What do the HTTP and HTTPS protocols do?
Hypertext Transfer Protocol (HTTP) and HTTP Secure (HTTPS) are two application layer protocols that manage the content requests from clients and the responses from the web server.
What is SMTP used for?
SMTP is used to send data between mail servers and to send data from a host to a mail server.
What are IMAP and POP3 used for?
IMAP and POP3 are used to download email messages from a mail server.
What is TOR?
A special browser is used to access the Tor network. This browser allows a user to browse the Internet anonymously.
What do applications like Sguil do?
Applications such as Snorby and Sguil can be used to read and search alert messages generated by NIDS/NIPS.
From what location should the file lsass.exe be located and run on a computer?
On Windows computers, security logging and security policy enforcement are carried out by the Local Security Authority Subsystem Service (LSASS), running as lsass.exe. It should be running from the Windows\System32 directory. If a file with this name, or with a camouflaged name such as 1sass.exe, is running from another directory, it could be malware.
What port does NTP use?
Why is it important to know what the port number is?
NTP uses UDP port number 123.
Threat actors could use port 123 on NTP systems in order to direct DDoS attacks through vulnerabilities in client or server software.
IMAP and POP3 are used to download email messages and can be responsible for bringing malware to the receiving host.
How does a TOR Browser work?
When data is being sent into the TOR network, the data is only encrypted by the sending client itself.
The next-hop information is encrypted and decrypted between the TOR relays on a hop-by-hop basis. In this way, no single device knows the entire path to the destination, and routing information is readable only by the device that requires it.
Finally, at the end of the Tor path, the traffic reaches its Internet destination. The client data is not encrypted by the TOR network; that encryption is the responsibility of the user.
What is session data?
Session data is a record of a conversation between two network endpoints.
How do you determine the severity value of a syslog message based on PRI value?
The priority (PRI) value consists of two elements, the facility and severity of the message. It is calculated by multiplying the facility value by 8, and then adding the severity value, that is, priority = (facility * 8) + severity. To find the severity value from a given PRI, divide the PRI by 8 and the remainder is the severity value.
What is DNS and how could it be used by threat actors?
Domain Name Service (DNS) is used to convert domain names into IP addresses.
The DNS protocol could be used by malware to communicate with a command-and-control server if the organization has less stringent policies in place to protect against DNS-based threats.
Why does network security monitoring become harder when using HTTPS?
HTTPS adds extra overhead to the HTTP packet. HTTPS encrypts using Secure Sockets Layer (SSL).
Even though some devices can perform SSL decryption and inspection, this can present processing and privacy issues.
HTTPS adds complexity to packet captures because of the additional messages involved in establishing an encrypted data connection.
What does NetFlow do?
NetFlow technology is deployed in the Metrics Collection module of a Cisco AVC system to collect network flow metrics and to export to management tools.
What is statistical data?
Like session data, statistical data is about network traffic. Statistical data is created through the analysis of other forms of network data.
How does NTP indicate there is a problem in the timestamp of the HEADER of a syslog message?
If the timestamp is preceded by the period (.) or asterisk (*) symbols, a problem is indicated with NTP.
How can ICMP be a security threat?
ICMP can be used as a conduit for DoS attacks.
It can also be used to collect information about a network, such as identifying hosts and network structure and determining the operating systems in use on the network.
What is FirePOWER?
Cisco Next-Generation IPS devices (NGIPS) use FirePOWER Services to consolidate multiple security layers into a single platform, which helps to contain costs and simplify management.
A web proxy device can inspect outgoing traffic as means of data loss prevention (DLP). DLP involves scanning outgoing traffic to detect whether the data that is leaving the enterprise network contains sensitive, confidential, or secret information.
How do NBA and NBAD work?
Network behavior analysis (NBA) and network behavior anomaly detection (NBAD) are approaches to network security monitoring that use advanced analytical techniques to analyze NetFlow or IPFIX network telemetry data.
What do security logs record on Windows computers?
On a Windows host, security logs record events related to security, such as login attempts and operations related to file or object management and access.
How do you stop cyber attacks that use DNS?
DNS queries for randomly generated domain names or extremely long random-appearing DNS subdomains should be considered suspicious. Cyberanalysts could do the following for DNS-based attacks:
How does Syslog display logged entries?
Syslog clients send log entries to a syslog server. The syslog server concentrates and stores log entries. Log entries are categorized by seven severity levels:
emergencies (0), alerts (1), critical (2), errors (3), warnings (4), notifications (5), informational (6), and debugging (7).
What does NetFlow do?
NetFlow efficiently provides an important set of services for IP applications including network traffic accounting, usage-based network billing, network planning, security, denial of service monitoring capabilities, and network monitoring. NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing.