IT Questions and Answers :)

Monday, December 30, 2019

An admin is investigating an unusual amount of traffic originating from a 2016 Server to the internet. The first event log was ID 1102. The outbound traffic is traversing over ports commonly associated with DNS. These symptoms are known as what?

  • Vulnerability
  • Threat
  • Risk
  • Indicator of Compromise (IoC)

EXPLANATION

Yet another event type worth monitoring is event log clearing. Event ID 104 in the System log shows that the System log was cleared, and event ID 1102 in the Audit log shows the same for that log. But does clearing the Application log put nothing in the Application event log?

Although clearing the Application log does not produce a log-clear entry in the Application log itself, it does write an entry to the System log, as mentioned above. Is clearing event logs a normal activity? Granted, the act is not always malicious, but it is non-standard enough that it warrants closer examination. When log clears occur together with other events, they are clearly a convenient way to cover one's tracks after creating services, changing firewall rules, and so on. In some cases, if a system is operating on an island without log forwarding or any other outside communication, this single event might be your only indication of a much larger issue. But wait... There are several ways to clear out the log files. Let us examine several of them to see how they work and ensure our monitoring will detect them. Obviously the Windows native method of clearing event logs (Figure 9) generates the event IDs we are looking for above: event ID 104 is created just as expected when clearing out the System log.
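The question pairs a log-clear event (ID 1102) with unusual outbound traffic on DNS ports; the following added example (not part of the original post) shows how a monitoring script could flag the log-clear events described above and correlate them with heavy DNS-port traffic from the same host. The event and flow records, the host names and the byte threshold are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample Windows event records: channel, event ID, time, host.
EVENTS = [
    {"host": "SRV16", "channel": "Security", "event_id": 4624, "time": "2019-12-30T08:00:00"},
    {"host": "SRV16", "channel": "Security", "event_id": 1102, "time": "2019-12-30T08:05:00"},
    {"host": "SRV16", "channel": "System",   "event_id": 104,  "time": "2019-12-30T08:05:10"},
    {"host": "WS01",  "channel": "System",   "event_id": 104,  "time": "2019-12-30T09:00:00"},
]

# Constructed outbound flow records: host, destination port, bytes sent, time.
FLOWS = [
    {"host": "SRV16", "dst_port": 53, "bytes": 48_000_000, "time": "2019-12-30T08:10:00"},
    {"host": "WS01",  "dst_port": 53, "bytes": 12_000,     "time": "2019-12-30T09:01:00"},
]

# Event IDs that record a log being cleared (System 104, Security 1102).
LOG_CLEAR = {("Security", 1102), ("System", 104)}
DNS_PORTS = {53}
DNS_BYTES_THRESHOLD = 10_000_000  # assumed baseline for "unusual" volume; tune per environment


def log_clear_events(events):
    """Return every event that records an event log being cleared."""
    return [e for e in events if (e["channel"], e["event_id"]) in LOG_CLEAR]


def correlate(events, flows, window=timedelta(hours=1)):
    """Map host -> reasons, for hosts where a log clear is followed within
    `window` by heavy outbound traffic on DNS ports from the same host."""
    hits = {}
    for clear in log_clear_events(events):
        t0 = datetime.fromisoformat(clear["time"])
        for f in flows:
            t1 = datetime.fromisoformat(f["time"])
            if (f["host"] == clear["host"] and f["dst_port"] in DNS_PORTS
                    and t0 <= t1 <= t0 + window and f["bytes"] >= DNS_BYTES_THRESHOLD):
                hits.setdefault(clear["host"], []).append(
                    f"{clear['channel']} log cleared (ID {clear['event_id']}) at {clear['time']}, "
                    f"then {f['bytes']} bytes to port {f['dst_port']} at {f['time']}")
    return hits


if __name__ == "__main__":
    for host, reasons in correlate(EVENTS, FLOWS).items():
        print(host, *reasons, sep="\n  ")
```

WS01 also cleared its System log, but its DNS-port traffic stays below the threshold, so only SRV16 is reported; each indicator alone is weak, and it is the combination that makes the IoC.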

What is a node?

  • A node refers to a point or joint where a connection takes place
  • is combined with an IP address in order to identify two parts:
  • It refers to a direct connection between two computers on a network.
  • is the process of breaking down information into smaller manageable chunks before it is transmitted

EXPLANATION

A node is a device or data point in a larger network.
A node can be a couple of different things depending on whether the conversation is about computer science or networking.
In networking, a node is a connection point, a redistribution point, or a communication endpoint. In computer science, nodes are devices or data points on a large network; devices such as a PC, phone, or printer are considered nodes.
In general, a node has a programmed or engineered capability that enables it to recognise, process, or forward transmissions to other nodes.

Which is the most frequent IT problem?

  • Virus in user computer
  • Computer froze
  • User forgot his password
  • Data loss 

EXPLANATION

  • “I'm unable to log in!”
  • “I've got the dreaded blue screen of death!”
  • “I deleted some important files!”
  • “I just closed my document without saving!”
  • “My computer is running too slowly!”
  • “My computer just shut down unexpectedly!”
  • “I can't print anything!”

Which of the following is a valid IPv6 link-local address?

  • fe80::f557:9caf:86ce:855e
  • fg80::8a2e:0370:7334
  • 169.254.1.1
  • fe80:0000:0000:5d18:0000:6977:a3cf:e46d 

EXPLANATION

ipv6 unicast-routing
interface gigabitethernet 0/0/0
  ipv6 address 2001:DB8:c18:1::/64 eui-64
Device# show ipv6 interface gigabitethernet 0/0/0
Gigabitethernet0/0/0 is up, line protocol is up
 IPv6 is enabled, link-local address is FE80::F557:9CAF:86CE:855E
  Global unicast address(es):
    2001:DB8:C18:1:260:3EFF:FE47:1530, subnet is 2001:DB8:C18:1::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF47:1530
    FF02::9
  MTU is 1500 bytes
  ICMP error messages limited to one every 500 milliseconds
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  Hosts use stateless autoconfig for addresses.
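The router output above shows what a configured link-local address looks like; the following added example (not from the original post) checks the four answer options programmatically. It assumes Python's standard ipaddress module and the RFC 4291 definition of a link-local unicast address: the fe80::/10 prefix followed by 54 zero bits, i.e. an address inside fe80::/64.

```python
import ipaddress

# The four answer options from the question above.
OPTIONS = [
    "fe80::f557:9caf:86ce:855e",
    "fg80::8a2e:0370:7334",
    "169.254.1.1",
    "fe80:0000:0000:5d18:0000:6977:a3cf:e46d",
]

LINK_LOCAL_10 = ipaddress.IPv6Network("fe80::/10")  # range reserved for link-local use
LINK_LOCAL_64 = ipaddress.IPv6Network("fe80::/64")  # the form hosts actually use (54 zero bits)


def classify(text):
    """Return (is_ipv6, in_fe80_10, is_strict_link_local) for one candidate string.
    Non-IPv6 input (an IPv4 address, or a non-hex hextet such as 'fg80') yields all False."""
    try:
        addr = ipaddress.IPv6Address(text)
    except ipaddress.AddressValueError:
        return (False, False, False)
    return (True, addr in LINK_LOCAL_10, addr in LINK_LOCAL_64)


def valid_link_local(options):
    """Keep only the options that are well-formed IPv6 and strictly link-local."""
    return [o for o in options if classify(o)[2]]


if __name__ == "__main__":
    for o in OPTIONS:
        print(f"{o:45} -> {classify(o)}")
    print("valid link-local:", valid_link_local(OPTIONS))
```

Note the caveat the last option illustrates: it falls inside fe80::/10 (so a loose check such as Python's is_link_local accepts it), but its non-zero fourth hextet violates the 54-zero-bit requirement, so it is not a link-local address a host would actually carry.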

A type of cryptographic network protocol for secure data communication

  • TFTP
  • TELNET
  • SSH
  • RDP 

EXPLANATION

Secure Shell (SSH), created in 1995, is a cryptographic network security protocol used to secure data communication over a network. It permits remote command-line login as well as remote execution of specific tasks. File-transfer functionality similar to FTP is also incorporated into SSH.
