CIS4361 - Cybersecurity Concepts and Tools: Definitions and Questions, Exams of Network security

Definitions of key cybersecurity concepts and tools, including anomaly analysis, availability, behavioral analysis, cam tables, cdm, cert-uk, change management, csm, flash crowd, heuristic analysis, ids, ips, maec, nbad, netflow, ngfw, normalization, oval, s/mime, sdee, sdn, security intelligence, ssh, tos, trend analysis, us-cert, waf, cacti, solarwinds, mrtg, netflow analyzer, palo alto networks next-generation firewalls, checkpoint next generation firewall, and scap. It also includes questions related to these concepts and tools, making it a valuable resource for students studying cybersecurity.

Typology: Exams

2024/2025

Available from 04/15/2025

drillmaster
CIS4361 - Full 12 chapters Get your revision ready!!
Anomaly analysis
The process of defining an expected outcome or pattern to events, and then identifying any
events that do not follow these patterns.
Availability
The act of systems and services functioning correctly and consistently without outages or denial
of service.
Availability analysis
The process of identifying the ability of a system to fulfill its function without interruption.
Behavioral analysis
The process of identifying the way in which an entity acts, and then reviewing future behavior
to see if it deviates from the norm.
CAM table (content-addressable memory)
Used by switches to map MAC address to ports to forward packets to specific interfaces.
CDM (Continuous Diagnostics and Mitigation)
A program created by the Department of Homeland Security to identify threats, prioritize those
threats in terms of the risks they pose, and then give security personnel the ability to triage
these threats, all on an ongoing basis.
CERT-UK (UK National Computer Emergency Response Team)
A government organization that provides support to companies for managing and responding to
cybersecurity incidents.
Change management
The process through which changes to the configuration of information systems are monitored
and controlled, as part of the organization's overall configuration management efforts.
CSM (continuous security monitoring)
Used to maintain ongoing awareness of information security, vulnerabilities, and threats to
support organizational risk management decisions, with the objective of conducting ongoing

monitoring of the security of the organization's networks, information, and systems, and responding appropriately as situations change.
Flash crowd
When used in regard to network traffic, this refers to a situation in which the network or host suddenly receives an unusually large amount of traffic.
Heuristic analysis
The process of identifying the way in which an entity acts in a specific environment, and making decisions about the nature of the entity based on this.
IDS (intrusion detection system)
Passive IDS. A system that scans, audits, and monitors the security infrastructure for signs of attacks in progress.
IPS (intrusion prevention system)
Active IDS. A system that scans, audits, and monitors the security infrastructure for signs of attacks in progress, and actively blocks attacks.
Interference
See jamming.
MAEC (Malware Attribute Enumeration and Characterization)
A standardized language for communicating information about malware. Maintained by the MITRE Corporation.
NBAD (network behavior anomaly detection)
A security monitoring tool that monitors network packets for anomalous behavior based on known signatures.
NetFlow
A protocol included in many enterprise network devices that allows network administrators to monitor the flow of network traffic across these devices.
NGFW (next generation firewall)

A government organization that analyzes and distributes information about threats to cybersecurity.
WAF (web application firewall)
A type of firewall that controls web-based application-layer traffic in the network.
Cacti
An open source, web-based graphing and monitoring tool developed for front-end applications. It allows users to poll services at fixed intervals and graph the resulting data. It is mainly used to graph time-series data of metrics such as network bandwidth utilization and CPU load.
SolarWinds
An IT monitoring and management tool that detects, diagnoses, and resolves network performance problems and outages. It monitors and displays response time, performance, and availability of network devices. It can view performance, configuration, and traffic details of devices and applications that are on-premises, in the cloud, or across hybrid environments.
MRTG (Multi Router Traffic Grapher)
A monitoring tool that monitors the traffic load on network links. It provides a live representation of this traffic by generating HTML pages containing PNG images. It is portable and has reliable interface identification.
NetFlow Analyzer
A traffic analytics tool that provides real-time visibility into network bandwidth performance by leveraging flow technologies. It also works as a bandwidth monitoring tool for optimizing network bandwidth and traffic patterns.
Palo Alto Networks next-generation firewalls
A next generation firewall designed to safely enable applications and prevent modern threats. It identifies network traffic based on applications, content, users, and devices. It reduces manual tasks and enhances security through automated means.
CheckPoint Next Generation Firewall
A next generation firewall that identifies and controls applications by user and scans content to stop threats. It provides safe browsing while protecting against threats and malware. It provides identity awareness, intrusion prevention, integrated security management, and many more features. It has introduced a SmartLog that delivers search results in seconds.
SCAP

Which of the following security monitoring tools is a conglomeration of open standards that identify flaws in security configurations?
Anomaly
Which of the following defines an expected outcome or pattern to events, and then identifies events that do not follow these patterns?
CAM tables
Which of the following tables maps MAC addresses to ports and forwards packets to specific interfaces?
WAF
Which of the following protocols is an application-layer firewall that applies a set of rules to HTTP traffic and protects web servers and clients from malicious traffic?
ModSecurity
Which of the following is not an example of IDS/IPS solutions?
Trend analysis
Analysis methods for data collection that consist in the process of detecting patterns within a dataset over time, and using those patterns to make predictions about future events.
Behavioral analysis
Analysis methods for data collection that consist in the process of identifying the way in which an entity acts, and then reviewing future actions to see if they deviate from the norm.
Heuristic analysis
Analysis methods for data collection that consist in the process of identifying the way in which an entity acts in a specific environment, and making decisions about the nature of the entity based on this.
Availability analysis
Analysis methods for data collection that consist in the process of identifying the capability of a system to fulfill its function without interruption.
Anomaly analysis
Analysis methods for data collection that consist in the process of defining an expected outcome or pattern to events, and then identifying any events that do not follow these patterns.

WAF (Web Application Firewall) log includes
• The HTTP method(s) used in the event (e.g., a GET request)
• Any specific query used in the event
• The specific web page path of the traffic
• More details about what kind of attack, if any, the event could indicate
Intrusion detection systems/intrusion prevention systems (IDSs/IPSs), whether wireless (WIDS/WIPS) or otherwise
Usually have a built-in logging feature that records traffic and alerts according to how the system is configured.
IDS/IPS (Intrusion Detection Systems/Intrusion Prevention Systems) solutions
• Snort
• Bro
• Cisco FirePOWER
Snort
IDS/IPS (Intrusion Detection Systems/Intrusion Prevention Systems) solution that consists of an open source IDS/IPS software for Linux and Windows systems to detect emerging threats.
Bro
IDS/IPS (Intrusion Detection Systems/Intrusion Prevention Systems) solution that consists of an open source network monitor for Unix-based systems that can function as a network intrusion detection system/host-based intrusion detection system (NIDS/HIDS).
Cisco FirePOWER
IDS/IPS (Intrusion Detection Systems/Intrusion Prevention Systems) solution that consists of a proprietary network security software that blocks more threats and quickly mitigates those that breach defenses with the industry's first threat-focused NGFW (Next-Generation Firewall).
The five main categories of Windows event logs are
• Application: Events generated by applications and services, such as ones failing to start.
• Security: Audit events, such as failed logons.
• Setup: Events generated during the installation of Windows.
• System: Events generated by the operating system and its services, such as storage volume health checks.
• Forwarded Events: Events that are forwarded to the computer from other computers.
Consider the given HTTP log entry example: 10.39.5.10 - student01 [12/Apr/2017:15:23:31 -0500] "GET /image.jpg HTTP/1.1" 403 -
Drag the part of the HTTP log entry to the matching description
• 10.39.5.10: The IP address of the client making the request.
• student01: The user ID of the client when authenticated on the site.
• 12/Apr/2017:15:23:31 -0500: The date and time the request was received, as well as the time zone.
• "GET /image.jpg HTTP/1.1": The request method used by the client and the resource requested.
• 403: The HTTP status code of the server's response.
Continuous backup
A database method where changes to data are backed up as they are made, therefore maximizing data currency.
Differential backup
A method of backing up all files in a selected storage location that have changed since the last full backup.
Incremental backup
A method of backing up all the files in a selected storage location that have changed since the last full or incremental backup.
Windows PowerShell
A command shell and scripting language built on the .NET Framework.
Bash
A command shell and scripting language for Unix-like systems.

Guidelines for Preparing Data for Analysis
• Filter out unnecessary or duplicate data
• Combine sources
• Synchronize events logged in different sources
• Normalize data formats
• Store data securely
Log analysis tools are divided into the following categories:
• Linux® tools: grep, cut, diff
• Windows® tools: find, Windows Management Instrumentation Command-line (WMIC), Event Viewer
• Scripting languages: Bash (Linux), PowerShell™ (Windows)
find
In Windows operating system, the ________ command searches text files for a particular string provided by the user, and returns the lines that contain this string.
grep
In Unix-like operating systems, the ________ command searches text files for specific strings supplied by the user.
cut
The ________ command is used to select sections of text from each line of files.
grep
In Unix-like operating systems, the ________ command searches text files for specific strings supplied by the user. This enables you to search the entire contents of a text file for a specific pattern, and display that pattern on the screen or dump it to another file.
Options provided by the grep command
• -i Ignores case sensitivity
• -v Reverses the grep command's default behavior, returning only lines that do not match the given string
• -w Treats search strings as discrete words
• -c Returns the total count of matching lines rather than the lines themselves
• -l Returns the names of the files with matching lines rather than the lines themselves
• -L Returns the names of files without matching lines
• -r Searches recursively within the given directory
cut
The ________ command enables you to specify which text on a line you want to remove from your results so that they're easier for you to read. This can eliminate the frustration and inefficiency of poring over logs with excessive information on each line. Here's a basic example: cut -c5 syslog.txt This will return only the fifth character in each line of the syslog.txt file. You can also specify multiple lines to cut or a range to cut by using -c#,# and -c#-#, respectively. The other major use of cut is with the -f and -d flags. Take the following example: cut -d " " -f1-4 syslog.txt

The Windows "find" command should not be confused with the Linux "find" command, which is used to locate files in a directory. The ________ command is essentially the Windows version of grep. It searches text files for a particular string that you provide, and returns the lines that contain this string. This command has a slightly different syntax than grep, but includes most of the same basic options.
Windows Management Instrumentation Command-line (WMIC)
For example: wmic NTEVENT WHERE "LogFile='Security' AND EventType=5" GET SourceName,TimeGenerated,Message
This will look in all security event log entries whose events are type 5 (audit failure). It will then return the source, the time the event was generated, and a brief message about the event. This can be useful for identifying specific events based on their details, without actually being at the target computer and combing through Event Viewer. Despite its use by attackers, ________ can also be helpful to security analysts who need to review log files on a remote Windows machine.
Event Viewer
________ is the main graphical hub for viewing event logs on a Windows computer. Windows logs events in one of several different categories, and this one provides views for each category.
Event Viewer classifies events by their severity:
• Information: Successful events.
• Warning: Events that are not necessarily a problem, but may be in the future.
• Error: Events that are significant problems and may result in reduced functionality.
• Audit Success/Failure: Events that indicate a user or service either fulfilled or failed to fulfill the system's audit policies. These are unique to the Security log.
Bash
The following is an example of a simple Bash script named "nm-script":

#!/bin/bash
echo "Pulling NetMan entries..."
grep "NetworkManager" /var/log/syslog | cut -d " " -f1-5 > netman-log.txt
echo "NetMan log file created!"

The first line of the script indicates what type of interpreter the system should run, as there are many different scripting languages. The echo lines simply print messages to the console. The "grep" line pipes into "cut" to trim the syslog as before, and outputs the results to a file called netman-log.txt.
________ is a scripting language and command shell for Unix-like systems. It is the default shell for Linux and OS X®, and has its own command syntax. The commands you've been entering in Kali Linux™ thus far use this shell to execute. Additionally, tools like grep, cut, and diff are built into it.
Windows PowerShell
The following is an example of a PowerShell script named log-fail-script.ps1:

Write-Host "Retrieving logon failures..."
Get-EventLog -Newest 5 -LogName Security -InstanceId 4625 | select timewritten, message | Out-File C:\log-fail.txt
Write-Host "Log created!"

The 'Write-Host' cmdlets function similarly to echo by printing the given text to the PowerShell window. The 'Get-EventLog' cmdlet line searches the security event log for the latest five entries that match an instance ID of 4625, the logon failure code. The time the event was logged and a brief descriptive message are then output to the log-fail.txt file.
________ is a scripting language and shell for Microsoft® Windows® that is built on the .NET Framework. It is often used by administrators to manage both local and remote hosts as it integrates with WMI. It offers much greater functionality than the traditional Windows command prompt.
True
Bash is a scripting language and command shell for Unix-like systems
True
Bash has its own command syntax

be implemented as software, hardware appliances, or outsourced managed services. SIEM technology is often used to enhance incident response capabilities by providing expanded insights into intrusion detection and prevention through aggregation and correlation of event data across multiple incidents.
A hardware and/or software solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications.
Common SIEM tools include:
• Splunk®: A proprietary SIEM that has a limited free version for individuals, a paid enterprise version, and a paid cloud-based version.
• HP ArcSight: A proprietary SIEM that has a limited trial version.
• IBM® QRadar®: A proprietary SIEM.
• Open Source Security Information Management (OSSIM): An open source SIEM developed by AlienVault® that is delivered as its own operating system, rather than an independent application.
Regular expression (regex/regexp)
Regular expressions are a much more powerful way to search for specific strings in a text than standard string searches. Search operations using regular expressions use a common syntax, which includes various special characters that have specific uses. This results in the search being able to retrieve granular results that it would otherwise not be able to. A group of characters that describe how to execute a specific search pattern on a given text.

Search operators can match repetitions and specific numbers of instances of a pattern.
* Matches zero or more instances of the preceding character. Ex: 105* matches the "10" in "104", the "105" in "1052", and the "1055" in "1055".
? Matches zero or one instances of the preceding character. Ex: 105? matches the "10" in "104" and the "105" in "1052".
+ Matches one or more instances of the preceding character. Ex: 105+ matches the "105" in "1052" and the "1055" in "1055".
{n} Matches only n instance(s) of the preceding character. Ex: 105{3} matches "10555".
{n,} Matches at least n instance(s) of the preceding character. Ex: 105{1,} matches "105", "1055", "10555", and so on.
{n,m} Matches between n and m instances of the preceding character (inclusive). Ex: 105{1,3} matches "105", "1055", and "10555".
This next category of search operators is called anchors, as they prompt the search to match a specific location within the text.
^ Matches the position at the beginning of the following string. Ex: ^105 does not match "2105".
$ Matches the position at the end of the following string. Ex: 105$ does not match "1052".
This next category of search operators is called character sets, which enable you to define a wide range of characters to match all at once.
[ ... ] Matches any character within the set. The set is contained in the brackets. Ex: [0123456789] matches every character in "1055". Likewise, [abcdef] matches the "e" and "c" in "security".
- Matches a range of characters within the set. Ex: [0-9] matches every character in "1055". Likewise, [a-f] matches the "e" and "c" in "security".
^ Inside brackets, this negates a set. Matches any characters or range of characters not in the set. Ex: [^0123] matches the "5" in "105". Likewise, [^a-f] matches the "s", "u", "r", "i", "t", and "y" in "security".
. Matches any character except for line breaks. Ex: 105. matches "1055", "1056", "1057", and so on.
( ... ) Defines a subexpression with the pattern inside the parentheses. Ex: ([0-9]abc){2} matches "5abc5abc". Without the parentheses it matches "5abcc".
| The "OR" logical operator. Matches the preceding string or the following string.

Special Operators
\D Matches any non-digit. Ex: 105\D matches "105a".
\s Matches any whitespace. Whitespace is defined as a space, tab, return, or new line. Ex: 105\s matches "105 ".
\S Matches any non-whitespace. Ex: 105\S matches "1055", "105a", "105!", and so on.
\b Matches a word boundary. Word boundaries are defined as one side being any non-whitespace character, and the other side as being a whitespace character. Ex: 105\b matches the "105" in "22105" but does not match the "105" in "21052".
\B Matches a non-word boundary. Ex: 105\B matches the "105" in "21052" but does not match the "105" in "22105".
\c Matches the following control character. A control character is a non-written symbol, like a tab or return.
Modifiers
Regular expressions can also be used with __________, which alter the behavior of the expression in some way. They are typically placed at the end of the expression to modify the whole thing, but some may also be placed inline to modify only part of the expression.
The following are common modifiers for regular expressions:
i Ignores case sensitivity. Regular expressions are case sensitive by default.
g It is a global modifier that finds all matches rather than stopping after the first match.
m Turns on multi-line mode, which forces anchors to match the beginning or end of each line, rather than each string.
s Turns on single-line mode, which forces the . operator to match line break characters.
Fill in the blanks by dragging the appropriate special operators from the bottom onto their correct boxes
\w Matches a word
\W Matches a non-word
\D Matches any non-digit
\S Matches any non-whitespace
\b Matches a word boundary
\s Matches any whitespace
\d Matches a digit
\B Matches a non-word boundary
What are some of the tools you use most often to analyze log data?
Students will likely have some familiarity with Linux, and may prefer to use tools like grep, awk, and cut to aid them in analysis tasks. Others may need to perform analysis of Windows system logs and will use command line tools like find or GUI tools like Event Viewer. Whatever they use, students will also likely see the value in scripting the use of these tools for automation—they can do this through the scripting languages Bash (Unix-like) or Windows PowerShell, among others.
Snapshot
The state a virtual environment is in at a certain point in time.