Sad truth
    New exploits are released every single day
    There are "zero-day" exploits in the wild
    There are "zero-day" exploits available for sale

What can you do?
    Assume the worst
    Think ahead
    Plan to be compromised, for the day when all your protections are bypassed

Logging and Auditing: your new best friend
    You may be compromised and not yet know it

Detection Tools
    HIDS: host-based intrusion detection
    NIDS: network-based intrusion detection
    Sometimes just called IDS

IDS: detection based on signatures or anomalies
    Signatures
        Fewer false alarms
        You need a rule for each activity you want to catch, so only known activity is detected
    Anomalies
        Network traffic is always changing
        You need a baseline of normal activity to compare against
        Frequent triggers (false alarms, also called false positives)
        Known as a behavior-based anomaly system

Other detection tools
    netstat
        Displays listening ports
        Displays open ports (current connections)
        Displays the routing table
    net session (Windows)
        Displays open file-sharing sessions: username and IP address
    tasklist or Task Manager (ps in Linux)
        Shows which applications or processes are running
        With the right flags (netstat -ano on Windows, netstat -anp or ss -anp as root on Linux) you can match the process ID shown by netstat against the tasklist/ps table to see which application owns each network socket
    taskkill
    whoami
    net statistics
    net user
    Perf Mon (Performance Monitor)
        View resource utilization
        Identify which processes are consuming resources
    Packet sniffing
        See what is coming and going from the system you are inspecting

Implementing Logging and Auditing
    Auditing: the process of reviewing records for security purposes
    Logging: the act of recording activities
    Deciding what to collect
        Success and/or failure
        Both may be valuable to your investigation or audit (a run of failures followed by a success tells a story that neither type alone does)
    Events to record?
    File access
    Object access
    Authentication
    DNS queries
    Policy modification
    File modifications
    Object modifications
    Elevated privilege use
    Web traffic
    FTP use
    Network traffic
    Wireless connections
    Proxy servers

Tools for logging
    Event Viewer (Windows)
    syslogd (Linux/Unix)

Centralized logging
    Moving logs off the machine under attack may preserve records before an attacker can cover their tracks
    Using the network may allow an attacker to insert misinformation or fill storage, so the transport needs integrity checks and the collector needs limits

Graceful failures?
    Some government or critical applications require that a logging fault be detected and trigger an immediate shutdown (the system fails closed rather than running unaudited)

CHAPTER 19 END

Self Test (page 768)

Introduction to Monitoring

1. Which of the following monitoring systems is best suited to identify zero-day attacks?
   A. Signature-based
   B. Anomaly-based
   C. Host-based
   D. Network-based
   Answer: B. Anomaly-based monitoring systems identify suspicious traffic as anything outside the norm, not by matching a signature database. This means that any type of attack, whether previously known or not, can be identified because it produces traffic out of the norm. A, C, and D are incorrect. Because a signature-based system uses a definition file, it detects only activity it has been programmed to detect. Host-based and network-based describe where an IDS looks (a single system versus network traffic), not how it decides what is suspicious.

2. A signature-based system uses a database of signatures to identify suspicious activity. What does an anomaly-based system use?
   A. A signature database
   B. A log file
   C. A baseline of normal activity
   D. An audit file
   Answer: C. The anomaly-based system is trained on a baseline of normal activity, and any activity out of the norm is considered suspicious. As a result it can detect unknown (zero-day) attacks. A, B, and D are incorrect because anomaly-based monitoring systems do not decide with a signature database, log file, or audit file.

Monitoring Tools

3. What command allows you to view all TCP ports in a listening state on a Windows or Linux system?
   A. nbtstat -na
   B. netstat
   C. nbtstat
   D. netstat -na
   Answer: D. netstat -na lists all sockets (-a), including those in the LISTENING state, with numeric addresses instead of resolved names (-n). A, B, and C are incorrect. nbtstat is used to troubleshoot NetBIOS over TCP/IP, while netstat with no switches shows only current connections and not listening ports.

4. You are monitoring a Windows system and think you have identified a process that may be a potential virus. The process has the process ID 1944. What command would you use to terminate the process?
   A. kill 1944
   B. taskkill /PID 1944
   C. kill /PID 1944
   D. taskkill 1944
   Answer: B. You use the taskkill command in Windows to terminate a process, but you must use the /PID switch when terminating it by process ID (add /F to force a process that will not exit cleanly). A, C, and D are incorrect. kill is the Linux command for terminating a process, and taskkill needs the /PID switch in this example.

5. What command in Linux allows you to view a list of files and the permissions assigned to those files?
   A. ls -l
   B. ls
   C. lastperm
   D. listperm
   Answer: A. To see permissions while listing files with ls, use the -l (long listing) switch. B, C, and D are incorrect: ls alone lists file names without permissions, and lastperm and listperm are not Linux commands.

6. Your manager finds that the company web server is responding slowly and has spent some time with Performance Monitor to troubleshoot the issue. She has determined that no processes are running on the system using up system resources. What tool might you use next?
   A. Performance Monitor
   B. Protocol analyzer
   C. System Monitor
   D. Tasklist
   Answer: B. If the system itself looks normal, with no unexpected processes consuming resources, the problem could be that the system is being overloaded with traffic. A protocol analyzer (network sniffer) lets you view the traffic headed to the system. A, C, and D are incorrect. Performance Monitor and System Monitor monitor the health of the system, which has already been checked, and tasklist only lists the running processes, which Performance Monitor has already shown to be unremarkable.

7. What command in Linux displays a list of all users and the last time they logged on?
   A. loglast
   B. last
   C. lastlog
   D. first
   Answer: C. lastlog reports the most recent login for every user account on the Linux system (from /var/log/lastlog). A, B, and D are incorrect: last shows the login history from /var/log/wtmp rather than one entry per account, and loglast and first are not Linux commands.

Implementing Logging and Auditing

8. When implementing auditing in Windows, what event would you enable if you wanted to audit when someone creates a new user account?
   A. Audit group management
   B. Audit user management
   C. Audit administrative tasks
   D. Audit account management
   Answer: D. To audit when user accounts are created or modified, you must enable the "Audit account management" policy. A, B, and C are incorrect because they are not audit policy settings in Windows.

9. Your manager has asked that you monitor printer access. What event in the audit policy would you enable?
   A. Audit printer access
   B. Audit object access
   C. Audit account management
   D. Audit account logon
   Answer: B. To monitor printer access, you enable success (and, if wanted, failure) auditing of object access in the audit policy. Object access auditing only produces events for objects, such as files and printers, that also have auditing entries configured in their own security settings (the SACL). A, C, and D are incorrect because object access auditing is what covers files and printers in Windows.

10. Your manager comes to you and asks you to check the logs to see if Bob has been surfing facebook.com again during company time. What logs would you check?
   A. FTP log
   B. Web server log
   C. Firewall log
   D. Proxy log
   Answer: D. To see which web sites users on the network have visited, you typically look at the proxy server logs. A, B, and C are incorrect. The FTP log shows access to the FTP server, the web server log shows access to your own web site, and the firewall log records traffic allowed or blocked at the perimeter, not which web sites a user visited.

FOR TOMORROW (Thursday)
    Review, review, review
    Schedule your exam: web site, cost, reimbursement
    Keeping your certificate valid: CEUs, e.g. https://www.brighttalk.com
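The "Other detection tools" section above says to match the process IDs printed by netstat against the tasklist or ps table to see which application owns each socket. The following is an added example, not part of the lecture notes: it parses the output of netstat -ano with tasklist /FO CSV (Windows) and netstat -anp with ps -eo pid,comm (Linux), joins them on PID, and reports listening sockets owned by programs that are not on an allow list. The netstat, tasklist and ps samples are constructed for the example; the hostnames, PIDs and program names in them are made up.

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Sock:
    proto: str               # "TCP" or "UDP"
    local: str               # local address:port
    state: str               # LISTENING/LISTEN/ESTABLISHED, "" for UDP (no state)
    pid: Optional[int]       # owning process ID, None if netstat did not show one
    program: Optional[str]   # program name when netstat prints one (Linux -p)


def parse_netstat(text: str):
    """Parse `netstat -ano` (Windows) or `netstat -anp` (Linux) output into Sock records."""
    socks = []
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        proto = t[0]
        if proto in ("TCP", "UDP"):              # Windows: Proto Local Foreign [State] PID
            state = t[3] if proto == "TCP" and len(t) >= 5 else ""
            pid = int(t[-1]) if t[-1].isdigit() else None
            socks.append(Sock(proto, t[1], state, pid, None))
        elif proto.startswith(("tcp", "udp")):   # Linux: Proto RecvQ SendQ Local Foreign [State] PID/Program
            state = t[5] if proto.startswith("tcp") and len(t) >= 7 else ""
            m = re.fullmatch(r"(\d+)/(\S+)", t[-1])   # last column is "-" when not run as root
            pid, prog = (int(m.group(1)), m.group(2)) if m else (None, None)
            socks.append(Sock(proto[:3].upper(), t[3], state, pid, prog))
    return socks


def parse_tasklist_csv(text: str):
    """PID -> image name from `tasklist /FO CSV`."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}


def parse_ps(text: str):
    """PID -> command from `ps -eo pid,comm`."""
    out = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            out[int(parts[0])] = parts[1].strip()
    return out


def listening_by_process(socks, pid_map):
    """(proto, local, pid, program) for each listening TCP socket and each bound UDP socket."""
    rows = []
    for s in socks:
        if s.state in ("LISTENING", "LISTEN") or s.proto == "UDP":
            name = pid_map.get(s.pid) or s.program or "?"   # "?" = could not identify the owner
            rows.append((s.proto, s.local, s.pid, name))
    return sorted(rows, key=lambda r: (r[0], r[1]))


def unexpected(rows, allowed):
    """Rows whose owning program is not on the allow list (unidentified owners are never allowed)."""
    return [r for r in rows if r[3] not in allowed]


# Constructed sample output (not captured from a real machine).
WIN_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1944
  TCP    10.0.0.7:49812         52.96.0.10:443         ESTABLISHED     3120
  UDP    0.0.0.0:123            *:*                                    1112
"""
WIN_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","144 K"
"svchost.exe","908","Services","0","9,812 K"
"svchost.exe","1112","Services","0","7,240 K"
"nc.exe","1944","Console","1","3,120 K"
"outlook.exe","3120","Console","1","210,455 K"
"""
LINUX_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      655/cupsd
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      2201/.x
tcp        0      0 10.0.0.9:22             10.0.0.50:51022         ESTABLISHED 2100/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           701/dhclient
"""
LINUX_PS = """\
  PID COMMAND
  655 cupsd
  701 dhclient
  812 sshd
 2100 sshd
 2201 .x
"""

if __name__ == "__main__":
    win = listening_by_process(parse_netstat(WIN_NETSTAT), parse_tasklist_csv(WIN_TASKLIST))
    print("Windows:", unexpected(win, {"System", "svchost.exe"}))
    lin = listening_by_process(parse_netstat(LINUX_NETSTAT), parse_ps(LINUX_PS))
    print("Linux:", unexpected(lin, {"sshd", "cupsd", "dhclient"}))
```

On a real host, feed the functions the captured command output instead of the samples; the allow list is the set of programs you expect to hold listening sockets on that host, and anything outside it (or owned by a PID you cannot identify) is what to investigate next with tasklist, ps and, if needed, taskkill.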
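The "Deciding what to collect" bullets above argue that both successes and failures matter, and the "Events to record" list and self-test questions 8 and 9 name authentication, account management, policy modification and privilege use. The following is an added example, not from the lecture notes or the textbook: it runs two simple detections over constructed Windows Security event records. The one-line-per-event format is an assumption made for the example (real Event Viewer exports carry far more fields); the event IDs used are the standard Windows ones (4625 failed logon, 4624 successful logon, 4672 special privileges assigned, 4720 user account created, 4719 audit policy changed). The users, addresses and timestamps are made up.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, not a real log. Assumed format for this example:
# "<ISO timestamp> <Windows Security event ID> key=value ..."
SAMPLE_LOG = """\
2024-03-01T02:14:01 4625 user=bob src=10.0.0.5
2024-03-01T02:14:03 4625 user=bob src=10.0.0.5
2024-03-01T02:14:05 4625 user=bob src=10.0.0.5
2024-03-01T02:14:09 4624 user=bob src=10.0.0.5
2024-03-01T02:15:30 4672 user=bob
2024-03-01T02:16:02 4720 user=svc_backup2 by=bob
2024-03-01T02:16:40 4719 by=bob
2024-03-01T08:59:50 4625 user=alice src=10.0.0.22
2024-03-01T09:00:00 4624 user=alice src=10.0.0.22
"""

# Event IDs worth reviewing on their own, grouped by the audit policy that produces them.
WATCHED = {
    4720: "user account created (Audit account management)",
    4719: "system audit policy changed (Audit policy change)",
    4672: "special privileges assigned to new logon (Audit privilege use / logon)",
}


def parse_events(text: str):
    """Turn the sample lines into dicts with a datetime 'ts', int 'id' and the key=value fields."""
    events = []
    for line in text.splitlines():
        ts, eid, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        events.append({"ts": datetime.fromisoformat(ts), "id": int(eid), **fields})
    return events


def guessing_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when >= threshold failed logons (4625) for one user from one source are followed
    within `window` by a successful logon (4624) for the same pair. Needs both success and
    failure auditing enabled: failures alone show noise, successes alone show nothing odd."""
    recent = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    alerts = []
    for e in events:
        key = (e.get("user"), e.get("src"))
        q = recent[key]
        while q and e["ts"] - q[0] > window:   # forget failures older than the window
            q.popleft()
        if e["id"] == 4625:
            q.append(e["ts"])
        elif e["id"] == 4624:
            if len(q) >= threshold:
                alerts.append({"user": key[0], "src": key[1],
                               "failures": len(q), "at": e["ts"].isoformat()})
            q.clear()                           # a success ends the failure run either way
    return alerts


def sensitive_events(events):
    """(timestamp, id, description, actor) for every watched event, in log order."""
    return [(e["ts"].isoformat(), e["id"], WATCHED[e["id"]], e.get("by") or e.get("user"))
            for e in events if e["id"] in WATCHED]


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    for a in guessing_then_success(ev):
        print("possible password guessing that succeeded:", a)
    for s in sensitive_events(ev):
        print("review:", s)
```

In the sample, bob fails three times and then succeeds from 10.0.0.5, is granted special privileges, creates an account and changes the audit policy, which is exactly the sequence an attacker with a guessed password might produce; alice's single failure before a success is ordinary typing and is not reported.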
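The "Centralized logging" and "Graceful failures?" bullets above raise three problems: an attacker on the network inserting false records, an attacker filling the collector's storage, and the requirement in some environments that a logging fault stop the system rather than let it run unaudited. The following is an added example, not from the lecture notes: the tagging of each record with an HMAC under a per-host pre-shared key, the per-host sequence numbers and the per-host quota are design choices made here to illustrate mitigations, not something the page prescribes. The Collector class stands in for a remote syslog-style server that would normally run on another host; the hostnames, keys and messages are constructed for the example.

```python
import hashlib
import hmac
import json
from collections import Counter


class LoggingFault(Exception):
    """A record could not be delivered and the forwarder's policy is fail-closed."""


def _tag(key: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the serialized record; only holders of the host's key can produce it."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class Collector:
    """Constructed stand-in for the central log server (a real one runs on a separate host)."""

    def __init__(self, keys, quota):
        self.keys = keys               # assumed: one pre-shared key per sending host
        self.quota = quota             # records accepted per host within this (single) window
        self.expected_seq = {}         # next sequence number expected from each host
        self.count = Counter()
        self.accepted = []
        self.reachable = True

    def receive(self, body: bytes, tag: str) -> str:
        if not self.reachable:
            raise ConnectionError("collector unreachable")
        rec = json.loads(body)
        src = rec["src"]
        key = self.keys.get(src)
        if key is None or not hmac.compare_digest(tag, _tag(key, body)):
            return "rejected: bad tag"                          # forged, or altered in transit
        expected = self.expected_seq.get(src, 0)
        if rec["seq"] != expected:
            return f"rejected: seq gap (expected {expected})"   # replayed, lost or injected record
        if self.count[src] >= self.quota:
            return "rejected: quota"                             # one host cannot fill the store
        self.expected_seq[src] = expected + 1
        self.count[src] += 1
        self.accepted.append(rec)
        return "accepted"


class Forwarder:
    """Runs on the monitored host: numbers, tags and ships each record as it is logged."""

    def __init__(self, src, key, collector, fail_closed=True):
        self.src, self.key, self.collector = src, key, collector
        self.fail_closed = fail_closed
        self.seq = 0
        self.dropped = 0
        self.last = None               # (body, tag) of the last record, kept for the replay demo

    def log(self, msg: str) -> str:
        body = json.dumps({"src": self.src, "seq": self.seq, "msg": msg}, sort_keys=True).encode()
        tag = _tag(self.key, body)
        self.last = (body, tag)
        try:
            status = self.collector.receive(body, tag)
        except ConnectionError as exc:
            status = f"rejected: {exc}"
        if status != "accepted":
            if self.fail_closed:       # the "immediate shutdown" policy: stop rather than run unlogged
                raise LoggingFault(f"{self.src} seq {self.seq}: {status}")
            self.dropped += 1          # fail-open: keep running but count what was lost
            return status
        self.seq += 1
        return status


def demo():
    key = b"example-shared-key"        # constructed; in practice provisioned per host
    coll = Collector({"web01": key}, quota=3)
    fwd = Forwarder("web01", key, coll, fail_closed=True)
    out = {"ok": fwd.log("sshd: session opened for user bob")}
    captured = fwd.last
    # An attacker on the path injects a reassuring record without knowing the key.
    forged = json.dumps({"msg": "no problems here", "seq": 1, "src": "web01"}, sort_keys=True).encode()
    out["forged"] = coll.receive(forged, _tag(b"attacker-guess", forged))
    # The attacker replays a genuinely tagged record captured earlier.
    out["replay"] = coll.receive(*captured)
    fwd.log("sudo: bob : COMMAND=/bin/bash")
    fwd.log("useradd: new user: name=svc_backup2")
    try:                                # the fourth record exceeds the quota: fail closed
        fwd.log("cron: job started")
        out["fault"] = False
    except LoggingFault:
        out["fault"] = True
    key2 = b"another-example-key"
    coll2 = Collector({"db01": key2}, quota=3)
    coll2.reachable = False             # network to the collector is down
    open_fwd = Forwarder("db01", key2, coll2, fail_closed=False)
    out["fail_open"] = open_fwd.log("postgres: checkpoint complete")
    out["fail_open_dropped"] = open_fwd.dropped
    out["stored"] = len(coll.accepted)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Whether the forwarder should fail closed is a policy decision: the page notes that some government and critical systems require it, while for most business systems the fail-open branch with a counter of dropped records, and an alert on that counter, is the usual compromise. Which records a collector rejects is itself something to log and alert on, since a burst of bad tags or sequence gaps is evidence of the tampering the page warns about.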