are permitted to do.

10
Q

To adhere to new corporate security guidelines, your branch offices must track details regarding web sites visited by employees. What should you install to track this activity?

VPN

Proxy server

Packet-filtering firewall

A

Proxy server

Proxy servers can log detailed web-surfing activity, including the site visited, the time of day, and the user account name. Correlating those records with other logs relies heavily on time synchronization (for example, via NTP) across all network devices. A VPN or a packet-filtering firewall can record connections but not this level of per-user web detail.

11
Q

Which of the following are true regarding a network-based IDS? (Choose two.)

Network traffic is analyzed for malicious packets.

Alerts and notifications can be configured.

Malicious packets are dropped.

Laptops are protected when disconnected from the LAN.

A

Network traffic is analyzed for malicious packets.

Alerts and notifications can be configured.

A NIDS monitors and analyzes network traffic for malicious packets and, when it finds any, triggers an alert or notification. Because it sees only a copy of the traffic, it cannot drop packets (that requires an inline IPS), and being network based it offers no protection to a laptop once it leaves the monitored LAN.

12
Q

Which of the following is true regarding a HIDS?

Suspicious traffic entering the network can be blocked.

Encrypted transmissions cannot be monitored.

It must be installed on each system where needed.

A

It must be installed on each system where needed.

A HIDS is a host-based solution and thus must be installed on each host to be protected. Its benefits are that it can be very application specific, it monitors its host at all times (including when the host is off the corporate network), and, because it runs on the endpoint, it can examine data after decryption that a network sensor would see only as ciphertext. Blocking suspicious traffic entering the network is the job of a network IPS.

13
Q

You are asked to analyze events in a firewall log that occurred six months ago. When you analyze the log file, you notice events go back only two months. What is most likely the problem?

You must have administrative access to the logs.

The log file size is too small.

Firewalls cannot keep logs for more than two months.

A

The log file size is too small.

The firewall is probably configured to overwrite the oldest log entries once the maximum log file size is reached. Even so, log archival or forwarding to a central log host is normally available; keeping logs only on the device means they are gone once the file wraps.

14
Q

A Windows administrator must track key performance metrics for a group of seven Windows servers. What should she do?

Run Performance Monitor on each host.

Use RDP to log into each host and check Event Viewer logs.

Run Performance Monitor on her machine and add counters from the other seven servers.

A

Run Performance Monitor on her machine and add counters from the other seven servers.

Like many Microsoft administrative tools, Performance Monitor runs locally but can display performance counters added from remote hosts, so all seven servers can be watched from one console.

15
Q

You are a firewall appliance administrator for your company. Previously restricted outbound RDP packets are now successfully reaching external hosts, and you did not configure this firewall rule. Where should you look to see who made the firewall change and when?

Security log

Firewall log

Audit log

A

Audit log

Audit logs differ from regular activity logs because they record administrative configuration activity, such as who modified a firewall rule and when. The firewall log records the traffic the rule allowed or denied, not the change to the rule itself.

16
Q

In reviewing your firewall log, you notice a large number of your stations connecting to the web site www.freetripsforyou.com and downloading an EXE file, sometimes in the middle of the night. Your users state they did not visit the web site. Your firewall does not allow any inbound packets initiated from the Internet. What does this most likely indicate?

User stations are connecting to Windows Update to apply patches.

User stations have been hijacked and are downloading malware.

User stations are infected with a password-cracking program.

A

User stations have been hijacked and are downloading malware.

If a computer visits a web site and downloads an EXE file without the user's knowledge, the machine is most likely under an attacker's control; this commonly results from malware fetching additional malicious code. Blocking inbound connections at the firewall does not prevent it, because the infected stations initiate these connections outbound. Windows Update does not retrieve patches from an unrelated domain such as this one.

17
Q

A corporate network baseline has been established over the course of two weeks. Using this baseline data, you configure your IPSs to notify you of abnormal network activity. A new sales initiative requires sales employees to run high-bandwidth applications across the Internet. As a result, you begin receiving security alerts regarding abnormal network activity. Which of the following types of alerts do you receive?

False positives

False negatives

True positives

A

False positives

False positives report a problem when in fact there is none, as here, where sales employees are performing legitimate activity that the two-week baseline never saw. The alerts should still be investigated to confirm that an attack is not coinciding with the new activity, and only then should the baseline be updated to include it.
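
As an added example (not from the flashcards) tying together the cards on behavior-based monitoring and false positives, here is a minimal baseline-and-deviation monitor. The per-host traffic figures are constructed, the threshold of three standard deviations is an assumption, and the point it makes in code is the one above: the new sales application trips an alert, and the right response is to investigate, confirm it is benign, and only then re-baseline.

```python
"""Added example (not from the flashcards): a minimal behavior-based monitor of the
kind the last two cards describe.  A baseline (mean and standard deviation of bytes
transferred per interval, per host) is learned from a known-clean window, then each
new sample is flagged when it exceeds mean + k * stdev.  The traffic figures are
constructed: two weeks of ordinary use, after which the sales team's new
high-bandwidth application legitimately changes what "normal" is for that host."""
import statistics

# Constructed training data: MB transferred per hourly interval over the baseline period.
TRAINING = {
    "sales-pc":   [50, 55, 48, 52, 60, 47, 53, 49, 51, 58, 54, 50, 56, 52],
    "finance-pc": [20, 22, 19, 21, 20, 23, 18, 21, 20, 22],
}

# Constructed samples from sales-pc after the new application was rolled out and the
# resulting alerts were investigated and confirmed benign.
SALES_AFTER_ROLLOUT = [400, 420, 390, 415, 405, 398, 410, 425, 402, 395]


def build_baseline(samples):
    """samples: {host: [value, ...]} from a period believed to be clean.
    Returns {host: (mean, population_stdev)}."""
    return {host: (statistics.mean(v), statistics.pstdev(v)) for host, v in samples.items()}


def classify(baseline, host, value, k=3.0, floor=1.0):
    """'alert' when value is more than k standard deviations above the host's mean.
    `floor` keeps a near-constant host from alerting on every tiny change.
    A host with no baseline cannot be judged, so it is treated as anomalous."""
    if host not in baseline:
        return "alert"
    mean, sd = baseline[host]
    return "alert" if value > mean + k * max(sd, floor) else "normal"


def rebaseline(baseline, host, verified_values):
    """Replace one host's baseline with figures from a window that has been
    investigated and confirmed legitimate.  Never feed unverified alerts back in,
    or an attacker's traffic becomes part of 'normal'."""
    updated = dict(baseline)
    updated[host] = (statistics.mean(verified_values), statistics.pstdev(verified_values))
    return updated


def demo():
    """Classify samples before and after re-baselining the sales workstation."""
    base = build_baseline(TRAINING)
    before = {
        "sales ordinary": classify(base, "sales-pc", 57),      # normal
        "sales new app": classify(base, "sales-pc", 400),      # alert: a false positive
        "finance exfil": classify(base, "finance-pc", 2000),   # alert: a true positive
    }
    base = rebaseline(base, "sales-pc", SALES_AFTER_ROLLOUT)
    after = {
        "sales new app": classify(base, "sales-pc", 410),      # normal once re-baselined
        "finance exfil": classify(base, "finance-pc", 2000),   # still an alert
    }
    return before, after
```

Note that `rebaseline` replaces only the host whose alerts were verified; the finance workstation keeps its original baseline, so a large transfer there still alerts after the sales baseline is updated.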

18
Q

What can be done to prevent malicious users from tampering with and modifying log file entries? (Choose three.)

Store log files on a secured centralized logging host.

Encrypt archived log files.

Run Windows Update.

Generate file hashes for log files.

A

Store log files on a secured centralized logging host.

Encrypt archived log files.

Generate file hashes for log files.

Log files should be forwarded to and stored on secured centralized hosts, so that if a machine is compromised a copy of its logs still exists beyond the attacker's reach, and archived logs should be encrypted. File hashes let you confirm that a log has not been tampered with, since a modified file produces a different hash; for that to hold, the hashes must be stored or signed somewhere the attacker cannot also reach, otherwise they can simply be recomputed after editing the log. Running Windows Update hardens the host but does nothing to protect log integrity.
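
The following is an added example, not part of the flashcards, of the hashing idea done in a way that survives an attacker who can rewrite the log: a keyed (HMAC) hash chain whose key lives only on the central collector. The key, hostnames and log lines are constructed; it also shows the one case a chain alone does not catch, truncation of the newest records, and why the collector must keep the latest tag separately.

```python
"""Added example (not from the flashcards): tamper-evident logging with an HMAC hash
chain.  Each record's tag covers the previous record's tag, so editing or removing
any earlier line invalidates every tag after it.  The key belongs on the secured
central collector, never on the host producing the logs: with unkeyed hashes an
attacker who can edit the log can simply recompute them.  Key, hostnames and log
lines below are constructed for illustration."""
import hashlib
import hmac

# Assumption: held only by the central logging host, not by the monitored machine.
COLLECTOR_KEY = b"example-key-that-lives-only-on-the-collector"
GENESIS = b"\x00" * 32  # fixed starting tag so a chain verifies from its first record

# Constructed events, as a honeypot might forward them to the collector.
SAMPLE_EVENTS = [
    "2024-03-01T02:14:07Z honeypot sshd: Failed password for root from 203.0.113.9",
    "2024-03-01T02:14:09Z honeypot sshd: Accepted password for root from 203.0.113.9",
    "2024-03-01T02:15:31Z honeypot sudo: root : COMMAND=/bin/rm -f /var/log/auth.log",
]


def _tag(key, prev, line):
    return hmac.new(key, prev + line.encode(), hashlib.sha256).digest()


def chain_logs(events, key=COLLECTOR_KEY):
    """Return [(line, tag_hex)] with tag = HMAC(key, previous_tag || line)."""
    prev, chained = GENESIS, []
    for line in events:
        prev = _tag(key, prev, line)
        chained.append((line, prev.hex()))
    return chained


def verify_chain(chained, key=COLLECTOR_KEY):
    """Index of the first record whose tag does not chain, or -1 if all do."""
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(chained):
        expected = _tag(key, prev, line)
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
            return i
        prev = expected
    return -1


def demo():
    """Run the check against an intact chain and three kinds of tampering."""
    chained = chain_logs(SAMPLE_EVENTS)
    head = chained[-1][1]  # the collector records the latest tag out of band
    # 1. Rewrite the successful login as a failure but keep the original tag.
    line, tag = chained[1]
    edited = chained[:1] + [(line.replace("Accepted", "Failed"), tag)] + chained[2:]
    # 2. Splice out the middle record; the last record no longer chains to the first.
    spliced = [chained[0], chained[2]]
    # 3. Truncate the final record; the remainder is still internally consistent,
    #    so only comparison against the stored head tag reveals the loss.
    truncated = chained[:2]
    return {
        "intact": verify_chain(chained),
        "edited": verify_chain(edited),
        "spliced": verify_chain(spliced),
        "truncated": verify_chain(truncated),
        "truncated_head_ok": truncated[-1][1] == head,
    }
```

`verify_chain` reports the index of the first record that fails to chain (-1 when all chain). Edits and splices are caught at the first affected record; the truncated chain verifies cleanly, which is exactly why the collector must also record the head tag (or a record count) where the monitored host cannot change it.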

19
Q

You are the Windows server administrator for a clothing outlet in New York City. Six Windows Server Active Directory computers are used regularly. Files are being modified on servers during nonbusiness hours. You want to audit the system to determine who made the changes and when. What is the quickest method of deploying your audit settings?

Configure audit settings using Group Policy.

Configure each server with the appropriate audit settings.

Configure one server appropriately, export the settings, and import them to the other five.

A

Configure audit settings using Group Policy.

In an Active Directory environment, Group Policy delivers settings to domain computers, so the audit settings can be applied to all six servers at once from one policy. Configuring each server by hand, or exporting and importing settings, works but is slower and harder to keep consistent.

20
Q

What is the difference between a packet sniffer and a network-based IDS?

Packet sniffers put the network card in promiscuous mode.

A NIDS puts the network card in promiscuous mode.

Packet sniffers do not process captured traffic.

A

Packet sniffers do not process captured traffic.

Packet sniffers (protocol analyzers) capture network traffic but do not process it into a decision to allow, deny, or report on the activity; a NIDS does. Both put the network card into promiscuous mode in order to see traffic not addressed to the host, so that does not distinguish them.

21
Q

Your manager has asked you to identify which internal client computers have been controlled using RDP from the Internet. What would be the quickest and most efficient way to accomplish this?

Check the logs on each computer.

Check the logs on your RDP servers.

Check your firewall log.

A

Check your firewall log.

RDP connections from the Internet must pass through the perimeter firewall, so its log shows in one place every external source that reached an internal host on the RDP port. Checking each client or RDP server individually gives the same information far more slowly.

22
Q

What is a potential problem with enabling detailed verbose logging on hosts for long periods of time?

There is no problem.

It causes performance degradation.

Network bandwidth is consumed.

A

It causes performance degradation.

Detailed verbose logging produces much more log data than normal logging, so host performance (CPU and disk I/O) suffers; what is being logged and how much activity occurs determine the extent of the degradation. It also fills log storage faster, which can cause older entries to be overwritten sooner.

23
Q

A user reports that his Windows client station has been slow and unstable since last Tuesday. What should you first do?

Use System Restore to revert the computer state to last Monday.

Check log entries for Monday and Tuesday on the computer.

Run Windows Update.

A

Check log entries for Monday and Tuesday on the computer.

Before reimaging or applying a restore point, first check the log files for any indication of changes (installed software, driver updates, errors) around the time the machine became slow and unstable. Reverting or updating first may erase the evidence of what happened.

24
Q

User workstations on your network connect through NAT to a screened subnet, where your Internet perimeter firewall exists. On Friday night, a user connects to an inappropriate web site. You happened to have been capturing all network traffic on the screened subnet at the time. What would be the easiest and fastest way to track which user workstation visited the web site? (Choose two.)

View logs on the NAT router.

View logs on the perimeter firewall.

View your packet capture.

View all workstation web browser histories.

A

View logs on the NAT router.

View your packet capture.

NAT router logs list which internal address was translated to which public address and port, and when. Correlated with the time stamps of the captured packets, which show only the post-translation public address, this establishes which workstation visited the web site. Checking every workstation's browser history would work but is slow, and the perimeter firewall log likewise shows only the translated address.
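
As an added example (not from the flashcards), the correlation just described, carried out in code. The NAT log and capture layouts, addresses, and the five-minute translation idle timeout are constructed for the example; real NAT logs (conntrack, pf, ASA) differ in layout but carry the same fields. The join depends on the router and the capture host having synchronized clocks.

```python
"""Added example (not from the flashcards): correlating a NAT translation log with
packet-capture time stamps to name the internal workstation behind a visit.  The
capture on the screened subnet shows only the router's public address and port;
the NAT log says which internal socket held that public port at that moment.  Log
and capture layouts, addresses and the translation idle timeout are constructed
for the example; real NAT logs (conntrack, pf, ASA) differ in layout but carry the
same fields.  The join is only as good as the clock synchronization between the
router and the capture host."""
import re
from datetime import datetime, timedelta

# Constructed NAT log: time each internal socket was mapped to a public address:port.
# Note that public port 40001 is reused later by a different host.
NAT_LOG = """\
2024-03-08 22:41:02 tcp 10.0.5.17:50312 -> 198.51.100.7:40001
2024-03-08 22:41:05 tcp 10.0.5.23:51120 -> 198.51.100.7:40002
2024-03-08 22:42:48 tcp 10.0.5.40:49877 -> 198.51.100.7:40003
2024-03-08 22:55:10 tcp 10.0.5.31:50400 -> 198.51.100.7:40001
"""

# Constructed capture summary (post-translation source, destination, TLS SNI).
CAPTURE = """\
2024-03-08 22:41:06.218 198.51.100.7:40002 -> 192.0.2.80:443 SNI=inappropriate.example
2024-03-08 22:42:49.004 198.51.100.7:40003 -> 192.0.2.44:443 SNI=intranet.example
2024-03-08 22:55:12.771 198.51.100.7:40001 -> 192.0.2.80:443 SNI=inappropriate.example
2024-03-08 23:10:00.500 198.51.100.7:40003 -> 192.0.2.80:443 SNI=inappropriate.example
"""

NAT_RE = re.compile(r"(\S+ \S+) (\w+) (\S+):(\d+) -> (\S+):(\d+)$")
CAP_RE = re.compile(r"(\S+ \S+) (\S+):(\d+) -> (\S+):(\d+) SNI=(\S+)$")
MAPPING_TTL = timedelta(minutes=5)  # assumed idle timeout after which a translation expires


def parse_nat(text):
    """Return [(start_time, internal_ip, public_ip, public_port)] sorted by time."""
    entries = []
    for line in text.splitlines():
        m = NAT_RE.match(line)
        if m:
            ts, _proto, iip, _iport, pip, pport = m.groups()
            entries.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), iip, pip, int(pport)))
    return sorted(entries)


def internal_host(entries, public_ip, public_port, when):
    """Internal address holding (public_ip, public_port) at time `when`: the most
    recent translation that started at or before `when` and has not idled out.
    Returns None when no translation covers that instant."""
    latest = None
    for start, iip, pip, pport in entries:
        if pip == public_ip and pport == public_port and start <= when:
            latest = (start, iip)
    if latest and when - latest[0] <= MAPPING_TTL:
        return latest[1]
    return None


def who_visited(nat_text, capture_text, site):
    """Return [(capture_time, internal_ip_or_None)] for every captured flow to `site`."""
    entries = parse_nat(nat_text)
    hits = []
    for line in capture_text.splitlines():
        m = CAP_RE.match(line)
        if not m or m.group(6) != site:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        hits.append((m.group(1), internal_host(entries, m.group(2), int(m.group(3)), when)))
    return hits
```

The port-reuse case is the one to get right: the 22:55 visit on public port 40001 belongs to 10.0.5.31, not to 10.0.5.17 which held that port earlier in the evening, and the 23:10 flow on port 40003 resolves to no host because its last known translation had long since idled out, so the NAT log is incomplete for that moment and the answer should say so rather than guess.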

25
Q

You are monitoring the performance on a Unix server called ALPHA. ALPHA is used to host concurrent remote sessions for users. You notice that long periods of intense server disk activity on ALPHA coincide with remote users working with large documents stored on a separate Unix server called BRAVO. What might be causing the degraded performance on ALPHA?

There is too much network traffic.

The disks are too slow.

There is not enough RAM.

A

There is not enough RAM.

When RAM is exhausted, the least recently used pages are written to disk (paged or swapped out) to make room for what must be in RAM now, such as the many large documents being edited, and are read back when they are needed again. This makes the disk appear to be the bottleneck when the real shortage is memory; swap or paging counters confirm the diagnosis.

26
Q

A server named CHARLIE runs a mission-critical database application. The application encrypts all data from connected client workstations. You would like to monitor CHARLIE for suspicious activity and prevent any potential attacks. What should you deploy?

Honeypot

Host-based IPS

Network-based IDS

A

Host-based IPS

To monitor specific applications on a host and prevent potential attacks, deploy a host-based IPS (HIPS). A network-based IDS could only alert, not prevent, and because the application encrypts its client traffic a network sensor could not inspect it anyway; a honeypot is a decoy, not protection for a production server.

27
Q

You are reviewing forwarded log entries for your Internet-facing firewall appliance. Last year, your company did some IP restructuring and began using the 172.16.0.0/16 address space internally. You notice abnormally large amounts of traffic within a short time frame coming from the firewall appliance’s public interface, 172.16.29.97, destined for UDP port 53. Which of the following might you conclude from this information, assuming default ports are in use?

172.16.29.97 is an invalid IP address.

172.16.29.97 is a spoofed IP address.

The logs on the firewall appliance have been tampered with.

A

172.16.29.97 is a spoofed IP address.

From the list of choices, the most likely answer is that 172.16.29.97 is a spoofed IP address: addresses from the internal range should never arrive from the Internet on the public interface. 172.16.29.97 is a syntactically valid address, and nothing here indicates the logs were tampered with. UDP port 53 is DNS by default, so a burst of such packets with a forged internal source is consistent with an attack that spoofs source addresses; an ingress anti-spoofing rule on the public interface should drop any packet claiming an internal source.
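
The following is an added example, not from the flashcards, of the two checks that card calls for, run over a constructed firewall log: an ingress anti-spoofing test (internal or reserved source addresses seen on the public interface) and a per-source burst count toward one port. The log line layout, addresses, window and threshold are all constructed; the company's 172.16.0.0/16 space is covered by the RFC 1918 block 172.16.0.0/12.

```python
"""Added example (not from the flashcards): two checks for traffic arriving on an
Internet-facing interface, run here over a constructed firewall log.  (1) Ingress
anti-spoofing: a packet on the public interface whose source is an internal or
reserved address cannot be genuine and should be dropped (BCP 38 / RFC 2827).
(2) A per-source rate check for bursts toward one port, UDP/53 here.  The log
line layout, addresses, window and threshold are all constructed for the example."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Sources that must never appear on the Internet-facing ("wan") interface: the RFC 1918
# ranges plus loopback.  The company's 172.16.0.0/16 lies inside 172.16.0.0/12.
NEVER_FROM_OUTSIDE = [ipaddress.ip_network(n) for n in
                      ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

LINE_RE = re.compile(r"(\S+) iface=(\w+) proto=(\w+) src=(\S+):(\d+) dst=(\S+):(\d+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def is_spoofed_source(src, iface):
    """True when an internal/reserved source address shows up on the public interface."""
    addr = ipaddress.ip_address(src)
    return iface == "wan" and any(addr in net for net in NEVER_FROM_OUTSIDE)


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, iface, proto, src, sport, dst, dport = m.groups()
    return {"ts": datetime.strptime(ts, TS_FMT), "iface": iface, "proto": proto,
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}


def analyze(lines, window=timedelta(seconds=10), burst=50):
    """Return (spoofed_lines, burst_keys).  A burst key is
    (iface, src, proto, dport) that saw >= `burst` packets within `window`."""
    spoofed, bursts = [], set()
    recent = defaultdict(deque)  # key -> time stamps still inside the sliding window
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if is_spoofed_source(ev["src"], ev["iface"]):
            spoofed.append(line)
        key = (ev["iface"], ev["src"], ev["proto"], ev["dport"])
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= burst:
            bursts.add(key)
    return spoofed, bursts


def sample_log():
    """Constructed log: a few genuine DNS queries, then 120 queries in six seconds
    that claim an internal source address, then the same address seen legitimately
    on the LAN side."""
    t0 = datetime(2024, 6, 2, 3, 12, 44)
    lines = []
    for i, src in enumerate(("203.0.113.5", "198.51.100.77", "192.0.2.200")):
        ts = (t0 + timedelta(seconds=3 * i)).strftime(TS_FMT)
        lines.append(f"{ts} iface=wan proto=udp src={src}:{40000 + i} dst=198.51.100.7:53")
    for i in range(120):
        ts = (t0 + timedelta(milliseconds=50 * i)).strftime(TS_FMT)
        lines.append(f"{ts} iface=wan proto=udp src=172.16.29.97:{1024 + i} dst=198.51.100.7:53")
    lines.append(f"{t0.strftime(TS_FMT)} iface=lan proto=udp src=172.16.29.97:53000 dst=172.16.0.2:53")
    return lines
```

The burst key includes the interface on purpose: 172.16.29.97 is a perfectly good source on the LAN side, and only its appearance on the public interface is evidence of spoofing. The address-range list is deliberately explicit rather than Python's `is_private`, which also classifies the documentation ranges used here as "private".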

28
Q

How do logging and auditing differ?

Logging tracks more than just security events; auditing tracks specifically configured security events.

Auditing tracks more than just security events; logging tracks specifically configured security events.

Logging can track hardware events; auditing cannot.

A

Logging tracks more than just security events; auditing tracks specifically configured security events.

Logging records many types of events related to hardware and software; auditing specifically records the security-related events you have configured it to track, such as file access or logon attempts.

29
Q

Your network consists of programmable logic controllers (PLCs) that control robotic machinery as well as Linux servers and Windows desktops. Network administrators complain that there are too many similar log events in reports and notifications via e-mail. A solution that can aggregate similar events is needed. What should you suggest?

PowerShell

SIEM

SCCM

A

SIEM

SIEM tools provide a centralized way to monitor and manage security incidents. SIEM solutions also combine, or aggregate, like events to reduce duplicate event notifications and provide reports that correlate data

30
Q

You have established a baseline of employee login activity on the VPN. You are configuring notifications of abnormal login events to a security orchestration, automation, and response (SOAR) dashboard to reduce security incident response time. Which term is the most closely related to this scenario?

Network IPS

SIEM

User behavior analysis

A

User behavior analysis

Establishing a baseline of normal user login activity (times, locations, frequency) is the basis of user behavior analysis; deviations from that baseline are the anomalies that trigger notifications, which are sent to the SOAR dashboard so that response can be automated or sped up. A SIEM might collect the login events and a network IPS inspects traffic, but neither term describes baselining a user's behavior.