NT 2580 Testing and Monitoring

In: Computers and Technology

Submitted By eckerteugene
Words 309
Pages 2
Testing and Monitoring Security Controls

Identify at least two types of security events and baseline anomalies that might indicate suspicious activity.

Authentication failures and unauthorized access attempts are the first event type to look for, and they are recorded in the log files. Log files hold a complete record of security events (logon events, resource access, attempted violations of policy, and changes in system configuration or policies) and of critical system events (service/daemon start/stop, errors generated, system warnings), which lets an administrator find the root cause of an issue quickly. A single failed logon followed by a success is normal; many failures for many different account names from one source address inside a short window is a departure from the baseline and worth investigating.

A sudden increase in traffic is the second. It can mean that your web site has been mentioned on a popular news site and people are checking it out, or it can mean that someone is up to no good. The spike by itself is only a trigger: compare it with the baseline measured during normal operation and look at what changed (source addresses, requested paths, requests per client) before deciding which of the two it is.
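To make the two indicators concrete, here is detection logic for both, run over constructed sample data. This is an added example, not code from the essay or from the NT2580 course; the syslog-style sshd lines, host name, addresses (RFC 5737 documentation ranges) and per-minute request counts are made up, and the burst threshold and z-score cutoff are assumptions to be tuned against your own baseline.

```python
"""Detection logic for the two indicators above, run over constructed sample data.
Added example for this page, not from the original essay; the log lines, host
name and addresses are made up."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style OpenSSH lines: one source trying several account names,
# one user who mistypes once and then succeeds, one stray failure.
SAMPLE_AUTH_LOG = """\
Mar  3 09:14:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar  3 09:14:03 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51024 ssh2
Mar  3 09:14:04 web01 sshd[2101]: Failed password for root from 203.0.113.45 port 51026 ssh2
Mar  3 09:14:06 web01 sshd[2101]: Failed password for root from 203.0.113.45 port 51028 ssh2
Mar  3 09:14:08 web01 sshd[2101]: Failed password for oracle from 203.0.113.45 port 51030 ssh2
Mar  3 09:20:11 web01 sshd[2188]: Failed password for jsmith from 192.168.10.22 port 40112 ssh2
Mar  3 09:20:19 web01 sshd[2188]: Accepted password for jsmith from 192.168.10.22 port 40112 ssh2
Mar  3 09:31:40 web01 sshd[2240]: Failed password for invalid user test from 198.51.100.9 port 33001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def failed_logon_bursts(log_text, threshold=5, window=timedelta(minutes=1), year=2024):
    """Return {source: (failures_in_window, [account names tried])} for every
    source address with at least `threshold` failed logons inside `window`.
    syslog lines carry no year, so one is supplied for parsing (assumption)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["src"]].append((ts, m["user"]))

    bursts = {}
    for src, hits in events.items():
        hits.sort()
        start, best = 0, None
        for end in range(len(hits)):  # sliding window over the sorted timestamps
            while hits[end][0] - hits[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, sorted({u for _, u in hits[start:end + 1]}))
        if best:
            bursts[src] = best
    return bursts


# Constructed requests-per-minute counts: twelve minutes of normal load, then a spike.
SAMPLE_RPM = [120, 118, 125, 130, 122, 119, 127, 124, 121, 126, 123, 128, 940, 1310, 1280]


def rate_anomalies(samples, baseline_len=12, z_threshold=4.0):
    """Treat the first `baseline_len` samples as the learned baseline and flag any
    sample more than `z_threshold` standard deviations above its mean.
    A flag is a reason to look, not proof of attack: a news mention and a flood
    look the same at this level; the request mix tells them apart."""
    baseline = samples[:baseline_len]
    mean, stdev = statistics.mean(baseline), statistics.stdev(baseline)
    return [(i, v) for i, v in enumerate(samples) if (v - mean) / stdev > z_threshold]


if __name__ == "__main__":
    for src, (n, users) in failed_logon_bursts(SAMPLE_AUTH_LOG).items():
        print(f"{src}: {n} failures within one minute, accounts tried: {', '.join(users)}")
    for minute, rpm in rate_anomalies(SAMPLE_RPM):
        print(f"minute {minute}: {rpm} req/min is far above the baseline")
```

Run as a script it reports the one source that cycled through admin, root and oracle, and the three minutes that sit far outside the quiet baseline; the user who mistyped once and then logged in is not reported, which is the distinction between an event and an anomaly.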

Given the following list of end-user policy violations and security breaches, select three breaches and identify strategies to control and monitor each event to mitigate risks and minimize exposure.

* Removable storage devices that might contain malware. Malware that arrives on a USB drive is filtered only if it later passes through the network, so network-side scanning alone does not catch it. The solution: limit each user's privileges to the duties assigned to that individual, so that whatever the drive carries cannot be installed, and make it clear that no removable storage device is to be brought onto the network under any circumstances unless it is necessary and has been properly screened first. A written rule is only a control if it is enforced, so block removable storage on the endpoints by policy and log any device that is connected.

* Passwords that meet the security requirements but remain easily guessable. A common word with a digit and a symbol appended satisfies a letters-and-numbers rule and is still among the first guesses an attacker makes. The solution: require a combination of letters and numbers and a periodic change of password, with a 30-day renewal policy as the minimum. Note the limit of this control: composition rules and forced rotation do not stop a user from choosing a predictable word and incrementing the digit each cycle, so the guessability problem also needs new passwords screened against common and breached-password lists and a longer minimum length.

* Information on a laptop that is not encrypted. If the laptop is lost or stolen the data falls into the wrong hands, and some sort of damage is likely. The solution: To prevent this from happening it is important to…...
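The second breach above is the one worth reasoning about in code, because "meets the requirements" and "hard to guess" are different tests. The following is an added example, not from the essay or the course; COMMON_BASES is a tiny constructed stand-in for a real common/breached-password list, and the composition rule, the 12-character minimum and the leet-speak table are assumptions.

```python
"""Screening a password that passes a composition rule but stays guessable.
Added example for this page, not from the original essay; the blocklist is a
tiny constructed stand-in for a real list of common and breached passwords."""
import re

# Constructed stand-in for a common/breached-password list (base words, lowercase).
COMMON_BASES = {"password", "welcome", "letmein", "qwerty", "summer", "winter", "admin", "changeme"}
# Undo the substitutions people use to satisfy "letters and numbers" rules (assumed table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "12345", "abcdef")


def meets_composition_rule(pw, min_len=8):
    """The rule the essay proposes: letters plus numbers, eight characters or more."""
    return len(pw) >= min_len and bool(re.search(r"[A-Za-z]", pw)) and bool(re.search(r"\d", pw))


def base_word(pw):
    """Strip leading/trailing digits and symbols, undo leet-speak, lowercase:
    'P@ssw0rd2024!' -> 'password'."""
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw)
    return core.translate(LEET).lower()


def guessability_problems(pw, blocklist=COMMON_BASES, min_len=12):
    """Return the reasons a password is easy to guess; an empty list means it passed."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    base = base_word(pw)
    if base in blocklist:
        problems.append(f"common word '{base}' with digits/symbols bolted on")
    if any(run in pw.lower() for run in KEYBOARD_RUNS):
        problems.append("keyboard or sequence run")
    if re.search(r"(.)\1\1", pw):
        problems.append("repeated character run")
    if re.search(r"(19|20)\d\d", pw):
        problems.append("contains a year")
    return problems


def evaluate(pw):
    """Run both checks side by side so the gap between them is visible."""
    return {"composition_ok": meets_composition_rule(pw), "problems": guessability_problems(pw)}


if __name__ == "__main__":
    for candidate in ("Password1!", "P@ssw0rd2024", "Summer2024", "correct-horse-battery-7", "xK9#vRt2mQ!pL4"):
        print(candidate, evaluate(candidate))
```

Every candidate in the demo list passes the letters-and-numbers rule; only the last two survive the guessability screen, which is the point the essay is making about policy-compliant but weak passwords.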

Similar Documents

Testing and Monitoring Security Controls

...NT2580 Unit 5 Testing and Monitoring Security Controls A few different types of security events and baseline anomalies that might indicate suspicious activity: Different traffic patterns or an influx in bandwidth usage can be considered suspicious activity, or services changing port usage, in turn creating variations in normal patterns. A sudden increase in overall traffic. This may just mean that your web site has been mentioned on a popular news site, or it may mean that someone is up to no good. A sudden jump in the number of bad or malformed packets. Some routers collect packet-level statistics; you can also use a software network scanner to track them. Large numbers of packets caught by your router or firewall's egress filters. Recall that egress filters prevent spoofed packets from leaving your network, so if your filter is catching them you need to identify their source, because that's a clear sign that machines on your network have been compromised. Unscheduled reboots of server machines may sometimes indicate their compromise. You should already be watching the event logs of your servers for failed logons and other security-related events. Log files contain complete records of all security events (logon events, resource access, attempted violations of policy, changes in system configuration or policies) and critical system events (service/daemon start/stop, errors generated, system warnings) that can allow an admin to quickly discover the root cause of......

Words: 573 - Pages: 3
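The egress-filter point in the excerpt above is worth showing as a check, because the forged source address tells you nothing and the machine that sent it tells you everything. This is an added example, not code from the excerpt or its author; the internal prefixes, MAC addresses and flow records are constructed, and tying the spoofing MAC back to the internal address it also used is the added step.

```python
"""Egress-filter check for the spoofed-source indicator above: outbound packets
whose source address is not one of our own prefixes are spoofed, and the host
that emitted them is the one to investigate. Added example for this page, not
part of the original post; prefixes, MAC addresses and flows are constructed."""
import ipaddress
from collections import Counter

# Constructed: the address space this site legitimately sources traffic from.
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in ("192.168.10.0/24", "10.20.0.0/16")]

# Constructed flow records seen on the outside-facing interface: (source MAC, src IP, dst IP).
SAMPLE_FLOWS = [
    ("00:11:22:33:44:01", "192.168.10.22", "198.51.100.5"),
    ("00:11:22:33:44:01", "192.168.10.22", "203.0.113.80"),
    ("00:11:22:33:44:07", "203.0.113.99", "198.51.100.5"),    # spoofed source
    ("00:11:22:33:44:07", "198.51.100.200", "198.51.100.5"),  # spoofed source
    ("00:11:22:33:44:07", "192.168.10.77", "198.51.100.5"),   # same host using its real address
    ("00:11:22:33:44:02", "10.20.3.4", "192.0.2.10"),
]


def is_internal(addr, prefixes=INTERNAL_PREFIXES):
    """True if the address belongs to one of our prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


def egress_violations(flows, prefixes=INTERNAL_PREFIXES):
    """Flows an egress filter should drop: outbound traffic with a foreign source address."""
    return [f for f in flows if not is_internal(f[1], prefixes)]


def suspect_hosts(flows, prefixes=INTERNAL_PREFIXES):
    """Tie each dropped packet back to the layer-2 address that sent it, and to the
    internal IP that same MAC used legitimately, so the responder knows which
    machine is compromised instead of chasing a forged address."""
    dropped = egress_violations(flows, prefixes)
    per_mac = Counter(mac for mac, _, _ in dropped)
    real_ip = {mac: src for mac, src, _ in flows if is_internal(src, prefixes)}
    return {mac: {"spoofed_packets": n, "likely_host": real_ip.get(mac)} for mac, n in per_mac.items()}


if __name__ == "__main__":
    for mac, info in suspect_hosts(SAMPLE_FLOWS).items():
        print(f"{mac} sent {info['spoofed_packets']} spoofed packets; real address {info['likely_host']}")
```

On the sample flows the filter drops two packets, both from the MAC that elsewhere uses 192.168.10.77, which is the host to pull for investigation.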

Testing and Monitoring Security Controls Worksheet

...are the first place to check for administrative issues and security activity. Log files help you put together a timeline of events surrounding everything from a performance problem to a security incident. You can also identify bad system or network activities by observing anomalies from baseline behavior or identifying certain suspicious actions. Testing ensures that your control and monitoring facilities work as intended and maintain proper operation. Monitoring ensures that you capture evidence when your testing procedures fail to examine all possibilities or legitimate behavior permits unauthorized activity. Identify at least two types of security events and baseline anomalies that might indicate suspicious activity. Always consider that even legitimate traffic can be used in illegitimate ways, and sometimes, legitimate traffic can appear illegitimate. Protected services can be attacked from the inside or accessed externally through loopholes in firewall rules. Vulnerabilities may remain unidentified by intrusion detection system (IDS) or intrusion prevention system (IPS) signatures and evade detection. Monitoring helps you capture pieces of the puzzle that creates a timeline of events. Think on the following lines to answer this assignment: * How do you obtain a baseline of system or network behavior? * What is an anomaly in relation to baseline behavior? * Why might certain anomalies be worth investigating? * How can traffic have patterns......

Words: 477 - Pages: 2

Testing and Monitoring Security

...Testing and Monitoring Security Controls Two types of security events and baseline anomalies that are easy to identify are users that install software that is dangerous and packets that are sent to your router that are not permitted to be routed throughout your network. Using a security service or protocol that either comes with your operating system, or IOS in a router's case, is easy to manage so that administrators can be alerted when unauthorized activity takes place throughout your domain. A good administrator will set “triggers”, which are activities that are tagged for alarm, to allow him or herself to be alerted when a breach occurs. These services use protocols such as TCP, UDP, ICMP and SNMP (v1-3). Also, many firewalls can be set up to monitor incoming traffic by analyzing the ports in the TCP/UDP header and ensuring they are permitted to be passed within the domain. Within a Windows domain, you can establish group policies to enforce restrictions on users that install unwanted software that can jeopardize security. These can either be enabled when baselining an OS image for distribution, or through the domain controller's WAN policy group. Many networks can become prey to bad router configuration. WAN/LAN links usually suffer because administrators are reluctant to take a router offline to update access-lists. A possible solution to alleviating slip-ups is to place an IP filtering firewall behind the router. This can be done in each area of the domain......

Words: 414 - Pages: 2

Testing and Monitoring Security Controls & Security Audits and Assessments

...Testing and Monitoring Security Controls & Security Audits and Assessments Identify at least two types of security events and baseline anomalies that might indicate suspicious activity.
* Authentication failures are one type of security event. A baseline anomaly that may indicate suspicious activity is unauthorized access attempts that can be found within log files. The log files contain records of all types of security events such as logon events, changes in system configuration and attempted violations of policy as well as system events like service startups and closures, errors and system warnings.
* A second security event could be a sudden increase in overall traffic. It could simply mean that your website has been mentioned by a popular source, or it could mean that someone is trying to cause harm to your site.
Given a list of policy violations and security breaches, select three breaches, and consider the best options for controlling and monitoring each incident. Identify the methods to mitigate risk and minimize exposure to threats or vulnerabilities.
* Problem: Removable storage drives introduce malware filtered only when crossing the network. Solution: Limit user privileges to only those that are required by the duties that are assigned to that individual. This will hopefully make it clear that no removable storage devices are to be connected to the network, no matter the circumstances, unless they are screened first.
* Problem:......

Words: 316 - Pages: 2

Testing and Monitoring Security Controls

...Testing and Monitoring Security Controls In the grand scheme of things security controls, in a nutshell, are in place to prevent security breaches. Security controls are safeguards or countermeasures to avoid, counteract or minimize security risks relating to personal property, or computer software. So anything that has to do with accessing sensitive information with the intent of using it maliciously is considered a security risk. Things that might be overlooked or investigated may be cause for concern as there are never any true false positives in the world of cyber security. A couple of things that usually go unnoticed are failed login attempts and increased network traffic. This is what can be done to prevent this issue. You are coming back from a much needed vacation and you attempt to log on to your computer. You use the same password that you have established for all of your accounts for this company, yet you get a message stating that your password is incorrect. You then notice your caps lock is on, try the password again and all is right with the world. The IT department calls and asks whether you had an issue logging in and they ask for details; you mention the caps lock key and they chalk it up as user error. The logon attempts log that was in place at your place of employment allows the security team to pick up when something is wrong. Now take that same situation but instead of caps lock being the reason, you cannot access it at all. You learn from the IT security...

Words: 755 - Pages: 4

Unit 5 Assignment 1 Testing and Monitoring Security Controls

...Testing and Monitoring Security Controls Identify at least two types of security events and baseline anomalies that might indicate suspicious activity. A sudden increase in traffic can indicate either that your web site has grown in popularity or that there have been attempts at unauthorized access to your network. Authentication failures and unauthorized access attempts can be found in the log files. They contain the complete records of all security events as well as critical system events that allow an admin to quickly discover the root cause of any issues. Given the following list of end-user policy violations and security breaches, select three breaches and identify strategies to control and monitor each event to mitigate risks and minimize exposure. Passwords that meet security requirements but remain easily guessable are a hazard and could affect a network.
* Solution: Implementing a change of password every so often. Implement the strategy that requires a combination of letters and numbers, and a minimum of a 30 day password renewal policy.
Information on a laptop that is not encrypted poses a huge security issue. It would be likely that there would be some sort of damage in the event of falling into the wrong hands.
* Solution: To prevent this from happening it is important to encrypt the drives and other sensitive information.
Removable storage devices could contain malware, filtered only when passing through the network could be a...

Words: 277 - Pages: 2

NT 2580 Study Guide Final

...classification standards - Helps to determine the appropriate access to classify data.
19. Which of the following refers to the management of baseline settings for a system device? - Configuration control - The management of the baseline settings for a system device.
20. Identify a primary step of the SDLC. - SDLC - Design is a primary step.
21. Which of the following is a process to verify policy compliance? - Security auditing - the process to verify policy compliance.
22. When monitoring a system for anomalies, the system is measured against _. - Baseline - In order to recognize something as abnormal, you first must know what normal looks like (when monitoring systems for anomalies).
23. Which of the following is not a type of penetration test? - Testing methods - Black-box testing, White-box testing, Grey-box testing.
24. Identify a drawback of log monitoring. - Monitoring issues - many organizations turn off logs because they produce too much information.
25. Which of the following is not a type of monitoring device? - Verifying security controls - Controls that monitor activity include intrusion detection systems (IDSs), intrusion prevention systems (IPSs), and firewalls.
26. Identify the primary components of risk management. - Primary components of risk management - Reduction, Avoidance, Mitigation.
27. Which of the following is not a part of a quantitative risk assessment? - BCP - Is not part of quantitative risk assessment.
28. What are the primary......

Words: 1353 - Pages: 6

Unit 5 Assignment 1 Testing and Monitoring Security Controls

...NT2580 Unit 5 Assignment 1 Testing and Monitoring Security Controls Jose J Delgado Testing and Monitoring Security Controls A few different types of security events and baseline anomalies that might indicate suspicious activity. Different traffic patterns or an influx in bandwidth usage can be considered suspicious activity. Also, services changing port usage, in turn creating variations in normal patterns. A sudden increase in overall traffic. This may just mean that your web site has been mentioned on a popular news site, or it may mean that someone is up to no good. A sudden jump in the number of bad or malformed packets. Some routers collect packet-level statistics; you can also use a software network scanner to track them. Also large numbers of packets caught by your router or firewall's egress filters. Egress filters prevent spoofed packets from leaving your network, so if your filter is catching them you need to identify their source, because it is a clear sign that devices on your network have been compromised. Unscheduled reboots of server machines may sometimes signify that they are compromised as well. You should already be watching the event logs of your servers for failed logons and other security-related events. Log files encompass complete records of all security events (logon events, resource access, attempted violations of policy, and......

Words: 524 - Pages: 3

Testing and Monitoring Security Controls

...Network Behavior Anomaly Detection (NBAD) is a safety technique used in monitoring a network for signs of bizarre activity. It is enacted by establishing a baseline, observing the network in situations of normal network and user behavior. Using network behavior anomaly detection you can obtain a baseline of system or network behavior. If an attacker is using a spoofed source address, legitimate traffic from that address will be blocked as well. A common way to gain control over a remote system is by installing a small application on a target machine. A Trojan horse is an application that is hidden in some other type of content, such as a legitimate program. It can be used to create a new, secret account called a back door, or it can be used to run spyware, which collects user keystrokes for analysis. Trojan horses can also be used to infect and control affected systems, destroy and expose valuable company information, or use your systems as launching pads for further attacks from the inside. Investigation is vital as it aids in triggering quick detection of viruses and worms that replicate on the server system, cause unscheduled reboots of the system and great data losses. If you have antivirus software installed on that server, the virus can turn off that antivirus software and the firewall which was configured by the antivirus. And that means your computer is not protected. Log files contain complete records of all security events (logon events, resource access,......

Words: 618 - Pages: 3

NT 2580

...Criminal profiling is both art and science based on generalizations that categorize various types of computer criminals. Profiling uses statistical data for inductive profiling and deductive profiling. Inductive profiling assumes established patterns: criminal offenders tend to follow a common background and motive. Deductive profiling seeks to reconstruct the offender’s actions: hypothesizes the offender’s actions before, during, and after committing a crime. Stereotypical cybercriminals range from unsophisticated “script kiddies,” who lack programming skills, to expert criminals who create custom exploits and attack tools. Many cybercriminals disregard computer crime laws and often rationalize why those laws are invalid or inapplicable, especially when espousing political agendas against corporate practices or national policies. Recurring types of attackers include the following:
▪ Cracker: A malicious attacker who deliberately intrudes upon systems or networks to gain unauthorized access or unauthorized resources.
▪ Hacker: An individual who enjoys breaking systems or software without causing harm, presumably with the intent to better understand and improve security.
▪ Hat colors are often attributed to depict the mentality of a hacker or a cracker. Black hat corresponds to a harmful system intruder. White hat corresponds to a helpful security practitioner. Gray hat corresponds to a hacker who may act in goodwill, but also crosses the line to......

Words: 415 - Pages: 2

NT 2580

...Remote access security policy involves the policies and conditions that are in place that allow users to connect to servers when out of the network. In the case of Richman Industries, they are interested in maintaining connections with their users, and sharing app data that is on a server for their day to day operations. In their case, I would have an access policy that is based on Explicit Allow policies. This means that the policy grants “Permission” to access the servers remotely if the connection attempt matches the policy conditions. Some of the requirements would include strict control enforced via one-time password authentication or public keys with strong pass-phrases. Also, anyone trying to gain access must not be connected to any other network at the same time, aside from personal home networks under the user's complete control. Further, employees with access must not use email accounts other than the company's standards, so that personal use won't be confused with business. Users must have approved virus control and spyware protection in place on all devices accessing the company network. Remote access will be limited in certain areas, while at least Applications will be approved for access (Shared application data is an important part of Richman’s network). Systems and system settings will not be accessible from remote, out of network connections, to protect from outside alterations of systems or system settings, and any Data access will be read only,......

Words: 301 - Pages: 2

NT 2580 Unit 1

...NT 2580 Unit 9 Assignment 1: List of a Computer Attack 5/25/15 Jeffry Rodriguez
Phase 1 - Reconnaissance
Reconnaissance is probably the longest phase, sometimes lasting weeks or months. The black hat uses a variety of sources to learn as much as possible about the target business and how it operates, including:
* Internet searches
* Social engineering
* Dumpster diving
* Domain name management/search services
* Non-intrusive network scanning
The activities in this phase are not easy to defend against. Information about an organization finds its way to the Internet via various routes. Employees are often easily tricked into providing tidbits of information which, over time, build a complete picture of processes, organizational structure, and potential soft spots. However, there are some things you can do which make it much harder for an attacker, including:
* Make sure your systems don't leak information to the Web, including: software versions and patch levels, email addresses, names and positions of key personnel
* Ensure proper disposal of printed information
* Provide generic contact information for domain name registration lookups
* Prevent perimeter LAN/WAN devices from responding to scanning attempts
Phase 2 - Scanning
Once the attacker has enough information to understand how the business works and what information of value might be available, he or she begins the process of scanning perimeter and internal network devices looking for weaknesses,......

Words: 797 - Pages: 4


NT 2580 Project Part 1

...NT 2580 Intro to Info Security Project part 1 December 8, 2015
Headquarters: Phoenix, AZ. Branch 1: Atlanta, GA. Branch 2: Chicago, IL. Branch 3: Cincinnati, OH.
User Domain
* Have employees sign confidential agreement
* Introduce an AUP (acceptable use policy)
* Have HR verify an employee’s identity with background checks
* Conduct security awareness training
* Enable content filtering and antivirus scanning
* Restrict access to only info needed to perform job
* Track and monitor abnormal behavior of employees
Workstation Domain
* Implement workstation log on ids and password
* HR must define proper access controls for workers based on jobs
* IT security must then assign access rights to systems, apps, and data
* IT director must ensure workstation conforms to policy
* Implement second level test to verify a user’s right to gain access
* Start periodic workstation domain vulnerability tests to find gaps
* Define workstation application software vulnerability window policy
* Use content filtering and antivirus scanning at internet entry and exit
* Mandate annual security awareness training
LAN Domain
* Setup of user LAN accounts with logon ID and password access controls
* Make sure wiring closets, data centers, and computer rooms are secure
* Define strict access control policies
* Implement second level identity check
* Define a strict software vulnerability window policy ...

Words: 1912 - Pages: 8

Testing and Monitoring Security Controls

...Log files would be the first place one would look to check for suspicious activity in the event of a crime. They can help you understand where something went wrong, creating a timeline of before and after the performance problem or incident. The way traffic moves through a network, especially when the computers are only used for certain things, creates baseline behavior. When something is out of place, such anomalies seem suspicious; but legitimate traffic could be used in illegitimate ways and legitimate traffic can at times seem illegitimate. By consistently monitoring the network, and observing all the possibilities, the anomalies of legitimate traffic won't seem that abnormal and one can focus on the real problems. Predictable passwords that meet minimum length requirements but remain easily guessable are a hazard that could affect a network with a weak password. If that is a problem, one should probably change the password every so often. It would be in everyone’s best interest if the password security level was increased, and that they would expire after a certain amount of time. Removable storage devices that might contain malware, filtered only when passing through the network, could be a problem, but this can be addressed by limiting the privileges of users, adapted to the duties assigned to the individual, and by making it clear that no removable storage devices are to be brought into the network under any circumstance unless necessary and properly screened first. If an unencrypted laptop......

Words: 313 - Pages: 2