Chapter 7 Quiz
A false positive is the failure of an IDPS to react to an actual attack event.
False
A padded cell is a hardened honeynet. _________________________
False
A passive IDPS response is a definitive action automatically initiated when certain types of alerts are triggered.
False
A passive vulnerability scanner is one that initiates traffic on the network in order to determine security holes.
False
A(n) NIDPS functions on the host system, where encrypted traffic will have been decrypted and is available for processing. _________________________
False
A(n) event is an indication that a system has just been attacked or is under attack. _________________________
False
A(n) server-based IDPS protects the server or host's information assets. _________________________
False
Administrators who are wary of using the same tools that attackers use should remember that a tool that can help close an open or poorly configured firewall will not help the network defender minimize the risk from attack.
False
All IDPS vendors target users with the same levels of technical and security expertise.
False
An HIDPS is optimized to detect multihost scanning, and it is able to detect the scanning of non-host network devices, such as routers or switches.
False
Enticement is the action of luring an individual into committing a crime to get a conviction. _________________________
False
In the process of protocol application verification, the NIDPSs look for invalid data packets. _________________________
False
Intrusion detection and prevention systems can deal effectively with switched networks.
False
Intrusion detection consists of procedures and systems that identify system intrusions and take action when an intrusion is detected.
False
NIDPSs can reliably ascertain whether an attack was successful.
False
Passive scanners are advantageous in that they require vulnerability analysts to get approval prior to testing.
False
Services using the TCP/IP protocol can run only on their commonly used port number as specified in their original Internet standard.
False
The disadvantages of using the honeypot or padded cell approach include the fact that the technical implications of using such devices are not well understood. _________________________
False
The primary advantages of a centralized IDPS control strategy are cost and ease of use. _________________________
False
The process by which attackers change the format and/or timing of their activities to avoid being detected by the IDPS is known as a false attack stimulus.
False
The process of entrapment occurs when an attacker changes the format and/or timing of activities to avoid being detected by an IDPS. _________________________
False
To use a packet sniffer legally, an administrator only needs permission of the organization's top computing executive.
False
When using trap-and-trace, the trace usually consists of a honeypot or padded cell and an alarm. _________________________
False
Your organization's operational goals, constraints, and culture should not affect the selection of the IDPS and other security tools and technologies to protect your systems.
False
Activities that scan network locales for active systems and then identify the network services offered by the host systems are known as __________.
fingerprinting
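Worked example, added here and not part of the original quiz: the two steps of fingerprinting described above (find listening ports, then identify the service each one offers), run against loopback in Python. It also makes the point of the earlier item that a service need not sit on its well-known port: the "SSH" and "SMTP" daemons below are constructed stand-ins listening on whatever high ports the OS hands out, and the scanner identifies them from their banners, not from the port number. Host, banners and port list are assumptions for the demo.

```python
"""Fingerprinting against loopback: confirm a port is open, then identify the service by its banner."""
import socket
import threading
from typing import Dict, Iterable, Optional, Tuple


def start_fake_service(banner: bytes) -> Tuple[socket.socket, int]:
    """Constructed stand-in for a daemon: listens on an OS-chosen loopback port and sends one banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed, stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def grab_banner(host: str, port: int, timeout: float = 1.0) -> Optional[bytes]:
    """TCP connect scan of one port: None if closed/filtered, else whatever the service says first."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                return s.recv(256)
            except socket.timeout:
                return b""           # open, but silent until the client speaks (e.g. HTTP)
    except OSError:
        return None


def classify(banner: bytes) -> str:
    """Identify the service from what it said, not from the port number it happened to use."""
    if banner.startswith(b"SSH-"):
        return "ssh"
    if banner.startswith(b"220") and b"smtp" in banner.lower():
        return "smtp"
    if not banner:
        return "open, no banner"
    return "unknown"


def fingerprint(host: str, ports: Iterable[int]) -> Dict[int, str]:
    """Map each open port to the service identified by its banner; closed ports are omitted."""
    found: Dict[int, str] = {}
    for port in ports:
        banner = grab_banner(host, port)
        if banner is not None:
            found[port] = classify(banner)
    return found


def demo() -> Dict[int, str]:
    # Constructed targets: SSH-style and SMTP-style banners on arbitrary high ports, not 22 and 25.
    ssh_srv, ssh_port = start_fake_service(b"SSH-2.0-OpenSSH_9.6\r\n")
    smtp_srv, smtp_port = start_fake_service(b"220 mail.example.test ESMTP ready\r\n")
    try:
        return fingerprint("127.0.0.1", [ssh_port, smtp_port])
    finally:
        ssh_srv.close()
        smtp_srv.close()


if __name__ == "__main__":
    for port, service in sorted(demo().items()):
        print(f"{port}/tcp open  {service}")
```

Scanning anything other than your own loopback needs the same written authorization the quiz asks about for packet sniffers; the connect scan above is also the noisiest possible probe, which is why an NIDPS will log it.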
HIDPSs are also known as system integrity verifiers.
True
IDPS responses can be classified as active or passive.
True
In DNS cache poisoning, valid packets exploit poorly configured DNS servers to inject false information and corrupt the servers' answers to routine DNS queries from other systems on the network.
True
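Worked example, added here and not part of the original quiz: the "poorly configured" part of the cache-poisoning item is about which responses a resolver is willing to cache. The Python below builds minimal DNS responses (A records only, no name compression in the constructed messages; the decoder still follows pointers) and applies the three acceptance checks a resolver should make: the transaction ID must match an outstanding query, the question section must match what was asked, and records outside the bailiwick of the server that was queried are discarded rather than cached. The transaction IDs, names and addresses are constructed for the demo.

```python
"""Resolver-side acceptance checks that a forged DNS response has to get past."""
import struct
from typing import Dict, List, Tuple


def encode_name(name: str) -> bytes:
    """'www.example.com.' -> b'\\x03www\\x07example\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Read a name at msg[off:], following compression pointers; return (name, offset after it)."""
    labels: List[str] = []
    end = None                        # offset just after the first pointer, if any
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:     # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_response(txid: int, qname: str, answers, additionals=()) -> bytes:
    """Constructed response carrying A records only; records are (owner, dotted IPv4)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, len(additionals))
    body = encode_name(qname) + struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN
    for owner, ip in list(answers) + list(additionals):
        rdata = bytes(int(octet) for octet in ip.split("."))
        body += encode_name(owner) + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + body


def parse_response(msg: bytes) -> Dict:
    txid, _flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    records = []
    for _ in range(an + ns + ar):
        owner, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 else rdata
        records.append((owner, rtype, value))
    return {"txid": txid, "qname": qname, "qtype": qtype, "records": records}


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is zone itself or lies beneath it (plain suffix match is not enough)."""
    owner, zone = owner.lower(), zone.lower()
    return owner == zone or owner.endswith("." + zone)


def accept_into_cache(pending: Dict[int, Tuple[str, int]], msg: bytes, zone: str):
    """pending maps outstanding transaction ids to (qname, qtype); zone is what the queried
    server is authoritative for. Returns (records that are safe to cache, reason)."""
    r = parse_response(msg)
    expected = pending.get(r["txid"])
    if expected is None:
        return [], "rejected: transaction id matches no outstanding query"
    if (r["qname"].lower(), r["qtype"]) != (expected[0].lower(), expected[1]):
        return [], "rejected: question section does not match what we asked"
    kept = [rec for rec in r["records"] if in_bailiwick(rec[0], zone)]
    dropped = len(r["records"]) - len(kept)
    return kept, "accepted; dropped %d out-of-bailiwick record(s)" % dropped


def demo():
    pending = {0x1A2B: ("www.example.com.", 1)}
    zone = "example.com."
    cases = {
        # Genuine answer from the example.com. authoritative server.
        "legit": build_response(0x1A2B, "www.example.com.",
                                [("www.example.com.", "192.0.2.10")]),
        # Forgery that guessed the wrong transaction id.
        "wrong_id": build_response(0x1A2C, "www.example.com.",
                                   [("www.example.com.", "198.51.100.66")]),
        # Forgery with the right id that smuggles a record for another zone into the additional section.
        "smuggled": build_response(0x1A2B, "www.example.com.",
                                   [("www.example.com.", "192.0.2.10")],
                                   additionals=[("login.example.net.", "198.51.100.66")]),
    }
    return {name: accept_into_cache(pending, msg, zone) for name, msg in cases.items()}


if __name__ == "__main__":
    for name, (records, reason) in demo().items():
        print(name, records, reason)
```

The transaction ID is only 16 bits, so the first check alone is brute-forceable by an attacker who can race the real answer; production resolvers also randomize the UDP source port, and the bailiwick rule is what stops a correctly guessed response from planting records for other domains.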
In order to determine which IDPS best meets an organization's needs, first consider the organizational environment in technical, physical, and political terms.
True
Intrusion detection and prevention systems perform monitoring and analysis of system events and user behaviors.
True
Once the OS is known, all of the vulnerabilities to which a system is susceptible can easily be determined.
True
Security tools that go beyond routine intrusion detection include honeypots, honeynets, and padded cell systems.
True
The Simple Network Management Protocol contains trap functions, which allow a device to send a message to the SNMP management console indicating that a certain threshold has been crossed, either positively or negatively.
True
The anomaly-based IDPS collects statistical summaries by observing traffic that is known to be normal.
True
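Worked example, added here and not part of the original quiz: an anomaly-based detector in Python that does what the item above describes, building a statistical summary (mean and standard deviation of requests per minute, per source host) from a training window of known-normal traffic and then flagging minutes in a later window that sit more than three standard deviations from the baseline. The training and observation events are constructed; a source that never appeared during training has no baseline and is flagged for that reason.

```python
"""Anomaly-based detection: profile known-normal traffic, then score a later observation window."""
import statistics
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

Event = Tuple[int, str]          # (minute, source host)


def per_minute_counts(events: Iterable[Event]) -> Dict[str, List[Tuple[int, int]]]:
    """Aggregate events into {src: [(minute, count), ...]} in time order."""
    counts = Counter(events)
    per_src: Dict[str, List[Tuple[int, int]]] = defaultdict(list)
    for (minute, src), n in sorted(counts.items()):
        per_src[src].append((minute, n))
    return per_src


def build_profile(training_events: Iterable[Event]) -> Dict[str, Tuple[float, float]]:
    """Statistical summary of known-normal traffic: mean and population stdev of req/min per source."""
    profile = {}
    for src, series in per_minute_counts(training_events).items():
        counts = [n for _minute, n in series]
        profile[src] = (statistics.fmean(counts),
                        statistics.pstdev(counts) if len(counts) > 1 else 0.0)
    return profile


def score(profile, window_events: Iterable[Event], z_threshold: float = 3.0, min_sd: float = 1.0):
    """Return [(src, minute, reason)] for every (src, minute) that leaves its baseline."""
    alerts = []
    for src, series in per_minute_counts(window_events).items():
        if src not in profile:
            alerts.append((src, series[0][0], "no baseline for this source"))
            continue
        mean, sd = profile[src]
        sd = max(sd, min_sd)   # floor: a perfectly flat baseline would otherwise give infinite z
        for minute, n in series:
            z = (n - mean) / sd
            if abs(z) > z_threshold:
                alerts.append((src, minute, f"{n} req/min, z={z:+.1f}"))
    return alerts


def demo():
    # Constructed training window: 60 minutes of steady traffic from two hosts.
    training: List[Event] = []
    for minute in range(60):
        training += [(minute, "10.0.0.7")] * (12 + minute % 4)   # 12..15 req/min, mean 13.5
        training += [(minute, "10.0.0.8")] * (3 + minute % 2)    # 3..4 req/min, mean 3.5
    profile = build_profile(training)

    # Constructed observation window: a normal minute, a burst, a near-silent minute, an unknown host.
    window: List[Event] = (
        [(100, "10.0.0.7")] * 13 + [(100, "10.0.0.8")] * 4
        + [(101, "10.0.0.7")] * 45
        + [(102, "10.0.0.7")] * 1
        + [(100, "10.0.0.99")] * 2
    )
    return score(profile, window)


if __name__ == "__main__":
    for src, minute, reason in demo():
        print(f"minute {minute} {src}: {reason}")
```

The quality of this detector is entirely the quality of its training window: if the "known normal" period already contained the attacker's traffic, the attacker is baked into the baseline, which is the classic weakness of the approach.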
To assist in footprint intelligence collection, attackers may use an enhanced Web scanner that, among other things, can scan entire Web sites for valuable pieces of information, such as server names and e-mail addresses.
True
When a collection of honeypots connects several honeypot systems on a subnet, it may be called a(n) honeynet. _________________________
True
Which port is commonly used for HTTP?
80
A(n) __________ IDPS is focused on protecting network information assets.
network-based
To determine whether an attack has occurred or is underway, NIDPSs compare measured activity to known __________ in their knowledge base.
signatures
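Worked example, added here and not part of the original quiz: signature matching in Python against a small constructed knowledge base, covering both the item above (compare observed activity to known signatures) and the earlier evasion item (an attacker changes the format or timing of the activity so the IDPS does not see it). The same request is sent whole and then split across out-of-order TCP segments so that no single segment contains a complete pattern; a sensor that matches per packet misses it, while one that reassembles the stream by sequence number before matching catches it. Flow, patterns and payloads are constructed.

```python
"""Signature matching per packet versus after stream reassembly (a fragmentation evasion demo)."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed knowledge base: compiled pattern -> alert name.
SIGNATURES = {
    re.compile(rb"/etc/passwd"): "Unix password file access",
    re.compile(rb"\.\./\.\./"): "directory traversal",
    re.compile(rb"(?i)union\s+select"): "SQL injection attempt",
}

# A segment is (flow, sequence number, payload); flow = (src, sport, dst, dport).
Segment = Tuple[Tuple[str, int, str, int], int, bytes]


def match_signatures(data: bytes) -> Set[str]:
    return {name for pattern, name in SIGNATURES.items() if pattern.search(data)}


def detect_per_packet(segments: Iterable[Segment]) -> Set[str]:
    """Naive sensor: every segment is inspected in isolation."""
    alerts: Set[str] = set()
    for _flow, _seq, payload in segments:
        alerts |= match_signatures(payload)
    return alerts


def detect_reassembled(segments: Iterable[Segment]) -> Set[str]:
    """Sensor that orders each flow's segments by sequence number and matches the joined stream."""
    flows: Dict[tuple, List[Tuple[int, bytes]]] = defaultdict(list)
    for flow, seq, payload in segments:
        flows[flow].append((seq, payload))
    alerts: Set[str] = set()
    for parts in flows.values():
        stream = b"".join(payload for _seq, payload in sorted(parts))
        alerts |= match_signatures(stream)
    return alerts


FLOW = ("10.0.0.5", 51234, "10.0.0.10", 80)

# Constructed attack: the request sent whole, and the same request split so that no single
# segment holds a complete pattern, with the segments also arriving out of order.
PLAIN: List[Segment] = [
    (FLOW, 1, b"GET /cgi-bin/view?f=../../../etc/passwd HTTP/1.1\r\n\r\n"),
]
EVASIVE: List[Segment] = [
    (FLOW, 1, b"GET /cgi-bin/view?f=../."),
    (FLOW, 3, b"/pass"),
    (FLOW, 2, b"./../etc"),
    (FLOW, 4, b"wd HTTP/1.1\r\n\r\n"),
]


def demo() -> Dict[str, Set[str]]:
    return {
        "plain/per_packet": detect_per_packet(PLAIN),
        "evasive/per_packet": detect_per_packet(EVASIVE),
        "evasive/reassembled": detect_reassembled(EVASIVE),
    }


if __name__ == "__main__":
    for case, alerts in demo().items():
        print(f"{case}: {sorted(alerts) or 'no alert'}")
```

Timing evasion works against the reassembling sensor too: if the segments are spaced out beyond the sensor's reassembly timeout, or overlap in ways the sensor and the target host resolve differently, the stream the sensor matches is not the stream the server executes.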
In TCP/IP networking, port __________ is not used.
0
__________ benchmark and monitor the status of key system files and detect when an intruder creates, modifies, or deletes monitored files.
HIDPSs
A fully distributed IDPS control strategy is an IDPS implementation approach in which all control functions are applied at the physical location of each IDPS component.
True
A(n) log file monitor is similar to an NIDPS. _________________________
True
Alarm events that are accurate and noteworthy but do not pose significant threats to information security are called noise. _________________________
True
An HIDPS can detect local events on host systems and detect attacks that may elude a network-based IDPS.
True
An HIDPS can monitor system logs for predefined events.
True
An IDPS can be configured to dial a phone number and produce an alphanumeric page or other type of signal or message.
True
Some vulnerability scanners feature a class of attacks called _________, that are so dangerous they should only be used in a lab environment.
destructive
Network behavior analysis system __________ sensors are typically intended for network perimeter use, so they are deployed in close proximity to the perimeter firewalls, often between the firewall and the Internet border router to limit incoming attacks that could overwhelm the firewall.
inline
A(n) __________ is a software program or hardware appliance that can intercept, copy, and interpret network traffic.
packet sniffer
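Worked example, added here and not part of the original quiz: the "interpret" step of a packet sniffer in Python, decoding a constructed Ethernet/IPv4/TCP frame down to its payload with struct, verifying the IPv4 header checksum on the way, and showing a client on an ephemeral port talking to a web server on port 80. The frame builder exists only to construct the sample capture; addresses and payload are assumptions for the demo.

```python
"""Decode a captured frame the way a packet sniffer does: Ethernet -> IPv4 -> TCP -> payload."""
import socket
import struct


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the IPv4 header; 0 means a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed capture: Ethernet II + IPv4 (no options) + TCP (no options, PSH|ACK) + payload."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip_nosum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                           socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip_nosum[:10] + struct.pack("!H", ip_checksum(ip_nosum)) + ip_nosum[12:]
    return eth + ip + tcp + payload


def decode_frame(frame: bytes) -> dict:
    """Interpret the frame; raise ValueError on anything that cannot be decoded safely."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not IPv4: ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _sum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IPv4 header")
    if ip_checksum(ip[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    result = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl, "proto": proto}
    if proto != 6:          # only TCP is decoded further here
        return result
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, _ack, off_flags, flags = struct.unpack("!HHIIBB", tcp[:14])
    data_off = (off_flags >> 4) * 4
    if data_off < 20 or len(tcp) < data_off:
        raise ValueError("bad TCP data offset")
    result.update({"sport": sport, "dport": dport, "seq": seq, "flags": flags,
                   "payload": tcp[data_off:]})
    return result


def rejects_corrupted_header() -> bool:
    """Flip a bit in the TTL of a valid frame; the checksum check must now reject it."""
    frame = bytearray(build_frame("192.168.1.20", "192.0.2.10", 51234, 80, b"x"))
    frame[14 + 8] ^= 0x01
    try:
        decode_frame(bytes(frame))
    except ValueError as exc:
        return "checksum" in str(exc)
    return False


def demo() -> dict:
    # Constructed capture: a client on an ephemeral port sending a GET to a web server on 80.
    frame = build_frame("192.168.1.20", "192.0.2.10", 51234, 80,
                        b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
    return decode_frame(frame)


if __name__ == "__main__":
    d = demo()
    print(f"{d['src']}:{d['sport']} -> {d['dst']}:{d['dport']} flags=0x{d['flags']:02x}")
    print(d["payload"].decode())
```

The bounds checks are not decoration: a sniffer parses attacker-controlled bytes, and a decoder that trusts the length fields in the packet is itself a target.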