CCNA CyberOps Chapter 11 Exam Online

Hypertext Transfer Protocol (HTTP) and HTTP Secure (HTTPS) are two application layer protocols that manage the content requests from clients and the responses from the web server. HTML (Hypertext Mark-up Language) is the encoding language that describes the content and display features of a web page. DNS is for domain name to IP address resolution. DHCP manages and provides dynamic IP configurations to clients.

NTP uses UDP port number 123. Threat actors could use port 123 on NTP systems in order to direct DDoS attacks through vulnerabilities in client or server software.

Domain Name Service (DNS) is used to convert domain names into IP addresses. Some organizations have less stringent policies in place to protect against DNS-based threats than they have in place for other exploits.

ICMP can be used as a conduit for DoS attacks. It can be used to collect information about a network such as the identification of hosts and network structure, and by determining the operating systems being used on the network.

DNS queries for randomly generated domain names or extremely long random-appearing DNS subdomains should be considered suspicious. Cyberanalysts could do the following for DNS-based attacks:Analyze DNS logs.
Use a passive DNS service to block requests to suspected CnC and exploit domains.

SMTP is used to send data between mail servers and to send data from a host to a mail server. The other two protocols that can be used for email are IMAP and POP3. IMAP and POP3 are used to download email messages from a mail server.

IMAP, SMTP, and POP3 are email protocols. SMTP is used to send data from a host to a server or to send data between servers. IMAP and POP3 are used to download email messages and can be responsible for bringing malware to the receiving host.

HTTPS adds extra overhead to the HTTP-formed packet. HTTPS encrypts using secure socket layer (SSL). Even though some devices can perform SSL decryption and inspection, this can present processing and privacy issues. HTTPS adds complexity to packet captures due to the additional message involved in establishing an encrypted data connection.

When data is being sent into the TOR network, the data is only encrypted by the sending client itself. The next-hop information is encrypted and decrypted between the TOR relays on a hop-by-hop basis. In this way, no single device knows the entire path to the destination, and routing information is readable only by the device that requires it. Finally, at the end of the Tor path, the traffic reaches its Internet destination. The client data is not encrypted by the TOR network; that encryption is the responsibility of the user.

A special browser is used to access the Tor network. This browser allows a user to browse the Internet anonymously.

Applications such as Snorby and Sguil can be used to read and search alert messages generated by NIDS/NIPS.

Session data is a record of a conversation between two network endpoints.

Like session data, statistical data is about network traffic. Statistical data is created through the analysis of other forms of network data.

Network behavior analysis (NBA) and network behavior anomaly detection (NBAD) are approaches to network security monitoring that use advanced analytical techniques to analyze NetFlow or IPFIX network telemetry data.

On Windows computers, security logging and security policies enforcement are carried out by the Local Security Authority Subsystem Service (LSASS), running as lsass.exe. It should be running from the Windows\System32 directory. If a file with this name, or a camouflaged name, such as 1sass.exe, is running or running from another directory, it could be malware.

The priority (PRI) value consists of two elements, the facility and severity of the message. It is calculated by multiplying the facility value by 8, and then adding the severity value, that is, priority = (facility * 8) + severity. To find the severity value from a given PRI, divide the PRI by 8 and the remainder is the severity value.

The sixth field of the Apache access log message is the three-digital numeric status code. Codes that begin with a 2 represent success. Codes that begin with a 3 represent redirection. Codes that begin with a 4 represent client errors. Codes that begin with a 5 represent server errors.

The HEADER section of the message contains the timestamp. If the timestamp is preceded by the period (.) or asterisk (*) symbols, a problem is indicated with NTP.

On a Windows host, security logs record events related to security, such as login attempts and operations related to file or object management and access.

On a Windows host, setup logs record information about the installation of software, including Windows updates.

NetFlow efficiently provides an important set of services for IP applications including network traffic accounting, usage-based network billing, network planning, security, denial of service monitoring capabilities, and network monitoring. NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing.

NetFlow technology is deployed in the Metrics Collection module of a Cisco AVC system to collect network flow metrics and to export to management tools.

A web proxy device can inspect outgoing traffic as means of data loss prevention (DLP). DLP involves scanning outgoing traffic to detect whether the data that is leaving the enterprise network contains sensitive, confidential, or secret information.

Cisco Next-Generation IPS devices (NGIPS) use FirePOWER Services to consolidate multiple security layers into a single platform, which helps to contain costs and simplify management. Apache Traffic Server, Squid, and WinGate are examples of web proxies.

Syslog clients send log entries to a syslog server. The syslog server concentrates and stores log entries. Log entries are categorized by seven severity levels:
emergencies (0), alerts (1), critical (2), errors (3), warnings (4), notifications (5), informational (6), and debugging (7).

The syslog standard is used for logging event messages from network devices. Syslog messages are sent from the device to a logging server. Apache web server access logs are an important source of information for a cybersecurity analyst in order to see who accessed the server, the IP address used, date/time of access, and URL used.

A daemon in Linux is a background process that runs without the need for user interaction. A network administrator can view log files in order to see information about daemons running on the Linux server.

Discretionary access control allows users to control access to their data as owners of that data. ACLs may also be used in order to specify which users or groups have access to the data.

Based on the ex3 file system, an ext4 partition includes extensions that improve performance and an increase in the of supported files. An ext4 partition also supports journaling, a file system feature that minimizes the risk of file system corruption if power is suddenly lost to the system.