6.4.5 Practice Questions Test Out


Which of the following is true about an intrusion detection system?

An intrusion detection system monitors data packets for malicious or unauthorized traffic.

An intrusion detection system (IDS) monitors data packets for malicious or unauthorized traffic. However, an IDS takes no action to stop or prevent the attack. It maintains a passive, not an active, role in network security. It cannot terminate or restart other processes, and it cannot block malicious activities.

Which IDS type can alert you to trespassers?

PIDS

A PIDS (perimeter intrusion detection system) can alert you to physical trespassers. VMIDS, NIDS, and HIDS are IDS types, but they cannot alert you to physical trespassers.

Which of the following describes the worst possible action by an IDS?

The system identified harmful traffic as harmless and allowed it to pass without generating any alerts.

The worst possible action an IDS can perform is identifying harmful traffic as harmless and allowing it to pass without generating any alerts. This condition is known as a false negative.

Which IDS method searches for intrusion or attack attempts by recognizing patterns or identifying entities listed in a database?

Signature-based IDS

A signature-based IDS, or pattern matching-based IDS, is a detection system that searches for intrusion or attack attempts by recognizing patterns that are listed in a database. A heuristics-based IDS is able to perform some level of intelligent statistical analysis of traffic to detect attacks. Anomaly analysis-based IDSs look for changes in the normal patterns of traffic. Stateful inspection-based IDSs search for attacks by inspecting packet contents and associating one packet with another; these searches look for attacks in overall data streams rather than in individual packets.

You've just installed a new network-based IDS system that uses signature recognition. What should you do on a regular basis?

Update the signature files.

Signature recognition (also referred to as pattern matching, dictionary recognition, or misuse detection) looks for patterns in network traffic and compares them to known attack patterns called signatures. Signature-based recognition cannot detect unknown attacks; it can only detect attacks identified by published signature files. For this reason, it's important to update signature files on a regular basis. Anomaly recognition (also referred to as behavioral, heuristic, or statistical recognition) monitors traffic to define a standard activity pattern as normal functionality. Clipping levels or thresholds identify deviations from that norm. When the threshold is reached, the system generates an alert or takes an action.

Which IDS method defines a baseline of normal network traffic and then looks for anything that falls outside of that baseline?

Anomaly-based

Anomaly-based detection defines a baseline of normal network traffic and then looks for anything that falls outside of that baseline. Dictionary recognition, pattern matching, and misuse detection are also detection methods, but none of them defines a baseline of normal network traffic and looks for deviations from it; they compare traffic against known attack patterns instead.

Which IDS traffic assessment indicates that the system identified harmless traffic as offensive and generated an alarm or stopped the traffic?

False positive

A false positive traffic assessment means that the system identified harmless traffic as offensive and generated an alarm or stopped the traffic.

As a security precaution, you've implemented IPsec to work between any two devices on your network. IPsec provides encryption for traffic between devices. You would like to implement a solution that can scan the contents of the encrypted traffic to prevent any malicious attacks. Which solution should you implement?

Host-based IDS

A host-based IDS is installed on a single host and monitors all traffic coming into the host. A host-based IDS can analyze encrypted traffic because the host operating system decrypts that traffic as it's received.

You're concerned about attacks directed at your network firewall. You want to be able to identify and be notified of any attacks. In addition, you want the system to take immediate action to stop or prevent the attack, if possible. Which tool should you use?

IPS

Use an intrusion prevention system (IPS) to both detect and respond to attacks. An intrusion detection system (IDS) can detect attacks and send notifications, but it cannot respond to attacks. Use a port scanner to check for open ports on a system or a firewall. Use a packet sniffer to examine packets on your network.

Which of the following is true about an NIDS?

It detects malicious or unusual incoming and outgoing traffic in real time.

An NIDS (network-based intrusion detection system) detects malicious or unusual incoming and outgoing traffic in real time. An NIDS cannot analyze encrypted data or analyze fragmented packets. An HIDS (host-based intrusion detection system) can monitor changes that you've made to applications and systems.
