Week 5 Flashcards

(96 cards)

1
Q

Two ways to access ESX

A
  • cmd line
  • vSphere client

2
Q

Primary means of accessing VMs

A
  • console tab
  • console window

3
Q

What does HBSS provide?

A
  • signature and behavior based threat protection
  • desktop firewall

4
Q

What does the McAfee Agent do?

A

Tells point products what to do

5
Q

What does HIPS do?

A

Provides capability to block known intrusion systems

6
Q

What does RSD do?

A
  • Rogue System Detection
  • Notifies admin of any rogue/no agent/wrong agent

7
Q

What does VSE do?

A

  • Active
  • protects hosts from viruses, worms, Trojans

8
Q

What does DCM/DLP do?

A

Module is what allows/prevents plug and play and USB devices

9
Q

What does ABM do?

A
  • asset baseline monitor
  • passive
  • notifies admin when host goes against compose baseline
10
Q

What does PA do?

A
  • policy auditor
  • passive
  • notifies admin when policies set in ePO are not enforced on host
11
Q

Where are policies applied?

A

System Tree

12
Q

Characteristics of Lost and Found group

A
  1. Cannot be deleted
  2. Cannot be renamed
  3. Sorting criteria cannot be changed from being a catch-all group
  4. Always appears last
  5. Users must be granted permissions to see contents
  6. When a system is sorted into L&F, it is placed in a subgroup named for the system’s domain. If that subgroup doesn’t exist, it will be created
13
Q

What contains all the necessary information that a client will need to install the McAfee Agent and communicate with ePO server?

A

Framepkg.exe

14
Q

What are the HIP sub-agents?

A
  • buffer overflow
  • logon
  • SQL
  • registry
  • services
  • files
  • HTTP
  • HIP API
  • Get Admin
  • Illegal Use
  • Program
15
Q

How often is detected network device information forwarded to the ePO server?

A

5 minutes

16
Q

What allows HBSS admins to configure and manage the instances of the rogue system sensor installed throughout the network?

A

RSD Policy Settings

17
Q

What are the system statuses?

A
  1. Exceptions
  2. Inactive
  3. Managed
  4. Rogue
18
Q

What are the Rogue System Sensor Statuses?

A
  1. Active
  2. Missing
  3. Passive
19
Q

How many Rogue System Sensors should you have?

A

2 per subnet

20
Q

What are the Subnet Statuses?

A
  1. Contains rogues
  2. Covered
  3. Uncovered
21
Q

What is a policy?

A

Collection of settings that are created, configured, and then enforced

22
Q

How are policy settings grouped?

A

By product then by category

23
Q

What are the stackable policy rules?

A

Firewall rules can’t be stacked and only one policy can be applied at a time

24
Q

How often is policy enforcement?

A

30 minutes

25
Admins can assign policies by?
  • site or group level
  • single systems
  • node with multiple policies
26
What does HIP do?
  • Provides the ability to protect systems from attacks such as buffer overflows and privilege escalation
  • uses the IPS signature base to identify threats to the host from both the network and application layer perspective
27
What is the detection methodology?
HIP uses both signature and anomaly (behavior) based methods
28
Elements that HIPS examines
  • system calls
  • file system access
  • system registry settings
  • host input/output
  • host network traffic monitoring
  • shielding
  • enveloping of applications
29
What are the general policies?
  • Client UI
  • Trusted Networks
  • Trusted Applications
30
How to navigate to threat event log
Menu > Reporting > Threat Event Log
31
What is the trusted application policy?
When you mark an application as trusted, it helps to eliminate creating exceptions
32
What do the IPS options tell you?
Whether it is on or off
33
What does protect mode mean?
Blocks according to policy
34
What is adaptive mode?
  • Blocks all high severity events
  • allows everything else
35
What does learned mode require?
User interaction
36
What are the components of HIP policy?
  • General
  • IPS
  • Firewall
  • Application Blocking
37
What are the policy categories under General?
  • Client UI
  • Trusted Networks
  • Trusted Application
38
What is the purpose of a Client UI?
To configure the HIP Agent interface
39
What is the purpose of a Trusted Network?
To specify network ranges that firewall rules marked “Trusted” allow through, and to specify IP addresses to “trust for NIPS”
40
What is the purpose of the Trusted Application?
To specify applications, at a specified path, that IPS/Firewall/Application Blocking will ignore
41
What are the policy categories for IPS?
  • Options
  • Rules
  • Protection
42
What is the purpose of options (IPS)?
Turns IPS protection on or off
43
What is the purpose of rules (IPS)?
Specifies the signatures and behaviors and their associated severity levels
44
What is the purpose of protection?
Specifies the protective reaction to detected signatures
45
What are the policy categories for firewall?
  • Options
  • Rules
46
What is options (firewall) for?
Turns firewall on or off
47
What is the purpose of rules (firewall)?
Specifies the access rules through the firewall with their ports, protocols, services, and “trusted” status
48
What are the sub-components of IPS?
  • HIPS
  • NIPS
  • Application Protection
49
What are the sub-components of Firewall?
  • incoming comms
  • outgoing comms
50
What is hooking (application blocking)?
Controls which applications can BIND together
51
What are the components of HBSS?
  • Server side: ACAS, HBSS, MSSQL
  • Client side: McAfee Agent
52
Why is RDP the preferred method of accessing VMs?
Less resource intensive
53
What order do you power on VMs?
  • MSSQL, ACAS, HBSS
  • to allow services to start on MSSQL first
54
How many types of users are in HBSS? What are they? How are they defined?
  • Global: creates accounts, does everything
  • Everyone Else: view
  • defined based on permissions given
55
What does the System Tree contain?
  • sites
  • groups
  • subgroups
56
Why do we create subgroups?
To manage policies for systems in one place, rather than setting policies for each system individually
57
How do you break inheritance?
  • At the lowest level possible
  • break DLP Policy? Do it at the workstation
  • apply McAfee Default Policy? Do it at the top
58
What criteria are used to place managed systems into a System Tree group?
Tags with and without criteria
59
What is the default Agent to Server Communication Interval?
30 minutes
60
Which file contains all necessary information that a client will need to install the McAfee Agent? What does it contain?
  • Framepkg.exe
  • contains drivers, ePO server information, and encryption keys
61
What does the Wake Up Agent do?
Forces agents to call in and update policies and tasks
62
What is priority event forwarding?
Forwards priority events immediately according to the user-selected level of priority
63
What is SADR?
A repository for ships
64
What option must be selected in order for a system to become a SuperAgent?
Convert Agent to Super Agent
65
Explain lazy caching.
A workstation needs software, so it goes to the SADR, which gives it to the workstation. If the SADR doesn’t have it, it goes to HBSS
66
Where are HBSS servers located?
UARNOC and PRNOC
67
In regards to RSD, how many sensors are required to be on each subnet and what kind of information do they gather?
  • 2
  • ARP, IP, DHCP, info about computers, routers, printers
68
What is the purpose of the Detected Systems menu?
Makes monitoring and managing the network easier.
69
What is the default policy enforcement interval?
15 minutes
70
What does the overall system status show?
  • a percentage of compliant systems
  • Managed, rogue, and exceptions
71
What is a rogue device?
A device not managed by the ePO server.
72
DISA requires how many days before a system is reported as rogue?
10 days
73
3 classes of rogue devices and explain
  • Alien: not in local ePO database
  • Inactive: in ePO database but not detected
  • No Agent: no McAfee Agent installed
74
How is Rogue System Sensor Status displayed and explain them.
  • active: sensors report info to ePO server
  • missing: sensors that haven’t communicated in a certain amount of time
  • passive: check in but do not report info
75
What is the subnet status? Explain.
Subnet status: how many detected systems are on the network
  • contains rogues
  • covered
  • uncovered
76
What systems would you include on the Rogue Sensor blacklist?
Mission critical servers of core services
77
Explain merging systems.
A computer with multiple NICs, each with its own MAC address
78
What are the three methods of installing McAfee Agents?
  1. Rogue Agent Auto Push
  2. Deploying agents via RSD
  3. Manually installing agents
79
When does an alien system occur?
When an agent is not recognized by the ePO server
80
What is that logic statement?
if rogue equals true && domain = shipboard domain
81
Other issues that may cause inactive
  • system not on board
  • network cable damaged
  • agent service fail/corrupt
  • system decommissioned and not removed from System Tree
  • system disconnected
82
What kind of systems are excluded in RSD?
  • routers
  • switches
  • WAP
  • printers
  • IP phones
  • storage arrays
  • ESX
  • hypervisors
83
What are the 3 ways to correct a duplicate GUID?
  • via server tasks
  • via registry
  • agent de-installation
84
What are the steps for embarkable units to have the McAfee Agent installed?
  • contact the embarkable unit prior to arrival
  • create a custom group within the System Tree
  • create a permission set
  • create a group admin account
85
What policy is so crucial to your network that, if improperly configured, it will not allow your network to receive updates?
McAfee Default Policy
86
How do policies get enforced?
  • every 15 minutes
  • this is how long locally set client changes will last until the server overwrites them
87
Explain inheritance.
Child groups inherit policies from parent groups
88
What does a host based IPS provide?
  • protects systems from attacks such as buffer overflows and privilege escalation
  • uses IPS to identify threats to the host from both the network and application layer perspective
89
What is the IPS software responsible for?
  • Host and network intrusion protection
  • shielding and enveloping of applications
90
What is the benefit of trusting applications and networks?
Eliminates the need to create exceptions
91
Why do we have HIP tuning?
  • the network is a constantly changing environment
  • manual
  • auto: learned, adaptive
92
What type of incidents does intrusion detection and prevention protect against?
  • incidents have many causes, e.g. malware
  • attackers gaining unauthorized access to systems from the internet
  • authorized users of systems who misuse privileges
93
The IPS protection policy sets the reaction to events based on what level?
Severity: high, medium, low, informational
94
What is an exception rule for?
To allow a device that would otherwise be blocked
95
Within DLP, what are the 3 device class statuses? Explain each.
  • managed: USB, plug n play
  • unmanaged: no McAfee Agent, could be managed but we don’t, like local printers and scanners
  • unmanageable
96
What does the computer assignment group feature allow?
DLP rules for specific groups of computer objects