Intrusion Detection and Prevention Systems

Questions and Answers

A(n) works like a burglar alarm in that it detects a violation and activates an alarm.

IDPS

What is a major advantage of a Heuristic-based IDS?

It can detect Unknown Attacks.

What is the primary characteristic of a signature-based IDS?

It uses predefined patterns of known threats to identify intrusions.

What is the primary function of a SIEM system?

To collect, analyze, and respond to security events and incidents.

Intrusion detection consists of procedures and systems that identify system intrusions and take steps to limit the intrusion and return operations to a normal state when an intrusion is detected.

False

An IDPS can be configured to call a phone number or perform another type of signal or message.

True

A false positive is the failure of an IDPS system to react to an actual attack event.

False

NIDPSs can reliably ascertain whether an attack was successful.

False

HIDPSs are also known as system integrity verifiers.

True

An HIDPS can monitor system logs for predefined events.

True

An HIDPS can detect local events on host systems and detect attacks that may elude a network-based IDPS.

True

An HIDPS is optimized to detect multihost scanning, and it is able to detect the scanning of non-host network devices, such as routers or switches.

False

The anomaly-based IDPS collects statistical summaries by observing traffic that is known to be normal.

True

IDPS responses can be classified as active or passive.

True

A passive IDPS response is a definitive action automatically initiated when certain types of alerts are triggered.

False

The Simple Network Management Protocol contains trap functions, which allow a device to send a message to the SNMP management console indicating that a certain threshold has been crossed, either positively or negatively.

True

In order to determine which IDPS best meets an organization's needs to consider the system environment, security goals and objectives, and the existing security policy.

True

Your organization's operational goals, constraints, and culture should not affect the selection of the IDPS and other security tools and technologies to protect your systems.

False

Among the considerations in evaluating an IDPS are the product's scalability, testing, support provisions, and ability to provide information on the source of attacks.

False

A fully distributed IDPS control strategy is an IDPS implementation approach in which all control functions are applied at the physical location of each IDPS component.

True

Security tools that provide decoy systems designed to lure potential attackers away from critical systems include honeypots, honeynets, and padded cell systems.

True

An IDPS helps to secure networks by identifying where the network needs securing.

False

Once the OS is known, the vulnerabilities to which a system is susceptible can more easily be determined.

True

The Metasploit Framework is a collection of exploits coupled with an interface that allows the penetration tester to automate the custom exploitation of vulnerable systems.

True

A passive vulnerability scanner is one that initiates traffic on the network in order to determine security holes.

False

Passive scanners are advantageous in that they can find client-side vulnerabilities that are typically not found by active scanners.

True

To use a packet sniffer legally, the administrator only needs to be on a network that the organization owns, and have authorization of the network's owners.

False

Alarm filtering and compaction is the process of grouping almost identical alarms that occur nearly at the same time into a single higher-level alarm.

False

A(n) event is an indication that a system has just been attacked or is under attack.

False

Alarm events that are accurate and noteworthy but do not pose significant threats to information security are called noise.

True

Avoidance is the process by which an attacker changes the format and/or timing of activities to avoid being detected by an IDPS.

False

The integrity value, which is based upon fuzzy logic, helps an administrator determine how likely it is that an IDPS alert or alarm indicates an actual attack in progress.

False

A(n) known vulnerability is a published weakness or fault in an information asset or its protective systems that may be exploited and result in loss.

True

The activities that gather public information about the organization and its network activities and assets is called fingerprinting.

False

In the process of protocol application verification, the NIDPSS look for invalid data packets.

False

A HIDPS is also known as a system validity verifier.

False

A(n) NIDPS functions on the host system, where encrypted traffic will have been decrypted and is available for processing.

False

Preconfigured, predetermined attack patterns are called signatures.

True

A(n) log file monitor is similar to an NIDPS.

True

The centralized IDPS implementation approach occurs when all detection functions are managed in a central location.

False

A(n) partially distributed IDPS control strategy combines the best of other IDPS strategies.

True

When a collection of honeypots connects several honeypot systems on a subnet, it may be called a(n) honeynet.

True

A hardened honeypot is also known as a protected cell system.

False

The disadvantages of using the honeypot or padded cell approach include the fact that the technical implications of using such devices are not well understood.

False

When using trap-and-trace, the trap usually consists of a honeypot or padded cell and a(n) packet sniffer.

False

Enticement is the illegal and unethical action of luring an individual into committing a crime to get a conviction.

False

Fingerprinting is the organized research of the Internet addresses owned or controlled by a target organization.

False

For Linux or BSD systems, a tool called "Sam Spade" allows a remote individual to “mirror” entire Web sites.

False

Port scanners are tools used both by attackers and defenders to identify (or footprint) the computers that are active on a network, as well as the ports and services active on those computers, the functions and roles the machines are fulfilling, and other useful information.

False

A(n) port is the equivalent of a network channel or connection point in a data communications system.

True

A(n) monitoring vulnerability scanner is one that listens in on the network and determines vulnerable versions of both server and client software.

False

Which of the following ports is commonly used for the HTTP protocol?

80

The ability to detect a target computer's is very valuable to an attacker.

operating system

Testing is a straightforward testing technique that looks for vulnerabilities in a program or protocol by feeding random input to the program or a network running the protocol.

Fuzz

Some vulnerability scanners feature a class of attacks called that are so dangerous they should only be used in a lab environment.

destructive

A vulnerability scanner listens in on the network and identifies vulnerable versions of both server and client software.

passive

A(n) is a software program or hardware appliance that can intercept, copy, and interpret network traffic.

packet sniffer

To use a packet sniffer legally, the administrator must

all of these are correct

How does a signature-based IDPS differ from a behavior-based IDPS?

A signature-based system looks for patterns of behavior that match a library of known behaviors. A behavior-based system watches for activities that suggest an alert-level activity is occurring, based on sequences of actions or the timing between otherwise unrelated events.

What is a SIEM and what is its primary purpose?

A security information and event management (SIEM) system is an information management system specifically tasked to collect and correlate events and other log data from a number of servers or other network devices for the purpose of interpreting, filtering, correlating, analyzing, storing, reporting, and acting on the resulting information.

What is network footprinting and how is it related to network fingerprinting?

Footprinting is organized research of the Internet addresses owned or controlled by a target organization. The attacker uses public Internet data sources to perform keyword searches that identify the organization's Web pages. Web pages usually contain information about internal systems, the people who develop the Web pages, and other tidbits that can be used for social engineering attacks. The fingerprinting phase uses the TCP/IP address ranges that were collected during the footprinting phase to identify the network services offered by the hosts in that range.

Study Notes

Intrusion Detection and Prevention Systems (IDPS)

• IDPS systems work like burglar alarms, detecting violations and activating alarms
• Heuristic-based IDS can detect unknown attacks
• Signature-based IDS uses predefined patterns to identify known threats
• SIEM systems collect, analyze, and respond to security events and incidents
• Intrusion detection involves procedures and systems that identify intrusions and restore normal operations
• IDPS can configure to call a phone number or perform another signal
• A false positive is a failure of an IDPS system to react to a real attack
• NIDPSS (Network-based IDPSs) are also known as system integrity verifiers
• HIDPSS (Host-based IDPSs) can monitor system logs for predictable events
• HIDPSs can detect local events that would elude a network-based system
• HIDPSs are optimized for multihost scanning, and can detect non-host devices like routers or switches
• Anomaly-based IDPSs collect statistical summaries by observing normal traffic

Description

This quiz explores Intrusion Detection and Prevention Systems (IDPS), highlighting their functionality as security measures akin to burglar alarms. It covers different types of IDS, including heuristic and signature-based systems, as well as the roles of SIEM in security event management. Test your knowledge on how these systems work to detect and respond to various cyber threats.