Deck 6: Network Monitoring and Intrusion Detection and Prevention Systems
1
Which tcpdump option specifies the number of packets to capture?
A) -i
B) -c
C) -p
D) -n
Answer: B
2
In ____, valid packets exploit poorly configured DNS servers to inject false information to corrupt the servers' answers to routine DNS queries from other systems on the network.
A) DNS cache poisoning
B) Tiny Fragment Packet attacks
C) denial-of-service (DoS) attacks
D) man-in-the-middle attacks
Answer: A
3
The first hurdle a potential IDPS must clear is functioning in your systems environment.
Answer: True
4
What does the tcpdump host 192.168.1.100 command do?
A) It only captures traffic originating from and destined to 192.168.1.100.
B) It only captures traffic originating from 192.168.1.100.
C) It only captures traffic destined to 192.168.1.100.
D) It only captures traffic destined to the default host 192.168.1.1.
5
Deploying and implementing an IDPS is always a straightforward task.
6
The tcpdump tool will output both the header and packet contents into ____ format.
A) binary
B) hex
C) ASCII
D) EBCDIC
7
The size of a signature base is a good measure of an IDPS's effectiveness.
8
A ____ resides on a computer or appliance connected to a segment of an organization's network and monitors network traffic on that network segment - much like tcpdump - looking for indications of ongoing or successful attacks.
A) network-based IDPS (NIDPS)
B) host-based IDPS (HIDPS)
C) wireless IDPS
D) network behavior analysis (NBA) system
9
Most NBA sensors can be deployed in ____ mode only, using the same connection methods (e.g., network tap, switch spanning port) as network-based IDPSs.
A) simple
B) aggressive
C) active
D) passive
10
By default, tcpdump will just print ____ information.
A) source
B) destination
C) packet header
D) packet contents
11
Because of its ubiquity in UNIX/Linux systems, ____ has become the de facto standard in network sniffing.
A) ICMP
B) LaBrea
C) tcpdump
D) snort
12
Wireless sensors are most effective when their ____ overlap.
A) thresholds
B) signatures
C) footprints
D) keys
13
Signature-based IDPS technology is widely used because many attacks have clear and distinct signatures.
14
In ____ verification, the higher-order protocols (HTTP, FTP, Telnet) are examined for unexpected packet behavior or improper use.
A) application stack
B) application protocol
C) protocol stack
D) protocol behavior
15
A signature-based IDPS examines network traffic in search of patterns that match known ____.
A) keys
B) addresses
C) signatures
D) phrases
16
One of the best reasons to install a(n) ____ is to provide an organization with overall situational awareness - or a better overall understanding - of the activities that take place on the network.
A) router
B) IDPS
C) firewall
D) VPN
17
When the measured activity is outside the baseline parameters - exceeding what is called the ____ - the IDPS sends an alert to the administrator.
A) baseline
B) clipping level
C) radius
D) sensor range
18
The Simple Network Management Protocol contains ____ functions, which allow a device to send a message to the SNMP management console indicating that a certain threshold has been crossed, either positively or negatively.
A) log
B) trap
C) evidentiary packet dump
D) e-mail message
19
Intrusion ____ consists of activities that deter an intrusion.
A) detection
B) prevention
C) response
D) alert
20
A sniffer can decipher encrypted traffic.
21
Under the guise of justice, some less scrupulous administrators may even be tempted to ____, or hack into a hacker's system to find out as much as possible about the hacker.
A) reverse hack
B) back hack
C) white hack
D) transpose
22
Match each item with a statement below.
a. Alert
b. Confidence
c. Evasion
d. Events
e. False negative
f. False positive
g. Filtering
h. Tuning
i. Thresholds
A value placed on an IDPS event's ability to correctly detect and identify certain types of attacks.
23
Match each item with a statement below.
a. Alert
b. Confidence
c. Evasion
d. Events
e. False negative
f. False positive
g. Filtering
h. Tuning
i. Thresholds
The failure of an IDPS to react to an actual attack event.
24
____________________ are decoy systems designed to lure potential attackers away from critical systems.
25
Match each item with a statement below.
a. Alert
b. Confidence
c. Evasion
d. Events
e. False negative
f. False positive
g. Filtering
h. Tuning
i. Thresholds
An indication that a system has detected a possible attack.
26
Match each item with a statement below.
a. Alert
b. Confidence
c. Evasion
d. Events
e. False negative
f. False positive
g. Filtering
h. Tuning
i. Thresholds
IDPS events that are accurate and noteworthy but do not pose a significant threat to information security.
27
One tool that provides active intrusion prevention is known as ____.
A) tcpdump
B) ICMP
C) Vigenère cipher
D) LaBrea
28
Match each item with a statement below.
a. Alert
b. Confidence
c. Evasion
d. Events
e. False negative
f. False positive
g. Filtering
h. Tuning
i. Thresholds
The process of reducing IDPS events in order to receive a better confidence in the alerts received.
29
Match each item with a statement below.
a. Alert
b. Confidence
c. Evasion
d. Events
e. False negative
f. False positive
g. Filtering
h. Tuning
i. Thresholds
The process by which an attacker changes the format of the network packets and/or timing of their activities to avoid being detected by the IDPS.
30
The ____________________ port, also known as a switched port analysis (SPAN) port or mirror port, is a specially configured connection on a network device that is capable of viewing all the traffic that moves through the entire device.
31
According to SP 800-94, ____________________ (SPA) is a process of comparing predetermined profiles of generally accepted definitions of benign activity for each protocol state against observed events to identify deviations.
32
A ____ is a list of discrete entities that are known to be benign.
A) blacklist
B) hot list
C) whitelist
D) clean list
33
Match each item with a statement below.
a. Alert
b. Confidence
c. Evasion
d. Events
e. False negative
f. False positive
g. Filtering
h. Tuning
i. Thresholds
A value that sets the limit between normal and abnormal behavior.
34
____ applications use a combination of techniques to detect an intrusion and trace it back to its source.
A) Trap-and-trace applications
B) Honeynet
C) Behavior-based
D) Statistical anomaly-based
35
____________________ sensors are typically intended for network perimeter use, so they would be deployed in close proximity to the perimeter firewalls, often between the firewall and the Internet border router to limit incoming attacks that could overwhelm the firewall.
36
Match each item with a statement below.
a. Alert
b. Confidence
c. Evasion
d. Events
e. False negative
f. False positive
g. Filtering
h. Tuning
i. Thresholds
An alert or alarm that occurs in the absence of an actual attack.
37
Blacklists and whitelists are most commonly used in ____ detection and stateful protocol analysis.
A) blacklist
B) signature-based
C) statistical anomaly-based
D) behavior-based
38
Match each item with a statement below.
a. Alert
b. Confidence
c. Evasion
d. Events
e. False negative
f. False positive
g. Filtering
h. Tuning
i. Thresholds
The process of adjusting an IDPS to maximize its efficiency in detecting true positives while minimizing both false positives and false negatives.
39
A(n) ____________________ occurs when an attacker attempts to gain entry or disrupt the normal operations of an information system, almost always with the intent to do harm.
40
When a collection of honeypots connects several honeypot systems on a subnet, it may be called a ____.
A) nest
B) web
C) honeynet
D) tunnel
41
List three disadvantages of using a honeypot approach.
42
List five strengths of IDPSs.
43
Describe an incident response.
44
Define enticement and entrapment and compare the two.
45
Explain the focus of a network-based IDPS and describe the specialized subtypes of network-based IDPSs.
46
List four problems a wireless IDPS can help detect.
47
Describe the response behavior of IDPSs.
48
Define and describe a fully distributed IDPS control strategy.
49
List three advantages of operational NIDPSs.
50
Describe three factors that can delay or undermine an organization's ability to make its systems safe from attack and subsequent loss.