1. Key Terms:
    1. Baselining:
      1. The process of measuring changes in networking, hardware, software, and so on.
    2. Baseline Reporting:
      1. Identification of the security posture of an application, system, or network.
    3. Security Posture:
      1. The risk level to which a system, or other technology element, is exposed.
    4. Security Posture Assessment:
      1. An assessment that uses baseline reporting and other analyses to discover vulnerabilities and weaknesses in systems and networks.
  2. Creating a Baseline
    1. To create a baseline for a critical system process, use a reliable system monitoring tool to take measurements of the system process at regular intervals over a period of time.
      1. An example of one of these tools is the Windows Performance Monitor, which may be used to measure:
        1. CPU usage (%)
        2. System uptime (availability)
        3. Free RAM
        4. Free hard drive space
        5. CPU temperature
        6. Fan speed
        7. S.M.A.R.T. (Self-Monitoring, Analysis and Reporting Technology) data
        8. Note: The primary function of S.M.A.R.T. monitoring is to detect and report on the reliability of the HDDs (Hard Disk Drives), SSDs (Solid State Drives), and eMMCs (embedded Multi-Media Cards)
    2. To create a baseline of critical network processes, use SPAN (Switch Protocol Analyzer) and IP SLA (IP Service Level Agreement), along with a network protocol analyzer such as Wireshark, SolarWinds, or Nessus, to confirm the measurements reported by your network hardware.
      1. Alternatively, if you have access to a centralized SDN environment, such as the Cisco APIC (Application Programmable Interface Controller) or APIC-EM (Application Programmable Interface Controller Enterprise Module), the Northbound Interface API can be used to automatically measure the network baseline with the ACL Path Trace Tool.
    3. Protocol Analyzers
      1. Wireshark
        1. Port Mirroring (SPAN):
          1. When you configure one or more ports on a switch to forward all packets to another port. Often used when capturing packets.
          2. Explain the difference between Port Mirroring and a Network Tap:
            1. Port Mirroring refers to configuring one or more (Layer 2) switch ports to copy and forward frames to another switch port.
            2. A Network Tap is a physical device that intercepts traffic between two points of the network. A network tap typically has three ports: two that sit in-line with the monitored link (one per side) and one monitor port for the computer performing packet capture.
      2. Network adapters (NICs) may operate in one of two modes:
        1. Promiscuous Mode:
          1. The network adapter captures all packets that it has access to regardless of the destination of those packets.
        2. Non-Promiscuous Mode:
          1. The network adapter captures only the packets specifically addressed to it. Flooded traffic from broadcasts, multicasts, and unknown unicasts is discarded without first being inspected.
          2. Broadcast Storm:
            1. The accumulation of broadcast and multicast traffic on a computer network.
    4. SNMP
      1. Simple Network Management Protocol (SNMP):
        1. A TCP/IP protocol that monitors network-attached devices and computers. It's usually incorporated as part of a network management system.
      2. Describe the three components of an SNMP system:
        1. Managed Devices:
          1. A network node that implements an SNMP interface that allows unidirectional (Read-Only, RO) or bidirectional (Read-Write, RW) access to node-specific information.
          2. Managed devices exchange node-specific information with the NMS.
        2. SNMP Agents:
          1. A network-management software module that resides on a managed device.
          2. An agent has local knowledge of Objects and their associated Object IDs (OIDs) held within the Management Information Base (MIB), and translates that information to or from an SNMP-specific form.
        3. SNMP Manager (NMS):
          1. A Network Management Station executes applications that monitor and control managed devices.
          2. One or more NMS provide the bulk of the processing and memory resources required for network management.
      3. SNMP uses ports 161 and 162:
        1. SNMP agents receive requests from the NMS on port 161.
        2. The NMS receives notifications from SNMP agents on port 162.
      4. In-Band vs Out-Of-Band (OOB):
        1. There are primarily two ways to manage a network:
          1. In-Band:
            1. Network management is performed from within the local network, using SSH, SNMP, or OpenFlow.
            2. In-band is the most common way to manage a network.
          2. Out-of-Band:
            1. Network management is performed from outside the local network.
          3. Use Cases:
            1. In large organizations, network-dependent organizations, and/or organizations that highly value redundancy and resiliency, out-of-band network management may be deployed in combination with in-band management as a failsafe or secondary system.
            2. In systems that do not have access to a direct (local) network connection, such as SCADA, PLC, and other embedded systems used in critical infrastructure and manufacturing, out-of-band network management is also an option.
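Added example (not part of these notes): a minimal BER walker that pulls the version, community string and PDU type out of a raw SNMPv1/v2c message captured on UDP 161 or 162. This is the check a monitoring sensor performs to spot cleartext default communities on the wire; the packet bytes are constructed for the example, and the PDU type names follow the standard SNMP tag values.

```python
# Minimal BER decoder for SNMPv1/v2c messages (added example, not from the notes).
# Enough of the encoding is walked to recover the header fields that matter for
# monitoring: protocol version, community string and request type.

DEFAULT_COMMUNITIES = {b"public", b"private"}
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap-v1", 0xA5: "GetBulkRequest",
             0xA7: "Trap-v2c"}


def read_tlv(buf, pos):
    """Decode one BER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_snmp(payload):
    """Return version, community, PDU type and a default-community flag."""
    tag, body, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    tag, ver, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    tag, community, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing (SNMPv3 header differs)")
    pdu_tag, _, _ = read_tlv(body, pos)
    version = {0: "v1", 1: "v2c"}.get(int.from_bytes(ver, "big"), "unknown")
    return {"version": version, "community": community.decode("latin-1"),
            "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)),
            "default_community": community in DEFAULT_COMMUNITIES}


# Constructed sample: SNMPv2c GetRequest for sysDescr.0 with community "public".
SAMPLE_GET = bytes.fromhex(
    "3029 020101 0406 7075626c6963"         # SEQUENCE, version=1 (v2c), "public"
    "a01c 0204 01020304 020100 020100"      # GetRequest, request-id, error fields
    "300e 300c 0608 2b06010201010100 0500"  # varbind: OID 1.3.6.1.2.1.1.1.0, NULL
)

if __name__ == "__main__":
    print(parse_snmp(SAMPLE_GET))
```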
    5. Windows
      1. Describe how to view and monitor remotely-accessed file shares in Windows OS:
        1. In Windows, any files and shares that are being accessed by remote computers can be monitored within Computer Management (Run > compmgmt.msc).
        2. Inside Computer Management, navigate to System Tools > Shared Folders. From there you can see what shares and open files are being accessed, and what network sessions are open to that computer.
          1. Note: On some versions of Windows, the Performance Monitor utility can also be found within Computer Management.
        3. To view the files opened locally, use the openfiles command, which also allows you to see files opened by remote computers.
          1. The openfiles command must be run from an elevated Command Prompt. The Maintain Objects List global flag must be enabled with the following command (the change takes effect after a restart):
          2. openfiles /local on
        4. Then run the openfiles command to see what files are opened locally, and by remote computers.
        5. To view a list of options that may be performed with the openfiles command, issue the /? option.
      2. Provide the syntax for the Windows openfiles command, which enables an administrator to list or disconnect files and folders that have been opened on a system:
        1. OPENFILES /parameter [arguments]
        2. Description: Enables an administrator to list or disconnect files and folders that have been opened on a system.
        3. Parameter List:
          1. /Disconnect: Disconnects one or more open files.
          2. /Query: Displays files opened locally or from shared folders.
          3. /Local: Enables / Disables the display of local open files.
          4. /?: Displays this help message.
        4. Examples:
          1. OPENFILES /Disconnect /?
          2. OPENFILES /Query /?
          3. OPENFILES /Local /?
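Added example (not from these notes) that automates the share-monitoring procedure above: it parses the CSV form of openfiles /query /fo csv /v and reports accounts outside an allow-list that have files open under a sensitive share. The sample output and column names are constructed approximations of the real format, so the parser keys on header text rather than column positions.

```python
import csv
import subprocess

# Constructed sample in the shape of `openfiles /query /fo csv /v` output.
# Column names are assumed from typical output; the parser matches on header
# substrings so minor differences between Windows versions do not break it.
SAMPLE_CSV = (
    '"Hostname","ID","Accessed By","Type","#Locks","Open Mode","Open File (Path\\executable)"\n'
    '"FILESRV01","1234","CORP\\alice","Windows","0","Read","C:\\Shares\\Finance\\budget.xlsx"\n'
    '"FILESRV01","1240","CORP\\bob","Windows","1","Write","C:\\Shares\\HR\\salaries.xlsx"\n'
    '"FILESRV01","1301","CORP\\svc-backup","Windows","0","Read","C:\\Shares\\HR\\"\n'
)

def parse_openfiles_csv(text):
    """Turn openfiles CSV output into dicts with account, open mode and path."""
    lines = [ln for ln in text.splitlines() if ln.startswith('"')]  # drop banner text
    rows = []
    for rec in csv.DictReader(lines):
        account = next(v for k, v in rec.items() if "Accessed By" in k)
        path = next(v for k, v in rec.items() if "Open File" in k)
        mode = next((v for k, v in rec.items() if "Open Mode" in k), "")
        rows.append({"account": account, "mode": mode, "path": path})
    return rows

def sensitive_access(rows, sensitive_prefixes, allowed_accounts):
    """Rows touching a sensitive share path by an account outside the allow-list."""
    allowed = {a.lower() for a in allowed_accounts}
    hits = []
    for r in rows:
        if any(r["path"].lower().startswith(p.lower()) for p in sensitive_prefixes):
            if r["account"].lower() not in allowed:
                hits.append(r)
    return hits

def collect_live():
    """Run openfiles on the local Windows host (needs an elevated prompt)."""
    out = subprocess.run(["openfiles", "/query", "/fo", "csv", "/v"],
                         capture_output=True, text=True, check=True).stdout
    return parse_openfiles_csv(out)

if __name__ == "__main__":
    for hit in sensitive_access(parse_openfiles_csv(SAMPLE_CSV),
                                [r"C:\Shares\HR"], ["CORP\\svc-backup"]):
        print(f'{hit["account"]} has {hit["path"]} open ({hit["mode"]})')
```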
  3. Monitoring
    1. Once administrators set baseline requirements and deploy those baselines across the enterprise, they should continue to monitor systems for compliance with the baseline.
    2. Automated monitoring solutions allow administrators to rapidly check thousands of systems against the baseline and quickly identify any deviations that require further investigation.
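Added example (not part of these notes) covering both the baselining procedure in section 2 and the monitoring step here: counter samples of the kind Performance Monitor collects are turned into a baseline envelope (mean and standard deviation per counter), and later readings are checked against it. The sample values are constructed; the hard limits are an added caveat, since a slowly filling disk stays inside "normal" variance right up until it is full.

```python
import statistics

# Constructed counter samples in the shape Performance Monitor would collect at
# regular intervals during the baselining window (values are made up).
BASELINE_SAMPLES = {
    "cpu_pct":      [12, 15, 11, 14, 13, 16, 12, 14, 13, 15],
    "free_ram_mb":  [6100, 6050, 6120, 6080, 6010, 6090, 6070, 6110, 6040, 6060],
    "free_disk_gb": [210, 209, 209, 208, 208, 207, 207, 206, 206, 205],
}

# Absolute floors/ceilings a statistical envelope alone would not enforce
# (assumed values for the example).
HARD_LIMITS = {"free_disk_gb": ("min", 20), "cpu_pct": ("max", 90)}


def build_baseline(samples):
    """Mean and population standard deviation per counter: the 'normal' envelope."""
    return {name: (statistics.mean(vals), statistics.pstdev(vals))
            for name, vals in samples.items()}


def check_against_baseline(baseline, current, z_threshold=3.0, hard_limits=HARD_LIMITS):
    """Return {counter: reason} for each reading more than z_threshold standard
    deviations from the baseline mean or outside a hard limit."""
    findings = {}
    for name, (mean, sd) in baseline.items():
        value = current[name]
        # A perfectly flat counter has sd 0; any change from it is a deviation.
        z = (value - mean) / sd if sd else (0.0 if value == mean else float("inf"))
        if abs(z) > z_threshold:
            findings[name] = f"z={z:.1f} (mean {mean:.1f}, sd {sd:.1f})"
        kind, limit = hard_limits.get(name, (None, None))
        if (kind == "min" and value < limit) or (kind == "max" and value > limit):
            findings[name] = f"hard limit {kind} {limit} breached (value {value})"
    return findings


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_SAMPLES)
    # Constructed "current" reading: CPU pegged, RAM normal, disk nearly full.
    now = {"cpu_pct": 95, "free_ram_mb": 6080, "free_disk_gb": 15}
    for counter, reason in check_against_baseline(baseline, now).items():
        print(f"{counter}: {reason}")
```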