Network endpoints and network devices have different security considerations and implications. A user workstation implies certain security issues that remain in the User Domain while network implications remain part of the LAN or LAN-to-WAN Domain. However, during the course of investigating an intrusion, you may have to source data from logs kept in routing devices and end-user systems.

Suppose an attacker intrudes upon one of your servers. How do you reconstruct the events of a crime? Log files are the first place to check for administrative issues and security activity. Log files help you put together a timeline of events surrounding everything from a performance problem to a security incident.

You can also identify bad system or network activities by observing anomalies from baseline behavior or identifying certain suspicious actions. Testing ensures that your control and monitoring facilities work as intended and maintain proper operation. Monitoring ensures that you capture evidence when your testing procedures fail to examine all possibilities or legitimate behavior permits unauthorized activity.

1. Identify at least two types of security events and baseline anomalies that might indicate suspicious activity.

Always consider that even legitimate traffic can be used in illegitimate ways, and sometimes, legitimate traffic can appear illegitimate. Protected services can be attacked from the inside or accessed externally through loopholes in firewall rules. Vulnerabilities may remain unidentified by intrusion detection system (IDS) or intrusion prevention system (IPS) signatures and evade detection. Monitoring helps you capture pieces of the puzzle that creates a timeline of events.

Think on the following lines to answer this assignment:

How do you obtain a baseline of system or network behavior?

What is an anomaly in relation to baseline behavior?

Why might certain anomalies be worth investigating?

How can traffic have patterns that signify known attacks?

What do log files help you learn that filtering systems overlook?

Why can legitimate traffic sometimes seem suspicious?

Policy violations and security breaches take many forms, and not all of them are obvious. You might have a policy that specifies a certain minimum password length but fails to enforce proper complexity allowing passwords to be easily guessed

Given the following list of end-user policy violations and security breaches, select three and identify strategies to control

and monitor each event to mitigate risk and minimize exposure.

A user made unauthorized use of network resources by attacking network entities.

Open network drive shares allow storage privileges to outside users.

Sensitive laptop data is unencrypted and susceptible to physical theft.

Remote users do not have recent patches or current updates.

Legitimate traffic bearing a malicious payload exploits network services.

An invalid protocol header disrupts a critical network service.

Removable storage drives introduce malware filtered only when crossing the network.

Predictable passwords meet minimum length requirements but remain easily guessable.

Bad router permissions allow attackers to modify configurations or disrupt traffic.