NT2580 Unit 5 Testing and Monitoring Security Controls
Testing and Monitoring Security Controls
A few different types of security events and baseline anomalies that might indicate suspicious activity
Different traffic patterns or influx in bandwidth usage can be considered suspicous activity. Or sevices changing port usage, in turn creating variaitons in normal patterns. A sudden increase in overall traffic. This may just mean that your web site has been mentioned on a popular news site, or it may mean that someone is up to no good. A sudden jump in the number of bad or malformed packets. Some routers collect packet-level statistics; you can also use a software network scanner to track them.
Large numbers of packets caught by your router or firewall's egress filters. Recall that egress filters prevent spoofed packets from leaving your network, so if your filter is catching them you need to identify their source, because that's a clear sign that machines on your network has been compromised. Unscheduled reboots of server machines may sometimes indicate their compromise. You should be already be watching the event logs of your servers for failed logons and other security-related events.
Log Files contain complete records of all security events (logon events, resource access, attempted violations of policy, changes in system configuration or policies) and critical system events (service/daemon start/stop, errors generated, system warnings) that can allow a admin to quickly discover the root cause of any issues.
Predictable passwords could be an issue too. User passwords are probably one of the most vulnerable ways to have a security breach. It is mostly due to weak passwords. Weak passwords being a minimum or 8 characters and not requiring a number and/or a special character. Ensure you emplement “strickt” password complexity standards.
Limit unauthorized use of network resources by allowing access during businiess hours only. Do not allow remote access permitions to anyone, except those that
A few different types of security events and baseline anomalies that might indicate suspicious activity
Different traffic patterns or influx in bandwidth usage can be considered suspicous activity. Or sevices changing port usage, in turn creating variaitons in normal patterns. A sudden increase in overall traffic. This may just mean that your web site has been mentioned on a popular news site, or it may mean that someone is up to no good. A sudden jump in the number of bad or malformed packets. Some routers collect packet-level statistics; you can also use a software network scanner to track them.
Large numbers of packets caught by your router or firewall's egress filters. Recall that egress filters prevent spoofed packets from leaving your network, so if your filter is catching them you need to identify their source, because that's a clear sign that machines on your network has been compromised. Unscheduled reboots of server machines may sometimes indicate their compromise. You should be already be watching the event logs of your servers for failed logons and other security-related events.
Log Files contain complete records of all security events (logon events, resource access, attempted violations of policy, changes in system configuration or policies) and critical system events (service/daemon start/stop, errors generated, system warnings) that can allow a admin to quickly discover the root cause of any issues.
Predictable passwords could be an issue too. User passwords are probably one of the most vulnerable ways to have a security breach. It is mostly due to weak passwords. Weak passwords being a minimum or 8 characters and not requiring a number and/or a special character. Ensure you emplement “strickt” password complexity standards.
Limit unauthorized use of network resources by allowing access during businiess hours only. Do not allow remote access permitions to anyone, except those that