Deck 8: Intrusion Detection and Prevention Systems
1
A hybrid IDPS combines aspects of NIDPS and HIDPS configurations.
True
2
Which of the following is a sensor type that uses bandwidth throttling and alters malicious content?
A) passive only
B) inline only
C) active only
D) online only
B
3
An NIDPS can tell you whether an attack attempt on the host was successful.
False
4
A weakness of a signature-based system is that it must keep state information on a possible attack.
5
Which of the following is NOT a method used by passive sensors to monitor traffic?
A) spanning port
B) network tap
C) packet filter
D) load balancer
6
Which method for detecting certain types of attacks uses an algorithm to detect suspicious traffic, is resource intensive, and requires extensive tuning and maintenance?
A) brute force
B) heuristic
C) signature
D) anomaly
7
Which of the following is true about an HIDPS?
A) monitors OS and application logs
B) sniffs packets as they enter the network
C) tracks misuse by external users
D) centralized configurations affect host performance
8
Which of the following is an advantage of a signature-based detection system?
A) the definition of what constitutes normal traffic changes
B) it is based on profiles the administrator creates
C) each signature is assigned a number and name
D) the IDPS must be trained for weeks
9
Which of the following is NOT a typical IDPS component?
A) network sensors
B) command console
C) database server
D) Internet gateway
10
Which of the following is considered a problem with a passive, signature-based system?
A) profile updating
B) signature training
C) custom rules
D) false positives
11
Which approach to stateful protocol analysis involves detection of the protocol in use, followed by activation of analyzers that can identify applications not using standard ports?
A) Protocol state tracking
B) IP packet reassembly
C) Traffic rate monitoring
D) Dynamic Application layer protocol analysis
12
No actual traffic passes through a passive sensor; it only monitors copies of the traffic.
13
Which of the following is NOT a network defense function found in intrusion detection and prevention systems?
A) prevention
B) response
C) identification
D) detection
14
Where is a host-based IDPS agent typically placed?
A) on a workstation or server
B) at Internet gateways
C) between remote users and internal network
D) between two subnets
15
What is an advantage of the anomaly detection method?
A) makes use of signatures of well-known attacks
B) system can detect attacks from inside the network by people with stolen accounts
C) easy to understand and less difficult to configure than a signature-based system
D) after installation, the IDPS is trained for several days or weeks
16
Which IDPS customization option is a list of entities known to be harmless?
A) thresholds
B) whitelists
C) blacklists
D) alert settings
17
Which of the following is NOT a primary detection methodology?
A) signature detection
B) baseline detection
C) anomaly detection
D) stateful protocol analysis
18
Which type of IDPS can have the problem of getting disparate systems to work in a coordinated fashion?
A) inline
B) host-based
C) hybrid
D) network-based
19
An IDPS consists of a single device that you install between your firewall and the Internet.
20
The period of time during which an IDPS monitors network traffic to observe what constitutes normal network behavior is referred to as which of the following?
A) training period
B) baseline scanning
C) profile monitoring
D) traffic normalizing
21
MATCHING
a. accountability
b. escalated
c. event horizon
d. inline sensor
e. intrusion
f. passive sensor
g. profiles
h. sensor
i. stateful protocol analysis
j. true positive
an IDPS component that monitors traffic on a network segment
22
MATCHING
a. accountability
b. escalated
c. event horizon
d. inline sensor
e. intrusion
f. passive sensor
g. profiles
h. sensor
i. stateful protocol analysis
j. true positive
the entire length of an attack
23
__________________ procedures are a set of actions that are spelled out in the security policy and followed if the IDPS detects a true positive.
24
MATCHING
a. accountability
b. escalated
c. event horizon
d. inline sensor
e. intrusion
f. passive sensor
g. profiles
h. sensor
i. stateful protocol analysis
j. true positive
an NIDPS sensor that examines copies of traffic on the network
25
Which of the following is true about an NIDPS versus an HIDPS?
A) an NIDPS can determine if a host attack was successful
B) an HIDPS can detect attacks not caught by an NIDPS
C) an HIDPS can detect intrusion attempts on the entire network
D) an NIDPS can compare audit log records
26
Anomaly detection systems make use of _______________ that describe the services and resources each authorized user or group normally accesses on the network.
27
MATCHING
a. accountability
b. escalated
c. event horizon
d. inline sensor
e. intrusion
f. passive sensor
g. profiles
h. sensor
i. stateful protocol analysis
j. true positive
the process of maintaining a table of current connections so that abnormal traffic can be identified
28
In a _______________ based detection system, the IDPS can begin working immediately after installation.
29
Which of the following is true about the steps in setting up and using an IDPS?
A) anomaly-based systems come with a database of attack signatures
B) sensors placed on network segments will always capture every packet
C) alerts are sent when a packet doesn't match a stored signature
D) false positives do not compromise network security
30
Why might you want to allow extra time for setting up the database in an anomaly-based system?
A) the installation procedure is usually complex and time consuming
B) to add your own custom rule base
C) it requires special hardware that must be custom built
D) to allow a baseline of data to be compiled
31
A network ____________ is a type of passive sensor that consists of a direct connection between a sensor and the physical network medium.
32
Which of the following is an IDPS security best practice?
A) to prevent false positives, only test the IDPS at initial configuration
B) communication between IDPS components should be encrypted
C) all sensors should be assigned IP addresses
D) log files for HIDPSs should be kept local
33
MATCHING
a. accountability
b. escalated
c. event horizon
d. inline sensor
e. intrusion
f. passive sensor
g. profiles
h. sensor
i. stateful protocol analysis
j. true positive
the ability to track an attempted attack or intrusion back to its source
34
MATCHING
a. accountability
b. escalated
c. event horizon
d. inline sensor
e. intrusion
f. passive sensor
g. profiles
h. sensor
i. stateful protocol analysis
j. true positive
sets of characteristics that describe network services and resources a user or group normally accesses
35
MATCHING
a. accountability
b. escalated
c. event horizon
d. inline sensor
e. intrusion
f. passive sensor
g. profiles
h. sensor
i. stateful protocol analysis
j. true positive
an NIDPS sensor positioned so that all traffic on the network segment is examined as it passes through
36
An IDPS __________________ server is the central repository for sensor and agent data.
37
MATCHING
a. accountability
b. escalated
c. event horizon
d. inline sensor
e. intrusion
f. passive sensor
g. profiles
h. sensor
i. stateful protocol analysis
j. true positive
a genuine attack detected successfully by an IDPS
38
If you see a /16 in the header of a Snort rule, what does it mean?
A) a maximum of 16 log entries should be kept
B) the size of the log file is 16 MB
C) the subnet mask is 255.255.0.0
D) the detected signature is 16 bits in length
39
MATCHING
a. accountability
b. escalated
c. event horizon
d. inline sensor
e. intrusion
f. passive sensor
g. profiles
h. sensor
i. stateful protocol analysis
j. true positive
an attempt to gain unauthorized access to network resources
40
MATCHING
a. accountability
b. escalated
c. event horizon
d. inline sensor
e. intrusion
f. passive sensor
g. profiles
h. sensor
i. stateful protocol analysis
j. true positive
increasing an intrusion response to a higher level
41
Describe two advantages and two disadvantages of a signature-based system.
42
List two approaches to stateful protocol analysis.
43
What are the four typical components of an IDPS?
44
Define stateful protocol analysis. Include in your answer the concept of the event horizon.
45
Contrast anomaly detection with signature detection.
46
What is an inline sensor and how is it used to stop attacks?
47
Describe two advantages and two disadvantages of an anomaly-based system.
48
What are the four common entry points to a network where sensors should be placed?
49
What are the three network defense functions performed by an IDPS?
50
List four types of information that an NIDPS typically logs.