
CHAPTER 19:

Understanding Monitoring and Auditing


Sad truth
New exploits are released every single day
There are "Zero-Day" exploits in the wild
There are "Zero-Day" exploits available for sale
What can you do?
Assume the worst
Think ahead
Plan to be compromised when all your protections are bypassed
Logging and Auditing
Your new best friend
You may be compromised and not yet know it
Detection Tools
HIDS
Host Based Intrusion Detection
NIDS
Network Based Intrusion Detection
Sometimes just called IDS
IDS
Detection based on signatures or anomalies
Signatures
Fewer false alarms
You need rules to look for the activity
Anomalies
Network traffic is always changing
You need a baseline to compare against
Frequent triggers, also called false alarms or false positives
Known as a behavior-based anomaly system
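The signature-versus-baseline distinction above, worked through on constructed data (an added example, not from the original slides): one signature rule catches only the pattern it was written for, while a baseline of per-source request counts catches the unknown heavy source but also flags a merely busy legitimate host. Rule names, addresses and counts are all made up for the illustration.

```python
import re
import statistics

# Signature rule: fires only on activity someone has written a pattern for.
SIGNATURES = {"path-traversal": re.compile(r"\.\./")}

# Constructed sample data, not from the original slides: request lines seen
# in the current hour, the per-source counts for that hour, and the
# per-source hourly counts observed on normal days (the baseline).
SAMPLE_LINES = [
    '10.0.0.5 "GET /index.html"',
    '10.0.0.7 "GET /../../etc/passwd"',   # matches the signature
    '10.0.0.9 "GET /api/export"',         # nothing to match, but see the counts
]
CURRENT_WINDOW = {"10.0.0.5": 40, "10.0.0.7": 44, "10.0.0.9": 190, "10.0.0.20": 60}
BASELINE_HISTORY = [42, 38, 45, 40, 44, 39, 41, 43]

def signature_alerts(lines):
    """Return (source, rule) for every line a rule matches; unknown attacks are missed."""
    hits = []
    for line in lines:
        src = line.split(" ", 1)[0]
        hits.extend((src, name) for name, pat in SIGNATURES.items() if pat.search(line))
    return hits

def anomaly_alerts(history, window, threshold=3.0):
    """Flag sources more than `threshold` standard deviations above the baseline.
    No per-attack rule is needed, so 10.0.0.9 is caught, but a merely busy
    legitimate host (10.0.0.20, say a backup job) trips it too: a false positive."""
    mean, stdev = statistics.mean(history), statistics.pstdev(history)
    return sorted(src for src, count in window.items() if (count - mean) / stdev > threshold)

if __name__ == "__main__":
    print("signature:", signature_alerts(SAMPLE_LINES))
    print("anomaly:  ", anomaly_alerts(BASELINE_HISTORY, CURRENT_WINDOW))
```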
Other detection tools
netstat
Displays listening ports
Displays open ports
Displays Routing table
net session (Windows)
Displays open sessions for file sharing; username and IP addresses
tasklist or task manager (ps in Linux)
Shows what applications or processes you have running
With the right flags, you can compare the process ID shown by netstat against the ps or tasklist output to see which applications are using network sockets
taskkill
whoami
net statistics
net user
Perf Mon or Performance Monitor
View resource utilization
Identify what processes are consuming resources
Packet Sniffing
See what's coming and going from the system you are inspecting
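The netstat-to-process correlation described under "Other detection tools", as an added example that is not part of the original slides: it parses text in the layout of Windows `netstat -ano` and `tasklist`, joins the two on PID, and flags any listening socket whose owner is not on an allow-list. The sample output, the process names and the allow-list are constructed for this illustration.

```python
# Constructed sample output in the layout of Windows `netstat -ano` and
# `tasklist`; the lines are made up for this example, not captured output.
NETSTAT_ANO = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING       5120
  TCP    10.0.0.5:49712         10.0.0.9:443           ESTABLISHED     2312
  UDP    0.0.0.0:5353           *:*                                    1776
"""
TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0         24 K
svchost.exe                    948 Services                   0     12,340 K
chrome.exe                    2312 Console                    1    180,112 K
notepad.exe                   5120 Console                    1      3,004 K
"""
# Constructed allow-list of which image should own each listening port.
EXPECTED_LISTENERS = {("TCP", 135): "svchost.exe", ("TCP", 445): "System"}

def listening_sockets(netstat_text):
    """Yield (proto, port, pid) for TCP LISTENING sockets and bound UDP sockets."""
    for line in netstat_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("TCP", "UDP"):
            continue
        proto, local, pid = tokens[0], tokens[1], int(tokens[-1])
        state = tokens[3] if proto == "TCP" else ""   # UDP rows have no State column
        if proto == "UDP" or state == "LISTENING":
            yield proto, int(local.rsplit(":", 1)[1]), pid

def tasklist_pids(tasklist_text):
    """Map PID -> image name; the last five columns are fixed, the name may contain spaces."""
    pids = {}
    for line in tasklist_text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or not tokens[-5].isdigit():
            continue   # header and separator rows
        pids[int(tokens[-5])] = " ".join(tokens[:-5])
    return pids

def correlate(netstat_text, tasklist_text, expected):
    """Join sockets to process names on PID and flag anything off the allow-list."""
    names = tasklist_pids(tasklist_text)
    report = []
    for proto, port, pid in listening_sockets(netstat_text):
        name = names.get(pid, "<no such process>")   # PID gone since netstat ran
        verdict = "ok" if expected.get((proto, port)) == name else "unexpected"
        report.append((proto, port, pid, name, verdict))
    return report

if __name__ == "__main__":
    for row in correlate(NETSTAT_ANO, TASKLIST, EXPECTED_LISTENERS):
        print("%-3s %5d pid=%-5d %-18s %s" % row)
```

The ESTABLISHED row is left out on purpose: the check is about who is listening, and an ESTABLISHED socket whose PID has no tasklist entry is a separate signal worth its own review.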
Implementing Logging and Auditing
Auditing
The process of reviewing for security purposes
Logging
The act of recording activities
Deciding what to collect
Success and/or failure
Both may be valuable to your investigation or audit
Events to record?
File Access
Object Access
Authentication
DNS Queries
Policy Modification
File Modifications
Object Modifications
Elevated Privilege Use
Web Traffic
FTP use
Network Traffic
Wireless connections
Proxy Servers
Tools for logging
Event Viewer
Syslogd
Centralized Logging
Moving logs away from the machine under attack may preserve records before an attacker can cover their tracks
Using the network may allow an attacker to insert misinformation or fill storage
Graceful failures?
Some government or critical applications require the detection of logging faults to trigger an immediate shutdown
CHAPTER 19 END
Self Test Page 768
QUESTION - Introduction to
Monitoring
1. Which of the following monitoring systems
is best suited to identify zero day attacks?
A. Signature-based
B. Anomaly-based
C. Host-based
D. Network-based
ANSWER
B. Anomaly-based monitoring systems identify
suspicious traffic based on anything outside the norm
and not from a signature database. This means that
any type of attack, whether a known attack or
not, is identified because it will be traffic out of the
norm.
A, C, and D are incorrect. Because a signature-based
system uses a definition file, it detects only activity it
has been programmed to detect. A host-based IDS
monitors activity on a single system, while a network-
based IDS monitors network traffic.
QUESTION
2. A signature-based system uses a database
of signatures to identify suspicious activity.
What does an anomaly-based system use?
A. A signature database
B. A log file
C. A baseline of normal activity
D. An audit file
ANSWER
C. The anomaly-based system is programmed
for a baseline of normal activity, and any
activity out of the norm is considered
suspicious. As a result it can detect unknown
attacks (zero day).
A, B, and D are incorrect because anomaly-
based monitoring systems do not use a
signature database, log file, or audit file.
QUESTION - Monitoring Tools
3. What command allows you to view all TCP
ports in a listening state on a Windows or
Linux system?
A. nbtstat -na
B. netstat
C. nbtstat
D. netstat -na
ANSWER
D. The netstat -na command is used to view a
list of open ports on the system.
A, B, and C are incorrect. nbtstat is used to
troubleshoot NetBIOS over TCP/IP, while the
netstat command by itself will show only
current connections and not listening ports.
QUESTION
4. You are monitoring a Windows system and
think you have identified a process that may
be a potential virus. The process has the
process ID of 1944. What command would
you use to terminate the process?
A. kill 1944
B. taskkill /PID 1944
C. kill /PID 1944
D. taskkill 1944
ANSWER
B. You can use the taskkill command in
Windows to terminate a process, but must use
the /PID switch if you are going to terminate
the process by the process ID.
A, C, and D are incorrect. The kill command is
used by Linux to terminate a process. The
taskkill command needs the /PID switch in this
example.
QUESTION
5. What command in Linux allows you to view
a list of files and the permissions assigned to
those files?
A. ls -l
B. ls
C. lastperm
D. listperm
ANSWER
A. To view the permissions on files when
listing the files with ls, use the -l switch in
Linux.
B, C, and D are incorrect because the ls
command is the command to list files, but you
need the -l to display permissions.
QUESTION
6. Your manager finds that the company web
server is responding slowly and has spent some
time with Performance Monitor to troubleshoot
the issue. She has determined that no processes
are running on the system using up system
resources. What tool might you use next?
A. Performance Monitor
B. Protocol analyzer
C. System Monitor
D. Tasklist
ANSWER
B. If you have looked at the system and things
seem to be normal with no additional processes
running, then the problem could be the system is
being overloaded with traffic. Using a protocol
analyzer, or network sniffer, will allow you to view
traffic headed to the system.
A, C, and D are incorrect. Performance Monitor
and System Monitor are used to monitor the
health of the system, and tasklist is used to view
processes which have already run.
QUESTION
7. What command in Linux displays a list of all
users and the last time they logged on?
A. loglast
B. last
C. lastlog
D. first
ANSWER
C. The lastlog command displays all the user
accounts on the Linux system and the last
time they logged on.
A, B, and D are incorrect because they do not
display all the user accounts on the Linux
system and the last time they logged on.
QUESTION - Implementing Logging and
Auditing
8. When implementing auditing in Windows
what event would you enable if you wanted to
audit when someone creates a new user
account?
A. Audit group management
B. Audit user management
C. Audit administrative tasks
D. Audit account management
ANSWER
D. To audit when user accounts are created or
modified, you must enable the "Audit account
management" event.
A, B, and C are incorrect because they are not
events in Windows auditing.
QUESTION
9. Your manager has asked that you monitor
printer access. What event in the audit policy
would you enable?
A. Audit printer access
B. Audit object access
C. Audit account management
D. Audit account logon
ANSWER
B. To monitor printer access, you would
enable the success of object access in the
audit policy.
A, C, and D are incorrect because you need to
enable object access auditing to audit files
and printers in Windows.
QUESTION
10. Your manager comes to you and asks you
to check the logs to see if Bob has been
surfing facebook.com again during company
time. What logs would you check?
A. FTP log
B. Web server log
C. Firewall log
D. Proxy log
ANSWER
D. To monitor web sites that have been visited
by users on the network, you will typically
look at the proxy server logs.
A, B, and C are incorrect. The FTP log would be
used to view access to the FTP server, while
the web server log would be used to monitor
access to a web site. The firewall log would be
used to monitor inbound communication.
FOR TOMORROW
Thursday
Review, Review Review
Schedule your exam
WebSite
Cost
Reimbursement
Keeping your certificate valid
CEUs
https://www.brighttalk.com