ITN 261 Quiz 3
An intrusion detection system (IDS) provides a way of both detecting an attack and dealing with it.
F
By definition, misuse is always malicious in nature.
F
Fail-open state results in closed and completely restricted access or communication.
F
Firewalls perform well against misuse.
F
Honeypots and honeynets are, by definition, illegal.
F
Intrusion detection is the ability to detect misuse of resources or privileges.
F
It is easy for an attacker to predict the sequence numbers of the packets in order to hijack a session successfully.
F
Misuse detection is the technique of uncovering successful or attempted unauthorized access to an information system.
F
Most networks and protocols are inherently secure making them difficult to sniff.
F
Over the past few years, the use of denial of service (DoS) attacks to commit crimes such as extortion has decreased.
F
Role based access control (RBAC) depends on the owner or author of data to manage security.
F
Session hijacking is the process of assisting two parties in establishing a new session.
F
Sniffers are fundamentally evil because they are only used to steal information.
F
Typically, a computer system can see all communications, whether they are addressed to the listening station or not.
F
Which of the following statements is NOT true about firewalls?
Firewalls have not changed much over the years.
Which of the following statements is NOT true regarding passive session hijacking?
In passive session hijacking, the attacker assumes the role of the party he has displaced.
Which of the following is NOT one of the steps an attacker must perform to conduct a successful session hijacking?
Inject packets into the network prior to the authentication process.
Which of the following provides the ability to monitor a network, host, or application, and report back when suspicious activity is detected?
Intrusion detection system (IDS)
Which of the following statements is NOT true regarding Address Resolution Protocol (ARP) poisoning?
It cannot be used to alter data in transmission or tap Voice over IP (VoIP) phone calls.
Countermeasures that can be used to defeat sniffing include all of the following EXCEPT:
Media Access Control (MAC) flooding.
Which of the following options for firewall implementation has multiple network interfaces that use rules to determine how packets will be forwarded between interfaces?
Multi-homed device
Which of the following statements is NOT true regarding passive sniffing?
Passive sniffing works only when the traffic you wish to observe and the station that will do the sniffing are in different collision domains.
Which of the following is NOT one of the three basic modes firewalls can operate in?
SYN proxying
Which of the following refers to an intrusion detection system (IDS) that is programmed to identify known attacks occurring in an information system or network by comparing sniffed traffic or other activity with that stored in a database?
Signature analysis
Which of the following is commonly known as misuse detection because it attempts to detect activities that may be indicative of misuse or intrusions?
Signature recognition
All of the following are commonly used tools to perform session hijacking EXCEPT:
Smurf
A denial of service (DoS) attack is designed to deny legitimate users the use of a system or service through the systematic overloading of its resources.
T
A lookup table is used to track which Media Access Control (MAC) addresses are present on which ports on the switch.
T
A multi-homed device has multiple network interfaces that use rules to determine how packets will be forwarded between interfaces.
T
A screened host is a setup where the network is protected by a device that combines the features of proxy servers with packet filtering.
T
Active session hijacking takes sniffing to the next level by moving from listening to interacting.
T
Active sniffing introduces traffic onto the network, meaning that the user's presence is now detectable by anyone or anything that may be looking.
T
An intrusion detection system (IDS) essentially extends the traffic-capturing capability of a packet sniffer in that the IDS compares the intercepted traffic to known good or bad behavior.
T
Barriers, guards, cameras, and locks are examples of physical controls.
T
Both denial of service (DoS) and distributed denial of service (DDoS) attacks seek to overwhelm a victim with requests designed to lock up, slow down, or crash a system.
T
Content addressable memory (CAM) is the memory present on a switch that is used to look up the Media Access Control (MAC) address to port mappings that are present on a network.
T
Content addressable memory (CAM) is used to build a lookup table.
T
Firewalls separate networks and organizations into different zones of trust.
T
In the first wave of a distributed denial of service (DDoS) attack, the targets that will be the "foot soldiers" are infected with the implements that will be used to attack the ultimate victim.
T
Intrusion detection is the process of detecting potential misuse or attacks and the ability to respond based on the alert that is provided.
T
Most intrusion detection systems (IDSs) are based on signature analysis.
T
Network connectivity arguably has the biggest impact on the effectiveness of the firewall.
T
Promiscuous mode is a special mode that a network card can be switched to that will allow the card to observe all traffic that passes by on the network.
T
Wireshark, Tcpdump, Windump, and Omnipeek are popular sniffing tools.
T
Which of the following statements is NOT true regarding distributed denial of service (DDoS) attacks?
The attack is easily tracked back to its true source.
Which of the following is a firewall best able to control?
Traffic
Any activity that should not be but is occurring on an information system is called:
an intrusion.
A group of infected systems that are used to collectively attack another system is called a:
botnet
With a hub connectivity device in place, all traffic can be seen by all other stations, which can be also referred to as all stations being on the same:
collision domain
Consumption of bandwidth, consumption of resources, and exploitation of programming defects are the three broad categories of:
denial of service (DoS) attacks.
All of the following actions can be helpful in thwarting session hijacking attacks EXCEPT:
employing operating systems that create predictable sets of sequence numbers.
A group of computers or a network configured to attract attackers is called a(n):
honeynet
A single computer that is configured to attract attackers to it and act as a decoy is called a(n):
honeypot
The principle that individuals will be given only the level of access that is appropriate for their specific job role or function is called:
least privilege.
Media Access Control (MAC) flooding and Address Resolution Protocol (ARP) poisoning are:
methods of bypassing a switch to perform sniffing.
The improper use of privileges or resources within an organization is called:
misuse
Botnets are used to perform all of the following attacks EXCEPT:
passive session hijacking.
What type of sniffing takes place on networks such as those that have a hub as the connectivity device?
passive sniffing
The primary difference between denial of service (DoS) attacks and distributed denial of service (DDoS) attacks is:
scale
An application or device that is designed to capture network traffic as it moves across the network itself is referred to as a:
sniffer
A device used to break a network into logical network segments known as collision domains is called a:
switch
The primary components of a host-based intrusion detection system (HIDS) are:
the command console and the monitoring agent software.
The primary components of a network-based intrusion detection system (NIDS) are:
the command console and the network sensor.
The two main types of intrusion detection systems (IDSs) are:
the network-based intrusion detection system (NIDS) and the host-based intrusion detection system (HIDS).
After a firewall is designed and implemented, a firewall policy should be developed.
F
Which of the following statements is NOT true about firewall policy?
A policy is not necessary if the firewall is configured in the way the administrator wants.
In what type of attack does the attacker take over an established session between two parties and then interact with the remaining party as if the attacker were the party that has been disconnected?
Active session hijacking
What type of sniffing takes place on networks that have connectivity hardware that is "smarter" or more advanced, such as those with a switch?
Active sniffing
Which of the following controls fit in the area of policy and procedure?
Administrative
Which of the following is an intrusion detection system with additional abilities that make it possible to protect systems from attack by using different methods of access control?
An intrusion prevention system
Which of the following is a detection method that uses a known model of activity in an environment and reports deviations from established normal behavior?
Anomaly detection
An intrusion detection system (IDS) is a single piece of software, as opposed to a series of components.
F
An intrusion detection system (IDS) prevents attacks from occurring.
F
Which of the following options for firewall implementation has a region of the network or zone that is sandwiched between two firewalls?
Demilitarized zone (DMZ)
Which of the following refers to using many systems to attack another system?
Distributed denial of service (DDoS) attacks
A denial of service (DoS) attack can be considered an "upgraded" and advanced version of a distributed denial of service (DDoS) attack.
F
A denial of service (DoS) attack is typically the first action an attacker will take in an attempt to access a system.
F
A distributed denial of service (DDoS) attack can be performed using only a software component; no hardware component is necessary.
F
A host-based intrusion detection system (HIDS) monitors activity on a network.
F
A packet filtering firewall is a type of firewall that functions as a gateway for requests arriving from clients.
F