

Understanding Monitoring and Auditing

Sad truth
New exploits are released every single day
There are "Zero-Day" exploits in the wild
There are "Zero-Day" exploits available for sale
What can you do?
Assume the worst
Think ahead
Plan to be compromised when all your protections are bypassed
Logging and Auditing
Your new best friend
You may be compromised and not yet know it
Detection Tools
Host Based Intrusion Detection (HIDS): watches activity on a single host
Network Based Intrusion Detection (NIDS): watches network traffic
Sometimes just called IDS
Detection based on signatures or anomalies
Signature-based
Fewer false alarms
You need rules to look for the activity, so it only detects what a rule describes
Anomaly-based (also known as a behavior-based system)
Network traffic is always changing
You need a baseline to compare against
Frequent triggers, also called false alarms or false positives
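The contrast above is easier to see with both detectors run over the same data. The following is an added example, not code from the slides or from any IDS product: a signature scanner with two hand-written rules, and an anomaly scanner that flags any minute whose request count exceeds the mean plus three standard deviations of a known-good baseline. The log lines, the baseline counts, and the rule names are all constructed for the example.

```python
"""Signature-based vs anomaly-based detection, run over constructed sample log lines."""
import re
import statistics
from collections import Counter

# Constructed sample log lines (not from any real system): "HH:MM client request".
LINES = [
    "09:00 10.0.0.5 GET /index.html",
    "09:00 10.0.0.7 GET /about.html",
    "09:01 10.0.0.5 GET /login",
    "09:01 10.0.0.9 GET /cgi-bin/status?file=../../etc/passwd",
    "09:02 10.0.0.7 GET /index.html",
    "09:02 10.0.0.8 GET /login?user=admin'%20OR%201=1--",
    "09:03 10.0.0.5 GET /contact.html",
    "09:03 10.0.0.7 GET /news.html",
]
# A burst of novel fuzzing requests that no signature below knows about (constructed).
LINES += [f"09:04 10.0.0.{i} GET /search?q=%00%00%00" for i in range(20, 60)]
# A legitimate burst: a monitoring host re-polling after a restart (constructed).
LINES += ["09:05 10.0.0.2 GET /health"] * 10

# Constructed baseline: requests per minute observed during a known-good window.
BASELINE_PER_MINUTE = [3, 2, 4, 3, 2, 5, 3, 4]

# Signature rules: each one encodes a known-bad pattern and nothing else.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"'(?:%20|\s)*OR(?:%20|\s)+1=1", re.IGNORECASE),
}


def signature_scan(lines):
    """Return (line, rule_name) for every line matching a known-bad pattern.

    Few false positives, but a request the rule set has never seen (the %00 burst)
    is invisible to it.
    """
    return [(line, name) for line in lines
            for name, pattern in SIGNATURES.items() if pattern.search(line)]


def requests_per_minute(lines):
    """Count requests per HH:MM bucket (first field of each line)."""
    return Counter(line.split(" ", 1)[0] for line in lines)


def anomaly_threshold(baseline, k=3.0):
    """Mean + k standard deviations of the known-good per-minute counts."""
    return statistics.mean(baseline) + k * statistics.pstdev(baseline)


def anomaly_scan(lines, baseline, k=3.0):
    """Return {minute: count} for minutes whose request count exceeds the baseline threshold.

    Catches the novel burst that has no signature, but also fires on the benign
    health-check burst: that is the false positive the slide warns about.
    """
    threshold = anomaly_threshold(baseline, k)
    return {minute: n for minute, n in requests_per_minute(lines).items() if n > threshold}


if __name__ == "__main__":
    for line, rule in signature_scan(LINES):
        print(f"signature  {rule:15} {line}")
    limit = anomaly_threshold(BASELINE_PER_MINUTE)
    for minute, n in sorted(anomaly_scan(LINES, BASELINE_PER_MINUTE).items()):
        print(f"anomaly    {minute} {n} requests (threshold {limit:.1f})")
```

Run as-is, the signature scanner reports exactly the traversal and the SQL tautology, and misses the 09:04 burst; the anomaly scanner reports 09:04 but also 09:05, the legitimate health checks. Raising k trades that false positive for a higher chance of missing a smaller burst, which is the tuning problem every baseline-driven detector has.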
Other detection tools
netstat
Displays listening ports
Displays open ports
Displays the routing table
net session (Windows)
Displays open sessions for file sharing: username and IP addresses
tasklist or Task Manager (ps in Linux)
Shows what applications or processes you have running
With the right flags (netstat -ano on Windows, netstat -tulpn or ss -ltnp on Linux), you can match the process ID from the netstat output against the tasklist or ps table to see which application owns each network socket
net statistics
net user
Perf Mon or Performance Monitor
View resource utilization
Identify what processes are consuming resources
Packet Sniffing
See what's coming and going from the system you are inspecting
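The netstat-to-process comparison described under tasklist is a join on the PID column. The following is an added example, not code from the slides: it parses constructed samples of `netstat -ano` and `tasklist /FO CSV /NH` output (both flags are real Windows options; the sample text itself is made up, including the nc.exe listener on port 4444) and reports every listening socket together with the process image that owns it. A PID that appears in netstat but not in tasklist is reported rather than dropped, because that gap is itself worth investigating.

```python
"""Map listening sockets to the owning process by joining netstat -ano with tasklist /FO CSV."""
import csv
import io

# Constructed sample of "netstat -ano" output on Windows (not captured from a real host).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1944
  TCP    10.0.0.15:49700        52.96.0.1:443          ESTABLISHED     3120
  UDP    0.0.0.0:5353           *:*                                    2216
"""

# Constructed sample of "tasklist /FO CSV /NH" output taken at the same moment.
TASKLIST_SAMPLE = """\
"System","4","Services","0","152 K"
"svchost.exe","912","Services","0","8,340 K"
"nc.exe","1944","Console","1","4,012 K"
"OUTLOOK.EXE","3120","Console","1","210,112 K"
"""

UNKNOWN = "<not in tasklist>"


def parse_netstat_ano(text):
    """Yield (proto, local, foreign, state, pid) for each socket line of netstat -ano.

    UDP lines carry no State column, so the PID is always taken from the last field.
    """
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or "Active Connections"
        state = fields[3] if fields[0] == "TCP" else ""
        yield fields[0], fields[1], fields[2], state, int(fields[-1])


def parse_tasklist_csv(text):
    """Return {pid: image name} from tasklist /FO CSV /NH output."""
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(text)) if row}


def listeners_by_process(netstat_text, tasklist_text):
    """Return (proto, local address, pid, image) for every listening socket.

    TCP sockets count only in LISTENING state; a bound UDP socket is always a listener.
    A PID with no tasklist entry is reported as UNKNOWN rather than dropped: it may be a
    process that exited between the two snapshots, or one that is hiding from tasklist.
    """
    pid_to_image = parse_tasklist_csv(tasklist_text)
    result = []
    for proto, local, _foreign, state, pid in parse_netstat_ano(netstat_text):
        if proto == "TCP" and state != "LISTENING":
            continue
        result.append((proto, local, pid, pid_to_image.get(pid, UNKNOWN)))
    return result


if __name__ == "__main__":
    for proto, local, pid, image in listeners_by_process(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{proto:4} {local:22} pid={pid:<6} {image}")
```

On a live host, feed the two functions the real command output (`subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout` and likewise for tasklist), and take both snapshots as close together as possible so that a short-lived process does not show up as UNKNOWN by accident.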
Implementing Logging and Auditing
Auditing: the process of reviewing recorded activity for security purposes
Logging: the act of recording activities
Deciding what to collect
Success and/or failure
Both may be valuable to your investigation or
Events to record?
File Access
Object Access
DNS Queries
Policy Modification
File Modifications
Object Modifications
Elevated Privilege Use
Web Traffic
FTP use
Network Traffic
Wireless connections
Proxy Servers
Tools for logging
Event Viewer
Centralized Logging
Moving logs away from the machine under attack may preserve records before an attacker can cover their tracks
Using the network may allow an attacker to insert misinformation or fill storage, so authenticate and encrypt the log transport and watch free space on the collector
Graceful failures?
Some government or critical applications require the detection of logging faults to trigger an immediate shutdown (Windows exposes this as the security option "Audit: Shut down system immediately if unable to log security audits")
Self Test Page 768
QUESTION - Introduction to
1. Which of the following monitoring systems
is best suited to identify zero day attacks?
A. Signature-based
B. Anomaly-based
C. Host-based
D. Network-based
B. Anomaly-based monitoring systems identify suspicious traffic based on anything outside the norm, not on a signature database. This means that any type of attack, whether a known attack or not, can be identified if it produces traffic outside the norm.
A, C, and D are incorrect. Because a signature-based
system uses a definition file, it detects only activity it
has been programmed to detect. A host-based IDS
monitors activity on a single system, while a network-
based IDS monitors network traffic.
2. A signature-based system uses a database
of signatures to identify suspicious activity.
What does an anomaly-based system use?
A. A signature database
B. A log file
C. A baseline of normal activity
D. An audit file
C. The anomaly-based system is programmed
for a baseline of normal activity, and any
activity out of the norm is considered
suspicious. As a result, it can detect unknown attacks (zero day).
A, B, and D are incorrect because anomaly-
based monitoring systems do not use a
signature database, log file, or audit file.
QUESTION - Monitoring Tools
3. What command allows you to view all TCP
ports in a listening state on a Windows or
Linux system?
A. nbtstat -na
B. netstat
C. nbtstat
D. netstat -na
D. The netstat -na command is used to view a list of open ports on the system: -a includes listening sockets and -n shows addresses and ports numerically instead of resolving names (on Windows add -o to see the owning PID).
A, B, and C are incorrect. nbtstat is used to troubleshoot NetBIOS over TCP/IP, while the netstat command by itself will show only current connections and not listening ports.
4. You are monitoring a Windows system and think you have identified a process that may be a potential virus. The process has the process ID of 1944. What command would you use to terminate the process?
A. kill 1944
B. taskkill /PID 1944
C. kill /PID 1944
D. taskkill 1944
B. You can use the taskkill command in Windows to terminate a process, but must use the /PID switch if you are going to terminate the process by the process ID. Add /F if the process ignores the normal termination request, and consider capturing its image path and network connections first, since killing it destroys that evidence.
A, C, and D are incorrect. The kill command is used by Linux to terminate a process (PowerShell also accepts kill as an alias for Stop-Process, but taskkill is the native Windows command). The taskkill command needs the /PID switch.
5. What command in Linux allows you to view
a list of files and the permissions assigned to
those files?
A. ls -l
B. ls
C. lastperm
D. listperm
A. To view the permissions on files when listing them with ls, use the -l switch.
B, C, and D are incorrect because the ls command is the command to list files, but you need the -l to display permissions, and lastperm and listperm do not exist.
6. Your manager finds that the company web
server is responding slowly and has spent some
time with Performance Monitor to troubleshoot
the issue. She has determined that no processes
are running on the system using up system
resources. What tool might you use next?
A. Performance Monitor
B. Protocol analyzer
C. System Monitor
D. Tasklist
B. If you have looked at the system and things seem to be normal with no additional processes running, then the problem could be that the system is being overloaded with traffic. Using a protocol analyzer, or network sniffer, will allow you to view the traffic headed to the system.
A, C, and D are incorrect. Performance Monitor and System Monitor are used to monitor the health of the system, and tasklist only lists the processes currently running, which has already been checked.
7. What command in Linux displays a list of all
users and the last time they logged on?
A. loglast
B. last
C. lastlog
D. first
C. The lastlog command displays all the user
accounts on the Linux system and the last
time they logged on.
A, B, and D are incorrect because they do not
display all the user accounts on the Linux
system and the last time they logged on.
QUESTION - Implementing Logging and Auditing
8. When implementing auditing in Windows, what event would you enable if you wanted to audit when someone creates a new user account?
A. Audit group management
B. Audit user management
C. Audit administrative tasks
D. Audit account management
D. To audit when user accounts are created or
modified, you must enable the "Audit account
management" event.
A, B, and C are incorrect because they are not categories in the classic Windows audit policy. (Under Advanced Audit Policy Configuration, account management is split into subcategories, and "Audit User Account Management" is the one that produces event ID 4720, "A user account was created".)
9. Your manager has asked that you monitor
printer access. What event in the audit policy
would you enable?
A. Audit printer access
B. Audit object access
C. Audit account management
D. Audit account logon
B. To monitor printer access, you would enable the success of object access in the audit policy. Enabling the category alone is not enough: you must also add an auditing entry (SACL) on the printer itself, under its Security properties, naming the users and permissions to audit.
A, C, and D are incorrect because you need to enable object access auditing to audit files and printers in Windows.
10. Your manager comes to you and asks you
to check the logs to see if Bob has been
surfing facebook.com again during company
time. What logs would you check?
A. FTP log
B. Web server log
C. Firewall log
D. Proxy log
D. To monitor web sites that have been visited
by users on the network, you will typically
look at the proxy server logs.
A, B, and C are incorrect. The FTP log would be used to view access to the FTP server, while the web server log would be used to monitor access to your own web site, not sites your users visit. The firewall log records permitted and denied connections by address and port, not the sites a user browsed.
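The proxy-log check in question 10 is routine enough to script. The following is an added example, not code from the book or the slides: it parses constructed lines in Squid's native access.log layout (time, elapsed, client, code/status, bytes, method, URL, user, hierarchy, type; the user name "bob", addresses and timestamps are made up), attributes requests by the authenticated user field, matches the domain and its subdomains without matching look-alikes such as notfacebook.com, and marks which visits fell inside a 09:00 to 17:00 working-hours window. Other proxies use different field orders, so adjust the indexes for your product.

```python
"""Search proxy logs for one user's visits to a site during working hours."""
from datetime import datetime, timezone
from urllib.parse import urlsplit

UTC = timezone.utc


def _ts(hour, minute):
    """Epoch seconds for a constructed date, 2023-11-14, at hour:minute UTC."""
    return datetime(2023, 11, 14, hour, minute, tzinfo=UTC).timestamp()


# Constructed log lines in Squid's native access.log layout (not from a real proxy):
# time elapsed client code/status bytes method URL user hierarchy/peer type
PROXY_LOG = [
    f"{_ts(9, 30):.3f}   120 10.0.0.23 TCP_MISS/200 4096 GET http://intranet.example/ bob HIER_DIRECT/10.0.0.9 text/html",
    f"{_ts(10, 15):.3f}   245 10.0.0.23 TCP_MISS/200 5123 GET http://www.facebook.com/ bob HIER_DIRECT/157.240.1.35 text/html",
    f"{_ts(11, 0):.3f}   198 10.0.0.31 TCP_MISS/200 5123 GET http://www.facebook.com/ alice HIER_DIRECT/157.240.1.35 text/html",
    f"{_ts(11, 30):.3f}    87 10.0.0.23 TCP_MISS/200 2048 GET http://notfacebook.com/ bob HIER_DIRECT/203.0.113.7 text/html",
    f"{_ts(12, 40):.3f}  3010 10.0.0.23 TCP_TUNNEL/200 70212 CONNECT m.facebook.com:443 bob HIER_DIRECT/157.240.1.36 -",
    f"{_ts(19, 5):.3f}   210 10.0.0.23 TCP_MISS/200 5123 GET https://www.facebook.com/ bob HIER_DIRECT/157.240.1.35 text/html",
]


def host_of(method, url):
    """Hostname of a proxied request; CONNECT lines carry host:port, not a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def in_domain(host, domain):
    """True for the domain itself or any subdomain, never for look-alikes such as notfacebook.com."""
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def find_visits(lines, user, domain, work_start=9, work_end=17):
    """Return [(datetime, url, during_work_hours)] for `user`'s requests into `domain`.

    Hours with work_start <= hour < work_end count as company time. Every matching
    visit is returned, so evidence outside that window is not silently discarded.
    """
    visits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 8:
            continue  # truncated or malformed line
        when = datetime.fromtimestamp(float(fields[0]), tz=UTC)
        method, url, ident = fields[5], fields[6], fields[7]
        if ident != user or not in_domain(host_of(method, url), domain):
            continue
        visits.append((when, url, work_start <= when.hour < work_end))
    return visits


if __name__ == "__main__":
    for when, url, during in find_visits(PROXY_LOG, "bob", "facebook.com"):
        print(f"{when:%Y-%m-%d %H:%M} {'work ' if during else 'after'} {url}")
```

Two details matter for the evidence to hold up: HTTPS sessions appear as CONNECT tunnels that reveal only the host, never the page, and the timestamps are interpreted in UTC here, so convert to the site's local zone before deciding what counts as company time.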
Review, Review, Review
Schedule your exam
Keeping your certificate valid