Chapter 8 - Intrusion Detection - Final

security policy

13. The _________ is the predefined formally documented statement that defines what activities are allowed to take place on an organization's network or on particular hosts to support the organization's requirements.

A

13. _________ is a document that describes the application level protocol for exchanging data between intrusion detection entities. A. RFC 4767 B. RFC 4766 C. RFC 4765 D. RFC 4764

T

14. Network-based intrusion detection makes use of signature detection and anomaly detection.

administrator

15. The __________ is the human with overall responsibility for setting the security policy of the organization, and, thus, for decisions about deploying and configuring the IDS.

journeyman

2. A ________ is a hacker with sufficient technical skills to modify and extend attack toolkits to use newly discovered vulnerabilities.

F

2. Activists are either individuals or members of an organized crime group with a goal of financial reward.

A

3. A _________ monitors the characteristics of a single host and the events occurring within that host for suspicious activity. A. host-based IDS B. security intrusion C. network-based IDS D. intrusion detection

T

3. Running a packet sniffer on a workstation to capture usernames and passwords is an example of intrusion.

T

4. Those who hack into computers do so for the thrill of it or for status.

Intrusion Detection

4. __________ is a security service that monitors and analyzes system events for the purpose of finding, and providing real-time warning of attempts to access system resources in an unauthorized manner.

A

5. The ________ is responsible for determining if an intrusion has occurred. A. analyzer B. host C. user interface D. sensor

intrusion

6. Copying a database containing credit card numbers, viewing sensitive data without authorization, and guessing and cracking passwords are examples of _________ .

F

6. The IDS component responsible for collecting data is the user interface.

B

6. __________ involves an attempt to define a set of rules or attack patterns that can be used to decide if a given behavior is that of an intruder. A. Profile based detection B. Signature detection C. Threshold detection D. Anomaly detection

Profile-based

7. _________ anomaly detection focuses on characterizing the past behavior of individual users or related groups of users and then detecting significant deviations.

D

7. _________ involves the collection of data relating to the behavior of legitimate users over a period of time. A. Profile based detection B. Signature detection C. Threshold detection D. Anomaly detection

True

Intrusion detection is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified.

D

2. A _________ is a security event that constitutes a security incident in which an intruder gains access to a system without having authorization to do so. A. intrusion detection B. IDS C. criminal enterprise D. security intrusion

user interface

3. The _________ to an IDS enables a user to view output from the system or control the behavior of the system.

C

4. A ________ monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity. A. host-based IDS B. security intrusion C. network-based IDS D. intrusion detection

sensors

5. An IDS comprises three logical components: analyzers, user interface and _____.

T

5. Intruders typically use steps from a common attack methodology.

T

7. Intrusion detection is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified.

B

8. A (n) __________ is a hacker with minimal technical skill who primarily uses existing attack toolkits. A. Master B. Apprentice C. Journeyman D. Activist

T

8. The primary purpose of an IDS is to detect intrusions, log suspicious events, and send alerts.

Signature

8. ________ detection techniques detect intrusion by observing events in the system and applying a set of rules that lead to a decision regarding whether a given pattern of activity is or is not suspicious.

F

9. Signature-based approaches attempt to define normal, or expected behavior, whereas anomaly approaches attempt to define proper behavior.

T

11. To be of practical use an IDS should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level.

B

12. A(n) ________ event is an alert that is generated when the gossip traffic enables a platform to conclude that an attack is under way. A. PEP B. DDI C. IDEP D. IDME

F

12. An inline sensor monitors a copy of network traffic; the actual traffic does not pass through the device.

IDS

12.The functional components of an _________ are: data source, sensor, analyzer, administration, manager, and operator.

T

13. A common location for a NIDS sensor is just inside the external firewall.

C

14. The rule _______ tells Snort what to do when it finds a packet that matches the rule criteria. A. protocol B. direction C. action D. destination port

Honeypots

14.________ are decoy systems that are designed to lure a potential attacker away from critical systems.

F

15. Snort can perform intrusion prevention but not intrusion detection.

D

15. The _______ is the ID component that analyzes the data collected by the sensor for signs of unauthorized or undesired activity or for events that might be of interest to the security administrator. A. data source B. sensor C. operator D. analyzer

A

9. The _________ module analyzes LAN traffic and reports the results to the central manager. A. LAN monitor agent B. host agent C. central manager agent D. architecture agent

Neural networks

9. _________ simulate human brain operation with neurons and synapse between them that classify observed data

False

The IDS component responsible for collecting data is the user interface.

activists

1. The broad classes of intruders are: cyber criminals, state-sponsored organizations, _________ , and others.

B

1. _________ are either individuals or members of a larger group of outsider attackers who are motivated by social or political causes. A. State-sponsored organizations B. Activists C. Cyber criminals D. Others

net-work based (NIDS)

10. A ________ IDS monitors traffic at selected points on a network or interconnected set of networks.

F

10. Anomaly detection is effective against misfeasors.

D

11. A(n) ________ is inserted into a network segment so that the traffic that it is monitoring must pass through the sensor. A. passive sensor B. analysis sensor C. LAN sensor D. inline sensor

C

10. The purpose of the ________ module is to collect data on security related events on the host and transmit these to the central manager. A. central manager agent B. LAN monitor agent C. host agent D. architecture agent

Intrusion Detection Message Exchange Requirements

11. The _________ (RFC 4766) document defines requirements for the Intrusion Detection Message Exchange Format (IDMEF).

T

1. An intruder can also be referred to as a hacker or cracker.

Network-based IDS

A _____ monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity.

Host-based IDS

A _____ monitors the characteristics of a single host and the events occurring within that host for suspicious activity.

True

A common location for a NIDS sensor is just inside the external firewall.

Inline Sensor

A(n) _____ is inserted into a network segment so that the traffic that it is monitoring must pass through the sensor.

False

An inline sensor monitors a copy of network traffic; the actual traffic does not pass through the device.

True

Intruders typically use steps from a common attack methodology.

True

Network-based intrusion detection makes use of signature detection and anomaly detection.

Analyzer

The _____ is the IDS component that analyzes the data collected by the sensor for signs of unauthorized or undesired activity or for events that might be of interest to the security administrator.

True

The primary purpose of an IDS is to detect intrusions, log suspicious events, and send alerts.

True

To be of practical use an IDS should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level.

Signature Detection

_____ involves an attempt to define a set of rules or attack patterns that can be used to decide if a given behavior is that of an intruder.

Anomaly Detection

_____ involves the collection of data relating to the behavior of legitimate users over a period of time.