14.1.9 - Practice Questions
Which of the following are security devices that perform stateful inspection of packet data, looking for patterns that indicate malicious code? (Select two.) - ACL - Firewall - VPN - IPS - IDS
- IPS - IDS
Which of the following activities are considered passive in regards to the function of an intrusion detection system? (Select two.) - Monitoring the audit trails on a server - Disconnecting a port being used by a zombie - Transmitting FIN or RES packets to an external host - Listening to network traffic
- Monitoring the audit trails on a server - Listening to network traffic
Creating fake resources such as honeypots, honeynets, and tarpits fulfills which of the following main intrusion detection and prevention goals? (Select two.) - Offers attackers a target that occupies their time and attention while distracting them from valid resources. - Detect anomalous behavior that varies from standard activity patterns, also referred to as heuristic recognition. - Lures attackers into a non-critical network segment where their actions are passively monitored and logged, then shuns the attacker by simply dropping their connection. - Detect attacks that are unique to the services on valid system resources and monitor application activity. - Entices attackers to reveal their IDs signatures, which can then be matched to known attack patterns. - Reveals information about an attacker's method and gathers evidence for identification or prosecution purposes.
- Offers attackers a target that occupies their time and attention while distracting them from valid resources. - Reveals information about an attacker's method and gathers evidence for identification or prosecution purposes.
An active IDS system often performs which of the following actions? (Select two.) - Request a second logon test for users performing abnormal activities. - Perform reverse lookups to identify an intruder. - Trap and delay the intruder until the authorities arrive. - Update filters to block suspect traffic.
- Perform reverse lookups to identify an intruder. - Update filters to block suspect traffic.
What actions can a typical passive intrusion detection system (IDS) take when it detects an attack? (Select two.) - The IDS configuration is changed dynamically, and the source IP address is banned. - The IDS logs all pertinent data about the intrusion. - LAN-side clients are halted and removed from the domain. - An alert is generated and delivered via email, the console, or an SNMP trap.
- The IDS logs all pertinent data about the intrusion. - An alert is generated and delivered via email, the console, or an SNMP trap.
You are concerned about protecting your network from network-based attacks from the internet. Specifically, you are concerned about zero day attacks (attacks that have not yet been identified or that do not have prescribed protections.) Which type of device should you use? - Signature-based IDS - Anti-virus scanner - Anomaly-based IDS - Host-based firewall - Network-based firewall
Anomaly-based IDS
What does a tarpit specifically do to detect and prevent intrusion into your network? - Answers connection requests in such a way that the attacking computer is stuck for a period of time. - Entices intruders by displaying a vulnerability, configuration flow, or data that appears to be of value. - Passively monitors and logs suspicious activity until it detects a known attack pattern, then shuns the intruder by dropping their connection. - Uses a packet sniffer to examine network traffic and identify known attack patterns, then locks the attacker's connection to prevent any further intrusion activities.
Answers connection requests in such a way that the attacking computer is stuck for a period of time.
As a security precaution, you have implemented IPsec between any two devices on your network. IPsec provides encryption for traffic between devices. You would like to implement a solution that can scan the contents of the encrypted traffic to prevent any malicious attacks. Which solution should you implement? - Port scanner - Host-based IDS - Network-based IDS - VPN concentrator - Protocol analyzer
Host-based IDS
What security mechanism can be used to detect attacks originating on the internet or from within an internal trusted subnet? - Security alarm - Firewall - IDS - Biometric system
IDS
You are concerned about attacks directed against the firewall on your network. You want to be able to identify attacks and be notified of attacks. In addition, you want the system to take immediate action when possible to stop ore prevent the attack. Which tool should you use? - Packet sniffer - IPS - Port scanner - IDS
IPS
Properly configured passive IDS and system audit logs are an integral part of a comprehensive security plan. What step must be taken to ensure that the information is useful in maintaining a secure environment? - Periodic reviews must be conducted to detect malicious activity or policy violations. - The accounting department must compress the longs on a quarterly basis. - All files must be verified with the IDs checksum. - All logs should be deleted and refreshed monthly.
Periodic reviews must be conducted to detect malicious activity or policy violations.
You want to make sure that a set of servers will only accept traffic for specific network services. You have verified that the servers are only running services, but you also want to make sure that the servers will not accept packets sent to those services. Which tool should you use? - Packet sniffer - IPS - System logs - IDS - Port scanner
Port scanner
Which of the following is the most common detection method used by an IDS? - Anomaly - Behavior - Heuristic - Signature
Signature
If maintaining confidentiality is of the utmost importance to your organization, what is the best response when an intruder is detected on your network? - Delay the intruder. - Record audit trails about the intruder. - Terminate the intruder's session. - Monitor the intruder's actions.
Terminate the intruder's session.
You have just installed a new network-based IDS system that uses signature recognition. What should you do on a regular basis? - Generate a new baseline. - Modify clipping levels. - Update the signature files. - Check for backdoors.
Update the signature files.