Comptia Security Plus Mock Test Q54

Joe, a security administrator, believes that a network breach has occurred in the data center as a result of a misconfigured router access list, allowing outside access to an SSH server. Which of the following should Joe search for in the log files?

A. Failed authentication attempts
B. Network ping sweeps
C. Host port scans
D. Connections to port 22

Correct Answer: D
Section: Network Security

Explanation:
Log analysis is the art and science of reviewing audit trails, log files, or other forms of computer-generated records for evidence of policy violations, malicious events, downtimes, bottlenecks, or other issues of concern.
SSH uses TCP port 22. All protocols encrypted by SSH also use TCP port 22, such as SFTP, SHTTP, SCP, SExec, and slogin.

Incorrect Answers:
A: This just shows you the number of attempts at authentication that were unsuccessful.

B: Ping sweeps are can establish a range of IP addresses which map to live hosts.

C: This is often carried out by administrators to validate security policies of their networks and by
attackers to identify running services on a host with the view to compromise it.

References:
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p. 26
http://en.wikipedia.org/wiki/Ping_sweep
http://en.wikipedia.org/wiki/Port_scanner