Testing and Monitoring Security Controls
Nt2580
04/23/2013
Unit 5 Assignment 1
Testing and Monitoring Security Controls
Testing and Monitoring Security Controls Different traffic patterns can be a red flag when it comes to identifying different types of suspicious activities. There are multiple ways traffic can change to point out the activities: First is an unexpected increase in overall traffic. This may just mean that your web site has been talk about on a popular news site, or it may mean that someone is up to no good. Another would be a sudden jump in the number of bad or malformed packets. Some routers collect packet-level statistics; you can also use a software network scanner like Observer or Network Monitor to track them. Also large numbers of packets caught by your router or firewall's egress filters. Remember that egress filters prevent spoofed packets from leaving your network, so if your filter is catching them you need to identify their source, because that's a clear sign that machines on your network have been compromised. Unscheduled reboots of server machines may sometimes signify that they are compromised as well. You should already be watching the event logs of your servers for failed logons and other security-related events. Log Files encompass complete records of all security events (logon events, resource access, attempted violations of policy, and changes in system configuration or policies) and critical system events (service/daemon start/stop, errors generated, system warnings) that can allow an administrator to quickly discover the root cause of any issues. When remote users do not have recent patches or updates, the system administrator should set up group policies such as, forcing updates to install right away. Rather than having the users restart the systems themselves, squandering the companies and users time, but at the same time safe guarding what goes in and out of the network. Removable storage drives introduce malware filtered only when crossing
04/23/2013
Unit 5 Assignment 1
Testing and Monitoring Security Controls
Testing and Monitoring Security Controls Different traffic patterns can be a red flag when it comes to identifying different types of suspicious activities. There are multiple ways traffic can change to point out the activities: First is an unexpected increase in overall traffic. This may just mean that your web site has been talk about on a popular news site, or it may mean that someone is up to no good. Another would be a sudden jump in the number of bad or malformed packets. Some routers collect packet-level statistics; you can also use a software network scanner like Observer or Network Monitor to track them. Also large numbers of packets caught by your router or firewall's egress filters. Remember that egress filters prevent spoofed packets from leaving your network, so if your filter is catching them you need to identify their source, because that's a clear sign that machines on your network have been compromised. Unscheduled reboots of server machines may sometimes signify that they are compromised as well. You should already be watching the event logs of your servers for failed logons and other security-related events. Log Files encompass complete records of all security events (logon events, resource access, attempted violations of policy, and changes in system configuration or policies) and critical system events (service/daemon start/stop, errors generated, system warnings) that can allow an administrator to quickly discover the root cause of any issues. When remote users do not have recent patches or updates, the system administrator should set up group policies such as, forcing updates to install right away. Rather than having the users restart the systems themselves, squandering the companies and users time, but at the same time safe guarding what goes in and out of the network. Removable storage drives introduce malware filtered only when crossing