A.2.5 Pro Domain 5: Audit and Security Assessment
You are the IT security administrator for a small corporate network. You need to enable logging on the switch in the networking closet.

In this lab, your task is to:

- Enable Logging and the Syslog Aggregator.
- Configure RAM Memory Logging as follows:
  Emergency, Alert, and Critical: Enable
  Error, Warning, Notice, Informational, and Debug: Disable
- Configure Flash Memory Logging as follows:
  Emergency and Alert: Enable
  Critical, Error, Warning, Notice, Informational, and Debug: Disable
- Copy the running configuration file to the startup configuration file using the following settings:
  Source File Name: Running configuration
  Destination File Name: Startup configuration
Complete this lab as follows:

1. Access the Log Settings for the switch.
   a. From the left menu, expand Administration > System Log.
   b. Select Log Settings.
2. Enable Logging and Syslog Aggregator.
   a. For Logging, mark Enable.
   b. For Syslog Aggregator, mark Enable.
3. Configure RAM and Flash memory logging.
   a. Under RAM Memory Logging, mark Emergency, Alert, and Critical; clear Error, Warning, Notice, Informational, and Debug.
   b. Under Flash Memory Logging, mark Emergency and Alert; clear Critical, Error, Warning, Notice, Informational, and Debug.
   c. Select Apply.
4. From the top menu bar, select Save.
5. Under Copy/Save Configuration, select Apply.
6. Select OK.
7. Select Done.
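The RAM and flash settings above are severity thresholds: each destination keeps only messages at or above a chosen severity, and flash (which survives a reboot) is kept stricter than RAM so it is not filled with routine noise. The following added example, which is not part of the lab or the switch firmware, applies the same two thresholds to a handful of constructed syslog lines. It parses the RFC 5424 `<PRI>` prefix (PRI = facility * 8 + severity) to recover each message's severity and shows which lines each destination would retain; the switch name `sw1`, the message texts, and the `LOG_POLICY` and `route` names are assumptions of the example.

```python
"""Route syslog messages the way the lab's switch logging policy does.

Added example, not part of the lab. RAM memory logging keeps Emergency, Alert
and Critical (severities 0-2); flash memory logging keeps only Emergency and
Alert (0-1). The sample messages are constructed; the <PRI> prefix follows
RFC 5424, where PRI = facility * 8 + severity.
"""
import re

# Syslog severity codes; lower numbers are more severe.
SEVERITIES = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "informational": 6, "debug": 7,
}

# The lab's policy: which severities each log destination records.
LOG_POLICY = {
    "ram": {"emergency", "alert", "critical"},
    "flash": {"emergency", "alert"},
}

PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line):
    """Return (facility, severity) from the leading <PRI> field of a syslog line."""
    match = PRI_RE.match(line)
    if not match:
        raise ValueError("missing <PRI> header: %r" % line)
    pri = int(match.group(1))
    if pri > 191:  # highest legal value: facility 23, severity 7
        raise ValueError("PRI out of range: %d" % pri)
    return divmod(pri, 8)


def severity_name(code):
    """Map a numeric severity back to its name, e.g. 2 -> 'critical'."""
    for name, value in SEVERITIES.items():
        if value == code:
            return name
    raise ValueError("unknown severity %r" % code)


def route(lines, policy=LOG_POLICY):
    """Return {destination: [lines that destination keeps]} under the policy."""
    allowed = {dest: {SEVERITIES[n] for n in names} for dest, names in policy.items()}
    kept = {dest: [] for dest in policy}
    for line in lines:
        _, severity = parse_pri(line)
        for dest, codes in allowed.items():
            if severity in codes:
                kept[dest].append(line)
    return kept


# Constructed sample messages from facility 0 (kernel) and 1 (user), severities 0-7.
SAMPLE_LOG = [
    "<0>Jan 10 12:00:01 sw1 %SYS-0-POWER: power supply failure, shutting down",
    "<9>Jan 10 12:00:02 sw1 %AAA-1-CONFIG: running-config changed by unknown user",
    "<2>Jan 10 12:00:03 sw1 %PORT-2-LOOP: spanning-tree loop detected on Gi1/0/12",
    "<11>Jan 10 12:00:04 sw1 %SNMP-3-AUTHFAIL: bad community string from 203.0.113.7",
    "<6>Jan 10 12:00:05 sw1 %LINK-6-UPDOWN: interface Gi1/0/3 changed state to up",
    "<15>Jan 10 12:00:06 sw1 %SYS-7-DEBUG: scheduler tick",
]

if __name__ == "__main__":
    for dest, lines in route(SAMPLE_LOG).items():
        print("%s keeps %d of %d messages" % (dest, len(lines), len(SAMPLE_LOG)))
        for line in lines:
            print("   ", severity_name(parse_pri(line)[1]), line)
```

With the sample input, RAM retains the first three messages and flash only the first two; the Error, Informational and Debug lines are dropped by both, which is exactly the trade-off the lab's checkbox matrix expresses.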
You work as the IT security administrator for a small corporate network in the United States of America. The name of your site is www.corpnet.xyz. The company president has received several questionable emails that he is concerned may be malicious attacks on the company. He has asked you to determine whether the emails are hazardous and to handle them accordingly.

In this lab, your task is to:

- Read each email and determine whether it is legitimate.
- Delete any emails that are attempts at social engineering.
- Keep emails that are safe.

Hold your mouse over the embedded links to see the actual URL in the status bar at the bottom of the screen.
Complete this lab as follows:

1. From the Inbox of the WebEmail interface, highlight an email.
2. Read and explore the email and determine whether it is legitimate. This includes using your mouse to hover over suspicious attachments and links.
3. Take the appropriate action for each email:
   a. If the email is an attempt at social engineering, from the menu bar, select Delete.
   b. If the email is safe, do nothing.
4. Repeat steps 1 through 3 for each email.

The following table lists the actions you should take for each email.

Email: Microsoft Windows Update Center, "New Service Pack"
Diagnosis: Phishing
Action: Delete
Explanation: This email has various spelling errors. The link does not direct you to a Microsoft website.

Email: Joe Davis, "Re: Lunch Today?"
Diagnosis: Malicious Attachment
Action: Delete
Explanation: This email appears to be from a colleague; however, why would he fail to respond to your lunch question and send you a random attachment in return?

Email: Executive Recruiting, "Executive Jobs"
Diagnosis: Whaling
Action: Delete
Explanation: Whaling uses tailored information to attack executives. Clicking the link could install malware that would capture sensitive company information. The link is pointing to a site in Germany (.de). It is suspicious that this organization would recruit executives from the USA.

Email: Human Resources, "Ethics Video"
Diagnosis: Safe
Action: Keep
Explanation: While this email has an embedded link, it is digitally signed, as indicated by the green shield and checkmark. Therefore, you know it actually comes from your Human Resources department. When you hover over the link, you see that it is a secure link to the corporate web server.

Email: Online Banking Department, "Payment Pending"
Diagnosis: Phishing
Action: Delete
Explanation: This is a carefully crafted attempt to get your bank account information. Hover over the link and notice that it does not direct you to your credit union website, but to an unknown IP address. It is also very unlikely that a bank would delete your account for not verifying your information.

Email: Grandma Jacklin, "FW: FW: FW: Virus Attack Warning"
Diagnosis: Hoax
Action: Delete
Explanation: Any email that asks you to forward it to everyone you know is probably a hoax. This email also contains very bad grammar.

Email: Emily Smith, "Web Site Update"
Diagnosis: Spear Phishing
Action: Delete
Explanation: While this email appears to come from a colleague, notice that the link points to an executable file from a Russian domain name (.ru). A report file is more likely to have an extension of .pdf, .docx, .xlsx, or .txt. This probably is not a message a real colleague would send. This file will likely infect the computer with malware.

Email: Sara Goodwin, "Wow!!"
Diagnosis: Malicious Attachment
Action: Delete
Explanation: Emails with attachments from unknown people who address you as "Dear Friend" are probably not safe.

Email: Grandma Jacklin, "Free Airline Tickets"
Diagnosis: Hoax
Action: Delete
Explanation: Any email that asks you to forward it to everyone you know is probably a hoax, even if the contents promise you a prize. In addition, there is no way to know how many people the email has been forwarded to. Likewise, it is very unlikely that an airline would give away that many free tickets.

Email: Human Resources, "IMPORTANT NOTICE-Action Required"
Diagnosis: Safe
Action: Keep
Explanation: While this email appears very urgent, it doesn't ask you to click on anything or run any attachments. It does inform you that you need to go to a website that you should already know and make sure your courses are complete.

Email: Activities Committee, "Pumpkin Contest"
Diagnosis: Safe
Action: Keep
Explanation: This email doesn't ask you to click on anything or run any attachments.

Email: Robert Williams, "Presentation"
Diagnosis: Safe
Action: Keep
Explanation: This email doesn't ask you to click on anything or run any attachments.
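The explanations in the table all rest on a few checks that can be stated mechanically: where a link really goes versus what it displays, whether it leaves the corporate domain or points at a bare IP address, whether an attachment or download is an executable rather than a document, and whether the message is a chain letter. The added example below, which is not part of the lab or the WebEmail interface, encodes those checks over constructed messages modelled on the table's rows. `corpnet.xyz` is the lab's own domain; every address, host, file name, the `signed` flag, and the `triage` and `check_link` function names are assumptions of the example, and the "Suspicious / Review" outcome for an unsigned internal message with links is the example's own addition beyond the table's Delete/Keep pair.

```python
"""Heuristic triage of the message types described in the lab's table.

Added example, not part of the lab. The rules approximate the table's
reasoning; corpnet.xyz is the lab's domain, everything else is constructed.
"""
import ipaddress
import re
from urllib.parse import urlparse

CORP_DOMAIN = "corpnet.xyz"
SAFE_DOC_EXT = (".pdf", ".docx", ".xlsx", ".txt")   # attachment types the table calls plausible
EXEC_EXT = (".exe", ".scr", ".bat", ".js", ".vbs", ".msi")
HOAX_RE = re.compile(r"forward (this|it) to everyone", re.IGNORECASE)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_corporate(host):
    return host == CORP_DOMAIN or host.endswith("." + CORP_DOMAIN)


def check_link(text, href):
    """Return the reasons a (display text, real URL) pair is suspicious; [] if none."""
    reasons = []
    host = host_of(href)
    if is_ip(host):
        reasons.append("link points at a raw IP address: %s" % host)
    elif not is_corporate(host):
        reasons.append("link leaves the corporate domain: %s" % host)
    elif urlparse(href).scheme != "https":
        reasons.append("corporate link is not https: %s" % href)
    if urlparse(href).path.lower().endswith(EXEC_EXT):
        reasons.append("link downloads an executable: %s" % href)
    shown = host_of(text) if "://" in text else ""   # display text that looks like a URL
    if shown and shown != host:
        reasons.append("displayed %s but points to %s" % (shown, host))
    return reasons


def triage(mail):
    """Return (diagnosis, action, reasons) for one constructed message dict."""
    internal = is_corporate(mail["from"].rsplit("@", 1)[-1].lower())
    bad_files = [n for n in mail.get("attachments", []) if not n.lower().endswith(SAFE_DOC_EXT)]
    if bad_files:
        return "Malicious Attachment", "Delete", ["unexpected attachment: %s" % n for n in bad_files]
    if HOAX_RE.search(mail.get("body", "")):
        return "Hoax", "Delete", ["asks to be forwarded to everyone you know"]
    reasons = []
    for text, href in mail.get("links", []):
        reasons += check_link(text, href)
    if reasons:
        # A bad link from an apparently internal sender is targeted: spear phishing.
        return ("Spear Phishing" if internal else "Phishing"), "Delete", reasons
    if mail.get("links") and not mail.get("signed"):
        return "Suspicious", "Review", ["unsigned message carries links; confirm with the sender"]
    return "Safe", "Keep", ["signed or link-free; nothing to click or run"]


# Constructed messages modelled on the table's rows (all hosts and names are made up).
SAMPLE_MAIL = [
    {"from": "noreply@update-center.example", "subject": "New Service Pack",
     "links": [("http://windowsupdate.microsoft.com/sp", "http://update-center.example/sp")]},
    {"from": "joe.davis@corpnet.xyz", "subject": "Re: Lunch Today?", "attachments": ["lunch.scr"]},
    {"from": "hr@corpnet.xyz", "subject": "Ethics Video", "signed": True,
     "links": [("Watch the video", "https://intranet.corpnet.xyz/ethics")]},
    {"from": "alerts@onlinebanking.example", "subject": "Payment Pending",
     "links": [("Verify your account", "http://203.0.113.10/verify")]},
    {"from": "grandma@mail.example", "subject": "FW: FW: FW: Virus Attack Warning",
     "body": "Please forward this to everyone you know!!!"},
    {"from": "emily.smith@corpnet.xyz", "subject": "Web Site Update",
     "links": [("Site report", "http://site-reports.example.ru/report.exe")]},
    {"from": "activities@corpnet.xyz", "subject": "Pumpkin Contest", "body": "Bring your pumpkin Friday."},
]

if __name__ == "__main__":
    for mail in SAMPLE_MAIL:
        diagnosis, action, reasons = triage(mail)
        print("%-36s %-20s %-7s %s" % (mail["subject"], diagnosis, action, "; ".join(reasons)))
```

The order of the rules matters: an executable attachment is judged before the links are examined, because the table treats a stray `.scr` from a colleague as a malicious attachment regardless of what else the message contains, and the hoax pattern is checked before links so a chain letter is not mislabelled as phishing just because it also carries a link.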
You work as the IT security administrator for a small corporate network. In an effort to protect your network against security threats and hackers, you have added Snort to pfSense. With Snort already installed, you need to configure rules and settings and then assign Snort to the desired interface.

In this lab, your task is to use pfSense's Snort to complete the following:

- Sign into pfSense using the following:
  Username: admin
  Password: P@ssw0rd (zero)
- Enable the downloading of the following:
  Snort free registered User rules
  Oinkmaster Code: 359d00c0e75a37a4dbd70757745c5c5dg85aa
  Snort GPLv2 Community rules
  Emerging Threats Open rules
  Sourcefire OpenAppID detectors
  APPID Open rules
- Configure rule updates to happen once a day at 1:00 a.m.
- Hide any deprecated rules.
- Block offending hosts for 1 hour.
- Send all alerts to the system log when Snort starts and stops.
- Assign Snort to the WAN interface using a description of WANSnort. Include:
  Sending alerts to the system log
  Automatically blocking hosts that generate a Snort alert
- Start Snort on the WAN interface.
Complete this lab as follows:

1. Sign into the pfSense management console.
   a. In the Username field, enter admin.
   b. In the Password field, enter P@ssw0rd (zero).
   c. Select SIGN IN or press Enter.
2. Access the Snort Global Settings.
   a. From the pfSense menu bar, select Services > Snort.
   b. Under the Services breadcrumb, select Global Settings.
3. Configure the required rules to be downloaded.
   a. Select Enable Snort VRT.
   b. In the Snort Oinkmaster Code field, enter 359d00c0e75a37a4dbd70757745c5c5dg85aa. You can copy and paste this from the scenario.
   c. Select Enable Snort GPLv2.
   d. Select Enable ET Open.
4. Configure the Sourcefire OpenAppID Detectors to be downloaded.
   a. Under Sourcefire OpenAppID Detectors, select Enable OpenAppID.
   b. Select Enable RULES OpenAppID.
5. Configure when and how often the rules will be updated.
   a. Under Rules Update Settings, use the Update Interval drop-down menu to select 1 Day.
   b. For Update Start Time, change to 01:00.
   c. Select Hide Deprecated Rules Categories.
6. Configure Snort General Settings.
   a. Under General Settings, use the Remove Blocked Hosts Interval drop-down menu to select 1 HOUR.
   b. Select Startup/Shutdown Logging.
   c. Select Save.
7. Configure the Snort Interface settings for the WAN interface.
   a. Under the Services breadcrumb, select Snort Interfaces and then select Add.
   b. Under General Settings, make sure Enable interface is selected.
   c. For Interface, use the drop-down menu to select WAN (PFSense port 1).
   d. For Description, use WANSnort.
   e. Under Alert Settings, select Send Alerts to System Log.
   f. Select Block Offenders.
   g. Scroll to the bottom and select Save.
8. Start Snort on the WAN interface.
   a. Under the Snort Status column, select the arrow.
   b. Wait for a checkmark to appear, indicating that Snort was started successfully.
You work as the IT security administrator for a small corporate network. As part of an ongoing program to improve security, you want to implement an audit policy for all workstations. You plan to audit user logon attempts and other critical events.

In this lab, your task is to configure the following audit policy settings in WorkstationGPO:

Local Policies (Setting = Value)
  Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings = Enabled
  Audit: Shut down system immediately if unable to log security audits = Enabled

Event Log (Setting = Value)
  Retention method for security log = Define: Do not overwrite events (clear log manually)

Advanced Audit Policy Configuration (Setting = Value)
  Account Logon: Audit Credential Validation = Success and Failure
  Account Management: Audit User Account Management = Success and Failure
  Account Management: Audit Security Group Management = Success and Failure
  Account Management: Audit Other Account Management Events = Success and Failure
  Account Management: Audit Computer Account Management = Success
  Detailed Tracking: Audit Process Creation = Success
  Logon/Logoff: Audit Logon = Success and Failure
  Logon/Logoff: Audit Logoff = Success
  Policy Change: Audit Authentication Policy Change = Success
  Policy Change: Audit Audit Policy Change = Success and Failure
  Privilege Use: Audit Sensitive Privilege Use = Success and Failure
  System: Audit System Integrity = Success and Failure
  System: Audit Security System Extension = Success and Failure
  System: Audit Security State Change = Success and Failure
  System: Audit IPsec Driver = Success and Failure

Do not use the old audit policies located in Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policies.
Complete this lab as follows:

1. Using Group Policy Management, access CorpNet.local's Group Policy Objects > WorkstationGPO.
   a. From Server Manager's menu bar, select Tools > Group Policy Management.
   b. Expand Forest: CorpNet.local > Domains > CorpNet.local > Group Policy Objects.
   c. Maximize the windows for better viewing.
2. Access the WorkstationGPO's Security Settings Local Policies.
   a. Right-click WorkstationGPO and select Edit.
   b. Maximize the windows for better viewing.
   c. Under Computer Configuration, expand Policies > Windows Settings > Security Settings > Local Policies.
3. Modify Local Policies.
   a. Select Security Options.
   b. From the right pane, double-click the policy you want to edit.
   c. Select Define this policy setting.
   d. Select the policy settings as required.
   e. Select OK.
   f. Select Yes to confirm changes as necessary.
   g. Repeat steps 3b - 3f for additional policy settings.
4. Modify the Event Log.
   a. From the left pane, select Event Log.
   b. From the right pane, double-click the policy you want to edit.
   c. Select Define this policy setting.
   d. Select the policy settings as required.
   e. Select OK.
5. Modify Advanced Audit Policy Configuration.
   a. From the left pane, expand Advanced Audit Policy Configuration > Audit Policies.
   b. Select the audit policy category.
   c. From the right pane, double-click the policy you want to edit.
   d. Select Configure the following audit events.
   e. Select the policy settings as required.
   f. Select OK.
   g. Repeat steps 5b-5f for additional policy settings.
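Setting the subcategories in the GPO is only half the job; the effective policy on each workstation is what the security log actually records, and the "Force audit policy subcategory settings" option exists precisely so the legacy category policies cannot silently override it. The added example below, which is not part of the lab, compares the lab's required subcategory table with a report in the CSV shape that `auditpol /get /category:* /r` prints on a workstation. The CSV here is a constructed stand-in (machine name `WS01`, placeholder text in the GUID column, two deliberate deviations), and the `REQUIRED` table, the `parse_auditpol_csv` and `compare` names and the "missing / weaker / broader" verdicts are the example's own assumptions.

```python
"""Check a workstation's effective audit policy against the lab's required settings.

Added example, not part of the lab. REQUIRED is the lab's Advanced Audit Policy
Configuration table keyed by auditpol subcategory name. SAMPLE_AUDITPOL_CSV is a
constructed stand-in for the output of `auditpol /get /category:* /r`; the GUID
column holds placeholders, not real subcategory GUIDs.
"""
import csv
import io

REQUIRED = {
    "Credential Validation": "Success and Failure",
    "User Account Management": "Success and Failure",
    "Security Group Management": "Success and Failure",
    "Other Account Management Events": "Success and Failure",
    "Computer Account Management": "Success",
    "Process Creation": "Success",
    "Logon": "Success and Failure",
    "Logoff": "Success",
    "Authentication Policy Change": "Success",
    "Audit Policy Change": "Success and Failure",
    "Sensitive Privilege Use": "Success and Failure",
    "System Integrity": "Success and Failure",
    "Security System Extension": "Success and Failure",
    "Security State Change": "Success and Failure",
    "IPsec Driver": "Success and Failure",
}

# Constructed report: Logon and IPsec Driver deliberately fall short of the policy.
SAMPLE_AUDITPOL_CSV = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
WS01,System,Credential Validation,{PLACEHOLDER-GUID-01},Success and Failure,
WS01,System,Kerberos Authentication Service,{PLACEHOLDER-GUID-02},No Auditing,
WS01,System,User Account Management,{PLACEHOLDER-GUID-03},Success and Failure,
WS01,System,Security Group Management,{PLACEHOLDER-GUID-04},Success and Failure,
WS01,System,Other Account Management Events,{PLACEHOLDER-GUID-05},Success and Failure,
WS01,System,Computer Account Management,{PLACEHOLDER-GUID-06},Success,
WS01,System,Process Creation,{PLACEHOLDER-GUID-07},Success,
WS01,System,Logon,{PLACEHOLDER-GUID-08},Success,
WS01,System,Logoff,{PLACEHOLDER-GUID-09},Success,
WS01,System,Authentication Policy Change,{PLACEHOLDER-GUID-10},Success,
WS01,System,Audit Policy Change,{PLACEHOLDER-GUID-11},Success and Failure,
WS01,System,Sensitive Privilege Use,{PLACEHOLDER-GUID-12},Success and Failure,
WS01,System,System Integrity,{PLACEHOLDER-GUID-13},Success and Failure,
WS01,System,Security System Extension,{PLACEHOLDER-GUID-14},Success and Failure,
WS01,System,Security State Change,{PLACEHOLDER-GUID-15},Success and Failure,
WS01,System,IPsec Driver,{PLACEHOLDER-GUID-16},No Auditing,
"""


def parse_auditpol_csv(text):
    """Return {subcategory: inclusion setting} from auditpol's CSV (/r) output."""
    reader = csv.DictReader(io.StringIO(text.strip()))
    return {row["Subcategory"].strip(): row["Inclusion Setting"].strip() for row in reader}


def audits(setting, outcome):
    """True if an inclusion setting such as 'Success and Failure' covers the outcome."""
    return outcome in setting.split(" and ")


def compare(required, actual):
    """Return {subcategory: (expected, found, verdict)} for each requirement not met exactly.

    verdict is 'missing' when the subcategory is absent from the report, 'weaker'
    when a required outcome is not audited, and 'broader' when the workstation
    audits more outcomes than the policy asks for.
    """
    findings = {}
    for sub, expected in required.items():
        found = actual.get(sub)
        if found is None:
            findings[sub] = (expected, "(not reported)", "missing")
        elif found != expected:
            weaker = any(audits(expected, o) and not audits(found, o) for o in ("Success", "Failure"))
            findings[sub] = (expected, found, "weaker" if weaker else "broader")
    return findings


if __name__ == "__main__":
    for sub, (expected, found, verdict) in compare(REQUIRED, parse_auditpol_csv(SAMPLE_AUDITPOL_CSV)).items():
        print("%-32s expected %-20s found %-20s %s" % (sub, expected, found, verdict))
```

A "weaker" finding is the one that matters for the lab's goal, since it means logon failures or driver events the policy was meant to capture are not reaching the security log; a "broader" finding is a volume concern rather than a coverage gap.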