NT2580 Unit 5 #1 Testing and Monitoring Security Controls- Bill Schnatz
A few different types of security events and baseline anomalies might indicate suspicious activity. Different traffic patterns or an increase in bandwidth usage can be considered suspicious activity, as can services changing the ports they use, which creates variations in the normal patterns. A sudden increase in overall traffic is another sign. This may just mean that your web site has been mentioned on a popular news site, or it may mean that someone is up to no good. A sudden jump in the number of bad or malformed packets is also a warning sign. Some routers collect packet-level statistics; you can also use a software network scanner to track them.
Large numbers of packets caught by your router's or firewall's egress filters are another indicator. Egress filters prevent spoofed packets from leaving your network, so if your filter is catching them you need to identify their source, because it is a clear sign that devices on your network have been compromised. Unscheduled reboots of server machines may also signify that they have been compromised. You should already be watching the event logs of your servers for failed logons and other security-related events.
Log files encompass complete records of all security events (logon events, resource access, attempted policy violations, and changes in system configuration or policies) and critical system events (service/daemon start/stop, errors generated, system warnings), which allow an administrator to quickly discover the root cause of any issue.
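As an added example (not part of the original assignment), the following Python script applies the indicators described above to constructed sample log lines: it counts egress-filter drops per internal source so the culprit can be identified, flags bursts of failed logons per host and user, and reports reboots that fall outside a maintenance window. The log format, field names, thresholds and the 22:00-23:59 maintenance window are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample log lines for this example (not from any real system): firewall
# egress-filter drops, failed logons and a reboot, in a simplified syslog-like format.
SAMPLE_LOGS = """\
2024-03-04T02:14:01 fw1 EGRESS-DROP src=10.0.5.23 dst=203.0.113.9 reason=spoofed-source
2024-03-04T02:14:02 fw1 EGRESS-DROP src=10.0.5.23 dst=203.0.113.9 reason=spoofed-source
2024-03-04T02:14:03 fw1 EGRESS-DROP src=10.0.5.23 dst=198.51.100.4 reason=spoofed-source
2024-03-04T02:14:05 fw1 EGRESS-DROP src=10.0.7.8 dst=203.0.113.9 reason=spoofed-source
2024-03-04T02:20:11 srv2 LOGON-FAIL user=admin src=10.0.9.40
2024-03-04T02:20:12 srv2 LOGON-FAIL user=admin src=10.0.9.40
2024-03-04T02:20:13 srv2 LOGON-FAIL user=admin src=10.0.9.40
2024-03-04T03:02:00 srv2 REBOOT reason=unexpected
2024-03-04T09:00:00 srv1 LOGON-FAIL user=bob src=10.0.9.41
"""

# Assumed line layout: timestamp  host  EVENT  key=value ...
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>\S+)\s*(?P<rest>.*)$")

def find_anomalies(log_text, egress_threshold=3, logon_threshold=3,
                   maintenance_hours=frozenset({22, 23})):
    """Baseline anomalies from the text, keyed by type: egress (internal sources whose
    spoofed packets the egress filter caught), logon ((host, user) pairs with a burst of
    failed logons) and reboot (hosts rebooted outside the assumed 22:00-23:59 window)."""
    egress, failed, reboots = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines that do not fit the format
        f = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
        if m["event"] == "EGRESS-DROP":
            egress[f.get("src")] += 1     # count per internal source to find the culprit
        elif m["event"] == "LOGON-FAIL":
            failed[(m["host"], f.get("user"))] += 1
        elif m["event"] == "REBOOT":
            hour = int(m["ts"][11:13])    # ISO-8601 timestamp: hour is at offset 11-12
            if hour not in maintenance_hours:
                reboots.append(m["host"])
    return {
        "egress": sorted(src for src, n in egress.items() if n >= egress_threshold),
        "logon": sorted(k for k, n in failed.items() if n >= logon_threshold),
        "reboot": reboots,
    }

if __name__ == "__main__":
    for kind, hits in find_anomalies(SAMPLE_LOGS).items():
        print(kind, hits)
```

On the sample above it flags 10.0.5.23 as the egress-filter culprit, the admin logon burst on srv2, and srv2's reboot at 03:02, while the single drop from 10.0.7.8 and the lone failed logon on srv1 stay below the thresholds.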
When remote users do not have recent patches or updates, the system administrator should set up group policies that force updates to install right away, rather than relying on the users to restart the systems themselves. This avoids squandering the company's and the users' time while still safeguarding what goes in and out of the network.
Removable storage drives can introduce malware that bypasses network filtering, since the malware never crosses the network. The system administrator should disable all USB ports on the clients and servers on the network. This will resolve the