Network exam
True/False? In the United States, network and security teams are subject to federal and state law, such as the so-called "Intrusion Detection Act," U.S. Code 18 Section 2511. True False
False
For best security practice, it a good idea to keep recorded logs within a parameter network where a honeypot is present. True False
FALSE
Which of the following is true about honeypot systems
A- Distracts attackers from the main production system B- Access to sensitive devices and networks should be disallowed D- Make sure sensitive data is not available Allows security teams to track intruders movement to learn more about their E- TTPs in an effort to prevent an attack
Which of the following port numbers are valid well-know port numbers? Each correct answer represents a complete solution. Select all that applies. A. 636 B. 443 c. 465 D. 1023 E. 389
A. 636 B. 443 c. 465 D. 1023 E. 389
For effective intrusion detection, IDS must have a robust baseline profile which covers the entire organization's network and its segments. The challenge of the anomaly-based detection method is creating an effective profile. The initial profile, sometimes referred to as the "training profile," is generated by studying the traffic pattern over a period of time. Which of the following is considered a baseline profile. Partial grade is awarded. Choose all that apply.
A. Connecting from a set of mobile devices to the database server Traffic during the peak hours and non-peak hours as defined by the organization C. A web application logged in remotely by a specific set of users D. Connectivity pattern from an external partner network An application which has a specific acceptable password design
Select all that applies to IDS Systems: Each correct answer represents a complete solution. Choose all that apply. A. Event notification B. Write to Logs C. Detects abnormal activity D. Preventative measures
A. Event notification B. Write to Logs C. Detects abnormal activity
Which of the following components below can be monitored by using the host intrusion detection system (HIDS)? A. File system integrity B. Computer performance C. System files D. Storage space on computers
A. File system integrity C. System files
An IDS system has alerted the security administrator to a possibly malicious sequence of packets being sent to a Web server in the network external DMZ. The packet traffic was captured by the IDS and saved to a PCAP file. What type of network security tool can be used to determine if these packets are genuinely malicious or simply a false positive? A. Intrusion Prevention System B. Vulnerability scanner C. Network sniffer D. Protocol analyzer
A. Intrusion Prevention System
1. Jessica, a Firewall Security Analyst for company XYZ configured a packet filtering firewall to inspect each packet passing through the network and accepts or rejects it based on user-defined rules. Based on which of the following information are these rules set to filter the packets? Each correct answer represents a complete solution. Choose all that apply, A. Layer 4 protocol information B. Actual data in the packet C. Interface of sent or received traffic D. Source and destination Layer 3 address
A. Layer 4 protocol information C. Interface of sent or received traffic D. Source and destination Layer 3 address
An IDS is a group of processes working together in a network. These processes work on different computers and devices across the network. Which of the following processes does an IDS perform? Each correct answer represents a complete solution. Choose all that apply. A. Network traffic analysis B. Monitoring and analysis of user and system activity C. Event log analysis D. Statistical analysis of abnormal traffic patterns
A. Network traffic analysis B. Monitoring and analysis of user and system activity C. Event log analysis D. Statistical analysis of abnormal traffic patterns
OSI Layer 4 firewall can provide which of the following: Each correct answer represents a complete solution. Choose all that apply. A. Protocol type B. Packet filtering C. Source IP D. Content filtering
A. Protocol type B. Packet filtering C. Source IP
Which of the following are considered IDS Tools? Each correct answer represents a complete solution. Choose all that apply (Partial points awarded). A. Snort B. Tcpdum C. OSSEC D. AlienVault USM E. Tripwire
A. Snort B. Tcpdum C. OSSEC D. AlienVault USM
Which of the following are Low-interaction Honeypot tools: Each correct answer represents a complete solution. Choose all that apply (Partial points awarded). A. Specter B. Honeyd C.Honeybot D. Honeypot Decoy E. KFSensor
A. Specter B. Honeyd C. Honeybot D. KFSensor
You work as an IDS Engineer for ViperTech Inc. You want to configure Snort as an IDS for your company's wireless network, but you are concerned that Snort does not support all types of traffic. What traffic does Snort support? Each correct answer represents a complete solution. Choose all that apply, A. UDP B. IPC C. ICMP D. TCP
A. UDP C. ICMP D. TCP
Muhammad, SOCs analysist for IBM Tech is trying to decide which type of intrusion detection system (IDS) he should deploy to improve network security. Match the IDS description from the left with their appropriate IDS type on the right. Partial grade is awarded.
An IDS that monitors an entire network segment for intrusion attempts (D. Network-based) An IDS that only monitors a single particular device for intrusion attempts (B. Host-based segment for intrusion attempts) An IDS that maintains an attack profile database to identify intrusion attempts (A. Signature-based An IDS that monitors an entire network) An IDS that uses a learned activity baseline to identify intrusion attempts (C. Behavior-based )
Which of the following are components of Intrusion Detection? Each correct answer represents a complete solution. Choose all that apply. Partial points awarded. A. Signature Database B. Alerts & Notifications C. Sensors D. Management Console
B. Alerts & Notifications C. Sensors D. Management Console
Which of the following intrusion detection systems (IDS) monitors network traffic and compares it against an established system baseline? A. Network-based B. Anomaly-based C. File-based D. Signature-based
B. Anomaly-based
Which of the following is a computer system designed and configured to protect network resources from attack. A. Screened Subnet B. Bastion Host C. Multi-homed Firewall D. DMZ
B. Bastion Host
Which of the following folders are part of folder replacements and latest rules update when installing and working with SNORT? Each correct answer represents a complete solution. Choose all that apply. A. To rules B. Etc C. Prepro rules D. Rules
B. Etc C. Prepro rules D. Rules
What are the 3 main processing components that makes up Splunk Enterprise? Each correct answer represents a complete solution. Choose all that apply. A. Search and Investigate B. Forwarder C. Indexer D. Monitor Alerts E. Search Head
B. Forwarder C. Indexer E. Search Head
1. Which of the following are packet filtering tools for the Linux operating system? Each correct answer represents a complete solution. Choose all that apply. A. BlacklCE B. IPTab1es C. IPFi1ter D. Zone Alarm
B. IPTab1es C. IPFi1ter
Which of the following IDS generates the false alarm because of the abnormal behavior of users and network? A. Application protocol-based intrusion detection system (AP IDS) B. Network intrusion detection system (NIDS) C. Protocol-based intrusion detection system (P IDS) D. Host-based intrusion detection system (HIDS)
B. Network intrusion detection system (NIDS)
1. What are the three available actions in Snort: Each correct answer represents a complete solution. Choose all that apply. A. Accept B. Pass C.Alert D.Log
B. Pass C.Alert D.Log
1. Diana works as a professional Ethical Hacker. She has been assigned a project for testing the security of www.vipertech.com. She wants to corrupt an IDS signature database so that performing attacks on the server is made easy and she can observe the flaws in the ViperTech server. To perform her task, she first of all sends a virus that continuously changes its signature to avoid detection from IDS. Since the new signature of the virus does not match the old signature, which is entered in the IDS signature database, IDS becomes unable to point out the malicious virus. Which of the following IDS evasion attacks is Diana performing? A. Insertion attack B. Polymorphic shell code attack C. Evasion attack D. Session splicing attack
B. Polymorphic shell code attack
An IDS/IPS detected and blocked traffic from a blacklisted IP addresss to a protected network on port 22. Select all that applies to the connection attempt. Each correct answer represents a complete solution. Choose all that apply. A. FTPS Connection attempt B. SSH Connection attempt C. SFTP Connection attempt
B. SSH Connection attempt C. SFTP Connection attempt D. SCP Connection attempt
Which of the following IDS evasion techniques does an attacker transmits data in multiple small sized packets, which makes it very hard for an IDS to detect the attack signatures of such attacks? A. Fragmentation overlap B. Session splicing C. Insertion D. Fragmentation overwrite
B. Session splicing
Which of the following Linux utilities provides an efficient way to give specific users permission to use specific system commands at the root level? A. Isof B. sudo C. Apache D. grep
B. sudo
Select all that applies to "Data Collection" tools for network security monitoring (NSM). Each correct answer represents a complete solution. Choose all that apply. a. Snort b. Wireshark c. Tcpdump d. Bro/Zeek
Bro/Zeek
You are the Network Administrator for a large corporate network. You want to monitor all network traffic on your local network for suspicious activities and receive a notification when a possible attack is in process. Which of the following actions will you take for this? A. Install a DMZ firewall B. Enable verbose logging on the firewall C Install a network-based IDS D Install a host-based IDS
C Install a network-based IDS
Mariam is implementing a host based intrusion detection system on her company's web server. She feels that the best way to monitor the web server is to find a baseline of activity (connections, traffic, etc.) and to monitor for conditions above that baseline. This type of IDS is called A. Signature Based B. Passive IDS C. Anomaly Based D. Reactive IDS
C. Anomaly Based
Which of the following types of firewall functions at the Session layer of OSI model? A. Application-level firewall B. Switch-level firewall C. Circuit-level firewall D. Packet filtering firewall
C. Circuit-level firewall
Looking at the network drawing below, where would you place attractive network services with fake data to entice attackers to study their techniques A. In front of the Firewall facing the Internet B. All of the above C. DMZ D. Internal Net
C. DMZ
Osman works as an IDS Administrator for a financial company. For securing the company's network, he configured a firewall and an IDS. In spite of these security measures, intruders were able to attack the network. After a close investigation, Osman finds that his IDS is not configured properly and hence is unable to generate alarms when needed. What type of response is the IDS giving? A. False Positive B. True Negative C. False Negative D. True Positive
C. False Negative
When analyzing the IDS logs, the system administrator noticed an alert was logged when the external router was accessed from the administrator's computer to update the router configuration. What type of an alert is this? A. False negative B. True positive C. False positive D. True negative
C. False positive
Which of the following monitors program activities and modifies malicious activities on a system? A. Back door B. RADIUS C. HIDS D. NIDS
C. HIDS
Which of the following types of Intrusion Detection Systems consists of an agent on a host that identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability/acl databases) and other host activities and state? A. NIDS B. PIDS C. HIDS D. APIDS
C. HIDS
An attacker makes an attempt against a Web server. The result is that the attack takes the form of URLs. These URLs search for a certain string that identifies an attack against the Web server. Which IDS/IPS detection method do the URLs use to detect and prevent an attack? A, Anamoly-based detection B. Honey pot detection C. Signature-based detection D. Policy-based detection
C. Signature-based detection
Which of the following is used for debugging the network setup itself by determining whether all necessary routing is occurring properly, allowing the user to further isolate the source of a problem? A. iptables B. Netfilter C. Wireshark D. WinPcap
C. Wireshark
A firewall is a combination of hardware and software, used to provide security to a network. It is used to protect an internal network or intranet against unauthorized access from the Internet or other outside networks. It restricts inbound and outbound access and can analyze all traffic between an internal network and the Internet. Users can configure a firewall to pass or block packets from specific IP addresses and ports. Which of the following tools works as a firewall for Linux ? firewall for Linux ? A. ipfchains B. stuntels C. iptables D. SSH
C. iptables
Which of the following commands in list is used to list Firewall rules? A. iptables LRules B. List FW C. iptables -L D. iptables -List
C. iptables -L
What is the best command to list all Network interfaces on a machine when setting up SNORT for intrusion detection? A. snort -NI B. snort -i 1 C. snort -W D. snort -L
C. snort -W
Tracy, your classmate from PSCS-4102 IDS class works as a Security Administrator for TigerTech Inc. The company has a TCP/IP network. Tracy have been assigned a task to configure security mechanisms for the network of the company. Tracy have decided to configure a packet filtering firewall. Which of the following may be the reasons that made Tracy choose a packet filtering firewall as a security mechanism? Each correct answer represents a complete solution. Choose all that apply. It easily matches most of the fields in Layer 3 packets and Layer 4 segment A. headers, and thus, provides a lot of flexibility in implementing security policies. It is easy to install packet filtering firewalls in comparison to the other network B. security solutions. C. It prevents application-layer attacks. It makes security transparent to end-users which provide easy use of the client D. applications.
D- It makes security transparent to end-users which provide easy use of the client applications. B- It is easy to install packet filtering firewalls in comparison to the other network security solutions.
Which of the following are usually found in an Intrusion detection system (IDS)? Each correct answer represents a complete solution. Choose two. A. Gateways B. Firewall C. Modem D. Console E. Sensor
D. Console E. Sensor
Which of the following tools are use for testing Firewall rules? Each correct answer represents a complete solution. Choose all that apply. A. FW Rule tester B. FWtester C. Firewalk D. Ftester
D. Ftester
Which of the following is a popular system integrity verifier (SIV) that can be used as a HIDS to monitor computer registry changes. A. registry editor B. Bro C. Wireshard D. Tripwire
D. Tripwire
1. Which of the following tools is an open source protocol analyzer that can capture traffic in real time? A. Bro B. NetWitness C. Snort D. Wireshark
D. Wireshark
Study the snort rule given below and interpret the rule. alert tcp any any —> 192,168.1.0/24 111 (content:" 100 01 86 a51",' msG. "mountd access" ;) Select the best answer.
D. on the network and destined for any IP address on the 192.168. I .0 subnet on port 1 11
Match the Packet Filtering Firewall Types below: Partial grade is awarded. Each packet is treated as independent communication connection A. Stateless Aware of established TCP sessions B. stateful
Each packet is treated as independent communication connection A. Stateless Aware of established TCP sessions B. stateful
1. Diversity should be considered when deploying firewall products for your organization? True False
TRUE
An incident investigator asks to receive a copy of the event from all firewalls, proxy servers, and Intrusion Detection Systems (IDS) on the network of an organization that has experienced a possible breach of security. When the investigator attempts to correlate the information in all of the logs the sequence of many of the logged events do not match up. What is the most likely cause? The security breach was a false positive The attack altered or erased events from the logs B. C. Proper chain of custody was not observed while collecting the logs. The network devices are not all synchronized
The attack altered or erased events from the logs
A firewall is designed to keep the attackers out of the network whereas honeypots are designed to entice the hackers to attack the system. True False
True
It does not matter if an attack or malicious activity is encrypted, the Honeypot will capture the activity. True False
True
Protocol types , such as IGMP type 8 (echo request) can be examined by packet filtering firewalls? True False
True
Signature-based security technologies by definition imply that someone is going to get hurt" before the new attack is discovered. True False
True
Snort generates alerts according to the rules defined in configuration file. Snort generates alerts according to the rules defined in configuration file. True False
True
Snort uses the popular winpcap (for Windows) and requires promiscuous mode enabled on the network interface card to perform packet sniffing. True False
True
. Select the best location for a honeypot for company xyz network exhibit below. a. Wireless Network b. Internet Facing Network c. DMZ Network d. Internal Network
c. DMZ Network
Select the best location for a honeypot for company xyz network exhibit below.
c. DMZ Network
Sean, a network intrusion detection analyst at NOVA Tech is interested in traffic from internal, wireless, and DMZ networks. Where is the best option to place the IDS.
d. Locations C,D,E